
NSX Edge Services Gateway

Elver Sena Sosa

© 2014 VMware Inc. All rights reserved.


Sections
Section 1
• Introduction to NSX Edge Services Gateway
Section 2
• Dynamic Routing Overview

NSX for vSphere Component Overview CONFIDENTIAL 2 | 34


Section 1: Introduction to NSX Edge Services Gateway
NSX Edge Services Gateway – Network Placement

[Diagram: WAN/Internet uplink, Compute Racks with tenant VMs, and an EDGE Rack hosting the NSX Edge]

NSX Edge:
• Connects isolated networks to a shared uplink and provides network services like FW, LB, …
• Supports multi-tenancy in cloud environments



Integrated Network Services

[Diagram: NSX Edge delivering Firewall, Load Balancer, VPN, Routing/NAT and DDI (DHCP/DNS relay) services to tenant VMs]

Overview
• Integrated L3 – L7 services
• Virtual appliance model to provide rapid deployment and scale-out

Benefits
• Real time service instantiation
• Support for dynamic service differentiation per tenant/application
• Uses x86 compute capacity



Features Summary

NSX Edge Gateway Services

Feature | Description
Firewall | Rule configuration with IP, port ranges, grouping objects, VC containers
Network Address Translation | Source and destination NAT capabilities.
DHCP | Configuration of IP pools, gateways, DNS servers and search domains.
Routing | Static as well as dynamic routing protocol support (OSPF, BGP, IS-IS)
Load Balancing | Configure virtual servers and backend pools using IP addresses or VC objects
Site-to-Site VPN | IPsec site-to-site VPN between two Edges or other vendor VPN terminators.
SSL VPN | Allow remote users to access the private networks behind the Edge GSW.
L2VPN | Stretch your layer 2 across datacenters.
High Availability | Active-Standby HA capability which works well with vSphere HA.
DNS/Syslog | Allow configuring DNS relay and remote syslog servers.



NSX Edge and DFW – Security Comparison

Typical deployment of FW in a DC/SDDC:

[Diagram: WAN/Internet behind a physical Perimeter FW (N-S protection); the NSX Edge Services Gateway in the Edge Rack; Compute Racks with the DFW on the vDS providing E-W protection inside the SDDC]

• DFW positioned for E-W traffic filtering.
• NSX Edge Services Gateway positioned for N-S traffic filtering.



NSX Edge Services Gateway Sizing

• X-Large
– 6 vCPU
– 8192 MB vRAM
– Suitable for high performance Firewall + Load Balancer + Routing

• Quad-Large
– 4 vCPU
– 1024 MB vRAM
– Suitable for high performance Firewall

• Large
– 2 vCPU
– 1024 MB vRAM

• Compact
– 1 vCPU
– 512 MB vRAM



Configure and Manage NSX Edge Services



Form Factor Conversions



Interface Based Routing and Firewall

[Diagram: Tenant A, Tenant B and Tenant C, each with its own L2 segments, attached to the NSX Edge]

Features
• Dynamic Routing: OSPF/eBGP/iBGP/IS-IS
• North-South Routing
• Virtualization context firewall

Scale & Performance
• Up to line rate performance with scale up architecture

Use Cases
• Create on demand network services to speed up application provisioning



NSX Edge Load Balancer

[Diagram: NSX Edge load balancing a pool of Web 1, Web 2 and Web 3]

Features
• TCP, HTTP, HTTPS with Stateful HA
• Multiple Virtual IPs each with separate server pool and configurations
• Multiple load balancing algorithms
• Multiple Session Persistence methods
• Configurable health checks
• Application Rules
• SSL Termination with Certificate Management
• Transparent/Full Proxy Mode
• IPv6 Support

Use Cases
• Per Tenant Cloud LB
• Dynamic VIP for applications



Logical VPN – User and Site-to-Site

[Diagram: remote users and remote sites reaching the NSX Edge over the Internet/WAN]

Features
• Interoperable IPsec tested with major vendors
• Clients on all major OS (Win, Apple, Linux)
• Remote Authentication via Active Directory, RSA SecurID, LDAP, RADIUS
• TCP Acceleration
• Encryption – 3DES, AES128, AES256
• AES-NI H/W Offload
• NAT & Perimeter Firewall Traversal

Scale and Performance
• High Performance – AES-NI acceleration
• 2+ Gb/s throughput per tenant

Use Cases
• Cloud to Corporate
• Cloud On-boarding
• Remote Office/Branch Office
• Remote Management



Logical VPN – Layer 2

[Diagram: VMs in the private datacenter stretched over the public Internet/WAN to the Cloud]

Features
• SSL-based
• Web-proxy Support
• L2 Extension to Cloud
• Broadcast support

Scale & Performance
• High Performance – AES-NI acceleration
• 2+ Gb/s throughput per tenant

Use Cases
• Cloud On-boarding
• Cloud Bursting



NSX Edge Services Gateway High Availability (1)

Heartbeat and Synchronization
• Heartbeat and sync both use the same internal vNic
• L2 connectivity using same PG
• Stateful failover for features

Anti-affinity
• Active and Standby Edges are placed on different ESXi hosts
• On ESXi failure, NSX Manager attempts to place Edges on different hosts again

[Diagram: Active and Standby Edges connected through an Internal PG]



NSX Edge Services Gateway High Availability (2)
• Active standby model
– Health check interval for heartbeat 1 sec
– Failover time ~15 seconds
– NSX Manager also performs keep-alives to verify Edge is alive

• Modes of configuration
– Advanced/Manual mode: Internal vNic designated by the user
– Auto configure mode: NSX Manager uses first available internal vNic

• Other Redundancy
– Physical redundancy with host monitoring and vSphere HA
– Process restart redundancy with process monitoring



NSX Edge HA – Failover Behavior

Feature | Behavior
Firewall / NAT | Stateful failover for firewall connections. Connection entries are synced to the standby appliance. Failover to standby in 15 seconds by default, can be configured (down to 6).
DHCP | When Standby becomes active the HA link synchronization should preserve DHCP allocation table state.
Load Balancer | For L7, sticky tables are synced. Health of backend pool servers is synced. Will perform a back-end status health check before becoming available.
Dynamic Routing | Routing table (FIB entries) are synced. Failover to standby in 15 seconds by default, can be configured (down to 6).
IPSec VPN | When Standby becomes active the tunnels should reconnect automatically.
SSL VPN | When Standby becomes active the client should reconnect automatically.
L2 VPN | High Availability is not supported for this feature. Will be supported in a future release.



Questions



Section 2: Dynamic Routing Overview

Supported Routing Protocols
• OSPF: Open Shortest Path First
• BGP: Border Gateway Protocol
– iBGP and eBGP support

• IS-IS: Intermediate System to Intermediate System



OSPF Features
• Area Level Support – Default Area 51
• Backbone and NSSA support
• Cleartext and MD5 peer Authentication
• Interface level support
• Hello, Dead interval configuration
• Priority for DR/BDR election
• Interface Cost configuration



BGP Features
• iBGP and eBGP support
• Router Level
• Local AS
• Neighbor level configuration
– Keep alive timer (default 60)
– Hold-down timer (default 180)
– Authentication MD5
– Per Neighbor filtering
• Inbound/Outbound accept/deny by Prefix range

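The per-neighbor "inbound/outbound accept/deny by prefix range" feature above is the control that keeps one tenant's routing domain from injecting a default route, another tenant's space or overly specific hijack prefixes into the Edge. The following is an added illustration, not NSX code: a small prefix-range filter with the usual prefix-list semantics (ordered rules, first match wins, implicit deny), run against constructed routes for the Tenant 1 / Tenant 2 topology shown later in this deck. The tenant subnets, rule format and function names are all assumptions made for the example.

```python
import ipaddress

# Constructed example (not NSX code): per-neighbor prefix-range filtering
# as offered on an NSX Edge BGP neighbor. Rules are evaluated top-down,
# first match wins, and an unmatched route is denied (implicit deny).
# "ge"/"le" bound the accepted prefix length; omitted means exact match.

def prefix_matches(rule, net):
    base = ipaddress.ip_network(rule["prefix"])
    if net.version != base.version or not net.subnet_of(base):
        return False
    ge = rule.get("ge", base.prefixlen)
    le = rule.get("le", base.prefixlen)
    return ge <= net.prefixlen <= le

def apply_filter(rules, routes):
    """Return (accepted, denied) lists of prefix strings, in input order."""
    accepted, denied = [], []
    for r in routes:
        net = ipaddress.ip_network(r, strict=False)
        verdict = "deny"                      # implicit deny at end of list
        for rule in rules:
            if prefix_matches(rule, net):
                verdict = rule["action"]
                break
        (accepted if verdict == "accept" else denied).append(str(net))
    return accepted, denied

# Constructed tenant addressing (the deck names VXLAN 5001/5002 and
# 5010/5011 but gives no subnets): Tenant 1 owns 10.1.0.0/16,
# Tenant 2 owns 10.2.0.0/16.
INBOUND_FROM_TENANT1 = [
    {"action": "deny",   "prefix": "0.0.0.0/0"},                        # never learn a default from a tenant
    {"action": "accept", "prefix": "10.1.0.0/16", "ge": 16, "le": 24},  # own space, /16../24 only
]
OUTBOUND_TO_EXTERNAL = [
    {"action": "accept", "prefix": "10.1.0.0/16"},                      # announce the aggregate only
]

def demo():
    """Routes a Tenant 1 LR might advertise, including ones it must not."""
    learned = ["10.1.1.0/24", "10.1.2.0/24", "10.2.5.0/24",
               "0.0.0.0/0", "10.1.1.10/32", "192.0.2.0/24"]
    return apply_filter(INBOUND_FROM_TENANT1, learned)

if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    print("denied:  ", bad)
```

Only the two Tenant 1 /24s survive the inbound policy; the default route, the Tenant 2 prefix, the /32 more-specific and the unrelated prefix are all dropped, and the outbound policy lets only the /16 aggregate reach the external peer.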


IS-IS Features
• Router Level support
• Area ID, System ID (default router-id), IS-Type (default level-1-2), Domain Password, Area Password
• Area Level Support
– Up to 3 IP addresses per area

• Interface level support
– vNIC name
– Hello timer, Hello Multiplier
– Metric, Priority
– Circuit type
– LSP Interval
– Mesh group
– Password



Multi Tenant Topology – Supported (< 10)

[Diagram: External Network above a single NSX Edge Services Gateway; VXLAN 5020 (Uplink Tenant 1) connects the Edge to LR Instance 1 and VXLAN 5021 (Uplink Tenant 2) to LR Instance 2; Tenant 1 Web VM on VXLAN 5001 and App VM on VXLAN 5002; Tenant 2 Web VM on VXLAN 5010 and App VM on VXLAN 5011]



Lower Density Multi Tenant Topology (Simplified)

[Diagram: External Network above one NSX Edge Services Gateway per tenant, peering with the external network via OSPF, BGP, IS-IS or Static Route; VXLAN 5020 connects the Tenant 1 Edge to LR Instance 1 and VXLAN 5021 the Tenant 2 Edge to LR Instance 2, using OSPF, BGP or Static Route between Edge and LR; Tenant 1 Web VM on VXLAN 5001 and App VM on VXLAN 5002; Tenant 2 Web VM on VXLAN 5010 and App VM on VXLAN 5011]



High Density Multi Tenant Topology (Routed)

[Diagram: External Network above an NSX Edge (X-Large) acting as the Route Aggregation Layer; VXLAN 5022 connects it to each Tenant's NSX Edge Services Gateway; VXLAN 5020 connects the Tenant 1 Edge to LR Instance 1 and VXLAN 5021 the Tenant 2 Edge to LR Instance 2; Tenant 1 Web VM on VXLAN 5001 and App VM on VXLAN 5002; Tenant 2 Web VM on VXLAN 5010 and App VM on VXLAN 5011]



Supported Dynamic Routing Protocols in NSX for vSphere

[Diagram, left (OSPF): the SEG (NSX Edge) joins the OSPF backbone area (Area 0) toward the external network; on its uplink into the OSPF NSSA area (Area 51) it originates a default route toward the LDR (Edge); the LR redistributes connected routes]

[Diagram, right (BGP): the SEG (NSX Edge) peers via iBGP or eBGP with the external network and redistributes OSPF into BGP; on its uplink into the OSPF NSSA area (Area 51) it originates a default route toward the LDR (Edge); the LR redistributes connected routes]


NSX vSphere Scale Limits

Edge Management Configuration Limits

Item | Maximum | Note
Number of Edge Appliances | 2,000 |
Firewall Rules | 20,000 |
NAT | 20,000 |
Number of Static Routes | 100,000 |
Number of Load Balancer Pools | 20,000 |
# of LB virtual Servers | 6,000 |
Members in LB Pools | 60,000 |
DHCP Pools | 20,000 |
DHCP Static Bindings | 200,000 |
IPSec Sites / Tunnels per NSX Edge | 64 |
IPSec Sites / Tunnels | 128,000 | This is a number published across a max of 2,000 Edge Appliances which can be supported in NSX
DNS / Syslog Server Targets | 2,000 |
DNS Service Instances | 10,000 |



NSX for vSphere Scale

• Edge Routing Limits

Max Limit | Compact-Edge | Large-Edge | X-Large-Edge
BGP routes | 20k | 50k | 250k
BGP neighbors | 10 | 20 | 50
OSPF routes | 20k | 50k | 100k
OSPF adjacencies | 10 | 20 | 40
Routes redistributed into BGP | no limit | no limit | no limit
Routes redistributed into OSPF | 2k | 5k | 20k
Total number of routes | 20k | 50k | 250k



Questions
