NSX Experience Day Axians GNS AG


1 NSX Experience Day, Axians GNS AG, 26 Nov. Christoph Altherr, NSX Specialist SE. VMware Inc. All rights reserved.

2 Agenda
- Lecture 01 - Introduction to NSX (30min)
- Lecture 02 - NSX Architecture (30min)
- Lab Min - HOL NET, Module 1 NSX Manager Installation and Configuration
- Lecture 03 - Logical Switching and Routing (60min)
- Lab Min - HOL NET, Module 2 Logical Switching
- Lab Min - HOL NET, Module 3 Logical Routing
- Lecture 04 - Introduction to NSX Security (30min)
- Lecture 05 - Getting Started with Security and NSX (15min)
- Lab Min - HOL NET, Module 4 Service Composer and Distributed Firewall Overview
- Lecture 06 - Policy Creation (15min)
- Lab Min - HOL NET, Module 5 Intelligent Grouping
- Lab Min - HOL NET, Module 6 User Based Security with a Jump Box
- Lab Min - HOL NET, Module 7 Application Rule Manager
- Lecture 07 - Operations & Visibility (30min)
- Lab Min - HOL NET, Module Visibility across Virtual and Physical

3 WLAN SSID: GNS-Guest. Web redirection: user / password as per voucher

4 VMware Hands-On Labs (HOL): NSX Security Experience Day Labs. HOL Workshops:

5 VMware Hands-On Labs (HOL): Alternative Access Option. NSX Security Experience Day Labs

6 VMware Hands-On Labs (HOL): Enroll Lab. NSX Security Experience Day Labs

7 VMware Hands-On Labs (HOL): Start Lab. NSX Security Experience Day Labs. Lab: Doc:

8 VMware Hands-On Labs (HOL): Extend remaining lab time

9 Introduction to NSX

10 In short, software is eating the world. Marc Andreessen, General Partner, Andreessen Horowitz and Netscape co-founder

11 The Data Center Networking Challenge
There has been a lot of innovation and virtualization in the data center. Except for one area.
[diagram: Compute, Storage, Networking]

12 The Data Center Networking Challenge
The lack of networking virtualization is holding back your ability to:
- Keep up with the pace of business
- Secure your data centers
- Control cost
[diagram: Compute, Storage, Networking]

13 The Emerging Cloud Networking Challenge
Public clouds solve some of the limitations of data centers, but they can also introduce new networking and security challenges:
- Multiple clouds
- Inconsistent tools and policies
- Different skillsets

14 Network Virtualization Solves These Problems
Abstracting networking and security from the underlying infrastructure: data center, cloud, branch office, IoT

15 NSX Vision: Driving NSX Everywhere
Managing security and connectivity for many heterogeneous end points: cloud, branch offices/edge computing/IoT, new app frameworks, on-premises data center, end users


17 NSX Value Proposition [diagram: vSwitch and hypervisor form the virtualization layer over network, storage, compute]

18 NSX Value Proposition [diagram: network and security services (routing, switching, load balancing, firewalling); vSwitch; in-hypervisor (on-prem); hypervisor as a service (cloud); hardware/cloud independent]

19 NSX Value Proposition [diagram: workloads; NSX platform (routing, switching, load balancing, firewalling); vSwitch; hypervisor; virtualization layer; network, storage, compute]

20 Ground-breaking use cases: Enterprises can often justify the cost of NSX through a single use case

21 VMware NSX is to networking what VMware ESXi is to compute.

22 NSX Architecture

23 NSX Architecture and Components
- Cloud consumption (optional): self-service portal; vRealize Automation, OpenStack, vCloud Director, custom CMP
- Management plane: vCenter Server, NSX Manager. Single configuration portal; REST API entry point
- Control plane: NSX Controller. Manages logical networks; control plane protocol; separation of control and data plane (the controller is not in the data path)
- Data plane: NSX Edge; distributed services in hypervisor kernel modules on the VDS (logical switch, distributed logical router, firewall); HW VTEP. High-performance data plane; scale-out distributed forwarding model; flexibility for connecting logical networks to physical
[diagram labels: logical network, physical network]

24 NSX Management Plane Components
- Consumers: vRA/OpenStack/custom (NSX REST APIs), vSphere APIs, third-party management console
- vCenter and NSX Manager are paired 1:1; the NSX Manager vSphere plugin provides a single pane of glass
- NSX Manager runs as a virtual machine
- Provisioning and management of network and network services: VXLAN preparation, logical network consumption, network services configuration

25 NSX Control Plane Components
- NSX controllers run in a vSphere cluster (vSphere HA, DRS with anti-affinity)
- Properties: virtual form factor (4 vCPU, 4GB RAM); data plane programming; control plane isolation
- Benefits: scale out; high availability; VXLAN - no multicast; ARP suppression
- ESXi host: host agent, data-path kernel modules

26 NSX Data Plane Components
- vSphere components (compute clusters): ESXi hypervisor kernel modules (VIBs) on the vSphere distributed switch (VDS). VMkernel modules: logical switching (VXLAN), distributed logical router, distributed firewall
- NSX Edge services gateways (edge clusters): VM form factor; highly available; dynamic routing: OSPF, BGP; L3-L7 services: NAT, DHCP, load balancer, VPN, firewall
- HW VTEP (physical-to-virtual): ToR switch; bandwidth and physical ports scale-out; VLANs for physical workloads local to a rack

27 NSX Component Interaction - Deployment and Configuration
1. Deploy NSX Manager
2. Register with vCenter
3. Deploy NSX controllers
4. Prepare hosts (vSphere cluster 1, vSphere cluster 2, ... vSphere cluster n)
5. Configure and deploy NSX Edge gateway(s) and network services

28 One time Recurring Deploying and Configuring VMware NSX Deploy VMware NSX Consumption NSX Mgmt NSX Edge Programmatic virtual network deployment Virtual infrastructure Component deployment Logical networks Deploy NSX manager Deploy NSX controller cluster Logical network/security services Deploy logical switches per tier Preparation Host preparation Deploy distributed logical router or connect to existing Logical network preparation Security policy and network services

29 Lab 01 NSX Manager Installation and Configuration
Lab time: 15 minutes
To access this lab perform the following steps:
1. Log in to the VMware Hands-On Labs Web site
2. Search for HOL NET
3. Enroll in the lab
4. Follow the lab steps in pages 11 through 17
Do not END your lab, in fact extend it

30 Logical Switching

31 Physical view: VMs in dvPGs (distributed virtual Port Groups) [diagram: VM1 to VM6; VDS dvpg1 (VLAN-backed) and VDS dvpg2 (VLAN-backed); vSphere Distributed Switch; physical network]

32 Physical view: VMs in LSs (Logical Switches) [diagram: VM1 to VM6; NSX LS1 and LS2 (VXLAN-backed) shown over VDS dvpg1 and dvpg2 (VLAN-backed); vSphere Distributed Switch; physical network]

33 Traffic Flow: VXLAN-backed VDS
- In this setup, VM1 and VM2 are on different hosts but belong to the same logical switch
- When these VMs communicate, a VXLAN overlay is established between the two hosts
- NSX enables multicast-free VXLAN with the help of the NSX controllers
- VXLAN encapsulation happens at the kernel level in the ESXi host
- VTEP = VXLAN Tunnel End Point
[diagram: Host A and Host B on the vSphere distributed switch (VDS), VXLAN overlay across the IP fabric]

34 Traffic Flow: VXLAN-backed VDS
Assume VM1 sends some traffic to VM2:
1. VM1 sends L2 frame to local VTEP
2. VTEP adds VXLAN, UDP and IP headers
3. Physical transport network forwards as a regular IP packet
4. Destination hypervisor VTEP de-encapsulates frame
5. L2 frame delivered to VM2
[diagram: L2 frame carried in IP/UDP/VXLAN between Host A and Host B on the vSphere distributed switch (VDS), VXLAN overlay across the IP fabric]

35 Traffic Flow: VXLAN-backed VDS [diagram: L2 frame carried in IP/UDP/VXLAN between Host A and Host B on the vSphere distributed switch (VDS), VXLAN overlay across the IP fabric]

36 Traffic Flow Troubleshooting: VXLAN-backed VDS
Assume VM1 sends some traffic to VM2:
1. VM1 sends L2 frame to local VTEP
2. VTEP adds VXLAN, UDP and IP headers
3. Physical transport network forwards as a regular IP packet
4. Destination hypervisor VTEP de-encapsulates frame
5. L2 frame delivered to VM2
The outer UDP source port is derived from a hash of the original L2/L3/L4 headers.
VMworld: NET8241 Monitoring and Troubleshooting NSX with vRealize Network Insight
NSX-V End-to-End Traceflow Visualization Tool:
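
Steps 2 and 4 above, together with the hash-to-source-port note on the troubleshooting slide, as an added Python sketch that is not from the deck or from VMware code. The CRC32 hash, the 49152-65535 port range, UDP port 4789 (RFC 7348) and the sample MAC/IP addresses are assumptions; VNI 5001 appears in the deck; the outer IP header is omitted.

```python
"""Model of VTEP encapsulation and de-encapsulation (UDP + VXLAN headers only)."""
import struct
import zlib

VXLAN_UDP_PORT = 4789      # IANA port from RFC 7348 (assumption: the slides name no port)
VXLAN_FLAG_VNI = 0x08      # "I" flag: the VNI field is valid
PORT_BASE, PORT_SPAN = 49152, 16384   # source-port range recommended by RFC 7348


def inner_flow_key(frame: bytes) -> bytes:
    """Collect the inner L2/L3/L4 header fields that identify one flow."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    key = frame[:12]                                    # destination MAC + source MAC
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800 and len(frame) >= 34:        # inner IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        key += frame[26:34] + bytes([proto])            # source IP + destination IP + protocol
        l4 = 14 + ihl
        if ihl >= 20 and proto in (6, 17) and len(frame) >= l4 + 4:
            key += frame[l4:l4 + 4]                     # TCP/UDP source + destination port
    return key


def outer_source_port(frame: bytes) -> int:
    """Hash the inner headers into the outer UDP source port.

    CRC32 is a stand-in; the hash ESXi actually uses is not given on the slides.
    The payload is not hashed, so every packet of a flow takes the same underlay path.
    """
    return PORT_BASE + zlib.crc32(inner_flow_key(frame)) % PORT_SPAN


def encapsulate(frame: bytes, vni: int) -> bytes:
    """Step 2: prepend VXLAN and UDP headers to the original L2 frame."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit value")
    vxlan = struct.pack("!II", VXLAN_FLAG_VNI << 24, vni << 8)
    length = 8 + len(vxlan) + len(frame)
    udp = struct.pack("!HHHH", outer_source_port(frame), VXLAN_UDP_PORT, length, 0)
    return udp + vxlan + frame


def decapsulate(datagram: bytes):
    """Step 4: validate the headers, return (outer source port, VNI, inner frame)."""
    if len(datagram) < 16:
        raise ValueError("too short for UDP + VXLAN")
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dport != VXLAN_UDP_PORT or length != len(datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    word0, word1 = struct.unpack("!II", datagram[8:16])
    if not (word0 >> 24) & VXLAN_FLAG_VNI:
        raise ValueError("VNI flag not set")
    return sport, word1 >> 8, datagram[16:]


def sample_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed VM1 -> VM2 Ethernet/IPv4/UDP frame (addresses are made up)."""
    eth = bytes.fromhex("005056000002") + bytes.fromhex("005056000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([10, 0, 1, 11]), bytes([10, 0, 1, 12]))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip + udp + payload


if __name__ == "__main__":
    frame = sample_frame(40000, 53, b"constructed payload")
    sport, vni, inner = decapsulate(encapsulate(frame, 5001))
    print(f"outer UDP source port {sport}, VNI {vni}, inner frame intact: {inner == frame}")
```

When reading a capture taken at the VXLAN-encapsulated capture point, the same decoding recovers the VNI and the inner flow, and a constant outer source port per inner flow is what lets underlay ECMP keep a flow on one path.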

37 Logical Routing

38 NSX Logical Routing Component: Edge Services Gateway
- On/off-ramp connectivity between logical and physical
- Optimized for N-S routing
- Routing: static, OSPF, BGP
- Network services: firewall, NAT, load balancing, VPN, DHCP, DNS

39 NSX Logical Routing Component: Distributed Logical Router
- Optimized for E-W
- Hypervisor kernel modules (VIBs), instantiated on ESXi hosts
- LIFs are defined on the distributed router to handle VM default gateway traffic
- Multiple LIFs per DLR instance
- Multiple DLR instances to isolate separate tenant domains
- DLR Control VM peers with the Edge Services Gateway and exchanges routing information
[diagram: distributed logical router with LIF1, LIF2, LIF3; DLR instance; DLR Control VM]

40 NSX Logical Routing Components Interaction
1. Dynamic routing protocol is configured on the logical router instance
2. Controller pushes new logical router configuration including LIFs to ESXi hosts
3. OSPF/BGP peering between the NSX Edge and logical router control VM
4. Learnt routes from the NSX Edge are pushed to the controller for distribution
5. Controller sends the route updates to all ESXi hosts
6. Routing kernel modules on the hosts handle the data path traffic
[diagram: external network; NSX Edge (acting as next hop router); OSPF, BGP peering; DLR Control VM; NSX Manager; controller cluster; DLR; control and data paths]

41 Distributed Routing Traffic Flow - Same Host [diagram: VM1 (MAC1) and VM2 (MAC2) on the same vSphere host; VXLAN 5001 and VXLAN 5002; DLR internal LIFs LIF1 and LIF2 with vMAC; LIF2 ARP table (VM IP, VM MAC); DLR routing table (Destination, Interface, Mask, Gateway, Connect); Host 1 and Host 2 on the transport network]

42 Lab 02 Logical Switching
Lab time: 30 minutes
To access this lab perform the following steps:
1. Log in to the VMware Hands-On Labs Web site
2. Search for HOL NET
3. Enroll in the lab
4. Follow the lab steps in pages 19 through 63
Do not END your lab, in fact extend it

43 Lab 03 Logical Routing
Lab time: 45 minutes
To access this lab perform the following steps:
1. Log in to the VMware Hands-On Labs Web site
2. Search for HOL NET
3. Enroll in the lab
4. Follow the lab steps in pages 65 through 233
Do not END your lab, in fact extend it

44 Introduction to NSX Security

45 Security with NSX: Micro-segmentation, Secure end user, DMZ Anywhere

46 Our security realities (Micro-segmentation)
When threats breach the perimeter, it's hard to stop lateral spread:
- Low priority systems are often targeted first.
- Attackers can move freely around the data center.
- Attackers then gather and exfiltrate the valuable data.
[diagram: Internet, network perimeter]

47 What if you could (Micro-segmentation)
Enforce security at the most granular level of the data center? Every VM can have:
- Individual security policies
- Individual firewalls
[diagram: Internet, network perimeter]

48 What if you could (Micro-segmentation)
Maintain that level of consistent security across an entire application
- Modern apps today are distributed in nature
- Security needs to reach beyond an individual VM
- Each VM is typically part of a larger application
[diagram: Web, DB]

49 Better security, simplified policy (Micro-segmentation)
Define a policy using workload characteristics, not IPs and ports. An NSX security policy can be based on things like:
- Operating system
- Machine name
- Services
- Application tier
- Regulatory requirements
- Security posture
Creating and managing policies becomes a whole lot easier
[diagram: data center perimeter, PCI scope]

50 Non-NSX: Loosely chained/attached firewalling
Can easily be bypassed, by accident or willfully
[diagram: VM1 to VM4; L2 FW; VDS dvpg1 (Secured Net) and VDS dvpg2 (Unsecured-Net); default gateways; vSphere Distributed Switch; physical network]

51 VMware NSX Micro-Segmentation: VMs in dvPGs (distributed virtual Port Groups) [diagram: VM1 to VM6; VDS dvpg1 (VLAN-backed) and VDS dvpg2 (VLAN-backed); vSphere Distributed Switch; physical network]

52 VMware NSX Micro-Segmentation: VMs in LSs (Logical Switches) [diagram: VM1 to VM6; NSX LS1 and LS2 (VXLAN-backed) shown over VDS dvpg1 and dvpg2 (VLAN-backed); vSphere Distributed Switch; physical network]

53 NSX Distributed Firewalling: Micro-segmentation
- Each VM can now be its own perimeter
- Policies align with logical groups
- Prevents threats from spreading
[diagram: perimeter firewall; DMZ; inside firewall; App, DB; Finance, HR, Engineering; services: AD, NTP, DHCP, DNS, CERT]
VMworld: SEC8348 Deploying Security in a Brownfield Environment

54 NSX Distributed Firewalling: Micro-segmentation. Source:

55 Security Group "in action"

56 DFW Centralized Management
- Identity: user identity, groups
- VC containers: datacenters & clusters, portgroups, VXLAN
- Services: protocol, ports, custom
- Choice of PEP: clusters, VXLAN, vNICs
- IPv6 compliant: IPv6 address, IPv6 sets, IPv6 services
- VM containers: VM names, VM tags, VM attributes

57 Security with NSX: Micro-segmentation, Secure end user, DMZ Anywhere

58 Our security realities (Secure end user)
Proliferation of devices accessing the data center, yet not all are secured. Mobile workers have broad access to data center resources.
[diagram: Internet; network perimeter; VDI at a branch or remote location; mobile device in the field or at home; laptop or desktop at work or home]

59 What if you could (Secure end user)
Extend micro-segmentation out to secure the end user device. Micro-segmentation limits device access to only what is needed.
[diagram: Internet; network perimeter; VDI at a branch or remote location; mobile device in the field or at home; laptop or desktop at work or home]

60 Security with NSX: Micro-segmentation, Secure end user, DMZ Anywhere

61 Our security realities (DMZ Anywhere)
Isolating physical infrastructure for security is effective, but inefficient:
- Manual processes
- Inefficient use of pooled resources
- High CapEx investment
[diagram: data center; physical DMZ; core infrastructure]

62 What if you could (DMZ Anywhere)
Pool your physical infrastructure resources
[diagram: data center; core infrastructure]

63 What if you could (DMZ Anywhere)
So that you could provide isolation at the hypervisor layer
[diagram: core infrastructure]

64 What if you could (DMZ Anywhere)
Enabling you to create DMZs anywhere, regardless of their location:
- Scalable and flexible
- Increase asset utilization
- Simplify management
[diagram: DMZs; core infrastructure]

65 Getting Started with Security and NSX

66 NSX Security Features
Security: inherently secure infrastructure
- Micro-segmentation: distributed firewall for inter / intra zone segmentation; rules based on IP, MAC, VM attributes, vCenter & external context
- Secure end user: VDI security with NSX distributed firewall context based on Active Directory; guest introspection for anti-virus, malware protection
- DMZ anywhere: DMZ for PCI, HIPAA and other compliance; guest introspection for anti-virus, malware protection, 3rd party FW, IPS/IDS

67 Getting Started with NSX Security
1. Run Virtual Network Assessment: deploy vRNI to understand current state of infrastructure based on flow analysis. No need to install NSX yet!
2. Deploy NSX: install NSX bits and prepare hosts to deploy NSX distributed firewall. No changes to your existing infrastructure. Hint: you can automate this!
3. Create Infrastructure DFW Rules: use data from Virtual Network Assessment to build firewall policy for core services like DNS, syslog, AD and more. Gives apps access to core services.
4. Run Application Rule Manager: ARM analysis can be used to analyze posture of your apps and automatically create new rules. Build a micro-segmentation policy.
5. Micro-segment and monitor: repeat for other apps, send logs to syslog and monitor your apps. Micro-segmentation done!

68 Security in the DC with NSX: What is Zero Trust?

69 Deploying NSX Micro-Segmentation. Deployment Options: Distributed Segmentation
- Distributed Firewall applied to each vNIC
- Controlled communication or isolation between workloads on the same or different VLAN
- East-West filtering by NSX Distributed Firewall
- Existing physical firewall only handles North-South communication
- Traffic discovery to determine required flows/rules
- Advanced partner services can be inserted at each vNIC
[diagram: stateful DFW policy; controlled communication; stateful DFW; physical router]

70 Deploying NSX Micro-Segmentation. Deployment Options: Distributed Segmentation and Network Overlays
- Logical Switches based on overlays to isolate/segment independent of the underlying physical network
- Distributed Logical Routers to optimize East-West routing
- Edge Services Gateway can also be leveraged for N-S routing, N-S firewalling, load balancing, NAT, VPN
- Distributed Firewall providing controlled communication or isolation between workloads on the same or different Logical Switch (overlay)
- Advanced partner services can be inserted at each vNIC
[diagram: stateful DFW policy; controlled communication; stateful DFW; VPN; DLR / ESG]

71 Deploying NSX Micro-Segmentation. Deployment Steps: Deploying NSX Manager, VDS and Host Prep
- Pre-existing Management and Compute clusters can be leveraged
- NSX Manager deployed in the Mgmt cluster and peered with the existing vCenter server
- VDS is required for all compute clusters
- Host preparation installs NSX VIB to all hosts in a cluster
- Non-disruptive operation
- Distributed Firewall is enabled on every VM with a default allow-all policy
[diagram: management cluster; VDS; compute clusters; VLAN 10, VLAN 20, VLAN 30; L3/L2]

72 Policy Creation

73 Micro-Segmentation Policy Creation: Firewall Rule Table and Service Composer
Firewall Rule Table:
- Analogous to typical firewall rule table
- Provides overview of all rules in the system
- DFW rules and network introspection
- Sections enable rule grouping
- UI and API driven
Service Composer:
- One or more security policies can be applied to security groups
- Policies define DFW rules and service chain
- Abstraction enables efficient service deployment
- Independent policies are combined specific to each workload
- UI and API driven

74 Micro-Segmentation Policy Creation: Policy and Grouping Methodology
- Security Groups allow abstraction and grouping of workloads from the underlying virtual infrastructure
- End-users and cloud admins are able to define application-centric security policies
- Security policies are applied to one or more security groups where workloads are members
- Security Tags are applied to virtual machines and can be used for dynamic Security Group membership
[diagram: Security Tag (ST), Virtual Machine (VM), Security Group (SG): members (VM, vNIC) and context (user identity, security posture); Security Policy: Guest Introspection, Distributed Firewall and Network Introspection policies]

75 Micro-Segmentation Policy Creation: Dynamic Policy using Security Tags, Example
Requirements:
- Apply differentiated policy based on OS, Environment,
- Automate policy application for new applications being provisioned
Upon vRA Blueprint deployment:
- All VMs part of an application are placed into a new Security Group
- Every VM is tagged with multiple tags identifying: Function, Zone, OS, Environment and Tenant
[diagram: App1 Security Group with App1 - Apache (DMZ_ PROD_ RHEL Apache), App1 - WLS (TRUSTED_ PROD_ RHEL WLS), App1 - ORADB (RESTRICTED_ PROD_ RHEL ORADB)]

76 Micro-Segmentation Policy Creation: Zero Trust Policy Model
- Emergency Rules: used for quarantine and/or allow rules
- Infrastructure Rules: global rules (AD, DNS, NTP, DHCP, Backup, Mgmt Servers)
- Environment Rules: rules between zones (Prod vs Dev, PCI vs Non PCI, Inter BU rules)
- Inter-Application Rules: rules between applications
- Intra-Application Rules: rules between the app tiers or the rules between micro-services
- Default Rule = Deny
vRNI / ARM / EM. Whitelisting / Zero Trust.
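
The rule-category ordering above, combined with the tag-driven group membership from the two preceding slides, as an added Python model. It is not NSX code and does not use the NSX API; the VM names, tag spellings, ports and rule names are constructed for illustration, loosely following the App1 example.

```python
"""Toy first-match evaluator for the zero-trust rule categories (illustration only)."""
from dataclasses import dataclass
from typing import Optional

# Evaluation order taken from the slide; anything unmatched hits Default Rule = Deny.
CATEGORY_ORDER = ["Emergency", "Infrastructure", "Environment",
                  "Inter-Application", "Intra-Application"]


@dataclass(frozen=True)
class Group:
    """Dynamic security group: a VM is a member when it carries every required tag."""
    required_tags: frozenset

    def contains(self, vm_tags: frozenset) -> bool:
        return self.required_tags <= vm_tags


def group(*tags: str) -> Group:
    return Group(frozenset(tags))


ANY = group()   # empty tag set matches every VM


@dataclass(frozen=True)
class Rule:
    category: str
    name: str
    src: Group
    dst: Group
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


# Constructed inventory: VM name -> security tags (function, zone, OS, environment, app).
INVENTORY = {
    "app1-apache": frozenset({"APP1", "DMZ", "PROD", "RHEL", "APACHE"}),
    "app1-wls":    frozenset({"APP1", "TRUSTED", "PROD", "RHEL", "WLS"}),
    "app1-oradb":  frozenset({"APP1", "RESTRICTED", "PROD", "RHEL", "ORADB"}),
    "dns01":       frozenset({"INFRA", "DNS", "PROD"}),
    "dev-test":    frozenset({"APP2", "DEV", "RHEL"}),
}

# Listed out of order on purpose; evaluate() sorts by category before matching.
RULES = [
    Rule("Intra-Application", "apache-to-wls", group("APP1", "APACHE"), group("APP1", "WLS"), 7001, "allow"),
    Rule("Intra-Application", "wls-to-oradb", group("APP1", "WLS"), group("APP1", "ORADB"), 1521, "allow"),
    Rule("Inter-Application", "app2-to-app1-web", group("APP2"), group("APP1", "APACHE"), 443, "allow"),
    Rule("Environment", "dev-to-prod", group("DEV"), group("PROD"), None, "deny"),
    Rule("Infrastructure", "dns", ANY, group("DNS"), 53, "allow"),
    Rule("Emergency", "quarantine-out", group("QUARANTINE"), ANY, None, "deny"),
    Rule("Emergency", "quarantine-in", ANY, group("QUARANTINE"), None, "deny"),
]


def evaluate(rules, inventory, src_vm, dst_vm, port):
    """Return (action, rule name) of the first matching rule, else the default deny."""
    src_tags, dst_tags = inventory[src_vm], inventory[dst_vm]
    ordered = sorted(rules, key=lambda r: CATEGORY_ORDER.index(r.category))  # stable sort
    for rule in ordered:
        if (rule.src.contains(src_tags) and rule.dst.contains(dst_tags)
                and rule.port in (None, port)):
            return rule.action, rule.name
    return "deny", "Default Rule"


def with_tag(inventory, vm, tag):
    """Return a copy of the inventory with one more tag on a VM (e.g. after an AV hit)."""
    updated = dict(inventory)
    updated[vm] = inventory[vm] | {tag}
    return updated


if __name__ == "__main__":
    checks = [("app1-apache", "app1-wls", 7001), ("app1-apache", "app1-oradb", 1521),
              ("dev-test", "dns01", 53), ("dev-test", "app1-apache", 443)]
    for src, dst, port in checks:
        print(src, "->", dst, port, evaluate(RULES, INVENTORY, src, dst, port))
    quarantined = with_tag(INVENTORY, "app1-apache", "QUARANTINE")
    print("after tagging:", evaluate(RULES, quarantined, "app1-apache", "app1-wls", 7001))
```

Two things the model makes visible: the web tier cannot reach the database directly because no rule grants it, and adding one tag to a VM moves it into the emergency group and overrides every allow below it without touching any rule.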

77 Micro-Segmentation Policy Creation: Application Discovery - Methods and Tools
- Leveraging existing firewall policy
- vRealize Network Insight
- NSX Application Rule Manager and Endpoint Monitoring
- vRealize Log Insight
- Firewall log?

78 Micro-Segmentation Policy Creation: NSX Micro-Segmentation Visibility and Planning Tools
- Profile applications both on the wire and on the guest
- Can be used on a per application basis
- End-to-end visibility and rule creation/enforcement
- Empowers app team: visibility and rule creation streamlines deployment
- Drives whitelisting model: default deny and open up the necessities
- Fast app operationalization

79 Micro-Segmentation Policy Creation: NSX Micro-Segmentation Visibility and Planning Tools: Application Rule Manager
- Leverages flow monitoring to monitor all flows for select vNICs
- Flows are de-duplicated, correlated and filtered
- Optimized flow tables are presented to users
- IP addresses/ports are replaced with objects
- Users can further optimize flow table
- Firewall rules are generated and can be published after review

80 Lab 04 Service Composer and Distributed Firewall Overview
Lab time: 45 minutes
To access this lab perform the following steps:
1. Log in to the VMware Hands-On Labs Web site
2. Search for HOL NET
3. Enroll in the lab
4. Follow the lab steps in pages 235 through 343
Do not END your lab, in fact extend it

81 Lab 05 Intelligent Grouping
Lab time: 30 minutes
To access this lab perform the following steps:
1. Log in to the VMware Hands-On Labs Web site
2. Search for HOL NET
3. Enroll in the lab
4. Follow the lab steps in pages 345 through 390
Do not END your lab, in fact extend it

82 Lab 06 User Based Security with Jumpbox
Lab time: 45 minutes
To access this lab perform the following steps:
1. Log in to the VMware Hands-On Labs Web site
2. Search for HOL NET
3. Enroll in the lab
4. Follow the lab steps in pages 392 through 460
Do not END your lab, in fact extend it
Note: Don't forget to install guest introspection

83 Lab 07 Application Rule Manager
Lab time: 30 minutes
To access this lab perform the following steps:
1. Log in to the VMware Hands-On Labs Web site
2. Search for HOL NET
3. Enroll in the lab
4. Follow the lab steps in pages 462 through 504
Do not END your lab, in fact extend it
Note: change default rule to allow, disable internal 2 internal rule

84 Operations and Visibility

85 NSX Dashboard

86 VM Live Flow

87 L2 and L3 Trace Flow: Test Connectivity through Logical and Physical Paths
Overview:
- Ability to trace a packet through virtual and physical network
- Shows where the packet is dropped
- Supports L2 and L3 trace flow
- User-defined packet format
- Can be initiated by UI or API
Benefits:
- Helps identify problems in virtual or physical network
- Enhanced supportability and troubleshooting
- User-defined packet header helps validate and troubleshoot FW rules
[diagram: Web1, Web2, logical switch, VM, IP packet]

88 Central CLI: NSX Central CLI
- Centralized read-only commands to fetch run-time data across multiple components
- Available on NSX Manager in user mode
- Leverages existing communication channels between components
- Can be consumed by custom scripts via APIs
[diagram: management plane (NSX Manager), control plane (NSX Controllers), data plane (vSphere ESXi hosts, NSX Edge)]

89 Log Insight NSX Dashboards

90 Log Insight NSX Dashboards

91 Monitoring Network Connection and Traffic: Functionality overview. Source:

92 VMware VDS Packet Capture. Source: C3FCEEF3D0D5.html

93 VMware VDS Packet Capture: pktcap-uw utility

94 VMware VDS Packet Capture: pktcap-uw utility
ESXi 5.5 (and later) has an enhanced packet capture tool (pktcap-uw) built in. 5 important packet capture points:
1. Capture packet as it leaves/enters VM
2. Capture traffic after NSX DFW
3. Capture VXLAN encapsulated traffic
4. Capture traffic after NSX DLR routing
5. Capture NSX control plane traffic
Source:

95 VMware VDS Packet Capture: Analyze capture file in Wireshark
For better and easier analysis of the packet captures:
1. SCP the two pcap files from the ESXi host to a PC
2. Open one of the files with Wireshark and then click Merge from the File menu
3. Choose the other pcap file
The merged captures are now both shown in Wireshark

96 vRealize Network Insight (vRNI)

97 Intelligent Operations for Software-Defined Datacenter
vRealize Network Insight, vRealize Business for Cloud (1), vRealize Operations (1), vRealize Log Insight (2)
[diagram: application; network & security; compute; storage; hybrid cloud; physical/virtual/cloud environment]
(1) vRealize Suite components. (2) Included with vRealize Suite and ships with NSX.

98 vRealize Network Insight: Transformative Operations for NSX based Software-Defined Data Center
- Plan micro-segmentation deployment and audit security compliance
- Optimize network performance with visibility & analytics across virtual, physical and cloud
- Offers best practices, health and availability of NSX deployment
Source:

99 East-West Traffic Analysis
- East-West traffic flow analysis
- Breakdown of data center traffic by East-West, VM-to-VM, VM-to-Physical, Switched, Routed, etc.
- Get detailed flow stats behind each number

100 Security Policy Automation: Micro-Segmentation
- Discover vCenter and NSX constructs (folders, clusters, VLANs, security tags)
- Automated security groupings based on vCenter and NSX constructs, workload characteristics, ports, common services
- Recommended security policies / firewall rules (Zero-Trust Model)
- See network traffic per host, per VM
- Export as CSV

101 Data Paths Across Overlay And Underlay
- Connectivity graphs: VM to VM, VM to Physical, VM to Internet
- Hop-by-hop path across overlay (LDRs, Edge Gateways) and underlay (physical VDCs & VRFs). See V-to-P boundary
- Correlated problems and performance metrics across virtual and physical
- See effective firewall rules and security policies across NSX and PANW in service-chained environment
[diagram: NSX firewall; PANW virtual FW; VXLAN; converged infrastructure (Ex: UCS); VLAN; PANW physical firewall; physical network switch, router]

102 Simple & Contextual Search
- Single pane of glass between virtual & physical
- Google-like search for ease of use
- Time-aware search (go back in time)
- Fewer clicks to find and identify issues
- Simplified interface, reduce learning curve across admin teams
[screenshot text: "Hi Shiv, what do you need help with today?"]

103 NSX Infrastructure Monitoring and Best Practices Checks
Configuration, health and consistency validation:
- VTEP level misconfigurations
- VTEPs underlay mapping checks
- Netcpa health
- Hosts version validation
- LDR and Edge config issues
- Routing misconfigurations/issues between LDR, Edge and physical routers

104 Lab Visibility across Virtual and Physical
Lab time: 30 minutes
To access this lab perform the following steps:
1. Log in to the VMware Hands-On Labs Web site
2. Search for the vRNI Lab HOL NET
3. Enroll in the lab
4. Follow the lab steps in pages 58 through 100

105 Additional Resources
Websites: VMware Hands on Labs (
- HOL NET - VMware NSX - Getting Started
- HOL NET - VMware NSX - Distributed Firewall and Micro-Segmentation
- HOL NET - VMware NSX - Operations and Visibility
- HOL NET - VMware NSX - Advanced Consumption
- HOL NET - VMware NSX and SRM - Active-Standby Solution
- HOL NET - VMware NSX-T - Getting Started
- HOL NET - VMware NSX-T with Kubernetes
- HOL NET - Secure Horizon with Trend Micro and NSX
- HOL NET - VMware AppDefense - Secure Datacenter Endpoints
- HOL NET - Palo Alto Networks VM-Series on NSX - Next-Gen Security for your SDDC
- HOL NET - Check Point vSEC and NSX - Advanced SDDC Security
- NSX for vSphere Design Guide

106 Free ebooks
- VMware NSX Micro-segmentation: Day 1 Guide
- VMware NSX Micro-segmentation: Day 2 Guide
- Operationalizing VMware NSX
- Automating NSX for vSphere with PowerNSX


108 Thank you!


More information

Cross-vCenter NSX Installation Guide. Update 4 VMware NSX for vsphere 6.4 VMware NSX Data Center for vsphere 6.4

Cross-vCenter NSX Installation Guide. Update 4 VMware NSX for vsphere 6.4 VMware NSX Data Center for vsphere 6.4 Cross-vCenter NSX Installation Guide Update 4 VMware NSX for vsphere 6.4 VMware NSX Data Center for vsphere 6.4 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Introducing VMware Validated Designs for Software-Defined Data Center

Introducing VMware Validated Designs for Software-Defined Data Center Introducing VMware Validated Designs for Software-Defined Data Center VMware Validated Design for Software-Defined Data Center 4.0 This document supports the version of each product listed and supports

More information

Introducing VMware Validated Designs for Software-Defined Data Center

Introducing VMware Validated Designs for Software-Defined Data Center Introducing VMware Validated Designs for Software-Defined Data Center VMware Validated Design for Software-Defined Data Center 3.0 This document supports the version of each product listed and supports

More information

Weiterentwicklung von OpenStack Netzen 25G/50G/100G, FW-Integration, umfassende Einbindung. Alexei Agueev, Systems Engineer

Weiterentwicklung von OpenStack Netzen 25G/50G/100G, FW-Integration, umfassende Einbindung. Alexei Agueev, Systems Engineer Weiterentwicklung von OpenStack Netzen 25G/50G/100G, FW-Integration, umfassende Einbindung Alexei Agueev, Systems Engineer ETHERNET MIGRATION 10G/40G à 25G/50G/100G Interface Parallelism Parallelism increases

More information

Securing VMware NSX MAY 2014

Securing VMware NSX MAY 2014 Securing VMware NSX MAY 2014 Securing VMware NSX Table of Contents Executive Summary... 2 NSX Traffic [Control, Management, and Data]... 3 NSX Manager:... 5 NSX Controllers:... 8 NSX Edge Gateway:... 9

More information

Network Virtualization Business Case

Network Virtualization Business Case SESSION ID: GPS2-R01 Network Virtualization Business Case Arup Deb virtual networking & security VMware NSBU adeb@vmware.com I. Data center security today Don t hate the player, hate the game - Ice T,

More information

NSX-T Data Center Migration Coordinator Guide. 5 APR 2019 VMware NSX-T Data Center 2.4

NSX-T Data Center Migration Coordinator Guide. 5 APR 2019 VMware NSX-T Data Center 2.4 NSX-T Data Center Migration Coordinator Guide 5 APR 2019 VMware NSX-T Data Center 2.4 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you

More information

VMWARE SOLUTIONS AND THE DATACENTER. Fredric Linder

VMWARE SOLUTIONS AND THE DATACENTER. Fredric Linder VMWARE SOLUTIONS AND THE DATACENTER Fredric Linder MORE THAN VSPHERE vsphere vcenter Core vcenter Operations Suite vcenter Operations Management Vmware Cloud vcloud Director Chargeback VMware IT Business

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme NET1927BU vsphere Distributed Switch Best Practices for NSX Gabriel Maciel VMware, Inc. @gmaciel_ca #VMworld2017 #NET1927BU Disclaimer This presentation may contain product features that are currently

More information

Exam Name: VMware Certified Associate Network Virtualization

Exam Name: VMware Certified Associate Network Virtualization Vendor: VMware Exam Code: VCAN610 Exam Name: VMware Certified Associate Network Virtualization Version: DEMO QUESTION 1 What is determined when an NSX Administrator creates a Segment ID Pool? A. The range

More information

Integrating Juniper Networks QFX5100 Switches and Junos Space into VMware NSX Environments

Integrating Juniper Networks QFX5100 Switches and Junos Space into VMware NSX Environments Integrating Juniper Networks QFX5100 Switches and Junos Space into VMware NSX Environments Implementing an NSX vsphere Version 6.3 Overlay with a QFX5100 Underlay Implementation Guide July 2017 Juniper

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme NET1863BU NSX-T Advanced Architecture, Switching and Routing François Tallet, NSBU #VMworld #NET1863BU Disclaimer This presentation may contain product features that are currently under development. This

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme MMC1532BE Using VMware NSX Cloud for Enhanced Networking and Security for AWS Native Workloads Percy Wadia Amol Tipnis VMworld 2017 Content: Not for publication #VMworld #MMC1532BE Disclaimer This presentation

More information

NSX Installation Guide. Update 6 Modified on 16 NOV 2017 VMware NSX for vsphere 6.3

NSX Installation Guide. Update 6 Modified on 16 NOV 2017 VMware NSX for vsphere 6.3 Update 6 Modified on 16 NOV 2017 VMware NSX for vsphere 6.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

VMware Cloud Provider Platform

VMware Cloud Provider Platform VMware Cloud Provider Platform Enabling your journey to multicloud Winston Benjamin Systems Engineer Cloud Provider Program Disclaimer This presentation may contain product features that are currently

More information

NET1846. Introduction to NSX. Milin Desai, VMware, Inc Kausum Kumar, VMware, Inc

NET1846. Introduction to NSX. Milin Desai, VMware, Inc Kausum Kumar, VMware, Inc NET1846 Introduction to NSX Milin Desai, VMware, Inc Kausum Kumar, VMware, Inc Disclaimer This presentation may contain product features that are currently under development. This overview of new technology

More information

The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec

The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec James Edwards Product Marketing Manager Dan Watson Senior Systems Engineer Disclaimer This session may contain product

More information

WHITE PAPER OCTOBER VMWARE NSX WITH CHECK POINT vsec. Enhancing Micro-Segmentation Security

WHITE PAPER OCTOBER VMWARE NSX WITH CHECK POINT vsec. Enhancing Micro-Segmentation Security WHITE PAPER OCTOBER 2017 VMWARE NSX WITH CHECK POINT vsec Enhancing Micro-Segmentation Security Table of Contents Executive Summary 3 VMware NSX Network Virtualization Overview 5 East-West Versus North-South

More information

2V0-642 vmware. Number: 2V0-642 Passing Score: 800 Time Limit: 120 min.

2V0-642 vmware. Number: 2V0-642 Passing Score: 800 Time Limit: 120 min. 2V0-642 vmware Number: 2V0-642 Passing Score: 800 Time Limit: 120 min Exam A QUESTION 1 A network administrator has been tasked with deploying a 3-tier application across two data centers. Tier-1 and tier-2

More information

VMware Validated Design for NetApp HCI

VMware Validated Design for NetApp HCI Network Verified Architecture VMware Validated Design for NetApp HCI VVD 4.2 Architecture Design Sean Howard Oct 2018 NVA-1128-DESIGN Version 1.0 Abstract This document provides the high-level design criteria

More information

2V VMware Certified Professional 6 - Network Virtualization. Exam Summary Syllabus Questions

2V VMware Certified Professional 6 - Network Virtualization. Exam Summary Syllabus Questions 2V0-642 VMware Certified Professional 6 - Network Virtualization Exam Summary Syllabus Questions Table of Contents Introduction to 2V0-642 Exam on VMware Certified Professional 6 - Network Virtualization...

More information

vrealize Operations Management Pack for NSX for vsphere 3.5.0

vrealize Operations Management Pack for NSX for vsphere 3.5.0 vrealize Operations Management Pack for NSX for vsphere 3.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme STO2451BU Automating Disaster Recovery Operations in the SDDC with SRM, vrealize Automation, and NSX VMworld 2017 Shobhan Lakkapragada Director of Product Management Stefan Tsonev Director of Engineering

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme NET1510 Introduction to NSX-T Architecture Dimitri Desmidt ddesmidt@vmware.com Andrew Voltmer avoltmer@vmware.com #VMworld #NET1510BU Disclaimer This presentation may contain product features that are

More information

Table of Contents HOL-PRT-1305

Table of Contents HOL-PRT-1305 Table of Contents Lab Overview... 2 - Abstract... 3 Overview of Cisco Nexus 1000V series Enhanced-VXLAN... 5 vcloud Director Networking and Cisco Nexus 1000V... 7 Solution Architecture... 9 Verify Cisco

More information

VMware vcloud Networking and Security Overview

VMware vcloud Networking and Security Overview VMware vcloud Networking and Security Overview Efficient, Agile and Extensible Software-Defined Networks and Security WHITE PAPER Overview Organizations worldwide have gained significant efficiency and

More information

vrealize Operations Management Pack for NSX for vsphere 2.0

vrealize Operations Management Pack for NSX for vsphere 2.0 vrealize Operations Management Pack for NSX for vsphere 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

vrealize Operations Management Pack for NSX for vsphere 3.0

vrealize Operations Management Pack for NSX for vsphere 3.0 vrealize Operations Management Pack for NSX for vsphere 3.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER Bret Hartman Cisco / Security & Government Group Session ID: SPO1-W25 Session Classification: General Interest 1 Mobility Cloud Threat Customer centric

More information

21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer

21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer 21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal By Adeyemi Ademola E. Cloud Engineer 1 Contents Introduction... 5 1.2 Document Purpose and Scope...5 Service Definition...

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme LHC2384BU VMware Cloud on AWS A Technical Deep Dive Ray Budavari @rbudavari Frank Denneman - @frankdenneman #VMworld #LHC2384BU Disclaimer This presentation may contain product features that are currently

More information

SAFEGUARDING YOUR VIRTUALIZED RESOURCES ON THE CLOUD. May 2012

SAFEGUARDING YOUR VIRTUALIZED RESOURCES ON THE CLOUD. May 2012 SAFEGUARDING YOUR VIRTUALIZED RESOURCES ON THE CLOUD May 2012 THE ECONOMICS OF THE DATA CENTER Physical Server Installed Base (Millions) Logical Server Installed Base (Millions) Complexity and Operating

More information

Disclaimer CONFIDENTIAL 2

Disclaimer CONFIDENTIAL 2 Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally

More information

VM-SERIES FOR VMWARE VM VM

VM-SERIES FOR VMWARE VM VM SERIES FOR WARE Virtualization technology from ware is fueling a significant change in today s modern data centers, resulting in architectures that are commonly a mix of private, public or hybrid cloud

More information

Agenda Introduce NSX-T: Architecture Switching Routing Firewall Disclaimer This presentation may contain product features that are currently under dev

Agenda Introduce NSX-T: Architecture Switching Routing Firewall Disclaimer This presentation may contain product features that are currently under dev NET1863BE NSX-T Advanced Architecture Concepts Dimitri Desmidt / Yasen Simeonov September 2017 Agenda Introduce NSX-T: Architecture Switching Routing Firewall Disclaimer This presentation may contain product

More information

Introducing VMware Validated Design Use Cases. Modified on 21 DEC 2017 VMware Validated Design 4.1

Introducing VMware Validated Design Use Cases. Modified on 21 DEC 2017 VMware Validated Design 4.1 Introducing VMware Validated Design Use Cases Modified on 21 DEC 2017 VMware Validated Design 4.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Planning and Preparation. VMware Validated Design 4.0 VMware Validated Design for Remote Office Branch Office 4.0

Planning and Preparation. VMware Validated Design 4.0 VMware Validated Design for Remote Office Branch Office 4.0 VMware Validated Design 4.0 VMware Validated Design for Remote Office Branch Office 4.0 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you

More information

Using Network Virtualization in DevOps environments Yves Fauser, 22. March 2016 (Technical Product Manager VMware NSBU)

Using Network Virtualization in DevOps environments Yves Fauser, 22. March 2016 (Technical Product Manager VMware NSBU) Using Network Virtualization in DevOps environments Yves Fauser, 22. March 2016 (Technical Product Manager VMware NSBU) 2014 VMware Inc. All rights reserved. Who is standing in front of you? Yves Fauser

More information

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS Security Without Compromise CONTENTS INTRODUCTION 1 SECTION 1: STRETCHING BEYOND STATIC SECURITY 2 SECTION 2: NEW DEFENSES FOR CLOUD ENVIRONMENTS 5 SECTION

More information

Dell EMC. VxBlock Systems for VMware NSX 6.2 Architecture Overview

Dell EMC. VxBlock Systems for VMware NSX 6.2 Architecture Overview Dell EMC VxBlock Systems for VMware NSX 6.2 Architecture Overview Document revision 1.6 December 2018 Revision history Date Document revision Description of changes December 2018 1.6 Remove note about

More information

5 STEPS TO BUILDING ADVANCED SECURITY IN SOFTWARE- DEFINED DATA CENTERS

5 STEPS TO BUILDING ADVANCED SECURITY IN SOFTWARE- DEFINED DATA CENTERS 5 STEPS TO BUILDING ADVANCED SECURITY IN SOFTWARE- DEFINED DATA CENTERS INTRODUCTION The modern data center is rapidly evolving. Virtualization is paving the way to the private cloud, enabling applications

More information

AGENDA Introduction Pivotal Cloud Foundry NSX-V integration with Cloud Foundry New Features in Cloud Foundry Networking NSX-T with Cloud Fou

AGENDA Introduction Pivotal Cloud Foundry NSX-V integration with Cloud Foundry New Features in Cloud Foundry Networking NSX-T with Cloud Fou NET1523BE INTEGRATING NSX AND CLOUD FOUNDRY Usha Ramachandran Staff Product Manager, Pivotal Sai Chaitanya Product Line Manager, VMware VMworld 2017 Content: Not for publication #VMworld AGENDA 1 2 3 4

More information

Microsegmentation with Cisco ACI

Microsegmentation with Cisco ACI This chapter contains the following sections:, page 1 Microsegmentation with the Cisco Application Centric Infrastructure (ACI) provides the ability to automatically assign endpoints to logical security

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme ADV1587BU NSX + Horizon: A Security Architecture for Delivering Desktops and Applications with VMware Wade Holmes Graeme Gordon VMworld 2017 Content: Not for publication #VMworld #ADV1587BU Disclaimer

More information

Dell EMC. VxBlock Systems for VMware NSX 6.3 Architecture Overview

Dell EMC. VxBlock Systems for VMware NSX 6.3 Architecture Overview Dell EMC VxBlock Systems for VMware NSX 6.3 Architecture Overview Document revision 1.1 March 2018 Revision history Date Document revision Description of changes March 2018 1.1 Updated the graphic in Logical

More information

Improve Existing Disaster Recovery Solutions with VMware NSX

Improve Existing Disaster Recovery Solutions with VMware NSX Improve Existing Disaster Recovery Solutions with VMware NSX Kevin Reed Sr Manager, VMware Federal Networking & Security Team kreed@vmware.com 703.307.3253 Don Poorman Manager Solutions Enginering Govplace

More information

VMware vcloud Director for Service Providers

VMware vcloud Director for Service Providers Architecture Overview TECHNICAL WHITE PAPER Table of Contents Scope of Document....3 About VMware vcloud Director....3 Platform for Infrastructure Cloud...3 Architecture Overview....3 Constructs of vcloud

More information

Next-Generation Security Platform on VMware NSX Reference Architecture

Next-Generation Security Platform on VMware NSX Reference Architecture t n e g i l l e nt i ES UR T C E T I ARCH Next-Generation Security Platform on VMware NSX Reference Architecture Release 1 March 2018 Contents...... Introduction................................................

More information

VMware Validated Design for Micro-Segmentation Reference Architecture Guide

VMware Validated Design for Micro-Segmentation Reference Architecture Guide VMware Validated Design for Micro-Segmentation Reference Architecture Guide VMware Validated Design for Micro-Segmentation 3.0 This document supports the version of each product listed and supports all

More information

DISASTER RECOVERY- AS-A-SERVICE FOR VMWARE CLOUD PROVIDER PARTNERS WHITE PAPER - OCTOBER 2017

DISASTER RECOVERY- AS-A-SERVICE FOR VMWARE CLOUD PROVIDER PARTNERS WHITE PAPER - OCTOBER 2017 DISASTER RECOVERY- AS-A-SERVICE FOR VMWARE CLOUD PROVIDER PARTNERS WHITE PAPER - OCTOBER 2017 Table of Contents Executive Summary 3 Introduction 3 vsphere Replication... 3 VMware NSX for vsphere... 4 What

More information

Table of Contents HOL NET

Table of Contents HOL NET Table of Contents Lab Overview - - VMware NSX Multi-Site and SRM in an Active- Standby Setup... 2 Lab Guidance... 3 Lab Introduction... 9 Module 1 - Review Pre-Configured Multi-Site NSX and Configure Site-Local

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme NET1192BE Multisite Networking & Security with Cross-vC NSX Josh Coulling Networking & Security Senior System Engineer #VMworld #NET1192BE Disclaimer This presentation may contain product features that

More information

Introducing VMware Validated Designs for Software-Defined Data Center

Introducing VMware Validated Designs for Software-Defined Data Center Introducing VMware Validated Designs for Software-Defined Data Center 13 FEB 2018 VMware Validated Design 4.2 VMware Validated Design for Software-Defined Data Center 4.2 You can find the most up-to-date

More information

VMware vrealize Network Insight Arkin Messaging Document

VMware vrealize Network Insight Arkin Messaging Document Key Message Summary Launch Overview Organizations around the world are adopting an SDDC architecture based on VMware s virtualized infrastructure. Enterprise customers see the value of SDDC and SDN, but

More information

Securing VMware NSX-T J U N E 2018

Securing VMware NSX-T J U N E 2018 Securing VMware NSX-T J U N E 2018 Securing VMware NSX Table of Contents Executive Summary...2 NSX-T Traffic [Control, Management, and Data]...3 NSX Manager:...7 NSX Controllers:...9 NSX Edge:...10 NSX-T

More information

SYMANTEC DATA CENTER SECURITY

SYMANTEC DATA CENTER SECURITY SYMANTEC DATA CENTER SECURITY SYMANTEC UNIFIED SECURITY STRATEGY Users Cyber Security Services Monitoring, Incident Response, Simulation, Adversary Threat Intelligence Data Threat Protection Information

More information

Introducing VMware Validated Design Use Cases

Introducing VMware Validated Design Use Cases Introducing VMware Validated Design Use Cases VMware Validated Designs 4.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

vcenter Operations Management Pack for NSX-vSphere

vcenter Operations Management Pack for NSX-vSphere vcenter Operations Management Pack for NSX-vSphere vcenter Operations Manager 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Recommended Configuration Maximums. NSX for vsphere Updated on August 08, 2018

Recommended Configuration Maximums. NSX for vsphere Updated on August 08, 2018 Recommended Configuration Maximums NSX for vsphere 6.3.6 Updated on August 08, 2018 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme PBO1295BU VMware Validated Design for Remote/Branch Office Technical Overview VMworld 2017 Content: Not for publication ##VMworld #PBO1295BU Disclaimer This presentation may contain product features that

More information

Design Guide for Cisco ACI with Avi Vantage

Design Guide for Cisco ACI with Avi Vantage Page 1 of 23 Design Guide for Cisco ACI with Avi Vantage view online Overview Cisco ACI Cisco Application Centric Infrastructure (ACI) is a software defined networking solution offered by Cisco for data

More information

Architecture and Design. Modified on 21 AUG 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4.

Architecture and Design. Modified on 21 AUG 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4. Modified on 21 AUG 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme NET2810BE Feel the vrealize Network Insight Overcoming Operational Challenges with NSX and Underlay Networking VMworld 2017 Andreas Gautschi agautschi@vmware.com NSX and vrni Specialist Karl Fultz kfultz@vmware.com

More information

Introducing VMware Validated Designs for Software-Defined Data Center

Introducing VMware Validated Designs for Software-Defined Data Center Introducing VMware Validated Designs for Software-Defined Data Center 17 JUL 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4.3 You can find the most up-to-date

More information

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe Presenting the ware NSX ECO System May 2015 Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe Agenda 10:15-11:00 ware NSX, the Network Virtualization Platform 11.15-12.00 Palo Alto

More information

Segmentation. Threat Defense. Visibility

Segmentation. Threat Defense. Visibility Segmentation Threat Defense Visibility Establish boundaries: network, compute, virtual Enforce policy by functions, devices, organizations, compliance Control and prevent unauthorized access to networks,

More information

The Software Driven Datacenter

The Software Driven Datacenter The Software Driven Datacenter Three Major Trends are Driving the Evolution of the Datacenter Hardware Costs Innovation in CPU and Memory. 10000 10 µm CPU process technologies $100 DRAM $/GB 1000 1 µm

More information

Zero Trust Security with Software-Defined Secure Networks

Zero Trust Security with Software-Defined Secure Networks Zero Trust Security with Software-Defined Secure Networks Srinivas Nimmagadda and Pradeep Nair Juniper Networks This statement of direction sets forth Juniper Networks current intention and is subject

More information

Creating a VMware vcloud NFV Platform R E F E R E N C E A R C H I T E C T U R E V E R S I O N 1. 5

Creating a VMware vcloud NFV Platform R E F E R E N C E A R C H I T E C T U R E V E R S I O N 1. 5 Creating a VMware vcloud NFV Platform R E F E R E N C E A R C H I T E C T U R E V E R S I O N 1. 5 Table of Contents 1. Introduction... 4 2. Network Function Virtualization Overview... 5 2.1 NFV Infrastructure

More information

HOW TO BUILD A NESTED NSX-T 2.3 LAB

HOW TO BUILD A NESTED NSX-T 2.3 LAB TECHNICAL WHITE PAPER -FEBRUARY 2019 HOW TO BUILD A NESTED NSX-T 2.3 LAB Explore the features and capabilities of VMware NSX-T Jim Streit, VCIX-NV NSX Senior Technical Account Specialist (TAS) VMware Professional

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme PBO1221BE Beginners Guide to the Software-Defined Data Center Kyle Gleed, Group Manager, Technical Marketing Ben Sier, Staff Architect, Technical Marketing #VMworld #PBO1221BE Disclaimer This presentation

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
