VMware VCloud Networking and Security 5.1 - Tech Overview

© 2010 VMware Inc. All rights reserved

Transcript of VMware VCloud Networking and Security 5.1 - Tech Overview

VMware vCloud Networking and Security – What’s New
Venky Deshpande, Sr. Technical Marketing Manager, VMware
Grant Suzuki, Sr. Technical Marketing Manager, VMware
Internal Only
The information about to be presented is confidential and is covered by the terms of VMware’s Key Employment Agreement and Business Conduct Guidelines.
These agreements outline your obligations regarding confidential information which apply to VMware employees both during and following employment at the company.
vSphere
Software defined Storage
Software defined Networking
Software Defined Security
Software defined Availability
VMware dramatically reduced the provisioning time of compute resources through the vSphere product. Customers have gained significant efficiency and flexibility as a direct result of deploying VMware’s virtualization solution. However, the network and security aspects of the data center have not kept pace with server virtualization when it comes to providing flexibility. The rigid, physical-device-based network and security design prevents customers from achieving the agility they hope to gain through cloud infrastructure.
VMware is extending the same approach to storage, network, security, availability, and applications in order to create a software defined datacenter (SDDC). SDDC enables enterprise IT departments to offer the services that users need while delivering better economics, velocity, and security than can be achieved with legacy architectures.
This is possible because of the software defined datacenter services layer.
We will focus on the software defined networking and security aspects in this talk.
vCloud Networking
Extensible Platform
Management and Operations
Allows compute to be pooled independent of the physical network topology
VMware Network Virtualization
Depends on physical constructs for isolation
Abstract across many hosts
Abstract across all hosts
Networks isolation independent of physical network constructs
vSwitch and VDS were industry firsts; we should show we have been doing this for a while. Check with people with history…
Distributed Switch
VXLAN
Distributed Switch
Distributed Switch
vSwitch
VMware introduced the virtual switch with the vSphere platform to provide connectivity between virtual machines and to the external physical network. As customers started deploying large numbers of hosts running vSphere, VMware introduced the distributed switch. The distributed switch simplified the management of virtual networks and also extended the capabilities of the virtual switch by providing visibility and monitoring features. In both virtual switch deployments, isolation between traffic is only possible through VLAN support, and so depends on the physical network infrastructure to provide that isolation.
Compute resources are tied to the Layer 2 network boundary
Can’t make use of resources that are available in a different rack
Because they are in a separate Layer 2 domain
Network infrastructure is not flexible enough to support on-demand infrastructure services.
Networks are pre-provisioned and difficult to change on the fly
Rigid hierarchical network design that is dictated by physical switch capacity
Can’t provision a large number of isolated networks
Limited number of VLANs (4k)
Limited mobility due to Layer 2 restrictions and IP namespace challenges
VXLAN overview:
It is an IETF draft standard supported by companies such as Cisco, Broadcom, Arista, Brocade and IBM.
The IP packets from the virtual machines are encapsulated in MAC frames. Each such MAC frame is then encapsulated with a UDP header and an 8-byte VXLAN header, and a new outer MAC frame is created for the packet. Because of this encapsulation, the virtual machine’s MAC address is not visible to the external physical switch infrastructure.
Unknown unicast traffic is converted into multicast instead of broadcast. The VXLAN protocol works with the existing physical network.
The encapsulation and decapsulation of the UDP frame and VXLAN header is performed by the VTEP. The VTEP is a module that runs in the host’s vSphere kernel.
The diagram on the left shows the logical view of VXLAN configured with one logical network.
With the 24-bit VXLAN network identifier field, customers can have 16 million such logical networks.
The other two main components shown in the diagram are the vShield Edge gateway devices. These two devices act in network HA mode, with one of them active and the other standby.
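To make the encapsulation concrete, here is an added Python example (not VMware code, and not part of the presentation) that builds and parses the outer Ethernet/IPv4/UDP/VXLAN wrapper around a VM frame. It assumes the IANA UDP port 4789 and constructed MAC and IP addresses; it shows the 8-byte header, the 24-bit VNI limit, and that the VM MACs do not appear in the outer headers a physical switch sees.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789        # IANA port; assumption, a draft-era deployment may use another
VXLAN_FLAG_I = 0x08          # "I" flag: the header carries a valid VNI
VNI_MAX = (1 << 24) - 1      # 24-bit VNI field -> 16,777,216 logical networks
OUTER_LEN = 14 + 20 + 8 + 8  # outer Ethernet + IPv4 + UDP + VXLAN header

def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(inner: bytes, vni: int, src_mac: bytes, dst_mac: bytes,
                src_ip: str, dst_ip: str) -> bytes:
    """Wrap a VM's Ethernet frame for transport between two VTEPs (MACs are raw 6-byte values)."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0 = omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + udp + vx + inner

def decapsulate(packet: bytes):
    """Return (vni, inner_frame); reject anything that is not a well-formed VXLAN packet."""
    if packet[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != 17:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + ihl
    if struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN port")
    vx_off = udp_off + 8
    flags, word = struct.unpack("!B3xI", packet[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    return word >> 8, packet[vx_off + 8:]
```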
LACP support
With the release of vSphere 5.1, VMware brings a number of powerful new features and enhancements to the networking capabilities in the vSphere platform. These new features enable customers to manage their virtual switch infrastructure with greater efficiency and confidence. The new capabilities can be categorized into three main areas: operational improvements, monitoring and troubleshooting enhancements, and improved scalability and extensibility of the VMware vSphere Distributed Switch (VDS) platform. Following are some of the key features as part of this release.
Network Health Check support – helps detect misconfigurations across physical and virtual switches
Configuration Backup and Restore – allows vSphere admins to store the VDS configuration as well as recover the network from an earlier configuration
Rollback and Recovery – addresses the challenges customers faced when a management network failure caused hosts to disconnect from the vCenter Server
Port Mirroring enhancements – new troubleshooting capabilities are introduced by supporting RSPAN and ERSPAN
Auto Expand – customers no longer have to manually expand or shrink the number of virtual ports in a distributed port group
MAC address management – supports locally administered MAC addresses, allowing users to specify a MAC prefix and/or MAC ranges, with control over all 48 bits of the MAC address
LACP support – standards-based link aggregation method
Remote port mirroring support, compatible with Cisco’s RSPAN
Support for encapsulated remote port mirroring via a GRE tunnel. This is also called ERSPAN.
IPFIX (NetFlow v10)
NetFlow v5 is not supported on VDS.
Enhanced SNMP support
Networking MIBs support
Virtual Switch related MIBs
To address the network administrator’s need for visibility into virtual infrastructure traffic, VMware introduced port mirroring and NetFlow features as part of the vSphere 5.0 release. These features provide necessary and familiar tools to network administrators that help them in monitoring and troubleshooting tasks. In vSphere 5.1, the port-mirroring feature is enhanced through the additional support for RSPAN and ERSPAN capability.
IPFIX, or NetFlow version 10, is an advanced and flexible protocol that allows customers to define the NetFlow records that are collected at the VDS and sent to a collector tool. Following are some key attributes of the protocol:
Customers can use templates to define the records
Template descriptions are communicated by the VDS to the Collector engine
Can report IPv6, MPLS, VXLAN flows.
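As an added illustration (not VMware code and not part of the deck), the following Python collector-side parser shows how an IPFIX template set describes the data records that follow it, and why a data set that arrives before its template cannot be decoded. The sample message is constructed here with five standard IANA information elements and is not real VDS output.

```python
import struct

IPFIX_VERSION = 10
IE_NAMES = {1: "octetDeltaCount", 7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}  # IANA IE ids

def decode_field(ie: int, raw: bytes):
    # IPv4 address IEs (8, 12) become dotted quads; everything else is a big-endian integer
    return ".".join(map(str, raw)) if ie in (8, 12) else int.from_bytes(raw, "big")

def parse_ipfix(msg: bytes, templates: dict) -> list:
    """Decode one IPFIX message: learn templates into `templates`, return the data records."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16                      # 16-byte message header precedes the sets
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4:
            raise ValueError("invalid set length")
        body, pos = msg[off + 4:off + set_len], 0
        if set_id == 2:                        # template set: describes later data sets
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos, fields = pos + 4, []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 8 if ie & 0x8000 else 4   # enterprise IEs carry a 4-byte PEN
                    fields.append((ie & 0x7FFF, flen))
                templates[tid] = fields
        elif set_id >= 256:                    # data set: decodable only with its template
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError("data set %d arrived before its template" % set_id)
            rec_len = sum(flen for _, flen in fields)
            while pos + rec_len <= len(body):  # a tail shorter than one record is padding
                rec = {}
                for ie, flen in fields:
                    rec[IE_NAMES.get(ie, "ie%d" % ie)] = decode_field(ie, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        off += set_len
    return records

# Constructed exporter output: template 256 (srcIP, dstIP, srcPort, dstPort, octets), then two flows
SAMPLE_MESSAGE = bytes.fromhex(
    "000a0058 00000000 00000001 00000001"
    "0002001c 01000005 00080004 000c0004 00070002 000b0002 00010008"
    "0100002c 0a010005 0a010009 9c4001bb 00000000 000005dc"
    "0a010007 0a010009 9c410016 00000000 00000060")
```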
SNMP is a standard protocol that allows a management system to poll agents running on network devices for specific information. The information that devices report depends on the individual agents running on those devices as well as the Management Information Base (MIB) supported. The SNMP agent available on VMware vSphere ESXi 5.0 and earlier releases of ESX provides support for the SNMP v1 and v2 protocols with VMware MIBs. Examples of VMware MIBs are “VMware-System-MIB” and “VMware-Env-MIB”. In this release of vSphere 5.1, SNMP support is enhanced through the following key capabilities:
1) Better security through the support for SNMPv3.
Single Root IO Virtualization (SR-IOV) Support
Standard that allows one PCI express (PCIe) adapter to be presented as multiple separate logical IO devices. Customers who want to offload IO processing to the adapters and reduce network latency can make use of this feature.
Scalability improvements
Number of static port group – 10,000
Number of distributed virtual ports – 60,000
Number of Hosts per VDS – 500
Netdump – provides ESXi hosts without disk (stateless/Auto Deploy) the ability to core dump over the network
Single Root IO Virtualization is a standard that allows one PCI express (PCIe) adapter to be presented as multiple separate logical devices to the VMs. The hypervisor manages the physical function (PF) while the virtual functions (VFs) are exposed to the VMs. SR-IOV capable network devices offer the hypervisor the benefits of direct I/O, which include reduced latency and reduced host CPU utilization. The VMware vSphere ESXi platform’s VMDirectPath (pass-through) functionality provides similar benefits to the customer, but requires a physical adapter per VM. With SR-IOV the pass-through functionality can be provided from a single adapter to multiple VMs through VFs.
Improved scaling numbers.
Logical Network Services: Firewall, Load Balancing, VPN, DNS Forwarding, DHCP, Data Security
Attach Services per Logical Network
VMware Network Virtualization
vShield Edge
vCloud 3rd Party Service Plugins
vShield Edge active/passive security virtual machine monitoring
Synchronization and Stateful 3-second failover for HTTP, HTTPS, and also TCP by port (SSH, FTP, etc.).
Asymmetrical routing issues avoided
Failover does not incur loss of half the bandwidth as this is Active/Standby.
vSphere Host monitoring and vMotion recovery
Firewall Rule ID will also show up in Syslog!
Rule table and controls will also be the same in vShield App!
The vShield Edge gateway services
Firewall
Rule sequence gives the order of execution
Rule ID is a unique identifier that also shows up in logging, along with the hostname of the vShield device that sent the log entry
Controls for paging and filtering allow for easier table viewing
vCenter containers like Resource Pools, vApps and Security Groups can be used as Source or Destination in FW rules
Configured alongside other network services like NAT, load balancing and VPN
HA capabilities that protect against network failures, host failures, and software failures
Edge and App firewall rule tables have been aligned
Rule table now features inline editing
Firewall rules now make extensive use of vCenter objects
External
External-1
External-2
vShield Edge 5.0 was limited to 1 Internal interface and 1 External interface.
One possible example of how vShield Edge 5.1 with 10 interfaces can be configured.
From 2 predefined to 10 user defined interfaces.
vShield Edge 5.0: 1 External, 1 Internal
vShield Edge 5.1: 10 user-defined interfaces
vShield Edge 5.0 was limited to 1 Internal and 1 External Interface.
vShield Edge 5.1 allows up to 10 interfaces that can be configured as Internal or External by the user.
Not all interfaces need to be configured
Interfaces can now be connected to the vSphere virtual network via a “Virtual Wire” (VXLAN), in addition to the original 5.0 options of “Standard Port Group” or “Distributed Port Group”.
Multi-subnet Support: multiple subnets are now supported on each interface.
Multiple external IP addresses can be configured for LB, VPN and NAT.
Internal interfaces can be RFC1918 private addresses.
All virtual network interfaces of a vShield Edge should be on different port groups.
The subnets of all vSE interfaces should not overlap.
24,000 connections per second
In vShield 5.0.1, there was only the “Compact” version of the vShield Edge. 5.1 scales this up with two new, larger vShield Edge sizes.
Flexibility of Multiple External IP Ranges for Edge Services
In 5.0.1 there was a limitation of just one subnet on external Edge interfaces.
In 5.1, secondary classless inter-domain routing (CIDR) blocks can be added and assigned to particular logical services.
Customers can add external subnets on demand, without re-installing.
Can restrict which subnet pool is available per service.
VXLAN: Dev
10.1.0.0/16, 74.32.1.64/30
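The interface and subnet rules from the two slides above (no two interfaces on the same port group, no overlapping subnets, a per-service restriction on which external pool may be used) can be checked before a configuration is pushed to the Edge. This added Python example is not VMware's code; its interface and port group names are hypothetical, and the sample pools are constructed from the slide's 10.1.0.0/16 and 74.32.1.64/30 values.

```python
from ipaddress import ip_interface, ip_network

# Constructed vShield Edge 5.1 configuration (hypothetical names): each interface is attached to
# one port group or virtual wire and carries a primary subnet plus optional secondary CIDR blocks.
EDGE_INTERFACES = {
    "external-1": {"attached": "dvPortGroup-Uplink", "subnets": ["74.32.1.65/30", "74.32.1.69/30"]},
    "internal-1": {"attached": "vwire-Dev", "subnets": ["10.1.0.1/16"]},
    "internal-2": {"attached": "vwire-Prod", "subnets": ["10.2.0.1/16", "192.168.10.1/24"]},
}
# Which external pool each Edge service may draw its addresses from (constructed)
SERVICE_POOLS = {"nat": ["74.32.1.64/30"], "lb": ["74.32.1.64/30"], "vpn": ["74.32.1.68/30"],
                 "sslvpn": ["203.0.113.0/29"]}
MAX_INTERFACES = 10

def check_interfaces(ifaces: dict) -> list:
    """Return violations of the placement rules: too many interfaces, a port group used by two
    interfaces, or subnets that overlap across interfaces."""
    problems, attach_owner, nets = [], {}, []
    if len(ifaces) > MAX_INTERFACES:
        problems.append("more than %d interfaces configured" % MAX_INTERFACES)
    for name, cfg in ifaces.items():
        owner = attach_owner.setdefault(cfg["attached"], name)
        if owner != name:
            problems.append("%s and %s share port group %s" % (owner, name, cfg["attached"]))
        for cidr in cfg["subnets"]:
            net = ip_interface(cidr).network
            for other_name, other in nets:
                if net.overlaps(other):
                    problems.append("%s %s overlaps %s %s" % (name, net, other_name, other))
            nets.append((name, net))
    return problems

def check_service_ip(service: str, addr: str, ifaces: dict, pools: dict) -> bool:
    """A NAT/LB/VPN external address must lie in a pool allowed for that service, and that
    pool must actually be configured as a subnet on one of the Edge interfaces."""
    ip = ip_interface(addr).ip
    configured = {ip_interface(s).network for cfg in ifaces.values() for s in cfg["subnets"]}
    return any(ip in ip_network(p) and ip_network(p) in configured for p in pools.get(service, []))
```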
VXLAN: Dev
Supports HTTPS pass-through
SSL-VPN
Production
Network
Edge provides administrative users with “full tunnel” access to protected resources by establishing an SSL encrypted tunnel between a laptop (Mac or Windows) and Edge.
Edge SSL-VPN is intended to be deployed for administrative purposes and as a substitute for more complicated IPsec Client-to-Site or Console/Jumper Server solutions.
Edge SSL-VPN does not support mobile clients (iOS / Droid) nor does it deliver common end user features such as reverse proxy, custom portal and SSL offload.
It is very important to not confuse the use cases and capabilities of Edge SSL-VPN with those of View.
IPsec VPN supports AES-NI
Up to 40% performance increase by supporting the new Intel® AES-NI (AES New Encryption Instruction Set).
The vSE offloads the AES encryption of data to the hardware on supported Intel Xeon and 2nd generation Intel Core processors.
No user configuration needed to enable. AES-NI support in hardware is auto-detected.
Supports certificate authentication, pre-shared key mode and IP Unicast traffic.
Multiple peer subnets can be configured behind a vSE IPSec tunnel. These subnets must be non-overlapping address ranges.
vShield Edge can sit behind a NAT device (NAT-Traversal)
Remote VPN routers can be located behind a NAT device as well.
You can have a maximum of 64 tunnels across a maximum of 10 sites.
You must configure an external IP address on the vShield Edge to provide VPN service.
No dynamic routing protocol at this time.
Choice and Flexibility through Standard APIs and Open Architecture
Logical Network Services
Extensible Platform
VMware Network Virtualization
Management and Operations
Virtual DC 3
Virtual DC 2
Virtual DC 1
Management and Context
Inside Virtual Server
e.g. an AV solution would plug in here without needing an agent.
Edge of Virtual Server
e.g. an agentless host IPS solution.
Edge of Virtual Network
e.g. a network IPS plug-in at the DC edge.
Four points of integration possible for services:
Inside a virtual machine
Network edge of a virtual datacenter
Management plane
Application programming interface shifting to the NetSec API
Load balancing, IPS and WAN optimization are some of the 3rd party service solutions being developed on the NetSec API.
3rd party vendors using the VMsafe API are transitioning over to the NetSec API.
Endpoint, 3rd Party service insertion, such as antivirus scanning, is part of the vSphere platform.
This is because it uses the endpoint security (EPSec) API and not the (NetSec) API.
Extensibility to other VMware Products
New in vCenter Networking and Security 5.1, API access to Traffic statistics is available.
This can be accessed by VMware Charge Back or another traffic monitoring solution.
The following statistics can be fetched from Edge using an API “Get” command over HTTPS:
vNetwork interface index number
Receive rate in Bytes/second
Transmit rate in Bytes/second
Requires vShieldAdmin, securityAdmin or superUser role rights.
vShield Edge gathers, archives and rolls up the statistics.
vShield Manager does not archive any data.