- A
- ACL (Access Control List), firewall, 203, 204
- AD (Active Directory), 47–51
- addressing, effective address, 66
- Administrative Distance, 157
- APIs (Application Program Interfaces), 273
- ARP (Address Resolution Protocol), 24, 85, 281
  - gratuitous, poisoning and, 216–218
  - L2 headers, 79–81
  - L3 headers, 79–81
  - tables, VNI and, 74–75
- B
- bandwidth, ECMP, troubleshooting, 159–160
- BDR (Backup Designated Router), 133
- BGP (Border Gateway Protocol), 118, 120–123, 138
  - eBGP, 29, 120, 151, 161, 287
  - iBGP, 29, 120, 151, 161, 287
- blocked traffic, 218–220
- blueprints, 249
  - deploying, NSX services, consuming, 271–273
  - NSX services, consuming, 271–273
- bridges, 284
  - transparent bridging, 102
- Broadcast
  - Layer 2 flooding, 83
  - Logical Switches, 84–85
  - replication modes, 83–84
- browser, as REST client, 274
- C
- centralized routing, versus distributed, 140–141
- CLI (Command Line Interface)
  - DLR, 156–157
  - ESG, 156–157
  - planes of operation, 17
- Client Integration Plug-ins, 44
- clusters, NSX Controller, 26
- CMP (Cloud Management Platform), 247
- colocation, –3
- control plane, DLR, 108
- Cross-vCenter NSX, 51
- D
- data centers,
  - company built,
  - workloads,
- Dead Timer, 139
- deployment
  - DLR (Distributed Logical Router), 125–134
  - ESG (Edge Services Gateway), 144–151
  - Layer 2 Bridge, 90–101
  - Logical Switch, 84
  - NSX Controller, 49
- DevOps, vRA and, 248–249
- DFW (Distributed Firewall), 29, 203, 206
  - ESXi hosts, 220–221
  - IDFW (Identity Distributed Firewall), 220
  - IP addresses, 215–216
  - maintenance, 207–209
  - native rules, 206
  - rules, 210–214
    - enabling by default, 218
    - security groups, 233–236
    - segregating, 214–215
  - VIBs (vSphere Installation Bundles), 206
  - VMs, excluding from inspection, 207
- DHCP relay, 194–196
  - DLR configuration, 196–197
- DHCP service, ESG and, 191–192
  - configuration as server, 192–194
- distributed routing, versus centralized, 140–141
- Distributed Virtual Port Group, 94
- DLR (Distributed Logical Router), 28, 107–108, 138, 286
  - Administrative Distance, 157
  - CLI commands, 156–157
  - control planes, 108
  - default behaviors, 157
  - deploying, 125–134
  - ECMP and, 157–159
  - efficiency, 111–115
  - ESXi hosts and, 107–115
  - forwarding address, 284–285
  - Layer 2 Bridge and, 91
    - Deployment Configuration, 96
    - deployment status, 96
  - LIF (Logical Interfaces), IP addresses, 115
  - LIFs (logical interfaces), 29
  - LR Control VM and, 285–286
  - MAC addresses, 115–116
  - overview, 140
  - physical router comparison, 117
  - protocol address, 284–285
- DNAT (destination NAT), ESG (Edge Services Gateway), configuring, 169–171
- DNS (Domain Name System), 138
- DNS Relay, 198–199
  - ESG, configuration, 199–200
- DNS Server, open ports and, 40
- DoS (Denial of Service) attacks, 237
- DR (Designated Router), 133
- DRS (Distributed Resource Scheduler), , 19
- DVFilter (Distributed Virtual Filter), 24
- dynamic security groups, 224
- E
- ECMP (Equal Cost Multi-Path) mode, 30, 157–159
  - bandwidth, troubleshooting, 159–160
  - enabling, 287
  - North-South traffic, 157
- Edge Appliance VM, Layer 2 Bridge and, 93
