VMUG UK - Software Defined Networking in the Real World

Who is Chris Wahl?
• VMware Certified Design Expert (VCDX) #104
▫ Data Center and Network Virtualization
• Tech, Lab, Certs, Reviews, Videos
▫ WahlNetwork.com
• CCNA Data Center & vCloud Courses
▫ Pluralsight.com
• Virtualization User Podcast as a Service
▫ VUPaaS.com

Networking for VMware Administrators
Paperback, Kindle, eBook, EPUB, MOBI, PDF
100% of my profits go to Alzheimer’s Association

Social Media

NSX deployment requirements
Do I need new hardware? A new network? Both?

NSX Manager
• Provided as an OVA file
• Connects to vCenter Server
• Provides overall management
• RESTful API endpoint

NSX Controllers
• Manager builds the Controllers
• Distributed control plane (slicing)
• MAC, ARP, and VTEP tables
• 3 suggested for quorum

ESXi Host Modules
• Kernel modules
▫ DLR – Distributed Logical Router
▫ DFW – Distributed Firewall
• VXLAN interface

A few common questions
• ESXi Software Installs
▫ Point NSX at the cluster
▫ VIBs are installed
▫ If a reboot is required, roll through the hosts in maintenance mode
• VM Resource Requirements
▫ Manager = 4 vCPUs, 12 GB RAM
▫ 3 Controllers = 12 vCPUs and 12 GB RAM
▫ Total = 16 vCPUs, 24 GB RAM

Minimum Network Requirements
• 1600 Byte MTU
▫ Required for VXLAN encapsulation
• Designated Transport VLAN(s)
▫ Used for VXLAN communication
• Multicast (optional)
▫ Can use unicast (5.5+), multicast, or hybrid mix

Why would I even deploy this?
Because “it’s cool” doesn’t impress my boss

It’s all about the services
• Network Abstraction (VXLAN)
• Automation and Orchestration
• Distributed Firewalling (DFW)
• Edge Services (L3-L7)
• Distributed Logical Routing (DLR)
• 3rd Party Extensibility

Network Abstraction with VXLAN
• What is it?
▫ Virtual Extensible LAN
▫ IETF Standard (RFC 7348)
• Layer 2 segments
▫ VLAN = 4096 (2^12)
▫ VXLAN = 16.7M (2^24)

16 Miiiiiiiiiiiiiiiiiillion

Network Abstraction with VXLAN
• Layer 2 over Layer 3
[Diagram: an L2 segment carried across an L3 network inside VXLAN; image from definethecloud.com]

Traditional VLAN Architecture
[Diagram, built up over three slides: VMs on ESXi hosts connected through the Network Fabric, ending with a Transport VLAN added to the fabric]

VXLAN Architecture
[Diagram, over two slides: VMs on four ESXi hosts connected over the Transport VLAN across the Network Fabric]

Routing in the hypervisor
• ESXi hosts form “one giant router”
• Each host acts as the SVI
[Diagram, over two slides: VMs on two ESXi hosts, then VMs on a single host, routed locally through the VDS]

Distributed Firewall
• Works with any type of port group
• Does not require VXLAN
• Applied on the virtual NIC in the VM
[Diagram: a VM dvport in a Port Group with the firewall enforced at the vNIC, uplinks vmnic0 and vmnic1]

Building workload pods
Scale-out architecture for repeatable delivery

Define application tiers
• The three tier application
▫ Web farm
▫ Application or middleware
▫ Backend database
• Additional considerations
▫ Management / OOB
▫ Utility jump boxes
▫ Physical services

Sample application construction
[Diagram: eight VMs spread across Web, App, DB and Utility tiers]

How do we get to them?
• Several options available
▫ Physical routed port or SVI
▫ NSX Distributed Logical Router
▫ NSX Edge Services Gateway
▫ Mix of these

Switchport Trunk Config
The old “business as usual”
[Diagram: the same Web, App, DB and Utility tiers, each trunked on its own VLAN]
▫ Web VLAN 101
▫ App VLAN 102
▫ DB VLAN 103
▫ Utility VLAN 104

Distributed Logical Router
Add some distributed routing
[Diagram: the four tiers attached to a Distributed Logical Router]

Distributed Logical Router
Assign gateway interfaces
[Diagram: the DLR holds the .1 gateway interface on each of the four tier networks]

Need a path to the physical world
• Some design options
▫ Uplink the DLR to a VLAN
▫ Build a transit network
▫ Use an NSX Edge device
• Or ignore the physical world
▫ Create an “isolated network”
▫ Encapsulation hides the IPs and MACs

Distributed Logical Router
Attach an uplink to the router
[Diagram: the DLR with .1 gateways on the four tier networks plus an uplink segment addressed .2 and .1]

Pod template established
• Add a sprinkle of Distributed Firewall rules
• A dash of network services
▫ Load balancers, NAT, DHCP, etc.
• Perfect your L2 and L3 networks
• Test it out
• Repeat as needed
▫ Prod, Stage, Test, UAT, QA, Dev, SpongeBob

Automation and Orchestration
Where the magic happens

Network Automation
• Cloud Management Platforms
▫ “CMPs”
▫ The way forward for on-prem cloud
• Integration points
▫ OpenStack
▫ vRealize Automation (formerly vCAC)
• RESTful APIs

Making API calls to NSX
• NSX uses basic authorization
▫ Base64 encoding of user:pass
▫ Pass this value in the header
• Receive payload as XML

Creating an auth string in PowerShell 3
• Make use of native conversions
• Invoke-WebRequest is your friend!

# $Username and $Password are assumed to already hold the NSX Manager credentials
$auth = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Username + ":" + $Password))
$head = @{"Authorization" = "Basic $auth"}
# Replace NSX with your NSX Manager address; the response body comes back as XML
Invoke-WebRequest -Uri https://NSX/api/2.0/vdn/controller -Headers $head
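Building on the snippet above, here is an added example (not from the deck) that wraps the same Basic-auth call in a function: it takes a PSCredential instead of clear-text variables, lets Invoke-RestMethod parse the XML reply, and returns one object per controller. The manager name and the <controllers>/<controller> element names (id, ipAddress, status) are assumptions to check against the payload your NSX version returns.

```powershell
# Added example: query the NSX Manager REST API with HTTP Basic auth and
# read the XML reply. Assumes PowerShell 3+, an NSX Manager reachable at
# $NsxManager, and that /api/2.0/vdn/controller returns a <controllers>
# document whose <controller> children carry id, ipAddress and status
# (element names are assumptions; adjust to your version's payload).
function Get-NsxControllerStatus {
    param(
        [Parameter(Mandatory)] [string] $NsxManager,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Build "user:pass" from the PSCredential only at the moment it is needed,
    # so the clear-text password never lives in a script variable or transcript.
    $plain = $Credential.GetNetworkCredential().Password
    $pair  = '{0}:{1}' -f $Credential.UserName, $plain
    $auth  = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($pair))
    $head  = @{ Authorization = "Basic $auth"; Accept = 'application/xml' }

    try {
        # Invoke-RestMethod turns an XML body into an [xml] object for us;
        # TLS certificate validation is deliberately left enabled.
        $xml = Invoke-RestMethod -Uri "https://$NsxManager/api/2.0/vdn/controller" `
                                 -Headers $head -Method Get -ErrorAction Stop
    }
    catch {
        # Surface the failure without echoing the Authorization header.
        throw "NSX API call to $NsxManager failed: $($_.Exception.Message)"
    }

    # Emit one object per controller so the result can be filtered or exported.
    foreach ($c in $xml.controllers.controller) {
        [pscustomobject]@{
            Id        = $c.id
            IpAddress = $c.ipAddress
            Status    = $c.status
        }
    }
}

# Usage: prompt for credentials rather than hard-coding them in the script.
# Get-NsxControllerStatus -NsxManager 'nsxmgr.example.local' -Credential (Get-Credential)
```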

Real world integration points
• Most common workflow consumers
▫ Build Python / Javascript scripts
▫ Call scripts from vCenter Orchestrator (now vRealize Orchestrator)
▫ Return values to workflow
▫ Occasionally used on behalf of vCAC
• Ideal roadmap items
▫ Bake all NSX workflows into vCO natively
▫ Build out a PoSh module for NSX

Example blueprint actions
• User picks blueprint • Answer IaaS questions • Approvals • Provisioning kickoff
Send to vCO
• Call scripts • Wait for return value • Build out LS (logical switch), attach to LR (logical router)
Send back to CMP
• Return success • Attach VMs to LS • Pull IP from IPAM • Handoff to config mgmt
Complete

Thank you for a great session! For more goodies, check out these resources:

Visit WahlNetwork.com for Deep Dives, Home Lab Tips, Reviews, and More!

Check out “Networking for VMware Administrators” by VMware Press

Over 25 hours of my video training content is on Pluralsight.com

Nearly 100 free HD videos on the WahlNetwork YouTube Channel