VMWARE NSX-T

VMware NSX-T Reference Design Guide Table of Contents 1 Introduction 4 1.1 How to Use This Document 4 1.2 Networking and Security Today 5 1.3 NSX-T Architecture Value and Scope 5 2 NSX-T Architecture Components 11 2.1 Management Plane 11 2.2 Control Plane 12 2.3 Data Plane 12 3 NSX-T Logical Switching 13 3.1 The N-VDS 13 3.1.1 Uplink vs. pNIC 13 3.1.2 Teaming Policy 14 3.1.3 Uplink Profile 14 3.1.4 Transport Zones, Host Switch Name 16 3.2 Logical Switching 17 3.2.1 Overlay Backed Logical Switches 17 3.2.2 Flooded Traffic 18 3.2.2.1 Head-End Replication Mode 19 3.2.2.2 Two-tier Hierarchical Mode 19 3.2.3 Unicast Traffic 21 3.2.4 Data Plane Learning 22 3.2.5 Tables Maintained by the NSX-T Controller 23 3.2.5.1 MAC Address to TEP Tables 23 3.2.5.2 ARP Tables 23 3.2.6 Overlay Encapsulation 25 4 NSX-T Logical Routing 26 4.1 Logical Router Components 27 4.1.1 Distributed Router (DR) 27 4.1.2 Services Router 32 4.2 Two-Tier Routing 36 VMware NSX-T Reference Design Guide 2 4.2.1 Interface Types on Tier-1 and Tier-0 Logical Routers 37 4.2.2 Route Types on Tier-1 and Tier-0 Logical Routers 38 4.2.3 Fully Distributed Two Tier Routing 39 4.3 Edge Node 41 4.3.1 Bare Metal Edge 42 4.3.2 VM Form Factor 46 4.3.3 Edge Cluster 48 4.4 Routing Capabilities 49 4.4.1 Static Routing 49 4.4.2 Dynamic Routing 50 4.5 Services High Availability 53 4.5.1 Active/Active 53 4.5.2 Active/Standby 54 4.6 Other Network Services 56 4.6.1 Network Address Translation 56 4.6.2 DHCP Services 56 4.6.3 Metadata Proxy Service 57 4.6.4 Edge Firewall Service 57 4.7 Topology Consideration 57 4.7.1 Supported Topologies 57 4.7.2 Unsupported Topologies 59 5 NSX-T Security 60 5.1 NSX-T Security Use Cases 60 5.2 NSX-T DFW Architecture and Components 62 5.2.1 Management Plane 62 5.2.2 Control Plane 62 5.2.3 Data Plane 63 5.3 NSX-T Data Plane Implementation - ESXi vs. KVM Hosts 63 5.3.1 ESXi Hosts- Data Plane Components 64 5.3.2 KVM Hosts- Data Plane Components 64 5.3.3 NSX-T DFW Policy Lookup and Packet Flow 65 5.4 NSX-T Security Policy- Plan, Design and Implement 67 5.4.1 Security Policy- Methodology 67 5.4.1.1 Application 68 VMware NSX-T Reference Design Guide 3 5.4.1.2 Infrastructure 68 5.4.1.3 Network 69 5.4.2 Security Rule Model 69 5.4.3 Security Policy - Consumption Model 70 5.4.3.1 Group Creation Strategies 71 5.4.3.2 Define Policy using DFW Rule Table 73 5.5 Additional Security Features 78 5.6 NSX-T Security Deployment Options 79 5.7 Edge FW 79 5.7.1 Consumption 80 5.7.2 Implementation 80 5.7.3 Deployment Scenarios 80 5.8 Recommendation for Security Deployments 82 6 NSX-T Design Considerations 83 6.1 Physical Infrastructure of the Data Center 83 6.2 NSX-T Infrastructure Component Connectivity 85 6.3 Compute Cluster Design (ESXi/KVM) 88 6.4 Edge Node and Services Design 93 6.4.1 Bare Metal Edge Design 93 6.4.2 Edge Node VM 96 6.4.3 Edge Cluster 101 6.5 Multi-Compute Workload Domain Design Consideration 103 6.5.1 Common Deployment Consideration with NSX-T Components 105 6.5.2 Collapsed Management and Edge Resources Design 106 6.5.3 Dedicated Management and Edge Resources Design 109 6.5.3.1 Enterprise ESXi Based Design 109 6.5.3.2 Enterprise KVM Based Design 111 7 Conclusion 113