- Edge Firewall, 203
- Edge HA, 138–139
- effective addresses, 66
- encapsulation, GRE (Generic Routing Encapsulation), 187
- entitlements, configuring, 268–270
- ESG (Edge Services Gateway), 19, 28, 29, 87–88, 110, 138, 287
  - Administrative Distance, 157
  - CLI commands, 156–157
  - Cross-vCenter NSX, 51
  - default behaviors, 157
  - deploying, 144–151
  - DHCP relay, 194–196
    - DLR configuration, 196–197
  - DHCP service, 191–192
    - configuration as server, 192–194
  - DNAT, configuring, 169–171
  - DNS Relay, 198–199
  - ECMP and, 157–159
  - firewall, 29
  - Layer 2 VPN, 178–179
  - load balancer, 171–173
  - load balancing, 29
  - LR Control VM, 117
  - naming, 145
  - NAT, 29
  - NAT (Network Address Translation), 164–165
    - DNAT, configuring, 166–167
    - SNAT, configuring, 166
  - NAT Traversal, 188
  - network placement, 163–164
  - routing, 29
  - sizing, 30
  - SNAT, configuring, 167–169
  - SSL VPN, 179
    - configuring, 180–186
    - split tunneling, 180
- ESP (Encapsulating Security Payload), 188
- ESXi,
  - clusters
    - NSX Manager as primary, 55–56
    - preparing, 54
    - segment ID pool, 55
    - universal segment ID, range, 56
    - VXLAN configuration, 55
- ESXi hosts
  - IDFW (Identity Distributed Firewall), 220–221
  - learning routes, 108–109
  - open ports and, 40
- F
- fault tolerance, 141
- FCS (Frame Check Sequence), 80
- Fibre Channel,
- firewall, 12, 279
  - ACL (Access Control List), 203, 204
  - DFW (Distributed Firewall), 29, 206
  - IDFW (Identity Distributed Firewall), 220
  - maintenance, 207–209
  - three-tier application, 208–209
  - VM-to-VM traffic, 204
- firewalls,
- floating static route, 157
- Forwarding Address, 118, 134–135
- FQDN (Fully Qualified Domain Name), 198
- full-duplex communication, –2
- G
- gratuitous ARP, poisoning and, 216–218
- GRE (Generic Routing Encapsulation), 187
- guest introspection, 237–238
- GUI (Graphical User Interface), planes of operation, 17
- H
- HA (high availability), 138–140
  - adding, 139–140
  - fault tolerance and, 141
  - NSX Manager, 41–43
- HA (High Availability), , 19
- hairpinning, 208
- half-duplex communication, –2
- hardware switches, VTEPs, 103–104
- HTTP GET commands, 273
- hybrid mode, 35–36
- hypervisor,
- I
- IaaS (Infrastructure as a Service), vRA, 249
- iBGP (internal BGP), 151, 161, 287
- identity services, vRA and, 249
- IDFW (Identity Distributed Firewall), 220
- IDS/IPS (Intrusion Detection and Prevention Systems), 224
  - DoS (Denial of Service) attacks, 237
- IOChain, 24, 204–206, 289
  - DVFilter (Distributed Virtual Filter), 24
  - security, 24
  - service insertion and, 236
- IP, discovery, 290
- IP addressing
  - DFW (Distributed Firewall), 215–216
  - DLR LIFs, 115
  - NSX Manager, 43–44
- IPS (Intrusion Prevention Systems), 223, 237
- IPsec VPN, 187–188
  - NAT Traversal, 188
  - Route-Based, 187–188
  - Site-to-Site VPN configuration, 188–190
- IS-IS (Intermediate System to Intermediate System) routing protocol, 142
- ISAKMP (Internet Security Association and Key Management Protocol), 188
- iSCSI,
- K
- Kaspersky Security for Virtualization, 224
- kernel, versus VM (virtual machine), 140
- L
- LACP (Link Aggregation Control Protocol), 24
- latency, hairpinning, 208
