NSX Edge: • Connects isolated networks to shared uplink and provides network services like FW, LB, … • Supports Multi- VM VM Tenancy in Cloud environment VM VM
VM VM
Compute Racks Compute Racks EDGE Rack
NSX Edge Services Gateway CONFIDENTIAL 5 | 34
Integrated Network Services Firewall Overview Load Balancer VPN • Integrated L3 – L7 services • Virtual appliance model to Routing/NAT provide rapid deployment and DDI DHCP/DNS relay scale-out …. Benefits
• Real time service instantiation
• Support for dynamic service
VM VM VM VM VM differentiation per tenant/application
• Uses x86 compute capacity
NSX Edge Services Gateway CONFIDENTIAL 6 | 34
Features Summary NSX Edge Gateway Services
Firewall Rule configuration with IP, Port ranges, Grouping Objects, VC Containers
Network Address Translation Source and Destination NAT capabilities.
DHCP Configuration of IP Pools, gateways, DNS servers and search domains.
Routing Static as well as Dynamic Routing protocols support (OSPF, BGP, ISIS)
Load Balancing Configure Virtual Servers and backend pools using IP addresses or VC Objects
Site-to-Site VPN IPSec site to site VPN between two Edges or other vendor VPN terminators.
SSL VPN Allow remote users to access the private networks behind Edge GSW.
L2VPN Stretch your layer 2 across datacenters.
High Availability Active-Standby HA capability which works well with vSphere HA.
DNS/Syslog Allow configuring DNS relay and remote syslog servers.
NSX Edge Services Gateway CONFIDENTIAL 7 | 34
NSX Edge and DFW – Security Comparison Typical deployment of FW in a DC/SDDC: WAN Internet
Quad-Large 4 vCPU Suitable for high 1024 MB vRAM performance Firewall
Large 2 vCPU 1024 MB vRAM
Compact 1 vCPU 512MB vRAM
NSX Edge Services Gateway CONFIDENTIAL 9 | 34
Configure and Manage NSX Edge Services
NSX Edge Services Gateway CONFIDENTIAL 10 | 34
Form Factor Conversions
NSX Edge Services Gateway CONFIDENTIAL 11 | 34
Interface Based Routing and Firewall
Tenant A Features
• Dynamic Routing: Tenant B OSPF/eBGP/iBGP/IS-IS L2 L2 Tenant C • North-South Routing L2 L2 • Virtualization context firewall L2
L2 L2 Scale & Performance L2
• Up to line rate performance
with scale up architecture
Use Cases
• Create on demand network
services to speed up application provisioning
NSX Edge Services Gateway CONFIDENTIAL 12 | 34
NSX Edge Load Balancer
Web 1 Web 2 Web 3 Features
• TCP, HTTP, HTTPS with Stateful HA
• Multiple Virtual IPs each with separate server pool and configurations • Multiple load balancing algorithms • Multiple Session Persistence methods • Configurable health checks • Application Rules • SSL Termination with Certificate Management • Transparent/Full Proxy Mode • IPv6 Support
Use Cases
• Per Tenant Cloud LB
• Dynamic VIP for applications
NSX Edge Services Gateway CONFIDENTIAL 13 | 34
Logical VPN – User and Site-to-Site Features
• Interoperable IPsec tested with major
vendors Internet/ • Clients on all major OS (Win, Apple, Linux) WAN • Remote Authentication via Active Directory, RSA Secure ID, LDAP, Radius • TCP Acceleration • Encryption – 3DES, AES128, AES256 • AESNI H/W Offload • NAT & Perimeter Firewall Traversal
Scale and Performance
• High Performance – AES-NI acceleration
• 2+ Gb/s throughput per tenant Internet/ Use Cases WAN • Cloud to Corporate • Cloud On-boarding • Remote Office/Branch Office • Remote Management
NSX Edge Services Gateway CONFIDENTIAL 14 | 34
Logical VPN – Layer 2
Features
• SSL-based • Web-proxy Support • L2 Extension to Cloud VM VM VM • Broadcast support
Scale & Performance
• High Performance – AES-NI
acceleration Public • 2+ Gb/s throughput per tenant Internet/ WAN Cloud Use Cases
• Cloud On-boarding • Cloud Bursting
NSX Edge Services Gateway CONFIDENTIAL 15 | 34
NSX Edge Services Gateway High Availability (1)
Heartbeat and Synchronization Anti-affinity
• Heartbeat and sync both use the • Active and Standby Edges are same internal vNic placed on different ESXi hosts • L2 connectivity using same PG • On ESXi failure, NSX Manager • Stateful failover for features attempts to place Edges on different hosts again
Internal PG
NSX Edge Services Gateway CONFIDENTIAL 17 | 34
NSX Edge Services Gateway High Availability (2) • Active standby model – Health check interval for heartbeat 1 sec – Failover time ~15 seconds – NSX Manager also performs keep-alives to verify Edge is alive
• Modes of configuration – Advanced/Manual mode: Internal vNic designated by the user – Auto configure mode: NSX Manager uses first available internal vNic
• Other Redundancy – Physical redundancy with host monitoring and vSphere HA – Process restart redundancy with process monitoring
NSX Edge Services Gateway CONFIDENTIAL 18 | 34
NSX Edge HA – Failover Behavior Feature Behavior Firewall / NAT Stateful failover for firewall connections. Connection entries are synced to the standby appliance. Failover to standby in 15 seconds by default, can be configured (down to 6)
DHCP When Standby becomes active the HA link synchronization should preserve DHCP allocation table state.
