A clear, comprehensive guide to VMware’s latest virtualization solution

Mastering VMware NSX for vSphere is the ultimate guide to VMware’s network security virtualization platform. Written by a rock star in the VMware community, this book offers invaluable guidance and crucial reference for every facet of NSX, with clear explanations that go far beyond the public documentation. Coverage includes NSX architecture, controllers, and edges; preparation and deployment; logical switches; VLANS and VXLANS; logical routers; virtualization; edge network services; firewall security; and much more to help you take full advantage of the platform’s many features.

More and more organizations are recognizing both the need for stronger network security and the powerful solution that is NSX; usage has doubled in the past year alone, and that trend is projected to grow—and these organizations need qualified professionals who know how to work effectively with the NSX platform. This book covers everything you need to know to exploit the platform’s full functionality so you can:

• Step up security at the application level
• Automate security and networking services
• Streamline infrastructure for better continuity
• Improve compliance by isolating systems that handle sensitive data

VMware’s NSX provides advanced security tools at a lower cost than traditional networking. As server virtualization has already become a de facto standard in many circles, network virtualization will follow quickly—and NSX positions VMware in the lead the way vSphere won the servers. NSX allows you to boost security at a granular level, streamline compliance, and build a more robust defense against the sort of problems that make headlines. Mastering VMware NSX for vSphere helps you get up to speed quickly and put this powerful platform to work for your organization.

