NSX Student Guide (Editable)

VMware NSX:
Install, Configure, Manage

Lecture Manual
NSX 6.0
VMware Education Services

VMware , Inc.
www.vmware.com/education
VMware NSX:
Install, Configure, Manage
NSX 6.0
Part Number EDU-EN -NSXICM6-LECT
Lecture Manual
Copyright/Trademark
Copyright 2014 VMware , Inc. All rights reserved . This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at http ://www.vmware.com/go/
patents . VMware is a registered trademark or trademark of VMware , Inc. in the United States
and/or other jurisdictions. All other marks and names ment ioned herein may be trademarks
of the ir respective companies.
The training material is provided "as is," and all express or implied cond itions,
representations, and warranties, includ ing any implied warranty of merchantability, fitness for
a particular purpose or noninfringement, are discla imed , even if VMware, Inc., has been
advised of the possibility of such claims. This training mate rial is designed to support an
instructor-led training course and is intended to be used for reference purposes in
conjunction with the instructor-led training course. The train ing material is not a standalone
tra ining tool. Use of the training material for self-study without class attendance is not
recommended.
These materials and the computer programs to which it relates are the property of, and
embody trade secrets and confidential information proprietary to, VMware, Inc., and may not
be reproduced, copied, disclosed, transferred, adapted or modified without the express
written approval of VMware, Inc.
Course development: Rob Nendel , John Tuffin, Jerry Ozbun
Technical review : Elver Sena, Chris McCain
Technical editing : Jim Brook , Shalini Pallat , Jeffrey Gardiner
Production and publishing: Ron Morton, Regina Aboud
The courseware for VMware instructor-led training relies on materials developed by the
VMware Technical Communications writers who produce the core technical documentation ,
available at http://www.vmware .com/supportlpubs.
www.vmware.com/education
TABLE OF CONTENTS
MODULE 1
Course Introduction
Importance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Learner Objectives
".. "
Learner Objectives (2) .. " ". " ".. ".. "
"
You Are Here . " " " " " ". " ". " ".. " ". " ".. ".. "
"
Typographical Conventions. " ".. ".. "
References " " ". " " " " " ". " ". " ". . " ". " ". . ". . ". . . ". . "
".. "
About NSX " ". " " " " " ". " ". " ".. " ". " ".. ".. "
NSX Certification
VMware Learning Path Tool.
NSX Resources
MODULE 2
NSX Networking" " " " ". " " " " " ". " ". " ".. " ". " ".. ".. "... "..
You Are Here " " " " " " " " " " " " " ". " ". " " ". " ". " ".. ".. " ".. "..
Importance" " " " " " " " " " " " " " " " ". " " " " " ". " ". " ".. " ". " ".. "..
"..
Module Lessons" " " " " ". " " " " " ". " ". " ".. " ". " ".. ".. "
Lesson I: Introduction to vSphere Virtualization
Learner Objectives
Virtual Machines
Benefits ofVirtuaI Machines
"
ESXi Hypervisor
"
vCenter Server. ".. " ".. ".. "
vCenter Server Management Features
".. "
vSphere vMotion .. "
"
Shared Storage. ".. " ".. ".. "
Features That Use Shared Storage
Virtual Networking
Virtual Switch Types
Networking Features
vSphere Product Placement.
Review of Learner Objectives
Lesson 2: Overview of the Software-Defined Data Center.
Learner Objectives. "
"
".. "
Choices for IT . ".. "
Data Center Models"
"
Advantage of Software-Defined Data Center
Choice for New IT
Software-Defined Data Center as New IT.
Components of a Software-Defined Data Center
Vision and Strategy
Virtual Compute, Storage, and Network
Data Center Hardware. . . . . . . . . . . . . . . . . . . .
Hypervisors and Virtual Switches
VMware NSX: Install, Configure, Manage
1
2
3
4
5
6
7
8
9
".. 10
11
"
"
"
"
13
14
15
16
17
18
19
".. 20
21
22
23
25
26
27
28
29
30
32
33
34
35
36
37
" .. 38
39
40
41
42
43
44
45
NSX: Network Virtualization Platform

About a Virtual Network
Network Virtualization: Layer 2
Concept Summary
Review of Learner Objeetives
Lesson 3: Introduction to NSX and NSX Manager.
Learner Objectives
NSX Capabilities
Prepare for Installation: Client and User Access
Prepare for Installation: Port Requirements
Installation: Manager OVA
Initial Configuration: Management UI
Initial Configuration: Time and Syslog Settings
Initial Configuration: Network Settings
Initial Configuration: vCenter Server Connection
NSX Overview: Planes
NSX Overview: Data Plane Components
NSX Overview: Control Plane Components
NSX Overview: Management Plane Component
NSX Overview: Consumption
Enterprise Topology
Servicer Provider: Multiple Tenant Topology
Multiple Tenant Topology: Scalable Desigu
Scalability
NSX for vSphere: Scale Boundaries
NSX Manager
Building the NSX Platform
Lab I: Introduction
Lab I: Configuring NSX Manager
Concept Summary
Lesson 4: NSX Controller
Learner Objectives
NSX Controller
NSX Controller Cluster Deployment
Control Plane Interaction
Control Plane Security
Control Plane Security: Diagram
User World Agent
NSX Controller: Master Election
Master Failure Scenario
NSX Controller Workload Distribution
ii
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
82
83
84
85
86
87
88
89
Slicing Assignment
Slicing Distribution
Slice Redistribution
Component Interaction: Configuration
"
Lab 2: Introduction (I) . " .. " " .. " .. "
Lab 2: Introduction (2) . ".. " ".. ".. "
"
Lab 2: Configuring and Deploying an NSX Controller Cluster
".. "
Key Points
MODULE 3
Contents
90
91
92
93
94
95
96
97
98
" .. " .. " " . "99

Logical Switch Networks and VXLAN Overlays. ".. "
You Are Here
100
Importance" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "101
Module Lessons" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "102
"
103
Lesson 1: Ethernet Fundamentals " ". " ".. ".. "
Learner Objectives" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". "104
Review: Networking Definitions. ".. " ".. ".. "
"
105
Ethernet
" .. " .. " " . " " . " " " " " " " " " " "106
MAC Tables
107
Broadcast Domain
108
Address Resolution Protocol
109
From Packets to Frames
110
111
Segmentation and Encapsulation
Layer 3: IPv4 Datagram
112
Layer 4: TCP Segment
113
Concept Summary. "
114
115
Lesson 2: Overview ofvSphere Distributed Switch
" .116
Learner Objectives
" .117
VMkernel Networking
" .118
Advantages ofvSphere Distributed Switch
119
Distributed Switch Architecture
120
vSphere Distributed Switch Enhancements in ESXi 5.5
121
Design Considerations
122
Teaming Best Practices
123
Load-Based Teaming
124
Distributed Switch in Enterprise
125
Lab 3: Introduction (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Lab 3: Introduction (2)
127
Lab 3: Preparing for Virtual Networking
" .128
Concept Summary
129
130
Lesson 3: Link Aggregation
131
iii
Learner Objectives
132
Ethernet Loop
133
Spanning Tree Protocol
134
STP Diagram" . " " " " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "135
Bandwidth Constraint " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "136
Link Aggregation Control Protocol.
137
Enhanced LACP in vSphere 5.5
138
Enhanced LACP ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "139
Concept Summary
140
141
Lesson 4: Virtual LANs
142
Learner Objectives
143
Virtual LANs" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "144
Switches and Routers with VLANs .. "
"
145
VLANsand ARP" " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". " " " " " ". "146
VLANs Across switches" ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "147
VLAN Scalability " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". " " " " " ". "148
802.1Q
149
802.1Q Frame
150
Native VLAN
151
Concept Summary
152
153
Lesson 5: VXLAN: Logical Switch Networks
154
Learner Objectives. " ".. ".. "
".. "
".. "
".. "
"
155
VXLAN Tenus" ". " ".. ".. " ".. ".. " ".. ".. " ".. ".. "
".. "
"156
VXLAN Protocol Overview
157
Virtual Extensible LAN
158
NSX Use Cases
159
VXLAN Frame Format
160
Multicast: Network Components
161
Internet Group Management Protocol
162
Bidirectional PIM . "
".. "
".. "
"
"
"
163
NSX for vSphere VXLAN Replication Modes
164
VXLAN Replication: Control Plane
165
VXLAN Replication: Data Plane
166
Unicast Mode
167
Multicast Mode
168
Hybrid Mode
169
Unicast and Hybrid Mode: Same Host
" .170
Unicast Mode: Different Hosts
172
Hybrid Mode: Different Hosts
173
Multicast Mode: Different Hosts
174
Quality of Service
175
iv
MODULE 4
Contents
QoS Tagging
Physical Network Congestion
NSX Component Interaction: Configuration
NSX Logical Switching
Logical Switch
Lab 4: Introduction (l)
Lab 4: Configuring and Testing Logical Switch Networks
Concept Summary
Review of Leamer Objectives
Key Points
176
177
178
179
180
181
182
183
184
185
186
NSX Routing
You Are Here
Importance
Module Lessons
Lesson 1: NSX Routing
Learner Objectives
Supported Routing Protocols
OSPF Features
About OSPF
OSPF Neighbor Relationships
OSPF Packet Types
OSPF Hello Packets
Other OSPF Packets
OSPF Neighbor States
OSPF Router Types
OSPF Areas
OSPF Area Types
OSPF Normal Area
OSPF Stub Area
OSPF NSSA
OSPF Area and Router Types Example
Intermediate System to Intermediate System
IS-IS Features
IS-IS Areas
IS-IS Router Levels
IS-IS Neighbor Adjacency
IS-IS Design Considerations
BGP Features
Border Gateway Protocol
BGP AS Numbers
BGP Peers
187
188
189
190
191
192
193
194
195
196
197
198
200
201
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
v
BOP Peers Example

BOP Route Selection
Concept Summary
Lesson 2: NSX Logieal Router
Learner Objectives
Layer 3 Networking Overview
Layer 3 Enables Larger Networks
Distributed Logical Router
Hairpinning
Distributed Logical Router: Logical View
Distributed Logical Router: Physical View
Data Path: Host Components
VLAN LIF
Designated Instance
VXLAN LIF
Control Plane: Components
Logical Router Control Virtual Machine
Management, Control, and Data Communication
Deployment Models: One Tier
Deployment Models: Two Tier
Distributed Router Traffic Flow: Same Host
Distributed Router Traffic Flow: Different Host.
Lab 5: Configuring and Deploying an NSX Distributed Router
Concept Summary
Lesson 3: Layer 2 Bridging
Learner Objectives
VXLAN to VLAN Layer 2 Bridging
Use Cases
Layer 2 Bridging Details
Bridge Instance
Bridge Instance Failure
Layer 2 Bridging: Flow Overview
ARP Request from VXLAN
ARP Response from the VLAN
Unicast Traffic
ARP Request from VLAN
vi
220
221
222
223
224
225
226
227
228
229
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
262
263
264
Concept Summary
265
Learner Objectives
266
Lesson 4: NSX Edge Services Gateway
267
Learner Objectives.. " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . "268
NSX Edge Gateway" " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . "269
"
270
Integrated Network Services" ".. ".. "
NSX Edge Services Gateway Sizing
271
Features Summary. " " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . "272
NSX Edge Routing
273
Routing Verification
274
275
Lab 6: Introduction (I)
276
Lab 7: Introduction" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " . "277
Lab 6: Deploying an NSX Edge Services Gateway and Configuring
Static Routing " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "278
Lab 7: Configuring and Testing Dynamic Routing on NSX Edge
Appliances" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "279
" .280
Key Points
281
MODULE 5
Contents
NSX Edge Services Gateway Features

" .. "
" .. " .. " " .283
You Are Here. ".. " ".. ".. " ".. ".. " ".. ".. "
".. "
".. "... "284
Importance" " " . " " . " " " . " " . " " " . " " . " " " . " " . " ".. " " . " ".. " " . " ".. "285
".. "
"286
Module Lessons" .. " ".. ".. " ".. ".. " ".. ".. "... ".. "
287
Lesson 1: NSX Edge Network Address Translation
".. "
".. "
".. "
"
288
Learner Objectives. " ".. ".. "
Private IPv4 IP addresses
289
IPv4 Overlapping Space
290
Managing NAT Rules
291
" .292
Source NAT Deployment Using NSX Edge
Example: Set Up External Access to Web Server.
"
" .293
Add a Second External IP Address for NAT Use
294
295
Destination NAT Deployment Using NSX Edge
296
Creating a Destination NAT Rule for Inbound External Access
297
Create a Destination NAT Rule and Test Inbound Connectivity
299
Creating a Source NAT Rule and Testing Outbound Connectivity
Lab 8: Introduction (I) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
301
302
Lab 8: Configuring and Testing Network Address Translation on
303
an NSX Edge Services Gateway
Concept Summary
304
305
vii
Lesson 2: NSX Edge Load Balancing

306
Learner Objectives
307
NSX Edge Load Balancer
308
NSX Edge Load Balancer Modes
"
309
".. "
"310
Load-Balancer Operation .. " ".. ".. " ".. ".. " ".. ".. "
"
311
One-Ann Load Balancer" .. " ".. ".. "
One-Ann Load Balancer Traffic Flow
312
Inline Load Balancer" ". " ". " " ". " ". " " ". " ". " ".. " ". " ".. " ". " ".. "313
Inline Load Balancer Traffic Flow
" .314
Lab 9: Introduction
315
Lab 10: Introduction
316
Lab 9: Configuring Load Balancing with NSX Edge Gateway (1)" " " "317
Lab 9: Configuring Load Balancing with NSX Edge Gateway (2)
318
"
319
Lab 10: Advanced Load Balancing .. "
Concept Summary" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". "320
".. "
321
Review of Learner Objectives" .. " ". " ".. ".. "
Lesson 3: NSX Edge High Availability " " " " " " " ". " ". " " ". " ". " ".. "322
Learner Objectives
323
High Availability
324
NSX Edge High Availability Operation
325
Stateful High Availability
326
".. "
".. "
"
"
328
NSX Edge Failure. "
".. "
NSX Edge Services Gateway High Availability
329
330
Virtual Machine and Appliance Failure .. ".. "
ESXi Host Failure. "
".. "
".. "
".. "
"
"
331
"
"
"
"
332
" .333
Lab II: Configuring NSX Edge High Availability
Concept Summary
334
335
Lesson 4: NSX Edge and VPN
336
Learner Objectives
337
".. "
".. "
".. "
"
"
338
Logical L2 VPN .. "
339
Overview of Layer 2 VPN
Logical User (SSL) and Site-to-Site (IPsec) VPN
340
".. "
".. "
".. "
"
"
341
NSX IPsec VPN .. "
IPsec Security Protocols: Internet Key Exchange
" .. " . " " " "342
IPsec Security Protocols: Encapsulating Security Payload. " .. " . " " " "344
IPsec ESP Tunnel Mode Packet
" .. " .. " " .345
Configuration Example for IPsec VPN
" .346
IPsec with AES-NI
347
Add an IPsec VPN
348
" .349
NSX SSL VPN-Plus Service
" .. "
SSL VPN-Plus
350
viii
MODULE 6
Contents
NSX Edge SSL VPN-Plus Secure Management Access Server

Use Cases for SSL VPN-Plus Services
Lab 12: Configuring Layer 2 VPN Tunnels
Lab 13: Configuring IPsec Tunnels
Lab 14: Configuring and Testing SSL VPN-Plus
Concept Summary
Review of Leamer Objectives
Key Points
351
352
353
354
355
356
357
358
359
360
361
362
NSX Seeurity
You Are Here
Importance
Module Lessons
Lesson 1: NSX Edge Firewall
Leamer Objectives
NSX Edge and Distributed Firewall: Security Comparison
NSX Edge Firewall
Firewall Rule Types
Virtualization Context Awareness
Populating Firewall Rules
Source and Destination of a Rule
Firewall Service
Create a Firewall Serviee
Action Option
Publish Changes
NSX Edge Services Gateway: Form Factors
Lab 15: Introduction (I)
Lab 15: Using NSX Edge Firewall Rules to Control
Network Traffic
Concept Summary
Lesson 2: Distributed Firewall
Learner Objectives
Evolution of Firewall Placement.
Distributed Firewall Overview
Distributed Firewall Filtering
Distributed Firewall Location and Policy Independence
Distributed Firewall Policy Enforcement
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
ix
Distributed Firewall Components: Communication

392
Distributed Data Path
393
Policy Rule Objects
394
Layer 2 Policy Rules" ". " ". " " ". " ". " " ". " ". " ".. " ". " ".. " ". " ".. "395
Layer 3 and Layer 4 Policy Rules
396
397
Centralized Management of the Distributed Firewall
Using Distributed Firewall Sections
398
Policy Rule Objects" " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "399
" .400
Logical Switch Rule-Based Example
" .. "
Security Groups
401
Security Group Components
402
" .403
Rule-Based Security Group Example
" .. "
Applied To: Example "" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " .404
Lab 16: Introduction" ". " " " " " ". " " " " " ". " " " " " ". " " " " " ". " ". " " ". .405
Lab 16: Using NSX Distributed Firewall Rules to Control
Network Traffic" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " .406
Concept Summary" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". "407
" .408
Lesson 3: Flow Monitoring
.409
Learner Objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Flow Monitoring
411
Enable Flow Monitoring
.412
".. "
".. "
".. "
"
.413
Exclusion Settings. " ".. ".. "
".. "
.414
Viewing Flows. " ". " ".. ".. " ".. ".. " ".. ".. " ".. ".. "
Flow Views by Service
.415
".. "
".. "
.416
Live Monitoring" .. " ".. ".. " ".. ".. " ".. ".. "
Live Monitoring Output Example
.417
.418
Lab 17: Using Flow Monitoring
.419
Concept Summary
.420
.421
Lesson 4: Role-Based Access Control
.422
".. "
".. "
"
"
.423
Learner Objectives. "
".. "
Authentication, Authorization, and Accounting Model
.424
".. "
".. "
".. "
.425
Identity Sources" .. " ".. ".. " ".. ".. "
Identity Source vSphere Requirements
" .426
Role-Based Access Control for NSX for vSphere
" .. " .. "" "427
NSX User Roles
428
Scopes
" .. " .. " " "429
NSX Role Guidelines
.430
Permission Inheritance Example: Single Group
431
Permission Inheritance Example: Multiple Groups
432
Configure Role-Based Access Control
433
Define Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434

435
436
Lab 18: Managing NSX Users and Roles
Concept Summary
437
.438
Lesson 5: Service Composer
439
Learner Objectives
440
Service Composer
441
Using Service Composer
442
NSX Integrated Partners
443
NSX: Third-Party End-to-End Workflow
444
Registering Partner Services
445
Partner Service Registration: Palo Alto Networks
446
Partner Service Registration: Symantec
447
Service Installation
448
Security Policy
449
Service Composer Canvas
450
Canvas View (1)
451
Canvas View (2)
452
Canvas View (3)
453
Service Composer: Vulnerability Scan Example
.454
Serviee Composer: Traffic Redirection with PAN Example (1)
.455
Service Composer: Traffic Redirection with PAN Example (2)
.456
Concept Summary
.457
458
Lesson 6: Other Monitoring Options
459
Learner Objectives
.460
About Syslog
.461
Syslog Format
.462
vCenter Log Insight.
.463
Concept Summary
.464
.465
Review of Learner Objeetives
Key Points
.466
Contents
xi
xii
VMware NSX: Install , Config ure, Manage
MODULE 1
II
Course Introduction
Slide 1-1
oa
c
Cil
(1)
Module 1
:J
......
i3
c.
c
VMware NSX: Install , Configure , Manage
Q.
o'
:J
Importance
Slide 1-2
VMware NSXTM is the network virtualization and security platform for

the software-defined data center. NSX brings virtualization to your
existing network and transforms network operations and economics.
VMwa re NSX: Install , Configure, Manage
II
Learner Objectives
Slide 1-3
oa
By the end of this course, you should be able to meet the following
objectives:
c
Cil
(1)
Describe the evolution of the software-defined data center
::J
......
Describe how NSX is the next step in the evolution of the softwaredefined data center
ac.
Describe data center prerequisites for NSX deployment
o'
::J
Describe basic NSX layer 2 networking
Q.
Configure, deploy , and use logical switch networks

Configure and deploy NSX distributed routers to establish East-West
connectivity
Configure and deploy VMware NSX Edge services gateway appliances
to establish North-South connectivity
Configure and use all the main features of the NSX Edge services
gateway
Module 1
Cou rse Introduct ion
Learner Objectives (2)

Slide 1-4
By the end of this course, you should be able to meet the following
objectives:
Configure NSX Edge firewall rules to restrict network traffic
Configure Distributed Firewall rules to restrict network traffic
Use role-based access to control user account privileges
Use Activity Monitoring to determine if a security policy is effective
Use Flow Monitoring to monitor network traffic streams

Configure Service Composer policies
II
You Are Here

Slide 1-5
oa
c
Cil
(1)
VMware N5X: Install Configure Manage
:J
......
i3
c.
IE
Q.
o'
:J
Course Introduction
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Security
Module 1 Course Introduction
Typographical Conventions
Slide 1-6
The following typographical conventions are used in this course.
Monospace
Filenames, folder names , path

names , and command names :
Navigate to the VMS folder.
Monospace bold
What the user types :

Enter ipconfig /release.
Boldface
User interface controls:

Click the Configuration tab.
Italic
Book titles and placeholder

variables :
vSphere Virtual Machine
Admin istration
ESXi- hostname
II
References
Slide 1-7
oa
c
Cil
(1)
::J
......
ac.
Title
Location
NSX Installation and Upgrade Guide
http://pubs .vmware .com/NSX-6/index.jsp
NSX Administration Guide
http://pubs.vmware.com/NSX-6/index.jsp
Module 1
Course Introduction
Q.
o'
::J
About NSX
Slide 1-8
NSX is a network virtualization platform that enables you to build a

rich set of logical networking services.
Logical Switching: Layer 2 over Layer 3,
decoupled from the physical network
Logical Routing: Routing between virtual
networks without exiting the software
container
Logical Firewall: Distributed Firewall,
Kernel Integrated, High Performance
Logical Load Balancer: Application Load
Balancing in software
Any Network Hardware
Logical VPN: Site-to-site and remote

access VPN in software
NSX API: REST API for integration into
any cloud management platform
Partner Ecosystem
II
NSX Cert ification

Slide 1-9
oa
For details about VMware certifications, go to:
c
Cil
(1)
http://mylearn.vmware.com/portals/certification
::J
......
ac.
c
Q.
o'
::J
Module 1
Course Introduction
VMware Learning Path Tool

Slide 1-10
vmwareEDUCATION SERVICES
Learning Path Tool

Learn by SolutionTrack. Role. Product. or Certification
Choose YourPath'
Leamby
Leamby
Leamby
Solution Track
Role
Product
Achieve
Certification
To determine your learning path for VMware training, go to:

http://vmwarelearningpaths.com
To make the VMware training that you take most valuable, you must decide which learning path to
take. Your learning path can be based upon a solution track that you want to pursue or a role in your
organization that you want to take on. Your learning path can also be based on a product that you
want to master or a VMware certification that you want to achieve. Regard less of wh ich path you
choose, the VMware Learning Path Tool can help you to succeed and achieve your goal.
10
VMware NSX : Install , Configure, Manage
II
NSX Resources
Slide 1- 11
oa
For NSX technical information, use the following resources:
c
Cil
(1)
NSX Resources
http://www.vmware.com/products/nsx/resources.html
::J
......
ac.
VMware Communities
http://communities.vmware.com/
VMware Support
http://www.vmware.com/support/
VMware Education
http://www.vmware.com/education
VMware Support Toolbar

http://vmwaresupport.toolbar.fm
Q.
o'
::J
Making full use of VMware technical resources can save you time and money. The following are
extensive VMwa re Web-based resources:
The VMware Communities Web page provides tools and know ledge to help users maximize
their invest ment in VMware products. VMware Communities provides information about
virtua lization technology in technical papers, documentation, a know ledge base , discussion
forums , user groups , and technical newsletters.
The VMware Support page provides a central point from which you can view support offerings,
create a support request, and download products, updates, drivers and tools, and patches.
You can view the course catalog and the latest schedu le of courses offered worldwide on the
VMwa re Education page. This page also provides access to informat ion about the latest
advanced courses offered worldwide.
For quick access to commu nities, documentation, downloads, support information, and more ,
install the VMware Support Toolbar, which is a free download .
VMware vSphere documentation is availab le on the VMware Web site. From this page, you
can access all the vSphere guides , which also include guides for optional modules or products.
Module 1
Cou rse Introduction
11
12
VMware NSX: Install , Configure, Manage
MODULE 2
N5X Networking
Slide 2- 1
Module 2
II
z
><
zCD
en
?o
.....
~
::J
to
VMwa re NSX: Install , Configure , Manage
13
You Are Here

Slide 2-2
VMware NSX: Install Configure Manage
IE
Course Introduction
NSX Networking
NSX Routing
NSX Edge Services Gateway
NSX Security
14
VMware NSX: Install , Configu re, Manage
Importance
Slide 2-3
Understanding the high level concepts of the software-defined data

center and network virtualization using VMware NSXTM is critical to
efficiently using NSX in the virtualized environment that enterprises
are moving to.
II
z
><
(j)
CD
?o
.....
:::J
to
Module 2
NSX Networking
15
Module Lessons
Slide 2-4
Lesson 1:
Introduction to vSphere Virtualization
Lesson 2:
Overview of the Software-Defined Data Center
Lesson 3:
Introduction to NSX and NSX Manager
Lesson 4:
NSX Controller
16
Lesson 1: Introduction to vSphere Virtualization

Slide 2-5
II
z
><
(j)
Lesson 1:
Introduction to vSphere Virtualization
CD
?o
.....
:::J
to
Module 2
NSX Networking
17
Learner Objectives
Slide 2-6
By the end of this lesson, you should be able to meet the following
objectives:
Discuss the features of VMware vSphere
Provide an overview of the challenges that vSphere is intended to

resolve
18
Virtual Machines
Slide 2-7
II
Real Operating System
z
><
(j)
Dedicated Virtual Hardware
CD
?o
.....
Real Applications
:::J
to
Stable and Dependable
No Need for Modification
No Special Changes to
as
Virtual machines look and behave like physical servers .

Users might not be able to distinguish a virtua l machine from a physical server. Subtle differences
make virtual machines unique and helpful in the data center. The hardware of a virtual machine is
softwa re.
This feature gives you many advantages, such as the ability to replace and upgrade components of
the virtual hardware quickly.
Virtual hardware also allows you to add hardware devices such as network cards and processors
without rebooting the virtua l machine.
Ultimately, virtual hardware can help reduce your downtim e because you do not need to reboot your
virtual machin es every time you want to upgrade their capabilities.
Module 2
NSX Networking
19
Benefits of Virtual Machines

Slide 2-8
Image Backups
Bare-Metal Backups
File-Based Restores
Hardware Independence for Restores
Virtual machines can be used to host any application from file servers, database serve rs, email
serve rs, and even high-p erform ance application servers.
Organizations might choose to virtualize their servers for the followin g reasons:
Consolidate lightly used servers to conserve space and power in their data center. These
workloads are ideal for virtualization because you can often place many virtua l machines on a
single physic al host.
Increase availability, whether as a protection scheme against common hardware failures or
compl ete site-level disasters. Virtual machines are easy to move, copy, and restore, so they
make disaster recovery simple.
Provision new servers quickl y because new virtual machines can be created and deployed in
minut es.
20
ESXi Hypervisor
Slide 2-9
VMware ESXi benefits:

Direct hardware access
Type 1 Hypervisor
II
Type 2 Hypervisor
z
><
zCD
Less overhead than hosted hypervisors
en
Flexible installation options
?o
.....
~
::J
to
11
ESXi
I:l
---
=Lower resource overhead
VMware ESXi is a VMware type I hypervisor. ESX i is a bare-metal hypervisor. This hypervisor
performs the role of resource management while enjoying direct access to the underlying physical
hardware.
This hypervisor can improve your resource efficiency because of less operating system overhead . In
addition, the stability of the ESX i hypervisor is not dependent on another operating system.
ESXi is commonly insta lled directly on hard drives in your physical server, but ESXi can also be
installed onto flash drives, SO cards, and USB drives.
You can also network-boot an ESX i host using traditional boot from network tools such as preboo t
execution environment (PXE) and Trivial File Transfer Protocol (TFTP) servers.
VMware provides several ways to deploy your ESXi hosts because each organization's needs vary.
ESXi hosts your virtua l machines and provides some basic management functions to help you
deploy and control your virtual mach ines.
Module 2
NSX Networking
21
vCenter Server
Slide 2-10
VMware vCenter Server"
Active Directory
dom ain
vSphere Client
is scalable
ESXi host
ESXi host
ESXi host
vCenter Server
Components:
Identity Management Server
Database Server
1,000 ESXi hosts
Application Server
Web Server
10,000 VMs
VMware vSphere Web Client
VMware vCenter Server" is a multitier application designed for the enterpris e, but is capabl e of
managing even the smallest of organizations. The vCenter Server system is designed to be highly
scalabl e and can expand with your data center virtu alization initiatives. The vCenter Server system
includes components for an Identity Management Server, Database Server, Application Server, Web
Server, and VMware vSph ere Web Client.
You can deploy the vCenter Server system in various forms and install the roles onto a single server
or multipl e servers depending on your needs. The vCenter Server system can be installed on a
Windows system or deployed as a virtual appliance to give you more flexibility.
A single vCenter Server system can scale from managing a single ESXi host up to 1,000 ESXi
hosts. The vCenter Server system can also manage up to 10,000 pow ered on virtual machin es, which
is ju st one vCenter Server instance.
As an organization expands, you can add more vCent er Server instances and even migrate into a
cloud-b ased configuration to provid e more management and provisioning abiliti es.
22
vCenter Server Management Features

Slide 2-1 1
The vCenter Server system is a centralized platform for management

features.
II
The vCenter Server system includes the following management

features:
z
><
VMware vSphere vMotion
(j)
VMware vSphere Distributed Resource Scheduler" (DRS)
VMware vSphere Distributed Power Manaqernent" (DPM)
?o
VMware vSphere Storage vMotion

VMware vSphere Storage DRS
CD
.....
VIT1W<lre
:::J
to
VMwar e v Center
Server
VMware vSphere Data Protection

VMware vSphere High Ava ilability
VMwa re vSphere Fault Tolera nce
VMware vSphere Replication
The vCenter Server system manag es each of your ESXi hosts. The vCenter Server system can
perform operations that require multiple ESXi hosts.
The vCen ter Server system includes the following featur es:
VMware vSphere vMotion enabl es you to migrate running virtua l machines from one ESXi
host to another without disrupting the virtua l machine.
VMware vSphere Distributed Resource Scheduler" (DRS) provid es load balancing for your
virtual machines acros s the ESXi hosts. DRS leverages vSphere vMo tion to balanc e these
worklo ads.
If configured, VMw are vSph ere Distribu ted Power Managem ent" (DPM) can be used to
power off unused ESXi hosts in your environment. DPM can also pow er on the unused EXI
hosts at the correct time.
VMware vSphere Storage vMotion allows you to migrate a running virtual machine 's hard
disks from one storage device to another devic e.
VMware vSphere Storage DRSTM automates load balancing from a storag e perspective.
VMware vSphere Data Protection" enab les you to back up your virtual machin es.
Module 2
NSX Networking
23
VMware vSphere also has availability features such as VMware vSphere High
Availability'P' to restart your virtual mac hines on another host if you have a hardware problem.
If a virtual machine restart is too slow, VMware vSphere Fault Toleranc e provid es
uninterrupted availability for your virtual machines.
VMware vSphere Replication" can copy your virtual machin es to another site for disaster
recovery.
24
vSphere vMotion
Slide 2- 12
en
X
ro
~
o
~
'"
<0
vSphere vMutiun allows yuu tu migrate a running virtual machine from one ESXi host to another,
even during norm al business hours.
You can usc vSphere vMotion to help load balance your ESX i hosts in a cluster.
vCenter Server orchestrates a copy process between the ESXi hosts. The memory is copied between
the hosts and the virtual machioe is transferred to the new host.
vSphere vMutiun can operate without shared storage, meaning that you can migra te a running
virtual machine between hosts, even if the ESXi hosts have no shared storage in common.
Module 2
NSX Networking
25
Shared Storage
Slide 2- 13
Shared Storage
Virtual Machines
Applications and Operating Systems
Visible to multiple ESXi hosts

Typically used to store
virtual machines and ISO files
ESXi Hosts
Storage Array
vSphere supports Fibre Channel, Fibre Channel over Ethernet (FCoE), iSCSI, and NFS for Shared
storage. vSphere also supports local storage .
Each storage option has its own strengths and weaknesses. So VMware does not cons ider one
storage type as better than another for virtua lization.
26
VMware NSX: Install, Configu re, Manage
Features That Use Shared Storage

Slide 2- 14
The following features use

shared storage:
DRS
II
Virtual Machines
Applications and Operating Systems
DPM
vSphere Storage DRS
vSphere HA
vSphere FT
z
><
zCD
en
?o
.....
~
::J
to
ESXi Hosts
Storage Array
Features that are listed in the slide require a shared storage infrastructure to work properly.
Module 2
NSX Networking
27
Virtual Networking
Slide 2- 15
Virtual networking is similar to physical networking. Each virtual machine and ESXi host on the
network has an address and a virtual network card. These virtual network cards are connected to
virtual Ethernet switc hes.
Virtual switches attach your virtual machin es to the physical network, or you can create isolated
networks to be used during testing and development. Virtual networking provides the same
flexibility as server virtualization.
28
Virtual Switch Types

Slide 2-16
Virtual switches are of the following types:
Standard switch architecture: Manages virtual machine and networking

at the host level
VMware vSphere Distributed Sw itch architecture: Manages virtual

machine and networking at the data center level
II
z
><
(j)
CD
?o
.....
:::J
to
Virtual switches can be of different forms, each with a different feature set. vSphere supports two
main categories of virtua l switches: the standard switch and the VMware vSphere Distributed
Switcht>'. Both switches help you to reduce network clutter by reducing the number of physical
network cab les plugged into your ESXi hosts .
Each ESXi host is preb uilt with a standard switch that provides basic connectivity and management
features . The distributed switch expands upon that model by providing a central interface to manage
the different connections and features found in the virtual switches . The distributed switch can
provide more features as a resu lt of this centralized management approach.
Module 2
NSX Networking
29
Networking Features
Slide 2-17
Networking has the following features:

VLANs
Traffic shaping
Port mirrorin g
Q08, D8CP
CPD/LLDP
Virtual networking can be as simpl e or as comp lex as you need. The following features are
supported by vSphere:
VLANs provide logieal separation of your network traffic , and are often used to isolate different
subnetworks. such as a test or restore network.
Traffic shaping is a feature that allows you to restrict the inbo und and outbound network
bandwidth ofa group of virtual machine s. This feature can help reduc e congestion in your
virtual network.
Port mirroring enables you lu monitor a virtual machin e's traffic for troubleshooting or intrusion
prev ention. This feature allows you to capt ure all the traffic sent to or from a virtual machine
for later inspec tion.
Quality of service (QoS) and DSCP are networkin g standard s that allow network switches to
prioritize certain network traffic over others. An example is prioritizing the voice traffic from a
call manager server to improve performance .
NetFlow is a network monitoring tool that allows you to determin e your top talkers on the
network and other metadata about the comm unications that occur on your network.
30
VMware NSX: Install, Configure , Manage
Cisco Discovery Protoco l (CDP) and Link Layer Discovery Protocol (LLDP) are discovery
protoco ls used to identify neighboring physical network switches. CDP and LLDP can be used
to help discover and troubl eshoot misconfigurations.
II
z
><
(j)
CD
?o
.....
:::J
to
Module 2
NSX Networking
31
vSphere Product Placement

Slide 2- 18
'-
>.
;t:::
1/1
.~
.c
..!!!
Q)
Q,
>.
J:
vSphere
Edition
32
en
w
r:::
III
0
:;:;
Q)
0
'0..
0
:;:;
0
..r:::
::!:
>
Cl
r:::
r:::
III
III
r:::
0
(1);
'- III
Q) u
..r::::=
Q,Q,
en
Q)
>0::
0
:;:;
0
Q)
u
r:::
en
--
::!:
III
'-
0::
0
"C
Q)
Q)
::l
>
Cl
III
'-
Q)
en
::l
III
LL
en
0::
0
::!:
0..
Essentials
Essentials Plus
Standard
Enterprise
Enterprise Plus
Q)
Cl
III
'-
.c..r:::
.u
'-.-
en
oen
.!!!

Slide 2-19
You should be able to meet the following objectives:
Discuss the features of vSphere
Provide an overview of the challenges that vSphere is intended to

resolve
II
z
><
(j)
CD
?o
.....
:::J
to
Module 2
NSX Networking
33
Lesson 2: Overview of the Software-Defined Data Center

Slide 2-20
Lesson 2:
Overview of the Software-Defined Data
Center
34
Learner Objectives
Slide 2-2 1
objectives:
Describe advantages of the software-defined data center
Identify components of the software-defined data center
II
z
><
(j)
Explain the role of the virtual network in the software-defined data

center
CD
?o
.....
:::J
to
Module 2
NSX Networking
35
Choices for IT
Slide 2-22
Software is the foundation that is powering the evolution of networks

and data center infrastructure.
Software-Defined
New IT
Data Center
Hardware Defined
Data Center
(
No IT
Outsourced
Today, enterpris e busin ess leaders want their IT to create applic ations quickly and easily. Enterprise
business leaders must decide whether to build in-house IT or to outsourc e their IT and app lications.
36
Data Center Models

Slide 2-23
Businesses that want to deploy applications and their necessary

server infrastructure quickly, choose between the current hardwarebased model and the software-defined data center.
Hardware-Defined
Data Center
OR
Any Application
II
Software-Defined
Data Center
Applicatio n-Spec ific Policies
z
><
(j)
Any Application
CD
~~~~~~~~i5l
~
Data Center Virtualization
Any x86
Any Storage
App lication -Specific Policies
Any IP Network
The hardware-defined data center is the traditi onal model. This model includes racks of equipment
and each piece of hardware includes one or more specific defined tasks. Email, database, and other
business-criti cal applications run on specific servers . This mod el is not the answer for futur e
requir ements.
Module 2
NSX Networking
37
?o
.....
:::J
to
Advantage of Software-Defined Data Center

Slide 2-24
Some of the most agile providers and consumers are moving system
intelligence into software through custom applications or platforms.
Google I Facebook I
Amazon Data Centers
":oftwa re I Hard ware Abstraction
oftware I Hardware Abstraction
Any x86
Any Storage
Any IP network
Providers are decoupled from physical infrastructure, allowing them to use any x86, any storage,
and any IP networking hardware. This approac h increases agility, reduces cost, and provides a
highly scalable infrastructure with a softwa re-defined data center approac h. These benefits resu lt
from a hardware-abstraction layer software that runs on top.
38
VMwa re NSX: Install , Configu re, Manage
Choice for New IT

Slide 2-25
Software can innovate much faster than hardware.
Software-Defined
Data Center
Any Application
Google I Facebook I
Amazon Data Centers
II
Hardware-Defined
Data Cente r
z
><
(j)
Any Application
CD
?o
....
:::J
to
Any x86
Any Storage
Any IP network
~J
The software-defined data center is similar to the approac h taken by Amazon, Goog le, and
Facebook. This approac h does not include a vertically integrated hardware-specific approac h. For
example, with a hardware-centric infrastructure, you must buy in-unit networking hardware for the
network to function. With the software-defined data center approac h, you can run any network
switch.
Module 2
NSX Networking
39
Software-Defined Data Center as New IT

Slide 2-26
The software-defined data center can span across multiple data

centers and into hybrid service providers, independent of physical
infrastructure.
Software-Defined
Data Center
Inter-Data Center
Hybrid Data Center
Any Application
Any Application
Any Application
Any x86
Any x86
Any x86
Any Storage
Any Storage
Any Storage
Any IP network
Any IP network
Any IP network
. .
.. .... .
Data Center
. .
vutuanzauon
VMware NSX TM can do layer 2, SSL, and IPSEC VPNs . This functionality provi des business
continuance and disaster recovery capab ilities, whic h are not otherw ise avai lable. NSX can be
combined with VMware vCloud Hybrid Service" to provi de a hybrid cloud strategy.
40
Components of a Software-Defined Data Center

Slide 2-27
The software-defined data center extends virtualization.

Applications
App lications
Applications
Software-Defined
Data Center
Software-De fi ned
Dat a Center
Software-Defined
Data Center
Virtual Compute
Virtual Storage
Virtual Network
Policy
Security
Scale
Virtual Compute
Virtual Storage
Virtual Network
Policy
Security
Scale
Virtual Compute
Virtual Storage
Virtual Network
Policy
Security
Scale
II
z
><
zCD
en
?o
.....
~
::J
Desktop
Storage
~ ---~--------------------------------------------_.
Admin
Policy Configuration
Operational Visibility
Clo ud Manageme nt
to
Internet
Virtual Desktop
Laptop
Tablet
Mobile
Hardware Independence
IP Network
Hardware
Server
Hardware
Sto rage
Hardware
Location Independence
Data Cen ter 1
Data Ce nter 2
Public DC
The software-defined data center extends the virtualization conc epts like abstraction, poolin g, and
automation to all data center resources and services. Components of the software-defined data center
can be implemented together, or in phases:
Compute virtualization, network virtualization, and software-defined storage deliver
abstraction, pooling, and automation of the compute, network, and storage infrastructure
services.
Automated management delivers a framework for policy-based management of data center
application and services.
Module 2
NSX Networking
41
Vision and Strategy

Slide 2-28
The software-defined data center is not a product, but it is an

approach.
The software-defined data center leverages products from VMwa re and other companies.
Manage ment and orchestration are used to configure, manage, monitor, and operationalize a
software-defined data center. Produc ts like VMware vCloud Automat ion Center'?', VMware
vCe nter Opera tions Management Suitet>', and VMware vCenter Log Insight" and also third party solutions or custom cloud management platform s can be used.
The software-defined data center has the followin g advantages :
A software-defined data center is decoupled from the und erlying hardware, and takes advantage
of underlying network, server, and storage hardware.
A software-defined data center is location-independent and can be in a single data center, span
multi ple private data centers, or span hybrid public data centers
A software-defined data center leverages a data center virtualization layer to enable
independent, isolated application environments to be deployed on top of the hardware and
location-independent infrastructure.
42
Virtual Compute , Storage, and Network

Slide 2-29
The pooling of hardware resources provides many advantages.
II
z
><
(j)
Software
Virtual
Machines
Virtual
Networks
Virtual
Storage
-------------------------Hardware
Compute
Capacity
Network
Capacity
CD
.....
Application
Consumption
Storage
Capacity
Location Independence
?o
~
:::J
to
Desktop
Internet
Virtual Desktop
Laptop
Tablet
Mobi le
The software-defined data center is a unified data center platform that provides automation,
flexibility, and efficiency. Compute, storage , networking, security, and availability services are
pooled, aggregated, and delivered as softwa re. These services are also managed by intelligent,
policy-driven software.
Module 2
NSX Networking
43
Data Center Hardware

Slide 2-30
NSX uses existing data center hardware.
'cal Network
, ling phySI
EXl5u
NSX enables you to start with your existing network and server hardware in the data center.
44
Hypervisors and Virtual Switches

Slide 2-3 1
ESXi hosts, virtual switches, and distributed switches run on the

hardware.
en
X
ro
~
o
~
'"
<0
Module 2
NSX Networking
45
NSX: Network Virtualization Platform

Slide 2-32
NSX handles the data across the virtual switches.
NSX adds nothing to the physic al switching environment. NSX exists in the ESXi environment and
is independent of the network hardware.
46
About a Virtual Network

Slide 2-33
A virtual network is a software container that delivers network

services. These network services are expected from a network by
connected workloads.
II
z
><
zCD
en
?o
.....
~
::J
to
Module 2
NSX Networking
47

Slide 2-34
NSX virtualizes logical switching.
The slide shows an example of layer 2 connectivity between two virtual machin es on the same
hypervisor and host. Traffic on the layer 2 network never leaves the hypervisor.
48

Slide 2-35
NSX virtualizes logical routing.
II
z
><
zCD
en
?o
.....
~
::J
to
. INetwork
Existing PhyslC3
The slide shows an example where NSX virtualizes the layer 3 connectivity between two virtual
machin es on the same hypervisor and host. NSX virtualizes the layer 3 connectivity in different IP
subnets and logical switch es with out leaving the hypervisor to use a physical router. This
virtualization also provides routing between two virtual machin es on two different sides of the data
center across multipl e layer 3 subnets and availability zones.
Module 2
NSX Networking
49
Concept Summary
Slide 2-36
A review of concepts discussed in this lesson:
What is the layer where management components

operate?
The management plane
What is the layer where control components operate?

What is the layer where data is transmitted?
The data plane
What is a vSphere port group created on a distributed

switch with NSX modules installed called?
A logical switch
What are multiple tenants connected to the same egress

point segregated by isolating the tenant networks called?
What handles NSX communications between the
VMware NSX Manager!" , VMware NSX Controller!" ,
and ESXi host?
What uses layer 3 UDP encapsulation to extend logical
layer 2 networks across layer 3 boundaries?
What is used for integration into cloud management
platform?
What is the virtual machine used by NSX for control
plane operations?
50
The control plane
Multitenant
User World Agent (UWA)
Virtual Extensible Local Area Network
(VXLAN)
Representational State Transfer API
(REST API)
NSX Controller

Slide 2-37
Describe advantages of the software-defined data center
Identify components of the software-defined data center
Explain the role of the virtual network in the software-defined data

center
II
z
><
(j)
CD
?o
.....
:::J
to
Module 2
NSX Networking
51
Lesson 3: Introduction to NSX and NSX Manager

Slide 2-38
Lesson 3:
Introduction to NSX and NSX Manager
52
Learner Objectives
Slide 2-39
objectives:
Describe capabilities of NSX
Explain differences between the data, control, and management planes
Recognize NSX topologies
Illustrate the role of NSX Manager
II
z
><
(j)
CD
?o
.....
:::J
to
Module 2
NSX Networking
53
NSX Capabilities
Slide 2-40
NSX has a number of features.
Lo gical Switching: Layer 2 over Layer 3,

decoupled from the physical network
Logical Routing : Routing between virtual
networks without exiting the software container
Logical Firewall: Distributed firewall, kernel
integrated, high performance
Logical Load Balancer: Application load
balancing in software
Any Network Hardware
Logical Virtual Private Network (VPN): Siteto-site and remote access VPN in software
VMware NSX APITM : REST API for integration
into any cloud management platform
Partner Ecosystem
NSX provides the following function al services:

Logical layer 2 to enable the extension of a layer 2 segment or IP subnet anyw here in the fabric
irrespective of the physical network design.
Distributed routin g to enable routin g between IP subnets without traffic going out to the
physical router.
Distributed firewall to enable security enforcement at the kernel and VNIC level.
Logical load balancing to provid e support for layer 4 throu gh layer 7 load balancin g with the
ability to do SSL termination,
SSL VPN services to enable layer 2 VPN services.
54
Prepare for Installation: Client and User Access

Slide 2-4 1
The requirements for deploying NSX to a vSphere environment are

the following:
II
Management system and browser requirements:

A supported web browser:
-
z
><
Internet Explorer 8, 9 (54-bit), and 10.
(j)
- The two most recent versions of Mozilla Firefox.
CD
- The two most recent versions of Google Chrome.
?o
.....
The vSphere Web Client.
:::J
Cookies enabled in the browser used for management.
to
Environment requirements:
Correct DNS configuration for ESXi hosts added by name.
User permissions to add and power on virtual machines.
Permissions to add files to the virtual machine datastore.
NSX has the following requirements:

vCenter Server 5.5 or later
ESXi 5.0 or later for each server
VMware Tools'P'
Module 2
NSX Networking
55
Prepare for Installation: Port Requirements

Slide 2-42
NSX components require a number of ports for NSX

communications:
443 between the ESXi hosts , vCenter Server, and NSX Manager.
443 between the REST client and NSX Manager.
TCP 902 and 903 between the vSphere Web Client and ESXi hosts.
TCP 80 and 443 to access the NSX Manager management user
interface and initialize the vSphere and NSX Manager connection.
TCP 22 for CLI troubleshooting.
NSX requires these port s for installation and daily operations.
56
Installation: Manager OVA

Slide 2-43
After ensuring the correct preparation steps, install the OVA:
II
1. Obtain the NSX Manager OVA file.

2. Deploy the NSX Manager OVA file.
3. Log in to the NSX Manager.
z
><
(j)
4. Establish the NSX Manager and vCenter Server connection.
5. Back up the NSX Manager data.
CD
?o
.....
:::J
to
To install the OVA
1. Place the NSX Manager Open Virtualization Appliance (OVA) file in a location access ible to
your vCenter server and ESXi hosts.
2. Import the OVA like any other virtua l machine.
During the import process you are prompted to configure the initial network settings .
3. Power on the NSX Manager.
4. Log in to the administrative interface to configure the NSX Manager.
5. Configure the different NSX settings.
The NSX features are ready to use.
Module 2
NSX Networking
57
Initial Configuration: Management UI

Slide 2-44
Access the NSX Manager user interface to configure the manager

initially.
--.,
I ..... ... J
"._"'
~
...
-----------------------1
NSX ManagerVirtualAppliance Management
Download Tech sccccn LOg
Manage Appll3nte settIf'lgs
BackUp & Restore
Manage vCenter PegrstranOll
upgraoe
After logging in to the NSX Manag er, click Manage App liance Settings to configure the initial
settings.
58
Initial Configuration: Time and Syslog Settings

Slide 2-45
Configure the time server and syslog settings.
. ..-
II
....-... ".,
I ' .. _,
st11lNC'J,
Gene ral
..
Spttll'1 P'lTP urvtr t1etow Fot 590 ton"atlon 10work cor~tIY It II reQulrt d 1tl0i1 tt..,
be In sync 11'5 lecOftlfMnd~ lo U'58the same
NTP$eM'1
192 168 no 10
Tim.lone
tJTC
01108f1Q14 21 35 U
e!Jlme
z
><
zCD
en
Uneontlgur. HTP serv!i!"] ~
rime s.n mg.

mpUM."t tJ'5edbY1M!'sao51-rver
on !tit, 'tIrtlJll aoppllinu
~n13
tffP UM'r ItlOuk!
?o
.....
~
::J
to
( Unc(Ml(lg urt
S}osIogSefwf
J~
You( an s~1ftthe IP ad4feu Ot ".me oftrle "rs," S.t"Mlf Sh.' elln De rnolYe'd uSIng1M!'abO'tementioned ONS Sel't'tf{'S)
Syttog StfWf
"<'C-I-Q1 a corp local
PM
51'
ProtocOl
UOP
l .....
...us
On the general page, configure the time and Syslog services.
Module 2
NSX Networking
59
Initial Configuration: Network Settings

Slide 2-46
Assign the NSX Manager to the correct IP address and configure

other IP settings.
51 II IHGS
Hostn~
ns:.mgrI-Ota
Dom aItl N ."...
SSL Ctl1U'Iutft
1PY4 lnfonn.allOn
Inl68"OU
Ne1mask
155255 ''55 0
Df'f~I1.
191 168110 :1
Oartway
IP6InfOfftUlllon
Acld,e ",
Prtl'ilLengttl
OtfaulOa~
~Il oblecti lert'n~nc:t'G ustng ill hOi~ilme , 'l'OO mus.l prtMde one 01' mQfe ONS Unotf'S commonlO ..c~r. ESXhOm and
~r ~tl.'. co~nts (Ifl)llmiliTYor st< ol\d ary UMf I S. ...mO\Ot<l.lle fleld Mllablt (Ins ......., In ItItllntwouhJ aUumt tnt ""POns.lbl!lt'J')
To rnOfwto
lPt ONSStrm1
PJ1m;wy~
In 168 110 10
Sf' COndiitY SeolWf
Ifl\ofiONSStt\l\"fs
Pr1rntSef'm
SecondaryStfWr
Verify that the network settings are correc t.
60
Initial Configuration: vCenter Server Connection

Slide 2-47
Register the NSX Manager with a vCenter Server to begin using NSX
capabi Iities.
II
z
><
zCD
1'''''_
....... ~ , . "'IjI"+C.1~
'1'1'110;1' ' -
en
-'
lookup SeNe..
F'or~.'*r "r~",
s.rw:.
S 1 _~, lOU","confgur, LOOI<UD

""'d Pf~ tie sao MmInI'tr~fOr
lsotlAOn\It... IIIlto ~(~lM<JIlot..tlheNTP
?o
crt1lIff\ll.Io~'l"NSlC .... M~~I'lCS.Mt . . .

ttMl' lOt
ton6gu'.lIbtlrllOw()t', (NQ('"
sse
.....
...:-,,(: ~ ""Cl IlO "
~
::J
.c.,.., Urvtf .,..atI\f1I NSX
l1Wtntott HTTPS ll'Ol1{ ~ ~l'I"iU
to
E..
" 1!'lIQ'~~
StiNK' to dflotaYfJ ...........,.II'lft.W1I(t./rt'
IOll.OO'tflHfOf(Clf'lVnUl'll{a~ll"""tfl
H$l(
Ml nl9 tmt"' StMt:.
"~.'" IHtotI1:lltnllln(l U"rN.(.t.OfC",,~ "'.pannolol'

lMlIII~bon'lfIt1\ot 'N$XMtalIWOf'l and UP",ad'0\Ii".. WIl)ufI'C.'"
t1O$Uocf Dr
ESlCalIdVC For.U 1l.lafportS
S''''''-'''O~In( pl.n. trltvf''''iC~'CPV and
1(:,,.,..,.... N.me
.c'MltS.!'Wtr
10 . 1 0 .10 .1 1
roo!
SlIIIn
"l'Wf"
...c...,
IMfl'oOlYrn.,....-..ontl !JfWtfltot'M1 i1I~hlC'W
ConnIfd
Connect the NSX Manager to the desired vCenter Server and the initial configuration is complete.
Module 2
NSX Networking
61
NSX Overview: Planes

Slide 2-48
Each component operates in a specific plane.

Consumption
Model
Management
Plane
- - ----- - - - - - - - - - ------ - - - - - - ------ - - - - - - - - -- ---- - - - - - - --- ----.- - - - - - - ------- - - - - - -- ------- - - - - -- - - - ---- - -- - - - ---
Control
Plane
.--- - - ---_.- - - -- -------- ------- -- ---- ------------- .--- - -- ---- - ------_.- - - --- ------ - -- -----. -- - - --------- - ----------
Data
Plane
NSX uses the management plane, control plane, and data plane models. Compo nents on one plane
have minimal or no effec t on the functi ons of the planes below.
62
NSX Overview: Data Plane Components

Slide 2-49
The data plane handles the flow of data between endpoints.
II
Consumption
Model
z
><
Management
(j)
Plane
--------------------------------------------------- ------ - - - - - - - - ------ - - - - - - - - - ------ - - - - - ---- - - - - - - - --- -------
CD
?o
Control
Plane
....
:::J
to
-- - ----- - - - - - ---- -- - - - - -_.- - - - - - - - --- - - - -- ----- - - --- - ----- - - - ------- - - - ---_.- -- - -- -------- -- ------ ---------- - ------
NSX Virtual Switch
NSX Edge
Services
+ ~ lti ~ ' G ateway
=-liDii,stil,rib~~u ted
. h
Data
Plane
: VXLAN
~
Distri but ed Firewall :

I.:C? g.i ~_<!I.f~.C?!J_t~_r
':
Hypervisor Kernel Modules
ESXi
'
VMware NSX Virtual Switch

Distributed network edge
Line rate performance
VMware NSX Edge gateway
virtual machine form factor
Data plane for North-South
traffic
Routing and advanced
services
Switch Security
The data plane is defined by the distributed switch. The distributed switch does only layer 2
switching. Hosts have to be on the same layer 2 network so that virtual machines on each host can
communicate with virtual machines on the other host.
NSX installs three vSphere Installation Bund les (VlB) that enable NSX functionality to the host.
One VlB enables the layer 2 VXLAN functionality, another VlB enables the distributed router, and
the final VlB enables the distributed firewall. After adding the VlBs to a distributed switch, that
distributed switch is called VMware NSX Virtual Switch . On NSX Virtual Switch, hosts are not
restricted to the same layer 2 domain for virtual machine to virtual machine communic ation across
hosts. You must migrate virtual machines from a host before installing the VlBs . If the VlBs must
be removed , the ESXi host requires a reboot.
VMware NSX Edge" gateway is not distributed and so the gateway lacks a contro l entity. NSX
Edge gateway handles control traffic. Conceptually, an NSX Edge gateway should be on the barrier
between the data and control planes.
Module 2
NSX Networking
63
NSX Overview: Control Plane Components

Slide 2-50
The control plane handles the implementation.

Consumption
Model
Management
Plane
- - ---- - - - - - - - -- -_.- - - - - - - - _. ------ - - - - - - - ------ - - - - - - - - --
Control
Plane
NSX Logical
Router Control VM
.--- ----- --- --- - - -_.-
User World Agent
~-
Manages lo gical networks

Run-time state
Does not sit in the dat a path
Control plane protocol
---------- - - --------- ------ - --- ---_.- - - - ----_.-- - - -------- - -- ---------- - -_.--- --- ------ - ----
NSX Virtual Sw itch
Data
Plane
----- - - - - - _. ---- - - - - - - - -------- - - - - - - - ------ - - - - - - - --
NSX Controller
NSX Edge .
Services
Gateway
NSX Virtual Sw itch

Distributed netwo rk edge
Li ne rat e performance
NSX Edge gateway
Virtual mach ine form factor
Data pl ane fo r North-So uth
t raffic
services
Switch Security
The NSX logica l router contro l virt ual machine and VMware NSX Con troller" are virtua l
machi nes that are dep loyed by VMware NSX Managert'<,
The user world agent (UWA) is composed of the ntcpad and vsfwd daemons on the ESXi host.
Communication related to NSX between the NSX Manager instance or the NSX Con tro ller
instance s and the ESXi hos t happen thro ugh the UWA.
The logical router control virtual machine hand les routing network relationships . This virtua l
mach ine gives the routing table to the NSX Manager instance .
The NSX Virtual Switch does not control routing plane traffic . So the NSX logical router control
virtua l mach ine is instant iated on its beha lf to handle that func tion. One NSX Controller virtual
machine gets dep loyed for each distributed logical router instance. The NSX Controller instanc e
retains information for the media access control (MAC), Address Resolution Protocol (ARP), and
Virtua l Tunne l End Poin t (VTEP) tab les. VMware reco mme nds that you deploy NSX Controller
instances in clusters of three to preve nt situatio ns where the NSX Contro ller clusters are split even ly.
If the control plane componen ts are lost, the ability to form new paths between virtual mac hines is
also lost and the current paths age out as the TTLs exp ire.
64
NSX Overview: Management Plane Component

Slide 2-51
The management plane handles the user management input.
II
Consumption
Model
Management
NSX Manager
vCenter Server Message Bus

A ent
Plane
z
><
zCD
Single point of configuration

REST API and UI interface
en
- - - ----- - - - - - - - ----- -- - ------- ----- - - - - - - _. ----- - - - - - - -- ------ - - - - - - - - ---- - - - - - - - - ------- - - - - - - - ------ -- - - - - - - --
Control
Plane
NSX Logical
Router Control VM
NSX Controller
User World Agent
Manages logical networks

Run-time st ate
Does not sit in the data path
Con trol plane protocol
?o
.....
~
::J
to
NSX Virtual Switch
+ - ~- - - - - -dS - - - - - -~- - j
Distributed
Data
Plane
VXLAN
t.
.~
Distributed Firewall
!-~9 !l?~~ _~_~L!!~ ~
:
:
NSX Edge .
Services
Gateway
NSX Virtual Sw itch

Distributed netw ork edge
NSX Edge gateway
vi rtu al machine form factor
Data plane for North-South
traffic
servic es
Switch Security
NSX Manager comm unicates with a vCenter Server system and is the interface for the VMware
NSX APJTM for third-party applicatio ns that integrate with NSX. The NSX Controller instances are
deployed by the NSX Manager instance. NSX Manager requests the vCenter Server system to
deploy the NSX Controller virtual machines from OVA files.
Module 2
NSX Networking
65
NSX Overview: Consumption

Slide 2-52
These planes build a virtualized network that is consumed by customers.

Self-service portal
Cloud management
VMware vCloud
Automation c enter w
,.,
Co nsumption
Model
NSX Manager
ve enter Server
Message Bus
Management
A ant
Plane
Con trol
Plane
NSX Logical
Router Contro l VM
NSX Controller
User World Agen t
NSX Virt ual Switch
EB~ i
Dat a
Plane
Dis t rib ut ed
Flm wal l
L\>9jc~ 1 RQI,lt \"
Hypervisor Kernel Modules
NSX Edg e
Services
Gatew ay
Single point of configuration
REST API and UI interface
Manages Logical networks

Run-t Ime state
Does n ot sit in the data path
NSX Virtual Swi tch
Distributed network edge
NSX Edge gateway

Virtual machine form factor
Data plane fo r North-South
traffic
services
Switch Security
All of these components build an infrastruct ure for networking thai is consumed in the same fashion
as compute, memory, and storage resources in the software-defined data center.
66
Enterprise Topology
Slide 2-53
A common enterprise-level topology.
II
External Network
~------ -
z
><
zCD
Physical Router
en
VLAN 20
Uplink
?o
.....
NSX Edge Services

Gateway
~
::J
to
VXLAN 5020
Uplink
LR Instance 1
NSX Manager helps to configure and manage logical routin g services. During the configuration
process, you can deploy either a distributed or a centralized logical router. If the distributed router is
selected, the NSX Manager instance deploys the logical router control virtua l machine and pushes
the logical interface configurations to each host throu gh the NSX Controller cluster.
In centralized routing, NSX Manager deploys the NSX Edge services router virtual machin e. The
API interface of NSX Manager helps automate deployment and management of these logical routers
through a cloud management platform .
Module 2
NSX Networking
67
Servicer Provider: Multiple Tenant Topology

Slide 2-54
Multiple tenants to the same NSX Edge gateway.

External Network
NSX Edge Services

Gateway
Tenant 2
In a a service provider environment, multipl e tenants exist. Each tenant can have different
requirements in terms of number of isolated logical networks and other network services, such as
load balancing, firewall, and VPN. In such deployments, NSX Edge services router provides
network services capabilities and dynamic routing protocol support.
As shown in the slide, the two tenants are connected to the externa l network through the NSX Edge
services router. Each tenant has its logical router instance that provid es routin g in the tenant. A
dynamic routin g protocol is configured between the tenant logical router and the NSX Edge services
router. This routin g protoc ol provides the connectivity from the tenant virtual machin es to the
external network.
In this topolo gy the East-West traffic routing is handled by the distributed router in the hyperviso r
and the North-South traffic flows through the NSX Edge services router.
68
Multiple Tenant Topology: Scalable Design

Slide 2-55
This multitenant topology is more flexible.
II
External Network
z
><
zCD
en
NSX Edge Serv ices

Gatew ay
?o
.....
~
::J
to
Web logical
Switch
The service provider topology can be scaled out as shown in the slide. The diagram shows nine
tenants served by an NSX Edge instance on the left and the other nine tenants served by an NSX
Edge instance on the right. The service provider can easily provision another NSX Edge instance to
serve additional tenants.
Module 2
NSX Networking
69
Scalability
Slide 2-56
Scaling compute infrastructure:

Adding hosts to clusters
Add ing new clusters
Effect on distributed switch design : Distributed
switch can span across 1,000 hosts.
Scaling number of users or applications:

More virtual machines are connected to isolated
networks (VLANs)
Q;
Effects on distributed switch design:
Q)
Separate port groups for each application
c
o
.!!l
ro
o
10,000 port groups are supported

Cluster 1
Cluster 2
Cluster 3
The number of virtual ports is 60,000

Dynam ic port management (static ports)
The distributed switch supports up to 1,000 hosts that allow for a wide variety of scaling options.
These options range from a model where every clust er has its own distributed switch to a mod el
with a single distributed switch spanning all clust ers. NSX even supports multipl e distributed
switches in the same cluster.
If a distributed switch spans multipl e clust ers, when you create a port group, every host connected to
that distributed switch knows about the new port group. Thus , every new port group can cause
additional resourc e consumption. The main reason to span distributed switch across clusters is to
support virtual machin e migration with vSph ere vMo tion.
70
NSX for vSphere : Scale Boundaries

Slide 2-57
...
II
1:1 Mapping of
the
vCenter Server
System to the
NSX Cluster
z
><
zCD
en
?o
.....
~
::J
to
,. _ . _ . _ . _ . _. _ . _ . - .
. ------ -- ---- - ------. I
!i
I:
L
-.
:I
v8p here vnaonon
r'
' 1
I I
q .
i "L
I._ ._ ._._ ._._ ._ .~
.,
r]
-,
lI :I
'- '- '- '- '- '- '- '-'
based on DRS
Manua l
vSpherevMotlon
1-------.....
--------1
1-1
Logical Network Span
NSX is coupl ed with the vCenter Server system to provide enhanced functionality on VMware
hypervisors so that it scales in parallel with the vCenter Server system. Typically a cloud
management system is used to aggregate multiple vCenter Server systems and NSX Manager
instances to enable horizontal scalability.
NSX Manager and vCenter Server systems are linked I: I and NSX Controller clusters are deployed
by NSX Manager. In addition to the vSphere vMo tion bound aries, VMware NSXTM for vSphere
enables layer 2 connectivity that spans the entire vCenter Server using VXLAN . The vCenter Server
system includes 1,000 hosts and 10,000 virtual machines.
NSX provides a similar architecture. The main difference is that the NSX Controller cluster scales
independently from vCenter Server system. So the vSphere vMotion boundaries are the same, but
NSX allows logical network s and layer 2 boundaries to extend beyond a single vCenter Server
system. The limit is still 1,000 hypervisors, but multipl e hypervisor platforms are supported.
Module 2
NSX Networking
71
NSX Manager
Slide 2-58
NSX centralized management plane:
Provides the management UI and NSX API.
Installs UWA, VXLAN, distributed routing , and distributed firewall kernel

modules.
Configures the NSX Controller cluster through a REST API.

Configures hosts through
a message bus.
- '-
,,-,=,--_ o
Generates certificates to
secure control plane
communications.
- .............-
H$I.
.-.-,
...
w
-0
~
...-0-1 IIfMIN
__
tI'OII'-....._NSlI-., .
.....
_1IIOal_-OO:- _ _
1e9a1 _ _ III9CIII-"o.- _
fII~.....-.._
.~
.t_~
_
"' 1...
_ 111
_
. .......
_0..
.....
........ "...,..'*"4""""
...
- ,,- .......
-.-.~
_ _ ........
t l I _ ~
' " " - t I _ ..
-...-_~
"-"'-'..-d_
.....
-oo4~QIl...--.,
-~"........1 . . - . 4
.--..n ... "'-t....
....,...
___
NSX Manager is the only component that is installed. NSX Manager handles all the manage ment
tasks. A direct correlation of one vCenter Server system to one NSX Manager exists. So if vCloud
Automa tion Center is present with multiple vCenter Server systems, each of those vCenter Server
systems has an NSX Manager instance.
An installation ofNSX Manager includ es OVA files to deploy the NSX Edge gateways, NSX
Controller, and the VIBs that get pushed to the ESXi hosts for the distributed switches. NSX
Manage r uses REST API for external communications from third-party applications such as
firewa lls and security software that integrate with NSX.
72
Building the NSX Platform

Slide 2-59
Consumption
You can deploy NSX by using this process.
~~~
Prerequisites:
Physical NetworkVXLAN Transport
Network, MTU
vCenter Server 5.5 and
ESXi 5.5
vSphere Distributed
Switch
II
P rogrammati
Virtual
Network Deployment
z
><
zCD
B ~ [!][i][!]
B [!] [I] [!] ~ B
en
VM
VM
?o
~[!]~ B
.....
~
::J
to
Logical Networks
Log ic al Network or Secu rity Serv ic es
Ql
Deploy Logical Switches per tier
j::
Ql
l:
0 1_ =--
Prepa rat ion
- - Host
- -Preparation
- - - - - ....
Logical Network Preparation
Deploy Distributed Logical Router

or Connect to Existing Router
Create Bridged Network
Connect to Centralized Router
NSX deploys into vSphere clusters. The NSX platform has basic requireme nts. Any serve r on which
you can install ESXi 5.5 can run NSX , connected to any physical network. Multicast over the
physical infrast ructure is an added benefit but not required. After you deploy NSX Manager, you
deploy NSX Controller instances, VIBs, and configure the virtual network.
Module 2
NSX Networking
73
Lab 1: Introduction
Slide 2-60
At the beginning of lab 1, the installation of NSX Manager is

complete. The focus of this lab is verification of the initial
configuration.
Manage
(jener 31network settings
SfTlIHC$
SETTltIGS
General
TimeSetlings
General
SpecifllNTP server betov
Network
Network
NTPServer
SSL Certificates
Timezone
Backups & Restore
sst. cenncates
NSXManagement Service
1P'f4 Information
Backup s s Restore
Address
UOQlacle
Netm ask
Manage
DefaultOalewav
Upgrade
COMPOtlEtlTS
Hos1n ame
Demain Name
t aervce
SETTINGS
General
looJ(upservice
Fcr vce nter verstons 5.1 a
IPv61nformabon
Address
PrefiXLength
Default Gateway
Netwo rk
Loo kup Service
SSL Certificates
ONSSerwrs
Backups & Resto re

Upgrade
COMPONENTS
vcenter server
Connecting to a vc enter s
Access' of Chapter 'Prepal
NSX Management Service
To resofve all objects refiner
1p.,.4 DNS sewers

Prima!y Server
Secondary Server
If your vcenter serveris he
vcenter Server
vcenter User Name
1M DNS sewers
Prima!y Server
Secondary Server
Search Domains
Status'
74
Lab 1: Configuring NSX Manager

Slide 2-6 1
Attach an NSX Manager appliance to a vCenter Server system
II
1. Access Your Lab Environment

2. Review the NSX Manager Configuration
3. Verify That the vSphere Web Client Plug-In for NSX Manager Is
Installed
z
><
(j)
4. License vCenter Server, the ESXi Hosts, and NSX Manager
5. Clean Up for the Next Lab
?o
CD
.....
:::J
to
Module 2
NSX Networking
75
Concept Summary
Slide 2-62
A review of concepts discussed in this les son:

Routing Protocols
What is the set of rules used by routers to determine paths called?
Which protocol facilitates the propaga tion of multicast traffic across a routed network?
Protocol Independent Multicast (PIM)
What is used to acqu ire the MAC addresses asso ciated with IP add resses?
Address Resolution Protocol (ARP)

What is the layer 2 address of a network interface?
Media Access Control (MAC) address

What is used to issue textual commands to NSX components ?
Command Line Interface (CLI)

What is the file for mat used to store and import virtual machines?
Open Virtualization Format (OVF)

What is a network device used to restrict and filter traffic betwee n networks and endpo ints?
What is a serv ice embedded in the ESXi kernel that is used to protect virtual machine s calle d?
What is the method for dividing workloads among NSX controllers ?
What is an appliance deployed by the NSX manager , primarily used for perimeter services?
A Firewall
Slice
NSX Edge
76

Slide 2-63
Describe capabilities of NSX
Explain differences between the data , control, and management planes
Recognize NSX topologies
II
z
><
(j)
Illustrate the role of NSX Manager
CD
?o
.....
:::J
to
Module 2
NSX Networking
77
Lesson 4: NSX Controller

Slide 2-64
Lesson 4:
NSX Controller
78
Learner Objectives
Slide 2-65
objectives:
Describe NSX Controller instances
Explain NSX Controller clustering
II
z
><
(j)
Determine NSX Controller roles
CD
?o
.....
:::J
to
Module 2
NSX Networking
79
NSX Controller
Slide 2-66
NSX Controller provides:
VXLAN distribution and logical routing network information to ESXi

hosts.
Clustering for scale out and high availability.
Workload distribution within an NSX Controller cluster.
Removal of multicast routing and PIM dependency in the physical

network.
Suppression of ARP broadcast traffic in VXLAN networks.

NSX Controller
VXLAN Directory
Service
MAC table
ARPlable
VTEP table
VMware recommends that you have three NSX Controller instances for each NSX Controller
cluster. You should always have an odd number ofNSCX Controller instances to avoid a situation in
which the NSX Controller instances are split evenly on a decisio n.
NSX Contro ller stores four types of tables:
The ARP tab le
The MAC table
VTEP table
Routing table
The ESXi host, with NSX Virtual Switch, intercepts the following types of traffic:
Virtual machine broadcast
Virtual machine unicast
Virtual machine mult icast
Etherne t requests
Queries to the NSX Contro ller instance to retrieve the correct response to those requests
80
For example, when a virtual machine sends an ARP request to get the MAC address for another
virtual machine, that ARP request is intercepted by the host and sent to the NSX Controller instance.
If the NSX Controller instance has the correct information , the informatio n is returned to the host
and the host replies to the virtual machin e locally. Thu s, broadcast traffic is reduced across the
VXLAN and the various tables on the NSX Controller instance are built. NSX Controller gets the
routing tables from the logical routing controller virtual machin e.
II
z
><
(j)
CD
?o
.....
:::J
to
Module 2
NSX Networking
81
NSX Controller Cluster Deployment

Slide 2-67
NSX Controller nodes are deployed as virtual machines.

Each virtual machine consumes 4 vCPU and 4 GB of RAM.
NSX Controller password is defined during the deployment of the
first node and is consistent across all nodes.
NSX Controller nodes must be deployed in the same vCenter Server
instance that NSX Manager is connected to.
A cluster size of 3 NSX Controller nodes is recommended.
NSX Controller interaction is through CLI, and configuration
operations are available through NSX API.
The first NSX Controller instance that is deployed requests a password and all future NSX
Controller instances that are deployed use this password. This password is used by a user to connect
through SSH into NSX Manager or NSX Controller. NSX Controller must be connected to the same
vCenter Server system as NSX Manager. VMware recommends that you deploy NSX Controller
instances in clusters of three. Each NSX Controller instance in a cluster must be deployed
individually.
82
Control Plane Interaction

Slide 2-68
ESXi hosts and NSX logical router

virtual machines learn network
information and send it to NSX
Controller through UWA.
The NSX Controller CLI provides a

consistent interface to verify
VXLAN and logical routing
network state information.
II
NSX Manager
z
><
zCD
en
NSX Controller
Cluster
?o
.....
~
::J
to
NSX Manager also provides APls

to programmatically retrieve data
from the NSX Controller nodes in
future.
NSX Controller uses the UWA daemon s to communicate from the hosts management address . NSX
Controller instances in a cluster replicate the different ARP, MAC, and VTEP tables in that cluster.
Module 2
NSX Networking
83
Control Plane Security

Slide 2-69
All NSX Control communication is protected with SSL encryption

over the management network.
NSX Manager creates and installs self-signed certificates to each
ESXi host and NSX Controller cluster.
Mutual authentication of NSX entities occurs by verifying certificates.
The control plane is secure d with SSL encryption by using certifica tes that are managed by NSX
Ma nager.
84
Control Plane Security: Diagram

Slide 2-70
The control plane requires certificate-based authentication.

NSX Manager
REST
API
A
W
~EJ
II
Create
certificate
NSX Manager
Database
z
><
zCD
en
Message
Bus
?o
.....
~
::J
to
NSX Manager creates certificates and stores them in a database. NSX Manager pushes these
certific ates to the NSX Contro ller instances as they are deployed . NSX Manager uses the message
bus to talk to the host for dep loying the VlBs . NSX Controller and the host go through the UWA
daemons .
Module 2
NSX Networking
85
User World Agent

Slide 2-71
The UWA has the following features:
Runs as a service daemon called netcpa .
Uses SSL to communicate with NSX Controller on the control plane.
Mediates between NSX Controller and the hypervisor kernel modules ,

except the distributed firewall
Retrieves information from NSX Manager through the message bus

agent.
The Distributed Firewall kernel modules communicate directly with

NSX Manager through the vsfwd service daemon.
-'-1
NSX Controller
NSX Controller
NSX Controller
i L_~:W== -
-~
iI
!1- ------ ------------- __---- - ----- -----__-- Kernel Modules
ll- - ---- -----
- ---- -
iL ESXi Host
.
------ - ---- - - ----
.---------.--.-----.---.--------.---------...- ------..-----1 i
!I
-..- - - - - - - - - - - - - - - - - - -...- ---.-----.---.-.....--..-...1 iI

"
The UWA includes two daemons that run on the host. The UWA is responsible for comm unication
between NSX Controller and ESXi host for layers 2 and 3, and for VXLAN communications. The
UWA can connect to multiple NSX Controller instances and maintains logs at / v a r /l o g /
ne tcpa . log. The distributed firewa ll has its own daemon. This daemon talks directly to NSX
Manager.
86
VMwa re NSX : Install , Configure, Manage
NSX Controller: Master Election

Slide 2-72
Each role needs a master.
II
Masters for different roles can sit on different nodes.

NSX Controller uses Paxos-based algorithm.
z
><
zCD
Guaranteed correctness (not necessarily convergence).
en
?o
.....
~
::J
to
Two roles are used for NSX Contro ller workloads. These roles are called logical switches and
logical routers. A master election determines the NSX Controller instance that is the master for a
particular role. Every role has a master. The master selects the NSX Controller instances and
allocates the portion of work for that role .
Paxos is a family of protocols for solving consens us in a network of unreliable processors.
Module 2
NSX Networking
87
Master Failure Scenario

Slide 2-73
A node failure triggers an election for roles when the master is no

longer available for that role.
A new node is promoted to master after the election process.
'ii.vXLAN
.-
If a master NSX Controller instance for a role fails, the cluster elects a new master for that role from
the available NSX Controller instances. The new master NSX Controller instance for that role
reallocates the lost portions of work among the remaining NSX Controller instances.
NSX Controller instances are on the control plane. So an NSX Contro ller failure does not affect data
plane traffic. For example, if the host requests the MAC address for an lP address through an ARP
request, and the NSX Controller instance does not respond, then the ARP is processed. The normal
ARP request process does not wait for the NSX Controller instance.
88
NSX Controller Workload Distribution

Slide 2-74
The NSX Controller cluster must:
II
Dynamically distribute workloads across all available NSX Controller

cluster nodes
Redistribute workloads when a cluster member is added
Have the ability to sustain failure of any cluster node
(j)
Perform the workload distribution so that it is transparent to applications
z
><
CD
?o
.....
:::J
Solution: Slicing
to
Slicing is the action of dividin g NSX Controller workloads into different slices so that each NSX
Controller instance has an equal portion of the work.
Module 2
NSX Networking
89
Slicing Assignment
Slide 2-75
For a given role, create a number of slices.

Define objects that are to be sliced.
Assign objects into their slices.
Logical Switches / VNls
Logical Switch Slices
Objects
Logical Routers
Logical Router Slices
After a master NSX Controller instance is chosen for a role, that NSX Contro ller divid es the
different logical switches and routers among all available NSX Controllers in a cluster. Each
numbered box on the slide represents slices that the master uses to divide the workloads . The logical
switch master divides the logical switches into slices and assigns these slices to different NSX
Controller instances. The master for the logica l routers does the same .
90
Slicing Distribution
Slide 2-76
For a given role, create a number of slices
II
Define objects that are to be sliced.

Assign objects into their slices.
z
><
zCD
Distribute slices across NSX Controller cluster nodes.
en
?o
.....
~
::J
to
Logical Switch Slices
Logical Router Slices
These slices are assigned to the different NSX Controller instances in that cluster. The master for a
role dec ides which NSX Controller instances are assigned to which slices. If a request comes in on
router slic e 6, the slice is to ld to connect to the third NSX Controller inst anc e. If a req uest comes in
on logical switch slic e 2, that req uest is processed by the second NSX Controller instance.
Module 2
NSX Networking
91
Slice Redistribution
Slide 2-77
When an NSX Controller fails, the master for the role redistributes slices
among remaining nodes
Slice redistribution happens on:
Creation of the NSX Controller cluster.
A reduction in the number of available NSX Controller nodes in the cluster.
An increase in the number of available NSX Controller nodes in the cluster.
When one of the NSX Controller instances in a cluster fails, the masters for the roles redis tribute the
slices to the remaining available clusters.
92
Component Interaction: Configuration

Slide 2-78
The components of the NSX platform are configured in a specific

order.
vCenter
Server
A
V
Register with
vCenter Server
II
NSX Manager
. . DeployNSX
. . Manager
~epl~
oy
~
NSX .
Controller Cluster ~
z
><
zCD
en
Deploy the NSX Edge

gateway and configure
network services
:.
?o
.....
NSX Controller
~
::J
NSX Edge
Gateway
to
r- --- - ----- ---~
l .
' - - I~
;:::;:~
,~ ~
I r.::! ~ _
l_ vSpher e ClusteL 1
r --.. . I~,.
~=-::
~ L:
,._._.vSphere ClusteL2 _J
:::=::E I~ : ~~I
~ --=
._- .
l _.VSPhere CI,usteL N j
The components of the NSX platform are configured in the following order:
1. Only NSX Manager is installed.
2. Durin g NSX Manager installation, the vCenter Server IP address and credentials are provided
and the NSX Manager instance conn ects to the vCenter Server system. The NSX Manager
instance enables the NSX components in the VMware vSphere Web Client.
3. The vSphere Web Client is used to deploy the NSX Controller instances through NSX Manager.
4. After NSX Controller instances are deployed, hosts are prepared by using NSX Manager to
install the VIBs on the ESXi hosts in the cluster.
5. After the components are installed and deployed, you define the logical networking
components, such as adding distributed routers and creating firewall policies.
This procedur e is repeated for each vSphere clust er.
Module 2
NSX Networking
93

Slide 2-79
Add NSX Controller clusters in odd numbers.

