GettingStartedWithNSX

The document provides an overview of VMware NSX-T, emphasizing its role in network virtualization and security management within data centers. It discusses the architecture, features, and use cases of NSX-T, including its capabilities for routing, micro-segmentation, and automation. Additionally, it highlights resources for further learning and community engagement related to NSX-T.
HOL-2026-01-NET

VMware NSX-T: Getting Started

Steve Baca

Senior Technical Instructor

Confidential │ ©2019 VMware, Inc.


The Virtual Cloud Network
Connect and Protect your Business

[Slide graphic: branch, edge/IoT and telco/NFV sites connected by the Virtual Cloud Network.]
[Slide graphic: Virtual Cloud Networking connects and protects any workload across any environment: public clouds, private data centers, VMs, containers and microservices, telco networks, things, users and branch offices.]

Properties named on the slide: built-in, automated, programmable and application-centric; identity, secure connectivity, availability, analytics and insights, policy, scalability, apps and data.


VMware NSX Portfolio
The Foundation of the Virtual Cloud Network

Management and automation (cloud-based management, workflow automation, blueprints/templates, insights/discovery, visibility):
• Network Insight: network discovery and insights
• vRealize Automation: end-to-end workload automation

Network and security virtualization (security, integration, extensibility, automation, elasticity):
• NSX Data Center: networking and security for data center workloads
• NSX Cloud: networking and security for public cloud workloads
• AppDefense: modern application security
• NSX SD-WAN by VeloCloud: WAN connectivity
• NSX Hybrid Connect: data center and cloud workload migration services


NSX Data Center Use Cases

• Security
• Multi-Cloud Networking
• Automation
• Cloud-Native Apps


How does VMware NSX Data Center deliver on the promise of network virtualization?


The Data Center Networking Challenge
There Has Been a Lot of Innovation and Virtualization in the Data Center

Except for one area: compute and storage have been virtualized, networking has not.


Ready for the Future: Virtual Cloud Network
VMware Advancing Business Transformation with Networking and Security in Software

• Public Cloud: AWS, IBM and Azure
• Reinvent Wide Area Connectivity (WAN) and Hybridity: NSX SD-WAN by VeloCloud, NSX Hybrid Connect
• Container Frameworks: Pivotal Container Service (PKS)
• Reinvent security: App Security, AppDefense
• Expand the network: Multi-Cloud and Multi-Hypervisor, NSX-T
• Value from the network: Automation (vRealize Automation), Insights (Network Insight, formerly Arkin)
• Rethink networking: Micro-Segmentation, NSX
• Network Virtualization: Nicira
• Software-Defined Data Center: vSphere, Distributed Switch
High-Level Architecture of NSX-T Data Center
The three main elements of the NSX-T Data Center architecture are the management, control, and data planes. This architectural separation enables scalability without impacting workloads.

Tunneling and GENEVE Overview
Tunneling isolates physical and virtual networks using encapsulation. Tunnels are set up between tunnel endpoints (TEPs). Generic Network Virtualization Encapsulation (GENEVE) is an Internet Engineering Task Force overlay tunneling mechanism providing L2 over L3 encapsulation of data plane packets.

In NSX-T Data Center, packets from VMs are encapsulated with the GENEVE header before being pushed through the tunnel.
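As an added example (not from the slide deck or VMware's code), the GENEVE encapsulation described above carried out in both directions: a builder that wraps an L2 frame in the base header and TLV options, and a parser that validates the header fields before handing back the inner frame, following the RFC 8926 layout. The sample frame, VNI and option are constructed.

```python
import struct

GENEVE_UDP_PORT = 6081   # IANA-assigned UDP port for GENEVE tunnels between TEPs
ETHERTYPE_TEB = 0x6558   # Transparent Ethernet Bridging: the payload is an L2 frame

def build_geneve(vni: int, inner_frame: bytes, options=()) -> bytes:
    """Encapsulate an L2 frame: 8-byte GENEVE base header, TLV options, then the frame."""
    opts = b""
    for opt_class, opt_type, data in options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opts += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    if len(opts) // 4 > 63:
        raise ValueError("options exceed the 6-bit Opt Len field")
    # byte 0: Ver (2 bits, 0) | Opt Len in 4-byte words; byte 1: O and C flags clear
    base = struct.pack("!BBH", len(opts) // 4, 0, ETHERTYPE_TEB)
    base += vni.to_bytes(3, "big") + b"\x00"   # 24-bit VNI plus reserved byte
    return base + opts + inner_frame

def parse_geneve(payload: bytes) -> dict:
    """Decapsulate: validate the base header, walk the options, return the inner frame."""
    if len(payload) < 8:
        raise ValueError("GENEVE header truncated")
    b0, b1, proto = struct.unpack("!BBH", payload[:4])
    if b0 >> 6 != 0:
        raise ValueError("unknown GENEVE version")
    opt_end = 8 + (b0 & 0x3F) * 4
    if opt_end > len(payload):
        raise ValueError("Opt Len runs past the end of the packet")
    options, off = [], 8
    while off < opt_end:
        opt_class, opt_type, len_byte = struct.unpack("!HBB", payload[off:off + 4])
        data_len = (len_byte & 0x1F) * 4
        if off + 4 + data_len > opt_end:
            raise ValueError("option length runs past Opt Len")
        options.append((opt_class, opt_type, payload[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return {"oam": bool(b1 & 0x80), "critical": bool(b1 & 0x40), "protocol": proto,
            "vni": int.from_bytes(payload[4:7], "big"), "options": options,
            "inner": payload[opt_end:]}

# Constructed sample: a 14-byte Ethernet header (two made-up MACs, IPv4 ethertype) plus
# a 4-byte payload, carried on VNI 5001 with one constructed 4-byte option (class 0, type 1).
SAMPLE_FRAME = bytes.fromhex("0050569a0001" "0050569a0002" "0800") + b"\xde\xad\xbe\xef"
SAMPLE_PACKET = build_geneve(5001, SAMPLE_FRAME, options=[(0x0000, 0x01, b"\x00\x00\x00\x2a")])
```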

VMware NSX-T Data Center: Troubleshooting and Operations | 6 - 15


Logical Routing in NSX-T Data Center
NSX-T Data Center gateways provide:

• North-south routing

• East-west routing

• Multitenant support

• Static and dynamic routing configuration (eBGP and iBGP)

• High-availability support

• IPv6 support

• Flexible network topology

• Multicast support

• L3 services (NAT, LB, VPN, service insertion)

• DDI (DNS, DHCP, IP Address Management) functions

• Firewall operations
Logical Routing: Multitier Topology
In multitier distributed routing:
• Tier-0 and Tier-1 routers are also instantiated on the hypervisors to prevent hairpinning.

• Fully distributed architecture: As much routing as possible is performed upfront at the source.

[Slide diagram: on each of ESXi-1 and ESXi-2, one Tier-0 DR is linked to a Tier-1 DR for Tenant 1 and a Tier-1 DR for Tenant 2. The same /31 router-link addresses (100.64.224.0/31 and 100.64.224.1/31 on one link, 100.64.224.2/31 and 100.64.224.3/31 on the other) appear on both hosts because the distributed routers are instantiated on every hypervisor.]
Two-Tier Routing with Connectivity Options for Workload (1)
Simplified multitier distributed routing:
• Tier-0 connects to physical devices.

• Tier-1 provides tenant-specific routing.

[Slide diagram: a Tier-0 router (ECMP or active-standby) with a distinct routing peer over a VLAN logical switch; Tenant 1 and Tenant 2 each sit behind a Tier-1 logical router (one E-W distributed, one active-standby) with Web, App and Db logical switches (LS) on overlay logical switches; services shown: LB, NAT, FW, VPN.]
Two-Tier Routing with Connectivity Options for Workload (2)
Stateful services run in a centralized mode:
• FW, NAT, LB, DHCP, and VPN

• Bridging services

Tier-0 services:
• DPDK-based forwarding: Routing and bridging

• Services: NAT, FW, and DHCP

• Centralized overlay logical switch segments

• Centralized VLAN logical switch segments

Tier-1 services:
• Tenant routing

• FW, NAT, LB, and VPN services


Our Security Realities
When Threats Breach the Perimeter, It’s Hard to Stop Lateral Spread

• Low priority systems are often targeted first.

• Attackers can move freely around the data center.

• Attackers then gather and exfiltrate the valuable data.

[Slide graphic: the network perimeter between the Internet and the data center.]


What If You Could…
Build in Zero Trust at the Most Granular Level of the Data Center?

Every workload can have:
• Individual firewalls

• Individual security policies

Policies can be defined based on any context:
• VM attributes

• Network attributes

• Application attributes

[Slide graphic: the network perimeter between the Internet and the data center, with a PCI scope drawn around a subset of workloads.]


NSX-T Data Center Distributed Firewall

Micro-segmentation simplifies network security:
• Zero Trust / Least Privilege model.

• Each VM can now be its own perimeter.

• Policies align with logical groups.

• Prevents threats from spreading.

• Network topology-agnostic.

[Slide diagram: Finance, HR and Engineering workloads behind a perimeter firewall and DMZ, an inside firewall, App and DB tiers, and shared services (AD, NTP, DHCP, DNS, CERT).]

NSX-T Data Center Distributed Firewall: ESXi Data Plane
About the ESXi data plane:
• Uses the NSX Virtual Distributed Switch (N-VDS) for workload connectivity.

• DFW uses the vSIP kernel module and kernel I/O chain filters.

• LCP intelligently programs the FW rule table for every vNIC based on the Applied To field in the policy.

• Maintains a Flow State Table for active flows along with the user-configured Rule Table.

[Slide diagram: GUI/REST reaches the NSX Manager Cluster over HTTPS (TCP 443, TLS 1.2). The manager cluster receives stats and status from the MPA over AMQP/RabbitMQ (TCP 1234, TLS 1.2) and pushes policy rules and groups to the LCP over the NSX Channel (TCP 1235, TLS 1.2). MPA and LCP run in userspace; the vSIP FW kernel module at slot 2 holds the rule and flow tables in kernel space, above the NSX Virtual Distributed Switch on ESXi.]
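As an added example (not VMware's code) covering the two distributed-firewall slides above: a small Python model of per-vNIC enforcement, with a constructed VM inventory and policy. It shows how the Applied To field trims each vNIC's rule table, how group-based rules make a VM its own perimeter regardless of where it sits on the network, and how a flow state table lets packets of an already-allowed flow bypass rule lookup. Group names, ports and VM names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset         # source security groups, or {"any"}
    dst: frozenset         # destination security groups, or {"any"}
    ports: frozenset       # destination TCP ports, or {"any"}
    action: str            # "allow" or "drop"
    applied_to: frozenset  # groups whose vNICs receive this rule; {"dfw"} = every vNIC

def grp(*items) -> frozenset:
    return frozenset(items)

# Constructed inventory: group membership comes from VM attributes, not from IP or segment.
VM_GROUPS = {"web-01": grp("web"), "app-01": grp("app"), "db-01": grp("db")}

# Constructed policy, evaluated top-down at each vNIC; first match wins, default is drop.
POLICY = [
    Rule("web-to-app", grp("web"), grp("app"), grp(8080), "allow", grp("web", "app")),
    Rule("app-to-db", grp("app"), grp("db"), grp(5432), "allow", grp("app", "db")),
    Rule("block-db", grp("any"), grp("db"), grp("any"), "drop", grp("db")),
    Rule("default-drop", grp("any"), grp("any"), grp("any"), "drop", grp("dfw")),
]

def program_vnic(vm: str) -> list:
    """Model of the LCP step: a vNIC's rule table holds only rules whose Applied To covers it."""
    mine = VM_GROUPS[vm]
    return [r for r in POLICY if "dfw" in r.applied_to or mine & r.applied_to]

def _matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    ok_src = "any" in rule.src or bool(VM_GROUPS[src] & rule.src)
    ok_dst = "any" in rule.dst or bool(VM_GROUPS[dst] & rule.dst)
    return ok_src and ok_dst and ("any" in rule.ports or port in rule.ports)

def filter_packet(vm: str, flows: set, src: str, dst: str, port: int, syn: bool) -> str:
    """Enforce at one vNIC: established flows hit the flow state table, new ones the rule table."""
    key = (src, dst, port)
    if key in flows:
        return "allow"           # stateful: packets of an allowed flow are not re-evaluated
    if not syn:
        return "drop"            # no state and not a connection attempt: never allowed
    for rule in program_vnic(vm):
        if _matches(rule, src, dst, port):
            if rule.action == "allow":
                flows.add(key)   # record the flow so later packets match the state table
            return rule.action
    return "drop"
```

The same policy is enforced at both the source and destination vNIC, so web-01 reaching db-01 is dropped at web-01's own vNIC by the default rule and again at db-01's vNIC by block-db.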
You don’t need to go it alone. VMware is here to help you every step of the way.

We’ve helped thousands of organizations succeed with NSX through:
• Professional Services

• Training

• VMUG community


Where to Get Started

Engage and Learn
• Join the NSX VMUG Community: vmug.com/nsx

• Connect with your Peers: communities.vmware.com

• Embrace the NSX Mindset: nsxmindset.com

• Find NSX Resources: vmware.com/go/networking

• Read the Network Virtualization Blog: blogs.vmware.com/networkvirtualization

Take
• VMware Education - Training and Certification: vmware.com/go/nsxtraining

Try
• Free Hands-on Labs: test drive NSX with expert-led or self-paced hands-on labs at labs.hol.vmware.com


Thank You
