Introduction to NSX - CSL

Introduction to NSX


Going beyond server virtualization

IT’S TIME FOR A NEW IT APPROACH

• Slow technology adoption rates
• High user expectations
• Slow responses
• Privacy issues
• Integration problems
• Service outages
• Shortage of right skills
• Declining budget
• Different applications
• Aging infrastructure
• Security
• Proliferation of devices
• Fragmented data center
• Cloud silos
• Limited resources

It’s Time to Virtualize the WHOLE Data Center

The Software Defined Data Center: efficient, agile and secure. Optimized for rapid development and delivery of all applications, for safe consumption on any device.

Network Virtualization is Key

What is a Software Defined Data Center (SDDC)?

Traditional data center (intelligence in hardware):
• Dedicated, vendor-specific infrastructure
• Manual configuration & management

Software Defined Data Center (intelligence in software):
• Data center virtualization layer: the operational model of the VM applied to the whole data center
• Automated configuration & management
• Hardware provides compute, network and storage capacity: pooled, vendor-independent, best price/performance infrastructure with simplified configuration & management

Network Virtualization is at the core of an SDDC approach

[Figure: the network, storage and compute virtualization layer (a “network hypervisor”) sits between the physical infrastructure and the virtual data centers; deployment is non-disrupting.]

The Power of Distributed Services

Network and security services now distributed in the hypervisor:
• Switching
• Routing
• Firewalling/ACLs
• Load Balancing

• High throughput rates
• East-west firewalling
• Native platform capability

A Traditional “Virtual Switch”

Traditional Layer 3 Routing?

A Virtual Network?

Non-Disruptive Deployment, Programmatically Provisioned: network & security services are distributed to the virtual switch, and the physical network becomes a high-speed IP backplane.

DR Today (simple view)

[Figure: primary site on 10.0.10/24 with the VM at 10.0.10.21; recovery site on 10.0.20/24; each site has its own physical network infrastructure and SAN.]
1. Snapshot the VM
2. Replicate VM & storage (steps 1 & 2 e.g. VMware SRM)
3. Recover the VM
4. Change the IP address (to 10.0.20.21) and reconfigure security: major RTO impact

DR with NSX Network Virtualization (simple view)

[Figure: the virtual network 10.0.30/24 spans both sites over the physical underlays 10.0.10/24 and 10.0.20/24, with an NSX Controller and a SAN at each site; the VM keeps 10.0.30.21 at the primary site and at the recovery site.]
1. Snapshot the VM
2a. Replicate VM & storage (steps 1 & 2 e.g. VMware SRM)
2b. Snapshot network & security
3. Recover the VM: the network & security already exists at the recovery site, reducing RTO by 80%

Support for Physical Workloads and VLANs

Non-Disruptive Deployment

The Power of Distributed Network & Security Services & Policies

Problem: Data Center Network Security

Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.

[Figure: traffic from the Internet crosses a perimeter firewall, but there are little or no lateral controls inside the perimeter (insufficient); adding them with traditional firewalls is operationally infeasible.]

Why traditional approaches are operationally infeasible…

[Figure: Internet behind perimeter firewalls.]
• Create firewall rules before provisioning
• Update firewall rules on every move or change
• Delete firewall rules when the app is decommissioned
• The problem grows with more East-West traffic

How an SDDC approach makes micro-segmentation feasible

[Figure: a Cloud Management Platform drives the security policy; perimeter firewalls remain at the Internet edge.]

There is a BIG difference…

NSX Distributed Firewalling Performance

• 20 Gbps per host of firewall performance with negligible CPU impact
• 80K CPS (connections per second) with 100+ rules per host
• A typical virtual appliance does ~6K CPS per VM; a physical appliance performs 300K – 400K CPS per appliance

Align type of controls to what you are protecting

• Isolation: Application A and Application B have no communication path
• Explicit allow communication: App Tier to DB Tier only on the required service (e.g. TCP 1433)
• Secure communications: service insertion of NGFW and IPS into the path

Advanced Services Insertion – Example: Palo Alto Networks NGFW

[Figure: Internet edge, security policy, traffic steering to the NGFW.]

Intelligent grouping

Groups defined by customized criteria:
• Operating System
• Machine Name
• Application Tier
• Services
• Security Posture
• Regulatory Requirements
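The two slides above (the three control types, and groups defined by criteria rather than by address) describe the mechanism that makes the firewall-rule lifecycle problem go away: rules reference groups, and group membership is computed from workload attributes, so provisioning, moving, decommissioning or re-classifying a VM changes nothing in the rule set. The following is an added example written for this page, not NSX code and not the NSX API; the `Workload` schema, group predicates, rule format, and the sample workloads and addresses are all constructed to illustrate the idea.

```python
"""Criteria-based security groups and a group-based, first-match firewall policy.
Constructed example: models the slide's idea, not any vendor's implementation."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Workload:
    """Attributes an inventory/cloud platform would know about a VM (constructed schema)."""
    name: str
    ip: str
    os: str
    tier: str                      # "web", "app" or "db"
    application: str               # which application the VM belongs to
    posture: str = "compliant"     # e.g. the verdict of an endpoint/agent check
    regulatory: FrozenSet[str] = frozenset()


# Groups are membership predicates over attributes, never lists of IPs, so a VM joins
# or leaves a group automatically when it is provisioned, moved, or re-classified.
GROUPS: Dict[str, Callable[[Workload], bool]] = {
    "web-tier":   lambda w: w.tier == "web",
    "app-tier":   lambda w: w.tier == "app",
    "db-tier":    lambda w: w.tier == "db",
    "app-A":      lambda w: w.application == "A",
    "app-B":      lambda w: w.application == "B",
    "pci":        lambda w: "PCI" in w.regulatory,
    "quarantine": lambda w: w.posture != "compliant",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # group name or "any"
    dst: str              # group name or "any"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


# Ordered policy, first match wins; anything unmatched falls to DEFAULT_ACTION.
POLICY: List[Rule] = [
    # Isolation: a workload with a bad security posture talks to nothing.
    Rule("quarantine-out", "quarantine", "any", "any", None, "deny"),
    Rule("quarantine-in", "any", "quarantine", "any", None, "deny"),
    # Isolation: Application A and Application B have no communication path.
    Rule("isolate-A-to-B", "app-A", "app-B", "any", None, "deny"),
    Rule("isolate-B-to-A", "app-B", "app-A", "any", None, "deny"),
    # Explicit allow: only the required service between tiers (e.g. TCP 1433 to the DB tier).
    Rule("web-to-app", "web-tier", "app-tier", "tcp", 8443, "allow"),
    Rule("app-to-db", "app-tier", "db-tier", "tcp", 1433, "allow"),
]
DEFAULT_ACTION = "deny"


def is_member(group: str, w: Workload) -> bool:
    return group == "any" or GROUPS[group](w)


def groups_of(w: Workload) -> List[str]:
    """All groups a workload currently belongs to, derived purely from its attributes."""
    return sorted(name for name, pred in GROUPS.items() if pred(w))


def evaluate(policy: List[Rule], src: Workload, dst: Workload, proto: str, port: int) -> str:
    """Distributed-firewall style decision for one flow: first matching rule, else default."""
    for rule in policy:
        if not (is_member(rule.src, src) and is_member(rule.dst, dst)):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action
    return DEFAULT_ACTION


def demo() -> Dict[str, str]:
    """Constructed workloads; the rule set above is never edited in any scenario."""
    web_a = Workload("web-a-01", "10.0.30.11", "linux", "web", "A")
    app_a = Workload("app-a-01", "10.0.30.21", "linux", "app", "A")
    db_a = Workload("db-a-01", "10.0.30.31", "windows", "db", "A", regulatory=frozenset({"PCI"}))
    db_b = Workload("db-b-01", "10.0.40.31", "windows", "db", "B")
    results = {
        "app->db tcp/1433": evaluate(POLICY, app_a, db_a, "tcp", 1433),     # explicit allow
        "web->db tcp/1433": evaluate(POLICY, web_a, db_a, "tcp", 1433),     # default deny
        "app->db tcp/3389": evaluate(POLICY, app_a, db_a, "tcp", 3389),     # wrong port: deny
        "appA->dbB tcp/1433": evaluate(POLICY, app_a, db_b, "tcp", 1433),   # A/B isolation
    }
    # Move/recovery: the VM comes back elsewhere with another address; policy still applies.
    moved = replace(app_a, ip="10.0.20.21")
    results["moved app->db tcp/1433"] = evaluate(POLICY, moved, db_a, "tcp", 1433)
    # Posture change: the same VM drops into the quarantine group with no rule edit.
    bad = replace(app_a, posture="non-compliant")
    results["quarantined app->db tcp/1433"] = evaluate(POLICY, bad, db_a, "tcp", 1433)
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:32s} {verdict}")
```

The ordering matters: isolation rules sit above the explicit allows so that a tier-to-tier allow can never bridge two applications that are meant to have no path. The same structure is what lets a move, an IP change at a recovery site, or a posture change take effect without anyone touching a rule.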

Automated Security in a Software-Defined Data Center: Data Center Micro-Segmentation

Benefits of Taking a Software Defined Data Center Approach

Security
• Micro-segmentation
• DMZ Anywhere
• Secure End User
Value: secure infrastructure at 1/3 the cost

Speed & Agility
• IT Automating IT
• Developer Cloud
• Multi-tenant Infrastructure
Value: reduce infrastructure provisioning time from weeks to minutes

Application Continuity
• Disaster Recovery
• Metro Pooling
• Hybrid Cloud Networking
Value: reduce RTO by 80%

NSX partner ecosystem

• Physical Infrastructure
• Security
• Operations
• Application Delivery

Thank you