~
Home
Net w orking & Security
E!NSXHome
I 'LO
Install atioll
Mana g ement
I Host Prepar ation
L ogical Netw
1 _0.- '
Manag em enl
Installation
1 Ho st Prepara tion
Logical NeIWo
NSXManayer
l:! LogicalSwitches
~ NSXEdges
NSX lJI, n, gtr
n Firewall
E! 192.168.110.42
Iif3 scoorouaro
't\ ServiceDefinitions
8 ServiceComposer
GlFlow Monitorin g
!!!B Activity Monito ring
.. Networking & Security Inventm y
.. >
+
N~m.
NSX M , n,~. ,
n Firewall
E!! 192 .168. 110.42
.. seetce Definitions
EJ Service Com pose r

~ DataSecurity
NSXliU'"'~8t
e L1 92 ~ 1 1 ~
~ Flow Monitor ing
ll_..".,
gg ActiVity Moniloring
(: Iu~.,-,: , Pil'Qt
-I
.. Networking & Se&ur ity Invent ory
C1IU~1Of4'
HNSX Controller node
~ NSXEdges
IiI5 SpoofGuard
.."....-
~ DataSecurity
E!! NSX Managers
Home
Networkin g & Security
R!N8XHome
NSX Manager
~ Logical Switc he s
.t ~
Conn"",-" ro
Fe. .
~ NSX Managers
.. >
NSX Cont roller nodes
N ~m .
Nod.
eonnoner-e
connouer-7
192.168110 201
confroner-a
192.16B.110.203
192 ,168,110,202
94

Slide 2-80
Use the CLI to confirm the NSX Controller status.

nvp-e co nt.r o I Le r
Type
II
# shOIJ co nt.r o.l c-c Lua te r status
Join status:
Majority status :
:Restart status:
ClustEr ID:
NodE UUID:
5tatus
5ince
Join complEtE
ConnEctEd to clustEr majority
This controller can be safely restarted
07/14 17:53:22
07/14 18:04:46
07/14 18:04:47
z
><
(j)
47b40b57-fbdf-4fcE-a171-bff6a36345bO
47b40b57-fbdf-4fcE-a171-bff6a36345bO
CD
?o
....
:::J
to
Module 2
NSX Networking
95
Lab 2: Configuring and Deploying an NSX Controller Cluster

Slide 2-8 1
Deploy a three-node NSX Controller Cluster

1. Prepare for the Lab
2. Deploy the First NSX Controller Instance
3. Verify That the First NSX Controller Instance Is Operational
4. Deploy the Second NSX Controller Instance
5. Verify That the Second NSX Controller Instance Is Operational
6. Deploy the Third NSX Controller Instance
7. Verify That the Third NSX Controller Instance Is Operational
96

Slide 2-82
Describe NSX Controller instances
Explain NSX Controller clustering
Determine NSX Controller roles
II
z
><
(j)
CD
?o
.....
:::J
to
Module 2
NSX Networking
97
Key Points
Slide 2-83
Software is the foundation that is powering the evolution of networks

and data center infrastructure.
NSX uses the management plane, control plane, and data plane
models.
NSX Controller provides VXLAN distribution and logical routing network
information to ESXi hosts.
Questions?
98
MODULE 3
Logical Switch Networks and VXLAN

Overlays
Slide 3- 1
Module 3
II
r
o
co
0"
OJ
(j)
s;:::;:
o
:::r
Z
CD
:?
o
...,
"en
OJ
:::J
C.
~
z
<
CD
...,
OJ
-c
en
99
You Are Here

Slide 3-2

Course Introduction
I
IE
NSX Networking
NSX Routing
NSX Security
100
Importance
Slide 3-3
Virtual Extensible LAN (VXLAN) enables you to create a logical

network for your virtual machines across different networks. You can
create a layer 2 network on top of your layer 3 networks.
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
101
Module Lessons
Slide 3-4
Lesson 1:
Ethernet Fundamentals
Lesson 2:
Overview of vSphere Distributed Switch
Lesson 3:
Link Aggregation
Lesson 4:
Virtual LANs
Lesson 5:
VXLAN: Logical Switch Networks
102
Lesson 1: Ethernet Fundamentals

Slide 3-5
II
Lesson 1:
Ethernet Fundamentals
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
103
Learner Objectives
Slide 3-6
objectives:
Describe Ethernet frames
Describe segmentation and encapsulation
Explain the Address Resolution Protocol (ARP) process
104
Review: Networking Definitions

Slide 3-7
Network: Physical connection that enables computers to communicate
Frame: Unit of transfer, Layer 2 of the OSI model
Packets (a layer 3 unit of transfer) are segmented into Frames for transmission
Frames are transmitted across the physical medium and assembled by the target/destination device
Protocol: An agreement between two devices about how information is to be transmitted.
II
Broadcast Domain: Shared communication medium.

Delivery: The way a receiver identifies the destination of a frame :
The header is in the front of the frames [Header][Payload]
o
co
Many nodes might receive a frame, but only the identified destination keeps the frame (all others
discard)
n'
0)
Arbitration : The act of negotiating the use of a shared medium.
(j)
s;:::;:
Point-to-point network: A network in which every physical wire is connected to only two devices.
o
::r
Switch: A bridge that transforms a shared-bus (broadcast) configuration into a point-to-point

network.
CD
~
o
...,
Router: A device that acts as a junction between two layer 3 networks to transfer packets between
them.
en
'"
0)
Gateway: A device that connects two networks communicating over different protocols.
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
105
Ethernet
Slide 3-8
Source and destination identification uses media access control (MAC)

addresses:
Listen and wait for channel to be available
Carrier Sense Multiple Access with Collision Detection (CSMA-CD): If a

collision occurs, wait a random period before retrying.
IPreamble 1Destination I Source 1 Type 1---'-.-.--r-I-c-R-c-I

8 bytes
6 bytes
6 bytes
2 bytes
46 to 1,500 bytes
4 bytes
Destination and source are 48-bit MAC addresses (for example ,

OO:26:4a:18:f6:aa)
The Type indicates the protocol that the Data portion of the frame contains:
Type Ox0800 is IPv4
Type Ox0806 is ARP
Type Ox86DD is IPv6
Data part of layer 2 frame contains a layer 3 datagram
Ethernet is the most commo nly used layer 2 system in data centers . The main purpose of Etherne t is
to define the source and destination of frames and ensure that the shared medium is used efficiently
among all hosts.
106
MAC Tables
Slide 3-9
The MAC address tables associate MAC addresses with LAN ports
on the switch.
VlaIl
All
All
1
1
1
1
1
1
1
1
1
1
Ifac Addr ess
Type
Po r ts
- --- ---- -- -
- --- - - --
-- -- -
657 0 .7367 .745 0

gefa .2 054 .4465
Ob 9 f. 5 a g e. 7 6 a8
7 1d5 .5 1c4 .dcc4
d7cb .463d . e5dc
6fb2 .eb09 .f9ac
l a 4 7. 9 400. e 4 6 7
d 8fd . 8d8f .9ged
b7 05 .be 8b .6 2 8 e
13 5 3.0 7 2 a. b 9 4b
c6cb .73g e . lb2c
f3 8c .3 17b .b9 0 0
S TATIC
S TATIC
DYNAMI C
DYNAlofIC
DYNAlofI C
DYNAlofIC
DYNAlofIC
DYNAlofIC
DYNAlofI C
DYNAlofIC
DYNAlofIC
DYNAlofI C
CPU
CPU
Fa O/5
FaO/ 8
FaO/ 2
FaO/ l l
FaO/ 9
FaO/7
Fa O/4
FaO/ 13
FaO/6
FaO/3
II
r
o
co
n'
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
A switch uses a media access control (MAC) address table to direct frames from a sending network
device to a destination network device. The switch builds this table as it receives frames. The switch
associates the MAC address of the sending device with the LAN port on which the frame is received
by using the source MAC address in the frame.
When the switch receives a communication for an unknown destination address, the switch sends
the frame to all other LAN ports of the same VLAN . When the destination device replies, the switch
adds the relevant MAC source address and port ID in the address table. The switch sends all
subsequent frames for that destination to the correct LAN port without sending to all LAN ports.
Module 3
107
~
z
<
CD
...,
0)
-c
en
Broadcast Domain
Slide 3- 10
A broadcast domain is a logical division of a computer network, in

which all hosts can reach each other by broadcast at the data link
layer.
Router
/~
Switch
Switch
Hub
/\
Broadcast Domain
108
/
/\
Hub
Collision Domain
Address Resolution Protocol

Slide 3- 11
ARP provides a mechanism for a device to map an IP address to a

MAC address.
When a device needs to communicate with another device for which
the IP address is known but the MAC address is unknown:
The source device creates an ARP packet with the destination's IP

address.
II
The source places the packet in a Broadcast Ethernet frame.
The Broadcast Ethernet Frame is transmitted across the local subnet.
o
co
The destination device receives a copy of the frame and opens the
copy to check the IP address in the destination field.
n'
0)
The destination responds to the ARP request with a frame to the source
with the destination's MAC address as the source MAC address.
o
::r
(j)
s;:::;:
Z
CD
The source receives frames and reads the destination's MAC address.
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
109
From Packets to Frames

Slide 3- 12
An Ethernet Ethertype of Ox0800 indicates that the payload is an IP

packet:
When putting a packet into a frame, the end station uses the
destination MAC address that corresponds to the destination IP
address.
If the destination IP address is not in the same subnet as the source

end station, the end station uses the MAC address of the default
gateway as the destination MAC address.
If the end station does not know the destination MAC address that
corresponds with the destination IP address, the end station cannot
send the frame.
All network data moves through a network as frames
110
Segmentation and Encapsulation

Slide 3- 13
Lower layers add headers (and sometimes trailers) to data from

higher layers.
Network entities (switches/routers) move traffic based on header
information at the appropriate 051 layer.
Advanced features like intrusion detection and firewalls look deeper
beyond the header.
Application
II
r
Data
o
co
n"
0)
Transport
Network
(j)
s;:::;:
o
::r
CD
~
o
...,
Data Link
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
111
Layer 3: IPv4 Datagram

Slide 3-14
IP packets are carried in Ethernet frames.

Version I IHL
IDifferentiated Services
Identification
Time to Live
Total Length
Flags I
Protocol
Fragment Offset
Header Checks um
Source Address (32-bit IPv4 address)

Destination Address (32-bit IPv4 address)
Options
IilmDr

.. In.
Version =4
If no options, IHL =5
Source and Destination are 32 bit
IPv4 addresses
. ,.... .
Padding
-'"
Protocol =6 means that the data

portion contains a TCP segment.
Protocol = 17 means UDP
Routers and switches review the header information of the frame to route and switch traffic , app ly
policy contro ls, and build routing and switching tables. IP headers enab le quality of service (QoS)
application, control layer 3 loops using Time To Live (TTL), and congestion control using explicit
congestion notification bits. In the IP packet, UDP/TCP segments are embedded with their protoco l
numbers identified in the header for the host or gateway to process.
112
Layer 4: TCP Segment

Slide 3-15
Source and destination are 16bit TCP port numbers.
Source Port
Destination Port
Sequence Number
II
Acknowledgement Number
Data
Offset
UA E R S F
RC0 S Y I
GK L T N N
Reserved
Window
o
co
n"
0)
(j)
Checksum
s;:::;:
Urgent Pointer
Options
.
. 1I11e.' .
IilmDr
... III
- .--m"-
o
::r
Padding
CD
~
o
...,
.JiUi.'
"en
0)
:::J
C.
TCP is a connection-based protocol with guaran teed delivery. Devices send data over a connection
socket.
~
z
<
CD
...,
0)
-c
en
Module 3
113
Concept Summary
Slide 3- 16
A review of terms used in this lesson:

What is the data encapsulation for layer 2
transmission across the physical network
medium called?
114
Ethernet frame
What is the data encapsu lation fo r layer 3 for

transm ission across routed networks called?
Packet
Which is the data link layer of the OSI model of

a network?
Layer 2
Which is the network layer of the OSI model of a

network?
Layer 3
Which is the transport layer of the OSI model of

a network?
Layer 4

Slide 3- 17
Describe Ethernet frames
Describe segmentation and encapsulation
Explain the ARP process
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
115
Lesson 2: Overview of vSphere Distributed Switch

Slide 3-18
Lesson 2:
Overview of vSphere Distributed Switch
116
Learner Objectives
Slide 3- 19
objectives:
Describe VMware vSphere Distributed Switch
Configure a distributed switch
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
117
VMkernel Networking
Slide 3-20
Teaming recommendations:
Link Aggregation Control Protocol (LACP) 802.3ad is a good

option for optimal use of available bandwidth and quick
convergence .
Load-based teaming is recommended to simplify configuration

and reduce dependencies on the physical network, while still
effectively using multiple uplinks.
VMware NSXTMintroduces support for multiple VTEPs per host

with VXLANs.
Network partitioning technologies tend to increase complexity.
Overlay networks are used for virtual machines.

Use VLANs for VMkernel interfaces to avoid circular
dependencies.
DHCP relay and IP helper support are important for VMware
Physical
Switch
vSphere Auto DeployTM.
Link Aggregation Control Protocol (LACP) requires configuration on the upstream switch . You can
use load-based teaming to simpl ify configuration and reduce dependencies on the physical network ,
whil e effectively using multipl e uplinks .
118
Advantages of vSphere Distributed Switch

Slide 3-2 1
The advantages of using a vSphere Distributed Switch are the

following:
Manage all switches in a data center versus individual switches per

host
Advanced feature support
II
Higher scale
Foundation for your network virtualization journey
o
co
VM
~
VM
NETWORK
NETWORK
STATE
STATE
0"
VM
OJ
(j)
NETWORK
STATE
s;:::;:
o
:::r
Z
CD
:?
o
...,
"en
OJ
:::J
C.
~
z
<
CD
...,
OJ
-c
en
Module 3
119
Distributed Switch Architecture

Slide 3-22
Management plane: Configures various parameters of the distributed switch

Data plane: Handles the packet switching function
Management Plane
Legend:
_
dvPGA
dvPGB
dvUplink PG
dvUplink
Host 1
vmnicO
vmnic1
vmmcO
vmnic1
In VMwa re vSphere, the host handles the data plane. The host has information about which MAC
addresses are in which port groups. The VMwa re vCen ter Server" system controls the management
plane and if the vCen ter Server system fails, nothing changes on the contro l plane. Hosts and virtual
machines continu e to function. Features that rely on the vCenter Server system, like VMware
vSphere vMoti on, are unavailable until the management plane is restored.
The VMware NSX Virtual Switch'Y, which is a normal distributed switch with the VMware NSXTM
VIBs installed, is different. If a VXLAN port group exists, only the data is managed at the data
plane. The control plane is handled by VMware NSX Controller" and management is handled by
VMware NSX Managerr.
120
vSphere Distributed Switch Enhancements in ESXi 5.5

Slide 3-23
Performance and Scale

Enhanced LACP
Enhanced SR-IOV
II
40 GigE NIC support

Packet Classification
o
co
Traffic Filtering (ACLs)
0"
OJ
DSCP Marking (OoS)
(j)
s;:::;:
o
Visibility and Troubleshooting
:::r
Z
Host Level Packet Capture

Tool (tcpdump)
:?
o
CD
...,
"en
OJ
:::J
C.
In vSphere 5.5, LACP handles more than port aggregation and supports all LACP features. vSphere
5.5 also supports Mellanox 40 GB network interface cards. vSphere uses traffic filtering and access
control lists (ACLs) to enable traffic, drop traffic, or change tags. Layer 2 Class of Service (CoS)
and layer 3 Differentiated Services Code Point (DSCP) tagging is fully supported.
~
z
<
CD
...,
OJ
-c
en
Module 3
121
Slide 3-24
Available infrastructure:
Type of servers
Type of physical switches
Servers:
Rack mount or blade
Number of ports and speed. For example: Ten 1 Gb links or one 10Gb
link
Physical switches:
Managed and unmanaged
Protocol and features support
You must make several design consideratio ns when planning a distributed switch deployment. In the
software-defined data center ecosys tem the most frequently depleted resource is memory, not CPU .
Not every virtual machin e has the same proportionality of CPU to memory.
Understanding where enviro nment constraints are, and how your design can consider these
constraints is critical. The type of network interfaces in hosts is also important. In today 's data
center 10 GB interfaces are common with some instances of 40 GB interfaces. Dependin g on the
infrastructure, various switches with different features and functions might exist.
122
Teaming Best Practices

Slide 3-25
Link aggregation mechanisms do not double the bandwidth:
Hashing algorithm performs better in some scenarios. For example:

Web servers that are accessed by different users have enough
variation in IP source and destination addresses and can utilize links
effectively.
However, few workloads accessing a NAS array have no variation in

the packet header fields. Traffic might end up on only one physical NIC.
II
r
o
co
Load-based teaming has the following advantages:
n
0)
Takes link utilization into account
(j)
s;:::;:
Checks the utilization of links every 30 seconds
o
::r
No special configuration required on the physical switches
CD
~
o
...,
"en
0)
:::J
C.
Hashing algorithms are not perfect. For serve rs where the systems connecting are varied, the
hashing works we ll. In scenarios where a few high-consumption endpoints exist, the hashing can
result in one link being busier than the others. An example is IP storage with NFS . Typically, NFS
datastores or servers are on the same logic layer 2 as the VMke me l port that uses that data. Little to
no load sharing happens.
~
z
<
CD
...,
0)
-c
en
Module 3
123
Load-Based Teaming
Slide 3-26
Load-based teaming splits traffic to utilize all available links.
VM2
VM1
10
Network
Traffic
an
d 'dl h
WI
vSphere
vMotion
7Gig
VM1
5Gig
VM2
2Gig
VM1
VM2
L..---_>
Rebalance
11
....._ _......~.;;.'--~;...;..._ _Distributed

Switch
12 GB
2GB
Distributed
Switch
7GB
The examp le shows the advantage of load-based teaming. The diagram on the left has 14 GB of data
going out to two 10GB lines. vSphere vMotion consumes 7 GB, virtual machine 1 (VM I)
consumes 5 GB, and virtua l machine 2 (VM2) consumes 2 GB. Virtual machine 1 and vSphere
vMotion try to send a total of 12 GB of data out of the same 10 GB link. Virtual machine 2 sends 2
GB of data out of the second 10 GB link. Thus , 2 GB is lost on the first link.
The diagram on the right shows that by implementing load-based teaming, virtua l mach ine I is
forced to use the other interface. All machines and services get the bandwidth that they need . This
feature should be configured on distributed switch before NSX is installed.
124
Distributed Switch in Enterprise

Slide 3-27
The distributed switch has many features that are useful in an

enterprise setting.
vCenter Server
- - - Distributed
Switch
2c
<ll
U
ro
ro
Cluster 1
Cluster 2
Cluster 3
Cluster 4
ROBO 1
________
1 1- I I
I I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
II
- - - - - - - 1
Distributed
Switch
I
I
ROBO 2
I
I
I
I
I
I
I
I
~L
o
co
0
OJ
(j)
s;:::;:
o
::r
Multiple distributed switches per VC (128)
Distributed switches can span multiple clusters
Central management for DC and ROBO

environments
Role-based management control
CD
~
o
...,
"en
Hundreds of hosts per distributed switch
OJ
:::J
C.
~
z
Distributed switches must be in the same vCenter Server system as NSX Manager so that NSX
Manager can use the distributed switch.
<
CD
...,
OJ
-c
en
Module 3
125

Slide 3-28
Install NSX modules on hosts.
1--- ---'-- - -' Host Preparation

NSX Manag er: ( 192.168.110.42
Logical Network Preparation
I~ )
Installation of network virtualization componentsonvSphere hosts

Clusters & Hosts
liB SpoofGuard
~
s er-tce Definitions
EJ Servi ce Composer
0lJ Data Securrty

Gl Flow Monitoring
Ii!8 Activity Monitoring
126
.. 1Jb Managementand Edge Cluster

~
l!lJ Com pute Cluster A

I}b Compute Cluster B
Installation Status
-r: Installing
r: Installing
Install

Slide 3-29
Prepare hosts for VXLAN networking.

Eb
Add IP Pool
(?l, ..
- - New T' ansport lone
Name:
eatewav
*1
*1
A gateway
OesUlpbon
Prefix Length:
*1
I
Secondary DNS:
I
DNS Suffix
I
Primary DNS:
* lOIObarTranspon Zone
Name
C onlrol Plan e Mode
Ia
MlJ~iJ~on Pf'I/$J(fI '-
I Unicasl
IIXt,ANcQT1lrolpl.af*
Static IP Pool:
II
1
Murbcasl
Hybrid
Segment 10 pool
Provide a segmentiD pool and m ulticast range uniq ue to this NSX
manager.
o
co
Op:1IYlJ!edUmc8$l n
*1
Segment10 pool:
Selec t clu ste rS II) add
A static IP P
ab cd:87 :87:
OJ
(In the range of 5000-16777216)

N. ",.
a list orcorn
for example
0"
*11
0
0
0
tt
Mana geme nt and Edge Clusle r

Compute Cluster A
{) ccrnoute Cluster 8
"
(j)
s;:::;:
o Enable multicast addressing
Multicast addresses are required only for Hybrid and Multica.st control
:::r
Z
plane modes
CD
:?
o
Multicast must be enabled if you are using 5.1 host.
OK
II
Cancel
...,
"en
OJ
:::J
C.
~
z
<
CD
...,
OJ
-c
en
Module 3
127
Lab 3 : Preparing for Virtual Networking

Slide 3-30
Install NSX for vSphere modules in ESXi hosts and configure the
VXLAN IP pools and a transport zone
2. Install NSX for vSphere Modules on the ESXi Hosts
3. Configure VXLAN on the ESXi Hosts
4. Configure the VXLAN 10 Pool
5. Configure a Global Transport Zone
128
Concept Summary
Slide 3-3 1

What is a virtual switch shared across multiple
ESXi hosts called?
Distributedswitch
(Hint: VMware NSX Virtual Switch" is defined as a port

group on this.)
What is the configuration of multiple NICs to

share workloads for higher bandwidth called?
II
Teaming
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
129

Slide 3-32

Describe vSphere Distributed Switch
130
Configure a distributed switch
Lesson 3: Link Aggregation

Slide 3-33
II
Lesson 3:
Link Aggregation
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
131
Learner Objectives
Slide 3-34
objectives:
Describe the Spanning Tree Protocol (STP)
Describe the purpose of LACP
Create an overlay network
132
Ethernet Loop
Slide 3-35
Host A sends a
broadcast frame.
The Ethernet switch notices t

it is a broadcast frame and
sends a copy out of every
interface .
The third Ethernet switch notices that it is a

broadcast frame and sends a copy out to the
first switch , thus creating an Ethernet Loop.
II
r
o
co
0'
OJ
(j)
s;:::;:
o
::r
Z
CD
The second Ethernet switch notices

that it is a broadcast frame and
sends a copy out of every interface.
~
o
...,
"en
OJ
:::J
C.
~
z
<
CD
...,
OJ
-c
en
Module 3
133
Spanning Tree Protocol

Slide 3-36
STP is a Link Layer protocol that helps maintain a loop free LAN:
STP is standardized in IEEE 802.1 D.
STP assigns a switch as root bridge.
Every other switch in the LAN creates only one data path back to the
bridge.
All other data paths leading to the bridge are prevented from forwarding
traffic.
All paths not leading to the bridge are allowed to forward traffic.
NSX does not participate in STP.
134
STP Diagram
Slide 3-37
In STP, only one of the two switches blocks the data path. The other
switch keeps the link in a forwarding state.
Root Bridge
II
r
o
co
0"
OJ
(j)
s;:::;:
o
::r
Z
CD
- - - Blocking
~
o
...,
"en
OJ
:::J
C.
~
z
<
CD
...,
OJ
-c
en
Module 3
135
Bandwidth Constraint
Slide 3-38
STP always blocks all paths except the one leading up to the root
bridge.
If the forwarding path goes down, the switch activates one of the
block paths.
Root Bridge
Forwarding
Forwardi ng
~ BI O Cki n g
With Spanning Tree Protocol (STP) , you can gain additional bandw idth between switches by going
to the next speed in Ethernet, for example, from 100 Mb to 1Gb.
136
Link Aggregation Control Protocol

Slide 3-39
LACP:
Is a standards-based link aggregation method: 802.3ad
Provides automatic negotiation of link aggregation parameters between

virtual and physical switches
Advantages:
Provides higher bandwidth and redundancy
Detects link failures and cabling mistakes
Reconfigures links automatically
II
r
o
co
n"
0)
Deployments with static link aggregation groups (LAGs) have

problems such as PXE boot.
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
LACP is a type of port aggregation. Port aggrega tion is the bundling of interfaces to tell the STP
that only a single link exists instead of multiple links. LACP ensures that link aggregation
parameters match at both ends of the link aggregation.
<
The different types of LACP negotiation are the following:
CD
...,
0)
1. Enable port aggregation on the links. Switches do the port aggregation and must be manually
configured to be compatible at each end of that link.
2. One switch sends repeated requests to the other switch that is requesting the port aggregation
status. The two switches negotiate the status of the links and proceed.
3. Switches wait until they receive an aggregation request, negotiate the status of the links, and
proceed.
The LACP negotiation verifies that the link aggregation configurations between switches are
compatible. For the second or third type of LACP negotiation , switches negotiate details. The details
might includ e the number ofli nks that exist in the port group, the speed of the port group, and MTU.
Each switch determines the hashing that it uses to load balance its links independent of the other.
Module 3
137
-c
en
Enhanced LACP in vSphere 5.5

Slide 3-40
Comprehensive load balancing algorithm support includes 20

hashing algorithm options.
Multiple LAGs:
64 LAGs per host
64 LAGs per distributed switch
Workflow:
New workflow to configure LACP using templates
Useful in large environments
Hosts and distributed switches can support up to 64 Link Aggregat ion Groups (LAGs) .
138
Enhanced LACP
Slide 3-4 1
Host
Active Link :
LAG 1
II
LACP:
LAG 1 - 2 Uplinks; LB
algorithm - Source IP
address .
o
co
0'
OJ
LAG 2 - 2 Uplinks; LB
algorithm - Destination
IP address
(j)
s;:::;:
o
:::r
Z
CD
:?
o
...,
LAG 1 - Port 1,2

Physical Switch 2
"en
LAG 2 - Port 1,2
OJ
:::J
C.
~
z
The example shows the use of different switches for LACP, with each link aggregation using a
different hashing algorithm.
<
CD
...,
OJ
-c
en
Module 3
139
Concept Summary
Slide 3-42

What is the condition where there are multiple
layer 2 paths between two endpoints called?
Which protocol ensures that there are no
Ethernet loops?
Which is the standards-based link aggregation
method used in NSX?
140
Ethernet loop
Spanning Tree Protocol (STP)
Link Aggregation Control Protocol (LACP)

Slide 3-43
Describe the STP
Describe the purpose of LACP
Create an overlay network
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
141
Lesson 4: Virtual LANs

Slide 3-44
Lesson 4:
Virtual LANs
142
Learner Objectives
Slide 3-45
objectives:
Explain how VLANs are used
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
143
Virtual LANs
Slide 3-46
Split switches into separate virtual switches:

Only members of a virtual LAN (VLAN) can see that VLAN 's traffic.
Traffic between VLANs must go through a router.
Switch
VLAN X Nodes
VLAN Y Nodes
VLANs address scalability, security, and network management by enab ling a switch to serve
multipl e virtual subnets from its LAN ports. Routers in VLAN topologies provide broadcast
filtering, security, and traffic flow management. Switches must not bridge traffic between VLANs
because the integrity of the VLAN broadcast domain might be violated.
144
VMwa re NSX: Install, Configu re, Manage
Switches and Routers with VLANs

Slide 3-47
Without VLANs , each group is on a different IP network and on a different

switch.
. - . - . _ . _ . - . -. - .
.-. . .-.
'- .
....
\
10.2.0.0/16
...
II
I.:a!!!::-----~~
-'- -'- '-'-'-'-'- ".-. .'-'

One link per VLAN or a single VLAN Trunk later.
._ 0-'-'
.
.-.
....
- .-
o
co
0'
-'- . -'- '-
OJ
(j)
s;:::;:
..-
FaOIO
:::r
Z
FaO/1
:?
o
CD
....
... ...
- '- 0_. _ . _. _ . _ . -. - . - ".-.
...,
"en
OJ
'
:::J
C.
By default, all ports on a switch are in a single broadcast domain. Devices belonging to different
domains must be isolated using individual switches. VLANs enable a single swi tch to serve multiple
switching domains . The forwarding table on the sw itch is parti tioned be tween all ports belonging to
a common VLAN.
With this change, devices belonging to multiple domains can be collocated on a single switch. Also,
hosts can be spread around in the data center on different L2 segments and maintain domain and
subnet isolation.
Module 3
Logical Switch Netwo rks and VXLAN Overlays
145
~
z
<
CD
...,
OJ
-c
en
VLANs and ARP

Slide 3-48
Without VLAN, the ARP is seen on all subnets on a switch. All ports
on a switch are part of the broadcast domain.
Assigning a host to the correct VLAN is a two-step process:
Connect the host to the correct port on the switch with a VLAN
configured.
Assign an IP address to the host for that subnet. Otherwise the host
cannot find peers on the same subnet.
ARP
f Request
1
1
1
3 4 5 6 . Po rt
1 2 2 1 . VLAN
172.30.1.21/24
VLAN 1
172.30.2. rO/24
VLAN 2
146
172.30.1.23/24
VLAN 1
VLANs Across switches

Slide 3-49
VLAN tagging is used when a single link needs to carry traffic for
more than one VLAN.
Interswitch links are configured as trunks, carrying frames from
multiple VLANs for that switch.
Each frame carries a tag that identifies which VLAN it belongs to.
II
----------Tagged Frames
o
co
802.1Q Trunk
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
Without tagging, one physical connection per VLAN is required

between switches. This is not scalable.
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
147
VLAN Scalability
Slide 3-50
How does host A communicate with host E?

How does host F communicate with host B?
Host A, MAC A
Host B, MAC B
Hoste, MAC C
Int erf ac e 5
VLA N 20
Host 0 , MAC 0
148
Host E, MAC E
HostF, MAC F
802.10
Slide 3-5 1
802.1 Q is an extension to the Ethernet standards to enable VLAN

information to be carried in an Ethernet frame:
802 .10 is configured in interfaces, typically Ethernet switches.
Interfaces that are configured to support 802.10 Ethernet frames are

called Trunk interfaces.
Interfaces that are not configured to support 802.10 frames are called
Access interfaces.
II
The 802.10 standard has support for 4096 VLANs.
o
co
VLANs 0 and 4095 are not used for production traffic.
n'
0)
The 802.10 EtherType is Ox8100.
(j)
s;:::;:
.. .-.
802.10 frames increase the standard Ethernet frame to 1522 bytes.
o
::r
Up to 1500
6 bytes
6 bytes
2 bytes
1 :11
2 bytes
2 bytes
;1
bytes
6 bytes
CD
~
o
...,
"en
Standard Ethernet Frame
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
149
802.10 Frame
Slide 3-52
Normal Ethernet Frame

SA: 6
Type/Length: 2
Data: 46 to 1500
IEEE 802.1q Tagged Frame
C12 bits of VLAN ID to identify 4,096 possible VLANs
3 bits
150
12 bits
Native VLAN
Slide 3-53
A Trunk interface expects every ingress frame to be tagged with a

VLAN number. If an ingress frame is received without a VLAN tag, the
frame is dropped by the Ethernet switch.
To avoid dropping frames, a trunk can be configured to assign all
ingress frames without a VLAN tag to a default VLAN. This default
VLAN is called the native VLAN.
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
151
Concept Summary
Slide 3-54

What are groups of devices on separate physical
networks that communicate as if on the same logical
network called?
Virtual Local Area Networks (VLAN)
What is broadcasting communications from a single

source endpoint to multiple destination endpoints called?
Multicast
What is broadcasting communications from a single

source endpoint to a single dest ination endpoint called?
Unicast
Which is the communications protocol for establishing

multicast group memberships?
152
Internet Group Management Protocol (IGMP)

Slide 3-55
Explain how VLANs are used
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
153
Lesson 5: VXLAN: Logical Switch Networks

Slide 3-56
Lesson 5:
VXLAN: Logical Switch Networks
154
Learner Objectives
Slide 3-57
objectives:
Describe VXLAN overlay networks
Define the VXLAN frame format
Compare unicast, multicast, and hybrid modes
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
155
VXLAN Terms
Slide 3-58
A Virtual Tunnel End Point (VTEP) is an entity that encapsulates an Ethernet

frame in a VXLAN frame or de-encapsulates a VXLAN frame and forwards the
inner Ethernet frame.
A VTEP proxy is a VTEP that forwards VXLAN traffic to its local segment from
another VTEP in a remote segment.
A transport zone defines members or VTEPs of the VXLAN overlay:
Can include ESXi hosts from different VMware vSphere clusters
A cluster can be part of multiple transport zones
A VXLAN Number Identifier (VNI) is a 24-bit number that gets added to the VXLAN
frame:
The VNI uniquely identifies the segment to which the inner Ethernet frame belongs
Multiple VNls can exist in the same transport zone
VMware NSXTMfor vSphere starts with VNI 5000
VXLAN is an Ethernet in IP overlay technology, where the original layer 2 frame is encapsulated in
a User Datagram Protocol (UDP) packe t and delivered over a transport network. This technology
provides the ability to extend layer 2 networks across layer 3 boundaries and consume capacity
across clusters. The maximum transmission unit (MTU) requirement is for a minimum of 1,600
bytes to support IPv4 and IPv6 guest traffic . The Virtual Tunnel End Point (VTE Ps) do not support
fragmentation. VXLAN also provi des increased scalability as it is no longer tied to the 802.1q
protocol limit of 4,096. The 24-bit address space theoretica lly enables up to 16 million VXLAN
netwo rks. Each VXLAN network is an isolated logical network.
156
VXLAN Protocol Overview

Slide 3-59
VXLAN VTEP is the VMkernel interface that serves as the endpoint

for encapsulation or de-encapsulation of VXLAN traffic.
Ethernet in IP overlay network:
Entire L2 frame encapsulated in User Datagram Protocol (UDP)
50+ bytes of overhead
II
VXLAN can cross layer 3 network boundaries.

VXLAN is an overlay between VMware ESXi hosts. Virtual
machines do not see VXLAN 10.
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
The VTEP Proxy, used in UTEP and MTEP, replicates the frame that it rece ives. The VXLAN
Number Identifier (VNI) is 24 bits.
A transport zone is a configurab le boundary for a VNI. A single transport zone is usually sufficient.
All clusters in the same transport zone share the same VNI. A transport zone can contain multiple
clusters and a cluster can be a part of multiple transport zones. A transport zone tells the host or
cluster which logical switch has been created. If you do not want logical switches to show up on
certa in hosts, you can create a transport zone to constrain tenants. The underlying port group still
exists across the distributed switch.
Module 3
Logical Switch Netwo rks and VXLAN Overlays
157
<
CD
...,
0)
-c
en
Virtual Extensible LAN

Slide 3-60
VXLAN is an IP overlay technology that eliminates virtual network

segmentation.
VXLAN functionality:
Allows network boundary devices to extend virtual network boundaries
over physical IP networks
Expands the number of available logical Ethernet segments from 4094
to over 16 million logical segments
Encapsulates the source Ethernet frame in a new UDP packet
VXLAN is transparent to virtual machines
Adds 50 bytes to the original frame
Submitted to IETF for standardization
In April 2013, lANA reserved UDP port 4789 for VXLAN.
VXLAN is a network overlay technology. VXLAN encapsulates frames at layer 2 into a UDP
header. The traffic is encapulated into and deencapsulated from a VXLAN header by the VTEP.
The VXLAN adds 50 to 54 bytes of information to the frame, depending on whether VLAN tagging
is used. VMwa re recommends increasing the MTU to at least 1,600 bytes to support NSX . Larger
MTUs might already be in place depending on what other technologies are in use on the network. If
a custom MTU size is already set, either ensure that enough unused space exists in the MTU to
enable the additional 54 bytes or increase the MTU size to accommodate the addition.
158
NSX Use Cases

Slide 3-61
II
r
o
co
Speed up network
provisioning
Simplify service
insertion, both virtual
and physical
Streamline DMZ
changes
Automate network
and service
provisioning for
private clouds and
tesUdev
environments
0"
Automate network
provisioning for
tenants with
customization
OJ
(j)
s;:::;:
o
::r
Z
Maximize hardware
sharing across
tenants
CD
~
o
...,
"en
OJ
:::J
C.
The most common use cases for NSX are data center autom ation , self-service IT, and multitenant
cloud environments.
~
z
<
CD
...,
OJ
-c
en
Module 3
159
VXLAN Frame Format

Slide 3-62
IP
Header
Data'
Outer
Dest
MAC
I I
IP
Protoco
I
I I
Outer
Source
MAC
Header
Checksum
Optional
802.1Q
EtherType
Outer Outer
Source Dest
IP
IP
I I
Optiona l
Outer
EtherType
802.1Q
VXLAN
Flags
I I
RSVD
VXLAN
NI
(VNI)
RSVD
The VXLAN fram e forma t is shown here. The top frame is the original frame from the virtua l
machin es, minus the Frame Check Sequence (FCS), encapsu lated in a VXLAN frame. A new FCS
is created by the VTEP to includ e the entire VX LAN frame . The VLAN tag in the layer 2 Etherne t
frame exists if the port group that your VX LAN VMke rnel port is connected to has an assoc iated
VLAN numb er. When the port group is associated with a VLAN number, the port group tags the
VXLAN frame with that VLAN numb er.
160
Multicast: Network Components

Slide 3-63
The goal of multicast is to send a single packet from a source device

to multiple destinations, likely on different subnets.
Server
Layer 2 switch
with IGMP snooping
Router 1
Client
II
r
r+--
o
co
IGMP
~ IIII
IGMP
0"
---+t
OJ
(j)
s;:::;:
UDP / RTP
Multicast Traffic
\.
o
::r
CD
~
o
...,
"en
LAN
OJ
:::J
C.
The idea is to use the network to replicate and prevent the source from creating a large numb er of
individual unicast sessions to each destination. Some key applications of multic ast include
multim edia content delivery, financial institutions such as stock exchanges and high-frequency
trading centers, and IPTV networks. Multic ast is a necessary component of many enterprise
networks.
~
z
<
CD
...,
OJ
-c
en
Module 3
161
Internet Group Management Protocol

Slide 3-64
Hosts use the Internet Group Management Protocol (IGMP) to tell

routers about group membership.
Routers or layer 3 switch solicits group membership from directly
connected hosts.
Versions:
Version 1: RFC 1112 is supported on Windows 95.
Version 2: RFC 2236 is supported on the latest service pack for Windows and
most UNIX systems.
Version 3: RFC 3376 is supported in Window XP and various UNIX systems.
162
Bidirectional PIM
Slide 3-65
Source/Receiver
- - - Shared Tree
1t-rwa--
--....,)~
Upstream Forwarding
---')~
Downstream Forwarding
II
r
o
co
0"
OJ
RP- Rendezvous Point
(j)
s;:::;:
Notation: 1*,G)
:::r
Z
* = All Source
G = Group
Receiver 1
CD
:?
o
Receiver 2
...,
"en
OJ
:::J
C.
For network virtualization using VXLAN , bidirectional Protocol-Independent Multicast (PIM) is

import ant. VXLAN relies on a many-to-many multicast infrastructure. The most efficient way is to
use bidirectional PIM.
~
z
<
CD
...,
OJ
-c
en
Module 3
163
NSX for vSphere VXLAN Replication Modes

Slide 3-66
Three modes of traffic replication exist:
two modes are based on VMware NSX
Name
Controller" based and one mode is
1Ql, ..
New Transport Zone
IGIObal-Transport-Zone
>II
Description
based on data plane
Control Plane Mode
Unicast mode is all replication using
a Multicast
Multicast on Physical rJeMJolf< used (or VXLAN con lrol plane
a unrcast
unicast.
VXLAN controfpftJnehaOOIOO ty NSX coreoser Cluster
'2) Hybrid
Hybrid mode is local replication that is

offloaded to the physical network and
Optimized Unless! mode. Offloads local traffic repticsston to pttysical nel'MJrll
Clusters to Add
(2) Selected Objects
remote replication through unicast.
(Q.
N~m.
Multicast mode requires IGMP for a

layer 2 topology and multicast routing
--
Select clusters 10add
IIG1 U
~
IJ
Management & Edge Cluster

Compute Clus ter 01
.)
Filler
NSX ",S..,Id',
Sb IU$
C vest
t) Norma l
vost
&
Norma!
for L3 topology.
All modes require at least a 1,GOO-byte
MTU.
--
I~
QQ~
Replication mode relates to the hand ling of broadcast, unknown unicast , and multicast (BUM)
traffic. Unicast has no physical network requirements apart from the MTU . All traffic is replicated
by the VTEPs. In the same VXLAN segment, traffic is rep licated by the source VTEP. In remote
VXLAN segments, the NSX Contro ller instance selects a proxy VTEP. Hybrid mode uses IOMP
layer 2 multicast to offload local replication to the physical network. Remote replication uses unicast
proxies, so multicast routing is not necessary. Hybrid is recommended for most deploymen ts.
Multicast is seen frequent ly in upgrade scenarios from VMware vCloud Networking and
Security'P' 5.1 or environments that already have multicast routing.
164
VXLAN Replication: Control Plane

Slide 3-67
In unicast or hybrid mode, the NSX Controller instance
selects one VTEP in every remote segment from its
VTEP mapping table as a proxy. This selection is per VNI
(balances load across proxy VTEPs).
In unicast mode, this proxy is called a Unicast Tunnel

End Point (UTEP).
In hybr id mode, this proxy is called a Multicast Tunnel

End Point (MTEP).
This list of UTEPs or MTEPs is synced to each VTEP.
NSX Controller
VXLAN Directory
Service
[
[
II
MAC Table
ARPTable
o
co
VTEPTable
0'
OJ
If a UTEP or MTEP leaves a VNI, the NSX Controller

instance selects a new proxy in the segment and
updates the participating VTEPs:
VTEP report
VTEP failure
(j)
s;:::;:
o
:::r
Z
CD
:?
o
...,
"en
OJ
:::J
C.
~
z
The VTEPs to which the list of UTEPs or MTEPs are synced are memb ers of the associated
VXLAN Network Identifi er (VN I).
VTEPs leave a VNI either voluntarily because the VMware ESXi host is gracefully powered off,
or all virtual machin es connected to the VNI are migrated or shut down. VTEPs also leave the VNI
if the VTEP fails. When a VTEP fails, it cannot invalidate its VTEP VNI mappin g entry with the
NSX Controller instance. The NSX Controller instance detects that the keep-alive has expired and
invalidates the entry.
Module 3 Logical Switch Networks and VXLAN Overlays
165
<
CD
...,
OJ
-c
en
VXLAN Replication: Data Plane

