NSX in Small Data Centers for Small and Medium Businesses
Shahzad Ali, VMware Inc.
Gilles Chekroun, VMware Inc.
NET1345BE
#VMworld #NET1345BE
VMworld 2017 Content: Not for publication or distribution
#NET1345BE CONFIDENTIAL
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Introduction
Shahzad Ali NSX For Small DC
[Diagram: typical cluster layout – Compute Cluster (DB VMs), Compute Cluster (Web/App VMs), Compute Cluster (VDI VMs), Edge Cluster, Management Cluster; and the Collapsed Cluster alternative]
Agenda
Disclaimer: Not all possible designs are discussed; only common options are shown
1 Deployment Models
2 Design and Deployment Considerations
3 Growth – Business Needs
4 Case Studies
Session Objective
• No DC left behind
• Small DC does not mean small customer
• Start anywhere, grow anywhere
NSX for vSphere Components (Reference)
• Management Plane: NSX Manager (NSX-MGR), vCenter (VC)
• Control Plane: NSX Controller Cluster, DLR Control VM
• Distributed Data Plane: Logical Switch, Distributed Logical Router (DLR), Distributed Firewall (DFW), on the VDS
• Data Plane (NSX Edge): Router, Firewall, NAT, Load Balancer (LB)
Deployment Models by DC Size
Large DC: Hosts > 100; N-S BW > 10G
• Separate Management Cluster (Hosts M1 to M3), Edge Cluster (Hosts E1 to E4, running the NSX Edges) and Payload Clusters (Hosts P1 to P5)
• Clusters attach to the L2/L3 DC fabric, which connects to WAN/Internet
Medium DC: Hosts 10-100; N-S BW < 10G
• Collapsed Management & Edge Cluster (Hosts ME1 to ME3, running the NSX Edges) and a Payload Cluster (Hosts P1 to P3)
• L2/L3 DC fabric to WAN/Internet
[Diagram: Large DC and Medium DC cluster layouts]
Small DC: Number of Hosts 3-10; N-S BW Requirement < 10G
• Cluster Features: Collapsed Management, Edge and Payload Cluster (Hosts C1 to C4, running the NSX Edges), L2/L3 to WAN/Internet
• Mix of less I/O and high I/O requirements on the same hosts
• Resource reservation is the key to meet SLA in Small DC
[Diagram: Small DC collapsed cluster layout]
Deployment Models: Small does not mean Small Enterprise
Small DC Deployment Models
Security Focused
• Distributed Firewall
• Non disruptive
• VXLAN is not a requirement
• Existing setup
[Diagram: VDS with VLAN backed port groups and DFW; uplink port group to the physical network]
Centralized Edge
• ESG VM based model
• Not much east/west traffic
• Intermediate/transition step
• Multiple edges possible
[Diagram: VDS with VLAN backed port groups and DFW, ESG VM; uplink port group to the physical network]
Full Stack
• Distributed Firewall
• Logical Switching (VXLAN)
• Distributed Routing (DLR)
• ESG Services (NAT, LB, VPN etc.)
[Diagram: VDS with VXLAN backed port groups (LS) and DFW, DLR, transit LS to ESG VM with LB and bridge; uplink port group to the physical network]
Security Focused Model
• No physical routing/MTU change needed
• Use existing VLAN backed port groups
• DFW enabled on all hosts
Important Use-Cases
• Distributed Firewall
• Agentless Anti-Virus (AV)
[Diagram: VDS with VLAN backed port groups and DFW; uplink port group to the physical network]
Security Focused Model – Use-Case: Distributed Firewall
• Small footprint
– Min: 2 hosts required
– Easy expansion for additional workload
• Recommendation: At least 3 hosts in production
– Deploy more hosts to sustain a single host failure
[Diagram: Single Cluster with NSX (Host 1 to Host 3), L2/L3 to WAN/Internet]
NSX Footprint
Function | vCPU | MEM (GB) | Storage (GB) | VMs
Tiny vCenter Appliance with Embedded PSC* | 2 | 8 | 120 | 1
NSX Manager | 4 | 16 | 60 | 1
Total | 6 | 24 | 180 | 2
*PSC (Platform Services Controller)
Security Focused Model – Use-Case: Distributed Firewall with Agentless Anti-Virus (AV)
• Requires additional Service VMs
– NSX GI-SVM (Guest Introspection Service VM)
– Partner Service VM (SVM)
• Cluster based SVM deployment
– Min: 2 hosts required
– Recommendation: At least 3 hosts in production
[Diagram: Single Cluster with NSX (Host 1 to Host 3), each host running an NSX GI SVM and a Partner SVM; L2/L3 to WAN/Internet]
Function | vCPU | MEM (GB) | Storage (GB) | VMs
Tiny vCenter with Embedded PSC | 2 | 8 | 120 | 1
NSX Manager | 4 | 16 | 60 | 1
GI-SVM | 2 | 1 | 4 | Hosts#
Partner-SVM | See Guest Introspection partner for details | | | Hosts#
Centralized Edge Deployment Model
• No DLR, VXLAN or Controllers needed
– Port groups attached to ESG VM
– No physical routing/MTU changes needed
– Availability improved by Edge HA and vSphere
Transitional Model: From Security Focused to Full Stack
[Diagram: Single Cluster (Host 1 to Host 3) on a VDS with DFW and port groups to the physical network; two NSX Edge VMs act as Multi-Function GW (Routing, Firewall, LB, NAT, VPN GW) with supported trunk interface (200 VLANs); L2/L3 to WAN/Internet]
Full Stack Model
• VXLAN based overlay
– Optimized routing (DLR) and logical switching (LS)
– Separation of control and data plane
– VXLAN and DFW enabled on all hosts
• MTU of >=1600 for VTEP VLAN segment
[Diagram: VXLAN backed port groups (LS) with DFW, DLR, transit LS to ESG VM with LB and bridge; uplink port group to the physical network]
Full Stack Model: Deployment Considerations
• At least 3 hosts needed
– Recommendation: 4 ESXi hosts in production
– Management and Edge functions co-exist with Payload
– No DLR Control VM needed with static routing
Function | vCPU | MEM (GB) | Storage (GB) | VMs
Tiny vCenter Appliance with Embedded PSC | 2 | 8 | 120 | 1
NSX Manager | 4 | 16 | 60 | 1
NSX Controllers | 4 x 3 | 4 x 3 | 28 x 3 | 3
Edge VM (Large)* | 2 x 2 | 0.5 x 2 | ~1 x 2 | 2*
Total | 22 | 37 | ~266 | 7
* ESG with High Availability with static routing
[Diagram: Single Cluster (Host 1 to Host 4) running two NSX Edges; L2/L3 to WAN/Internet]
vSphere Consideration
vCenter (VC)
Robust vSphere and VC design is the foundation
• Design Option#1: VC with Embedded PSC
– Recommended for small DC
– 1 single sign-on domain with single site
– No growth plans in near future
[Diagram Option#1: PSC Server and vCenter Server in one VM]
• Design Option#2: External PSC
– Recommended for medium-large setups
– Multiple vCenters / Cross-VC / DR
– For Small DC: If planning to grow
[Diagram Option#2: separate PSC Server VM and vCenter Server VM]
vCenter Server VM Form Factor
• Tiny vCenter (VC) Appliance with Embedded PSC
– If minimizing resource utilization is the key factor for deployment
• Majority of Small DC Customers:
– Deploy Small VC appliance
– Future growth
• VC should be first to boot in VM boot order
Options (Embedded PSC) | Hosts | VMs | Potential NSX Deployment Type | vCPU | MEM (GB) | Disk (GB)
Tiny | 10 | 100 | Small DC | 2 | 8 | 120
Small | 100 | 1000 | Small DC | 4 | 16 | 150
Medium | 400 | 4000 | Medium DC | 8 | 24 | 300
Large | 1000 | 10,000 | Large DC | 16 | 32 | 450
http://tinyurl.com/DeployVC6
http://tinyurl.com/PerformanceVC6
vSphere and NSX Licensing Options (Reference)
– NSX supported for all vSphere licenses
– VDS included with NSX (vSphere 5.5 U3 or 6.0+)
vSphere
• Essential+: Up to 3 hosts, vSphere HA
• Standard: 1000 hosts per vCenter, vSphere HA
• Enterprise+: vSphere HA, DRS, VDS etc.
vSphere Enterprise is EoA: https://kb.vmware.com/kb/2143987
Compare License Options: http://www.vmware.com/products/vsphere.html#compare
NSX
Features | Standard | Advanced | Enterprise
Distributed Routing and Switching (DLR/VXLAN) | ✓ | ✓ | ✓
NSX ESG (except load balancer) | ✓ | ✓ | ✓
SW L2 bridging | ✓ | ✓ | ✓
Distributed Firewall (DFW – Micro-Segmentation) | | ✓ | ✓
NSX Edge load balancing | | ✓ | ✓
Cross vCenter NSX | | | ✓
NSX Component Consideration
NSX - Modular and Flexible
NSX Manager
• Management and API entry point
• Reservation enabled by default (16 GB reserved by default)
• vCPU and Mem modification allowed
– Recommended to stick with the defaults
• Add VC VM in the NSX “VM Exclusion List”
– Or create fine grained rules in DFW
– NSX components are automatically part of exclusion list
• NSX manager backup
• Not in the data-path
• Second in VM boot order
NSX Controllers
• Needed for VXLAN and DLR
• Must deploy 3
– Manually create “SHOULD” anti-affinity rules
– Use 4 hosts for additional redundancy
• 4 vCPU and 4GB MEM
– Reserved: 4GB MEM (reserved by default)
• Locked down VM
– vCPU/MEM modification disabled
• Not in the data-path
• 3rd in VM boot order
DLR Control VM
• Needed only if dynamic routing is used
• Deploy in HA mode (Active/Standby)
• vCPU/MEM modification disabled
• Anti-affinity rule is created automatically
• Lightweight VM, reservation enabled
Edge Service Gateway
• VM form factor
– Large: Good for small DC design/features
– X-Large: For L7 NSX Load Balancer (LB)
– Form factor can be upgraded any time later
• vCPU and MEM reservation enabled by default
– Locked down VM
VM Size | vCPU | Memory | HD (GB) | Suitable For
Compact | 1 | 512 MB | 1 | LAB/PoC
Large | 2 | 1 GB | 1 | Small DC
Quad Large | 4 | 2 GB | 1 | Medium/Large DC
X-Large | 6 | 8 GB | 3 | L7 LB
ESG Design Choices: ESG in HA or ECMP?
• Stateful Services? Yes
– Throughput Requirement < 10G: ESG-HA
– Throughput Requirement > 10G: Multi-tiered Design
• Stateful Services? No
– Throughput Requirement < 10G: ESG-HA
– Throughput Requirement > 10G: 2 or more ESG-ECMP
[Other designs are also possible depending on scale]
ESG Deployment
ESG with HA
– Anti-affinity rules automatically created (DRS)
– Avoid: Active ESG and Active DLR Control VM on same host
[Diagram: Host 1 and Host 2 with Active/Standby ESG and Active/Standby DLR Control VM separated by the automatic rule]
ESG with ECMP
– Manually create anti-affinity rules
– Avoid: Active ESG and Active DLR Control VM on same host
[Diagram: Host 1 to Host 4, one ECMP ESG per host, plus Active and Standby DLR Control VMs]
vSphere High Availability (HA) and NSX
vSphere HA Admission Control ensures VM failover capacity
Admission Control policy options:
• Slot Policy (N+1)
• Cluster Resource Percentage (e.g. 10%)
• Dedicated Failover (Standby Host)
vSphere HA Restart Priority
• Cluster percentage based admission control means more flexibility with workloads
– A lack of resources may require that some VMs not be restarted during an HA event
– HA restart priority allows you to designate high priority vs. low priority workloads
– NSX workloads should be designated as the highest priority
– HA Dependencies can also be used
vSphere HA Calculations
Know what you have to work with
• Total your cluster resources and make notes of how much CPU and Memory are available
Example: Small LAB Deployment with 2 hosts
vSphere HA Calculations
Know what you have to work with
Total Cluster CPU = 11.20 GHz
Total Cluster MEM = 10.00 GB
Slot Based HA Policy
5600MHz / 32MHz = 175 Slots
5000MB / 100MB = 50 Slots
Cluster Percentage Based Policy
11200MHz * .75 = 8400MHz
10000MB * .75 = 7500MB
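The slot and percentage arithmetic above, together with the NSX footprint from the Full Stack table earlier, as an added worked example (not code from the deck or from VMware): it reproduces the 2-host lab figures, derives the slot size the way vSphere HA does from the largest reservations, and checks whether the reserved NSX footprint fits under the percentage policy. The memory reservations follow the deck (NSX Manager 16 GB, Controllers 4 GB each, ESG reservation on by default); the vCenter reservation and every CPU reservation in MHz are assumptions, since the deck lists vCPU counts only.

```python
# Added example (not from the deck): admission-control arithmetic for a
# small NSX cluster, using the deck's 2-host lab figures and the NSX
# footprint from its Full Stack table.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    cpu_mhz: int  # CPU capacity available to VMs
    mem_mb: int   # memory capacity available to VMs


@dataclass(frozen=True)
class Vm:
    name: str
    cpu_res_mhz: int  # CPU reservation
    mem_res_mb: int   # memory reservation
    count: int = 1


# Constructed cluster: the deck's 2-host lab, 11.20 GHz and 10.00 GB in total.
LAB_HOSTS: List[Host] = [Host("host-1", 5600, 5000), Host("host-2", 5600, 5000)]

# Full Stack NSX footprint (deck table "Full Stack Model: Deployment
# Considerations"). Memory reservations follow the deck: NSX Manager 16 GB and
# each Controller 4 GB are reserved by default, each Large ESG reserves its
# 512 MB. The vCenter reservation and all CPU reservations in MHz are assumed
# for this example; the deck gives vCPU counts, not MHz.
FULL_STACK_NSX: List[Vm] = [
    Vm("vcenter-tiny-embedded-psc", 1000, 8192),
    Vm("nsx-manager", 2000, 16384),
    Vm("nsx-controller", 1000, 4096, count=3),
    Vm("esg-large-ha", 500, 512, count=2),
]


def slot_size(vms: List[Vm], default_cpu_mhz: int = 32,
              mem_overhead_mb: int = 0) -> Tuple[int, int]:
    """Slot size as vSphere HA derives it: the largest CPU reservation in the
    cluster (32 MHz when nothing is reserved) and the largest memory
    reservation plus per-VM overhead. One big reservation inflates every slot."""
    cpu = max([v.cpu_res_mhz for v in vms] + [default_cpu_mhz])
    mem = max([v.mem_res_mb for v in vms] + [0]) + mem_overhead_mb
    return cpu, mem


def slot_policy(hosts: List[Host], slot_cpu_mhz: int, slot_mem_mb: int,
                host_failures: int = 1) -> Tuple[int, int]:
    """Slot policy (the deck's N+1). Returns (total_slots, usable_slots): each
    host contributes min(CPU slots, memory slots); the slots of the largest
    `host_failures` hosts are held back for failover."""
    per_host = sorted(
        (min(h.cpu_mhz // slot_cpu_mhz, h.mem_mb // max(slot_mem_mb, 1))
         for h in hosts), reverse=True)
    total = sum(per_host)
    return total, total - sum(per_host[:host_failures])


def percentage_policy(hosts: List[Host], cpu_pct_reserved: int,
                      mem_pct_reserved: int) -> Tuple[int, int]:
    """Cluster-resource-percentage policy. Returns (usable_cpu_mhz,
    usable_mem_mb) after holding back the configured share for failover."""
    cpu = sum(h.cpu_mhz for h in hosts)
    mem = sum(h.mem_mb for h in hosts)
    return cpu * (100 - cpu_pct_reserved) // 100, mem * (100 - mem_pct_reserved) // 100


def reservation_totals(vms: List[Vm]) -> Tuple[int, int]:
    """Summed (cpu_mhz, mem_mb) reservations the cluster must admit."""
    return (sum(v.cpu_res_mhz * v.count for v in vms),
            sum(v.mem_res_mb * v.count for v in vms))


def fits_percentage(vms: List[Vm], hosts: List[Host],
                    cpu_pct_reserved: int, mem_pct_reserved: int) -> bool:
    """True when the reserved footprint fits inside the usable capacity the
    percentage policy leaves after failover headroom."""
    cpu_need, mem_need = reservation_totals(vms)
    cpu_ok, mem_ok = percentage_policy(hosts, cpu_pct_reserved, mem_pct_reserved)
    return cpu_need <= cpu_ok and mem_need <= mem_ok


if __name__ == "__main__":
    # Deck figures: 32 MHz / 100 MB slots give 175 CPU and 50 memory slots per lab host
    print("slot policy (32 MHz / 100 MB), N+1:", slot_policy(LAB_HOSTS, 32, 100))
    print("25% reserved for failover:", percentage_policy(LAB_HOSTS, 25, 25))
    print("slot size once NSX reservations exist:", slot_size(FULL_STACK_NSX))
    print("full-stack NSX fits the 2-host lab?", fits_percentage(FULL_STACK_NSX, LAB_HOSTS, 25, 25))
```

The last two calls show why the deck steers small clusters toward the percentage policy: once the 16 GB NSX Manager reservation exists, the slot size grows to 16 GB and a 5 GB lab host offers zero slots, whereas the percentage policy simply reports that 37 GB of reservations do not fit in 7.5 GB of usable memory, which is the sizing gap the Full Stack table is meant to make visible.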
vSphere Resource Pools and NSX
Resource Pools can be used to guarantee resources to priority workloads
• Use Resource Pools to guarantee CPU and Memory to priority workloads
CAUTION!
• Resource pools can be detrimental to VM performance if not used and maintained correctly
• Use cluster resource calculations and VM requirements to build Pools properly
• Plan for growth!
VDS (vSphere Distributed Switch)
• VDS requires vSphere Enterprise+
– Free with NSX (vSphere 5.5 U3 or 6.0+)
• Use single VDS – keep it simple
• Recommended VTEP vmknic teaming policy is Route Based on Originating Port (Source-ID)
– VXLAN multipath with multiple VTEPs per host
– VM-to-VTEP pinning based on the VM source virtual port ID
• For simplicity (single VTEP) - use “Fail Over”
Growing NSX Small DC Deployments
Start Anywhere – Grow Anywhere – Without Any Boundaries
Grow As Per Business Requirements
Starting Small – Less Upfront Cost – Phased Approach
Grow NSX in:
• Compute Capacity
• Throughput
• Feature/Services
• Migration
• More Sites
Use-Case 1: DFW Service Insertion to Full Stack (Casino Customer with VDI)
Enhancing DC Security Beyond DFW
Note: Other topologies are possible – the pictures shown are representative only
[Diagram: before, VDS with VLAN backed port groups, Distributed Firewall, GI SVM and Partner SVM on each host, NSX Edge and uplink port group; after, VXLAN backed port groups with a VXLAN transit logical switch to the NSX Edge, GI SVM and Partner SVM retained, uplink port group]
Use-Case 2: Single Site to Multi-Site (Cross-VC NSX) (Gov. Customer with DR)
Note: Other topologies are possible – the pictures shown are representative only
[Diagram: Site-A with a DLR grows into Site-A and Site-B connected by a Universal DLR]
Key Takeaways
• All DCs are equal in the eyes of NSX
• Small DC does not mean small customer
• Start anywhere, grow anywhere
Where to get started
• Join VMUG for exclusive access to NSX: vmug.com/VMUG-Join/VMUG-Advantage
• Connect with your peers: communities.vmware.com
• Find NSX Resources: vmware.com/products/nsx
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• Dozens of Unique NSX Sessions: Spotlights, breakouts, quick talks & group discussions
• Visit the VMware Booth: Product overview, use-case demos
• Visit Technical Partner Booths: Integration demos – Infrastructure, security, operations, visibility, and more
• Meet the Experts: Join our Experts in an intimate roundtable discussion
• Free Hands-on Labs: Test drive NSX yourself with expert-led or self-paced hands-on labs: labs.hol.vmware.com
• Training and Certification: Several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining