TEX2254 VMworld 2014 Barcelona

Quick Recap:

A lot of customers want to be Amazon-like. SDDC is a used for this. NSX is the SDN part of the SDDC model.

NSX momentum, over 150 customers.

How are these customers using NSX today: Three main use cases

1. Self-Service IT (Portal) – DevOps Cloud and On-boarding M&A

2. Data Center Automation – Micro-segmentation of App – Simplifying Compute Silo

3. DMZ Deployments

NSX is not a product, it is a platform. how?

Operations, Security, Physical + Virtual (L2 L3 gateway) Application Delivery (LB, Wan Optimization)

Service Insertion through Gateway, VTEP.

 

 

 

VMware NSX Distributed Firewall

Quick recap:

The VMware NSX Distributed Firewall can be used for micro-segmentation. There are no choke points and there is scale-out performance up to 20 Gbps.

It acts like firewall on the vNic. Each vNic has it’s own rule set. Performance is close to line-rate. Traffic Redirection is possible to 3th party.

Of course there is the Rest API.

DFW is a stateful engine.  During a VMotion the state table is migrated tand is in place before the VM arrives on the destination host

NPV traffic map

If you use SAN pin groups in UCS manager. it wil translate to the NPV traffic map feature on the CLI. You can see that with the “show npv traffic-map” command on the FI (connect nxos)

show npv traffic-map

UCS-SB60-A(nxos)# show npv traffic-map

NPV Traffic Map Information:
—————————————-
Server-If External-If(s)

—————————————-
vfc699 san-port-channel 100
vfc700 vfc697
vfc701 vfc697
vfc702 san-port-channel 100
—————————————-

show running:

npv traffic-map server-interface vfc699 external-interface san-port-channel 100
npv traffic-map server-interface vfc700 external-interface vfc697
npv traffic-map server-interface vfc701 external-interface vfc697
npv traffic-map server-interface vfc702 external-interface san-port-channel 100

Nexus STP-Lite feature (Nexus 7000)

STP Lite

FCoE does not require full Spanning Tree Protocol (STP) because FCoE has no bridging functionality, which means that no STP loops are created in the network. STP Lite on FCoE interfaces ensures rapid convergence across the network by sending an agreement Bridge Protocol Data Unit (BPDU) whenever it receives a proposal BPDU. The FCoE link sends the identical agreement BPDU in response to either an Multiple Spanning Tree (MST) or a Per VLAN Rapid Spanning Tree Plus (PVRST+) proposal BPDU. Additionally, STP Lite suppresses the MAC address flushing function for FCoE VLANs.

STP Lite is enabled automatically by default across the entire device for FCoE VLANs as soon as the first FCoE VLAN comes up. At the same time, the system automatically converts all FCoE links as the STP-type normal ports. This feature runs only in FCoE VLANs.

show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0010
Port Type Default is disable
Edge Port [PortFast] BPDU Guard Default is enabled
Edge Port [PortFast] BPDU Filter Default is enabled
Bridge Assurance is enabled
Loopguard Default is disabled
Pathcost method used is long
STP-Lite is enabled

Name Blocking Listening Learning Forwarding STP Active
———————- ——– ——— ——– ———- ———-
VLAN0010 0 0 0 4 4
———————- ——– ——— ——– ———- ———-
1 vlan 0 0 0 4 4

MDS IVR commands

9222i(config-if)# show interface port-channel 1
port-channel 1 is trunking
Hardware is GigabitEthernet
Port WWN is 24:01:00:05:9b:28:54:00
Admin port mode is auto, trunk mode is on
snmp link state traps are enabled
Port mode is TE
Port vsan is 1
Speed is 2 Gbps
Trunk vsans (admin allowed and active) (1,97-98,209)
Trunk vsans (up) (209)
Trunk vsans (isolated) (1,97-98)
Trunk vsans (initializing) ()
5 minutes input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
5 minutes output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
492 frames input, 65052 bytes
492 Class F frames input, 65052 bytes
0 Class 2/3 frames input, 0 bytes
0 Reass frames
0 Error frames timestamp error 0
494 frames output, 63728 bytes
494 Class F frames output, 63728 bytes
0 Class 2/3 frames output, 0 bytes
9222i(config-if)# show interface port-channel 1 brief