Load Balancer For L7, Sticky tables are synced. Health of backend pool servers is synced. Will perform a back-end status health check before becoming available.
Dynamic Routing Routing table (fib entries) are synced.
Failover to standby in 15 seconds by default, can be configured (down to 6)
IPSec VPN When Standby becomes active the tunnels should reconnect automatically
SSL VPN When Standby becomes active the client should reconnect automatically
L2 VPN High Availability is not supported for this feature. Will be supported in future release.
NSX Edge Services Gateway CONFIDENTIAL 19 | 34
Questions
NSX for vSphere Component Overview CONFIDENTIAL 20 | 34
Dynamic Routing Overview Section 2 Supported Routing Protocols • OSPF: Open Shortest Path First • BGP: Border Gateway Protocol – iBGP and eBGP support
• IS-IS: Intermediate System to Intermediate System
NSX Edge Services Gateway CONFIDENTIAL 22 | 34
OSPF Features • Area Level Support – Default Area 51 • Backbone and NSSA support • Cleartext and MD5 peer Authentication • Interface level support • Hello, Dead interval configuration • Priority for DR/BDR election • Interface Cost configuration
NSX Edge Services Gateway CONFIDENTIAL 23 | 34
BGP Features • iBGP and eBGP support • Router Level • Local AS • Neighbor level configuration – Keep alive timer (default 60) – Hold-down timer (default 180) – Authentication MD5 – Per Neighbor filtering • Inbound/Outbound accept/deny by Prefix range
NSX Edge Services Gateway CONFIDENTIAL 24 | 34
IS-IS Features • Router Level support • Area ID, System ID (default router-id), IS-Type (default level -1-2), Domain Password, Area Password • Area Level Support – Up to 3 IP addresses per area
• Interface level support
– vNIC name – Hello timer, Hello Multiplier – Metric, Priority – Circuit type – LSP Interval – Mesh group – Password
NSX Edge Services Gateway CONFIDENTIAL 25 | 34
Multi Tenant Topology – Supported (< 10)
External Network
NSX Edge Services
Gateway
VXLAN 5020 VXLAN 5021
Uplink Tenant 1 Uplink Tenant 2 LR Instance 2 LR Instance 1
Web VM App VM Web VM App VM
VM VM VM VM
VXLAN 5001 VXLAN 5002 VXLAN 5010 VXLAN 5011
NSX Edge Services Gateway CONFIDENTIAL 26 | 34
Lower Density Multi Tenant Topology (Simplified) OSPF BGP External Network IS-IS Static Route
NSX Edge Services NSX Edge Services
Gateway Gateway
VXLAN 5020 VXLAN 5021
OSPF BGP Tenant 1 Tenant 2 Static Route LR Instance 2 LR Instance 1
Web VM App VM Web VM App VM
VM VM VM VM
VXLAN 5001 VXLAN 5002 VXLAN 5010 VXLAN 5011
NSX Edge Services Gateway CONFIDENTIAL 27 | 34
High Density Multi Tenant Topology (Routed) External Network
NSX Edge (X-Large) Route
Aggregation Layer
VXLAN 5022
Tenant’s NSX Edge Tenant’s NSX Edge
Services Gateway Services Gateway
VXLAN 5020 VXLAN 5021
Tenant 1 Tenant 2 LR Instance 2 LR Instance 1
Web VM App VM Web VM App VM
VM VM VM VM
VXLAN 5001 VXLAN 5002 VXLAN 5010 VXLAN 5011
NSX Edge Services Gateway CONFIDENTIAL 28 | 34
Supported Dynamic Routing Protocols in NSX for vSphere
OSPF iBGP or eBGP
backbone area (Area 0) Originate Redistribute default ospf to bgp
SEG (Edge) SEG (Edge)
NSX Edge NSX Edge
OSPF NSSA OSPF NSSA
Uplink area (Area 51) area (Area 51) Originate Originate Uplink default default LDR(Edge) LDR(Edge) LR LR
Redistribute Redistribute connected connected
NSX Edge Services Gateway CONFIDENTIAL 29 | 34
NSX vSphere Scale Limits Edge Management Configuration Limits Item Maximum Note Number of Edge Appliances 2,000
Firewall Rules 20,000
NAT 20,000
Number of Static Routes 100,000
Number of Load Balancer Pools 20,000
# of LB virtual Servers 6,000
Members in LB Pools 60,000
DHCP Pools 20,000
DHCP Static Bindings 200,000
IPSec Sites / Tunnels per NSX 64
Edge
IPSec Sites / Tunnels 128,000 This is a number published across a max of 2,000 Edge Appliances which can be supported in NSX
![1419318717_ICT [I.T.] (NTA 4) - Brochure](https://imgv2-2-f.scribdassets.com/img/document/464340893/149x198/23e01a9d24/1591277431?v=1)
![[DASAN Success Story] Taifo GPON Solution for Taipei City](https://imgv2-2-f.scribdassets.com/img/document/371127347/149x198/c9f769c5f6/1518170265?v=1)