- Layer 2 Bridge, 87–88, 102, 283
  - architecture, 88–89
  - challenges, 89
  - deployment, 90–101
  - Distributed Virtual Port Group, 100
  - DLR (Distributed Logical Router), 91
  - Edge Appliance VM and, 93
  - LR Control VM, 88
  - native bridging, 103
  - transparent bridging, 102
- Layer 2 VPN, 102
  - ESG (Edge Services Gateway), 178–179
- LBT (Load Balanced Teaming), 24
- LDAP (Lightweight Directory Access Protocol), 47–51
- LIF (Logical Interface), DLR, IP addresses, 115
- LIFs (logical interfaces), 29
- load balancing, ESG load balancer, 171–173
- Logical Switch, 62
  - creating, 85, 90
  - deploying, 84
  - hardware
  - Overlay Switch, 72–73
  - Switch Security module, 81–82
  - Transport Zone, 73
  - vDS (virtual Distributed Switch), 72
- Logical Switches, 71
- Lookup Service URL, 49
- LR (Logical Router), 88
- LR Control VM, 285–286
  - BGP and, 118
  - ESG (Edge Services Gateway), 117
  - Layer 2 Bridge and, 88
  - OSPF and, 117, 118
  - VM (virtual machine), 108–111
- LSAs (Link State Advertisements), 119
- M
- MAC Address
  - DLR, 115–116
  - FCS (Frame Check Sequence), 80
  - security, 66
- MAC table
  - centralized, 75–76
  - VNI and, 74–75
- McAfee MOVE, 224
- microsegmentation, 12, 208
- migration, physical to virtual environment, 89
- MTU (Maximum Transmission Unit), 69
- Multicast
  - Layer 2 flooding, 83
  - Logical Switches, 84–85
  - replication modes, 83–84
- N
- NAT (Network Address Translation), 138, 164–165
  - DNAT, configuring, 166–167
  - SNAT, configuring, 166
- NAT Traversal, 188
- NDP (Neighbor Discovery Protocol), 210
- network introspection
  - DoS (Denial of Service) attacks, 237
  - IDS (Intrusion Detection Systems), 236–237
  - IPS (Intrusion Prevention Systems), 236–237
  - Layer 7 and, 236–237
- networks
  - colocation, –3
  - history, –2
  - provisioning, –4
  - resources, inefficient allocation,
  - workload-to-server ratio,
- NFS,
- NFV (Network Function Virtualization), 137–138
  - BGP, configuring, 151–154
  - centralized routing, versus distributed, 140–141
  - distributed routing, versus centralized, 140–141
  - ESG (Edge Services Gateway), deploying, 144–151
  - HA (high availability), adding, 139–140
  - OSPF, configuring, 154–155
  - routing
    - LIFs (logical interfaces), 143
    - protocols, 142–143
    - static routes, 155–156
    - transport zones, 142
- NIC teaming, virtual switches, 65–66
- NIOC (Network I/O Control), 24
- North-South traffic, 28, 110, 115, 135, 140, 285
  - DFW (Distributed Firewall), 29
  - ECMP and, 157–160
  - ESG router, 173
- NSSA (not-so-stubby area), 133
- NSX, 10–12
  - components, 18
  - controllers, 25–26
  - design routing, 132–134
  - firewall, 12, 279
- NSX Controller, 24, 280–281
  - adding, 50
  - clustering, 26
  - deploying, 49
    - primary NSX Manager, 53–54
  - open ports, 40
  - password rules, 50–51
  - placement, 49–50
  - roles, 26–28
- NSX Edge, 286–287
  - appliance size, 147
  - Cluster and Datastore selection, 147
  - Configure Deployment, 146
  - Configure Interfaces, 148
  - Default Gateway Settings, 149
  - DLR (Distributed Logical Router), 28
  - eBGP and, 29
  - ESG (Edge Services Gateway), 28
  - Firewall and High Availability, 150
  - iBGP and, 29
