Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2014 VMware Inc. All rights reserved. NSX – Introduzione e casi d’Uso Luca Morelli – Sr Sales Engineer - NSX

Published byShavonne Melton Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2014 VMware Inc. All rights reserved. NSX – Introduzione e casi d’Uso Luca Morelli – Sr Sales Engineer - NSX"— Presentation transcript:

1 © 2014 VMware Inc. All rights reserved. NSX – Introduzione e casi d’Uso Luca Morelli – Sr Sales Engineer - NSX lmorelli@vmware.com

2 Agenda 2 1Il Software Defined Data Center 2Introduzione alla Virtualizzazione di Rete con NSX 3Il Paradigma della Micro-Segmentazione 4Principali Casi d’Uso

3 Taking what we have learned…. Software Hardware Virtual Machines Virtual Machines Compute Capacity NetworkStorage Applications Server Virtualization Intelligence in the virtualization layer Vendor independent x86 capacity Transformative operational model Automated configuration & management Intelligence in hardware Dedicated, vendor specific infrastructure Manual configuration & management Manual Operational Model Automated Operational Model Programmatically Create, Snapshot, Store, Move, Delete, Restore

4 To deliver a Software Defined Data Center approach Software Hardware Virtual Machines Virtual Machines Virtual Networks Virtual Networks Virtual Storage Virtual Storage Compute Capacity Network Capacity Storage Capacity Applications Location Independence Data Center Virtualization Pooled compute, network and storage capacity Vendor independent, best price/performance Simplified configuration & management Automated Operational Model Programmatically Create, Snapshot, Store, Move, Delete, Restore

5 Why SDDC is the only model for Hybrid Cloud 5 Compatibility of networking and security policies independent of location Private Cloud Any Application SDDC Platform Any x86 Any Storage Any IP network Data Center Virtualization Inter- Data Center Any Application Any x86 Any Storage Any IP network Hybrid- Data Center Any Application Any x86 Any Storage Any IP network SDDC Platform

6 Compute Virtualization Abstraction Layer The Network Is a Barrier to Software Defined Data Center!! Physical Network Software Defined Data Center Provisioning is slow Mobility is limited Hardware dependent Operationally intensive 6 Servers

7 NSX - Distributed Services in the Hypervisor Applications Virtual Machines Virtual Networks Virtual Storage Data Center Virtualization Location Independence Software Hardware L2 Switching L3 Routing Firewalling/ACLs Load Balancing Automated operational model of the SDDC Network & Security Services Now in the Hypervisor Pooled compute, network and storage capacity; Vendor independent, best price/perf; Simplified config and mgt. Compute Capacity Network Capacity Storage Capacity

8 Non-Disruptive Deployment

9 Services Distributed to the Virtual Switch

10 Physical Workloads and Legacy VLANs

11 NSX vSwitch With NSXBefore NSX Default Gateway UCS Fabric AUCS Fabric B UCS Blade 1 vswitch 6 wire hops UCS Fabric AUCS Fabric B UCS Blade 1UCS Blade 2 vswitch UCS Fabric AUCS Fabric B 0 wire hops UCS Fabric AUCS Fabric B UCS Blade 1UCS Blade 2 With NSXBefore NSX East-West Routing / Same hostEast-West Routing / Host to host 2 wire hops NSX vSwitch UCS Blade 1 The 3 Advantages of Distributing Services 1. Routing - more efficient networking, fewer hops Default Gateway

12 12 Internet Security Policy Perimeter Firewalls Cloud Management Platform The 3 Advantages of Distributing Services 2. Operational Model of a VM Accurate firewall policies follow workloads as they move

13 CONFIDENTIAL13 Platform-based automation Automated provisioning and workload adds/moves/changes Hypervisor-based, in kernel distributed firewalling High throughput rates on a per hypervisor basis Every hypervisor adds additional east- west firewalling capacity The 3 Advantages of Distributing Services 3. Provisioning Automation with Scale-Out Performance

14 Network Virtualization – Market Analysis  Primary Drivers of growth:  Need for flexible networks and improve provisioning times  CapEx Savings  Improved Network Management  Recoverability from Failure and Disaster Recovery  Swift response to changing business requirements  Agility 1 Source - IDC SDN (Network Virtualization, Automated Provisioning and Network Programmability) will grow annually by 89% from $960 million in 2014 to more than $8 billion in 2018 1

