A clear, comprehensive guide to VMware’s latest virtualization solution
Mastering VMware NSX for vSphere is the ultimate guide to VMware’s network security virtualization platform. Written by a rock star in the VMware community, this book offers invaluable guidance and crucial reference for every facet of NSX, with clear explanations that go far beyond the public documentation. Coverage includes NSX architecture, controllers, and edges; preparation and deployment; logical switches; VLANs and VXLANs; logical routers; virtualization; edge network services; firewall security; and much more to help you take full advantage of the platform’s many features.
More and more organizations are recognizing both the need for stronger network security and the powerful solution that is NSX; usage has doubled in the past year alone, and that trend is projected to grow - and these organizations need qualified professionals who know how to work effectively with the NSX platform. This book covers everything you need to know to exploit the platform’s full functionality so you can:
- Step up security at the application level
- Automate security and networking services
- Streamline infrastructure for better continuity
- Improve compliance by isolating systems that handle sensitive data
VMware’s NSX provides advanced security tools at a lower cost than traditional networking. As server virtualization has already become a de facto standard in many circles, network virtualization will follow quickly - and NSX positions VMware to lead network virtualization the way vSphere came to dominate server virtualization. NSX allows you to boost security at a granular level, streamline compliance, and build a more robust defense against the sort of problems that make headlines. Mastering VMware NSX for vSphere helps you get up to speed quickly and put this powerful platform to work for your organization.
Table of Contents
Introduction xvii
Chapter 1 Abstracting Network and Security 1
Networks: 1990s 1
Colocation 2
Workload-to-Server Ratio 3
Inefficient Resource Allocation 3
The Long Road to Provisioning 3
Data Centers Come of Age 4
Data Center Workloads 4
Workloads Won’t Stay Put 5
VMware 6
Virtualization 6
What is Happening in There? 6
Portability 8
Virtualize Away 8
Extending Virtualization to Storage 9
Virtual Networking and Security 9
NSX to the Rescue 10
The Bottom Line 13
Chapter 2 NSX Architecture and Requirements 15
NSX Network Virtualization 16
Planes of Operation 16
NSX Manager Role and Function 18
ESXi Hosts 19
vCenter Server 20
vSphere Distributed Switch 21
NSX VIBs 23
Competitive Advantage: IOChain 24
IOChain Security Features 24
NSX Controllers 25
NSX Controller Clustering 26
NSX Controller Roles 26
NSX Edge 28
ESG Sizing 30
NSX Role-Based Access Control 30
Overlay and Underlay Networks 32
Replication Modes for Traffic Going to Multiple Destinations 34
The Bottom Line 36
Chapter 3 Preparing NSX 39
NSX Manager Prerequisites 39
Open Ports and Name Resolution 40
Minimum Resource Requirements for NSX Data Center Appliances 40
vSphere HA and DRS 41
IP Addressing and Port Groups 43
Installing the Client Integration Plug-in 44
Installing NSX Manager 44
Associating NSX Manager to vCenter 46
Adding AD/LDAP to NSX 47
Linking Multiple NSX Managers Together (Cross-vCenter NSX) 51
Multi-site Consistency with Universal Components 51
Primary and Secondary NSX Managers 53
Preparing ESXi Clusters for NSX 54
Creating a Universal Transport Zone on the Primary NSX Manager 56
vSphere Distributed Switches Membership 57
Adding Secondary NSX Managers 58
The Bottom Line 59
Chapter 4 Distributed Logical Switch 61
vSphere Standard Switch (vSS) 62
Traffic Shaping 63
Understanding Port Groups 64
NIC Teaming 65
Ensuring Security 66
Virtual Distributed Switch (vDS) 67
Virtual eXtensible LANs (VXLANs) 68
Employing Logical Switches 71
Three Tables That Store VNI Information 73
Collecting VNI Information 74
Centralized MAC Table 75
VTEP Table 76
We Might as Well Talk about ARP Now 79
Filling In the L2 and L3 Headers 79
Switch Security Module 81
Understanding Broadcast, Unknown Unicast, and Multicast 83
Layer 2 Flooding 83
Replication Modes 83
Deploying Logical Switches 84
Creating a Logical Switch 85