  - interfaces, adding, 149
  - Load Balancing service, 30
  - NFV (Network Function Virtualization), 137–138
  - resource requirements, 41
  - settings, 146
- NSX Edge Services Gateway. See ESG (Edge Services Gateway)
- NSX Manager, 18, 280
  - installation, 44–46
    - AD/LDAP, adding, 47–51
    - storage, 45
    - vCenter association, 46–47
  - linking multiple
    - primary, 53–54
    - secondary, 53–54
    - universal components, 51–52
  - memory requirements, 41
  - NSX-V (NSX Data Center for vSphere), 39–40
    - Client Integration Plug-in, 44
    - DRS, 41–43
    - HA (high availability), 41–43
    - IP addresses, 43–44
    - name resolution, 40
    - port groups, 43–44
    - ports, open, 40
    - resource requirements, 40–41
  - OVA (Open Virtual Appliance) files, 19, 41
  - prerequisites, 39–44
  - primary
    - controller deployment, 53–54
    - Enhanced Link Mode, 53
  - REST APIs, 274
  - secondary
    - controller deployment, 53–54
    - Enhanced Link Mode, 53
  - universal transport zone, 56–57
    - secondary manager, 58–59
    - vSphere distributed switches, 57–58
- NSX Virtual Switch, 22
- NSX-V (NSX Data Center for vSphere), 39–40
  - Client Integration Plug-in, 44
  - DRS, 41–43
  - HA (high availability), 41–43
  - IP addresses, 43–44
  - name resolution, 40
  - ports
    - open, 40
    - port groups, 43–44
  - resource requirements, 40–41
- NTP (Network Time Protocol) server, 47
- NTP Time Server, open ports and, 40
- O
- OSPF (Open Shortest Path First), 119–120, 138
  - configuring, 154–155
  - design rules, 285
  - planes of operation, 17
- OVA (Open Virtual Appliance) files, 19
- overlay networks, 32–34
- Overlay Switch, 72–73
- OVSDB (Open vSwitch Database management protocol), 104
- P
- passwords, NSX Controller, 50–51
- planes of operation, 16, 280
  - CLI (Command Line Interface), 17
  - control, 17
  - data, 17
  - GUI (Graphical User Interface), 17
  - management, 17
  - OSPF (Open Shortest Path First), 17
- portability,
- ports, groups, 43–44
- Protocol Address, 118, 134–135
- protocols, routing protocols
  - BGP, 142
  - IS-IS, 142
  - OSPF, 142
  - OSPF (Open Shortest Path First), 154–155
- R
- RARP (Reverse ARP), 57
- RBAC (Role-Based Access Control), 30–32
  - overlay networks, 32–34
  - underlay networks, 32–34
- replication mode
  - hybrid mode, 35–36
  - multicast mode, 34
  - unicast mode, 35
- resource allocation,
- REST APIs (Representational State Transfer Application Program Interfaces), 18, 247, 273, 291
  - browser as client, 274
  - HTTP DELETE, 273, 276
  - HTTP GET, 273, 275
  - HTTP POST, 273, 275–276
  - HTTP PUT, 273
  - HTTP requests, 273–274
  - NSX Manager, 274
- Route-Based IPsec VPN, 187–188
- routers
  - static routes, configuring, 155–156
  - VXLANs, 69
- routing, 123–125
  - BGP (Border Gateway Protocol), 120–123
  - centralized versus distributed, 140–141
  - distributed versus centralized, 140–141
  - DLR, 140
  - DLR and
    - CLI commands, 156–167
    - default behaviors, 157
    - ECMP, 157–159
  - ESG and
    - CLI commands, 156–167
    - default behaviors, 157
  - fault tolerance, 141
  - host failure, 141
  - kernel, versus VM (virtual machine), 140–141
  - LIFs (logical interfaces), 143