Slide 3-68
The VXLAN header format is updated in NSX

for vSphere:
A new REPLICATE LOCALLY bit is used in
the VXLAN header for unicast and hybrid
modes.
VXLAN Header Format
When a UTEP or MTEP receives a unicast

frame with the REPLICATE_LOCALLY bit set,
the UTEP or MTEP is responsible for injecting
the frame to the local transport network.
The behavior of the proxy depends on its
traffic replication mode.
The first field of eight bits is used for VXLAN flags. Seven of these bits are reserved in vCloud
Networking and Security 5.1. These reserved bits are set to zero . The fifth bit is set to 1 when the
header includes a valid VNI. VMwa re NSXTM for vSphere adds a bit for a replicate locally flag
which is set to 1 for delivery to a UTEP or MTE P.
166
Unicast Mode
Slide 3-69
Source UTEP:
Replicates encapsulated frame to each local VTEP through unicast
Replicates encaps ulated frame to each remote UTEP through unicast
Destination UTEP:
Receives the encapsulated frame from the source VTEP
Replicates encapsulated frame to each local VTEP through unicast
II
Unicast mode considerations:
No multicast configuration needed on the physical network
Higher overhead on the source VTEP and UTEP
o
co
n
0)
(j)
s;:::;:
Configurable per VNI during logical switch provisioning
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
In NSX, the default mode of traffic replication is unicast. Initially no multicast support is required
on the physical network.
This mode reduces network dependencies to only increase in maximum transmission unit (MTU) .
Each layer 2 transport subnet has one dynam ically assigned VTEP that acts as a proxy and is
responsible for replica ting traffic to other VTEPs within the segment. This proxy addresses the most
common objections and allows VXLAN deployment with minimal physical network support.
One downside of unicast mode is the higher overhead. In unicast mode the source VTEP and
proxies must copy the same frame multiple times to every VTEP within the layer 2 subnet. Copying
the same frame multiple times results in higher CPU utilization on the host as the VXLAN transport
zone and clusters increase in size.
Module 3
167
~
z
<
CD
...,
0)
-c
en
Multicast Mode
Slide 3-70
Source VTEP:
Replicates encapsulated frame to each remote VTEP through multicast
Replicates encapsulated frame to each local VTEP through multicast
No UTEP or MTEP roles

Multicast mode considerations:
IGMP and IGMP snooping configuration needed on the physical

network
Multicast address required over physical network
Lowest overhead on the source VTEP
Multicast mode uses the VTEP as a proxy. In multicast, the VTEP never goes to the NSX Controller
instance. As soon as the VTEP receives the broadcast traffic, the VTEP multicasts the traffic to all
devices .
168
Hybrid Mode
Slide 3-7 1
Source MTEP:
Replicates encapsulated frame to each remote MTEP through unicast
Destination MTEP role:
Receives the encapsulated frame from the source MTEP
II
Unicast mode considerations:
o
co
IGMP Snooping configuration needed on the physical network
n"
0)
VTEPs send IGMP joins and IGMP reports
(j)
s;:::;:
Multicast address required over physical network
o
::r
CD
~
o
...,
"en
0)
:::J
C.
To reduce the overhead of traffic replication, multicas t proxy is used for optimization. The VTEP
does not replicate all traffic in software. The VTEP leverages the physical network to replicate
through multicast by selecting one VTEP in each L2 transport network to serve as a multi cast proxy.
This mode is L2 IOMP only, and PIM is not needed in hybrid mode . This mode is not the defau lt
mode of operation in NSX for vSphere, but is important for larger scale operations. Also the
configuration overhead or complexity of L2 IOMP is significantly lower than multicast routing.
Module 3
169
~
z
<
CD
...,
0)
-c
en
Unicast and Hybrid Mode: Same Host

Slide 3-72
VM1 communicates with VM2 on the same host.
Management Network
- - - - - - - - - - - - t~..-1
- :;';;;;
- i'-:l:''''-J~---:i-<-.;.;;..;;.o"",.
: ,,"--U
'-..
Transport Network
-0
Transport Network
~- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -~~~~~~~!! ~~~~- - - - - - - - - - - - - - - - - - - - - - - - - - - - -_:
The diagram shows the process by which virtual machine I (VM I) communicates with virtual
machine 2 (VM2) on the same host in the same VXLAN when VM I lacks the MAC address for
VM2 :
1. VM I sends Address Resolution Protoco l (ARP) request for the MAC address of VM2 on the
same logical switch (VNI 500 I) on the same host.
2. Broadcast is sent to all virtual machines on the logical switch of the same host. The switch
securi ty module uses the management network to query the NSX Controller instances ARP
table for VM2 ARP entry.
3. Because VM2 is on the same logical switch, VM2 sends an ARP reply before NSX Controll er
respon ds to the switch security module:
a. IfVM2 has not participated in previous ARP reply or Dynam ic Host Configuration Protoco l
(DHCP), the NSX Controller instance lacks the inform ation.
b. Switch security module updates local ARP table and notifies NSX Controller to update the
ARP entry for VM2 (in the ARP table).
170
4. Logical switch delivers a unicast ARP reply to VM 1.
This scena rio does not incur VXLAN encapsulation . If the transport zone is configured as a
multicast , the ARP request broadcast is forwarded in a VXLAN encaps ulation to all the other
VTEPs in the multicast group.
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
171
Unicast Mode: Different Hosts

Slide 3-73
Initial communications of VM1 with VM3 on another host.
Management Network
The diagram shows the process in unicast mod e. Virtual mach ine I (VM 1) communicates with
virtual machine 3 (VM3) on different host s in the same VXLAN when VMl lacks the MAC address
for VM3:
1. VM 1 sends an ARP request for the MAC address of VM3 on the same logical switch (VNI
5001) on a different host in a different cluster.
2. Broadcast is sent on the local logical switch and the switch security modul e queries the NSX
Controller instance for an ARP entry for VM3.
3. The NSX Controller instance lacks the information on VM3. So the broadc ast is forw arded as
encapsulated unicast from VTEPx to all local VTEPs and the remote proxy VTEP.
4. VM3 sends a unicast ARP reply that is encapsulated by VTEPy, and is sent to VTEPx, and
return ed to VM 1.
5. VTEPx learns the MAC address ofVM3 for all subsequent communication from local virtual
machin es to VM3.
172
Hybrid Mode: Different Hosts

Slide 3-74
Initial communications of VM1 with VM3 on another host.
II
r
o
co
0"
OJ
(j)
s;:::;:
o
Management Network
---.~~~~
- - -~
- - -~
- - -~
- - -~
----------------, ,
O
Transport N etwork
Transport Networ k
:'
,: ~
:
:
~,----------------------------------~~~~~p~-~ ~~~~------------------------------;
,
- - --
----
----
The diagram shows the process in hybr id mode. Virtual machin e I (VM I) communicates with
virtual machin e 3 (VM3) on different hosts in the same VXLAN when VM I lacks the MAC address
for VM3:
:::r
Z
CD
:?
o
...,
"en
OJ
:::J
C.
~
z
<
1. VM I sends an ARP request for the MAC address of VM3 on the same logical switch (VNI
500 I) on a different host in a different cluster.
CD
...,
OJ
-c
en
2. The broadcast is sent on the local logical switch and the switch security modul e queries the
NSX Controller instance and ARP entry for VM3.
3. The NSX Controller lacks the information on VM3. So the broadcast is forwarded from VTEPx
to all local VTEPs using multicast and to the remote proxy VTEP using unicast.
4. VM3 sends a unicast ARP reply that is encapsulated by VTEPy, sent to VTEPx, and returned to
VM I.
5. VTEPx learns the MAC address of VM3 for all subsequent communication from local virtual
machin es to VM3.
Module 3
173
Multicast Mode: Different Hosts

Slide 3-75
Initial communication of VM1 with VM3.
..'
Management Network
r
-----------Transport Network
Transport Network
~-----------------------------------~~~~~~~-~ ~~~~-----------------------------_:
The diagram shows the process in multicast mode . Virtua l machine 1 (VM 1) com municates with
virtual machine 3 (VM3) on different hosts in the same VXLAN when VM l lacks the MAC address
for VM3:
1. VM 1 sends an ARP request for the MAC address of VM3 on the same logical switch (VN I
500 1) on a different host in a different cluster.
2. The broadcast is sent on local logical switch and the switch security modul e is checked.
3. If the switch security module lacks the information for VM3 , the broa dcast is encapsulated as a
mult icast and forwarded to all VTE Ps.
4 . VM3 sends a uni cast ARP reply that is encapsula ted by VTEPy, sent to VTEPx, and delivered
to VM l.
5. VTEPx learns the MAC of virt ual machine 3 (VM3) for all subseq uen t comm unication from
local virtua l machines to VM3 .
The fact that the virtua l machine is on a differen t cluster does not change the packet walk proc ess . In
all these cases the same events occur when communication is taking place between two virtua l
machin es on different hosts of the same clus ter or different cluster.
174
Quality of Service
Slide 3-76
You can ensure that the application traffic flowing through the
physical network infrastructure is prioritized by using the following
ways:
Class of Service (CoS): Layer 2 Tag
Differentiated Services Code Point (DSCP) Marking: Layer 3 Tag
II
802.1 Q Header
6 bits
2 bits
DSCP
16 bits
3 bits
1 bit
o
co
12 bits
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
IP Header
0)
:::J
C.
Traffic can be classified in different ways. In a layer 2 fram e, the 802.1q header contains the
inform ation for the Class of Service (CoS). The first 16 bits are always Ox8100 , which means that
the header contains a VLAN tag. The class of service is in the next 3 bits follow ed by a flag that
indicates whether to fragment.
Layer 3 has a different field called Differentiated Services Code Point (DSCP) that has 6 bits . The
first three values typically match the first three CoS bits. At the bound ary between layers 2 and 3,
the switch can take the CoS and other factors like the source or destination address and match that to
a layer 3 DSCP value . Because DSCP has more potential values, it can be more specific about the
service that it is going to provid e.
Module 3
175
~
z
<
CD
...,
0)
-c
en
QoS Tagging
Slide 3-77
Guest Tagging
..
1
Virtual Switch Tagg ing
Ell
vSphereil
Ell
II vSphere'1 .:::l'=
Physical
Network
Distributed switches pass VM CoS

markings downstream
NIOe cannot assign separate queue
based on the tag
Administrators lose control
..
1
Physical Switch Tagging
Physical
Network
vSphere Distributed Switch
II vSphere I
..l
Ell
Physical
Networ k
- - - --
Distributed switch implements CoS and

DSCP marking, or both
OoS marking or remarking done in the

phys ical switch and/or router
Preferred option
Burdensome OoS management on each

edg e device (for example : ToR)
Single edge OoS enforcement point
Traffic that comes from a virtua l machine can be tagged at several levels. Traffic can be tagged by
the virtua l machi ne, by NSX Virtual Switch, or at the physical switch.
176
Physical Network Congestion

Slide 3-78
----+
----+
----+
"Sphere Distributed Switch
II vSphere:1
Higher Tagged Traffic

Lower Tagged Traffic
Untagged Traffic
II
r
Congested Switch
o
co
0
OJ
(j)
s;:::;:
o
:::r
Z
CD
:?
o
...,
Physical Network
"en
OJ
:::J
C.
In the example, the virtual machine traffic is tagged from the hypervisor. The traffic goes through
the physical network. Depending on the QoS settings and cong estion , the virtual machin e traffic
reaches its destination or is dropp ed. In most cases of congestion, the traffic with the highest QoS
priority is the most likely to reach its destination.
~
z
<
CD
...,
OJ
-c
en
Module 3
177
NSX Component Interaction: Configuration

Slide 3-79
Configuring the NSX platform.
vCenter
Server
__
. :-=-:: I~ '
'"_"'"
'II -
~
I ~ a.: .--=t
I.
I
I
NSX Controller
Configuration
(Logical switches ,
Distributed logical routers)
Host Configuration
(Logical switches,
Distributed logical routers)
Service
Configuration
(LB , FW, VPN, and so on)
__ ,. ... . f8E ----I"

_-I
,
;.=~
~ I~ : [BE .......
The components of the NSX platform are configured in the followin g order:
1. The NSX Manager is connected to vCenter Server and prepares the infrastructure.
2. Provisioning of logical switches and distributed logical routers occurs throu gh the VMware
vSphere Web Client or VMware NSX APFM. After switches and routers are provisioned, they
are published to NSX Controller and the slicing process determin es which NSX Controller node
is active .
3. NSX Controller proactively syncs inform ation to the active ESXi hosts through the UWA. For
VXLAN logical switches, the host becomes activ e for a given VNI after a virtual machine is
conn ected to that VNI and powered on. The UWA reports to the NSX Controller, syncs the
VTEP list, and starts popul ating MAC and IP address information .
4. The Distributed Firewall configuration is sent directly to the ESXi hosts through the secured
message bus. The VMware NSX Edge" configuration is sent directly to the NSX Edge
gateway through the message bus.
5. As the virtual infrastructure scales and additional hosts are added, the logical switches, routers,
and firewalls are scaled with the compute infrastructure. The scaling occurs as the same clust er
is expanded, or as new clusters are prepared for network virtualization.
178
NSX Logical Switching

Slide 3-80
~~
II
co
Per application or multitenant segmentation

Virtual machine mobility requires L2
everywhere
Large L2 physical network sprawl : STP
issues
HW memory (MAC , FIB) table limits
Logical Switching: Usin
r
o
0'
Benefits
Challenges
Scalable multitenancy across data

center
Enabling L2 over L3 infrastructure
Overlay based with VXLAN , STT, GRE ,
and so on
Logical switches span across physical
hosts and network switches
OJ
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
N to scale the network
"en
OJ
:::J
C.
~
z
<
CD
...,
OJ
'<
en
Module 3
179
Logical Switch
Slide 3-81
The logical switch is a virtual network segment that has been

identified with a VNI:
Each logical switch gets its own unique VNI.
A VXLAN distributed switch port group is created in all the VTEPs in the
same transport zone where the logical switch is created .
Virtual machine 's vNICs get connected to logical switches.
Logical switches support mobility and availability features in vSphere
such as:
VMware vSphere vMotion
VMware vSphere High Availability
The logical switch is a distributed port group on the distrib uted switch . The logical switch can
expand distributed switches by being associated with a port group in each distributed switch . The
vCenter Server system creates the port group for the NSX Manager. vSphere vMo tion is supported,
but only among those hosts that are part of the same distributed switch.
180

Slide 3-82
Creating logical switches.

Logical Swit ches
N ~X M::m:::.npr'
n ... 1 en
11
n . ... I ... 1
~ New logical Switch
Name
:::::: NSX Edge s
[I
De scription
~.
II
===========~
* :=
1
Firewa ll
15 Spo ofGuard
Il!\ Service Definition s
tJ Service Composer
I'flJ Data Se curity
61 Flow Monitoring
TransportZone
Control Plane Mode
I I
o
co
o Multi cast
n"
0)
Multicast on Physical neM'ork used for VXl.AN control plane.
o Unicast
(j)
s;:::;:
VXLAN control plane handfed by NSX Controller Cluster.
gg ActivityMonitoring
o Hybrid
... Networking & Security Inventory
NSX Managers
* I Globa l Transport Zo ne
o
::r
OptimizedUnic&st mode. Off/oads focal traffic replication to physical ne~il'Ork.
CD
OK
I[
~
o
...,
"en
Cance l
.d .
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
181

Slide 3-83
Migrating virtual machines to the logical switches.
~ Iransit-Netwnrk - AddVirtual Machines

1 Select Virtual Ma chines
Select Virtual Machines

Select VMs to connect to this network
2 Select VNICs
J Ready to complete
V irtual ma chine
o
o
o
o
o
o
o
o
o
182
/'IJ
/'IJ
/'IJ
/'IJ
/'IJ
/'IJ
/'IJ
/'IJ
/'IJ
app-sv-01 a
br-s v-02a
db-s v-01a
mgt- sv-01a
N8 XJ ontroller_af c9ddf4-eee2-4 39a-800 b-6318e d
N8XJ ontroll er_b 1033456- cbea-4be O-832 9-35224
N8XJ ontroll er_bb1 c4724-4g e3-48d9- a2ed-a a504
w eb-sv-0 1a
web -sv-02 a
Lab 4: Configuring and Testing Logical Switch Networks

Slide 3-84
Create and test logical switches for the Web-Tier, App-Tier, DB-Tier,
and transport networks
2. Create Logical Switches
3. Verify That Logical Switch Port Groups Appear in vSphere
II
4. Migrate Virtual Machines to Logical Switches

5. Test Connectivity
o
co
n
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
183
Concept Summary
Slide 3-85
What is the tunnel endpoint for VXLAN communication
between ESXi hosts , across a transport network , using Layer 3
encapsulation called?
What is the tunnel endpoint for VXLAN communications using
multicast called ?
What is the tunnel endpoint for VXLAN communications using
unicast called?
What is a port group on a vSphere Distributed Switch with NSX
VXLAN Tunnel Endpoint (VTEP)
Multicast Tunnel Endpoint (MTEP)
Logical switch
Unicast Tunnel Endpoint (UTEP)
modules installed called?

What is the transmission of different multicast traffic across
VXLAN networks called ?
Which mode uses both unicast and multicast to conserve
bandwidth while ensuring a speedy delivery?
Which feature ensures that high-value traffic is prioritized
during periods of network conge stion?
184
VXLAN replication
Hybrid
Quality of Service (QoS)

Slide 3-86
Describe VXLAN overlay networks
Define the VXLAN frame format
Compare unicast, multicast, and hybrid modes
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
~
z
<
CD
...,
0)
-c
en
Module 3
185
Key Points
Slide 3-87
VLANs split switches into separate virtual switches.

A distributed switch is used to manage all switches in a data center
versus individual switches per host.
LACP provides automatic negotiation of link aggregation parameters
between virtual and physical switches.
A VXLAN VTEP is the VMkernel interface which serves as the endpoint
for encapsulation/de-encapsulation of VXLAN traffic.
Questions?
186
MODULE 4
N5X Routing
Slide 4-1
Module 4
II
z
><
(J)
::0
o
c
~
:::J
c.c
187
You Are Here

Slide 4-2

Course Introduction
NSX Networking
IE

NSX Routing
NSX Security
188
Importance
Slide 4-3
The distributed routing capability in the VMware NSXTM platform

provides an optimized and scalable way of handling East-West traffic
in a data center.
The VMware NSX Edge services router provides the traditional
centralized routing support in the NSX platform.
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
189
Module Lessons
Slide 4-4
Lesson 1:
NSX Routing
Lesson 2:
NSX Logical Router
Lesson 3:
Layer 2 Bridging
Lesson 4:
190
Lesson 1: NSX Routing

Slide 4-5
Lesson 1:
NSX Routing
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
191
Learner Objectives
Slide 4-6
objectives:
Compare Open Shortest Path First (OSPF), Intermediate System to

Intermediate System (IS-IS), and Border Gateway Protocol (BGP)
Describe OSPF area types
Describe IS-IS routing levels
Describe the BGP
192
Supported Routing Protocols

Slide 4-7
The following routing protocols are supported by NSX:
OSPF
IS-IS
BGP:
Internal BGP (iBGP)
External BGP (eBGP)
II
z
><
(J)
::0
o
c
~
:::J
(C
The TCP/IP protocol suite offers different routing protocols that provide a router with methods for
building valid routes. The following routing protocols are supported:
Open Shortest Path First (OSPF) : This protocol is a link-state protoco l that uses a link-state
routing algorithm. This protocol is an interior routing protocol.
Intermediate System to Intermediate System (IS-IS): This protocol determines the best route for
datagrams through a packet switched network.
Border Gateway Protocol (BGP): This protocol is an exterior gateway protocol that is designed
to exchange routing information between autonomous systems (AS) on the Internet.
Module 4
NSX Routing
193
OSPF Features
Slide 4-8
OSPF distributes routing information between different routers

belonging to a single autonomous system (AS):
Area level support: Default area 51
Backbone and NSSA support
Clear text and MD5 peer authentication
Interface-level support
Helio interval and dead interval configuration
Priority for designated router and backup designated router election
Interface cost configuration
OSPF is a link-state protocol. Each router maintains a database describ ing the AS topo logy. When
you enable OSPF, area 0 and area 5 1 are created by default. Area 51 can be deleted and replaced
with a desired area .
By default, OSPF adjacency negotia tions use clear authentication by assuming that the segment is
secure. If installed in an insecure segment, enabling authentication ensure s that a third party cannot
corrup t the routing table or hijack connection by injecting a compromised default route .
194
About OSPF
Slide 4-9
OSPF is a routing protocol that uses the router's link states to

determine the optimal path to reach a destination:
OSPF is an Internal Gateway Protocol (IGP) because it is under the

management control of a single institution or AS.
OSPF uses Dijkstra's algorithm to find the shortest path, or the lowest
cost, to a destination .
Every OSPF router creates a path tree to each subnet. The OSPF
router is at the center of the tree.
OSPF routers that share an Ethernet segment form neighbor

adjacencies.
Latest supported OSPF version is version 2.
II
z
><
(J)
::0
o
c
~
:::J
(C
OSPF maintains a link-state database that describes the AS topology. Each part icipating router has
an identical database. The router shares this database with routers in the AS by a mechanism called
flooding . All routers in the AS run the same algori thm used to construct the shortest path between
the router and the root. This algori thm gives each router the route to each destination in the AS.
When multiple paths to a destination exist and those paths are of equa l cost, traffic is distributed
equally among those paths.
Module 4
NSX Routing
195
OSPF Neighbor Relationships

Slide 4-10
Routers on the same network segment with the same area 10 are
neighbors.
Neighbor relationships are established through a discovery process:
1. The router determines its OSPF router 10 (RID).

2. The router starts the OSPF process.
3. The router sends out Hello packets using multicast.
4. When a Hello packet is received from anothe r router containing the RID
for itself, the routers become neighbors.
OSPF-enabled routers must find neighboring OSPF-enab led routers and form neighbor adjacencies
with those routers . OSPF-enabled routers form neighbor adjacenc ies by multicasting information to
other OSPF-enabled routers . Each router is responsible for main taining a Neighbor Table of the
OSPF-enab led routers that it has formed adjacencies with . The router is also responsible for sharing
this table with other routers . This multicast uses Hello packets that contain the necessary
information to form adjacencies.
196
OSPF Packet Types

Slide 4-11
OSPF has many different packet types used for communicating

OSPF information:
Hello packets
Database Descriptor packets
Link State Request packets
Link State Update packets
Link State Acknowledgement packets

Version #
Type
II
I Packet Length
Router 10
z
><
Area 10
Checksum
(J)
AuType
::0
o
c
Authentication
:::J
Authentication
(C
A ll OSPF packets have a header of 24 bytes. This header contai ns the information required for any
OSPF communica tion:
The version of OSPF in use by the originatin g router.
The packet type : A total of five packet types are sent by OS PF.
The total length of the packet.
The Router ID (RID) of the originating router.
The Area ID for the area to which the originating interface on the originating router belongs.
A checksum va lue for the packet to verify it has not been corru pted. This checksum excludes
the authentication fie lds.
The Authentication type (AuType) currently in use. Authentication can be none, plain text
password, or MD5 authentication.
The authentication data needed if any authentication type is used.
Module 4
NSX Routing
197
OSPF Hello Packets

Slide 4-12
OSPF He l lo Packet
Ne two r k Mask : 255 .255 .255 . 0
Hello I n t e r v a l : 1 0 se c o n ds
Opt i ons : 0 ,, 1 2 (L . E )
= DN: DN- b i t i s NOT se t
0. ..
= 0 : O- b i t i s NOT s et
.0. .
= DC: Dereand circuit s a re NOT s u p p o r te d
. .0.
= L : Th e p ac ket c ont ain3 LLS data b lock
. . .0
.... 0 ... = NP : N ,9s a i s NOT s uppo rt ed
. 0 .. = MC: NOT mu l t i c a s t capabl e
. . . . . . 1- = E : E"te r na lRouti ngCapacity
Ro ut e r Priorit y : 1
Rout e r De ad Inte r v a l : ~ O se c on ds
Network Mask
Desi gnated Ro ut e r : 0 .0 .0 .0
Ba c kup De sign at ed Route r : 0 .0 .0 .0
Hellolnterval Options Router Priority
Ac t i ve Ne ighbour : 1 0 . 1 0 .2 .2
. . ..
. ...
0
. . ..
... .
RouterDeadlnterval
Designated Route r
Backup Designa ted Router
Neighbor
The OSPF-enabled router builds neighbor adjacencies by periodic ally sending out packets called
Hello packets from all OSPF- enabl ed interfaces on the router. OSPF-enabled routers see Hello
packets from other OSPF- enabl ed routers and add these routers to a record called a Neighbor Table.
After the routers have added each other to their tables, those routers have formed an adjacency.
To form a neighbor adjacency, both OSPF- enabled routers must pass certain parameters specified in
their respectiv e Hello packets:
The subnet included is that of the originating interface.
The HelloInt erval is the interval at which the Hello packet is sent from an OSPF-enabled
router 's interfaces. The default interval is 10 seconds but the HelloInt erval is configured per
interface.
Options includ e the capabilities of the originating router.
Router Priority is the priority of the originating router, used in designated router elections.
The originating router sets the Router Dead Interval to guide how long the router is silent before
other routers mark it as a dead link .
The IP address of the current Designated Router.
198
The IP address of the current Back up Designated Router.

The RIDs of all OSPF neighbor routers for the originating router.
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
199
Other OSPF Packets

Slide 4-13
Database Descriptor
Interface MTU
Options
00 Sequence Number
Link State Request

LS Type
Link State 10
Advertising Router
LSA Header
Link State Update
Link State Acknowledgement
# LSAs
Header
LSAs
The other OSP F packets are used as part of the process for keeping the Link State tables
synchronized between all OSPF-enabled routers:
1. Type 2 packets are Database Descriptor packets. Database Descriptor packets are used to
synchronize the router link states between all neighbors. This synchroni zation is important for
keeping the router paths accurate and not sending traffic to dead links. The OSPF router
summarizes the local database and the packets carry a set of LSAs inside the Database
Descriptor packet.
2. Type 3 packets are Link State Request packets. OSPF-enabled routers use Link State Request
packets to request neighbor database updates when their own link state databases are old based
on the Database Descriptor packet data. Adjacent rout ers that detect an LSA that is more
updated than their own database copy, request the newer LSA from the neighbor.
3. Type 4 packets are Link State Update (LSU) packets. The request for an update takes the form
of a Link State Request (LSR) packet that contains requests for any LSA updates needed. The
router with the updated database responds to the LSR with a LSU packet that contains all of the
requested LSAs .
4. Type 5 packets are Link State Acknowledgment (LSAck) packets. After the LSU packet is
received, the receiving router sends an LSAck packet to the originating router.
200
OSPF Neighbor States

Slide 4-14
OSPF Neighbors have different states depending on their status:
Down
Attempt
Init
2-Way
Exstart
Exchange
Loading
Full
Designated / Backup Designated
Ne i ghbo r 1 0
10.10.1. 2 5 4
10.10 . 2. 2 5 4
10. 20.10. 2 5 4
10. 20.11.2 5 4
10 . 20.1 2. 2 5 4
Pr i
10
1
0
0
0
S tat e
FULL/ DR
FULL/BDR
2WAY
2'11AY
DO'I/N
Dead Ti me
00:0 0: 2 7
00:0 0: 31
00:00: 3 3
00:00: 2 9
00:00 :35
II
Ad d r e ss
1 9 2.1 68.0. 3
1 9 2.1 68.0. 7
192.16 8 .0.11
1 9 2. 1 68.0.13
1 9 2.1 68.0.17
Interfa c e
Fas te t he r ne t
Fas te t he r ne t
Fas te t he r ne t
Fas te t he r ne t
Fas te t he r ne t
z
><
(J)
0 /0
0 /0
0/ 0
0/0
0/0
::0
o
c
~
:::J
(C
OSPF -enabled routers keep the link state databas e curren t at all times. This database is used to
determine where to send traffic by the most efficient path:
Down indicates that the neighbor has not been heard from within the RouterDeadInterval time .
Attempt is only used for manually configured neighbors. The current router is send ing Hello
packe ts to any router in the Attemp t state.
When the status is Init, the router has received a Hello packet from this neighbor and replied but
has not completed the process for establishing adjacency.
A 2-Way state indicates that bidirectional comm unication is established with the neighbor
router.
Exstart indica tes that the routers are beginning the link state information exchange.
Exchange is the state when neighbor routers exchange the Databas e Descriptor packets.
In the Loading state, based on the information in the Database Descrip tor packets, routers are
exchanging the link state information.
The Full state indica tes that routers are synced and in adjacency.
Module 4
NSX Routing
201
The Designated Router (DR) is an OSP F-enabled router interface. This interface is elected by all the
other routers in an area to be a centralized router that keeps a topology table of the entire network.
The Backup Designated Router (BDR) is designated if the DR fails. When a DR is present, other
OSPF-enabled routers form adjacencies only with the DR and BDR. Non-DR or BDR rout ers send
updates directl y to the DR and BDR. The DR multi casts updates out to all other routers in the area.
The use of this centra lized maintenance coupled with the use of multi casting conserves network
bandwidth.
The DR is determi ned throu gh an election proc ess where the OSP F-enabled router interface with the
highest priority is elected as the DR. The BDR is the OSPF-enabled router interface with the next
highest priority. If the DR fails, the BDR assumes the DR role and a new BDR is elected.
202
OSPF Router Types

Slide 4-15
The OSPF router type is a property of the OSPF process. A physical

router can host more than a single OSPF router type with one type on
each port.
Routers can have the following OSPF router types:
Area Border Routers (ABR): Connect one or more areas to the
backbone network.
Autonomous System Boundary Routers (ASBR): Connect to other
autonomous systems and exchange routing information.
II
Internal Routers (IR): Connect all interfaces in a single OSPF area .
z
><
(J)
::0
o
c
~
:::J
(C
The main router types are the following:

Area Border Routers (ABR) connect one or more OSPF areas to the backbone network. The
ABR keeps an individual copy of the link-sta te database in memory for each connec ted area .
Autonomous System Boundary Routers (ASBR) connect to other routers that belong to other
areas using other routing protcols or static routing. The static routing or additional routing
protoco l, such as IS-IS is in addition to OSPF. The ASBRs distrib ute routes discovered from
external systems to other OSPF -enab led routers .
The Interna l Router (IR) is an OSPF-enabled router that belongs to only one area and has
neighbors only within that area .
Module 4
NSX Routing
203
OSPF Areas
Slide 4- 16
An OSPF AS includes all routers that run OSPF and these routers
exchange link-state information with each other:
An AS is also called a routing domain .
In the OSPF AS, each router interface that is participating in the
OSPF process is placed in an area:
A router can have interfaces in more than one area.
A router with interfaces in more than one area must have one of those
interfaces in the backbone area, or area O.
A router only forms neighbor adjacencies with another router in a local
segment if both routers are in the same area .
The default OSPF area for NSX is Area 51.
Areas are sets of networks that are grouped together. Areas are a collection of routers, links, and
networks that have the same area identification. Each OSPF area can combine with other areas and
form a backbone area . Backbone areas combine multipl e indepe ndent areas into one logical routing
domain. This backbone area has an ID of 0 or (0.0.0.0). The primary responsibility of the backbone
area is to distribute routing information between nonbackbone areas .
204
OSPF Area Types

Slide 4- 17
OSPF defines the following types of areas:
Normal area
Stub area
Not so stubby area (NSSA)
II
z
><
(J)
::0
o
c
~
:::J
(C
Each area maintains a separa te link-state database. Stub areas are areas that do not receive route
advertisements externa l to the AS. Not so stubby area (NSSA) is a stub area that can import AS
external routes and send them to other areas . But NSSA cannot receive AS externa l routes from
other areas .
Module 4
NSX Routing
205
OSPF Normal Area

Slide 4- 18
An OSPF normal area is a nonbackbone area that receives full

routing updates from the backbone:
Routers in the area have full visibility of all networks in the OSPF AS.
No special configuration is needed in the routers.
In an OSPF normal area, routers have full visibility to all networks in the AS. Every router in a
normal area knows about every route.
206
OSPF Stub Area

Slide 4-19
An OSPF stub area is a nonbackbone area that receives only a

default route from the backbone.
Routers within the area continue to exchange routing updates and
intra-area routes:
Routers in the area have full visibility of only networks in their area .
The stub area is configured at the area border router.
II
z
><
(J)
::0
o
c
~
:::J
(C
A stub area is usefu l if routers do not need to know about every route. Routers contin ue to exchange
information in their area but not external destinations. Instead, routers in the area must send external
packe ts to an area border router (ABR). The area border router advertises a default route in place of
external routes and generates a network summary link-state advertisement (LSA). Packets destined
for an external route are sent to the ABR .
Module 4
NSX Routing
207
OSPF NSSA
Slide 4-20
An OSPF NSSA is a nonbackbone area that receives only a default

route from the backbone:
The NSSA also has an AS boundary router that injects external routes
to the area.
The external routes are advertised to the backbone area.
Routers in the area continue to exchange routing information for intraarea networks.
The NSSA is configured on an area border router.
An OSPF NSSA allows external routing information to be imported in a limited fashion into the
stub area. OSPF NSSA is useful for making an area aware of a non-O SPF router. This information
can be flooded within the area, but the area remai ns protected from being flooded with all routes.
208
OSPF Area and Router Types Example

Slide 4-21
Areas are logical groupings of hosts, networks, and routers.

Area 0
Area 813
Normal
) Internal
:l"t~lf-----{O
Router
II
z
><
(J)
Internal
Router
::0
o
c
Area 829 Stub
:::J
c.c
The diagram shows the interaction s of the different areas with each other.
Module 4
NSX Routing
209
Intermediate System to Intermediate System

Slide 4-22
IS-IS is a routing protocol that uses the router's link states to

determine the optimal path to reach a destination:
Similar in design to OSPF.
IS-IS can route non-IP traffic.
IS-IS was originally defined by OSI/IEC 10589:2002.
IS-IS is the preferred IGP used by large Internet Service Providers

(ISPs) globally.
In ISO terminology, IS-IS is a router.
IS-IS is an interdomain dynamic routing protocol used to support large routing domains. OSPF is
designed to support only TCP/IP networks whereas IS-IS started as an ISO protoco l. Both protoco ls
are interior gateway protocols (lOP), but IS-IS runs over layer 2 and is intended to support multiple
routed protocols.
210
IS-IS Features
Slide 4-23
Router-level support:
Area 10, system 10 (default router-id), IS-Type (default level -1-2),
domain password , and area password
Area-level support:
Up to 3 IP addresses per area
Interface-level support:
vNIC name
Hello timer, hello multiplier
Metric, priority
Circuit type
LSP interval
z
><
Mesh group
::0
o
c
Password
II
(J)
:::J
(C
IS-IS and OSPF have similar features. VMware NSXTM supports up to three IP addressees per area
and a wide range of interface levels.
Module 4
NSX Routing
211
IS-IS Areas
Slide 4-24
Like OSPF, IS-IS associates routers into areas:
Areas should be contiguous.
IS-IS defines two areas: level 1 areas and level 2 areas.

Level 1 areas are equivalent to normal OSPF nonbackbone areas:
Routers in this area advertise intra-area route information in the area.
A router can be a part of multiple level 1 areas.
Level 2 areas only advertise inter-area route information in the area:
This area is close to an OSPF backbone area.
Like OSPF , IS-IS area has numbers.
IS-IS uses a two-level hierarchy for managing and scaling large networks. A routing domain is
partitioned into areas . Level I routers know the topology of their area including all routers and
endpoints in their area. Leve l I routers do not know the identity of routers or destinations outside
their areas . Level I routers forward all traffic that is outside their area to a level 2 router in their
area .
Level 2 routers know the level 2 area and know which addresses can be reached by contacting other
level 2 routers. A level 2 router does not know the topology of a layer I area . Level 2 routers can
exchange packets or routing information directly with external routers located outside of the routing
domain.
212
IS-IS Router Levels

Slide 4-25
IS-IS assigns an area type to the entire router rather than the router
links.
Leve l 1 Area
Leve l 2 Backbone
Level 1 Area
II
z
><
(J)
::0
o
c
~
:::J
c.c
Leve l l routers belonging to a level 1 area only form neighbor adjacencies with level 1 routers in the
same area and have full visibi lity of their area . Leve l 2 routers belonging to a level 2 area can form
neigh bor adjace ncies with any level 2 router, including in other areas and advertise interarea routes.
Level 1-2 routers belong to both level 1 and level 2 areas at the same time. Similar to OSPF 's AB R,
level 1-2 routers can form neighbor adjace ncies with any othe r router in any area. Level 1-2 router
takes level 1 area routing updates and propagates them to level 2 areas and the other way round.
Only level 2 routers can connect to an external netwo rk.
Module 4
NSX Routing
213
IS-IS Neighbor Adjacency

Slide 4-26
ISIS routers exchange Hello Protocol Data Units (Hello PDU) to

discover ISIS speakers in the segment and to form neighbor
adjacencies.
Level 1 Area
Level 2 Backbone
All IS-IS speakers in a segment form neighbor adjacencies with each other:
Levell routers send and listen for level I Hello Protocol Data Units (PDUs).
Level 2 routers send and listen for level 2 Hello PDUs.
Level 1-2 routers send and listen for levell and level 2 Hello PDUs.
214
IS-IS Design Considerations

Slide 4-27
IS-IS has more flexible rules than OSPF regarding neighbor

adjacencies and route advertisement:
Level 2 only routers are not needed.
Multiple level 1 areas can be joined with level 1 or 2 routers .
An area cannot be disjointed.

All routers in the same area should have an area path to every other
router in the area.
Area boundaries exist in the links, not routers.
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
215
BGP Features
Slide 4-28
iBGP and eBGP support

Router-level configuration
Local AS
Neighbor-level configuration:
Keep alive timer (default 60)
Hold-down timer (default 180)
Authentication MD5
Per neighbor filtering

Inbound or outbound accept or deny by prefix range
The BOP is an interAS routing protocol.

BOPs can be either internal BOP (iBOP) or externa l BOP (eBOP) . eBO P is used when talking to a
router that has an AS number that is different from its own. iBOP is used with routers in the same
local AS.
You can use neighbor-level configurations to configure various settings to customize the BOP
configuration.
216
Border Gateway Protocol

Slide 4-29
BGP is a routing protocol that provides route reachability while

avoiding path loops:
BGP is an external gateway protocol (EGP) because BGP is used

between different AS under different management controls to advertise
routes.
Each AS administrator chooses which routes to advertise through BGP.
Each AS administrator chooses which routes to receive through BGP.
BGP is the standard route advertisement protocol on the Internet.
Latest BGP version is 4, RFC 4271.
II
z
><
(J)
::0
o
c
~
:::J
(C
BOP is a standardize d exterior gateway protocol designed to exchange routin g and reachability
inform ation between AS on the Internet.
Module 4
NSX Routing
217
BGP AS Numbers
Slide 4-30
BGP speakers are assigned an AS number (ASN).

An ASN uniquely identifies all the BGP speaking routers under the
same management control:
The Internet Assigned Numbers Authority (lANA) assigns public ASNs.

Originally BGP supported 2 A16, or 65,536 ASNs:
RFC 6793 expanded ASN support for 2"32, or 4,294,967,296 ASNs.

ASNs 64,512 through 65,534 and 4,200,000,000 through
4,294,967,294 are internal ASNs for anyone to use.
These internal ASNs cannot be advertised on the Internet.
An AS is a set of routers under a single technical administration . The AS uses an interior gateway
protocol (lOP) and common metr ics to determin e how to route packe ts in the AS. The AS uses an
interAS routing protocol to determine how to route packe ts to other AS. Each of these AS is
uniquely identified using an AS numb er (ASN) .
218
BGP Peers
Slide 4-31
BGP neighbor adjacencies, called peers, are manually configured.

Each BGP speaker must have information about the other BGP router
before the BGP speaker starts sending hello packets:
rep
BGP peers establish a communication over
port 179.
If two BGP peers have different BGP ASNs , the peers are called eBGP
and BGP assumes that they are under different management control.
If two BGP peers have the same BGP ASN, the peers are called iBGP
and BGP assumes that they are under one management control.
II
z
><
(J)
::0
o
c
~
:::J
(C
Peers are manually configured to exchange routing information and form TCP connections. A peer
in a different AS is called an external peer, while a peer in the same AS is called an internal peer.
Module 4
NSX Routing
219
BGP Peers Example

Slide 4-32
A BGP router is only aware of its BGP neighbors and conducts all
control plane communication with them.
AS 90
iBG P
220
BGP Route Selection

Slide 4-33
A BGP router only installs one path to a route in its routing table.
If multiple paths exist for the route, the BGP router selects the best
route based on the following criteria:
1. Prefer the path with the highest local preference.