15 Gartner Magic Quadrant Data Center Networking 2015 15 Gartner Data Center Networking Magic Quadrant, May 11, 2015 “Due to its pricing models, VMware's NSX allows organizations to incrementally adopt SDN without requiring large upfront capital investments.” “VMware NSX can run on top of any appropriately provisioned IP-based Ethernet network” “VMware should be considered for organizations looking to increase networking agility or security within highly virtualized data centers” “We believe VMware has the largest installed base of any SDN solution in the market today” “NSX microsegmentation is an innovative mechanism to provide intra-data-center security (east-west) in a cost-effective manner compared with traditional appliance-based approaches.”

16 Organizations face multiple issues with security 16 Source NSX Security Infographic: http://vmw.re/1AdyTEAhttp://vmw.re/1AdyTEA

17 Problem: Data Center Network Security Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible Little or no lateral controls inside perimeter Internet InsufficientOperationally Infeasible

18 Companies hacked from inside 18 http://www.xataka.com/seguridad/las-aventuras-amorosas-de-37-millones-de-usuarios-al-descubierto-hackean-ashley-madison http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

19 VMware NSX Micro-Segmentation 19 Isolation and segmentation Unit-level trust / least privilege Ubiquity and centralized control Zero-Trust security model that follows the VM 1 2 3 Microsegmentation is now possible in dynamic, multi-tenant environments: High performance, in kernel distributed stateful firewall Security between VMs on same IP Subnet Integration with best-of-breed security partners VMware NSX Ecosystem: http://www.vmware.com/products/nsx/resourceshttp://www.vmware.com/products/nsx/resources Developing a Framework to Improve Critical Infrastructure Cybersecurity: http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf

20 NSX Distributed Firewall Delivers Micro-Segmentation Efficient rule management Dynamic Policy (e.g: AV, DLP, Vulnerability Scan) No choke points with scale out performance (Near Line Rate) Enabled for cloud automation SrcDst ANYShared Service DesktopWEB_GROUP Rules based on logical containers Platform for Distributed Services WEB_ GROUP “Web Policy”  Firewall – allow inbound HTTP/S, allow outbound ANY “Web Policy”  Firewall – allow inbound HTTP/S, allow outbound ANY Firewall policies are pre- approved, used repeatedly by cloud automation Web App DB VM NSX Distributed Firewall is Optimized for SDDC 20 CONFIDENTIAL

21 NSX vSwitch With NSX Distributed Virtual Firewall Before NSX UCS Fabric AUCS Fabric B UCS Blade 1 vswitch 6 wire hops UCS Fabric AUCS Fabric B UCS Blade 1UCS Blade 2 vswitch UCS Fabric AUCS Fabric B 0 wire hops UCS Fabric AUCS Fabric B UCS Blade 1UCS Blade 2 With NSX Distributed Virtual Firewall Before NSX East-West Firewalling / Same hostEast-West Firewalling / Host to host 2 wire hops NSX vSwitch UCS Blade 1 The 3 Advantages of Distributing Services Firewalling – much simpler operations Default Gateway

22 CONFIDENTIAL NSX DFW Policy Objects Policy rules construct: Rich dynamic container based rules apart from just IP addresses: VC containers Clusters datacenters Portgroups VXLAN VC containers Clusters datacenters Portgroups VXLAN VM containers VM names VM tags VM attributes VM containers VM names VM tags VM attributes Identity AD Groups Identity AD Groups IPv6 compliant IPv6 address IPv6 sets IPv6 compliant IPv6 address IPv6 sets Services Protocol Ports Custom Services Protocol Ports Custom IPv6 Services Choice of PEP (Policy Enforcement Point) Clusters VXLAN vNICs … Choice of PEP (Policy Enforcement Point) Clusters VXLAN vNICs … Action Allow Block Reject Action Allow Block Reject 22