  - OSPF (Open Shortest Path First), 119–120
  - protocols
  - subnets, 26
  - transport zones, 142
- routing tables, 118
- rules, DFW (Distributed Firewall), 210–214
- S
- SDDC (Software Defined Data Center), , 279, 280
  - East-West traffic, 110
  - North-South, 110
- SDDC (Software Defined Data Centers), virtualization, 13
- SDN (Software-Defined Networking), 137–138
- security
  - Kaspersky Security for Virtualization, 224
  - McAfee MOVE, 224
  - virtualization, –10
  - vSS, 66–67
- Security Composer
  - security groups, 224
    - defining, 227–228, 229–230
    - DFW rules and, 233–236
    - dynamic, 224
    - dynamic inclusion, 225–226, 229–230, 245
    - security tags, 231–232, 232–233
    - static, 224
    - static exclusion, 226–227, 231
    - static inclusion, 226, 227–228
  - security policies
    - creating, 239–243
    - enforcing, 243–244
- security groups, 224
  - defining
    - dynamic inclusion, 229–230, 245
    - static inclusion, 227–228
  - DFW rules and, 233–236
  - dynamic, 224
  - dynamic inclusion, 225–226, 229–230, 245, 290
- security tags
  - assign to VM, 232–233
  - creating, 232
  - group creation, 231–232
- security policies, Security Composer
  - creating, 239–243
  - enforcing, 243–244
- servers, workload-to-server ratio,
- Service Composer, 223, 224
  - dynamic membership, 224
  - QUARANTINE.GROUP, 225
  - QUARANTINE.POLICY, 225
  - WEB.GROUP, 224
  - WEB.POLICY, 225
- service insertion, 236
  - guest introspection, 237–238
  - IOChain, 236
  - network introspection, 236–237
  - providers, 238
  - SVM (Service VM), 238
- service integration, 88
- services
  - blueprints, consuming, 271–273
  - catalogs, adding items, 267–268
  - defining, 266–267
- sharding, 26–28
- SLAs (Service-Level Agreements), vRA and, 272–273
- slicing, 26–28
- SNAT (source NAT), ESG (Edge Services Gateway), configuring, 167–169
- split-brain, 139
- SSL VPN (Secure Sockets Layer VPN), 179
  - configuring, 180–186
  - split tunneling, 180
- SSO (single sign-on), 47
- static routes, configuring, 155–156
- static security groups, 224
- storage
  - allocating,
  - virtualization and,
- subnets, routing between, 26
- SVM (Service VMs), 238
- Switch Security module, 81–82
- switches, 61
  - Logical Switch, 62
  - vDS (virtual Distributed Switch), 62
  - virtual switches
    - NIC teaming, 65–66
    - port groups, 64
  - vSS (vSphere Standard Switch), 62
- swsec (switch security), 24
- Syslog Server, open ports and, 40
- T
- tables, VNI (VXLAN Network Identifier), 73
- Thick Provision Eager Zeroed virtual disk format, 45
- Thick Provision Lazy Zeroed virtual disk format, 45
- Thin Provision virtual disk format, 45
- three-tier application, 208–209
- traffic
  - 5-tuple, 210
  - blocked, 218–220
  - hairpinning, 208
  - microsegmentation, 208
  - three-tier application, 208–209
- transparent bridging, 102
- Transport Zone, Logical Switches, 73
- transport zones, routing, 142
- Trend Micro Intrusion Detection and Prevention Systems, 224
- troubleshooting, bandwidth, ECMP, 159–160
- U
- underlay networks, 32–34
- unicast mode, 35
- Unknown unicast
  - Layer 2 flooding, 83
  - Logical Switches, 84–85
  - replication modes, 83–84
- URLs (Uniform Resource Locators), 273