2. Prefer the locally originated path.
3. Prefer the shortest AS path.
4. Choose the path with the lowest origin code .
5. Choose the path with the lowest multiexit discriminator.
6. Choose an eBGP over an iBGP.
7. Choose a route through the nearest IGP neighbor as determined by the
lowest IGP metric .
8. Choose a path with the lowest router 10.
II
z
><
(J)
::0
o
c
~
:::J
(C
BOP routers typically receive multipl e paths to the same destination. The BOP best path algorithm
is used to determin e which path is best to install in the BOP routing table.
Module 4
NSX Routing
221
Concept Summary
Slide 4-34

Which is the interior routing protocol that uses
link state tables to map network topology?
222
Open Shortest Path First (OSPF)
Which protocol floods link state information

through a network of routers to map network
topology?
Intermediate System to
Intermediate System (IS-IS) protocol
Which protocol manually configures and uses

rep to connect to peers?
Border Gateway Protocol (BGP)

Slide 4-35
objectives:
Compare OSPF , IS-IS, and BGP
Describe OSPF area types
Describe IS-IS routing levels
Describe the BGP
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
223
Lesson 2: NSX Logical Router

Slide 4-36
Lesson 2:
NSX Logical Router
224
Learner Objectives
Slide 4-37
objectives:
Describe the role of the distributed logical router
Deploy a distributed logical router
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
225
Layer 3 Networking Overview

Slide 4-38
The network layer handles the following:

Selecting routes
Knowing the addresses of neighboring network nodes
Prioritizing traffic based on quality of service
Forwarding messages for local host domains to the transport layer
Router
Endpoint
These tasks are performed by the router that allows the routing between different nodes without
broadcasting all traffic to all nodes.
226
Layer 3 Enables Larger Networks

Slide 4-39
Layer 3 routers can be linked to other routers and endpoints.

Inter-router links allow for much larger networks.
Series
Central
II
z
><
(J)
::0
o
c
~
:::J
c.c
In addition to being linked to endpoints in a local network, the router can be linked to other routers .
Nodes that are separated by distance communicate with each other witho ut extending miles of
network cables. Placing a router at each group of endpoints and running a single line from router to
router is a practica l solution . Rout ers can be chain ed in series , or connected by a centra l router.
Module 4
NSX Routing
227
Distributed Logical Router

Slide 4-40
The distributed routing capability in the NSX platform provides an

optimized and scalable way of handling East-West traffic in a data
center.
Overview
Routing between virtual netwo rks
without leaving virtual space
'Layer 3 data plane distriOOOOOObuted in
hypervisor
;:..)
Layer 3 control plane running in a virtual
machine
-Dynarnic routing protocols for route discovery
and adve rtiseme nt
'Simplified deployment using VMwa re NSX
Manaqer " UI or API
Scale & Performance
' 1000 Logical Interfaces per distributed logical
router instance
'1 200 distributed logical router instances total
'1 00 per VMware ESXi host
'Line rate performance per hyperviso r
MM
Use Cases
' Optimize routing and data path in virtual
networks
' Supports single tenant or multitenant
deployment models
Routin g between virtual networks, layer 3 is distributed in the hypervisor. The distributed logical
router optimizes the routing and data path, and supports single-tenant or mult itenant deployments.
For example, a network that contains two VNls that have the same IP address ing. Two different
distribut ed routers must be deployed with one distribut ed router conn ecting to tenant A and one to
tenant B.
228
Hairpinning
Slide 4-41
The distributed logical router prevents hairpinning.

NSX
Edge Galeway
Packet is de livered to the

destination .
Packet is
delivered to the
gateway interface
t:l~ ii
VM on green logical
switch communicates
with VM on red logical ..... "" ,
switch.
for routing.
Com pu te
NSX
Rack 1
Edge/Managemen
l
Rack
Frame are sent over
VXLAN transport
fter the Routing decision ,

the frame is sent to the
VM on Red Logical Switch
network to the
gateway IP of green
logical switch.
II
z
><
Frame delive red
o the destinatio
VTEP
(J)
::0
o
c
>
VXLAN Transport Network
:::J
(C
Without the distributed router, routin g is done in one of the following ways:
A physical appliance is used. All traffic has to go to a physical appliance and come back
regardless of whether the virtual machin es are on the same host.
Routing is perform ed on a virtual router such as the VMwa re NSX Edge" gateway. This
method uses a virtual machine runnin g on one of the hosts to act as the router.
If virtual machin es runnin g on a hypervisor are connected to different subnets, the communication
between these virtual machines has to go throu gh a router. This nonoptimal traffic flow is sometimes
called hairpinning.
The example in the slide illustrates the traffic flow without the distributed logical router:
1. A virtual machine on the first VMware ESXi
host wants to communicate with a virtual

machin e on the same ESXi host. The two virtual machines are on separate subnets.
2. A frame is sent by the green virtual machine to the distributed switch. Because the virtual
machin es are on different subnets, the host forwards the frame to the default gateway.
3. The frame is received by the ESXi host that is hosting the NSX Edge gateway.
4. The packet is delivered to the NSX Edge gateway for routin g.

Module 4
NSX Routing
229
5. The NSX Edge gateway makes a routing decision and sends the packet back to the ESXi host,
which forwards the packe t back to the red logical switch.
6. The ESXi host that is hosting the red virtual machine receives the packe t and forwards the
frame to the red virtual machine.
7. The packet is delivered to the red virtual machine. If the red virtual machine responds, the
traffic flow is reversed.
230
Distributed Logical Router: Logical View

Slide 4-42
The distributed logical router kernel modules can route between

physical and virtual subnets.
VXLAN
logical Router Instance 1
WebVM
AppVM
VXLAN 5001
II
Router Instance 2
VLAN
z
><
(J)
AppVM
::0
o
c
~
:::J
VLAN 10
(C
VLAN 20
The distributed logical router rout es between YXLAN subnets. Two virtual machin es might be on
the same host and the Web YM on YXLAN 500 I might want to communicate with the App YM on
YXLAN 5002. The distributed logical router routes traffic between the two virtual machin es on the
same host.
The distributed logical router can also route between physical and virtua l subnets.
Module 4
NSX Routing
231
Distributed Logical Router: Physical View

Slide 4-43
The distributed logical routers run at the kernel module level.

Physical
NSX
Co ntrolle r
Cl u-ster
VXLAN Transport and

Management Network
VMware NSX Manager" configures and manages the routing service. During the configuration
process, NSX Manager deploys the logical router control virtual machine and pushes the logical
interface configurations to each host through the control cluster.
The logical router control virtual machine is the control plane component ofthe routin g process. The
logical router control virtual machin e supports the OSPF and BGP protocols.
The logical router kernel module is configured as part of the preparation through NSX Manager. The
kernel modul es are similar to line cards in a modul ar chassis supporting layer 3 routing. The kernel
modul es have a routing inform ation base that is pushed through the VMware NSX Controller"
cluster. The kernel modul e performs all the data plane functions of route lookup and Address
Resoluti on Protocol (ARP) entry lookup.
The NSX Controller cluster is responsible for distributing routes learned from the logical router
control virtual mach ine across the hypervisors. Each control node in the cluster takes responsibility
for distributing the information for a particular distributed logical router instanc e. In a deployment
where multipl e distributed logical router instances are deployed, the load is distributed across the
NSX Controller nodes .
232
Data Path: Host Components

Slide 4-44
The distributed logical router instance owns the logical interfaces (L1Fs):
IP addresses are ass igned on the L1Fs .
Multiple L1Fs can be configured on one distributed logical router instance.
The L1F configuration is distributed to every host.
An ARP table is maintained per L1F.
The virtual MAC (vMAC) is the MAC address of the L1F:
vMAC is the same across all the hosts and it is never seen by the physical
netwo rk, only by virtual machines.
Virtual machines use the vMAC as thei r default gateway MAC address .
II
The physical MAC (pMAC) is the MAC address of the uplink through
which traffic flows to the physical network:
z
><
(J)
For VLAN L1Fs the pMAC is seen by the physical network.
::0
o
c
~
:::J
(C
The distribu ted logica l router owns the logical interface (LIF). This concep t is simi lar to interfaces
on a physical router. But on the distribu ted router, the interfaces are called LIFs. The LIF connects to
logical switches or distributed port groups. A distributed logical router can have a maximum of
1,000 LIFs . For each segment that the distrib uted logical router is connected to, the distr ibuted
logical router has one ARP tab le.
The media access control (MAC) addresses in this environment are the virtua l MAC (vMAC)
addresses and the physical MAC (pMAC) addresses. If a LIF connects to a logical switch, the
virtual machines use the MAC addresses associated with that LIF as their next hop for the default
gateway. When a virtua l mach ine does an ARP request, the virtua l machine's MAC address is called
a vMAC. A virtual machine 's vMAC is never stored in the MAC table of a physical switch because
the virtua l machine's vMAC address is interna l to the VXLAN domain. Every host running the same
distributed logical router instance presents the same vMAC for each LIF to the virtual machines in
the logical switc h.
If an interface on the distrib uted logical router connects to a distrib uted port group , the distributed
router might talk to a physical entity by using the source MAC address . So a physica l switch sees
the pMAC and has the pMAC in the MAC table .
Module 4
NSX Routing
233
VLAN L1F
Slide 4-45
The distributed logical router supports distributed port groups that

are backed by VLAN:
First hop routing is handled on the host and traffic is switched to the
appropriate VLAN.
A designated instance is required per VLAN L1F.
A VLAN 10 must be defined on the distributed port group:

VLAN 10 of
a is not supported.
VLAN L1Fs can only span one distributed virtual switch.
The logical interface can be one of the following types:

VXLAN LIF: You connect the router to a logical switch.
VLAN LIF: You connect the router to a distributed port group that has one or mor e VLANs.
When the LIF is connected to a VLAN , the LIF has a pMAC and when the LIF is connected to a
VXLAN, the LIF has a vMAC. VLAN LIFs can only span one distributed switch because the
VLAN LIF is a port group and can only belong to one distribut ed switch. But a logical switch can be
configured in mu ltiple distributed switches.
234
Designated Instance
Slide 4-46
The designated instance is the host responsible for resolving ARP on
a VLAN L1F:
One designated instance exists per VLAN L1F.
Any ARP request in the distributed port group is handled by the
designated instance.
VMware NSX Controller" selects the designated instance:
NSX Controller pushes designated instance selection to all other hosts.
When the designated instance fails, NSX Controller does the

following:
Elects another host as the designated instance
Informs the remaining host about the new designated instance
II
z
><
(J)
::0
o
c
~
:::J
(C
The distributed logica l router is connec ted to a port group that gives access to the physical network.
The physical network might not be able to determine which of the different hosts own the MAC
address for that VLAN LIF at any point in time . To overcome this problem, each host has its own
pMAC address for the VLAN LIF, but only one host responds to ARP requests for the VLAN LIF.
The host that responds to the ARP requests for the VLAN LIFs is called the designated instance and
this host is chosen by NSX Controller. The designated instance also sends ARP requests on behalf
of all other hosts . All ingress traffic to the VLAN LIF is received by the designated instance. All
egress traffic from the VLAN LIF leaves the originating host directly without going through the
designated instance.
Module 4
NSX Routing
235
VXLAN L1F
Slide 4-47
The distributed logical router supports logical switches that are

backed by VXLAN :
First hop routing is handled on the host and traffic is switched to the
appropriate logical switch:
If the destination is at another host, the Ethernet frame is placed in a
VXLAN frame and forwarded .
A designated instance is not required.

Only one VXLAN L1F can connect to a logical switch:
The next hop router can be an NSX Edge services gateway
VXLAN IF can span all distributed switches in the transport zone.
Distributed logical routers perform best with VXLAN L1Fs.
If the VXLAN LIF connects to a VXLAN port group or logical switch, the LIF has a vMAC that is
used by all hosts. No designated instance exists because the vMAC is never visible in the physical
network.
You can have only one VXLAN LIF connecti ng to a logical switch. Only one distributed logica l
router can be connected to a logical switch.
236
Control Plane: Components

Slide 4-48
Distributed logical router control plane is provided by a per instance

logical router control virtual machine and NSX Controller.
Supports dynamic routing protocols:
OSPF
BGP
High availability supported through active-standby configuration.

Logical router
control virtual
machine
II
Communi cates with NSX Manager and NSX

Controller cluster :
-
NSX Manager sends L1F information to the

control virtual machine and NSX Controller
cluster.
Control virtual machine sends routing

updates to the controller cluster.
z
><
(J)
::0
o
c
~
:::J
(C
When a distributed logical router is deployed, the logical router control virtua l machine is also
deployed. The logical router control virtua l machine handles all control plane communications for
the distributed logical router. To enable high availability, deploy two logical router control virtual
machines and designate one as active and one as passive. If the active logical router control virtual
machine fails, the passive logical router contro l virtual machine takes 15 secon ds to take over.
Because the control virtual machine is not in the data plane, data plane traffic is not affected.
Controlling high availability resu lts in the addition or remova l of additional logical router control
virtual machines. When high availability is enabled, NSX Manage r enables the VMwa re vCenter
Server" system to deploy another logical control router virtua l machine. The logical router control
virtua l machine handles the OSPF and BOP protocols. So without a passive logical router control
virtual machine, you might lose neighbor adjace ncies if the active logical router control virtual
machine has a problem.
Module 4
NSX Routing
237
Logical Router Control Virtual Machine

Slide 4-49
The logical router control virtual machine is a control plane

component:
The logical router control virtual machine does perform any routing.
Routing is performed by the distributed logical router in the data plane.
The firewall on the distributed logical router only secures the control
virtual machine.
Control
Plane
NSX Log ical

Router Control VM
---- - - _.-- - ----- -----
<--
---- - --- -- ------ - ---- ---- - - ---- _.- --- - -------- -- - ----- -- --- - -- ----- - - - --- - - - - - - - ----- - - - -- --
NSX Virtual Sw itch
NSX Edge
+ !n~------Qf<---n---.
D,sl ibuled
Data
Plane
Does not sit in the data path

Provides OSPF route updates
to other routers (peering)
VXLAN
Dist rib ut ed
Fir ew all
~_C!g~~ ~J _~~1I ~~ ~
The physical rou ting takes

place in the data plane
serviCej
.. ;
Hyp erv isor Kern el Modu les
ESXi
The logical router control virtual machine is a control plane component and does not perform any
routin g. The routin g is performed in the data plane by the distributed logical router.
The logical router control virtua l machine's function is to establish routing proto col sessions with
other routers. An IP address called the Protocol Address is assigned to the logical router control
virtual machin e. This address is used to form adjacencies with peers.
The firewall installed to the distributed router does not do East-West traffic filtering. The firewall is
strictly present to protect the logical router control virtual machine.
238
Management, Control, and Data Communication

Slide 4-50
To support OSPF, the logical router control virtual machine must

have a connection in the segment as the L1F of the distributed router.
Dynamic routing protoco l is
configured on the logical router
instance .
Exte rn al Netwo rk
NSX Manager
Logical Router
Control VM
192 .168 .10.1
OSPF or BGP peering is

estab lished between the NSX Edge
and logical router contro l virtual
machine. The protocol address is
used for contro l communication .
192 .168 .10 .2
LOgiCal !
Router ~
172 .16.10 .1
NSX Controller pushes new logical

router configuration including LiF s
to ESXi hosts.
II
Learn routes are pushed to the

NSX Contro ller cluster for
distribution.
z
><
(J)
::0
o
c
172 .16 .20 .1
DB
VM
172 .16.20 .10
Routing kernel modules on hosts

handle the data path traffic.
:::J
c.c
To support OSPF, the logical router control virtual machine must have a connection in the segment
as the LIF of the distributed router. OSPF configuration requires the following IP addresses:
An IP address for the uplink LIF on the distributed router for data plane communications.
An IP address used exclusively for control conversations to the logical router control virtual
machin e. This IP address is used by the control virtual machine to talk OSPF neighbor
adjacencies and update the routin g table. The control virtual machine also does BOP across this
IP address.
These machines do appear as virtual machines in the vCenter Server system inventory. These
machin es should only be manipulated from the Network and Security view of the VMware
vSphere Web Client, and never from VMs and Templates or other views.
Module 4
NSX Routing
239
Deployment Models: One Tier

Slide 4-51
One tier of routing:
Distributed for East-West
Externa l
Designated instance
for North-South
Networks
Dynamic routing
to advertise logical networks
'"
I
OSPF :
VLAN VX LA N
Uplink Uplin k
BGP 'of
'"fJ\....;...------...Oist ributed Logical Router
tor'tl~ ---
- - - - -10 ESe ES'- - - - - -.
Web
App
DB
The diagram shows a distributed logical router connected to multiple logical switches. These
switches can be VXLANs. An up link can be added and converted to a VLAN uplink by connecting
the uplink to a port group . After the uplink is connected, a designated instance is chosen and
connected to the phys ical network.
You can put an NSX Edge instance between the physical and the logical router. VMware
recommends this design. If you are deploying and NSX Edge instance, do not use a VLAN LIP. Use
a VXLAN LIF. Use a VLAN LIF only if you must go direct ly outside. If you use VXLAN with the
edge , no designated instance exists and every router can directly forward traffic.
240
VMware NSX : Install, Configure, Manage
Deployment Models: Two Tier

Slide 4-52
Two tiers of routing
Distributed for East-West
Perimeter for North-South
Extern al
Networks
Dynamic routing to advertise

logical networks
,-Dynamic Routing
A
I
: (OSPF, IS-IS, BGP)

't'
Perimeter NSX Edge

Transit Uplink3
Transit Uplink1
,,,- - - - - - - - - - - - - - Dynamic Routing

,,,
(OSPF, BGP)
II
z
><
(J)
::0
o
c
~
:::J
c.c
The topology needs firewa lling at the perimeter to restrict access between the distributed routers. On
each distr ibuted router, firewa ll rules only allow traffic between certa in devices and selected traffic
on the outside.
The topology can easily be converted to a multitenancy configuration by inserting an NSX Edge
instance above each of the three logical routers . The original NSX Edge instance becomes the
perimeter NSX Edge instance that is shared by the three NSX Edge instances . The NSX Edge
instances allow each tenant their own config uration. Often , the NAT dev ice also belongs to the
tenant.
Module 4
NSX Routing
241
Distributed Router Traffic Flow: Same Host

Slide 4-53
DA: vMAC r;;-:.,.=~=---:::----="':I

SA : MAC 1 ~~~~~
Logical Router Control VM
192 .168.10.10
.".
DA: 192.168.10.10
....
~kLlF
SA: 192 .168.20.10
L1 F1
Internal L1Fs
L1F1 : 192.168. 20.1
L1F2 : 192.168.10.1
Host 1
L1F2
~
vMAC
Host 2
192.168.10.0
255.255.255.0
0.0.0.0
Direct
192. 168 .20.0
25 5.255.255.0
0.0.0.0
Direct
The diagram is a packet walk through the network:

1. Virtual machine I (VM I) on VXLAN 500 I attempts to communicate with virtual machine 2
(VM2) on VXLAN 5002 .
2. VM I sends a frame with the layer 3 IP on the payload to its default gateway. The default
gateway uses the destination IP address to determine that it is directly conn ected to that subnet.
3. The default gateway checks its ARP table and sees the correct MAC address for that
destina tion.
4. VM2 is running on the same host. The default gateway passes the frame to VM2.
242
Distributed Router Traffic Flow: Different Host

Slide 4-54
DA: MAC2
SA: vMAC
Ho st 1 _-.III~
Host 2
II
z
><
(J)
::0
o
c
DA: MAC2
SA: pMAC 1
:::J
t.t
c.c
In the example, virtual machin e I (VMI ) on VXLAN 500 I attempts communication to virtual
machin e 2 (VM2) on VXLAN 5002 :
1. VM2 is on a different subnet. So VM I sends the frame to the default gateway.
2. The default gateway sends the traffic to the router and the router determin es that the destination
IP address is on a directly conn ected interface.
3. The router checks its ARP table to obtain the MAC address of the destination virtual machine.
But the MAC address is not listed. The router sends the frame to the logical switch for VXLAN
5002.
4. The source and destination MAC addresses on the internal frame are changed. So the
destination MAC address is the address for VM2 and the source MAC address is the vMAC
LIF for that subnet. The logical switch in the source host determin es that the destin ation is on
host number 2.
5. The logical switch puts the Ethernet frame in a VXLAN frame and sends the frame to host 2.
6. Host 2 takes out the layer 2 frame, looks at the destination mac address, and delivers it to the
destination virtual machine.
Module 4
NSX Routing
243

Slide 4-55
Add an NSX Edge as a distributed router virtual machine.

Ic _
O .
1lI--
'8 'ilflT.iiM" ,j,, _

1. CU tredal1llals
" '-.1
] Coof";!Ule
IIJ-
Install Twa
deplo"TlIl!1~
~ s.-. (: CIIlI(lOUt
S conr'llQ" pHA
~ o.. ~_
6 Ready to c OfIJlIlel e
... --....
.-.....~tffDC llan~
N"",e lin d descript IO"
E d ~e seot ces GatS'W<lY
4 CoofillWelnlertdcas
. s-c. ~
i:3 ~""" ~
-,
N.... NSl(Edge
l ~ "'I1 """'"
~,
wo.x f ~
U'...., HD:.~ 1 1t1 ' ' ' ,H! . 1
....--....... ""-h
.... -...,
( . j LogICal (DIstribu ted) Router
o
Name
Hostname
Ena ble Hi gh AlIailabilily
-l
I
I
I
De5wpbQn
't enant
..
244

Slide 4-56
Entering interface addresses.

Add NS)( Edge Int erfac e
vNIC#
*'li,.,..,_
:':
.,....--",.,..,.,....
Name
o Internal
Type:
G Uplink
Select Remove
Connected To
Connectiii ty Status
Configu reeucnet
Connected
Disconnec ted
Add Subnet
Add Subnet
I'======~
+
Specify the IP addresses in the sutmet
Enter the IP
Specifythe IP addresses i Address .
"" x
II
Prima ry IP
MAC Addresses
Confirm the IP
addre ss
"TU
Options
sub net prefix length"
'"
Subne1prefix length:
L I_ _- - - - - '
FenceParameter
OK
II
z
><
*1' - - -
(J)
OK
Cancel
.t::
I[
::0
o
c
Cancel
:::J
c.c
Module 4
NSX Routing
245

Slide 4-57
The Transit-Interface must be configured with a prefix length of 29.

Add Subnet
Specify the IP addresses in the subnet:
.;I
Primary IP
Subnet prefi x length :
IP Addless
'---------'1 0
Ca ncel
C9
[
OK
I[
Cancel
If this setting is missed, the OSPF lab fails because OSPF does not
see the two edges on the same transit network.
246

Slide 4-58
Verifying the NSX Edge deployment.

nvp-controller 1# ShO ~001
n
Co n t r o Iler
nzs VTEPs
5001
10.10.10.1
2
nvp-Gontroller 1# I
The initial arp -n command may return a blank table.
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
247
Lab 5: Configuring and Deploying an NSX Distributed Router

Slide 4-59
Configure East-West routing by deploying a distributed logical router

2. Configure and Deploy an NSX Distributed Logical Router
3. Verify the Distributed Router Deployment and Configuration
4. Test Connectivity
5. Use NSX Controller CLI Commands to Verify the Distributed Router
Deployment
248
Concept Summary
Slide 4-60

What is a virtualized router implemented by NSX
modules installed in each ESXi host kernel called?
What is send ing communications through part of the
same path already taken when forwarding it to a
destination called?
What is an uplink owned by a logical router that
connects to VLAN port groups called?
What is an uplink owned by a logical router that can
span all virtual distributed switches in the transport
zone called?
Logical distributed router
Hairpinning
VLAN L1F
II
VXLAN L1F
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
249

Slide 4-61

Describe the role of the distributed logical router
250
Deploy a distributed logical router
Lesson 3: Layer 2 Bridging

Slide 4-62
Lesson 3:
Layer 2 Bridging
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
251
Learner Objectives
Slide 4-63
objectives:
Describe layer 2 bridging between VXLANs and VLANs
Describe the traffic flow between VXLAN and VLAN
Configure layer 2 bridging
252
VXLAN to VLAN Layer 2 Bridging

Slide 4-64
A VXLAN to VLAN bridge enables direct Ethernet connectivity

between virtual machines in a logical switch, and virtual machines in
a distributed port group:
This connectivity is called layer 2 bridging.
The Ethernet connectivity can also be extended to physical devices by
assigning an uplink to the distributed port group.
II
Distributed Router
z
><
(J)
::0
o
c
ESXi Host
Designated Instance
:::J
(C
VXLAN 973729
You create a layer 2 bridge between a logical switch and a VLAN , which enables you to migrate
virtual workloads to physical devices with no effect on IP addresses. A logical network can leverage
a physical gateway and access existing physical network and securi ty resources by bridging the
logical switch broadcast domain to the VLAN broadcast domain.
Module 4
NSX Routing
253
Use Cases
Slide 4-65
Sometimes you must enable virtual machines on logical switches to

have direct layer 2 access to the physical network:
During physical to virtual (P2V) migrations where changing IP

addresses is not an option
Extend virtual services in the logical switch to external devices
Extend physical network services to virtual machines in logical switches
Access existing physical network and security resources

Layer 2 bridging is not intended for use in the following cases:
VXLAN to VXLAN connectivity
VLAN to VLAN connectivity
Data center interconnect
Bridging can also be used in a migration strategy where you might be using P2V and you do not
want to change subnets.
VXLAN to VXLAN bridging or VLAN to VLAN bridging is not supported. Bridging between
different data centers is also not supported. All participants of the VLAN and VXLAN bridge must
be in the same data center.
254
Layer 2 Bridging Details

Slide 4-66
Distributed router is required to configure bridging :
Multiple bridges are supported per distributed router
Bridge instance runs on the host where the logical router

control virtual machine is active.
Layer 2 bridging data path is entirely in the VMkernel:
A special dvPort type called a sink port is used to steer packets to the
bridge.
II
You cannot enable both distributed routing and bridging on a

logical switch at present.
z
><
(J)
::0
o
c
~
:::J
(C
The layer 2 bridge runs on the host that has the NSX Edge logical router virtual machine. The layer
2 bridging path is entirely in the VMkernel. The sink port connects to the distributed port group
from the VMkernel on the distributed router. The sink port steers all traffic related to bridg ing on to
the switch . You cannot have routing enabled on those interfaces that you connect to the distributed
router.
The distrib uted router that performs the bridging cannot perform routing on that logical switc h. The
virtual machines on that switch cannot use the distributed router as their default gateway. Because
logical switches cannot be connec ted to more than one distrib uted router, those virtual machines
must have a default gateway. The default gateway must be either externally in the physical network
or in an appliance, such as the NSX Edge gateway. The NSX Edge gateway must be connected to
the logical switc h on the port group .
Module 4
NSX Routing
255
Bridge Instance
Slide 4-67
The host where the logical router control virtual machine runs is
selected as the designated instance to perform the VXLAN to VLAN
bridging function:
The bridge instance sends a copy of learned MAC address table entries
to the NSX Controller.
If the bridge instance fails, the control virtual machine pushes a copy of
the MAC address table to the new designated instance.
If every host is allowed to go directly to the physical network with the broadcast traffic, the network
might be overwhelmed. So one of the hosts is chosen as a bridge instance. NSX Controller chooses
a host to be the brid ge instance. The bridge instance is usually the host that is runnin g the logical
router controller.
If the brid ge instance fails, the NSX Controller instance pushes a copy of the media access control
(MAC) address table to the new bridge instance to keep it synchronized.
256
Bridge Instance Failure

Slide 4-68
Standby Logical Router
Control Virtual Machine
Active Logical Router

Control Virtual Machine
VXLAN 5001
Runs on the host with logical router

control virtual machine
Multiple bridges supported per logical
router
>
II
Physical Workload
II
z
><
(J)
Physical. Router
.'
~ ~""
::0
o
c
~
:::J
(C
In the example, a logical distributed router controller has failed and NSX HA is enabled. When the
bridge instance fails, the bridge instance is moved to the new active host and gets the physical MAC
addresses that were on the failed bridge instance. You can have multiple bridges on the same logical
router.
Module 4
NSX Routing
257
Layer 2 Bridging: Flow Overview

Slide 4-69
Traffic flow from the VXLAN to the VLAN through the bridge instance.
ARP Request
,
192.168 .100.4
~
VM1
VM2
VXLAN SW01
VTEP 1
VM 3
V NI50001 1
VLAN100
VT EP 2
Physical Host
vLan 100
192 .168 .100.4
In the example, VM2 wants to communicate with a physical host on VLAN 100. ESXi host numb er
3 is the bridge instance.
258
Slide 4-70
Multiple bridge instances versus separate distributed routers:
Bridge instances are limited to the throughput of a single ESXi host.
Interoperability:
VLAN and VXLAN logical switch are on the same distributed switch.
Bridging a VLAN 10 of 0 is not supported.
Scalability targets:
Line rate throughput.
Latency and CPU usage comparable with standard VXLAN.
II
Loop prevention:
Only one bridge active per VXLAN-VLAN.
z
><
(J)
Detect and filter if the same packet is received through a different uplink
by matching MAC address .
::0
o
c
~
:::J
(C
A bridg e instance is assigned to the ESXi host that runs the logical distributed controll er. If you have
to use multipl e bridges, consider usin g multipl e distributed routers so that the bridge instances can
be spread out among the different ESXi hosts to get greater throughput.
The VLAN-VXLAN logical switch must be on the same distributed switch. The port group that you
are bridging must have a VLAN numb er associated with it.
You must consider the throughput that goes throu gh the designated instance and also the latency.
Because all the bridge traffic is hairpinn ed to the bridge instance, you should only have one bridge
from VXLAN to VLAN to avoid loops.
Detect and filter is a function of the brid ge instance to ensure that duplic ate packets are not coming
through.
Module 4
NSX Routing
259
ARP Request from VXLAN

Slide 4-71
Layer 2
Network
Port,
MACl
The exampl e is a packet walk of an Address Resolution Protocol (ARP) requ est from a virtual
machin e to a physic al host on the network. In the example, the virtual machine on this VXLAN
segment attempts to contact this physical host for the first time:
1. The ARP request from VM I comes to the ESXi host with the IP addre ss of a host on the
physical network.
2. The ESXi host does not know the destination MAC addre ss. So the ESXi host contacts NSX
Controller to find the destination MAC address.
3. The NSX Controller instanc e is unawar e of the MAC address. So the ESXi host sends a
broadcast to the VXLAN segment 500 I.
4. All ESXi hosts on the VXLAN segment receive the broadcast and forward it up to their virtual
machines.
5. VM2 receives the request becaus e it is a broadcast and disregards the frame and drops it.
6. The designated instance receives the broadcast.
7. The designated instanc e forwards the broadcast to VLAN 100 on the physical network.
260
8. The physical switch receives the broadcast on VLAN 100 and forwards it out to all ports on
VLAN 100.
The physical server receives the broadcast and determin es whether the frame belongs to it.
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
261
ARP Response from the VLAN

Slide 4-72
MAC3
IP3
DA~
MAC3
~~
;;':';''-_ _
Port 1
MAC1
Port 2
MAC3
The slide shows an example of the response from the physical host back to the virtual machine:
1. The physical host creates an ARP response for the machine. The source MAC address is the
physical host's MAC and the destination MAC is the virtual machine's MAC address.
2. The physical host puts the frame on the wire.
3. The physical switch sends the packet out of the port where the ARP request originated.
4. The frame is received by the bridge instance.
5. The bridge instance examines the MAC address table, sends the packet to the VNl that contains
the virtual machine's MAC address, and sends the frame. The bridge instance also stores the
MAC address of the physical server in the MAC address table.
6. The ESXi host receives the frame and stores the MAC address of the physical server in its own
local MAC address table.
The virtual machine receives the frame.
262
Unicast Traffic
Slide 4-73
MAC3
5001
8i
IP3
II
MAC3
'"
DA~
'-:":":':;;~:":':"
z
><
(J)
::0
o
c
Port 1
Port2
MAC 1
:::J
c.c
MAC3
The example shows the traffic flow from the virtual machin e to the physical server after the initial
ARP request is resolved:
1. The virtual machine sends a packet destined for the physical server.
2. The ESXi host locates the destination MAC address in its MAC address table.
3. The ESXi host sends the traffic to the bridge instanc e.
4. The bridge instance receives the packet and locates the destination MAC address.
5. The bridg e instance forwards the packet to the physical network.
6. The switch on the physical server receives the traffic and forwards the traffic to the physical
host.
The physical host receives the traffic.
Module 4
NSX Routing
263
ARP Request from VLAN

Slide 4-74
MAC3
Layer 2
Network
The slide shows an example of an ARP request from a physical host on a VLAN to a virtual
machine on VXLAN :
1. An ARP request is receive d from the physical server on the VLAN that is destined for a virtual
machine on the VXLAN through broadcast.
2. The frame is sent to the physical switch where it is forwarded to all ports on VLAN 100.
3. The ESXi host receives the frame and passes it up to the bridge instance.
4. The bridge instance receives the frame and looks up the destination IP address in its MAC
address table.
5. Because the bridge instance does not know the destination MAC address, it sends a broadcast
on VXLAN 500 1 to resolve the MAC address.
6. All ESX i hosts on the VXLAN receive the broadcast and forwar d the frame to their virtual
machines.
VM2 drops the frame, but VM 1 sends an ARP response.
264
Concept Summary
Slide 4-75

Which action connects a VLAN and a VXLAN
network as the same logical network?
Bridging
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
265
Learner Objectives
Slide 4-76
objectives:
Describe layer 2 bridging between VXLANs and VLANs
Describe the traffic flow between VXLAN and VLAN
Configure layer 2 bridging
266
Lesson 4: NSX Edge Services Gateway

Slide 4-77
Lesson 4:
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
267
Learner Objectives
Slide 4-78
objectives:
Deploy NSX Edge gateway
Deploy OSPF on NSX Edge
268
NSX Edge Gateway

Slide 4-79
The NSX Edge gateway connects isolated stub networks to shared

(uplink) networks.
NSX
NSX Edge
Services
Ga teway
logic al
Router
C ontr ol
NSX
Manager
II
z
><
(J)
Physical Network
::0
o
c
----
:::J
c.c
NSX Edge supports OS PF, an lOP that routes IP packets only in a single routing domain. NSX Edge
gathers link state information from avai lable routers and constructs a topology map of the network.
The topology determines the routing table presented to the Internet layer, which makes routing
decisions based on the destination IP address found in IP packe ts.
Module 4
NSX Routing
269
Integrated Network Services

Slide 4-80
NSX Edge provides common gateway services such as DHCP, VPN,

NAT, dynamic routing, and load balancing.
Firewall
Load balancer
VPN
Routing and NAT
DHCP and DNS relay
Overview
Integrated L3 to L7 services
Virtual appliance model to
provide rapid deployment and
scale-out
Benefits
Real-time service instantiation
Support for dynamic service
differentiation per tenant or
application
Uses x86 compute capacity
Several perimeter services are available for the NSX Edge gateway. These services are not
embedded in the distributed router. NSX Edge gateway is a virtual machine that has one interface
connected to the virtual mach ine segment through logical switches or distributed and standard port
groups.
These services are meant to work in environments where a third-p arty solution might not exist.
Sometimes a third-p arty solution might be more effective than NSX Edge service because that
solution is a dedicated device and not a multipurpose device like NSX Edge . All of these services
can be disabled to allow a third-party solution to be deployed.
In a multitenancy environment, NSX Edge for NAT might exist if duplicate IP segments exist.
270
NSX Edge Services Gateway Sizing

Slide 4- 81
NSX Edge can be deployed in four different configurations.

X-Large
6vCPU
Suitable for high performance

layer 7 load balancer
8192 MB vRAM
Quad-Large
4vCPU
1024 MB
vRAM
Suitable for high

performance firewall and
routing
II
Large
z
><
2vCPU
(J)
1024 MB vRAM
::0
o
c
Compact
:::J
c.c
1 vCPU , 512 MB vRAM
When NSX Edge gateway is deployed, the wizard asks for the desired size. If a gateway with the
wrong size is deployed, the gateway can be replaced with minim al effort by deploying a new NSX
Edge gateway. The existing NSX Edge gateway is removed and an NSX Edge gateway with the
desired size is created. The configuration from the old NSX Edge gateway is applied by NSX
Manager to the new NSX Edge gateway. The name of the new NSX Edge gateway instance is
different.
A service interruption might occur when the old NSX Edge gateway instance is remove d and the
new NSX Edge gateway instance is redeployed.
Module 4
NSX Routing
271
Features Summary
Slide 4-82
r;I."_l
NSX Edge
Gateway Services
F ire w all
5-Tuple rule configuration with IP, port ranges, grouping objects .
Network Address Translation
Source and destination NAT capabi lities .
DHCP
Configuration of IP Pools, gateways , DNS servers, and search domains.
Rou ting
Static and dynamic routing protocols support (OSPF, BGP, IS-IS).
Load Balancing
Configure virtual servers and backend pools using IP addresses or VC objects.
Site-to-Site V PN
IPsec site-to-site VPN between two NSX Edge instances or other vendor VPN terminators .
SS L V PN
Allow remote users to access the internal networks behind NSX Edge gateway
L2VPN
Stretch your layer 2 across data centers.
High Availabi lity
Active-Standby HA capability that works with VMwa re vSphere High Availability.
DNS/Syslog
Allow configuring DNS relay and remote Syslog servers .
Traditional firewalls operate by applying a set of rules containing a few criteria including source IP
address and port , destination IP address and port, and protocol. Advanced third-p arty firewalls have
a few additional options. In addition to the traditional criteria, the NSX Edge firewall, NSX Edge, or
Distributed Firewall, can use additional vSphere criteria. The vSphere criteria include resource
pools, clusters, networks, and many other metadata details from the vCenter Server system.
272
NSX Edge Routing

Slide 4-83
The NSX Edge appliance supports static and dynamic routing:
OSPF
IS-IS
BGP
Route redistribution
Routing is configured by selecting NSX Edge Gateway> Manager>

Routing.
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
273
Routing Verification
Slide 4-84
To verify that routing works as expected, access the NSX Edge

gateway eLi by using SSH or console connection:
show ip ospf neighbors
show ip ospf database
show ip ospf interface
show ip bgp
show ip bgp neighbors
show isis neighbors
show ip route
274
show isis database

show isis interface

Slide 4-85
Deploy an NSX Edge as a perimeter gateway.

"I
New NSX Edlll!
..... , I.';
i ' :r.'gW!!
I ;
"I. UJ ereeeuuers
N<HIM!and description
Install Type
IINle l
WI"
O lntemal
Connected To
J CorlfMJuredepl~l1e'Ilt
Ii
Name
4 ConfIljure neerreces
5 Default Od(ll'WdYsellmljs
L ogi cal (Distributed) R outer
6 firewllll and HA
D Enable High AvailaPill1y
7 Ready-In complete
C!
Atld NSl< Edge Int e rf ac e
(!' Edgesereces Gateway
Connecteo
ccn nectrofv Status
o Upl ink
o Disconnected
Sele ct
Remove-
Configure subnets
Nam e
Hostname
- , Perimeter G alew~
IPAdd,u .
Subn.t P.. ~ ~ L ongltl
nescnou on
Tenant
I
I
MAC Addresses
II
You can speclflo' a MAC address or leaveit blank for auto ueneranon In
case ofHA, fWQ dltrerent MAC addresses ere required
MTU
N,~
-Cancel
500
,
,
Options
Fence Parameters
En able Pr o)(\{ARP
Se nd le MP Re dire ct
z
><
(J)
::0
o
c
Example: ethernellJ.f111er1pa raml"'t
~ I c'""' : ~
Module 4
NSX Routing
275
:::J
c.c

Slide 4-86
Configure the static routes.
+
Global Cnnfi quratie n
Typ@
NebAlork
internal_high
1 0 10.10 0/ 2 4
OSPF
user
1 0 10.7.0/ 2 4
1 0. 7 7 . 2
Uplink-Interface
1500
BGP
user
1 0 10.9.0/ 2 4
10 . 5 5 . 2
Tran sit-Interfac e
1500
Static Routes
Next Hop
10 .9 9 .2
Interrace
MTU
Uplink-lntel1ace
1515
Route Redistrihution
276
Lab 7: Introduction
Slide 4-87
You delete the static routes in the lab.