23 23 Configure policy with Security Groups Select elements to uniquely identify application workloads Use attributes to create Security GroupsApply policies to security groups 123 ABC DEF Group XYZ App 1 OS: Windows 8 TAG: “Production”  Enforce policy based on logical constructs  Reduce configuration errors  Policy follows VM, not IP  Reduce rule sprawl and complexity  Enforce policy based on logical constructs  Reduce configuration errors  Policy follows VM, not IP  Reduce rule sprawl and complexity Use security groups to abstract policy from application workloads. Group XYZ Policy 1 “IPS for Desktops” “FW for Desktops” Policy 2 “AV for Production” “FW for Production” Element type StaticDynamic Data center Virtual net Virtual machine vNIC VM name OS type User ID Security tag

24 Micro-segmentation simplifies network security  Each VM can now be its own perimeter  Policies align with logical groups  Prevents threats from spreading App DMZ Services DB Perimeter firewall AD NTPDHCPDNSCERT Inside firewall Finance Engineering HR

25 Without Network Virtualization 60% Asset Utilization With Network Virtualization 90% Asset Utilization Improved Server Utilization – less overprovisioning of servers 25

26 WAN Internet Compute Cluster Perimeter Firewall (Physical) NSX EDGE Service Gateway Compute Cluster SDDC (Software Defined DC) DFW DFW: E-W NSX EDGE Service Gateway positioned to protect border of the SDDC: EDGE: North – South traffic protection NSX EDGE Service Gateway positioned to protect border of the SDDC: EDGE: North – South traffic protection NSX DFW positioned for internal SDDC traffic protection: DFW: East – West traffic protection NSX DFW positioned for internal SDDC traffic protection: DFW: East – West traffic protection Physical Virtual Compute Cluster EDGE: N-S NSX Security in SDDC 26CONFIDENTIAL

27 Micro-segmentation in detail Segmentation Isolation Advanced services Controlled communication path within a single network Fine-grained enforcement of security Security policies based on logical groupings of VMs Advanced services: addition of 3 rd party security, as needed by policy Platform for including leading security solutions Dynamic addition of advanced security to adapt to changing security conditions No communication path between unrelated networks No cross-talk between networks Overlay technology assures networks are separated by default

28 NSX Partners and Service Categories Application Delivery Services Physical-to-Virtual Services Operations and Visibility Security NSX Partner Extensions http://www.vmware.com/products/nsx/resources.html

29 VMware NSX –Use Cases Self-Service IT Dev X Dev A Test X Acquisition A DevOps Cloud On-boarding M&A Application specific networking Flexible IP Address Mgmt Simplified consumption Key Capabilities Examples Data Center Automation Micro-segmentation of App Simplifying Compute Silos DMZ Deployments Programmatic Consumption Full featured stack Visibility and ops Key Capabilities Examples Public Clouds XaaS Clouds Vertical Clouds Multi-tenant Deployment Programmatic L2, L3, Security Overlapping IP Addressing Any Hypervisor, Any CMP Key Capabilities Examples

30 Use case: Multi-tenancy with segmentation and advanced services isolation Tenant 1 Tenant 2 Perimeter firewall DMZ/Web App DB HR Group App DMZ/Web DB Finance Group Services Mgmt Services/Management Group Perimeter firewall DMZ/Web App DB HR Group App DMZ/Web DB Finance Group Services Mgmt Services/Management Group 30 No traffic between networks  Completely separate unrelated networks  Add advanced services based on virtual network, network segment, or Security Group

31 Use case: Networking and Security for VDI 31  Eliminate complex policy sets and topologies for different VDI users  Align policies to logical grouping  Decouple network topology from VDI security  Eliminate complex policy sets and topologies for different VDI users  Align policies to logical grouping  Decouple network topology from VDI security Simplify VDI deployments APP1 Web 1App 1 APP2 Web 2App 2 Engineering External Contractor 1 External Contractor 2 Eng  Eng net 4 “External 1*”  Web 1 4 “External 2*”  Web 24 APP1 Web 1App 1 APP2 Web 2App 2 Engineering External Contractor 1 External Contractor 2 Traditional Data Center NSX Data Center VLANs Engineering External Contractor 1 External Contractor 2 Eng  Web 1 4 Eng  App 1 4 Eng  Web 2 4 Eng  App 2 4 Ext1  Web 1 4 Ext1  App 1 5 Ext2  Web 2 4 Ext2  App 2 5 …

