Scott and Brad

Quick Recap:

Implementing NSX: the business wants to be Amazon-like and do more with less. Abstraction, pooling and automation are key, across compute, networking and storage.

Both network admins and server admins need access to the same environment. How?

RBAC, integration with AD groups

Modify the existing roles (today both network admins and server admins are Administrator).

1. Restrict per DVS: NSX port groups for network admins; VMkernels, system traffic, etc. for server admins.

> network folder, modify permissions

2. RBAC with a single DVS (preferred method)

> just give read-only on a port group level to network admins (e.g. vMotion, management, NFS)

On a VM level, RBAC on VMs. Network admins get access on folder level (F5, LB, NSX). Server admins get no access/read-only.

TEX2254 VMworld 2014 Barcelona

Quick Recap:

A lot of customers want to be Amazon-like. SDDC is used for this. NSX is the SDN part of the SDDC model.

NSX momentum, over 150 customers.

How are these customers using NSX today: Three main use cases

1. Self-Service IT (Portal) – DevOps Cloud and On-boarding M&A

2. Data Center Automation – Micro-segmentation of App – Simplifying Compute Silo

3. DMZ Deployments

NSX is not a product, it is a platform. How?

Operations, Security, Physical + Virtual (L2/L3 gateway), Application Delivery (LB, WAN Optimization)

Service Insertion through Gateway, VTEP.


VMware NSX Distributed Firewall

Quick recap:

The VMware NSX Distributed Firewall can be used for micro-segmentation. There are no choke points and there is scale-out performance up to 20 Gbps.

It acts like a firewall on the vNIC. Each vNIC has its own rule set. Performance is close to line rate. Traffic redirection to third-party services is possible.

Of course there is the Rest API.

DFW is a stateful engine. During a vMotion the state table is migrated and is in place before the VM arrives on the destination host.
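Because every vNIC carries its own rule set, one broad "allow any to any" rule pushed through the API quietly undoes the micro-segmentation described above. The following is an added example, not NSX code or part of these session notes: it audits a DFW configuration document for enabled allow rules with no sources, destinations or services (any/any/any) and for allow rules that are not logged, and reports the action of the catch-all rule. The XML is a constructed sample modelled on the NSX 6.x `GET /api/4.0/firewall/globalroot-0/config` document; the element and attribute names are an assumption to check against your NSX version.

```python
"""Audit a distributed-firewall rule set for rules that undo micro-segmentation.

Added example, not NSX code. SAMPLE_DFW_CONFIG is a constructed document
modelled on the NSX 6.x DFW config XML; element names are an assumption.
"""
import xml.etree.ElementTree as ET

SAMPLE_DFW_CONFIG = """
<firewallConfiguration>
  <contextId>globalroot-0</contextId>
  <layer3Sections>
    <section id="1001" name="Web tier">
      <rule id="1" disabled="false" logged="true">
        <name>web-to-app</name>
        <action>allow</action>
        <sources excluded="false"><source><type>SecurityGroup</type><value>securitygroup-web</value></source></sources>
        <destinations excluded="false"><destination><type>SecurityGroup</type><value>securitygroup-app</value></destination></destinations>
        <services><service><type>Application</type><value>application-https</value></service></services>
      </rule>
      <rule id="2" disabled="false" logged="false">
        <name>temporary-any</name>
        <action>allow</action>
      </rule>
      <rule id="3" disabled="true" logged="false">
        <name>old-any</name>
        <action>allow</action>
      </rule>
    </section>
    <section id="1002" name="Default Section Layer3">
      <rule id="1003" disabled="false" logged="false">
        <name>Default Rule</name>
        <action>deny</action>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>
"""


def _is_any(rule, tag):
    """True when the rule has no <sources>/<destinations>/<services> entries, i.e. 'any'."""
    node = rule.find(tag)
    return node is None or len(list(node)) == 0


def audit_dfw(xml_text):
    """Return findings for enabled allow rules that are any/any/any or unlogged."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("section"):
        for rule in section.findall("rule"):
            if rule.get("disabled") == "true":
                continue  # disabled rules are not enforced on the vNIC
            action = (rule.findtext("action") or "").lower()
            if action != "allow":
                continue
            name = rule.findtext("name") or rule.get("id")
            loc = f"section '{section.get('name')}' rule {rule.get('id')} ({name})"
            if all(_is_any(rule, t) for t in ("sources", "destinations", "services")):
                findings.append(f"ANY/ANY allow: {loc}")
            if rule.get("logged") != "true":
                findings.append(f"unlogged allow: {loc}")
    return findings


def default_action(xml_text):
    """Action of the last rule in the last layer-3 section (the catch-all)."""
    root = ET.fromstring(xml_text)
    rules = [r for s in root.iter("section") for r in s.findall("rule")]
    return (rules[-1].findtext("action") or "").lower() if rules else None


if __name__ == "__main__":
    for finding in audit_dfw(SAMPLE_DFW_CONFIG):
        print(finding)
    print("default action:", default_action(SAMPLE_DFW_CONFIG))
```

In practice the document would come from the REST API mentioned in the notes rather than from a string; running the audit on every change (or from a scheduled job) catches "temporary" any/any rules before they become permanent.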

NPV traffic map

If you use SAN pin groups in UCS Manager, they translate to the NPV traffic map feature on the CLI. You can see this with the "show npv traffic-map" command on the FI (connect nxos).

show npv traffic-map

UCS-SB60-A(nxos)# show npv traffic-map

NPV Traffic Map Information:
----------------------------------------
Server-If    External-If(s)
----------------------------------------
vfc699       san-port-channel 100
vfc700       vfc697
vfc701       vfc697
vfc702       san-port-channel 100
----------------------------------------

show running:

npv traffic-map server-interface vfc699 external-interface san-port-channel 100
npv traffic-map server-interface vfc700 external-interface vfc697
npv traffic-map server-interface vfc701 external-interface vfc697
npv traffic-map server-interface vfc702 external-interface san-port-channel 100
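To check that the pinning UCS Manager pushed down matches what the fabric interconnect is actually enforcing, the two outputs above can be parsed and compared. This is an added example, not part of the session notes or a Cisco tool; the sample texts are the outputs shown above, and the comparison also inverts the map to show which server interfaces share each uplink.

```python
"""Parse 'show npv traffic-map' and the matching running-config lines and
check that they agree. Added example; the two sample texts are the outputs
quoted in the notes above."""
import re

SHOW_NPV_TRAFFIC_MAP = """\
UCS-SB60-A(nxos)# show npv traffic-map

NPV Traffic Map Information:
----------------------------------------
Server-If    External-If(s)
----------------------------------------
vfc699       san-port-channel 100
vfc700       vfc697
vfc701       vfc697
vfc702       san-port-channel 100
----------------------------------------
"""

RUNNING_CONFIG = """\
npv traffic-map server-interface vfc699 external-interface san-port-channel 100
npv traffic-map server-interface vfc700 external-interface vfc697
npv traffic-map server-interface vfc701 external-interface vfc697
npv traffic-map server-interface vfc702 external-interface san-port-channel 100
"""

# A table row: server interface, whitespace, external interface(s). An external
# interface may itself contain a space ("san-port-channel 100"); several are
# comma-separated when one server interface is pinned to more than one uplink.
SHOW_ROW = re.compile(r"^(vfc\d+)\s+(.+?)\s*$")
CONFIG_LINE = re.compile(
    r"^npv traffic-map server-interface (\S+) external-interface (.+?)\s*$")


def parse_show_traffic_map(text):
    """Return {server_if: [external_if, ...]} from 'show npv traffic-map' output."""
    mapping = {}
    for line in text.splitlines():
        m = SHOW_ROW.match(line.strip())
        if m:
            mapping[m.group(1)] = [e.strip() for e in m.group(2).split(",")]
    return mapping


def parse_running_config(text):
    """Return the same mapping from 'npv traffic-map ...' configuration lines."""
    mapping = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line.strip())
        if m:
            mapping.setdefault(m.group(1), []).append(m.group(2))
    return mapping


def pinning_by_uplink(mapping):
    """Invert the map: which server interfaces ride each external interface."""
    by_uplink = {}
    for server_if, uplinks in mapping.items():
        for uplink in uplinks:
            by_uplink.setdefault(uplink, []).append(server_if)
    return by_uplink


def check_consistency(show_text, config_text):
    """Return discrepancies between show output and config (empty list if consistent)."""
    shown = parse_show_traffic_map(show_text)
    configured = parse_running_config(config_text)
    problems = []
    for server_if in sorted(set(shown) | set(configured)):
        s = sorted(shown.get(server_if, []))
        c = sorted(configured.get(server_if, []))
        if s != c:
            problems.append(f"{server_if}: show={s} config={c}")
    return problems


if __name__ == "__main__":
    print(pinning_by_uplink(parse_show_traffic_map(SHOW_NPV_TRAFFIC_MAP)))
    print("discrepancies:", check_consistency(SHOW_NPV_TRAFFIC_MAP, RUNNING_CONFIG))
```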

Nexus STP-Lite feature (Nexus 7000)

STP Lite

FCoE does not require full Spanning Tree Protocol (STP) because FCoE has no bridging functionality, which means that no STP loops are created in the network. STP Lite on FCoE interfaces ensures rapid convergence across the network by sending an agreement Bridge Protocol Data Unit (BPDU) whenever it receives a proposal BPDU. The FCoE link sends the identical agreement BPDU in response to either a Multiple Spanning Tree (MST) or a Per VLAN Rapid Spanning Tree Plus (PVRST+) proposal BPDU. Additionally, STP Lite suppresses the MAC address flushing function for FCoE VLANs.

STP Lite is enabled automatically by default across the entire device for FCoE VLANs as soon as the first FCoE VLAN comes up. At the same time, the system automatically converts all FCoE links to STP-type normal ports. This feature runs only in FCoE VLANs.

show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0010
Port Type Default                        is disable
Edge Port [PortFast] BPDU Guard Default  is enabled
Edge Port [PortFast] BPDU Filter Default is enabled
Bridge Assurance                         is enabled
Loopguard Default                        is disabled
Pathcost method used                     is long
STP-Lite                                 is enabled

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0010                      0         0        0          4          4
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        0         0        0          4          4