——————————————————————————-
Interface Vsan Admin Status Oper Oper IP
Trunk Mode Speed Address
Mode (Gbps)
——————————————————————————-
port-channel 1 1 on trunking TE 2 —
P9-9222i(config-if)#
P9-9222i(config-if)# show vsan 209
vsan 209 information
name:VSAN0209 state:active
interoperability mode:default
loadbalancing:src-id/dst-id/oxid
operational state:up

9222i(config-if)# show in
in-order-guarantee incompatibility-all inventory
inactive-if-config install
incompatibility interface
9222i(config-if)# show interface port-channel 1
port-channel 1 is trunking
Hardware is GigabitEthernet
Port WWN is 24:01:00:05:9b:28:54:00
Admin port mode is auto, trunk mode is on
snmp link state traps are enabled
Port mode is TE
Port vsan is 1
Speed is 2 Gbps
Trunk vsans (admin allowed and active) (1,97-98,209)
Trunk vsans (up) (209)
Trunk vsans (isolated) (1,97-98)
Trunk vsans (initializing) ()
5 minutes input rate 4288 bits/sec, 536 bytes/sec, 3 frames/sec
5 minutes output rate 3272 bits/sec, 409 bytes/sec, 3 frames/sec
1546 frames input, 215392 bytes
1546 Class F frames input, 215392 bytes
0 Class 2/3 frames input, 0 bytes
0 Reass frames
0 Error frames timestamp error 0
1548 frames output, 156732 bytes
1548 Class F frames output, 156732 bytes
0 Class 2/3 frames output, 0 bytes
0 Error frames
Member[1] : fcip1
Member[2] : fcip2

9222i(config-if)# conf t
9222i(config)# 2014 Feb 27 18:33:14 P9-9222i %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.2.8.91@pts/0
9222i(config)# feature ivr
9222i(config)# ivr nat
P9-9222i(config)# 2014 Feb 27 18:33:43 P9-9222i %IVR-5-FCID_NAT_MODE_ACTIVATED: FCID network address translation (NAT) mode has been activated
9222i(config)# ivr distribute
9222i(config)# 2014 Feb 27 18:33:51 P9-9222i %IVR-5-VSAN_TOPOLOGY_ACTIVATED: Inter-VSAN Topology has been activated
9222i(config)# ivr vsan-topology auto
fabric is now locked for configuration. Please ‘commit’ configuration when done.
9222i(config)# ivr commit
commit initiated. check ivr status
P9-9222i(config)# show ivr

Inter-VSAN Routing is enabled

Inter-VSAN enabled switches
—————————

AFID VSAN DOMAIN CAPABILITY SWITCH WWN
——————————————————————-
1 1 0x 1( 1) 0000001f 20:00:00:05:9b:28:54:00 *
1 97 0x61( 97) 0000001f 20:00:00:05:9b:28:54:00 *
1 98 0xed(237) 0000001f 20:00:00:05:9b:28:54:00 *
1 209 0x8a(138) 0000001f 20:00:00:05:73:d3:77:80
1 209 0xd1(209) 0000001f 20:00:00:05:9b:28:54:00 *

Total: 5 IVR-enabled VSAN-Domain pairs

Inter-VSAN topology status
————————–

Current Status: Inter-VSAN topology is ACTIVE, AUTO Mode
Last activation time: Thu Feb 27 18:34:14 2014

Inter-VSAN zoneset status
————————-
name : master-ivr
state : activation success
last activate time : Thu Feb 27 18:33:51 2014

Fabric distribution status
———————–
fabric distribution enabled
Last Action Time Stamp : Thu Feb 27 18:34:13 2014
Last Action : Commit
Last Action Result : Success
Last Action Failure Reason : none

Inter-VSAN NAT mode status
————————–
FCID-NAT is enabled
Last activation time : Thu Feb 27 18:33:43 2014

AAM mode status
————————–
AAM is disabled

License status
—————–
Built-in

Sharing of tcam space across xE ports disabled
9222i(config)#