- UUID (Universally Unique Identifier), 41–42
- V
- vCenter Server, 20
  - NSX Manager association, 46–47
  - open ports, 40
- vDS (virtual Distributed Switch), 62, 67
  - acquiring, 68
  - features, 68
  - Logical Switch, 72
- VDSs (vSphere Distributed Switches), 21, 54
- VIBs (vSphere Installation Bundles), 23–24
  - DFW (Distributed Firewall), 206
- virtual disks
  - Thick Provision Eager Zeroed, 45
  - Thick Provision Lazy Zeroed, 45
  - Thin Provision, 45
- virtual environment, migrating from physical, 89
- virtual machines,
- virtual switches
  - NIC teaming, 65–66
  - port groups, 64
- virtualization, –7, 286
  - planes of operation, 16
    - CLI (Command Line Interface), 17
    - control, 17
    - data, 17
    - GUI (Graphical User Interface), 17
    - management, 17
    - OSPF (Open Shortest Path First), 17
  - security and, –10
  - storage and,
- virtualwire, 72
- VM (virtual machine)
  - DFW, excluding from inspection, 207
  - firewalls, 204
  - versus kernel, 140
  - SVM (Service VM), 238
- VM-to-VM traffic, East-West traffic, 204
- vMotion,
  - DRS (Distributed Resource Scheduler),
- VMware,
  - DRS (Distributed Resource Scheduler), 19
  - HA (High Availability), , 19
  - hypervisor,
  - virtual machines,
  - vMotion,
- VMware Identity Manager, 248
- VMware vSphere Enterprise Plus, VDS (vSphere Distributed Switch), 21
- VNI (VXLAN Network Identifier)
  - collecting, 74–75
  - MAC table, 74–76
  - VTEP table, 76–78
- VPNs (virtual private networks)
  - IPsec VPN, 187–188
    - NAT Traversal, 188
    - Site-to-Site VPN configuration, 188–190
  - SSL VPN, 179
    - configuring, 180–186
    - split tunneling, 180
- vRA (vRealize Automation), 247, 248
  - Advanced edition, 249–250
  - blueprints, 249
  - DevOps, 249
  - Enterprise edition, 249–250
  - environments, 248–249
  - identity services, 249
  - iterative development, 249
  - multi-cloud environments, 248
  - NSX integration
    - automation endpoints, 250–252
    - external networks, 255–258
    - NAT network profile, 255–258
    - network profiles, 253–254
    - NSX Manager, 252–253
    - reservations, 258–260
    - routed networks, 255–258
  - portal of services, 248–249
  - setup, 248
  - SLAs and, 272–273
- vRealize Automation, 18
- vRealize Easy Installer, 248
- vRealize Suite Lifecycle Manager, 248
- vRO (vRealize Orchestrator)
  - blueprints
    - adding workflow, 264–265
    - one machine, 261–264
  - entitlements, 268–270
  - vRA catalog, request service, 265–268
- vSS (vSphere Standard Switch), 62
  - ESXi host, 63
  - NIC teaming, 65–66
  - port groups, 64
  - security, 66–67
  - traffic shaping, 63
- VTEP (VXLAN Tunnel Endpoint), 33–34, 85–86, 103–104, 281–282
  - hardware, 283
  - open ports and, 40
  - table, VNI, 76–78
- VVD (VMware Validated Designs), 248
- VXLANs (Virtual eXtensible LANs), 22, 26, 68–69, 87–88, 282
  - encapsulation, 86
  - Layer 2 Bridge, 87–88, 102
    - architecture, 88–89
    - challenges, 89
    - deployment, 90–101
    - Distributed Virtual Port Group, 100
    - DLR (Distributed Logical Router), 91
    - Edge Appliance VM and, 93
    - LR Control VM, 88
  - routers, 69
  - tunneling protocol, 32–33
- W–Z
- web computing,
- workload-to-server ratio,
- workloads, data centers,