VMware vCloud Networking and Security – What’s New
Venky Deshpande, Sr. Technical Marketing Manager, VMware
Grant Suzuki, Sr. Technical Marketing Manager, VMware
*
*
Internal Only
The information about to be presented is confidential and is
covered by the terms of VMware’s Key Employment Agreement and
Business Conduct Guidelines.
These agreements outline your obligations regarding confidential
information, which apply to VMware employees both during and
following employment at the company.
*
*
vSphere
Software defined Storage
Software defined Networking
Software Defined Security
Software defined Availability
VMware dramatically reduced the provisioning time of compute
resources through the vSphere product. Customers have gained
significant efficiency and flexibility as a direct result of
deploying VMware’s virtualization solution. However, the network
and security aspects of the data center have not kept pace with
server virtualization when it comes to providing flexibility.
The rigid, physical-device-based network and security design
prevents customers from achieving the agility they are hoping to
gain through cloud infrastructure.
VMware is extending a similar approach to storage, network,
security, availability, and applications in order to create a
software defined datacenter (SDDC). SDDC enables enterprise IT
departments to offer the services that users need while delivering
better economics, velocity, and security than can be achieved with
legacy architectures.
This is possible because of the software defined datacenter
services layer.
We will focus on the Software defined Networking and Security
aspects in this talk.
*
*
vCloud Networking
Extensible Platform
Management and Operations
*
*
ALLOWS POOLING OF COMPUTE INDEPENDENT OF PHYSICAL NETWORK TOPOLOGY
VMware Network Virtualization
*
*
Depends on physical constructs for isolation
Abstract across many hosts
Abstract across all hosts
Networks isolation independent of physical network constructs
vSwitch and VDS were industry firsts; we should show we have been
doing this for a while. Check with people with history…
Diagram labels: vSwitch; Distributed Switch; Distributed Switch + VXLAN
VMware introduced the virtual switch with the vSphere platform to
provide connectivity between virtual machines and to the external
physical network. As customers started deploying large numbers of
hosts running vSphere, VMware introduced the distributed switch.
The distributed switch simplified the management of virtual
networks and also extended the capabilities of the virtual switch
by providing visibility and monitoring features. In both of these
virtual switch deployments, isolation between traffic is only
possible through VLAN support, so they have to depend on the
physical network infrastructure to provide that isolation.
*
*
Compute resources are tied to a Layer 2 network boundary
Can’t make use of resources that are available in a different
rack, because they are in a separate Layer 2 domain
Network infrastructure is not flexible enough to support on-demand
infrastructure services.
Networks are pre-provisioned and difficult to change on the
fly
Rigid hierarchical network design that is dictated by physical
switch capacity
Can’t provision a large number of isolated networks
Limitation on the number of VLANs (4k)
Limited mobility due to Layer 2 restrictions and IP namespace
challenges
*
*
VXLAN overview:
It is an IETF draft standard supported by companies such as Cisco,
Broadcom, Arista, Brocade and IBM.
The IP packets from the virtual machines are encapsulated in MAC
frames. Each MAC frame is then encapsulated with a UDP header and
an 8-byte VXLAN header, and a new outer MAC frame is created for
the packet. Because of this encapsulation the virtual machine’s MAC
address is not visible to the external physical switch
infrastructure.
Unknown unicast traffic is converted into multicast instead of
broadcast. The VXLAN protocol works with the existing physical
network.
The encap and decap of the UDP frame and VXLAN header is performed
by the VTEP. The VTEP is a module that runs in the host’s vSphere
kernel.
The diagram on the left shows the logical view of VXLAN configured
with one logical network.
With the 24-bit VXLAN network identifier field, customers can have
16 million such logical networks.
The other two main components shown in the diagram are the vShield
Edge gateway devices. These two devices act in network HA mode,
with one of them active and the other standby.
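The encapsulation described above, as an added example that is not part of the original presentation: a pure-Python model of what a VTEP does. It wraps an inner VM MAC frame in an 8-byte VXLAN header (flags plus 24-bit VNI), a UDP header, an IPv4 header and an outer MAC frame, then decapsulates it again. The UDP port 4789, the VTEP addresses and the VM MACs are assumptions chosen for the example; the slides do not state them. The result shows the 50-byte overhead, that the VM MAC never appears in the outer headers the physical switches see, and that the 24-bit VNI gives 16,777,216 networks.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN UDP port (assumed; not stated in the slides)
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" bit: VNI field carries a valid identifier
VNI_MAX = (1 << 24) - 1        # 24-bit VNI field -> 16,777,216 logical networks
ETHERTYPE_IPV4 = 0x0800

def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))

def ipv4_checksum(header):
    """Standard ones'-complement checksum over an IPv4 header (0 when verifying a good header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def vxlan_header(vni):
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    # 8 bytes: flags(1) | reserved(3) | VNI(3) | reserved(1)
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)

def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload

def encapsulate(inner_frame, vni, src_vtep, dst_vtep, src_port=49152):
    """VTEP encap: inner MAC frame -> VXLAN header -> UDP -> IPv4 -> outer MAC frame."""
    payload = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                         socket.inet_aton(src_vtep["ip"]), socket.inet_aton(dst_vtep["ip"]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return ethernet_frame(dst_vtep["mac"], src_vtep["mac"], ETHERTYPE_IPV4, ip_hdr + udp)

def decapsulate(outer_frame):
    """VTEP decap: validate the outer headers and return (vni, inner_frame)."""
    if struct.unpack("!H", outer_frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (outer_frame[14] & 0x0F) * 4
    ip_hdr = outer_frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip_hdr[9] != 17:
        raise ValueError("outer packet is not UDP")
    udp_start = 14 + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", outer_frame[udp_start:udp_start + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN traffic")
    vx = udp_start + 8
    flags, word = struct.unpack("!B3xI", outer_frame[vx:vx + 8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    return word >> 8, outer_frame[vx + 8:udp_start + udp_len]

def demo():
    # Constructed sample: a VM on VNI 5001 sends a 40-byte IPv4-looking payload to another VM
    vm_src, vm_dst = "00:50:56:aa:00:01", "00:50:56:aa:00:02"
    inner = ethernet_frame(vm_dst, vm_src, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 39)
    vtep_a = {"ip": "192.168.10.11", "mac": "00:1b:21:00:00:0a"}   # assumed VTEP addresses
    vtep_b = {"ip": "192.168.10.12", "mac": "00:1b:21:00:00:0b"}
    outer = encapsulate(inner, 5001, vtep_a, vtep_b)
    vni, recovered = decapsulate(outer)
    outer_headers = outer[:14 + 20 + 8 + 8]   # outer MAC + IPv4 + UDP + VXLAN
    return {
        "vni": vni,
        "roundtrip_ok": recovered == inner,
        "overhead_bytes": len(outer) - len(inner),
        # the VM MAC only exists inside the encapsulated payload, never in the outer headers
        "vm_mac_in_outer_headers": mac_bytes(vm_src) in outer_headers,
        "max_networks": VNI_MAX + 1,
    }

if __name__ == "__main__":
    print(demo())
```

The 50 bytes of overhead (14 + 20 + 8 + 8) are why the physical MTU must be raised when VXLAN is deployed over an existing network; the decapsulation checks mirror what a VTEP must verify before trusting the VNI it reads from an inbound UDP datagram.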
*
*
LACP support
With the release of vSphere 5.1, VMware brings a number of powerful
new features and enhancements to the networking capabilities in the
vSphere platform. These new features enable customers to manage
their virtual switch infrastructure with greater efficiency and
confidence. The new capabilities can be categorized into three main
areas: operational improvements, monitoring and troubleshooting
enhancements, and improved scalability and extensibility of the
VMware vSphere Distributed Switch (VDS) platform. Following are
some of the key features as part of this release.
Network Health Check support – helps detect misconfigurations
across physical and virtual switches
Configuration Backup and Restore – allows vSphere admins to store
the VDS configuration as well as recover the network from an old
configuration
Rollback and recovery – addresses the challenges that customers
faced when a management network failure caused the hosts to
disconnect from the vCenter Server
Port Mirroring enhancements – new troubleshooting capabilities are
introduced by supporting RSPAN and ERSPAN
Auto Expand – customers no longer have to manually expand or shrink
the number of virtual ports in the distributed port group
MAC address Management – supports locally administered MAC
addresses, allowing users to specify a MAC prefix and/or MAC
ranges, with control over all 48 bits of the MAC address
LACP support – standards-based link aggregation method
*
*
Remote port mirroring support, compatible with Cisco’s RSPAN
Support for encapsulated remote port mirroring via GRE tunnel; this
is also called ERSPAN.
IPFIX (NetFlow v10)
NetFlow v5 is not supported on VDS.
Enhanced SNMP support
Networking MIB support
Virtual switch related MIBs
To address the network administrator’s need for visibility into
virtual infrastructure traffic, VMware introduced port mirroring
and NetFlow features as part of the vSphere 5.0 release. These
features provide necessary and familiar tools to network
administrators that help them in monitoring and troubleshooting
tasks. In vSphere 5.1, the port-mirroring feature is enhanced
through the additional support for RSPAN and ERSPAN
capability.
IPFIX, or NetFlow version 10, is the advanced and flexible protocol
that allows customers to define the NetFlow records that are
collected at the VDS and sent to a collector tool. Following
are some key attributes of the protocol:
Customers can use templates to define the records
Template descriptions are communicated by the VDS to the collector
engine
Can report IPv6, MPLS and VXLAN flows.
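To make the template mechanism concrete, here is an added example (not code from the presentation or from VMware) that builds an IPFIX message the way an exporter such as the VDS would, and parses it the way a collector would. The exporter sends a template set describing the record layout, then a data set whose records can only be decoded with that template; a collector that sees the data before the template has to reject or buffer it. The information element numbers are the standard IANA IPFIX ones; template ID 256, the observation domain and the two flows are constructed sample values.

```python
import socket
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
TEMPLATE_ID = 256   # set IDs 256 and above are template IDs; 256 chosen for this example

# IANA IPFIX information elements used here: (name, element id, length in bytes)
TEMPLATE_FIELDS = [
    ("sourceIPv4Address", 8, 4),
    ("destinationIPv4Address", 12, 4),
    ("sourceTransportPort", 7, 2),
    ("destinationTransportPort", 11, 2),
    ("protocolIdentifier", 4, 1),
    ("octetDeltaCount", 1, 8),
    ("packetDeltaCount", 2, 8),
]
NAMES_BY_ID = {ie_id: name for name, ie_id, _ in TEMPLATE_FIELDS}

def encode_field(name, length, value):
    return socket.inet_aton(value) if name.endswith("IPv4Address") else value.to_bytes(length, "big")

def decode_field(name, raw):
    return socket.inet_ntoa(raw) if name.endswith("IPv4Address") else int.from_bytes(raw, "big")

def build_template_set():
    """Template set: set id 2, then (template id, field count, (ie id, length)...)."""
    rec = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    for _, ie_id, length in TEMPLATE_FIELDS:
        rec += struct.pack("!HH", ie_id, length)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(rec)) + rec

def build_data_set(flows):
    """Data set: set id equals the template id; records are fixed-length per the template."""
    body = b"".join(b"".join(encode_field(n, l, flow[n]) for n, _, l in TEMPLATE_FIELDS)
                    for flow in flows)
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body

def build_message(flows, export_time, sequence, domain_id, include_template=True):
    sets = (build_template_set() if include_template else b"") + build_data_set(flows)
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets), export_time, sequence, domain_id)
    return header + sets

def parse_message(msg, templates=None):
    """Collector side: learn templates from template sets, decode data sets with them."""
    templates = {} if templates is None else templates
    version, length, _, _, _ = struct.unpack("!HHIII", msg[:16])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    flows, pos = [], 16
    while pos < length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        body = msg[pos + 4:pos + set_len]
        if set_id == TEMPLATE_SET_ID:
            tid, count = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(count)]
        elif set_id >= 256:
            if set_id not in templates:
                raise ValueError(f"data set {set_id} arrived before its template")
            fields = templates[set_id]
            rec_len = sum(l for _, l in fields)
            for off in range(0, len(body) - rec_len + 1, rec_len):   # trailing padding is ignored
                rec, cur = {}, off
                for ie_id, l in fields:
                    name = NAMES_BY_ID.get(ie_id, f"ie{ie_id}")
                    rec[name] = decode_field(name, body[cur:cur + l])
                    cur += l
                flows.append(rec)
        pos += set_len
    return flows

def demo():
    # Constructed sample flows, as a VDS exporter might report them
    flows = [
        {"sourceIPv4Address": "10.1.1.10", "destinationIPv4Address": "10.1.2.20",
         "sourceTransportPort": 51234, "destinationTransportPort": 443,
         "protocolIdentifier": 6, "octetDeltaCount": 184320, "packetDeltaCount": 150},
        {"sourceIPv4Address": "10.1.1.11", "destinationIPv4Address": "10.1.2.53",
         "sourceTransportPort": 40000, "destinationTransportPort": 53,
         "protocolIdentifier": 17, "octetDeltaCount": 512, "packetDeltaCount": 4},
    ]
    msg = build_message(flows, export_time=1700000000, sequence=1, domain_id=42)
    return {"flows": flows, "message": msg, "decoded": parse_message(msg)}

if __name__ == "__main__":
    print(demo()["decoded"])
```

The template is what lets the same collector handle the IPv6, MPLS and VXLAN flow records mentioned above: the exporter changes the field list it advertises, and the collector learns the new layout from the wire rather than from a hard-coded v5 record format.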
SNMP is a standard protocol that allows a management system to poll
agents running on network devices for specific information. The
information that devices report depends on the individual agents
running on those devices as well as the Management Information Base
(MIB) supported. The SNMP agent available on VMware vSphere ESXi
5.0 and earlier releases of ESX provides support for the SNMP v1 and
v2 protocols with VMware MIBs. Examples of VMware MIBs are
“VMware-System-MIB” and “VMware-Env-MIB”. In this release of vSphere
5.1, SNMP support is enhanced through the following key
capabilities:
1) Better security through the support for SNMPv3.
*
*
Single Root IO Virtualization (SR-IOV) Support
Standard that allows one PCI express (PCIe) adapter to be presented
as multiple separate logical IO devices. Customers who want to
offload IO processing to the adapters and reduce network latency
can make use of this feature.
Scalability improvements
Number of static port group – 10,000
Number of distributed virtual ports – 60,000
Number of Hosts per VDS – 500
Netdump – provides ESXi hosts without disks
(stateless/Auto Deploy) the ability to core dump over the network
Single Root IO Virtualization is a standard that allows one PCI
express (PCIe) adapter to be presented as multiple separate logical
devices to the VMs. The hypervisor manages the physical function
(PF) while the virtual functions (VFs) are exposed to the VMs. In
the hypervisor, SR-IOV-capable network devices offer the benefits of
direct I/O, which include reduced latency and reduced host CPU
utilization. The VMware vSphere ESXi platform’s VMDirectPath
(pass-through) functionality provides similar benefits to the
customer, but requires a physical adapter per VM. With SR-IOV the
pass-through functionality can be provided from a single adapter to
multiple VMs through VFs.
Improved scaling numbers.
*
*
Logical Network Services: Firewall, Load Balancing, VPN, DNS
Forwarding, DHCP, Data Security
Attach Services per Logical Network
VMware Network Virtualization
vShield Edge
vCloud 3rd Party Service Plugins
*
*
vShield Edge active/passive security virtual machine monitoring
Synchronization and stateful 3-second failover for HTTP, HTTPS, and
also TCP by port (SSH, FTP, etc.).
Asymmetrical routing issues avoided
Failover does not incur loss of half the bandwidth, as this is
Active/Standby.
vSphere host monitoring and vMotion recovery
*
*
Firewall Rule ID will also show up in Syslog!
Rule table and controls will also be the same in vShield App!
The vShield Edge gateway services
Firewall
Rule sequence gives order of execution
Rule ID is a unique identifier that will show up in logging as well,
along with the hostname of the vShield device which sent it
Controls for paging and filtering allow for easier table viewing
vCenter containers like Resource Pools, vApp and Security Groups
can be used as Source or Destination in FW rules
Configured proximally to other network services like NAT, load
balancing and VPN
HA capabilities that protect against network failures, host
failures, and software failures
Edge and App firewall rule tables have been aligned
Rule table now features inline editing
Firewall rules now make extensive use of vCenter objects
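An added example, not code from the presentation or from vShield, of the rule-table behaviour just described: rules are evaluated in sequence order, source and destination may be vCenter containers (resolved here through a constructed inventory of Security Groups, Resource Pools and vApps) or literal addresses, and every decision is logged with the rule ID and the hostname of the device that made it. A small parser pulls the rule ID back out of the log line, which is how a SOC correlates a syslog event with the row in the rule table. The rule IDs, container names, hostname and log format are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: int        # unique identifier; appears in the syslog line
    sequence: int       # position in the table; lower values are evaluated first
    source: str         # CIDR/IP, "any", or a vCenter container name
    destination: str
    service: str        # "any" or "<proto>/<port>", e.g. "tcp/443"
    action: str         # "allow" or "deny"

# Constructed inventory: vCenter containers resolved to the addresses of their members
INVENTORY = {
    "SG-Web": ["10.1.10.11", "10.1.10.12"],   # Security Group
    "RP-Finance": ["10.1.20.0/24"],           # Resource Pool
    "vApp-Logging": ["10.1.30.5"],            # vApp
}

# Constructed rule table; deliberately stored out of sequence order
RULES = [
    Rule(1003, 3, "any", "RP-Finance", "any", "deny"),
    Rule(1001, 1, "SG-Web", "vApp-Logging", "udp/514", "allow"),
    Rule(1002, 2, "any", "SG-Web", "tcp/443", "allow"),
]
DEFAULT_RULE_ID = 1000   # assumed id for the implicit default-deny rule

def resolve(selector):
    """'any' -> None (wildcard); container name -> member networks; otherwise a literal CIDR/IP."""
    if selector == "any":
        return None
    return [ipaddress.ip_network(m, strict=False) for m in INVENTORY.get(selector, [selector])]

def matches(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in net for net in nets)

def service_matches(rule_service, proto, port):
    return rule_service == "any" or rule_service == f"{proto}/{port}"

def log_line(hostname, rule_id, action, proto, src_ip, dst_ip, port):
    # Constructed syslog-style format carrying the sending host and the rule ID
    return (f"{hostname} vShield-Edge firewall: ruleId={rule_id} {action.upper()} "
            f"{proto} {src_ip} -> {dst_ip}:{port}")

def evaluate(rules, src_ip, dst_ip, proto, port, hostname="vse-edge-01"):
    """First match in sequence order wins; no match falls through to default deny."""
    for rule in sorted(rules, key=lambda r: r.sequence):
        if (matches(resolve(rule.source), src_ip) and matches(resolve(rule.destination), dst_ip)
                and service_matches(rule.service, proto, port)):
            return rule.action, rule.rule_id, log_line(hostname, rule.rule_id, rule.action,
                                                       proto, src_ip, dst_ip, port)
    return "deny", DEFAULT_RULE_ID, log_line(hostname, DEFAULT_RULE_ID, "deny",
                                             proto, src_ip, dst_ip, port)

LOG_RE = re.compile(r"^(?P<host>\S+) vShield-Edge firewall: ruleId=(?P<rule_id>\d+) "
                    r"(?P<action>ALLOW|DENY)")

def rule_id_from_log(line):
    """Collector side: recover (hostname, rule id, action) from a log line, or None."""
    m = LOG_RE.match(line)
    return (m.group("host"), int(m.group("rule_id")), m.group("action")) if m else None

if __name__ == "__main__":
    for flow in [("10.1.10.11", "10.1.30.5", "udp", 514), ("10.1.10.11", "10.1.20.7", "tcp", 22)]:
        print(evaluate(RULES, *flow)[2])
```

Because the inventory is resolved at evaluation time, adding a VM to a Security Group changes enforcement without editing any rule, which is the point of using vCenter objects instead of addresses in the table.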
*
*
Diagram labels: External, External-1, External-2
vShield Edge 5.0 was limited to 1 Internal interface and 1 External
interface.
One possible example of how vShield Edge 5.1 with 10 interfaces can
be configured.
From 2 predefined to 10 user-defined interfaces.
vShield Edge 5.0: 1 External, 1 Internal
vShield Edge 5.1: 10 user-defined interfaces
vShield Edge 5.1 allows up to 10 interfaces that can be configured
as Internal or External by the user.
Not all interfaces need to be configured
Interfaces can now be connected to the vSphere virtual network via
a “Virtual Wire” (VXLAN), in addition to the original 5.0 options
of “Standard Port Group” or “Distributed Port Group”.
Multi-subnet Support: multiple subnets are now supported on each
interface.
Multiple external IP addresses can be configured for LB, VPN and
NAT.
Internal interfaces can be RFC1918 private addresses.
All virtual network interfaces of a vShield Edge should be on
different port groups.
The subnets of all vSE interfaces should not overlap.
*
*
24,000 connections per second1
In vShield 5.0.1, there was only the “Compact” version of the
vShield Edge. 5.1 scales this up with two new, larger vShield Edge
sizes.
*
*
Flexibility of Multiple External IP Ranges for Edge Services
In 5.0.1 there was a limitation of just one subnet on external Edge
interfaces.
In 5.1, secondary classless inter-domain routing (CIDR) blocks can
be added and assigned to particular logical services.
Customers can add external subnets on-demand, without
re-installing
Can restrict which subnet pool is available per service
Diagram: VXLAN: Dev – 10.1.0.0/16, 74.32.1.64/30
SSL-VPN: supports HTTPS pass-through
Diagram labels: Production Network
Edge provides administrative users with “full tunnel” access to
protected resources by establishing an SSL encrypted tunnel between
a laptop (Mac or Windows) and Edge.
Edge SSL-VPN is intended to be deployed for administrative purposes
and as a substitute for more complicated IPsec Client-to-Site or
Console/Jumper Server solutions.
Edge SSL-VPN does not support mobile clients (iOS / Droid) nor does
it deliver common end user features such as reverse proxy, custom
portal and SSL offload.
It is very important to not confuse the use cases and capabilities
of Edge SSL-VPN with those of View.
*
*
IPsec VPN supports AES-NI
Up to 40% performance increase by supporting the new Intel® AES-NI
(AES New Encryption Instruction Set).1
The vSE offloads the AES encryption of data to the hardware on
supported Intel Xeon and 2nd generation Intel Core
processors.
No user configuration needed to enable. AES-NI support in hardware
is auto-detected.
Supports certificate authentication, pre-shared key mode and IP
Unicast traffic.
Multiple peer subnets can be configured behind a vSE IPSec tunnel.
These subnets must be non-overlapping address ranges.
vShield Edge can sit behind a NAT device (NAT-Traversal)
Remote VPN routers can be located behind a NAT device as
well.
You can have a maximum of 64 tunnels across a maximum of 10 sites.
You must configure an external IP address on the vShield Edge to
provide VPN service.
No dynamic routing protocol at this time.
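Two of the constraints above are the same check: vShield Edge interface subnets must not overlap (and each interface needs its own port group), and the peer subnets behind an IPsec tunnel must be non-overlapping. The following is an added example, not code from the presentation or from vShield, of a pre-deployment validator for both; the interface names, port group names and address ranges are constructed sample values.

```python
import ipaddress

MAX_EDGE_INTERFACES = 10   # vShield Edge 5.1 limit stated in the slides

def find_overlaps(labelled_subnets):
    """labelled_subnets: iterable of (label, cidr). Returns (label_a, label_b) pairs that overlap."""
    nets = [(label, ipaddress.ip_network(cidr, strict=False)) for label, cidr in labelled_subnets]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

def validate_edge_interfaces(interfaces):
    """interfaces: list of {"name", "portgroup", "subnets": [cidr, ...]}. Returns a list of findings."""
    findings = []
    if len(interfaces) > MAX_EDGE_INTERFACES:
        findings.append(f"{len(interfaces)} interfaces configured, limit is {MAX_EDGE_INTERFACES}")
    portgroup_owner = {}
    for itf in interfaces:
        owner = portgroup_owner.setdefault(itf["portgroup"], itf["name"])
        if owner != itf["name"]:
            findings.append(f"{itf['name']} shares port group {itf['portgroup']} with {owner}")
    labelled = [(f"{itf['name']} {cidr}", cidr) for itf in interfaces for cidr in itf["subnets"]]
    findings += [f"overlapping subnets: {a} and {b}" for a, b in find_overlaps(labelled)]
    return findings

def validate_ipsec_peer_subnets(local_subnets, peer_subnets):
    """Local and remote subnets behind one tunnel must all be disjoint."""
    labelled = ([(f"local {s}", s) for s in local_subnets] +
                [(f"peer {s}", s) for s in peer_subnets])
    return [f"overlapping subnets: {a} and {b}" for a, b in find_overlaps(labelled)]

def demo():
    # Constructed configurations: one with two mistakes, one clean
    bad = [
        {"name": "vnic0", "portgroup": "dvpg-External",
         "subnets": ["203.0.113.10/24", "198.51.100.64/30"]},   # multi-subnet external interface
        {"name": "vnic1", "portgroup": "vxlan-Dev", "subnets": ["10.1.0.1/16"]},
        {"name": "vnic2", "portgroup": "vxlan-Dev", "subnets": ["10.1.5.1/24"]},  # same port group, nested subnet
    ]
    good = [
        {"name": "vnic0", "portgroup": "dvpg-External", "subnets": ["203.0.113.10/24"]},
        {"name": "vnic1", "portgroup": "vxlan-Dev", "subnets": ["10.1.0.1/16"]},
        {"name": "vnic2", "portgroup": "vxlan-Prod", "subnets": ["10.2.0.1/16"]},
    ]
    return {
        "bad": validate_edge_interfaces(bad),
        "good": validate_edge_interfaces(good),
        "ipsec": validate_ipsec_peer_subnets(["10.1.0.0/16"], ["10.2.0.0/16", "10.1.200.0/24"]),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

Overlapping ranges on an Edge are a security problem as well as a routing one: a packet that matches two interfaces' subnets may be forwarded, NATed or firewalled under the wrong interface's policy, so catching the overlap before the configuration is pushed is cheaper than diagnosing it from asymmetric traffic later.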
*
*
Choice and Flexibility through Standard APIs and Open Architecture
Logical Network Services
Extensible Platform
VMware Network Virtualization
Management and Operations
Virtual DC 3
Virtual DC 2
Virtual DC 1
Management and Context
Inside Virtual Server
e.g. an AV solution would plug in here without needing an agent.
Edge of Virtual Server
e.g. an agentless host IPS solution.
Edge of Virtual Network
e.g. a network IPS plug-in at the DC edge.
Four points of integration possible for services:
Inside a virtual machine
Network edge of a virtual datacenter
Management plane
The application programming interface is shifting to the NetSec API
Load balancing, IPS and WAN optimization are some of the 3rd-party
service solutions being developed on the NetSec API.
3rd-party vendors using the VMsafe API are transitioning over to
the NetSec API.
Endpoint 3rd-party service insertion, such as antivirus scanning,
is part of the vSphere platform.
This is because it uses the endpoint security (EPSec) API and not
the NetSec API.
*
*
Extensibility to other VMware Products
New in vCenter Networking and Security 5.1, API access to traffic
statistics is available.
This can be accessed by VMware Chargeback or another traffic
monitoring solution.
The following statistics can be fetched from Edge using an API
GET request over HTTPS:
vNetwork interface index number
Receive rate in bytes/second
Transmit rate in bytes/second
Requires the vShieldAdmin, securityAdmin or superUser role rights.
vShield Edge gathers, archives and rolls up the statistics.
vShield Manager does not archive any data.
*
*