32 Use Case: Infrastructure Management with vRealize Automation New Features  Simplified Multi-Tier App Deployment  Improved Connectivity − Deployment of logical switches and networks  Enhanced Security −Intelligent placement of workloads in security groups protected by firewalls  Increased Availability −Via deployment of NSX distributed firewalls and load balancers Benefits  Deliver secure, scalable, performing application-specific infrastructure on-demand Dynamically Provision and Decommission NSX Logical Services

33 “Protected” Site“Recovery” Site Storage VMFS/NFS Storage VMFS/NFS Replication Use Case: Disaster Recovery Scenarios with NSX+SRM NSX Manager NSX Controller Cluster vCenter + SRM vRA NSX Manager NSX Controller Cluster vCenter + SRM vCRA Firewall Rules & Security Groups

34 Use Case: A True Hybrid Cloud powered by VMware NSX Local Data Center Internet IPSec VPN SSL VPN (vCloud Air Network) vCloud Air L2 VPN Some Benefits: L2VPN for DC Extension Granular Network Security with Trust Groups Bi-directional workload migration using vSphere web client 34 Some Benefits: Today with vCloud AIR Tomorrow with Amazon AWS, Azure, Google and other Public Cloud Providers

35 What You’ve Done with NSX 35 NSX Customers 900+ Production Deployments (adding 25-50 per quarter) 100+ Organizations invested US$1M+ in NSX 65+ What You’re Doing Next EXPANDED SECURITY New security partners, integrations, and projects and applications of NSX. DEEPER INTEGRATION New infrastructure and operations partners, integrations, and frameworks for IT organizations √ APPLICATION CONTINUITY New functionality to scale deployments across vCenter instances, with the ability to: Pool resources from multiple data centers Recover from disasters faster Deploy a hybrid cloud architecture NSX 6.2 contains over 20 new features Tested against over 1000 new scenarios

36 VMware NSX Momentum Top investment banks Enterprises, public & service providers 36

37 VMware NSX Value Prop VMware NSX Transforms the Operational Model of the Network Network provisioning time reduced from 7 days to 30 sec. Reduce network provisioning time from days to seconds Cost Savings Reduce operational costs by 80% Increase compute asset utilization to 90%, reduce hardware costs by 40- 50% Operational automation Simplified IP hardware Operational automation Simplified IP hardware Choice Any Hypervisor: vSphere, KVM, Xen, HyperV (future) Any Network Hardware Any CMP: vRealize, OpenStack Partner Ecosystem. Any hypervisor Any CMP with Partners Any hypervisor Any CMP with Partners

38 What’s Next… VMware NSX Hands-on Labs labs.hol.vmware.com 38 Explore, Engage, Evolve virtualizeyournetwork.com Network Virtualization Blog blogs.vmware.com/networkvirtualization NSX Product Page vmware.com/go/nsx NSX Training & Certification www.vmware.com/go/NVtraining NSX Technical Resources Reference Designs vmware.com/products/nsx/resources VMware NSX YouTube Channel youtube.com/user/vmwarensx VMware NSX Community communities.vmware.com/community/vmtn/nsx Play Learn Deploy

39 39 Q&A

40 Thank you. Luca Morelli Network Virtualization Platform Sr System Engineer

41 NSX Architecture and Components Animated Slide Cloud Consumption Self Service Portal vCloud Automation Center, OpenStack, Custom Data Plane NSX Edge ESXi Hypervisor Kernel Modules Distributed Services High – Performance Data Plane Scale-out Distributed Forwarding Model Management Plane NSX Manager Single configuration portal REST API entry-point Control Plane NSX Controller Manages Logical networks Control-Plane Protocol Separation of Control and Data Plane Firewall Distributed Logical Router Logical Switch Logical Network Physical Network … …

42 CONFIDENTIAL Distributed Logical Routing – Multi-Tenant Deployment Models  2 Tiers of Routing Distributed for E-W Perimeter for N-S  Static / Dynamic Routing to advertise Logical Networks Perimeter NSX Edge Dynamic Routing (OSPF, BGP) External Networks Web Logical Switch App Logical Switch DB Logical Switch Web Logical Switch App Logical Switch DB Logical Switch Web Logical Switch App Logical Switch DB Logical Switch Logical Router Instance 1 Logical Router Instance 2 Logical Router Instance n Static or Dynamic Routing (OSPF, BGP) Transit Uplink 1 Transit Uplink 3 Transit Uplink 2

Download ppt "© 2014 VMware Inc. All rights reserved. NSX – Introduzione e casi d’Uso Luca Morelli – Sr Sales Engineer - NSX"

Similar presentations

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP, CCSK Principal Systems Engineer – Security.

