NSX vSphere 6.2 Technical Overview
NSBU TPM Team
October, 2015
2014 VMware Inc. All rights reserved.

NSX vSphere 6.2 Release Priorities
Delivering a platform that extends NSX Control beyond vCenter and Data Center boundaries
Cross-VC NSX Use Cases
Increase the span of NSX logical networks to enable:
Capacity Pooling across multiple vCenter Servers
Non-disruptive migrations
Cloud and VDI deployments
[Figure: Web, App and DB tiers of one logical network placed across several vCenter Servers]
CONFIDENTIAL 4
Cross-VC NSX Use Cases
Centralized security policy management
One place to Manage FW rules
Rules enforced regardless of VM location and VC
Cross-VC NSX Use Cases
NSX 6.2 supports new mobility boundaries in vSphere 6
Enable Cross-VC and Long Distance vMotion
On existing networks, with no new hardware required
[Figure: vCenter-A with VDS-A and vCenter-B with VDS-B, joined by a VXLAN transport network (L3) and a vMotion network (L3)]
Cross-VC NSX Use Cases
Enhance NSX Multi-Site Support
Active-Active (from Metro to 150ms RTT)
Disaster Recovery
[Figure: vCenter-A and vCenter-B, each with its own N-S connectivity, separated by <=150ms RTT]
Cross-VC NSX Logical Networks
[Figure: Universal Object Configuration (NSX UI & API); Universal Configuration Synchronization (USS Cluster); Universal Controller; Universal DFW; vCenter & NSX Manager A (Primary), vCenter & NSX Manager B (Secondary) ... vCenter & NSX Manager H (Secondary)]
Cross-VC NSX Design Guidelines: Networking
Universal Controller Cluster size remains at 3 nodes
NSX Controllers always run within a single vCenter Server and single Site
The Universal Controller Cluster continues to manage Local VXLAN/DLR objects in addition to Universal objects
Transport Zone determines whether Logical Switches are Local or Universal
Cross-VC vMotion is validated with NSX 6.2 for Universal Logical Networks (L2 and L3)
Cross-VC NSX Universal Distributed Firewall
NSX 6.2 also supports Cross-VC Distributed Firewall for centralized management of Firewall Policy
This is configured through a Universal section in the DFW rule table on the Primary NSX Manager
The Universal section will automatically be synchronized to all Secondary NSX Managers
Cross-VC NSX Universal Distributed Firewall Rules
The following Universal Grouping Objects are available:
Universal Security Groups
Universal IP Sets
Universal MAC Sets
Universal Services & Service Groups
Universal DFW rules are based on these Universal objects only. VC inventory remains local to an NSX Manager
IP-based rules are the standard approach when applying policy across VC boundaries
Universal Security Groups and IP/MAC Sets can also be used in Local sections
Cross-VC NSX vSphere Considerations
vSphere 6 is a current requirement for Universal Logical Switches, Distributed Logical Routers and Distributed Firewall
Cross-VC NSX does not have a dependency on a specific Platform Services Controller deployment model. Both Embedded and External modes are supported
Benefits of an External PSC include Enhanced Linked Mode (centralized management of NSX)
[Figure: Embedded mode, with Platform Services Controller and vCenter Server on the same Virtual Machine or Physical Server, versus External mode, with the Platform Services Controller on its own Virtual Machine or Physical Server serving the Primary and Secondary vCenter Servers]
Cross-VC NSX Design Guidelines: General
Support for up to 8 NSX Managers initially: one Primary, seven Secondary
Cross-VC NSX Control Plane latency increased to 150ms RTT; aligns with Long Distance vMotion
Universal Synchronization is a full sync operation: it performs a differential between Primary and Secondary NSX Managers and synchronizes the differences. Simple and reliable approach, but it does mean the overhead increases with the number of universal objects
NSX Manager now has a high scale configuration (8 vCPU, 24GB of RAM)
NSX Controller, UDLR Control VM and Edge Services Gateway migration across vCenter Servers is not supported
Cross-VC NSX Key Benefits
Provides a comprehensive Cross-vCenter network and security solution covering L2, L3 and Firewalling
Decoupled from underlying physical network
Fully integrated software-based solution, not hardware-centric
Delivering a platform that is easy to operate at scale
NSX 6.2: What's New in Ops & Troubleshooting
Central CLI
Traceflow
Communication Channel Health
Includes new APIs
General Operations related improvements
IPFIX Netflow now includes blocked flows
Active-Standby Edge status
Log Improvement for OSPF/BGP on NSX Edge
Audit Log improvements
Central CLI for NSX
Reduces troubleshooting time for distributed network functions
Overview
Central CLI for Monitoring and Troubleshooting
Show commands available for Logical Switches, Logical Routers, NSX Edges and Distributed Firewall
Benefits
Simplify troubleshooting
Reduce time to resolution
Central access to distributed network functions
[Figure: two hypervisors, each running NSX vSwitch with several VMs]
Central CLI Overview
Read-only Commands
Available Centrally on NSX Manager via SSH/Console/API.
Leverages existing message bus channel to gather data from remote nodes
CLIs are categorized by function:
Logical Switch
Logical Router (DLR)
Distributed Firewall (DFW)
Edge
Depending on the command executed, data is queried from the following sources:
Local Config Database from NSX Manager
Controller
Host
Edge
Central CLI Syntax (1 of 2)
show
show logical-switch
show logical-router
show dfw
show edge
show dlb
show vm
show vnic
show cluster
show host
show controller
Central CLI Data Plane
Reduces troubleshooting time for distributed network functions
Sample per-rule DFW statistics collected from the data plane and shown on the NSX Manager:
Stats:
rule 2036: 845 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1428: 845 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1004: 845 evals, in 18 out 0 pkts, in 1152 out 0 bytes
rule 1004: 672 evals, in 18 out 0 pkts, in 1296 out 0 bytes
rule 1003: 823 evals, in 252 out 0 pkts, in 83420 out 0 bytes
rule 1003: 131 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1002: 785 evals, in 4646 out 0 pkts, in 3068616 out 0 bytes
rule 1001: 310 evals, in 253030 out 0 pkts, in 15596640 out 0 bytes
[Figure: NSX Manager querying data-plane hosts carrying the VXLAN 5000 and VXLAN 5001 segments]
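The counters above lend themselves to quick triage. The following added example (not part of the deck and not VMware tooling) parses the slide's own sample lines, sums repeated rule ids, and lists rules that were evaluated but matched no packets, the first candidates for a rule-base review, plus the heaviest rules by bytes. Two assumptions are built in: a rule id that appears twice (1004, 1003) is the same rule reported from more than one enforcement point and can be summed, and 'evals' counts how often the rule was consulted while 'pkts' counts the packets it matched.

```python
"""Triage of NSX Central CLI DFW rule statistics.

Added example, not VMware code. The sample lines are the ones shown on the
slide. Assumptions: a rule id that appears more than once is the same rule
reported from more than one enforcement point and can be summed; 'evals'
counts how often the rule was consulted and 'pkts' how many packets matched.
"""
import re
from dataclasses import dataclass

# Constructed from the slide's sample output.
SAMPLE_STATS = """\
Stats:
rule 2036: 845 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1428: 845 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1004: 845 evals, in 18 out 0 pkts, in 1152 out 0 bytes
rule 1004: 672 evals, in 18 out 0 pkts, in 1296 out 0 bytes
rule 1003: 823 evals, in 252 out 0 pkts, in 83420 out 0 bytes
rule 1003: 131 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1002: 785 evals, in 4646 out 0 pkts, in 3068616 out 0 bytes
rule 1001: 310 evals, in 253030 out 0 pkts, in 15596640 out 0 bytes
"""

STAT_RE = re.compile(
    r"^rule (?P<rule>\d+): (?P<evals>\d+) evals, "
    r"in (?P<in_pkts>\d+) out (?P<out_pkts>\d+) pkts, "
    r"in (?P<in_bytes>\d+) out (?P<out_bytes>\d+) bytes$"
)


@dataclass
class RuleStats:
    rule: int
    evals: int = 0
    in_pkts: int = 0
    out_pkts: int = 0
    in_bytes: int = 0
    out_bytes: int = 0

    @property
    def packets(self) -> int:
        return self.in_pkts + self.out_pkts

    @property
    def total_bytes(self) -> int:
        return self.in_bytes + self.out_bytes


def parse_dfw_stats(text: str) -> dict:
    """Return {rule_id: RuleStats}, summing counters for repeated rule ids.
    Lines that are not counter lines (such as the 'Stats:' header) are skipped."""
    totals: dict = {}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if not m:
            continue
        rid = int(m["rule"])
        rs = totals.setdefault(rid, RuleStats(rid))
        for name in ("evals", "in_pkts", "out_pkts", "in_bytes", "out_bytes"):
            setattr(rs, name, getattr(rs, name) + int(m[name]))
    return totals


def unmatched_rules(totals: dict) -> list:
    """Rules consulted at least once that matched no packet in the sample:
    the first candidates to review for being redundant or shadowed."""
    return sorted(r.rule for r in totals.values() if r.evals > 0 and r.packets == 0)


def heaviest_rules(totals: dict, n: int = 3) -> list:
    """Rule ids ordered by total bytes, largest first."""
    ranked = sorted(totals.values(), key=lambda r: r.total_bytes, reverse=True)
    return [r.rule for r in ranked[:n]]


if __name__ == "__main__":
    stats = parse_dfw_stats(SAMPLE_STATS)
    for rid in sorted(stats):
        r = stats[rid]
        print(f"rule {rid}: {r.evals} evals, {r.packets} pkts, {r.total_bytes} bytes")
    print("unmatched:", unmatched_rules(stats))
    print("heaviest:", heaviest_rules(stats))
```

On the slide's data, rules 1428 and 2036 were evaluated 845 times without matching anything, and rule 1001 carries almost all of the bytes; in a real rule table those are the lines to look at first when deciding whether a rule is dead, shadowed by an earlier one, or simply idle during the sampled interval.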
Central CLI Calling via API
L2 and L3 Trace Flow
Test Connectivity through Logical and Physical paths
Overview
Ability to trace a packet through the virtual network
Shows where the packet is dropped
Supports L2 and L3 Trace Flow
Benefits
Quickly identify problems in logical vs. physical network and pinpoint issues in NSX data-path
[Figure: an IP packet injected at VM Web1 is traced hop by hop (1 to 5) across Logical Switch 1 to VM Web2]
Enhancements to NSX APIs
UI and APIs to retrieve run-time state from Controller, Hypervisor and Edge
Control Plane: access to LS, LR run-time information
Data Plane: access to LS, LR and DFW run-time information
Benefits
VMware and Partner management tools can provide details using these APIs
Support additional troubleshooting workflows through vROps
[Figure: hypervisors HV1 and HV2 reporting run-time state]
Communication Channel Health And Recovery
Checks communication channel status between:
NSX Manager and Firewall Agent (vsfwd)
NSX Manager and Network Control Plane Agent (netcpa)
Host and all Controller Nodes (it should connect to)

Benefits
Prevents security risk when VM Tools is not present
[Figure: VM on NSX vSwitch / Hypervisor]
IP Discovery Mechanisms available pre-6.2
Two categories of IP Discovery mechanisms available in pre-6.2 NSX releases.
Improved IP Discovery Mechanisms in 6.2
Two new automated IP Discovery Mechanisms: DHCP Snooping and ARP Snooping
DHCP Snooping
Tracks DHCP protocol messages and updates the IP based on confirmation.
Tracks both IPv4 & IPv6 addresses for a vNIC.
ARP Snooping
ARP messages from the guest VM are snooped.
Improved IP Discovery Mechanisms in 6.2: Components
Switch Security Module [dvfilter-switch-security], vNic slot 1: existing DVFilter agent that learns from VM TX traffic, and also uses the snooped addresses to enforce basic L2, L3 security such as SpoofGuard. Currently no security features are enabled, and the module primarily learns VM IPs and MACs.
DFW, vNic slot 2: enforces IP SpoofGuard.
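To make the division of labour between the two slots concrete, here is an added example (a simplified Python model, not VMware's implementation) covering the two slides above: a learner that updates a per-vNIC binding only on a DHCP server confirmation or on an ARP message from the guest, and a SpoofGuard check that lets a vNIC source only the addresses learned for it. Message fields are simplified dictionaries constructed inline rather than parsed packets; the sender-MAC consistency check on ARP and the deny-by-default for a vNIC with no binding are assumptions of the model.

```python
"""Simplified model of the 6.2 IP discovery path.

Added example, not VMware's implementation. It mirrors the two roles on the
slide: a switch-security learner (vNic slot 1) that snoops DHCP confirmations
and ARP messages from a VM's traffic to build a vNIC -> addresses binding, and
a DFW-side SpoofGuard check (vNic slot 2) that consults it. Messages are
simplified dictionaries constructed here, not parsed packets; the sender-MAC
consistency check on ARP and the deny-by-default for an unknown vNIC are
assumptions of this model.
"""
from dataclasses import dataclass, field


@dataclass
class VnicBinding:
    mac: str
    ipv4: set = field(default_factory=set)
    ipv6: set = field(default_factory=set)


class SwitchSecurityLearner:
    """Learns IP/MAC bindings per vNIC from snooped guest traffic."""

    def __init__(self) -> None:
        self.bindings: dict = {}  # vnic id -> VnicBinding

    def _binding(self, vnic: str, mac: str) -> VnicBinding:
        return self.bindings.setdefault(vnic, VnicBinding(mac))

    def snoop_dhcp(self, vnic: str, mac: str, msg: dict) -> bool:
        """Update the binding only on a server confirmation (DHCPACK for IPv4,
        REPLY for DHCPv6); offers and requests are not yet granted addresses.
        Returns True when an address was learned."""
        if msg["type"] == "DHCPACK":
            self._binding(vnic, mac).ipv4.add(msg["yiaddr"])
            return True
        if msg["type"] == "DHCPv6-REPLY":
            self._binding(vnic, mac).ipv6.add(msg["addr"])
            return True
        return False

    def snoop_arp(self, vnic: str, mac: str, msg: dict) -> bool:
        """Learn the sender protocol address from an ARP message sent by the guest,
        but only when the sender hardware address is the vNIC's own MAC
        (assumption: a mismatch is treated as noise and ignored)."""
        if msg["sha"].lower() != mac.lower():
            return False
        self._binding(vnic, mac).ipv4.add(msg["spa"])
        return True


class SpoofGuard:
    """DFW-side check: a vNIC may only source addresses learned for it."""

    def __init__(self, learner: SwitchSecurityLearner) -> None:
        self.learner = learner

    def allow(self, vnic: str, src_ip: str) -> bool:
        b = self.learner.bindings.get(vnic)
        return b is not None and (src_ip in b.ipv4 or src_ip in b.ipv6)


def demo() -> dict:
    """Run a constructed traffic sequence for one vNIC and return the outcomes."""
    learner = SwitchSecurityLearner()
    guard = SpoofGuard(learner)
    vnic, mac = "vnic-web1", "00:50:56:aa:bb:01"  # constructed identifiers
    learner.snoop_dhcp(vnic, mac, {"type": "DHCPOFFER", "yiaddr": "10.0.0.50"})  # not confirmed
    learner.snoop_dhcp(vnic, mac, {"type": "DHCPACK", "yiaddr": "10.0.0.51"})
    learner.snoop_arp(vnic, mac, {"sha": mac, "spa": "10.0.0.51"})
    learner.snoop_arp(vnic, mac, {"sha": "00:50:56:de:ad:99", "spa": "10.0.0.99"})  # MAC mismatch
    learner.snoop_dhcp(vnic, mac, {"type": "DHCPv6-REPLY", "addr": "2001:db8::51"})
    return {
        "ipv4": sorted(learner.bindings[vnic].ipv4),
        "ipv6": sorted(learner.bindings[vnic].ipv6),
        "allow_confirmed": guard.allow(vnic, "10.0.0.51"),
        "allow_offered_only": guard.allow(vnic, "10.0.0.50"),
        "allow_mismatched_arp": guard.allow(vnic, "10.0.0.99"),
        "allow_unknown_vnic": guard.allow("vnic-db1", "10.0.0.51"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one the slide implies: the learner populates the binding from observed protocol state without any dependency on VMware Tools, and the enforcement point only consumes that binding, so an address that was merely offered, or claimed by an ARP whose hardware address does not belong to the vNIC, never becomes permitted.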
Routing Enhancements
Enhance routing configuration and troubleshooting
Routing Enhancements: Admin distance for static route
Floating Static routes for Routing Protocols Backup
Benefits
Improve convergence time for DLR control VM failover
Improve flexibility in the supported routing topologies
[Figure: Active and Standby DLR control VMs in front of Web, App and DB tiers, with a 192.168.1.0/24 uplink (.1 / .2); in the second view the Active control VM has failed (X)]
Routing Enhancements: No DLR Control VM with static routing
Reduce NSX VM footprint
[Figure: DLR using static routing towards 172.16.2.0/24 without a Control VM]
Routing Enhancements: Disable uRPF check per interface
Fine tuning Edge configuration
Benefits
Improve flexibility in ECMP topology with the option to disable uRPF check.
uRPF discards packets whose source address is not reachable back through the interface they arrived on; in an ECMP design with asymmetric return paths that check can drop legitimate traffic, which is why it becomes configurable per interface.
[Figure: DLR with ECMP uplinks towards the External Network; Web, App and DB tiers behind it]
Routing Enhancements: Exact Match for redistribution filters
Overview
In pre-6.2, the redistribution filter uses longest prefix match. For example, the statement deny 10.0.0.0/16 would also deny the route 10.0.1.0/24.
In 6.2, the redistribution filter has the same matching algorithm as an ACL, so exact prefix match by default (except if le or ge options are used).
Benefits
Aligned the configuration with the rest of the industry.
[Figure: Edges E1 to E8 peering E-BGP with the External Network and redistributing OSPF routes from the DLR with filters; Web, App and DB tiers behind the DLR]
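The change in matching semantics is easy to get wrong when a filter set is carried over, so here is an added example (not NSX code) that implements both behaviours side by side: longest-prefix containment as described for pre-6.2, and ACL-style exact-length matching with optional ge/le bounds for 6.2. It uses the slide's own case, deny 10.0.0.0/16 against the route 10.0.1.0/24; the other routes, the permit-all entry and the first-match with implicit-deny evaluation order are constructed assumptions.

```python
"""Redistribution-filter matching: pre-6.2 longest-prefix containment versus
6.2 ACL-style exact matching with optional ge/le bounds.

Added example, not NSX code. The deny 10.0.0.0/16 vs 10.0.1.0/24 case is the
slide's own; the remaining routes, the permit-all entry and the first-match
with implicit-deny evaluation order are constructed assumptions.
"""
from ipaddress import ip_network


def lpm_matches(filter_prefix: str, route: str) -> bool:
    """pre-6.2: an entry matches every route contained in its prefix,
    i.e. the route is the same prefix or a more specific one."""
    return ip_network(route).subnet_of(ip_network(filter_prefix))


def exact_matches(filter_prefix: str, route: str, ge: int = None, le: int = None) -> bool:
    """6.2: the route's network bits must match the entry and, without ge/le,
    its prefix length must be identical. 'ge N' accepts lengths N and longer,
    'le M' accepts lengths up to M, and both together give a range."""
    f, r = ip_network(filter_prefix), ip_network(route)
    if not r.subnet_of(f):
        return False
    low = ge if ge is not None else f.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = r.max_prefixlen
    else:
        high = f.prefixlen
    return low <= r.prefixlen <= high


def apply_filter(routes: list, entries: list, exact: bool) -> list:
    """Return the routes that would be redistributed. Entries are
    (action, prefix, options) tuples; the first matching entry decides and a
    route matching no entry is dropped (implicit deny, an assumption here)."""
    permitted = []
    for route in routes:
        for action, prefix, opts in entries:
            hit = exact_matches(prefix, route, **opts) if exact else lpm_matches(prefix, route)
            if hit:
                if action == "permit":
                    permitted.append(route)
                break
    return permitted


# Constructed route table; 10.0.0.0/16 and 10.0.1.0/24 are the slide's example.
ROUTES = ["10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/25", "10.1.0.0/24", "192.168.1.0/24"]

# Intent as written for the old behaviour: keep 10.0.0.0/16 internal, redistribute the rest.
ENTRIES = [
    ("deny", "10.0.0.0/16", {}),
    ("permit", "0.0.0.0/0", {"le": 32}),
]

# Same intent expressed for the 6.2 algorithm: spell out the whole length range.
ENTRIES_DENY_WHOLE_BLOCK = [
    ("deny", "10.0.0.0/16", {"le": 32}),
    ("permit", "0.0.0.0/0", {"le": 32}),
]


def redistributed_pre_62() -> list:
    return apply_filter(ROUTES, ENTRIES, exact=False)


def redistributed_62() -> list:
    return apply_filter(ROUTES, ENTRIES, exact=True)


def redistributed_62_whole_block() -> list:
    return apply_filter(ROUTES, ENTRIES_DENY_WHOLE_BLOCK, exact=True)


if __name__ == "__main__":
    print("pre-6.2 (LPM):  ", redistributed_pre_62())
    print("6.2 (exact):    ", redistributed_62())
    print("6.2 with le 32: ", redistributed_62_whole_block())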
Routing Enhancements: Do not announce DLR HA interface
[Figure: DLR HA interface on 172.16.1.0/24 next to the App tier]
Routing Enhancements: Display AS-path in show ip bgp
Enhance routing troubleshooting
Overview
Displays the full AS path for all prefixes in the output of the CLI command show ip bgp
Benefits
Enhance CLI to ease troubleshooting operations
[Figure: BGP topology with AS 8228, AS 65001, AS 65002, AS 65003 and AS 65000; Edges E1 to E8; DLR with Web, App and DB tiers]
Support /31 subnet mask and /32 Host Routes
Overview
Edge> show ip route
S 172.16.10.11/32 via 192.168.1.2
Benefits
Conserve IP addresses
Provide VM level granularity for routing (can also be redistributed to a dynamic routing protocol)
[Figure: Edge-to-Edge link addressed 10.0.0.2/31 (.2 / .3)]
Support relays in DHCP server
Overview
The static binding or pool does not have to be directly connected to the ESG where the DHCP server is configured anymore.
Support subnet mask for DHCP static binding and pool in API and UI.
Benefits
Use ESG DHCP server with DHCP relay in place.
[Figure: Edge running the DHCP server; DLR acting as DHCP relay (.1 / .2) for 172.16.2.0/24]
Load Balancer & L2VPN Enhancements
Improves scalability & usability
Overview
LB Feature: Support VIP and Pool port range
Future enablement support for additional 3rd-party LBaaS
[Figure: L2VPN connecting several L2 sites]
NSX Load-Balancing Health Monitoring
[Comparison figure: NSX 6.0 / 6.1 versus NSX 6.2]
NSX LB VIP and Pool port range
[Comparison figure: NSX 6.0 / 6.1 versus NSX 6.2]
Distributed Logical Router and Bridging Integration
[Comparison figure: NSX 6.0 / 6.1 versus NSX 6.2]
Software Layer 2 Gateway Form Factor
Native capability of NSX
High performance VXLAN to VLAN gateway in hypervisor kernel
Physical Services Integration via NSX Hardware VTEPs
Provide connectivity to physical workloads and services
NSX Hardware VTEP OVSDB integration: Logical and Physical
[Figure: Logical view with VM1 and VM2 on a logical switch bridged to VLAN 100; Physical view with the hypervisors and the hardware VTEP connected over the physical IP network (no multicast), the VTEP being managed over OVSDB]
NSX Packaging & Scale
NSX can run on any vSphere Edition, not tied to Enterprise Plus
NSX can work with any vSphere edition, no dependency on vSphere Enterprise Plus (as of vSphere 6.0 and vSphere 5.5 U3)
NSX Manager license deployment will include VDS
VDS available on all hosts which are managed by the vCenter where NSX Manager is installed
VDS entitlement with NSX is only for use with NSX, not for standalone use
Customers who want to run VDS independent of NSX need to purchase vSphere Enterprise Plus entitlements for the relevant hosts.
EULA enforced
NSX Support for vSphere 6.0
NSX builds on top of industry-first hypervisor technologies
NSX 6.2 Scalability
Summary & QA
NSX 6.2: Accelerating NSX adoption & driving new opportunities
Solutions
Cross-vCenter Networking and Security
Disaster Recovery Solution with NSX
Multi-Site Data Center Solutions
Features
Cross-VC vMotion over VXLAN, with Routing and Security
Troubleshooting: Central CLI, TraceFlow
NSX API Enhancements
Health Check of NSX Comm. Channels
Improved IP Discovery mechanisms for Virtual Machines
Logical Routing Enhancements
Logical Load Balancing enhancements