OSPF initially fails, but the lab guides troubleshooting to resolve.
Default Gateway
Global Configuration
Static Routes
upnnk-mterrece
Gateway IP:
192.168.1002
OSPF
MTU:
BGP
Descriptio
IS-IS
Area to Interfa ce Mapping:
EditDynamicRouting Configuration
vNIC
RouteRedistribution
DynamicRl:
Uplink-Interface
Trans it-Interfa ce
Router 10:
I I
II
G"l Enable 08P F

f"J
D
BGP:
18-18 :
LogLevel:
* [ Uplink-Interface - 1...
11 Enable BGP
08PF :
Logging:
Router 10 :
Enable 18-18
Enable Logging
Log Level:
I I_
nl_
O
z
><
~_
(J)
Save
II
Cancel
::0
o
c
~
:::J
(C
Module 4
NSX Routing
277
Lab 6: Deploying an NSX Edge Services Gateway and

Configuring Static Routing
Slide 4-88
Configure and deploy an NSX Edge services gateway to provide

perimeter routing and other network services

2. Configure and Deploy an NSX Edge Gateway
3. Verify the NSX Edge Gateway Deployment
4. Configure Static Routes on the NSX Edge Gateway
5. Configure Static Routes on the Distributed Router
6. Test Connectivity Between an External Network and a Logical Switch
Network
278
Lab 7: Configuring and Testing Dynamic Routing on NSX Edge

Appliances
Slide 4-89
Configure OSPF to establish bidirectional connectivity between the

Management network and the Web-Tier, App-Tier, and DB-Tier logical
switch networks

2. Remove Static Routes from Perimeter Gateway
3. Configure OSPF on Perimeter Gateway
4. Redistribute Perimeter Gateway Subnets
II
5. Remove Static Route on Distributed Router

6. Configure OSPF on Distributed Router
z
><
7. Redistribute Distributed Router Internal Subnets
(J)
8. Troubleshoot Connectivity Between Logical Switch Networks and the

Management Network
::0
o
c
~
:::J
9. Resolve the Connectivity Issue
(C
10.Clean Up for the Next Lab
Module 4
NSX Routing
279

Slide 4-90

Deploy NSX Edge gateway
280
Deploy OSPF on NSX Edge
Key Points
Slide 4-91
OSPF is a link-state protocol. Each router maintains a database that

describes the AS topology.
The distributed logical router optimizes the routing and data path, and
supports single-tenant or multitenant deployments.
NSX Edge supports OSPF, an interior gateway protocol that routes IP

packets only within a single routing domain .
Layer 2 bridging is intended for VXLAN to VLAN connectivity.
Questions?
II
z
><
(J)
::0
o
c
~
:::J
(C
Module 4
NSX Routing
281
282
MODULE 5

Features
Slide 5- 1
Module 5
II
z
><
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
283
You Are Here

Slide 5-2

Course Introduction
NSX Networking
IE
NSX Routing
NSX Security
284
Importance
Slide 5-3
The services gateway gives you access to all VMware NSX Edge
services such as firewall, network address translation (NAT),
Dynamic Host Configuration Protocol, virtual private network (VPN),
load balancing, and high availability.
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
285
Module Lessons
Slide 5-4
Lesson 1:
NSX Edge Network Address Translation
Lesson 2:
NSX Edge Load Balancing
Lesson 3:
NSX Edge High Availability
Lesson 4:
NSX Edge and VPN
Lesson 5:
Layer 2 Bridging
286
Lesson 1: NSX Edge Network Address Translation

Slide 5-5
Lesson 1:
NSX Edge Network Address Translation
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
287
Learner Objectives
Slide 5-6
objectives:
Determine when to use a destination network address translation rule

and a source network address translation rule
Add an internal interface to the NSX Edge gateway

Create a destination network address translation rule to enable inbound
access from an external source by translating a public IP address to a
private IP address
Create a source network address translation rule to translate a private
IP address to a public IP address for outbound traffic
288
Private IPv4 IP addresses

Slide 5-7
Private IPv4 IP addresses are IP addresses reserved for the internal

use of corporations:
Defined in RFC1918 .
Private IP addresses cannot be advertised in the public Internet.
Three blocks of IP addresses are reserved for private use: 10.0.0.0/8,

172.16.0.0/12, and 192.168.0.0/16.
II
ACME Corpo ration

Intern al Netw ork
External
network
z
><
(J)
The number of IPv4 TCP/IP addresse s that are available is limit ed. Many applications in an
enterprise requir e conn ectivity only in one enterprise and do not need external connectivity for most
internal hosts. Request for change (RFC) 1918 defines address allocation for private Internet. You
can only use IPv4 private IP addresses to address all devices on your network. Private IP addresses
cannot be advertised in the publi c Internet.
m
0..
(Q
CD
(J)
CD
<:
n'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
289
IPv4 Overlapping Space

Slide 5-8
VMware vCloud Automation Center" tenant, ACME Corporation,

needs to communicate with vCloud Automation Center tenant, XYZ
Industries.
Both tenants have many networks and now need end systems on
both sides for direct communications.
ACME Corporation
XYZ Industries
vCloudAutomation
Center Networks
vCloudAutomation
Ce nter Networks
Hosts assigned with private IP addresses cannot communicate with other hosts through the Internet.
The solution to this problem is to use network address translation (NAT) with private addressi ng.
290
Managing NAT Rules

Slide 5-9
NSX Edge provides NAT service to assign a public address to a

computer or group of computers in a private network:
NAT rules provide access to services running on privately addressed

virtual machines.
The NAT service configuration is separated into the following sets of

rules:
Source NAT rules translate the source IP address of outbound packets
so that packets appear as originating from a different network.
Destination NAT rules translate the destination IP address of inbound

packets so that packets are delivered to a target address on some
other network.
II
z
(J)
VMware NSX Edge" provides NAT service to assign a publi c address to a computer or group of
computers in a private network . Using this technology limits the numb er of public IP addresses that
an organization or company must use, for econo my and security purposes.
You must configure NAT rules to provide access to services running on privately addressed virtual
machines. The NAT service config uration is separate d into source NAT and destination NAT rules.
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
291
Source NAT Deployment Using NSX Edge

Slide 5-10
Server 1
Server 2
Server 3
VM
VM
VM
192.168.1.2
192.168.1 .3
192.168.1.4
Test-Network
192.168.1.1
NSX Edge Gateway

10.20.181.170: Primary IPAddress
10.20.181.171: Source NAT Translated IP
Address
External-Network
Source NAT is used to translate a private internal IP address into a publi c IP address for outbo und
traffic. In the slide, NSX Edge gateway is translating Test-Network using addresses 192.168.1.0
through 192.1 68.1.24 and 10.20.181.171. This technique that the source NAT uses is called
masquerading. In this type of source NAT, the whole Lab-Network behind the NSX Edge gateway is
masquerading as a single host with IP address 10.20.18 1.171. You can also use the primary IP
address 10.20.1 81.170 as the source NAT translated IP address .
292
Example: Set Up External Access to Web Server

Slide 5- 11
Make a Web server on the HQ VXLAN network available to external

users:
1. Add an internal interface (HQ VXLAN Network) to NSX Edge.
2. Add a second IP address to the external interface subnet:
The second address is used by the external client.
3. Create a destination NAT rule that translates the external-facing

address to the Web server's IP address . No other IP address
combination is allowed through the NAT service.
If multiple Web servers exist, use the load balancer service in NSX
Edge to distribute connections.
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
293
Add a Second External IP Address for NAT Use

Slide 5-12
Add a second IP address in the existing subnet for the external

interface:
The second IP address is to be used for the destination NAT and

source NAT rules.
Summary
______
o_n_i
lo_r_ l t.1anage
( Settings l_F_ir_ew
_ a_1I " " ' - _ - - - J L - _ . l -_ _~
Gr
"___
__L_
Configure Interlaces of this NSX Edge .
Con
II
ur ton
Interfaces
vlIlC#
IP
1 ... lI.t m
Certificates
ddress
192 .168 .100 .3"
Uplink-Interlace 1192.168.100.10
To add a second IP address to the already-defined subnet for the external interface
1. In the VMwa re NSX Manager" page, select Edges and double-cli ck edge-I to display the
management page for HQ-E dge .
2. Select Configure > Interface s to display the list of interfaces.
3. Click the Ed it (pencil) icon to add the second IP address .
The second address is used to define both destination NAT and source NAT rules.
294
Destination NAT Deployment Using NSX Edge

Slide 5-13
Web Server
VM
App Server
DB Server
VM
192.168.1.2
VM
192.168.1.3
192.168.1.4
Test-Network
192.168.1 .1
NSX Edge Gateway

10.20.181.170: Primary IP Address
10.20.181 .171: Destination NAT
Public IP Address
II
External-Network
(J)
Destination NAT is commonly used to publish a service located in a private network on a publicly
accessib le IP address . In the example, NSX Edge NAT is publishing the Web Server 192.168.1.2 on
an externa l network as 10.20.181.171. You can also use the primary IP address 10.20.181.170 as
destination NAT.
m
0..
(Q
CD
(J)
CD
<:
n'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
295
Creating a Destination NAT Rule for Inbound External Access

Slide 5-14
Destination NAT rules can be defined for any IP address or range of

IP addresses that has been configured on a network interface.
For example, create a destination NAT rule to enable an external
client to access a Web server that is on an internal network.
A Web server's internallP address is 192.168.20.10.
The IP address added to the NSX Edge external interface is
172.20.11.12.
All packets destined for 172.20.11.12 arrive on the NSX Edge external
interface.
The destination NAT rule performs a destination IP address translation
from 172.20.11.12 to 192.168.20.10.
You can test the rule by displaying the administrative share for the C:
drive on the internal system with \ \172. 20 .11.12\C$:
Ensure that the response for a command that you use is from the
internal system , not the NSX Edge appliance.
You can create a destination NAT rule to map a public IP address to a private internal IP address .
The rule translates the destination IP address in the inbound packet to an interna l IP address and
forwar ds the packet.
The original (public) IP address must be added to the NSX Edge interface on which you want to add
the rule, that is, on the external interface.
296
Create a Destination NAT Rule and Test Inbound Connectivity

Slide 5-15
To create the destination NAT rule:

1. Click the Add icon and select Add DNAT Rule.
Add DNATRJJle
[ Setting s
I Firewall ~
Routing [
I Upli nk-Ingterface
Applied On:
OnglnaIIP/Ran ge :
Tran slated Port/Range :
2. Enable the rule in the dialog box

or after the rule is added.
3. Enable logging while testing
the rule.
I-
I-1
Original Port/Ra nge :

Translated IP/Rang e:
_I
Protocol :
A ctio n
I-
*I
~==~
I-1
Description"
_ _ _I
D Enabled
D Enable loggin g
OK
I[
Cancel
II
I,
(J)
To create the destination NAT rule
0..
(Q
1. In the NSX Edge management page, doubl e-click the NSX Edge instance that handles the NAT
operations.
2. Click the NAT tab.
CD
(J)
CD
<:
n
CD
rJl
G)
In the slide, the rule is configured for the HQ- Edge instance.
til
......
CD
stil
3. Click the Add icon and select Add DNAT Rule.
'<
In the Add DNAT Rule dialog box, configure the following settings :
"Tl
CD
til
......
C
.....
The interface on which to apply the destination NAT rule, for example, External.
The drop-d own menu displays the names of all 10 interfaces for this NSX Edge instance,
but not in alphabetical order.
The original (public) IP address in one of the following formats:
IP address: 192.168.10.1
IP address range: 192.168.10.1-192.168.10.10
IP address/subnet: 192.168.10. 1/24
Module 5
297
CD
rJl
The protocol s that can be used are the following:

UDP
TCP
Any
The origina l port or port range:
Port number: 80
Port range: 80-85
Any port
Tran slated IPlran ge: Th e trans lated IP address is in one of the form ats listed for the original
(public) IP address.
Tran slated Port/ran ge: Th e transl ated port rang e, as described for the original port or port
range .
298
Creating a Source NAT Rule and Testing Outbound Connectivity

Slide 5-16
You can create a source NAT rule to translate a private internallP

address into a public IP address for outbound traffic.
For the selected NSX Edge instance, select Add> Add SNAT Rule.
?
Add SNAT Rule
Appl ied On:
[ Uplink- Ingterface
o Enabled
o Enable logging
OK
I[
Cancel
II
You can test the outbound connectivity by pinging a translated

address from a system with one of the source IP addresses.
(J)
In the NSX Edge Manage page , double -click the NSX Edge instanc e for a source NAT rule and
click the NAT tab. In the example, the rule is configured for the HQ-Edge instance.
0..
(Q
CD
(J)
Click the Add icon and select Add SNAT Rule to open the dialog box . The trans lated (public) IP
address must be added to the NSX Edge interface on which you want to add the rule. The IP address
formats are the same formats that are used for the Add DNAT Rule choices. The source NAT rule
can be enabled in the dialog box or enabled later.
You can test the outbound rule by pinging a trans lated IP address from a system on the internal
network. The internal virtual machine sends the ping request. The source IP address of each Internet
Control Message Protocol packet ( 192.168.20.10 in the examp le) is trans lated to the public NAT
address (172.20 .11.12). The public NAT address is defined by the source NAT rule. Replies to the
ping command are from the upstream router. The upstream router responds to ping requests from the
172.20. 11.12 IP address, which is the trans lated IP address . The router has no knowledge of the
interna l network.
Module 5
299
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Slide 5-17
A traffic capture has a specific format.
Destination
Address
Source
Port
300
Destination
Port

Slide 5-18
Adding an IP address to an interface.

EditSubnet
EditIP addresses in this subnet:
Adding a destination NAT

and source NAT rule.
lC
Primary IP
o
o
IP Address
1i~ 1
II
Cancel
I Upli nk-Inlerfa ce
Appl ied On:
Original lP/Range:
192,168,100,3
Proto col:
SubnetPrefix Length
>I<
I I
I I
1
I
1 1
I
1 1
24-,-------.J
c
J
::.
Original PortlRange:
OK
II
Cancel
I,
Translated IP/Range:
Translated PortiRange:
>I<
Descnptron:
1_ _ 1
o Enabled
o Enable logging
OK
II
Cancel
II
I,
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
.....
CD
stil
'<
"Tl
CD
til
.....
C
....
CD
rJl
Module 5
NSX Edge Services Gateway Featu res
301

Slide 5-19
Resetting VMware NSX Controller" credentials.

~
e"
NSX Edges
I- I
NSXMana ger : ( t 92.t 68.1 t O.42

NSXHome
@ Ins ta llation
~ Logi cal Switches
:
I']
NSX Edges
Firew all
iiEI SpoofGua rd
~ Service Defi nition s
f!J Service Composer

~ Data Secu rity
~ Flow Monitoring
t!!3 Activity Monitorin g

... Networking & Security Inventory
"
EI I @
....
edge-5
edge-6
ACtlons _
1 .. Nam e
Id
Distributed Router
Actions - Perimeter Gateway
X Delete
"
Force Sync
Deploy
IItIil Redepl oy
Change auto rule configuration

~ Downl oad Tech Suppo rt Logs
Upgrade version
Convertto Compact
Convert to Large
N SX Man ag ers
Convert to X-Large
(iiOO;; ; ,
302
Lab 8: Configuring and Testing Network Address Translation on

an NSX Edge Services Gateway
Slide 5-20
Use destination NAT and source NAT rules to establish a one-to-one relationship
between the IP address of a Web server on an internal subnet and an IP address
in an externally accessible subnet

2. Verify Non-Translated Packet Addressing
3. Configure an AdditionallP Address on the Uplink Interface of Perimeter
Gateway
4. Configure a Destination NAT Rule
5. Test Connectivity Using the Destination NAT Translation
6. Verify Non-Translated Packet Addressing Before Defining a Source NAT Rule
II
7. Configure a Source NAT Rule

8. Test Connectivity Using the Source NAT Translation
9. Use What You Have Learned
(J)
m
0..
(Q
CD
(J)
CD
<:
0'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
303
Concept Summary
Slide 5-2 1

What is version 4 of the Internet Protocol calle d?
What are IPv4 networks with overlapping IP
address configurations called?
IPv4 Overlapping
What translates either the source or the

destination address to a pre-determined value?
What is used to change the source IP address in
an IP communication?
What is used to change the destination IP
address in an IP communication?
304
IPv4
Network Address Translation (NAT)
Source NAT rule
Destination NAT rule

Slide 5-22
Decide when to use a destination network address translation rule and

a source network address translation rule
Add an internal interface to the NSX Edge gateway

Create a destination network address translation rule to enable inbound
access from an external source by translating a public IP address to a
private IP address
Create a source network address translation rule to translate a private
IP address to a public IP address for outbound traffic
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
305
Lesson 2: NSX Edge Load Balancing

Slide 5-23
Lesson 2:
NSX Edge Load Balancing
306
Learner Objectives
Slide 5-24
objectives:
Describe the NSX Edge load balancing
Configure load balancing
Compare one-armed load balancing to inline load balancing
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
307
NSX Edge Load Balancer

Slide 5-25
The NSX Edge load balancer enables network traffic to follow

multiple paths to a specific desti;. .:n=a=ti-=o..:. .:n,,--"
Load sharing:
~
w c
~
-----,
Load is distributed across

multiple backend servers
Service high availability:

Servers or applications that fail
are automatically removed from
the pool
Use cases:
Per-tenant cloud load balancing
Dynamic virtual IP (viP) for
applications
The NSX Edge load balanc er enables network traffic to follow multiple paths to a specific
destination. The NSX Edge load balancer distributes incoming service requests evenly among
multiple servers in such a way that the load distribution is transparent to users. Load balancing thus
helps in achieving optimal resource use, maximi zing throughput, minimizing response time, and
avoiding overload. NSX Edge provides load balancing up to layer 7.
In the example in the slide , access to the Web server network is load balanced.
The load balancer does not do global balancing, but it does local load balancing. If multiple virtual
machines provide a Web service , the NSX Edge load balancer can provide load balancing across
those virtual machines. One of the virtual machines being load balanced might become unreachable,
or the service might become unresponsive. The load balancer service detects that condition and
removes that Web server from the load balance rotation.
Clients do not open a Web browser and go to the IP address of the Web server. Instead, the client
points to an IP that is owned or hosted by the load balanc er itself. The load balancer redirects the
client traffic by changing the destination IP address. The load balancer 's IP address is chang ed to the
IP address of the Web server that was selected to establish your session. The IP address that was
used by the client to connect to the Web site is called the virtual IP (vIP).
308
NSX Edge Load Balancer Modes

Slide 5-26
Features
TCP, HTTP, HTTPS with stateful high
ava ilability
Multiple viP addresses, each with
separate server pool and
configurat ions
Multiple load balancing algo rithms
and session persistence methods
Configurable health checks
Application rules
SSL te rminat ion with certificate
management, SS L pass-through ,
and SSL initiation
IPv6 support
II
Modes
One-arm mode
Inline mode
z
><
(J)
The load balanc er accepts TCP, HTT P, or HTTPS reques ts on the externa l IP ad dress and decides
w hich internal server to use.
m
0..
(Q
CD
(J)
You can ad d a server pool to manage and share backend servers flex ibly and efficient ly. A pool
manages load balance r distributi on meth od s and has a service mo nitor attac hed to it for health check
parameters.
CD
<:
0'
CD
rJl
G)
Implement ation models for load ba lanc ing can eithe r be one -arm or inline.
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
309
Load-Balancer Operation
Slide 5-27
Multiple virtual servers are supported.

Each virtual server is identified by a VIP address.
VIP is an IP address and also contains the service port number.
A VIP has an associated back-end pool of server IP addresses.
For example:
VIP: 163.63.63.63 and port 80
Backend pool addresses: 10.10.10.1 through 10.10.10.3
Two modes
Layer 7-proxy based (for example, HTTP)
Layer 4-based (Tep)
Layer 7 load balancing combines standard load balancing features for specific types of content. An
application delivery network can be optimized to serve specific types of content. For example, data
security, such as data scrubbing, is likely not necessary for l PG or GIF images , so the scrubbing
might be applied to only HTML and PHP.
310
One-Arm Load Balancer

Slide 5-28
The one-arm load balancer mode is also called proxy mode. The NSX
Edge gateway uses one interface to advertise the viP address and to
connect to the Web servers.
Design considerations:
Increases the number of NSX Edge appliances deployed
Client IP address is not preserved :

Web traffic can use the x-forward ed-for HTTP header
II
z
(J)
The one-arm load balancer has several advan tages and disadvantages. The advantages are that the
design is simple and can be deployed easily. The main disadvantage is that you must have a load
balancer per segment, leading to a large number of load balancers.
m
0..
(Q
CD
(J)
CD
<:
n
The one-arm implementation uses the HTTP X-Forwarded-For standard to redirect traffic to a
different IP address .
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
311
One-Arm Load Balancer Traffic Flow

Slide 5-29
One-arm load balancers must be on the same segment as the Web

servers that are load balanced
1.
2.
3.
4.
__
Client IP address > VIP address

Edge IP address > Server IP address
Server IP address> Edge IP address
VIP address
> Client IP address
~Ojl~~ ~e~~o!:..k ~
I
I
I
I
I
I
---------- ..... ,
Router: NSX Edge
or Distributed
Router (Layer 3)
Source NAT
-:-jtt~==1~=1if~
0'
Destination NAT
,
I
I
I
I
I
I
I
~ NSX Edge Router

,
" Load Balancer
I
---------------------------------~
In the one-ann design, when you deploy the NSX Edge instance, the interface advertises the vIP.
This vIP is the IP address that clients use to reach the load balanced servers. When traffic reaches
the vIP, the destination IP address is changed to the Web server IP address. This IP address is sent to
the Web server that is chosen by the load balancer. The NSX Edge instance uses NAT to change the
source IP address of the requestor to an IP address on the same subnet as the vIP. So when the Web
server replies, it is replying to the translated IP address on the NSX Edge load balancer. The NSX
Edge instance does the reverse NAT and sends the traffic back to the requestor.
In this design, the load balancer has to be on the same segment as the Web servers to which it is
providing the load balancing service.
If you do not use NAT to change the source IP address, the virtual machines reply directly to the
requestor and use their source IP address instead of the vIP. The requestor does not recognize the
serve r and discards the traffic.
312
Inline Load Balancer

Slide 5-30
Inline load balancer mode is also called transparent mode. The NSX
Edge gateway uses the following distinct interfaces:
An interface to advertise the viP address

An interface to connect to the Web servers
Design considerations:
Client IP address is preserved
An NSX Edge gateway must exist and the Web servers must point to
the NSX Edge gateway as the default gateway.
II
z
(J)
Inline proxy is another design option. The advan tage is that the client IP address is preserved
because the proxies are not doing source NAT. This design also requires fewer load balancers
because a single NSX Edge instance can service multiple segments.
0..
(Q
CD
(J)
CD
With this configuration, you cannot have a distr ibuted router beca use the Web servers must point at
the NSX Edge instance as the default gateway.
<:
n'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
313
Inline Load Balancer Traffic Flow

Slide 5-3 1
The inline proxy design is like the traditional firewall design.

1.
2.
3.
4.
Client IP address > VIP address

Client IP address > Server IP address
Server IP address> Client IP address
VIP address
> Client IP address
Logical network
;--------------
I
I
I
I
I
I
I
(Destination NAT)
NSX Edge Router

(Layer 3 + Load Balancer)
,-------------------------------,
,
\
I
I
I
I
I
I
I
J
/
The inline proxy design is similar to the traditional firewall design. The device has at least two
interfaces. The vIP resides on the external interface. The internal interface is connected to the
segment for the Web servers. In this model the only IP address that uses NAT is the destination IP
address. The vIP is changed to one of the virtual machine IP addresses. The load balancer perform s
a hashing algorithm to decide which of the Web servers gets that traffic.
You must not change the source IP address because you must set up your Web serve rs to use your
NSX Edge instance as the default gateway. Traffic comes back the same way so that externa l IP
address can remain.
314
Lab 9: Introduction
Slide 5-32
Create an application profile.

New Profil e
Name
G TCP 0
Typ'
HTTP
HTT
ml
I
Create a server pool.

(JJ
New Pool
Enable SSL Passjhrouc
Name:
HITP Redirect URL
I None
Persistence:
Des cription:
Cookie Name
. -;
Mode
Insert x.Porwstoeo-rur HTTPheader

Enab le Pool Side SSL
Vir1l1alServer ce nmca...
1721610,1
Algorithm :
[ ROUN D-ROBIN
Monitors :
[ NONE
En abl @d
N~m.
I
I I
I I
Members
l Service cernncetes J CA Certific ates TCRl 1

Common
-I
Nam e
IP Ad dress
Weight
Monitor Port
Pe rt
Ma x Conn ...
Min Co nn e.. .
Ill<ue,
172 16.10 ,1
MED-APP CORP lAED-APP C'
o Transparent
[
.;
Cipher
Client Authentication
OK
I[
Can cel
Ignore
~~
II
z
><
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
11
CD
til
......
C
.....
CD
rJl
Module 5
315

Slide 5-33
When deleting interfaces it is critical to select the correct interface.

Configure interfaces of this NSX Edge.
Edll ProfIle
'1NIC#
1 .
Nam e
Uplink-Interface
IP Address
Name
192.168.100.3*
Type
192.168.100.7
ShowAIl
Transit-Interface
192.168.10.1*
WebTier-Temp
172.16.10.1*
l Ap p- p ro~ l e
o TCP a HIT ? HTTPS

o Enable SSL Pa s slhrough
,~'I
HTI? Redirect URL
Persistence
11
[ None
ccc ae Name
Mode
Inse rt X-Forw arded-Fof HTTPh eade r

Enab le Pool Side SSL
Virtual SefW'f Cert IfICiiI_.
1 Pool C.. mscates 1
SeMceCe rtl1kales 1 ( "'C ertificate s
I~
172,16,\0,1
I CRl
1721610,1
rue J ul 15 2014
IllED-APP CORP MEOAPPCO RP Wed J ul16 2014
Reconfigure the App-Pool.

L:J
Ci pher:
cneot Authenlication
316
[ Ignore
I I

Slide 5-34
Configure a round-robin load balancer to distribute traffic between

two Web servers, and verify round-robin operation using traffic
capture tools
2. Verify the Lack of Connectivity
3. Add an IP Address to the Uplink Interface
4. Enable the Load Balancer Service and Configure an Application Profile
5. Create a Server Pool
6. Create a Virtual Server
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
317

Slide 5-35
Configure a round-robin load balancer to distribute traffic between

two Web servers, and verify round-robin operation using traffic
capture tools
7. Use the Packet Capture Capabilities of NSX Edge to Verify RoundRobin Load Balancing
8. Examine NAT Rule Changes
9. Migrate the Web-Tier Logical Switch to the Perimeter Gateway
10.Reposition the Virtual Server and Examine NAT Rule Changes
11.Use a Packet Capture to Verify Round-Robin Operation
318
Lab 10: Advanced Load Balancing

Slide 5-36
Configure a load balancer to provide SSL security for a Web site

2. Generate a Certificate
3. Modify the Existing Load Balancer
4. Capture Network Traffic at Perimeter Gateway
5. Migrate the Web-Tier Logical Switch Back to Distributed Router
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
319
Concept Summary
Slide 5-37

What distributes serve r load among multiple
servers using an intermediate proxy?
What are a number of separate serve rs or
applications that are pooled together as a single
resource for load balancing called?
Server pool
What IP address is assigned to a load balancing

proxy (server)?
Virtual IP address (viP)
Which load balancer uses a single path and

interface for ingress and egress traffic?
One-arm-load balancer
Which load balancer uses separate paths and

interfaces for ingress and egress traffic?
320
Load balancing
Inline load balancer

Slide 5-38
Describe the NSX Edge load balancing
Configure load balancing
Compare one-armed load balancing to inline load balancing
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
321
Lesson 3: NSX Edge High Availability

Slide 5-39
Lesson 3:
NSX Edge High Availability
322
Learner Objectives
Slide 5-40
objectives:
Explain benefits of stateful high availability
Configure the high availability service

Test and verify the high availability service before placing the service in
production
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
323
High Availability
Slide 5-41
The NSX Edge gateway can be deployed in pairs for a highly

available, network-services solution provider:
Active and standby NSX Edge gateways are placed in different hosts.
Heartbeat and sync packets are sent over the same internal vNIC .
On VMware ESXi host failure, an attempt is made to maintain NSX

Edge gateways in separate hosts.
,---- I,---- I
,---,---,----1
I ...... 1 I - I
II
I
I
I _ _ I
I __ I
I I
l____'
L ___'
L ___'
I I _ va.
I __
"'l1li
I _
'11'''
I _
...1lilI II
t-----,
- t-----,
I
Internal Port Group

U
NSX Edge high availability (HA) ensures that an NSX Edge appliance is always available by
installing an active pair ofNSX Edge gateways on your virtualized infrastructure . You can enable
high avai lability either when installing NSX Edge or on an installed NSX Edge instance.
The primary NSX Edge appliance is in the active state and the secondary app liance is in the standby
state . NSX Edge replicates the configuration of the primary appliance for the standby appliance or
you can manually add two appliances. VMware recommends that you create the primary and
secondary applianc es on separate resource pools and datastores. If you create the prima ry and
secondary appliances on the same datastore, the datastore must be shared across all hosts in the
cluster. Thus, the high avai lability app liance pair can be dep loyed on different VMware ESXi
hosts . If the datastore is a local storage , both virtual mach ines are deployed on the same host.
324
VM wa re NSX: Install , Configure, Manage
NSX Edge High Availability Operation

Slide 5-42
The heartbeat and synchronization traffic use one internal interface

on each NSX Edge instance, connected to the same internal subnet:
The NSX Edge appliances must be enabled to communicate without
layer 2 restrictions .
Heartbeat
--- Data Synchronization
High availability protection mechanisms:
Network high availability: Secondary NSX
Edge
vSphere HA: Protection against host
failure
Process high availability: Protection
against process failure
II
z
(J)
High availability ensures that an NSX Edge appliance is always available on your virtua lized
network. You can enable high availability when installing NSX Edge or later. NSX Edge HA
supports two NSX Edge appliances (peers) per cluster, runnin g in active-standby mode.
0..
(Q
CD
(J)
CD
NSX Manager manages the lifecycle of both peers and pushes user configurations because they are
connected to both NSX Edge instances simultaneously.
<:
n"
CD
rJl
G)
NSX Edge pushes runtime state inform ation to the standby, such as VMware vCenter Single SignOn" information.
NSX Edge HA peers communicate with each other for heartbeat messages and runtim e state
synchronization. Each peer has a designated IP address to communicate with the other peer. The IP
addresse s are for high availability purposes only and cannot be used for any other services . The IP
addresses must be allocated on one of the internal interfaces of the NSX Edge.
Heartbeat and data synchronization both use the same internal vNIC. Layer 2 connectivity is
through the same port group.
Module 5 NSX Edge Services Gateway Features
325
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Stateful High Availability

Slide 5-43
The primary NSX Edge appliance is in the active state and the
secondary appliance is in the standby state:
All NSX Edge services run on the active appliance.
The primary appliance maintains a heartbeat with the standby
appliance and sends service updates through an internal interface .
If a heartbeat is not received from the primary appliance in the
specified time, the primary appliance is declared dead and the
standby moves to the active state. The standby appliance:
Takes over the interface configuration of the primary appliance
Starts the NSX Edge services that were running on the primary
appliance
The NSX Edge gateway replicates the configuration of the primary
appliance to create the standby appliance.
The primary NSX Edge appliance is in the active state and the secondary appliance is in the standby
state. All NSX Edge services run on the active appliance . The primary appliance maintains a
heartbeat with the standby appliance and sends service updates through an internal interface.
If a heartbeat is not rece ived from the primary appliance in the specified time (default value is 6
seconds), the primary appliance is declared dead. The standby appliance moves to the active state
and takes over the interface configuration of the primary appliance. The standby appliance also
starts the NSX Edge services that were runnin g on the primary appliance. When the switch over
takes place, a system event is displayed in the System Events tab of Settings & Reports. Load
balancer and virtual private network (VPN) services must reestablish TCP connection with NSX
Edge, so the service is disrupt ed for some time. Virtual wire connections and firewall sessions are
synchronized between the primary and standby appliances, so that service is not disrupted during
switch over.
If the NSX Edge appliance fails and a bad state is reported, high ava ilability force-synchroni zes the
failed appliance to revive it. When the appliance is revived, it takes on the configuration of the now
active appliance and stays in a standby state. If the NSX Edge appliance is dead, you must delete the
appliance and add an appliance.
The NSX Edge appliance replicates the configuration of the primary appliance for the standby
appliance or you can manually add two appliances . VMware recommends that you create the
326
primary and secondary appliances on separate resource pools and datastores. You can create the
primary and secondary appliances on the same datastore. The datast ore must be shared across all
hosts in the cluster so that the high availability appliance pair can be deployed on different ESXi
hosts. If the datastore is local storage, both virtual machines are deployed on the same host.
NSX Edge ensures that the two high availability NSX Edge virtual machin es are not on the same
ESXi host. This feature works even after you migrate virtual machines with VMware vSphere
Distributed Resource Scheduler" (DRS) and VMware vSphere vMotion. But this feature does
not work when you manually migrate the virtual machines to the same host. Two virtual machin es
are deployed on the VMware vCenter Server" instance in the same resource pool and datastore as
the appliance that you configured. Local link IP addresses are assigned to high availability virtual
machin es in the NSX Edge HA so that they can communicate with each other. You can specify
management IP addresses to override the local links. If Syslog servers are configured, logs on the
active appliance are sent to the Syslog servers.
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
327
NSX Edge Failure

Slide 5-44
If the primary NSX Edge appliance fails, the secondary NSX Edge
detects the failure:
Default dead timer is 15 seconds:

Can be changed
Minimum 6 seconds
Secondary NSX Edge assumes the primary role:

The CLI command shows service high availability to verify primary
After secondary NSX Edge becomes primary, all new flows go

through it:
Connections must be re-established for all flows existing at the time of
primary failure .
Load balance persistence is synchronized.
If a heartbeat is not rece ived from the primary appliance in the specified time (default value is 15
secon ds), the primary appliance is declared dead. The standby appliance moves to the active state
and takes over the interface configuration of the primary appliance. The standby appliance also
starts the NSX Edge services that were running on the primary appliance. When the switch over
takes place, a syste m event is displayed in the System Events tab of Settings & Reports. Load
balancer and VPN services must re-establish TCP connection with NSX Edge, so the service is
disrupted for some time. Virtual wire connections and firewall sessions are synchronized between
the primary and standby appliances, so no service disrupti on occurs during switch over.
328
NSX Edge Services Gateway High Availability

Slide 5-45
Heartbeat and synchronization:
Heartbeat and sync both use the
same internal vNIC.
Layer 2 connectivity using same
port group .
o
Stateful failover for features .
Anti -affi nity:

o
Act ive and standby NSX Edge gateways
are placed on different ESXi hosts.
o
On ESXi host failure, VMware NSX
Manaqer" attempts to place NSX Edge
gateways on different hosts again .
,---,---,---,----l I,---- II
I - II
I - II II -_ -_ II
I _
I
I
I
I "M _ I
I YM
I VM _ I
I __ I
v ..
I __ I
L ___' L ___'
11''''
I _
Willi
I __ I
I __ I
L ___' L ___' L ___'
Internal Port Group
II
z
><
(J)
NSX Edge ensures that the two highly available NSX Edge virtual machines are not on the same
ESXi host. This feature works even after you migrate virtual machines with DRS and vSphere
vMotion. But this feature does not work when you manually migrate the virtual machines to the
same host. Two virtual machines are deployed on a vCenter Server host in the same resource pool
and datastore as the appliance that you configured. Local link IPs are assigned to high availability
virtual machines in the NSX Edge HA so that they can communicate with each other. You can
specify management lP addresses to override the local links.
m
0..
(Q
CD
(J)
CD
<:
0'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
329
Virtual Machine and Appliance Failure

Slide 5-46
NSX Edge health checks detect virtual machine or application failure:

Delay is dependent on the health check configuration. The default
configuration is 3x5 seconds.
Virtual machines that do not respond to health checks are taken out
of service:
Edge - Manage>
Load Balancer> Pools
ShowPo04 Slatlstlcs
Pool and Member Slacus
Pool Status andSla slles

P OOI ID
Virtual machine Appl icat ion Health Check

has to be configured for the pool.
For clients with persistence to that server, a
new pers istence is created when clients
recon nect.
PlXlJ. ,
SSH-Web-Pool1
UP
pOOl-2
HTTPWeb-Pool
UP
lI,mb" S1>lIJ. .nd
St"'be'.
T1Wt>b4
10.0.1.14
DOWN
member-'
T1Web5
10 0 1 ' 5
UP
memberS
When setting up load balancing , you place different destination servers into different pools . Pools
includ e the virtual machin es that are hosting the Web server. When you select the pool in the
VMware vSph ere Web Client, you can see members of that pool and members that are marked as
unavailable.
330
ESXi Host Failure

Slide 5-47
The response to an ESXi host failure is the same as when the NSX
Edge primary appliance fails:
If VMware vSphere Distributed Resource Scheduler" is enabled in

the cluster, the secondary NSX Edge gateway runs in a different ESXi
host from the primary NSX Edge gateway:
Anti-affinity rules are automatically created.
II
z
(J)
Host failure is handled in the same way as an NSX Edge failure. The keep-alive packets between the
standby and active NSX Edge devices time out if the virtual machine fails or if the host that contains
the active device fails. The recovery process is the same as for NSX Edge failure. If a host
configured with DRS fails , the anti-affinity rule ensures that the second virtual mach ine is relocated
to a different host when the new virtual machin e powers on.
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
331
Lab 11 Introduction
Slide 5-48
You use the load balancing from the previous lab and expand upon
it.
I?J. HI
Genefal" CSR
Common Name
OrganlzabonNam"
O,gamzahon UnI1
,
,,
I:!
I Ap p P rO~ le
o rep 0
TW'
I
HTTP
'0 .
HTIPS
D Enable SSLPa ssth, ough
Country
HTTPRed i'ect URL
hl"ssayeAlgo rrthm
I RSA
Pers,stence
Descnpbon
Protile
Name
Localil\"
State
I
Ed~
I
I None
I
I- I
CookJe Name
lIlod ..
o Insert >(.Fo.......a'dedFor KTTPheader

VI1udl SeNef Cert rf,ca._
I Pool
Name
artl
, Ie
ce ceneeatee eRL
Service Ce rtifica tes
'" I sewer-soot
Description
,,,.",
171.16 .10.1
172.15 .10,1
I ROUND-ROBIN
I NONE
Algori thm
[."' .. o. N... .
ijJ;
Edit P1Iol
D Enab le Pool Side SSL
Monitors
t- I
I- I
Members
En . bl . d
'"
Cipher
I-
Client Aulll enbcation
[ IgnOre
I-
'"
N.",.
IP Add'....
eo,
..... ~Co"n
web-s.
17216
443
443
Web-s ......
172.16 ,..
443
443
W. ;ght
Mo njl. , Po rt
lA,nConn
o Transparent
OD~
332
Lab 11: Configuring NSX Edge High Availability

Slide 5-49
Configure high availability and use the NSX Edge command line to
determine current HA status and view heartbeat traffic
2. Configure NSX Edge High Availability
3. Examine the High Availability Service Status and Heartbeat
4. Force a Failover Condition
5. Restore the Failed Node
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
333
Concept Summary
Slide 5-50
334
Which term refers to ensuring that an application

or service remains available?
High availability
Which type of high availability uses primary and

backup devices that synchronize to minimize
service interruptions when the active node fails?
Stateful high availability

Slide 5-5 1
Explain benefits of stateful high availability
Configure the high availability service

Test and verify the high availability service before placing the service in
production
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
335
Lesson 4: NSX Edge and VPN

Slide 5-52
Lesson 4:
NSX Edge and VPN
336
Learner Objectives
Slide 5-53
objectives:
Configure a layer 2 VPN on the NSX Edge gateway
Explain how an IPsec VPN enables systems at a branch location to

access systems securely on a private network at headquarters
Configure an IP address on an external interface for use by an IPsec

VPN
Configure an IPsec VPN service that connects the private networks at
two locations across the Internet
Describe the use case that SSL VPN-Plus addresses
Decide whether Web-access mode or full-access mode is optimal for a

use case
II
Configure the SSL VPN-Plus server settings that enable SSL on the
external interface
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
337
Logical L2 VPN
Slide 5-54
Features
- - - - - - - - - - -i"lrl--
...I..-
..I.....I
SSL-based
Web-proxy Support
L2 Bridge to Cloud
Broadcast support
Scale and
Performance
High Performance:
AES-NI acceleration
2 Gb/s throughput per
tenant
Use Cases
Cloud On-boarding
Cloud Burst ing
Layer 2 VPN allows you to configure a tunnel between two sites. Virtual machines remain on the
same subnet in spite of being moved between these sites, which enables you to extend your data
center. An NSX Edge gateway at one site can provide all services to virtual machines on the other
site.
338
Overview of Layer 2 VPN

Slide 5-55
To create the L2 VPN tunnel, you configure a layer 2 VPN server and
layer 2 VPN client:
You enable the layer 2 VPN service on the NSX Edge instance and
configure a server and a client.
The layer 2 VPN server is the source NSX Edge gateway to which the
L2 VPN is to be connected.
The layer 2 VPN client is the destination NSX Edge.
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
339
Logical User (SSL) and Site-to-Site (IPsec) VPN

Slide 5-56
Features
Interoperable IPsec tested with major
vendors
Clients on all major os (Windows,
Apple , Linux)
Remote authentication through Active
Directory, RSA Secure 10, LDAP,
Radius
TCP Acceleration
Encryption : 3DES , AES128 , AES256
AESNI HIW Offload
NAT and perimeter firewall traversal
Scale and Performance
High performance: AES-NI
acceleration
2 Gb /s throughput per tenant
Use Cases
Cloud to corporate
Cloud on-boarding
Remote office or branch office
Remote management
NSX Edge supports several types of VPNs. SSL VPN-Plus allows remote users to access private
corporate applications. IPsec VPN offers site-to-site connec tivity between an NSX Edge instance
and remote sites. Layer 2 VPN enables you to extend your data center by allowing virtual machines
to keep network connectivity across geographica l boundaries.
340
NSX IPsec VPN

Slide 5-57
Encapsulating Security Payload (ESP) tunnel mode is used:

64 tunnels are supported across a maximum of 10 sites.
Internet Key Exchange v1
Multiple nonoverlapping local and peer subnets can be configured.
Industry standard IPsec implementation:
Full interoperability with Cisco, Juniper, Sonicwall , and others
Supports both the preshared key (PSK) and certificate authentication

mode.
Supported encryption algorithms are AES (default), AES256, and
TripleDES.
II
z
(J)
NSX Edge supports certificate authentication, preshared key mode, IP unicast traffic, and no
dynamic routing protocol between the NSX Edge instance and remote VPN routers . Behind each
remote VPN router, you can configure multipl e subnets to connect to the internal network behind an
NSX Edge instance through IPsec tunn els. These subnets and the internal network behind an NSX
Edge instance must have address ranges that do not overlap .
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
You can deploy an NSX Edge gateway behind a NAT device. In this deployment, the NAT device
translates the VPN address of a NSX Edge instance to a publi cly access ible address facing the
Internet. Remote VPN routers use this public address to access the NSX Edge instance. You can also
place remote VPN routers behind a NAT device. You must provide the VPN native address and the
VPN Gateway ID to set up the tunn el. On both ends, static one-to-one NAT is required for the VPN
address. You can have a maximum of 64 tunn els across a maximum of 10 sites.
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
341
IPsec Security Protocols: Internet Key Exchange

Slide 5-58
Internet Key Exchange (IKE) v1 :

IKE is a standard method that is used to arrange secure, authenticated
communications.
IKE uses UDP port 500.
IKE has two phases:
Phase 1 sets up mutual authentication of the peers, negotiates

cryptographic parameters, and creates session keys.
Phase 2 negotiates an IPsec tunnel by creating keying material for the

IPsec tunnel to use, either by using the IKE phase-one keys as a base
or by performing a new key exchange.
IPsec is a framework of open standards. Many technical terms are in the logs of the NSX Edge
instance and other VPN appliances that you can use to troubleshoot the IPsec VPN. You might
encounter some of these standards:
Internet Security Assoc iation and Key Management Protoco l (ISAKMP): This protocol is
defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an
Internet enviro nment. ISAKMP only provides a framework for authentication and key exchange
and is designed to be key exchange independent.
Oakley: This protocol is a key agreement protoco l that allows authenticated parties to exchange
keying materia l across an insecure connection by using the Diffie-Hellman key exchange
algorithm.
Internet Key Exchange (IKE): This protoco l is a combination of ISAKMP framework and
Oakley. NSX Edge provides IKEv2.
IKE has two phases. Phase 1 sets up mutual authentication of the peers , negotiates
cryptograp hic parameters, and creates session keys. Phase 2 negotiates an IPsec tunnel by
creating keying material for the IPsec tunn el to use. Phase 2 either uses the IKE phase one keys
as a base or performs a new key exchange .
342
The following phase I parameters are used by NSX Edge:

Main mode
3DES or AES (configurable)
SHA-I
MODP group 2 (I 024 bits)
Preshared secret (configurable)
Security association lifetime of28800 seconds (eight hours)
ISAKMP aggressive mode disab led
The following IKE phase 2 parame ters are supported by NSX Edge:
3DES or AES (matches the phase I setting)
SHA-I
ESP tunne l mode
MODP group 2 (1024 bits)
II
Perfect forward secrecy for rekeying

Security association lifetime of3600 seconds (one hour)
Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets
(J)
Diffie-Hellman (DH) key exchange: This protocol is a cryptographic protocol that allows two
parties that have no previo us know ledge of one another to jointly establish a shared secret key
over an insecure communications channel. NSX Edge supports DH group 2 (I 024 bits) and
group 5 (1536 bits) .
X
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
343
IPsec Security Protocols: Encapsulating Security Payload

Slide 5-59
ESP tunnel mode:

Confidentiality (encryption)
Connection less integrity
Data origin authentication
Protection against replay attacks
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec, it provides
origin authenticity, integrity, and confidentiality protection of packets. ESP in Tunnel Mode
encapsulates the entire original IP packet with a new packet header. ESP protects the whole inner IP
packet (including the inner header). The outer header remains unprot ected. ESP operates directly on
IP, using IP protocol number 50.
344
IPsec ESP Tunnel Mode Packet

Slide 5-60
The original packet that is transmitted is both encrypted and

authenticated.
Original Data
IP Header
Outer
IP Header
ESP
Header
Original
IP Header
Data
ESP
Trailer
ESP
Authentication
Data
Encrypted
(
Authenticated
(
II
z
(J)
When a packet is processed by ESP in tunnel mode , the entire packet is surro unded by the ESP
header, ESP trailer, and ESP authentication data:
0..
(Q
CD
(J)
ESP header: Contains two fields, the SPI and Sequence Number, and comes before the
encrypted data .
CD
<:
n"
CD
rJl
ESP trai ler: Placed after the encrypted data . The ESP trai ler contains padding that is used to
align the encrypted data through a Padding and Pad Length field.
til
......
ESP authen tication data: Contains an integrity check value.
stil
G)
CD
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
345
Configuration Example for IPsec VPN

Slide 5-61
Use the NSX Edge instances at HQ and Branch. Each instance is a

VPN gateway:
The NSX Edge gateway at HQ connects the internal network
192.168.20.0/24 to the Internet
The internal interface is 192.168.20.1.
The uplink interface is 10.15.25.13.
The NSX Edge gateway at the Branch location connects internal

network 192.168.30.0/24 to the Internet
The internal interface is 192.1 68.30.1.
'. '. b
'!<
192 .168 .20 .0/24
1 92. 1 6~~0. 1
NSX Edge Gateway
Internet
r--
- -P,lK
,92.,68.30., 119: ';;;0.0124
Branch
NSX Edge Gateway
The slide contains config uration examples for a basic point-to-point IPsec VPN connection between
an NSX Edge instance at headquarters and an NSX Edge instance at the remote location . VPN
gateways from Cisco, WatchGuard, and others can also be used at the remote location.
For this scenario, the NSX Edge instance at headquarters connects the interna l network,
192.168.20.0 through 192.168.20.24, to the Internet. The NSX Edge interfaces are configured as
follows:
The interna l interface is 192.168.20.1.
The remote gateway connects the 172.16.0.0 through 172.16.0. 16 internal network to the Internet.
The remote gateway interfaces are configured as follows:
The internal interface is 192.168.30 .1.
346
IPsec with AES-N I

Slide 5-62
Up to 40 percent performance increase by supporting the Intel AES-NI

(AES New Encryption Instruction Set):
NSX Edge offloads the AES encryption of data to the hardware on
supported Intel Xeon and second-generation Intel Core processors.
No user configuration is necessary AES-NI support in hardware is

autodetected.
Supports certificate authentication, preshared key mode, and IP unicast

traffic.
II
z
(J)
The encryption overhead for packet traffic in a VPN application can be high. The Intel AES-NI
feature can substantially reduce the demand on the CPUs of the ESXi hosts.
0..
(Q
CD
(J)
CD
<:
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
347
Add an IPsec VPN

Slide 5-63
You must configure at least one externallP address on the NSX Edge
gateway to provide IPsec VPN service:
348
Add IPSec VP N
For the local NSX Edge

instance, enter the following:
An ID, the external IP
address , and the CIDR block
for the local subnets
The same set of information
for the peer endpoint
For the remote NSX Edge
instance, enter the same
information , but from the remote
perspective.
Select an encryption algorithm,
type of authentication , DiffieHellman group, and MTU.
GZI Enabled
Name:
Localld
LocalEndpoint
LocalSubnets
'1
SlJbnets.shouldbe entered in CJDR format

with comma as separator
Peer Id
.(
Peer Endpoint
1
Endpoint should be a valid JP address o r leff
blank to represent AN Y
Peersuonets:
'1
SlJbnels should be entered in CJDRformal
wilh comma as ::.eparator
Encryption Algorithm
I AES
Authentication:
0 P8K
I I
Certificate
Pre-Shared Key:
,+.
~~
"
NSX SSL VPN-Plus Service

Slide 5-64
Enables individual remote users to connect securely to private

networks behind an NSX Edge gateway:
Remote users can access applications and servers from the private
networks.
Provides two access modes:

Web access mode (without a client)
Full network access mode (requires that a client is installed)
Supports the following operating systems:

Windows XP and above , including Windows 8
Mac
as x Tiger, Leopard , and Snow
Leopard
Performance optimization:
II
The TCP optimization option avoids TCP-over-TCP meltdown .
Dynamic compression is an option.
(J)
Conventional full access SSL VPNs send TCP/IP data in a second TCP/IP stack for encryption over
the Internet. The result is that application layer data is encapsulated twice in two separate TCP
streams. When packet loss occurs (which happens even under optimal Internet condi tions) , a
performance degradation effect called TCP-over-TCP meltdown occurs . In essence, two TCP
instances are correcting a single packet of IP data, undermining network throughput and causing
connection timeo uts. TCP optimization eliminates this TCP-over-TCP problem, ensuring optimal
performance.
m
0..
(Q
CD
(J)
CD
<:
0'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
349
SSL VPN-Plus
Slide 5-65
Access your corporate LAN by using the Web-access mode or with a

downloadable SSL client:
No special hardware or
software is required.
NSX Manager
Co rporate LAN
:0.
Adm in
Remote users connecting
through Web access mode.
Remote Desktop
,< Connection
ShowQpbom
With SSL VPN-Plus, remote users can connect securely to private network s behind an NSX Edge
gateway. Remote users can acce ss servers and applications in the private networks.
NSX Edge provides users with access to protected resources by establishing an SSL encrypted
tunnel between a laptop (Mac OS X or Windows) and NSX Edge.
The SSL VPN-Plus service is intended to be deployed as a substitute for more complicated IPsec
c1ient-to- site or jump serve r solut ions. SSL VPN-Plus does not support mobile clients, nor does it
deliver common end-user features such as reverse proxy, custom portal, and SSL offload.
The use cases and capabilities ofNSX Edge SSL VPN-Plus are different from capabiliti es that are
provided by Horizon" View'>' . View is the VMware comprehensive approac h to virtual desktop
infrastructure, secure mobility, and end-user remote access .
350
NSX Edge SSL VPN-Plus Secure Management Access Server

Slide 5-66
Features
Supports up to 25
users
Full tunnel client
SSL-encrypted AES,
SHA
Authentication through
Local, RADIUS , LDAP
Windows and Mac
clients
Web browser or thickclient choice
as
II
z
><
(J)
NSX Edge provides administrative users with full tunnel access to protected reso urces by
establishing an SSL encrypted tunn el between a laptop (Mac or Windows) and NSX Edge .
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
351
Use Cases for SSL VPN-Plus Services

Slide 5-67
The primary use case is secure remote access without the use of a
jump box.
Another use case is to secure Web access with the thick client:
In full-tunnel mode, any traffic initiated at the client is tunneled to the

SSL VPN-Plus gateway and directed to the respective networks.
No traffic is sent from the client system directly to the Internet.

Access can be enforced for the client system's local network (LAN).
The administrator can direct the traffic to a Web filtering or caching
device .
352

Slide 5-68
Creating a layer 2 VPN requires two NSX Edge instances with the
correct VPN configuration.
~
.. Chent DetaIls :
I
Server Address:
Server Port
:J
IWElb-TIer
Inlema l lnlertate "
I. I
OescnptlOn
The VPN tunnel is confirmed from

the configuration screen.
.. User Detaus:
User Id: '
""
Pass word:
ge . TYile PdSS WOfd:
I
~
PrOlCVSettlngs
cert mcete DeCalls:

CAC e rtlfltale
"'-n
o Validate server c ernnc ete
HI"'.
.,
""
QQ I
Can CElI
Fetch Status
Tunnel Status
UP
Status :
Establi shed Date :
Byte Received :
1876
Byte Tran sm itted :
56696
JI
II
z
><
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
353

Slide 5-69
The headquarters connection.
The remote branch NSX Edge.
al
ean IPSec VP N
~ Enabled
~ Enabl ed
Name:
c::
Edit IPSec VPN
IHQ-Branch
I
I
tocauo
* IHQ
Local Endpoint
* 11 0 . 1 0 . 1 0 0 . 1 0
tocer subnets :
* 11 0 . 1 6 . 0 . 0 / 1 9
Isranch
Peer End point
* 11 0 . 1 0 . 1 3 0 . 1 0
0(1<
IPSec VPN stat ist ics
N,m~
11 0 . 1 0 . 13 0 . 1 0
11 0 . 1 6 . 4 0 . 0 / 2 4
Local Endl
PUIEndp
10.10.100.10
10.10.130.10
ChanMIS
TunnelSl.
Subnets srouta be entered in CfOR formal

with comma as separator,
'"
IHQ
I
I
. 11 0 . 1 0 . 1 0 0 . 10
Endpom l should tJ;:Ja v

blank /0 repre:;;enlAN':>'
Peer subn ete:
I
I
I
I HQ-Branch
'" I sranch
IPSecVPNStatus and Statistics
Sutme!s should be ent

with comma &5 6epa ral
Pee r Id
Name :
Localld
Endpomt fjhouid be a valid IP address or let!
blank to rep/esenlANY
* 11 0 . 1 6 . 4 0 . 0 / 2 4
_ 11 0 . 1 6 . 0 . 0 / 1 9
IPSec VPN Tunnel Status and stansncs :
Subnels sroota be em
wllh comma as {)epa/at,
En cryption Algori thm
I AES
Authen tication
Pre-Shared Key
Diffie- Hei lman Group
LOCiI Subn~ts
PurSubne ls
Subnels srovta be entered in C/OR formal

with comma as seoecnor.
TunMI state
cemn
PSK
I I
IAES
0 PSK
Certificate
Dis play shared key
DH 2
O DH5
[;?I En abl e perfect forw ard se crecy(PFS)
up
[;?I Enable
QQ~
354
Lt>llnIQ" 'ut,o
Display sha red key
0 0 H2
O OH5
perfect forward secrecy(PFS)
QQ~

Slide 5-70
Add an authentication source.

Add Authentication server
Authentication ServerType
I LOCAL
I .. I
~ Enable password policy
Password Length
Minimum no.or aipnaoets:

Minimum no, ofDigits
Minimum no. of special characters
Configure SSL VPN-Plus.
Password should not contain user 10
' E:J TO ~
~I=====~
~I=====~
LI
----'
Password expiresin
Cllange SImle r 5etl illIlS
Expirynotification in
IPv6 Ad dr ~ s s
I 192 .16B.130((pnm.JY)
I None
CipherLisl
IRcHms
after specific number of
IAES12B-SHA
unsuccessful retries
11
I- I
Enable accountlockoutpolicy:
Retry Count
User account will get locked
s e....a r c erme ete
[;?J Use
Default Certificate
RetryDuration:
Lockout Duration
II
Status
o Enabled 0 Disabled
o Use this setverror secondaryauthentication
rermrnate Session if authentication fails
z
><
(J)
m
0..
(Q
CD
(J)
CD
<:
n'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
355

Slide 5-71
Configure an IP Pool.
Configure the VPN

installation package.
Add Inst alldl ion
Profile N ame
'I
,,
PllCk~
*1
...
I),t_ .
IU3
OK
career ,
Create mstarlauonpackages for

Windows
L,nux
D Mac
Des cription
I
Status
(! i Enabled
Disabled
lnst all1ltioll p ar amet ers for WIndows;
Network
Netmask:
Des cription
Send Traffic
.~(===========i
.~I============i
0
OverTunnel
Bypass Tunnel
o Start Client on 10Qon
o Hide chent system lr<IV Icon
D Allow remember pas swo rd
G?l Create de sktop icon
Enable eueramode mstauaucn
D Hide SSL cnentn~rk adapter
Enab le silent mode opera tion
o SelVEl ' secullly certificate vahoaton

~~
~ Enable TC P Optimiz ation
Ports
staius
356
Enabled
Disabled
Lab 12: Configuring Layer 2 VPN Tunnels

Slide 5-72
Configure a layer 2 VPN tunnel between two NSX Edge services

gateway appliances
2. Migrate a Web Server Virtual Machine to a Different Cluster
3. Create a Logical Switch and Migrate Virtual Machine Networking
4. Deploy the Branch Edge
5. Configure Branch Gateway as a Layer 2 VPN Client
6. Add an IP Address to the Uplink Interface
7. Add a Web-Tier Interface to Perimeter Gateway
8. Configure Perimeter Gateway as a Layer 2 VPN Server
9. Test Tunnel Connectivity
II
10.Verify Tunnel Connectivity

(J)
m
0..
(Q
CD
(J)
CD
<:
0'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
357
Lab 13: Configuring IPsec Tunnels

Slide 5-73
Configure, test, and troubleshoot an IPsec tunnel designed to

connect two sites (HQ and Branch)
2. Prepare the Perimeter Gateway for IPsec Tunneling
3. Configure Perimeter Gateway as an IPSec Tunnel Endpoint
4. Prepare the Branch Gateway for IPsec Tunneling
5. Update the web-sv-02a Web Server with the New Web-Tier Subnet
Specification
6. Configure Branch Gateway as an IPsec Tunnel Endpoint
7. Test VPN Tunnel Connectivity
8. Troubleshoot and Resolve VPN Tunnel Connectivity
358
Lab 14: Configuring and Testing SSL VPN-Plus

Slide 5-74
Configure an SSL VPN-Plus portal page and a direct-access client

package
2. Configure SSL VPN-Plus Server Settings
3. Configure a Local Authentication Server and a Local User
4. Enable SSL VPN-Plus and Test Portal Access
5. Configure an IP Pool and Private Networks
6. Create and Test an Installation Package
7. Test Network Access by Using the SSL VPN-Plus Client Application
8. Review the Client Configuration and Examine Traffic
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
359
Concept Summary
Slide 5-75

Which protocol suite is used as network-tonetwork connections to secure internet
communications?
IPsec
Virtual Private Network (VPN)
Which is the connection between two network

devices that is encrypted in some way?
What is used to secure and connect an individual
computer to a network?
360
Secure Socket Layer (SSL)

Slide 5-76

Configure a layer 2 VPN on the NSX Edge gateway
Explain how an IPsec VPN enables systems at a branch location to

access systems securely on a private network at headquarters
Configure an IP address on an external interface for use by an IPsec

VPN
Configure an IPsec VPN service that connects the private networks at
two locations across the Internet
Describe the use case that SSL VPN-Plus addresses
Decide whether Web-access mode or full-access mode is optimal for a

use case
Configure the SSL VPN-Plus server settings that enable SSL on the
external interface
II
z
(J)
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5
361
Key Points
Slide 5-77
NSX Edge provides NAT service to assign a public address to a

computer or group of computers in a private network.
With load balancing, traffic load is distributed across multiple backend

servers.
High availability ensures that an NSX Edge appliance is always

available by installing an active pair of edges on your virtualized
infrastructure.
NSX Edge supports several types of VPNs.
Questions?
362
MODULE 6
NSX Security
Slide 6- 1
Module 6
II
z
(f)
X
(f)
(1)
c
....
363
You Are Here

Slide 6-2

Course Introduction
NSX Networking
.. .
~
364
NSX Routing
..
NSX Security
Importance
Slide 6-3
Virtualizing the network abstracts application workload

communications from the physical network and hardware topology.
This virtualization is critical in allowing network security to break free
from the physical constraints. Virtualization enables the network
security to be based on user, application, and business context.
z
><
(J)
(J)
(J)
c...,
Module 6
NSX Security
365
Module Lessons
Slide 6-4
Lesson 1:
NSX Edge Firewall
Lesson 2:
Lesson 3:
Flow Monitoring
Lesson 4:
Role-Based Access Control
Lesson 5:
Service Composer
Lesson 6:
Other Monitoring Options
366
Lesson 1: NSX Edge Firewall

Slide 6-5
Lesson 1:
NSX Edge Firewall
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
367
Learner Objectives
Slide 6-6
objectives:
Describe where the VMware NSX Edge firewall is typically deployed
Compare the NSX Edge firewall to the distributed firewall
Configure the NSX Edge firewall rules
368
NSX Edge and Distributed Firewall: Security Comparison

Slide 6-7
Typical deployment of a firewall

in a software-defined data center:
Distributed Firewall positioned

for East-West traffic filtering.
NSX Edge services gateway
positioned for North-South
traffic filtering.
~N
........~ ,...
Internet
Perime ter FW
(Physica l)
N-S
protection
A logical firewall provides security mechanisms for dynamic virtua l data centers. A logical firewall
includ es components to addres s different dep loyment use cases.
The Distributed Firewall focuses on East-West access and the VMware NSX Edge" Firewall
focuses on the North -South traffic enforcement at the tenant or data center perimeter. Together, these
components addr ess the end-to-end firewall needs of virtual data centers. You can dep loy either or
both of these technologies.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
369
NSX Edge Firewall

Slide 6-8
The NSX Edge appliance provides a stateful firewall for North-South

and East-West traffic flows:
Supports dynamic routing
Virtualization context aware
Provides line rate performance
All NSX Edge firewall configurations are done from Manage> Firewall
Firewall rules are applied in ascending number order
O '
~ .
.. ,
~
-;
c..nllf.ll.03 N1u~r. C1I!f_' lno."",
_M
,..,......
14olI'~
-.
,-
-""
0 '"
...... -
.....
I ~ C"
I/iIlIMUI
O ll$llI' M1 ,-an,
"<tt,t
-..
"""
The NSX Edge firewall provides perimeter security functionality including firewall , network
address translation (NAT), and site-to-site IPSec and SSL virtua l private network (VP N)
functio nality. This solution is avai lable in the virtual machine form factor and can be deployed in a
high availability mode .
370
Firewall Rule Types

Slide 6-9
The types of firewall rule are the following:
Default: Rules created during the deployment of the NSX Edge

gateway
Internal: Rules created by the NSX Edge gateway in support of services

configured by the user
User: Rules created by the user
The firewall rule type does not affect the application of the rule.
Ty PE
Internal
Internal
User
Default
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
371
Virtualization Context Awareness

Slide 6-10
The NSX Edge firewall can filter traffic flows based on IP and
TCP/UDP header information.
The NSX Edge firewall can also filter traffic flows based on
virtualization-specific information:
Data center
Cluster
Resource pool
Port group
Logical switch
vApp
Virtual machine name
372
Populating Firewall Rules

Slide 6- 11
Point to each rule and click the white cross:

Assign a descriptive name to the rule.
Select a source.
Select a destination.
Select a service.
Select an action.
eo 2
"
roultng
mtemat
u
Default Rule
,"y
any
Rule Name
Isnareoornt
I
~~
"
"
o os pr.anyan y
Accept
any
Acc ept
Accept
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
373
Source and Destination of a Rule

Slide 6-12
The rule's source and destination can include the IP address in the
packet or information provided by VMware vCenter Server, such as
virtual machine name or resource pool:
The source and destination can be compounded to include multiple
criteria.
If any of the criteria listed in the source matches, the rule is applied.
No .
Nam@
Type
Source
Destination
~ 1
firewall
Internal
O vse
any
~ 2
routing
Inlernal
any
any
~ 3
Sharepoint
User
0 10.10.10.1
tl'!J Compute Cluster 8
l:!App-Tier01
oo-sv-o t a
When you select a virtua l NIC (vNIC) Group, and select vse, the rule applies to the traffic generated
by the NSX Edge instance. If you selec t interna l or external, the rule applies to traffic coming from
any internal or uplink interface of the selected NSX Edge instance. The rule is updated when you
configure additional interfaces.
374
Firewall Service
Slide 6-13
A service in the firewall context is a collection of TCP/UDP ports that

form the components for successful communication with an end
system:
A service can be all the source and destination ports needed to access
an Oracle database.
A service group is a collection of services.
'"'
any
O ospf:any:any
"A'Data RecoveryAppliance
~ H e a rttl e a t
o
D
D
D
~ ll4 i co rs on
Exctlange2010
~ M S Exchange 2010 Client Access Servers
~ MS
Exchange 2010 Transport Servers
~ MS
Exdlange 2010 MailboxServers
New
II
Avoid specifying the source port when you create rules. Instead, you can create a service for a
protocol-port combination.
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
375
Create a Firewall Service

Slide 6-14
After you create the service, it is automatically added to the Service

column.
Add Service
New...
Service
Service Grou p
An Application can beviewed as a tag on network traffic of specrned

protoco l thai is trans mitted through speci fie d port or set of ports
Name
Descnpnon:
'~
I =====::;
Protocol
ITCP
I I
Destination ports:
e.c.: 700 1-7020,7100,8000-9 000

.. Advanced options
So urce ports
e.a.: 700 1-7020,7 100.8000-9000
376
Action Option
Slide 6-15
The Action option allows the rule to accept or deny the traffic:
Logging can be enabled for the rule.
Network Address Translation support can be enabled.
The rule can be applied on ingress or egress.
Action:
Log:
O Log
Deny
Accept
0 0 not log
comments:
... Advanced options

Match on:
Translated
o Enable Rule Direction

Incoming
Original
Outgoing
OK
II
Cancel
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
377
Publish Changes
Slide 6-16
After the rule is created , publish the changes to NSX Edge.

The changes take effect immediately.
This rule se t has unsaved manges . Click on PUblish Changes button 10start deplo ying
~~
.0 X
ISea rch
Generated rulesarecurrently shown Hiderules

T..,.
s.-
Des!.inelion
I ~ C'
""
No-
~ 1
firewall
mtemat
0 "'"
any
any
Accep t
~ 2
routing
Internal
,"y
any
osp tany:any
Accept
~ 3
snareccmt
User
0 10.10 10.1
Oh Compute Cluster 8
SharePoinl2010
Accept
~ Ap p-Ti e r0 1
81
,"y
any
~ 4
378
_t - .
Default Rule
Defaul t
SoM~
ActIon
db-sv-01a
,"y
Accept
NSX Edge Services Gateway: Form Factors

Slide 6-17
The NSX Edge services gateway provides several virtual machine form
factors.
Number of NAT rules: 2,000.
Size
vCPU
RAM
Total Number of
Firewall
Connections
Number of Firewall
Rules
Comments
Compact
64 MB
64 ,000
2,000
Suitable for basic

firewall
Large
1 GB
1,000 ,000
2,000
Suitable for mediumlevel firewall
Quad Large
1 GB
1,000 ,000
2,000
XLarge
8GB
1,00 0,000
2,000
I Suitable for highperformance firewall

Suitable for highperformance firewall +
load balan cer
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
379

Slide 6-18
Firewall rules are processed in order. The first rule that matches the
traffic being examined is applied and the traffic is passed or dropped.
380
No .
Name
Type
Source
Destination
Service
Action
e. 1
firewall
Internal
O vse
any
any
Accept
e. 2
ipsec
Internal
0 192.168.130.4
0 192.168.130.4
0 192.168.100.10
0 192.168.100.10
e. 3
sslvpn
Internal
any
0 192.168.130.4
e udp500,4500 :any
o esp :any:any
o tcp.443 any
e. 4
Default Rule
Default
any
any
any
Accept
Accept
Deny

Slide 6-19
Restrict the destination.

Destination
IP Addre ss:
0 1PV4 O lPV6
Value:
eg192168200 1,192.168.200.1124, 192.166.200 .1192.168.200 24
OK
II
C ancel
Restrict the protocol.
Ihttp]
Available (30)
0
0
0
0
0
0
.01
Selected (0)
Q CIM-HTI P
CIM-HTI PS
ffi
HTIP
HTIPS
HTTPS , net.tcp binding
Offi ce Server Web serv..
New...
OK
II
Cancel
II
z
(f)
X
(f)
(1)
...c
Module 6
NSX Secu rity
381
Lab 15: Using NSX Edge Firewall Rules to Control Network

Traffic
Slide 6-20
Define NSX Edge firewall rules to restrict traffic to one or more Web
servers

2. Enable Flow Monitoring for Future Reference
3. Restrict Inbound Web Server Traffic to HTTP and HTTPS
4. Determine How the Firewall Rule Interacts with Other NSX Edge
Features
382
Concept Summary
Slide 6-2 1

Which network device is used to restrict and filter
traffic between networks and endpoints?
Firewall
Which NSX Edge virtual appliance is deployed as

a perimete r firewall?
NSX Edge firewall
What performs packet inspection and tracks

the state of connections passing through the
firewall?
Stateful firewall
Which are the set of rules by which a firewall

bases its decisions to allow or deny traffic?
Firewall rules
What is the ability to use details about a virtual

machine known to the host for firewall rule
construction called?
Virtualization context awareness
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
383

Slide 6-22

Describe where the NSX Edge firewall is typically deployed
Compare the NSX Edge firewall to the distributed firewall
Configure the NSX Edge firewall rules
384
Lesson 2: Distributed Firewall

Slide 6-23
Lesson 2:
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
385
Learner Objectives
Slide 6-24
objectives:
Compare the Distributed Firewall to traditional firewalls
Describe the policy enforcement of the Distributed Firewall
Configure rules on the Distributed Firewall
386
Evolution of Firewall Placement

Slide 6-25
The firewall has evolved in recent years.

Yesterday 's Virtual
Infrastructure
NSX
Virtual Infrastructure
cd
I
The firewa ll has evolved in recent years. Originally, the firewall was a physical device that was
placed at the perimeter of the network to inspect traffic entering the data center.
The next stage in the evo lution was firewall appliances runnin g in virtual machines. From a
hypervisor perspective, one virtual machine talked to another virtual machine. The virtual machine
acting as the firewa ll had to be the default gateway for the other virtual machines runnin g on that
host. Sometimes, firewa lls also ran in the virtual machine to provide an additional layer of security.
NSX Secu rity
(f)
X
(f)
(1)
c
....
The Distributed Firewall is a hypervisor kernel-embedded firewa ll that provides visibility and
control for virtualized workloads and networks. The Distributed Firewa ll offers multiple sets of
configurab le rules for netwo rk layers 2, 3, and 4.
Module 6
II
387
Distributed Firewall Overview

Slide 6-26
The distributed firewall module is embedded in the VMkernel.
VM
Kernel-Embedded Firewall
The hypervisor-embedded nature of the firewall delivers close to line rate throu ghput to enable
higher workload consolidation on physical servers . The distributed nature of the firewa ll provides a
scale-out architecture that extends firewall capac ity when additional hosts are added to a data center.
No virtua l machine can circumvent the firewa ll. Egress and ingress packet are always processed by
the firewall. In extreme load exists, such as CPU satura tion or if memory is full, the Distributed
Firewa ll behaves as a fail close firewall. No packet passes through the firewall.
388
Distributed Firewall Filtering

Slide 6-27
Distributed Firewall provides security filtering functions on every

host, in the hypervisor, and at kernel level:
Distributed Firewall is a East-West stateful L2-L4 firewall
Distributed enforcement of policy rules
Distributed Firewall offers centralized configuration using the

vSphere Web Client.
..[)
The Distributed Firewall provid es security filtering functions on every host in the hypervisor at the
kem el level. The Distrib uted Firewall is an East-West statefu l layer 2, 3, and 4 firewall. The
Distributed Firewall provid es distrib uted enforcement of policy rules. The Distributed Firewall is
configured usin g the VMware vSph ere Web Client. The Distributed Firewall is independent of the
distributed router.
II
z
(f)
X
(f)
(1)
The Distributed Firewall is meant for East-West traffic or horizontal traffic . The NSX Edge firewall
focuses on the North -South traffic enforcement at the tenant or data center perimeter.
The NSX Edge services gateway firewall protects the data path traffic. The firewall on the contro l
virtual machin e for the distrib uted router contro ls access to the distributed router, for example, to
enable SSH access to the contro l virtual mach ine. So the firewall rules have no effect on the data
path traffic for the distributed router.
Module 6
NSX Security
389
c
....
Distributed Firewall Location and Policy Independence

Slide 6-28
Policies are virtual machine name-based, attribute-based, and

vCenter Server container-based.
Policy is independent of virtual machine location:
The distributed firewall can enforce security rules between two virtual
machines even if they are on the same L2 segment ( VXLAN or VLAN).
Policy rules always follow the virtual machine , even if a migration with
VMware vSphere vMotion occurs.
The Distributed Firewall policy is independent of where the virtual machin e is located. If a virtua l
machin e is migra ted to another host using VMware vSphere vMo tion, the firewall policy
follows the virtua l machin e.
390
Distributed Firewall Policy Enforcement

Slide 6-29
Distributed Firewall enforces rules at the vNIC layer before

encapsulation (or after de-encapsulation):
Independent of transport network (VXLAN or VLAN)
Independent of underlying virtual switch: VMware NSX Virtual Switch"

or distributed switch
IP3
IP1
MAC3
MAC1
VTEP IP: 10.20.10.10

-
vSphere Host
,
'".""",,,,
VTEP IP: 10.20.10.11
Policy Rules:
Source
Destination
- - - -
Service
Action
vSphere Host
, .. ,, t,,'
VM1
VM2, VM3
TCP port 123
VM1
VM2, VM3
any
No relationship exists between distributed switch ACL or security capabilities and Distributed Firewall.
II
Distributed Firewall rules are enforced at the vNIC layer before encapsulation or after deencapsulation. The distribut ed firewa ll policies are independent of whether a virtual machine is
connected to a VXLAN or VLAN . Distributed Firewall rules are independent of virtual machine
location.
(f)
The Distributed Firewa ll can enforce rules even if the virtual machines are on the same layer 2
segment. Policy rules always follow a virtual machine if the virtual machine is migrated to another
host.
Module 6
NSX Security
391
(f)
(1)
c
....
Distributed Firewall Components: Communication

Slide 6-30
Firewall rules are configured in the vSphere Web Client and pushed
to VMware NSX Manager.
REST API
Client
vSphe re
We b
Client
Distributed
Firewall
Security VXLAN DR DFW
Using a Web browser, you can connect to the vSphere Web Client that accesses the VMware
vCen ter Server" system . The vCenter Server system provides the user interface to manage policy
rules and mon itor distrib uted firewa ll activity.
The vCenter Server system communicates with VMware NSX Managert'". NSX Manager pushes
the rules down to the VMware ESXi host into the distr ibuted firewa ll kernel module.
The distributed firewa ll module on the ESXi host runs in the kerne l space and is responsible for
firewa ll rules enforcement at the vNIC level.
VMware NSX APFM can also be used to comm unicate with and configure the Distributed Firewall.
VMware NSX Controller" is not responsible for distributed firewa ll functiona lity.
392
Distributed Data Path

Slide 6-31
Distributed Firewall rules are enforced on each vNIC.

Source
Destination
Source
i ------"j
1
1
,
,
:1 VM :,
1
L
1
vSwitch
''
Destination
1~-----------------------,
~
1
1
1
1
1
1._
vSwitch
1
1
1
"
i---- -------------- ----.
-, 1
,
,
,
,
,
,
,
,
1
1
1
1
1
1
1
1
_ __ J
L_
vSwitch
The Distributed Firewall provid es hypervisor-based firewall enforcement on every vNIC . The data
path is optimized for performance and scalability. This daemon checks rules on both the ingress and
egress on the source and destination virtual machine. No virtua l machine traffic can circumvent the
firewal l.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
393
Policy Rule Objects

Slide 6-32
The Distributed Firewall supports security rules, called policy rules,

at the layer 2, layer 3, and layer 4 levels:
Layer 2 rules are created on the Ethernet tab.
Layer 3 and layer 4 rules are created on the General tab :

General rules are enforced after Ethernet policy rules are applied .
TCP/IP Model
Application Layer
OSI Model
. ..
Presentation Layer
_ _Session Lave r_ _
I
I
Tran sport Layer
Transpo rt La yer
Inte rnet La yer
Ne twork La ye r
Da ta Li nk Lay er
Ne twork Access Lay er

Physi cal Lay er
L3/L4 rules control traffic at network and

transport layer. Use L3/L4 rules to filter specific
source or destination IP addresses or L4
protocols. Some examples of L4 protocols are
SSH (TCP port 22), HTIP (TCP port 80).
L2 rules control traffic at data link layer. Use L2

rules to filter specific source or destination
MAC addresses or L2 protocols. Some
examples of L2 protocols are ARP, RARP, and
LLDP.
The Distributed Firewall supports security rules at the layer 2, layer 3, and layer 4 levels. Layer 2
rules are configured in the Ethernet tab of the NSX Controller instance. These rules are meant for
actions that happen at layer 2 such as Cisco Discovery Protoco l (CDP) and ARP.
The rules for layer 3 and layer 4 are defined in the Ge neral tab. The Ge neral tab policies define
rules to manage traditional traffic between virtual machines in different subnets or from East-West
traffic.
394
Layer 2 Policy Rules

Slide 6-33
You define firewall rules for layer 2 on the Ethernet tab.
....;;-
.... .
~ &.I..:""'"Y
'"
f! Nl>XHoIN
"'--
; ;;' NSXE"OI4
'!l -
~I '
N"P'--"
Cil Fbo1r ~
DI"WeTttMl:'l\M~ll
It."
'"
l!J s.rn:. ~
---
~....-,
~1119 . ~ ~
!!I ~ M"-'
--
~":'y2~
_. Ib)Ic.Il ~
.-1'3--
..-
08""'.-.
L.I)W7l'1* lJ
_.
...,
"'"-
....
' '
...
. 1:-
....
1-..
'
....
....
J~
+ lll / "
+0 / - "
I'll '
In the vSphere Web Client, under the Network and Security section, you find the Firewall tab. The
Firewall tab is where distributed firewall policies are defined. On the Co nfigu ration tab of the
Firewall tab are General policies and Ethernet policies. Ethernet policies are rules that are enforced
at layer 2.
II
z
(f)
X
(f)
(1)
c
....
Module 6 NSX Security
395
Layer 3 and Layer 4 Policy Rules

Slide 6-34
You define firewall rules for layer 3 and layer 4 rules on the General
tab.
~.-.. .--.,
f ~l sa-:l1 ~
t! NS.I: _
"<Sll:~, [ tN. ' ~ ~ .lOD .1
;,==...
dt~=....c':: ':': : " _------------------------=:;01
'!I '-"'-"
..,.
. :s.r..a ~
l'J:sr.a e:crntc-r
DfW~
DllllSoKutfIy
&1
:<- -..
' -71
~L.$ . _ U _~OCX
Q N2MlfMl:mtR'lO
~ Ing " kunfr ~
E!W!;X " ' - -
..
>
~====:JI ~
-. ~ .1
. o... ~ ~ I1'uiIf I SI
..
'
...""'....
"'"
, n ..
"
396
Centralized Management of the Distributed Firewall

Slide 6-35
The Firewall tab allows centralized management of all Distributed Firewall rules.
SaYId C~
CtlllllfolrU IllrI
__
-.
l,l SXII I ~
a Ie - ,
&1
~~.~
.-
Identity
- User identity
- Groups
irtual Center Serv er

Con tai ners
- Clusters
- Data centers
- Port groups
- VXLAN
01
==~I !Q:I
Services
- Protocol
- Ports
- Custom
8IcI:1ItnnlOtrU lOCll.nmnl
r1 /
.....
lC
N... or~no" "'1lIIY Irtrtrl101Y

t!l Ni5Ji.... ~
E >
e,
e.
""
e.
.....
""
...
VM Co ntainers
- VM names
- VM tags
- VM attributes
OHC~
. DHC P-C~"' I
..,.
.....
...,
- ...
The Firewall tab allows centrali zed manag ement of all Distributed Firewall rules. When you add a
rule, you provide a name , source, destina tion, service , action , and where the rules are enforced.
The source and destination can be an IP set, but it can also be a security group that you define . A
security group is a collection of assets or grouping objects from your VMware vSphere inventory.
You can also create sections to separate rules for different lines of busine sses, for example, different
departments .
The last rule or the default rule is typically set to deny. In most cases, an administrator wants to
explicitly allow certain types of traffic and block everything else by default. Internet rules get
applied before genera l rules so they are processed from top to bottom . When the traffic matches a
particular rule, the processing stops and the rule actio n is processed .
Module 6
NSX Security
397
II
z
(f)
X
(f)
(1)
c
....
Using Distributed Firewall Sections

Slide 6-36
Distributed Firewall sections segment policy rules for easier

manageability and better performance. Sections do not affect the
overall security policies.
To merge two sections together, click the symbol and select the section to merge with.
s.a _ _ . ..... _ _
-....---
. ~ - -"-::::""'\I~~
-
... . "1- -
-.
,,-............
-..
--.
tj
.---.
.""
.......,.~
!t ""5ll ~
..,
....
.""
.""
.""
..-
-..:uoo ....... _
~~---""
_.
-...
.""
The Distributed Firewall can have different rules based on sections such as a department. For
example, you might separate rules for human resources and for engineering departments in separate
sections. If you later decide to combine rules from different sections, you can merge sections and
consolidate the rules in those sections. You merge sections together by clicking the Merge icon.
Although sections have no effect on security, sectioning can ease management by allowing
administrators to apply rules to specific groups or job roles.
398
Policy Rule Objects

Slide 6-37
Datacenter
vCente r Dalacen
Cluster
vCenler Cluster a
Rule will apply fa
DataCenter
Rule will apply fOI
Cluster
VMware Cluster attribute
Distributed Virtual Port
Port Group of a distributed

switch
Network
vCenter Network
Rule will apply fa
Virtual App
vCenter vAPP at
Rule will apply101
Resource Pool
vCenter Resoure
Rule will applyfat
Virtual Machine
VM name attribut Ports (Destination L4 port vN IC
vNIC
VM vNIC attribut
E-~--------+-NS-X-IO~gj-Ca-'sw
---'
iIC
Logical Switch
Group
Network
Network attribute
Virtual Machine
VM attribute
Advancedoptions:
Logical Switch
Source Ports (Source L4 P -'-i-'-'= = = =
Rule will apply fO I all VI.".'.' ..... \.AJ,,,'c....'cu
LV ""'"
vN1Cattribute
VXLAN logical switch

= = = L-- - - - - - -
---"
IU~'\"CI' ", n'''.,11
Security Group
NSX security group attribute (defined through Service Composer tab)