Table of contents

Introduction xvii

Chapter 1 Abstracting Network and Security 1

Networks: 1990s 1

Colocation 2

Workload-to-Server Ratio 3

Inefficient Resource Allocation 3

The Long Road to Provisioning 3

Data Centers Come of Age 4

Data Center Workloads 4

Workloads Won’t Stay Put 5

VMware 6

Virtualization 6

What is Happening in There? 6

Portability 8

Virtualize Away 8

Extending Virtualization to Storage 9

Virtual Networking and Security 9

NSX to the Rescue 10

The Bottom Line 13

Chapter 2 NSX Architecture and Requirements 15

NSX Network Virtualization 16

Planes of Operation 16

NSX Manager Role and Function 18

ESXi Hosts 19

vCenter Server 20

vSphere Distributed Switch 21

NSX VIBs 23

Competitive Advantage: IOChain 24

IOChain Security Features 24

NSX Controllers 25

NSX Controller Clustering 26

NSX Controller Roles 26

NSX Edge 28

ESG Sizing 30

NSX Role-Based Access Control 30

Overlay and Underlay Networks 32

Replication Modes for Traffic Going to Multiple Destinations 34

The Bottom Line 36

Chapter 3 Preparing NSX 39

NSX Manager Prerequisites 39

Open Ports and Name Resolution 40

Minimum Resource Requirements for NSX Data Center Appliances 40

vSphere HA and DRS 41

IP Addressing and Port Groups 43

Installing the Client Integration Plug-in 44

Installing NSX Manager 44

Associating NSX Manager to vCenter 46

Adding AD/LDAP to NSX 47

Linking Multiple NSX Managers Together (Cross- vCenter NSX) 51

Multi-site Consistency with Universal Components 51

Primary and Secondary NSX Managers 53

Preparing ESXi Clusters for NSX 54

Creating a Universal Transport Zone on the Primary NSX Manager 56

vSphere Distributed Switches Membership 57

Adding Secondary NSX Managers 58

The Bottom Line 59

Chapter 4 Distributed Logical Switch 61

vSphere Standard Switch (vSS) 62

Traffic Shaping 63

Understanding Port Groups 64

NIC Teaming 65

Ensuring Security 66

Virtual Distributed Switch (vDS) 67

Virtual eXtensible LANs (VXLANs) 68

Employing Logical Switches 71

Three Tables That Store VNI Information 73

Collecting VNI Information 74

Centralized MAC Table 75

VTEP Table 76

We Might as Well Talk about ARP Now 79

Filling In the L2 and L3 Headers 79

Switch Security Module 81

Understanding Broadcast, Unknown Unicast, and Multicast 83

Layer 2 Flooding 83

Replication Modes 83

Deploying Logical Switches 84

Creating a Logical Switch 85

The Bottom Line 85

Chapter 5 Marrying VLANs and VXLANs 87

Shotgun Wedding: Layer 2 Bridge 87

Architecture 88

Challenges 89

Deployment 90

Under the Hood 102

Layer 2 VPN 102

NSX Native L2 Bridging 103

Hardware Switches to the Rescue 103

Hardware VTEPs 103

Deployment 104

Under the Hood 104

The Bottom Line 105

Chapter 6 Distributed Logical Router 107

Distributed Logical Router (DLR) 107

Control Plane Smarts 108

Logical Router Control Virtual Machine 108

Understanding DLR Efficiency 111

Another Concept to Consider 115

Let’s Get Smart about Routing 117

OSPF 119

Border Gateway Protocol (BGP) 120

Oh Yeah, Statics Too 123

Deploying Distributed Logical Routers 125

The Bottom Line 134

Chapter 7 NFV: Routing with NSX Edges 137

Network Function Virtualization: NSX Has It Too 137

This is Nice: Edge HA A 138

Adding HA 139

Let’s Do Routing Like We Always Do 140

Deploying the Edge Services Gateway 144

Configuring BGP 151

Configuring OSPF 154

Configuring Static Routes 155

Routing with the DLR and ESG 156

Using CLI Commands 156

Default Behaviors to Be Aware Of 157

Equal Cost Multi-Path Routing157

The Bottom Line 160

Chapter 8 More NVF: NSX Edge Services Gateway 163

ESG Network Placement 163

Network Address Translation 164

Configuring Source NAT 166

Configuring Destination NAT 166

Configuring SNAT on the ESG 167

Configuring DNAT on the ESG 169

ESG Load Balancer 171

Configuring an ESG Load Balancer 173

Layer 2 VPN (If You Must) 178

Secure Sockets Layer Virtual Private Network 179

Split Tunneling 180

Configuring SSL VPN 180

Internet Protocol Security VPN 187

Understanding NAT Traversal 188

Configuring IPsec Site-to-Site VPN with the ESG 188

Round Up of Other Services 190

DHCP Service 191

Configuring the ESG as a DHCP Server 192

DHCP Relay 194

Configuring the DLR for DHCP Relay 196

DNS Relay 198

Configuring DNS Relay on the ESG 199

The Bottom Line 200

Chapter 9 NSX Security, the Money Maker 203

Traditional Router ACL Firewall 203

I Told You about the IOChain 204

Slot 2: Distributed Firewall 206

Under the Hood 207

Adding DFW Rules 210

Segregating Firewall Rules 214

IP Discovery 215

Gratuitous ARP Used in ARP Poisoning Attacks 216

Why is My Traffic Getting Blocked? 218

Great, Now It’s Being Allowed 219

Identity Firewall: Rules Based on Who Logs In 220

Distributing Firewall Rules to Each ESXi Host: What’s Happening? 220

The Bottom Line 222

Chapter 10 Service Composer and Third-Party Appliances 223

Security Groups 224

Dynamic Inclusion 225

Static Inclusion 226

Static Exclusion 226

Defining a Security Group through Static Inclusion 227

Defining a Security Group through Dynamic Inclusion 229

Customizing a Security Group with Static Exclusion 231

Defining a Security Group Using Security Tags 231

Adding to DFW Rules 233

Service Insertion 236

IOChain, the Gift that Keeps on Giving 236

Layer 7 Stuff: Network Introspection 236

Guest Introspection 237

Service Insertion Providers 238

Security Policies 239

Creating Policies 239

Enforcing Policies 243

The Bottom Line 245

Chapter 11 vRealize Automation and REST APIs 247

vRealize Automation Features 247

vRA Editions 249

Integrating vRA and NSX 250

vRealize Automation Endpoints 250

Associating NSX Manager with vRealize Automation 252

Network Profiles 253

vRA External, Routed, and NAT Network Profiles 255

Reservations 258

vRealize Orchestrator Workflows 261

Creating a Blueprint for One Machine261

Adding NSX Workflow to a Blueprint 264

Creating a Request Service in the vRA Catalog 265

Configuring an Entitlement 268

Deploying a Blueprint that Consumes NSX Services 271

REST APIs 273

NSX REST API GET Request 275

NSX REST API POST Request 275

NSX REST API DELETE Request 276

The Bottom Line 277

Appendix The Bottom Line 279

Chapter 1: Abstracting Network and Security 279

Chapter 2: NSX Architecture and Requirements 280

Chapter 3: Preparing NSX 280

Chapter 4: Distributed Logical Switch 281

Chapter 5: Marrying VLANs and VXLANs 283

Chapter 6: Distributed Logical Router 284

Chapter 7: NFV: Routing with NSX Edges 286

Chapter 8: More NVF: NSX Edge Services Gateway 287

Chapter 9: NSX Security, the Money Maker 289

Chapter 10: Service Composer and Third-Party Appliances 290

Chapter 11: vRealize Automation and REST APIs 291

Index 293