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP, CCSK Principal Systems Engineer – Security.
System Center 2012 R2 Overview

System Center 2012 R2 Overview
Current impacts of cloud migration on broadband network operations and businesses David Sterling Partner, i 3 m 3 Solutions.

Current impacts of cloud migration on broadband network operations and businesses David Sterling Partner, i 3 m 3 Solutions.
The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.

The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.
Virtualization of Fixed Network Functions on the Oracle Fabric Krishna Srinivasan Director, Product Management Oracle Networking Savi Venkatachalapathy.

Virtualization of Fixed Network Functions on the Oracle Fabric Krishna Srinivasan Director, Product Management Oracle Networking Savi Venkatachalapathy.
Application Centric Infrastructure

Application Centric Infrastructure
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Software Defined Networking.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Software Defined Networking.
VMware Virtualization Last Update 2014.02.06 2.0.0 1Copyright 2011-2014 Kenneth M. Chipps Ph.D. www.chipps.com.

VMware Virtualization Last Update Copyright Kenneth M. Chipps Ph.D.
SDN in Openstack - A real-life implementation Leo Wong.

SDN in Openstack - A real-life implementation Leo Wong.
“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.

“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.
Cisco and NetApp Confidential. Distributed under non-disclosure only. Name Date FlexPod Entry-level Solution FlexPod Value, Sized Right for Smaller Workloads.

Cisco and NetApp Confidential. Distributed under non-disclosure only. Name Date FlexPod Entry-level Solution FlexPod Value, Sized Right for Smaller Workloads.
Unified Logs and Reporting for Hybrid Centralized Management

Unified Logs and Reporting for Hybrid Centralized Management
Virtual techdays INDIA │ 9-11 February 2011 Cross Hypervisor Management Using SCVMM 2008 R2 Vikas Madan │ Partner Consultant II, Microsoft Corporation.

Virtual techdays INDIA │ 9-11 February 2011 Cross Hypervisor Management Using SCVMM 2008 R2 Vikas Madan │ Partner Consultant II, Microsoft Corporation.
Citrix Partner Update The Citrix Delivery Centre.

Citrix Partner Update The Citrix Delivery Centre.
© 2010 VMware Inc. All rights reserved Confidential VMware Vision Jarod Martin Senior Solutions Engineer.

© 2010 VMware Inc. All rights reserved Confidential VMware Vision Jarod Martin Senior Solutions Engineer.
CON7349 - Software-Defined Networking in a Hybrid, Open Data Center Krishna Srinivasan Senior Principal Product Strategy Manager Oracle Virtual Networking.

CON Software-Defined Networking in a Hybrid, Open Data Center Krishna Srinivasan Senior Principal Product Strategy Manager Oracle Virtual Networking.
Microsoft delivers a complete datacenter solution with Windows Server 2012 R2 out-of-the-box Cloud OS Development Management Identity Virtualization.

Microsoft delivers a complete datacenter solution with Windows Server 2012 R2 out-of-the-box Cloud OS Development Management Identity Virtualization.
Plan Introduction What is Cloud Computing?

Plan Introduction What is Cloud Computing?
VMware vSphere 4 Introduction. Agenda VMware vSphere Virtualization Technology vMotion Storage vMotion Snapshot High Availability DRS Resource Pools Monitoring.

VMware vSphere 4 Introduction. Agenda VMware vSphere Virtualization Technology vMotion Storage vMotion Snapshot High Availability DRS Resource Pools Monitoring.
How to protect your Virtual Datacenter Michiel van den Bos.

How to protect your Virtual Datacenter Michiel van den Bos.

Similar presentations

Ads by Google