Rule will apply for all VM/ vNIC part of the Security Group
lP sets
Listof IPv4 or IPv6 address
VMware NSX Services" enable you to put multiple ports into a nam e, for example, ports 20 and 21
into NSX Services called FTP. You can use protocol ports or you can create NSX Services in new
port new ranges. Several predefined NSX Services are created on the Distributed Firewall by
default.
You can perform various actions on the traffic. Actions define what the firewall should do with the
traffic after a rule match occurs , such as block or allow or log or not log.
Using the Applied To text box, you can specify which virtual machin e, and hence which vNICs,
receive the rule. The Applied To text box enables you to specify where the rules are enforced. The
rule action can be applied to a logical switch and is applied to every virtual machin e on the virtual
switch. You can apply the rule action to a clust er and every virtual machin e in that clust er is affected
by that firewall rule. If a new virtual machine is added to the clust er, the firewall rule is also applied
to that virtual machine. You can apply the rules to a data center, a clust er, a distributed port group, a
network, a logical switch , or a virtual machine vNIC.
When search ing Syslogs for firewall values, you must look for the BSIP value in the firewall entries.
Module 6
NSX Security
399
II
z
(f)
X
(f)
(1)
c
....
Logical Switch Rule-Based Example

Slide 6-38
Rules can be enforced between virtual machines on the same

segment and between virtual machines on different segments.
.-
- '- -_.O'
1lI ""-
r- iRl _~
,tano .tQI .
1'fSJI,~
a-
~-- -
+ o.
:::i:1lIP ' "
e _-_
:"!-
..1'J-. -.-
1~
.
..,
'i
G ____
- ___
...... ..-,--,
!!""-
.....
1.71
'ZaEi .
tB ROOt
-.I~ 1l
....
""".'.Mal"nPS_
_.
..
X6
'
5I UNUlI _
JoWUl'
..
" .....-.-..
IEEl
Ie.-
~ =_!WI
........
e-. ...... "-J""'"'S ,J
1m >
-- I
+ 1 / . ..
r:/ . ..
Router Inst anc e 1
Source
Dest
Action
------------VM1NM2
Block
WebVM
VM1
VM2
APP lo gical- sw itch-2
VXLAN 5002
VM4
Allow
VM1
Block
VM3
(assuming
default rule is
set to block)
In the example on the slide, traffic coming from the Web logical switch that is destined for the App
logical switch is blocked by rule I . Thus, VM I and VM2 cannot talk to VM3 and VM4 .
Rule 2 states that traffic from VM I destined for VM2 is allowed. Th e two virtual machines are on
the same logical switch segm ent. Assuming that the default ru le is set to block all other traffic,
traffic from VM2 is not allow ed to VM I and traffic between VM3 and VM4 is block ed.
400
Security Groups
Slide 6-39
A security group is a construct that allows dynamic grouping of objects:
Based on inclusion and exclusion of objects defined under vCenter Server:
Done internally under NSX Manager
Network and Security> Service Composer> Security Groups tab

-------------------------------\II'TlWMe' vSpheno
.-- '-
web Client
,,
O' ..J"j
11 1oISll _
"
u.-.ecUPW () I . . . . . - .
I ..
e-
.-
<-~
......- ~.-~
ll. -......
ENSlI.I~
.-"-
'!l - -
.
"
Dynamic membership criteria can be defined to include objects into the

security group:
Match any or all of the following criteria :
Computer
as name,
Computer Name, VM Name, Security Tag , Entity
The Grouping feature enables you to create custom containers to which you can assig n resources,
such as virtual machines and network adapters, for distributed firewa ll protection. After a group is
defined, you can add the group as source or destination to a firewa ll rule for protection.
Using the dynamic mapping capabi lity of security groups, you can define the criteria that an object
must meet to be added to the security group that you are creating. This capability enables you to
include virtual machines by defining a filter criteria with several parameters supported to match the
search criteria.
For examp le, you may include a criteria to add all virtua l machines that run a specific operating
system (such as Microsoft Windows 2003) to the security group. Securi ty tags are case-sensitive.
Module 6 NSX Security
401
II
z
(f)
X
(f)
(1)
c
....
Security Group Components

Slide 6-40
When you create a security group, you specify its expression, inclusions, and
exclusion parts
Expression:
Defined the dynamic membersh ip criteria of vCenter Server objects
Configured in the Defined dynamic membership tab in the New Security Group wizard
Inclusions:
Static membership selection of vCenter Server objects
Configured in the Select objects to include tab in the New Security Group wizard
Exclusions:
Static membersh ip rejection of vCenter Server objects
Configured in the Select objects to exclude tab in the New Security Group wizard
Objects identified in the inclusion part are added to the objects identified in the
expression
402
Any objects identified in the exclusions part is removed from the security group
Rule-Based Security Group Example

Slide 6-41
.~: ' I
. G/ . L
SECURITY-GROUP-WINDOWS: dynamic membership: Computer OS name contains Windows

SECURITY-GROUP-L1NUX: dynamic membership: Computer OS name contains Linux
Router Instance 1
Source
Destination
VM1
VM2
Block
VM1
I VM4
I Block
VM3
VM2
Block
VM#
I VM4
I Block
,,-",
Windows Linux
W EB logical-switch -1
VXL AN 5001
Action
VM1
VM3
Allow
VM3
rVM2
VM 1
Allow
VM4
Allow
VM4
VM2
Allow
.,
When the security group is created, it can be used as a source or destination when creating a firewall
policy. This ability gives organizations the flexibility in designing their firewall rules and reducing
the numb er of lines they have to enter. When the security group is created, you can add virtual
machin es to a security group by editing the security group. Securit y groups can be nested in other
security groups.
II
z
(f)
X
(f)
(1)
In the example, two securit y groups exist. One group contains virtual machin es running the
Windows operating system and the other contains virtual machin es running the Linux operating
system. The firewall policy is set so that Windows traffic sent to Linux is blocked. Linux virtual
machin e traffic sent to Windows is allowed. The Windows and Linux virtual machines are in the
same segment and yet one line enforces this policy. If you add virtual machines, they fall into the
security groups depending on the operating system and the policy is applied.
Module 6
NSX Secu rity
..,c
403
Applied To: Example

Slide 6-42
Source
Destination
Service
Actio
n
Appli ed To
VM1 ,VM2 ,VM3

Allow
Source
Destination
Service
Action
VM1 , VM4
vCenter Server ::::::>
NSX Manager
Allow
Allow
Source
Destination
Service
Action
The Applied To text box allows you to specify which destination component receives the rules. The
rule might contain a virtual machine, vNIC, cluster, distributed port group, network , data center, or
logical switch in the source or destination text boxes. VMware recomm ends that you add these
comp onents into the Applied To text box so that the rule is optim ally offloaded to the ESXi hosts.
When dealing with large rule sets or overlappin g IP addresses , use the Applied To text box to
restrict the scope of Distributed Firewall rules.
Rules are created on the vSphere Web Client and sent through the vCenter Server instance which
passes them on to the NSX Manager. The NSX manager instance evaluates the rule and pushes the
rule to the corresponding host to apply to the corresponding virtual machin es. So both rules are
attached to VMI , only the first rule is attached to VM2, only the first rule is attached to VM3, and
only the second rule is attached to VM4.
In the example, you have two rules. Rule lone allows VM I to communicate with VM2 and VM3
on port 123. The second rule says that VMI can communicate with VM4 on port 321.
Traffic going to VM4 does not need to check rule I. The second rule applies to VM I and VM4 , so
the traffic going to VM3 does not go throu gh this rule.
404

Slide 6-43
Add a section to the rules.

Select theoptions tocreate newsection
Section name
Section Position
*1."....
0 Add section above
oj<
Add section below

OK
II
The Distributed Firewall configuration

is backed up at regular intervals.
Cancel
Search
AutoSaved_2014-Jul-1618:49 :39
root
71161201411:49:39. Auto saved dran
AutoSaved_2014-Jul-16 18:49:26
root
7/161201411:49:26 , Auto saveddraft
AutoSaved_2014-Jul-1618:45:29
root
71161201411:45:28 . Auto saved urart
root
711612014 11:41:31 . Auto saved draft
root
711612014 11:38:19 . Auto saved draft
root
711612014 11:29:58. Auto saved draft

OK
I[
Cancel
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
405
Lab 16: Using NSX Distributed Firewall Rules to Control Network

Traffic
Slide 6-44
Define NSX Distributed Firewall rules to restrict traffic to one or more

Web servers and between application tiers

2. Create a Distributed Firewall Section
3. Configure Cross-Tier Rules
4. Restrict Inbound Web Server Traffic to HTTP and HTTPS
5. Review Distributed Firewall Log Entries
6. Restore a Saved Distributed Firewall Configuration
406
Concept Summary
Slide 6-45

What is a firewall rule set for distributed firewalls
called?
Firewall policy
What filters different traffic types by the firewall?
Firewall filtering
What are firewall policies that are independent of

the virtua l machine location called?
What allows dynamic grouping of virtual
machines based on defined criteria?
Policy independence
Security groups
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
407

Slide 6-46

Compare the Distributed Firewall to traditional firewalls
Describe the policy enforcement of the Distributed Firewall
Configure rules on the Distributed Firewall
408
Lesson 3: Flow Monitoring

Slide 6-47
Lesson 3:
Flow Monitoring
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
409
Learner Objectives
Slide 6-48
objectives:
Describe how Flow Monitoring can be used to enhance security
Configure a Distributed Firewall rule to block a traffic flow
410
Flow Monitoring
Slide 6-49
Flow Monitoring is a traffic analysis tool that provides a detailed view

of the traffic to and from protected virtual machines.
Flow Monitoring configures the distributed firewall to capture flows
and send them to NSX Manager for retention.
1 Home
Networking & Security
e...
Flow Monitoring
Dashboard
Details By Service
E!! NSX Hom e

ii Installation
NSXMan ager ( 1g2.16B.110.42
~ Logical Switches
Global Flow Collection Status:
=
o
NSX Edges
Live Flow
I~ )
D isabled
Enable
Systemis configured to NOT collectfirewall relatedffows
Firewall
~ SpOOfGuard
Service DefiniUons
Service Composer
J Data Secu rity

m,
Flow Momtorlng
The Distributed Firewall has visibility of all traffic flows that have taken place in the logica l
switches. By drillin g down into the traffic data, you can eva luate the use of your resources and send
session information to the Distributed Firewall to create a rule or block rule at any level.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
411
Enable Flow Monitoring

Slide 6-50
Flow collection must be enabled for you to view traffic information.

You can choose what flows you want to enable and what flows you
do not want to see.
........
N.~,&kc.nty
p'! NSXHO",.
iQt.,.tIll.. on
1J: L O~ ~'
CiIobIIflow CGIiKuo. SUtvt;; En.bled
=NSX[~ ..
~o,~"'/J;!a;
"r.......
( (M,abllt ]
~~.'~~l"1.IT'.t"
~'Kol'ed~
h dlo. a S.II Il'Uil .
15'
, . s.Mce OtllrlrDonl
8
S)SlIo'n
o'IOfCO&'.ct~"iJllftC/l""a"ec.oI'",~
$tMo;t ComNStl'
QlD"' _
~. .-r-u.g
I- -'
&
s.c".r ~1orY
~ tfS;l; "Jl'l~WJ
>
.......
138137
By default , Flow Monitoring is disabled. To enab le Flow Monitoring, click the Enable button.
Flows that should not be collect ed can be added to the exclusion lists in the Exclus ion Settings of
the Configuratio n tab.
412
Exclusion Settings
Slide 6-51
You can filter the data being displayed by specifying exclusion

criterion.
You can exclude flows from collection based on multiple criteria:
DFW blocked flows
Layer 2 flows
Source and destination IP sets, MAC sets, Virtual machine, and vNICs
Srir.d ('.on~'f!1
Source and destination IP
Destination port
e - .",.. ,,_
C~td
Service
......
la,.. ~ rl lJ'IiII'\
",
y"
'J$lftm oel\4lr""a etOOl.M1
U 'otllC
0 !JJ ' ~i>'
til ou-.70 1d
ijl 0.4'#00 1.10
o
o
BJ l)f-s....o2.
ttl
d b "w ~1 .1
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
413
Viewing Flows
Slide 6-52
After Flow Monitoring is enabled, the captured flows can be viewed

from the dashboard, with the default views: Top Flows, Top
Destinations, and Top Sources.
........""
f:
-\
~1"....i-~~L:",.
.t..... .t . . . ..t..=.'.
, _
414
... _
.I"NI"
., ....
.._
..."
_
a~
I ....... .
0._
!.
t a...
...... . .
,. ,.
I~' _
I"' UI "
10.. ...
1'1."
......
......
.....
Flow Views by Service

Slide 6-53
The Details By Service tab provides information on all the flows

grouped by service:
You can view blocked flows by service.
You can modify the rule that allowed the flow .
..- . Uoo'"
~
...........
,lQ ....
"
--
_ _ _ '1l;J')
-~
_~--.e--.-1Il
--
--
.. ... ....
.
.'...... ......
~
I n ' ''U!'I''
Il'1l1'lt"'"''
a-Ull'tl. ' . "
~- ,
.~"lt
n,.
-,.
-_
"'"
~"'H
..
;JQ;.I
'Ill!
.. t.
. . . . .1' .. ,.
.!II!IIIII""
.-.-..-.-
-,.....
.-,....
On."1'"''
_"1ol1'1hII
."'Mn.,.
----... ........----__ l._

~,~
-~
__
(,.r __
If you click the Details by Service button at the top, you might see a flow that you do not want. You
can add a rule to block the flow or edit the existing rule that is permitting the flow.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
415
Live Monitoring
Slide 6-54
You can view UDP and TCP connections from and to a selected vNIC .
l.,.
5 00 ....0 .
(jI _ _
dl ~ "
Dash board
Details By Service
NSX Manager: ( 192.168.11 0.42
I Live Flow I Configu
I~ )
/J ~ "
~ ::::..
M
Live Flow will be show n for th e selected vNIC. Please se l

vNIC(row s0
Start
I[
he live ftows
Stop
~l e-'
To view traffic between two virtual machines, you can view live traffic for one virtual machine on
one computer and the other virtual machine on a second computer. You can view traffic for a
maximum of two vNICs per host and for 5 vNICs per infrastructure.
416
Live Monitoring Output Example

Slide 6-55
The screenshot shows the output from Live Monitoring for the
selected vNIC.
Dashboard
Live
Ftowwnt be sh own
vN1C:
1002
~OO2
1-)
for the se lected vNIC . Please select a vNlC and press start to see the live rtows
apacne-w-nta - Network adapter 1
Refresh Ra te:
Ruleld
I Live Flow I Configuratio n
Details By Service
NSX Manacer: ( 192.168.1 10.42
Browse
--Start
15Seconds I I
Direaion
Flow Type
OUT
Active
IN
;4,tlive
Proloool
UDP
ODP
Source IP
Source Pon.
DoStinalion IP
Ne w a cti ve f1ow~
Destination
PM
Stille
Flows wi th stJte c ha nge
Incoming
InlXlming
B~~
Paclle15
Term i n.ated flows
Outgoing
B~~
192.168.100.75
138
192.168.100.255 138
229
192.168.100 .76
138
192.168.100.255 138
236
1
I
I
I
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
417

Slide 6-56
Flow monitoring has been enabled in a previous lab.

OS ...
4 Home
Networking & Secur ity
Flow Monito r ing
Dashboard
Eft NSX Home
Details By Service
NSXM,mag er ( 19 2.166.110.42
Live Flow
I)
@ Installatio n
Global Flow Collect ion Status:
~ Logical Switches
Enabled
Filter the results.

Disa ble
~ NSXEdges
System is confio;}wed 10collect &JJ firewall re lated flo'l't"s except those /1
1"'1
Exclusion Settings
Firewall
ii5scoorcuaro
System will not collect f/owr, thai ma tch tile
o Las115 min utes
t1 Service Composer
Collect BlockedFlows
4i Data Security
couect Layer2Flows
It! Flow MonitOring

L!'8 Activit!" Monitoring
Source
Destination
.. Netwo rking & Secu rity Invent ory

(II NSX Managers
.. )
Destination ports
Service
Review flows by service.

Dashboard
Details By Service
Live Flow
N8XManager: [ 192.168.1104 2 I ~I
~ Allowed FIOWS ~
Change Time Int erval
soeceea coraoon
. . Service Defi nitions
418
o La st1 hour
o La st 12 hours
o La st 24 hours
o Last 1 week
o Last 2 we eks
o From :
51B 42ffi
ro : ~~~=51B . 57ffi
Configuration
OK
II
Cancel
Blo cked Flows 1
Lab 17: Using Flow Monitoring

Slide 6-57
Examine network flows using the Flow Monitoring feature and define
a firewall rule based on a flow
2. Examine Dashboard Details
3. Review Allowed Flows by Service
4. Add a Firewall Rule Based on a Flow
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
419
Concept Summary
Slide 6-58

What provides a detailed view of traffic to and
from virtual machines?
420
Flow monitoring

Slide 6-59
Describe how Flow Monitoring can be used to enhance security
Configure a Distributed Firewall rule to block a traffic flow
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
421
Lesson 4: Role-Based Access Control

Slide 6-60
Lesson 4:
Role-Based Access Control
422
Learner Objectives
Slide 6-6 1
objectives:
Describe authentication , authorization, and accounting (AAA)
Describe role-based access control
Describe the roles available in NSX Manager
Explain the scope options
Configure role-based access control in NSX Manager
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
423
Authentication, Authorization, and Accounting Model

Slide 6-62
AAA is a security model for providing user access to restricted

systems:
Authentication is the process of validating the user.
Authorization is the process of granting partial or full access to the
authenticated user to the restricted system.
Accounting is the process of logging the activities of the user after
authorization is granted .
AAA is flexible because it allows the implementation of parts of the
model.
You use the vSphere Web Client to configure AAA through VMware
vCenter Single Sign-On
VMware NSXTMuses vCenter Single Sign-On AAA configuration
through vCenter Server.
In many organizations, networkin g and security operations are handled by different teams or
members. Such organizations might require a way to limit certain operations to specific users.
424
Identity Sources
Slide 6-63
An identity source is an entity that provides full or partial AAA

services.
vCenter Single Sign-On supports the following identity sources:
Microsoft Active Directory
Network Information Service (NIS)
Lightweight Directory Access Protocol (LDAP)
vCenter Single Sign-On is based on Security Assertion Markup

Language (SAML) tokens.
VMware NSX TM supports VMware vCenter Single Sign-Ont> vCen ter Sing le Sign-On enables
NSX to authenticate users from other identity services such as Active Directory, Network
Information Serv ice (NIS), and LDAP.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
425
Identity Source vSphere Requirements

Slide 6-64
To correctly add an identity source to the VMware vSphere

environment, the following vCenter Server services must be
configured:
vCenter Single Sign-On must be installed.
NTP must be configured on all the vSphere systems.
426
DNS must be populated for all vSphere systems.
Role-Based Access Control for NSX for vSphere

Slide 6-65
Role-based access control is a method of granting user access to

restricted systems based on the function, or role, that the user has
been assigned:
Users can be assigned a role directly or indirectly by belonging to a

user group.
NSX users and user groups can be identified from existing vCenter
Server users or identity sources configured with vCenter Single SignOn.
The default NSX admin user cannot be disabled.
NSX has predefined roles .
NSX system access can be restricted for users by using scopes.
A permission is the combination of the user, scope, and role.
A user 's role defines the actions that the user is allowed to perform on a given resource. The role
determines the user 's authorized activities on the given resource, ensuring that a user has access
only to functions necessary to complete applicable operations. This role allows domain control over
specific resources, or system-wide control if the user 's right has no restrictions.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
427
NSX User Roles

Slide 6-66
NSX provides roles that users can be assigned to:
Enterprise Administrator: Has read and write access to all areas of

NSX.
NSX Administrator: Has read-write access to NSX operations area,

such as installing virtual appliances and configuring port groups , and
has read-only access to other areas.
Security Administrator: Has read-write access to NSX security area,

such as defining data security policies , creating port groups and
creating reports for NSX modules , and has read-only access to other
areas.
Auditor: Has read-only access to all areas.
New roles cannot be created.
NSX Manager provides four default roles that allow you to determine a user's authorized level of
activity.
428
Scopes
Slide 6-67
NSX provides scopes to restrict the area that a user can access in
the NSX system:
Global: The user has access to all areas of NSX.
Limited Access: The user has access to only the NSX areas defined in
the user profile .
II
The scope of a role determin es resources that a particular user can view.
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
429
NSX Role Guidelines

Slide 6-68
The following guidelines can be used for creating roles in NSX:

User management for the vSphere Web Client is separate from CLI
user management.
NSX permiss ions are independent of vCenter Server permissions.
Users inherit the permission of the user group that they belong to.
Users can have multiple permissions if they belong to multiple user

groups.
A user cannot be defined without a role.

After a role is assigned to users, the role can be changed.
The Enterprise Administrator and NSX Administrator roles have a
global scope.
430
Permission Inheritance Example: Single Group

Slide 6-69
John does not have permissions defined in NSX, but John belongs to
the user group Groundhog:
John is an NSX Auditor with read-only access to all areas.
User Option
Value
Group Option
Value
Name
John
Name
Groundhog
Belongs to group
Groundhog
Role assigned
Auditor
Role assigned
N/A
Scope
Global
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
431
Permission Inheritance Example: Multiple Groups

Slide 6-70
John does not have permissions defined in NSX, but John belongs to
the user group Groundhog:
John is a Security Administrator with read-write access to all objects in
Datacenter1.
John is an NSX Auditor with read-only access to all other areas.
Group
"
Value
User
tl
O pion
Value
ti
O pion
Value
Name
Groundhog
Name
John
Name
Spider
Role
assigned
Auditor
Belongs to
group
Groundhog,
Spider
Role
assigned
Security
Administrator
Scope
Global
Role
assigned
N/A
Scope
Datacenter1
O pion
t
432
Group
Configure Role-Based Access Control

Slide 6-7 1
To grant user access to NSX:

1. Navigate to NSX Managers and select NSX Manager.
2. Select Manage> Users.
3. Select the user or user group.
4. Assign a role.
5. Define the scope.
K-4 NSX Managers
It 192.168 .110 .42
+
"'"'
Change Role
Origin
(3.:
Role,
Status
aumm
vCenter
System Admin ist rator
Enabled
root
vce nter
Enterpris e Adm inistr...
Enabled
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
433
Define Scope
Slide 6-72
The choices for the scope are the following:

Data center
Port group
Logical switch
Virtual machine
Virtual appliance
1""'-=--'--- - - - - - - - - - - .....
.." , l6fIoIot"rlJotoN
11fM !icq:.e$ .. ~ ... _ l' . b ........
Multiple objects can be selected. :11

:'';'"'
=
t!=
' -~_
st
~'di"~\m. -uou ....... "",
0 .........
434
c.-T!w<Ol

Slide 6-73
Add a user to the N5X server.
, .-. ......
,,'
-"""""
vCenter privileges are

required.
Sll<tll.wCMlIItt u... orgrvwIV .IIIQn rol.
] Um l 'kupe
U\ t'I (
oWl
109 0tI ...... tII<t (ll'lJtf"t;..I,
..... Inventory lists
I'TY,,"'.IO<t" .l yC."",
GJ vCenter Servers
(Itt 1!'i1@ilP~", IOC.II' or l,,~omlll'l com )
SPt<11lfill ~ ""I(lf O'CtuCl
eMIt.'
Eb. Datacenters
Id Hosts
\J Clusters
_~
Limit the user's N5X access.
;I Resou rce Pools
..
Edit Role AssVlffleut fOf \/Center user
1 SCIedRo lcs
Q
NO resmeuoo, use' may
accessN$X
gloOal conl'lgura llon
-----,}
~
ume aHen to 1Ft. port group , datacenter, or NSX Edgl' lis ted be-low
Type0011group. dal aeemer, or NS)( Edgen<lmelol'lnd
Ad,
(OJ Datastore Clusters
ft Standard Networks
limit SCope
5e-1 access st ope forunr
EJ Datastores
Distributed Switches
~ Virtual Machines
00 vApps
Q VM Templates
E
E
E
E
E
E
E
E
E
E
E
E
>
>
>
>
>
>
>
>
>
>
>
>
9 rilnch-Wob-Tie,
t Compule_VDS- HOAccess (ABC Medical)
I(} Compult_VDS Mgml ~BC Medlta l)
Cancel
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
435
Lab 18: Managing NSX Users and Roles

Slide 6-74
Add an
user
ssa user as an NSX Administrator and change the role of the

2. Add an SSG User with NSX Administration Rights
3. Restrict an NSX User to Administration of a Specific NSX Edge
4. Explore Roles and Scope Limitations
436
Concept Summary
Slide 6-75

What is a permissions model that defines users '
access to a system by their role?
Role Based Access Control (RBAC)
What describes a general category of users that

perform a specific type of task within a system?
User role
What is the security model for providing user

access to restricted systems?
Authentication, authorization,
and accounting (AAA)
What is the VMware implementation of AAA?
VMware vCenter Single Sign-On
What is an entity that provides full or partial

AAA services?
Identity source
What restricts users based on areas of NSX

that they are allowed to access?
Scope
When the permission settings of a role are

inherited to the user with in that role, what is
the inheritance called?
Permissions inheritance
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
437

Slide 6-76

Describe AAA
Describe role-based access control
Describe the roles available in NSX Manager
Explain the scope options

Configure role-based access control in NSX Manager
438
Lesson 5: Service Composer

Slide 6-77
Lesson 5:
Service Composer
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
439
Learner Objectives
Slide 6-78
objectives:
Explain how Service Composer enhances security
Create a policy and security group
Create a rule in Service Composer
440
Service Composer
Slide 6-79
Service Composer helps you to provision and assign network and

security services to applications in a virtual infrastructure.
What you want to

protect
..............................
..
Security Groups
............................
~
Members (VM , vNIC) and

Context (user identity, security
posture)
. _
How you want to

protect it
Security Policies
..................................
Services (Firewall , antivirus)
and Profiles (labels representing
specific policies)
You map services to a security group, and the services are applied to the virtual machines in the
securi ty group. Define security policies based on service profiles already defined (or blessed) by the
security team . Apply these policies to one or more security groups where your workloads are
members .
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
441
Using Service Composer

Slide 6-80
A security policy is created and consists of the following:
Endpoint services from VMware or partners
Antivirus and malware

Vulnerability management
Data security
Data loss prevention
Distributed Firewall rules
Network introspection services from VMware or partners
Security policy is then applied to one or more security groups.

A weight is given to the Security Policy to control precedence in the
following situations:
Multiple security policies applied to the same security group.
Virtual machines that are members of two different security groups .

A security policy is a collection of the following service configurations:
Firewa ll rules that define the traffic to be allowed to, from, or within the security group that
apply to vNICs.
Endpoint services which are data security or third-party solution provider services, such as
antivirus or vulnerabi lity management services that apply to virtua l machines. Endpoint
services must be installed for identity firewa ll.
Network introspection services which are services that monitor your network, such as intrus ion
prevention systems that apply to virtua l machines.
A virtual machine might belong to more than one security group . Services that are applied to the
virtual machine depend on the prece dence of the security policy mapped to the security groups .
442
NSX Integrated Partners

Slide 6-8 1
NSX collects all third-party security tools in one place where the team
can manage, control, and apply security.
NSXAPI
NSX Controller and NSX Manager
_ _ _ _ _ _ _ _ _ _ _ Partner Extensions
Security Services
6)
:+
ADC/LB
L2 Gateway
Firewa ll
IDS/IPS
6)
AV/FIM
6)
Vulnerability
Management
I Service Composer =Service Consumption
Traffic leaves the virtual machine and is sent to the integrated partner product. Some partners have
integrated products into NSX. This traffic flow happens before the traffic reaches the network.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
443
NSX: Third-Party End-to-End Workflow

Slide 6-82
You can extend the NSX operation model to third-party services:
Register the third-party management platform with NSX Manager.
Deploy the third-party virtual machine appliance per VMware ESXi

cluster.
Consume the service.
444
Registering Partner Services

Slide 6-83
Before a partner security service is available to a security policy, the

service must be registered with NSX.
.1_
-,.--""-.........
--
O'
... 0 . - .
....... ' ~
IGlIliIlNIIIf ;t:l... nf~
!I HSI _
..=I$IU,..
"'-
_..
...............
MMI..... ~
.....
""-
:i....-.e
~-.
!l teP "-'-'
....
I
__
.....".
~ .............
.
.
........ . .
If the partner solutions management console does not provide a mechanism to register the solution
with NSX Manager, you must register the solution manually.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
445
Partner Service Registration: Palo Alto Networks

Slide 6-84
Ask the partner for instructions on how to register the service with
NSX.
You need t he followi ng :
~~~p~aIO~alt;O~~~~~~~~i~~
NSX Manager IP address or FQDN ~ ..
F'-::
NSX Manager credentials
&-
.._._.. -.-.....
- _.
----_--.... -.......
---....
::"..~:-.:-.o:r-- ...._ c . - s ...
~- --'
,1-. ----'-
'-
g .. r-.
ft _
446
--------_-.... -..
Partner Service Registration: Symantec

Slide 6-85
Symantec protection is delivered as an agentless service on the NSX

platform.
~~""'-Ocw.m
Ill .
lI ' .....- , _ -
.Ol-.--- _
._..-- L _
e-
._
-----_.
----,_ .
_ _ _ _
~ - -.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
447
Service Installation
Slide 6-86
After you register the partner service, you must deploy the partner
service virtual machine.
(~~.1I-"7'
- .-_::-:':":"'---.-
I :=-==
~
'"
.
--
- =:--- .=-- I
:=- -=;-: --- ;-
.. - - - - - - -
Palo Alto Networks

~~~Oltftt
.-=
il .
CJ,
1--.__-- _----._-_..- .....:..;---.

."C-" ,,__
- t="
'
"
...-..-.1
. _ .e--_. 1--.-.-..
, -O '
, _ ",
I~~~iiiiiiiiil~
1' 7 _ = ...':":'"......
..
-
eft __ _
, ~ -
:i.... _
.-==--~ ~
-~
'.
uI ...._
-~
...
...
..
-~
~ .-.
~.-.
", e . -.__
Symantec
If the partn er solution includes a host-resident virtual appliance, you can install the service after you
register the solution.
448
Security Policy
Slide 6-87
A security policy is a set of endpoint, firewall, and network

introspection services that can be applied to a security group.
l ....IE
i.
' ,
" 1._ ...., .,1_-
.:; ., .=-
-0-_.-..
_"'_1 ....
......
~.-.-
_ _ _ . . . . . . . t,
..
.~
...
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
449
Service Composer Canvas

Slide 6-88
The Service Composer canvas is a container that associates the

security group with the service policy to apply to the security group.
1
2
pel DSS ZOlne

1
~1
Service Composer offers a canvas view that displays all security groups in the selected NSX
Manager. The view also displays details such as members of each security grou p and the security
policy that is applied to the member.
450
Canvas View (1)

Slide 6-89
Containers: Grouping of VMs , IPs, and more to define

what you want to protect.
Example: Financial Applications, Desktop Users,
Quarantine Zone
Policies are a collection of service

profiles that are assigned to this
container to define how you want to
protect this container.
Example: PCI Compliance or
Quarantine Policy
Nested containe rs are

other groupings within the
container.
Example: Quarantine
Zone is a subgroup within
My Data Center.
2
WHAT You Wan ...
VMs (workloads) that belong to this container.
Service profiles for deployed

services, assigned to these policies
Services supported today:
Distributed Virtual Firewall
Antivirus
Vulnerability Management
Network IPS
Data Security (DLP scan)
User Activity Monitoring
File Integrity Monitoring
Example: Apache -Web-VM , Exchange Server -VM
All security groups in the selected NSX Manager, which are not contained in another security group,
are displayed with the policies applied on them.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
451
Canvas View (2)

Slide 6-90
Members: Applica tions and workloads that belong to this container.
Examp les: Apache-Web-VM , Exchange Server-VM

ard
WHAT tWant to Protect - Virtual Machines
Virtual MaChines ]L.. _

(0_
) E_rra
_' s
( C( Filter
Na""
EO
EO
win7_AV
Win7_Vuln
EJ 2
:1
What I want to protect
WHAT I Want to...

1
~1
II
Membersasaf 8/16/13 5:29 PM
The slide shows virtual machines that are currently part of the main security group and nested
security groups.
452
Canvas View (3)

Slide 6-9 1
--
.
'-.- ..
Q
-8]0
8Jo
, ......
1&
61 0
61 0
,. -
--""'V'
Each rectangular box in the canvas represents a security group. Icons in the box represent security
group members and details about the security policy mapped to the security group.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
453
Service Composer: Vulnerability Scan Example

Slide 6-92
1.
The Web server virtual machine that is running 115 is deployed, unknowingly having a
vulnerability.
2.
A vulnerab ility scan is initiated on Web server, for example, Rapid7's Nexpose product.
3.
The virtual machine is tagged in NSX Manager with the eVE and evss Score.
4.
NSX Manager associates the virtual machine with the Quarantine (VSM FfW Deny).
5.
The adm inistrator applies patches, Nexpose re-scans vi rtual machine and clears tag.
6.
NSX Manager removes the virtual machine from Quarantine and the v irtual machine returns to
its normal duties.
Membe rship: Includ e V Ms
that have been provisioned
as WebServer
SG: Web Servers
1-------I
I r--
NSX Mana9 L.-er_ -,

Membership: Incl ude VMs
which have CVSS score >= 9
Services
r - - ,..-;'I~
In the examp le, the virtua l machine powers on and is a part of the group . So polices are applied to
the virtua l machine. Rapid 7 gets the traffic and determines the rating of the virtual machine and
labels the traffic as untrustworthy. The virtua l machine is moved to a new security group and denies
all the traffic. The virtua l machine is moved from the trusted security group to the untrusted security
group based on input from the Rapid 7 device .
The virtual machines can be a part of the first security group because they meet the criteria of both
groups . However, the highest weight gets the policy applied . The weighting determines which
policy is applied to the virtual mach ine when the virtua l machine is a part of multip le groups.
454

Slide 6-93
Traffic redirection (or traffic steering) can be configured in the

following ways:
Any new virtual machine added to the corresponding Security-Group
(S-G) is automatically subject to associated traffic redirection.
S-GWEB
S-GAPP
S-G DB
User
Security-Group to Security-Group
--------
Security-Group to Any
Traffic redirection or (traffic steering) from a guest virtual machine to a Palo Alto Networks VMSeries firewa ll is performed internally at the hypervisor level using shared memory space . The NSX
admin istrator specifies which DVS port-group or logical switch (VXLAN) needs to be served by the
Palo Alto Networks VM-Series firewa ll.
X
(1)
c
....
Traffic redirectio n (defined in the Network Introspection Service window) can be defined in the
following ways:
From Security Group (SG- I for instance) to Security Group (SG-2 for instance)
From Any to Security Group (SG- I for instance)
From Securi ty Group (SG- I for instanc e) to Any
Any means any source or destination IP address respectively.
NSX Security
(f)
(f)
Using Service Composer or Security Policy, the security team can define traffic flows that are
redirected to the Palo Alto Networks VM-Series firewa ll for inspection and enforcement. Traffic
allowed by the VM-Series Firewall is then returne d to the VMware NSX Virtual Switch" for
delivery to the final destina tion. The final destinat ion is either the guest virtua l machine or the
physica l device.
Module 6
II
455

Slide 6-94
Security Policy or Network Introspection Services:

Define traffic that is steered to PAN VM-Series FW
Source or Destination:
Any
Policy 's Security Group
Select Security Groups
Action:
~ I. -- ---- --
.... _
_ _Od - .
.... _ _ ttrI'/II'
Redirect to service
Do not redirect
Protocol:
Any
Specified: TCP/UDP destination
port and source port
.-.. .
.
",.
,~
456
Concept Summary
Slide 6-95

What is a third-party security tool able to be
managed from within Service Composer called?
Integrated partner
What is extending the NSX operational model to

third-party services called?
Third-Party End-to-End Workflow
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
457

Slide 6-96
Explain how Service Composer enhances security
Create a policy and security group
Create a rule in Service Composer
458
Lesson 6: Other Monitoring Options

Slide 6-97
Lesson 6:
Other Monitoring Options
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
459
Learner Objectives
Slide 6-98
objectives:
Describe how to find firewall entries in the Syslog
Analyze Syslog security entries
460
About Syslog
Slide 6-99
Syslog is supported across all NSX components
NSX Manager
VMware NSX
Controller"
Action
[)elMS;
Gett,ng Started
Summ ary
Mo.nllQf
RelatedObJeds
Sire
Large
Aulo cenerate rules
Enabled
SyslGg seMlIS
NSX Edge
Serve Edit 5yslog

Aclvanc &d Syslem 5etllfl ll &
Serve
Hosl profile
ESXi
Se~e r5
ConOgurllDon
SyslOllserver1 syslOll.corplocal
Time Con fig ul illiOfI
Powe r Milnagement
M"'-Wl'M"h
System Resour ce AIoc.lI bl
SETTINGS
General
NelwOf1(
SSL
cemncates
saoaes & Restore

Upgrade
CO MPO NENTS
Syslog Server
vShreldManager serace
You can specify the IP address or name of the syslog server mat can be reserved usnc me above mentioned DNS Server(s)
syslog corp loca l
Sys~
Server
p,"
51'
TCP
Protocol
You can enable Syslog for the NSX components even on NSX Controller and NSX Edge . You
specify a Syslog serve r where all the Syslog messages are collected. Management plane logs are
available through NSX Manager and data plane logs are available through vCenter Server. VMware
recommends that you specify the same Syslog server for the NSX component and vCenter Server to
get a complete picture when viewing logs on the Syslog serve r.
II
z
(f)
X
(f)
(1)
C
....
Module 6
NSX Security
461
Syslog Format
Slide 6-100
The system event message logged in the Syslog has the following
structure:
Syslog header
Event 10
Timestamp
Application name
Event code
Severity
Message
The system event message that is logged in the Syslog has the structure listed in the slide.
462
vCenter Log Insight

Slide 6-101
Consolidate, visualize, and correlate Syslog data from multiple

related components in a software-defined data center.
Build custom dashboards for real-time monitoring and trending.
Customize log interpretation logic to parse using regex, int, and str.
..-:::I-=::r::=-
.--
::;;-..-
--_ ._- ~~
II~I
VMware vCenter Log Insight" provides faster analytical queries and aggregation than tradit ional
tools, especially on larger data sets. vCenter Log Insight identifies key-value pairs and adds
structure to all types of unstructured log data, enabling administrators to troubleshoot quickly,
without needing to know the data beforehand.
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Secu rity
463
Concept Summary
Slide 6-102

What is a computer message logging standard
called?
Which is the VMware product that delivers realtime log management and analysis?
464
Syslog
VMware vCenter Log InsightTM

Slide 6-103
Describe how to find firewall entries in the Sysloq
Analyze Sysloq security entries
II
z
(f)
X
(f)
(1)
c
....
Module 6
NSX Security
465
Key Points
Slide 6-104
Distributed Firewall focuses on East-West access controls.
The NSX Edge firewall focuses on the North-South traffic enforcement

at the tenant or data center perimeter.
A user's role defines actions that the user is allowed to perform on a
given resource.
Flow Monitoring provides a detailed view of the traffic to and from

protected virtual machines.
Service Composer helps you to provision and assign network and

security services to applications in a virtual infrastructure.
Syslog can be enabled for all NSX components.
Questions?
466

NSX Student Guide (Editable)

Uploaded by

Copyright:

Available Formats

NSX Student Guide (Editable)

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NSX Student Guide (Editable)

Uploaded by

Copyright:

Available Formats

VMware NSX:

Install, Configure, Manage

VMware Education Services

VMware NSX: Install, Configure, Manage

NSX: Network Virtualization Platform

VMware NSX: Install, Configure, Manage

" .. " .. " " . "99

VMware NSX: Install, Configure, Manage

BOP Peers Example

VMware NSX: Install, Configure, Manage

NSX Edge Services Gateway Features

Lesson 2: NSX Edge Load Balancing

VMware NSX: Install, Configure, Manage

NSX Edge SSL VPN-Plus Secure Management Access Server

Distributed Firewall Components: Communication

VMware NSX: Install, Configure, Manage

Define Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434

VMware NSX: Install , Config ure, Manage

VMware NSX: Install, Configure, Manage

VMware NSX: Install , Configure , Manage

VMware NSXTM is the network virtualization and security platform for

VMwa re NSX: Install , Configure, Manage

Describe the evolution of the software-defined data center

Describe data center prerequisites for NSX deployment

Describe basic NSX layer 2 networking

Configure, deploy , and use logical switch networks

Cou rse Introduct ion

Learner Objectives (2)

Use Activity Monitoring to determine if a security policy is effective

Use Flow Monitoring to monitor network traffic streams

VMwa re NSX: Install , Configure, Manage

You Are Here

VMware N5X: Install Configure Manage

Module 1 Course Introduction

The following typographical conventions are used in this course.

Filenames, folder names , path

What the user types :

User interface controls:

Book titles and placeholder

VMwa re NSX: Install , Configure, Manage

NSX Installation and Upgrade Guide

http://pubs .vmware .com/NSX-6/index.jsp

NSX Administration Guide

NSX is a network virtualization platform that enables you to build a

Logical VPN: Site-to-site and remote

VMware NSX: Install, Configure, Manage

NSX Cert ification

For details about VMware certifications, go to:

VMware Learning Path Tool

Learning Path Tool

To determine your learning path for VMware training, go to:

VMware NSX : Install , Configure, Manage

For NSX technical information, use the following resources:

VMware Support Toolbar

Cou rse Introduction

VMware NSX: Install , Configure, Manage

VMwa re NSX: Install , Configure , Manage

You Are Here

VMware NSX: Install Configure Manage

VMware NSX: Install , Configu re, Manage