The Bottom Line 85
Chapter 5 Marrying VLANs and VXLANs 87
Shotgun Wedding: Layer 2 Bridge 87
Architecture 88
Challenges 89
Deployment 90
Under the Hood 102
Layer 2 VPN 102
NSX Native L2 Bridging 103
Hardware Switches to the Rescue 103
Hardware VTEPs 103
Deployment 104
Under the Hood 104
The Bottom Line 105
Chapter 6 Distributed Logical Router 107
Distributed Logical Router (DLR) 107
Control Plane Smarts 108
Logical Router Control Virtual Machine 108
Understanding DLR Efficiency 111
Another Concept to Consider 115
Let’s Get Smart about Routing 117
OSPF 119
Border Gateway Protocol (BGP) 120
Oh Yeah, Statics Too 123
Deploying Distributed Logical Routers 125
The Bottom Line 134
Chapter 7 NFV: Routing with NSX Edges 137
Network Function Virtualization: NSX Has It Too 137
This is Nice: Edge HA 138
Adding HA 139
Let’s Do Routing Like We Always Do 140
Deploying the Edge Services Gateway 144
Configuring BGP 151
Configuring OSPF 154
Configuring Static Routes 155
Routing with the DLR and ESG 156
Using CLI Commands 156
Default Behaviors to Be Aware Of 157
Equal Cost Multi-Path Routing 157
The Bottom Line 160
Chapter 8 More NVF: NSX Edge Services Gateway 163
ESG Network Placement 163
Network Address Translation 164
Configuring Source NAT 166
Configuring Destination NAT 166
Configuring SNAT on the ESG 167
Configuring DNAT on the ESG 169
ESG Load Balancer 171
Configuring an ESG Load Balancer 173
Layer 2 VPN (If You Must) 178
Secure Sockets Layer Virtual Private Network 179
Split Tunneling 180
Configuring SSL VPN 180
Internet Protocol Security VPN 187
Understanding NAT Traversal 188
Configuring IPsec Site-to-Site VPN with the ESG 188
Round Up of Other Services 190
DHCP Service 191
Configuring the ESG as a DHCP Server 192
DHCP Relay 194
Configuring the DLR for DHCP Relay 196
DNS Relay 198
Configuring DNS Relay on the ESG 199
The Bottom Line 200
Chapter 9 NSX Security, the Money Maker 203
Traditional Router ACL Firewall 203
I Told You about the IOChain 204
Slot 2: Distributed Firewall 206
Under the Hood 207
Adding DFW Rules 210
Segregating Firewall Rules 214
IP Discovery 215
Gratuitous ARP Used in ARP Poisoning Attacks 216
Why is My Traffic Getting Blocked? 218
Great, Now It’s Being Allowed 219
Identity Firewall: Rules Based on Who Logs In 220
Distributing Firewall Rules to Each ESXi Host: What’s Happening? 220
The Bottom Line 222
Chapter 10 Service Composer and Third-Party Appliances 223
Security Groups 224
Dynamic Inclusion 225
Static Inclusion 226
Static Exclusion 226
Defining a Security Group through Static Inclusion 227
Defining a Security Group through Dynamic Inclusion 229
Customizing a Security Group with Static Exclusion 231
Defining a Security Group Using Security Tags 231
Adding to DFW Rules 233
Service Insertion 236
IOChain, the Gift that Keeps on Giving 236
Layer 7 Stuff: Network Introspection 236
Guest Introspection 237
Service Insertion Providers 238
Security Policies 239
Creating Policies 239
Enforcing Policies 243
The Bottom Line 245
Chapter 11 vRealize Automation and REST APIs 247
vRealize Automation Features 247
vRA Editions 249
Integrating vRA and NSX 250
vRealize Automation Endpoints 250
Associating NSX Manager with vRealize Automation 252
Network Profiles 253
vRA External, Routed, and NAT Network Profiles 255
Reservations 258
vRealize Orchestrator Workflows 261
Creating a Blueprint for One Machine 261
Adding NSX Workflow to a Blueprint 264
Creating a Request Service in the vRA Catalog 265
Configuring an Entitlement 268
Deploying a Blueprint that Consumes NSX Services 271
REST APIs 273
NSX REST API GET Request 275
NSX REST API POST Request 275
NSX REST API DELETE Request 276
The Bottom Line 277
Appendix The Bottom Line 279
Chapter 1: Abstracting Network and Security 279
Chapter 2: NSX Architecture and Requirements 280
Chapter 3: Preparing NSX 280
Chapter 4: Distributed Logical Switch 281
Chapter 5: Marrying VLANs and VXLANs 283
Chapter 6: Distributed Logical Router 284
Chapter 7: NFV: Routing with NSX Edges 286
Chapter 8: More NVF: NSX Edge Services Gateway 287
Chapter 9: NSX Security, the Money Maker 289
Chapter 10: Service Composer and Third-Party Appliances 290
Chapter 11: vRealize Automation and REST APIs 291
Index 293