Smart Software Is Indispensable, Smart Networking

Transcription

Smart Software is Indispensable, Smart Networking Hardware is Fundamental
Al da Silva, Consulting Systems Engineer, CoE-APAC, Juniper Networks
Cedric Rajendran, Staff Engineer-TS, VMware

Agenda
- Value of the SDDC
- SDDC Vision & NSX Overview
- Convergence of Overlay & Underlay
- Security in the SDDC
- Management Integration
- Demo

Value of SDDC

Network challenges in real terms (chart, post virtualization)
- Spinning up server resources: seconds
- Provisioning the network and security: weeks
- Chart axis: time; label: latency in communications

Network was built for bare metal servers (chart)
Share of virtualized servers and storage is growing rapidly:
- 2011: virtual compute 46%, physical compute 54%
- 2015: virtual compute 71%, physical compute 29%

VMware's SDDC Vision
Software-Defined Data Center priorities:
- Data center virtualization and standardization
- Streamlined and automated data center ops
- Security controls native to infrastructure
- High availability and resilient infrastructure
- Application d… (label truncated in the source)
Data center outcomes:
- CapEx reduction
- OpEx reduction
- Effortless security
- Improved uptime
- ITaaS

NSX Perspective

MetaFabric Guiding Principles
- Simple: easy to buy, easy to deploy, easy to operate, easy to secure
- Smart: self-healing, proactive, event correlation, security intelligence
- Open: embrace open standards, enable choice, alleviate lock-in, standard APIs

Juniper's MetaFabric Differentiators

High-Performance DC Fabrics:
- DC switches
- Any topology
- Fabric technologies
- Highly available
- Massively scalable
- Open standards
- API/tool automatable

Virtual Networking Intelligence:
- VXLAN switching
- NSX SDN-overlay bridging gateway
- Operational ease
- In-hypervisor and in-switch cloud analytics engine
- Adaptive load balancing of "elephant and mice" flows / flowlets

Data Center Interconnect:
- Best-of-breed WAN and DCI routing
- VPLS and E-VPN
- NSX SDN-overlay routing gateway
- Universal SDN Gateway for multiple VXLAN and MPLS overlays
- In-VM router scaling to 160 Gbps

Joint Management and Automation:
- Web 2.0-style GUI
- Correlate physical and virtual networks
- Manage DC network
- Monitor vMotion
- Analytics collector with network and in-VM application visibility

Complementary Network Security:
- NSX hypervisor FW and virtual network micro-segmentation
- Juniper DC L2-7 perimeter with high performance NGFW
- Juniper in-VM FW offers Anti-APT/UTM with vSphere integrated management

Better Together: now your network is plugged into the SDDC
SDDC: Virtualization & Automation; MetaFabric: Performance & Automation
- Maximize agility and flexibility
- DC programmatic control
- Common policy across DC
- High performance and scalable
- Secure and reliable foundation
- Physical-virtual ops simplification
Layers: NSX Virtual Networking; Physical-to-Virtual Switching & Routing; VMware Compute Virtualization; VM-aware Management and VNFs
The SDDC:
1. Seamless forwarding across physical and virtual infrastructure
2. Virtualization-aware network management and orchestration
3. Analytics and visibility of both physical and virtual

Convergence of Overlay & Underlay

How overlays treat the network (diagram: the SDDC sitting on a single "IP Network" cloud)

How the network actually is (diagram: the SDDC sitting on the real set of network devices)

VXLAN replication modes - Multicast
- Standard VXLAN implementation (RFC 7348)
- Multicast in the underlay
- Data plane learning (i.e. no controller required for endpoint learning)

VXLAN replication modes - Unicast Mode
- Proprietary unicast replication method
- Unicast to remote UTEP with the replicate-locally bit set
- Default option while configuring a VNI
- Not recommended for large scale deployments

VXLAN replication modes - Hybrid Mode
- Only medium to large scale deployment option
- Underlay performs L2 multicast replication
- Unicast to MTEP for L2 replication in other VXLAN transport zones

VMware NSX Overlay Tunnels (diagram: VXLAN tunnels between VTEPs; VTEP = Virtual Tunnel End Point)
Overlay attributes:
- L2 extension over a Layer 3 underlay
- Any to any at massive scale, up to 16 million VXLAN logical segments
- Overlay addresses are hidden from the underlay
Underlay attributes:
- Ideally a single element to manage (One Fabric)
- All links active 100% of the time
- All features on every port
- Predictable latency and performance
- In Service Software Upgrade
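To make "overlay addresses are hidden from the underlay" concrete, here is an added example (not NSX or Junos code; every VTEP address, VM MAC and VNI is constructed) that builds and parses RFC 7348 VXLAN frames. `underlay_view` returns the only things a non-VXLAN-aware underlay device can match on (the VTEP pair and UDP 4789), while `vni_inventory` recovers the per-VNI list of inner VM MACs, the kind of overlay view the later analytics slide presents with `show analytics overlay vxlan`. The security point is that an ACL on the underlay cannot distinguish one tenant's traffic from another's once it is encapsulated; policy for overlay traffic has to be applied at the VTEP, in the hypervisor, or on a VXLAN-aware gateway.

```python
"""VXLAN (RFC 7348) frame builder/parser showing what the underlay sees
versus what the overlay carries.  Added example: not NSX or Junos code;
all addresses and frames below are constructed for illustration."""
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789   # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid


@dataclass(frozen=True)
class VxlanFrame:
    outer_src_ip: str    # VTEP addresses: all the underlay routes on
    outer_dst_ip: str
    vni: int             # 24-bit segment id (up to 16 million segments)
    inner_src_mac: str   # VM addresses: hidden from the underlay
    inner_dst_mac: str
    inner_ethertype: int


def _mac_str(b): return ":".join(f"{x:02x}" for x in b)
def _mac_bytes(s): return bytes(int(h, 16) for h in s.split(":"))
def _ip_str(b): return ".".join(str(x) for x in b)
def _ip_bytes(s): return bytes(int(o) for o in s.split("."))


def _ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum; returns 0 when run over a header with a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_vxlan(src_ip, dst_ip, vni, inner_frame, src_port=49152) -> bytes:
    """Encapsulate an inner Ethernet frame: outer Ethernet + IPv4 + UDP + VXLAN."""
    vxlan_hdr = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)  # flags, 3 reserved, VNI<<8
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP csum optional on IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         _ip_bytes(src_ip), _ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    outer_eth = _mac_bytes("02:00:00:00:00:02") + _mac_bytes("02:00:00:00:00:01") + b"\x08\x00"
    return outer_eth + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def parse_vxlan(pkt: bytes) -> VxlanFrame:
    """Decode outer Ethernet/IPv4/UDP/VXLAN; raises ValueError for anything else."""
    if len(pkt) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("frame too short for VXLAN")
    if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = 14
    ihl = (pkt[ip] & 0x0F) * 4
    if _ipv4_checksum(pkt[ip:ip + ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if pkt[ip + 9] != 17:
        raise ValueError("outer transport is not UDP")
    udp = ip + ihl
    _, dport, udp_len, _ = struct.unpack("!HHHH", pkt[udp:udp + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN: UDP dport %d" % dport)
    if udp_len < 8 + 8 + 14:
        raise ValueError("inner frame truncated")
    vx = udp + 8
    flags, vni_field = struct.unpack("!B3xI", pkt[vx:vx + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    inner = vx + 8
    return VxlanFrame(
        outer_src_ip=_ip_str(pkt[ip + 12:ip + 16]),
        outer_dst_ip=_ip_str(pkt[ip + 16:ip + 20]),
        vni=vni_field >> 8,
        inner_dst_mac=_mac_str(pkt[inner:inner + 6]),
        inner_src_mac=_mac_str(pkt[inner + 6:inner + 12]),
        inner_ethertype=struct.unpack("!H", pkt[inner + 12:inner + 14])[0],
    )


def vni_inventory(packets):
    """Overlay view: VNI -> sorted inner source MACs seen on that segment."""
    seen = {}
    for p in packets:
        f = parse_vxlan(p)
        seen.setdefault(f.vni, set()).add(f.inner_src_mac)
    return {vni: sorted(macs) for vni, macs in seen.items()}


def underlay_view(packets):
    """Underlay view: the VTEP pair and UDP port are all a plain IP device can see."""
    return {(parse_vxlan(p).outer_src_ip, parse_vxlan(p).outer_dst_ip, VXLAN_UDP_PORT)
            for p in packets}


def _inner(src_mac, dst_mac, payload=b"overlay payload"):
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00" + payload


# Constructed traffic: two VTEPs carrying two segments (VNI 5001 and 5002)
SAMPLE_PACKETS = [
    build_vxlan("10.10.10.1", "10.10.10.2", 5001, _inner("00:50:56:00:00:01", "00:50:56:00:00:02")),
    build_vxlan("10.10.10.2", "10.10.10.1", 5001, _inner("00:50:56:00:00:02", "00:50:56:00:00:01")),
    build_vxlan("10.10.10.1", "10.10.10.2", 5002, _inner("00:50:56:00:00:03", "00:50:56:00:00:04")),
]

if __name__ == "__main__":
    for vni, macs in vni_inventory(SAMPLE_PACKETS).items():
        print(f"VNI {vni}: {', '.join(macs)}")
    print("underlay sees only:", underlay_view(SAMPLE_PACKETS))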

SDDC: The Network Perspective (L2 transport over an L3 network)
What you DO get with SDDC networking:
- Increased logical scale
- Application orchestration and provisioning
- Logical separation of tenants and apps
- Software upgrades
What you DON'T get with SDDC networking:
- Configuration of the underlay
- Routing protocol configuration
- Provisioning of new nodes and core facing links
- Management and monitoring of network elements and interactions

All Devices Need to Communicate
- SDN to IP (Layer 2): provide SDN-to-non-SDN translation, same IP subnet
- SDN to IP (Layer 3): provide SDN-to-non-SDN translation, different IP subnet
- SDN to SDN: provide SDN-to-SDN translation, same or different IP subnet, same or different overlay
- SDN to WAN: provide SDN-to-WAN translation, same or different IP subnet, same or different encapsulation (remote data center, public cloud, Internet)

Virtual Chassis Fabric – The Ideal SDDC Fabric
- Single point of management
- Ethernet fabric: L2/L3 for the entire DC or for pods
- Single VTEP/L2 gateway on any port (with OVSDB integration)
- Simplified multicast support (no need for PIM)
- Flexibility in size, interface types, future expansion
- Spine-leaf topology for predictable performance and maximum resilience
- AFS for even ECMP distribution of traffic (elephant flow handling)

How VCF presents the network (diagram: the SDDC on a single fabric)
- Single switch management
- Plug and play implementation
- VTEP anywhere
- Deterministic performance
- Flowlet based load balancing
- Set and forget operation

VCF – Bidirectional Multicast Distribution Trees for BUM and multicast

Multicast Distribution Trees (MDT):
- One minimal cost tree rooted at each node
- Total of N trees
- Shared among all members to carry traffic in both directions

Benefits:
- Predictable latency and replication points
- Automatic load rebalance on topology change

Load balancing among N trees:
- BUM traffic: VLAN-ID (hw-token) mapped to tree-id
- Known multicast: multicast next-hop (IPMC) assigned to tree-id
(diagram: SW1 to SW16 with RE nodes, trees L1 to L4)

IGMP snooping configuration (under [edit protocols]):

    igmp-snooping {
        vlan VXLAN {
            l2-querier {
                source-address 10.10.10.254;
            }
            interface ae0.0 {
                multicast-router-interface;
            }
            interface ae1.0 {
                multicast-router-interface;
            }
            interface ae2.0 {
                multicast-router-interface;
            }
        }
        vlan default;
    }

VLAN configuration (under [edit vlans]):

    VLAN203 {
        vlan-id 203;
    }
    VXLAN {
        description "This is the VLAN created to enable interhost VXLAN overlays";
        vlan-id 1001;
        l3-interface irb.1001;
    }
    default {
        vlan-id 1;
    }

IP Fabric Multicast Complexities (diagram: IP fabric with PIM multicast routing on the spine and IGMP snooping configuration on the leaf)

Intelligent Underlays: Adaptive Flowlet Splicing (diagram: VN overlay over a Virtual Chassis Fabric underlay)
Dynamic load balancing algorithm for VCF:
- TCP flow splicing
- No packet re-ordering
- Load and queue depth measures used for flowlet balancing
- Better ECMP utilisation for overlay and underlay traffic
- More predictable and balanced performance
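The slide names the two properties that matter (no packet re-ordering, balancing on load and queue depth) without saying how they are reconciled. The added example below is a generic model of flowlet switching, not Juniper's AFS implementation: a flow is cut into flowlets wherever the idle gap between packets exceeds the latency skew between ECMP members, so a new flowlet can safely go to the least-loaded path (by queue depth) while a flowlet in progress stays put. It compares that against per-packet spraying on a constructed trace; paths, rates and the trace are all made up, and queueing delay is not modelled, only path latency.

```python
"""Flowlet switching as a generic illustration of the idea behind adaptive
flowlet splicing.  Added example, not Juniper's AFS implementation: paths,
rates and the packet trace are constructed; queueing delay is not modelled,
only path latency."""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Path:
    name: str
    latency_us: float           # one-way latency of this ECMP member
    drain_bytes_per_us: float   # link service rate
    queue_bytes: float = 0.0    # queue depth: the load measure for balancing
    last_update_us: float = 0.0

    def drain_to(self, now_us: float) -> None:
        elapsed = now_us - self.last_update_us
        self.queue_bytes = max(0.0, self.queue_bytes - elapsed * self.drain_bytes_per_us)
        self.last_update_us = now_us


@dataclass(frozen=True)
class Packet:
    flow: str       # stands in for the 5-tuple
    ts_us: float    # transmit time at the splicing switch
    size: int


def flowlet_gap_us(paths) -> float:
    """Idle gap that makes a path switch safe: longer than the worst-case
    latency skew between members, so the previous flowlet cannot arrive late."""
    lat = [p.latency_us for p in paths]
    return max(lat) - min(lat)


class FlowletBalancer:
    """Packets of a flow closer together than the gap form one flowlet and stay
    on one path; each new flowlet goes to the least-loaded path."""
    def __init__(self, paths):
        self.paths = paths
        self.gap_us = flowlet_gap_us(paths)
        self.state = {}  # flow -> (last packet time, path index)

    def choose(self, pkt: Packet) -> int:
        for p in self.paths:
            p.drain_to(pkt.ts_us)
        last = self.state.get(pkt.flow)
        if last is None or pkt.ts_us - last[0] > self.gap_us:
            idx = min(range(len(self.paths)), key=lambda i: self.paths[i].queue_bytes)
        else:
            idx = last[1]
        self.state[pkt.flow] = (pkt.ts_us, idx)
        self.paths[idx].queue_bytes += pkt.size
        return idx


class PerPacketSpray:
    """Round-robin every packet: best spreading, but reorders within a flow."""
    def __init__(self, paths):
        self.rr = cycle(range(len(paths)))

    def choose(self, pkt: Packet) -> int:
        return next(self.rr)


def simulate(packets, paths, balancer_cls):
    """Returns (flow, sent, path, arrival) per packet in transmit order."""
    bal = balancer_cls(paths)
    out = []
    for pkt in sorted(packets, key=lambda p: p.ts_us):
        idx = bal.choose(pkt)
        out.append((pkt.flow, pkt.ts_us, paths[idx].name, pkt.ts_us + paths[idx].latency_us))
    return out


def in_order(schedule) -> bool:
    """True when every flow's packets arrive in the order they were sent."""
    last = {}
    for flow, _, _, arrival in schedule:
        if arrival < last.get(flow, float("-inf")):
            return False
        last[flow] = arrival
    return True


def paths_for(flow, schedule):
    return [path for f, _, path, _ in schedule if f == flow]


def make_paths():
    # Two ECMP members with 50 us of latency skew (constructed)
    return [Path("A", latency_us=100, drain_bytes_per_us=10),
            Path("B", latency_us=150, drain_bytes_per_us=10)]


# Constructed trace: f1 sends a burst, idles, then sends a second burst
TRACE = [Packet("f1", 0, 1500), Packet("f2", 5, 1500), Packet("f1", 10, 1500),
         Packet("f2", 15, 1500), Packet("f1", 20, 1500), Packet("f3", 590, 1500),
         Packet("f1", 600, 1500), Packet("f1", 610, 1500), Packet("f1", 620, 1500)]

if __name__ == "__main__":
    for name, cls in (("flowlet", FlowletBalancer), ("per-packet", PerPacketSpray)):
        sched = simulate(TRACE, make_paths(), cls)
        print(f"{name}: f1 on {paths_for('f1', sched)}, in order: {in_order(sched)}")
```

On this trace the flowlet balancer keeps f1's first burst on path A, moves the second burst to path B after the 580 us idle gap, and every flow still arrives in order; per-packet spraying uses both paths for every burst and reorders f1.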

Networking End to End (diagram: Multi-Data Center, Multi-Cloud, One Network Architecture)
Elements: hosted/managed; campus and branch; WAN; Internet; public cloud (hybrid); MX (USG); Junos Space Network Director; any network or SDN; virtual & physical security; QFX, EX, and QFabric switching; private cloud.

MX-Series – Universal SDN Gateway (diagram: WAN GW, Layer 3 GW, Layer 2 GW and SDN GW roles on the MX, connecting VMware NSX/BMS Pods 1, 2 and n in DC 1 to DC 2 and the WAN)

EVPN and VM Traffic Optimizer on the MX
Layer-2 stretch between data centers (diagram: DC #1 and DC #2 over the WAN)
Ethernet VPN advantages:
- Traffic is load balanced across all WAN links
- MAC tables are populated via control plane unicast (similar to BGP L3VPNs)
- No packet flooding on the WAN
VM L2 location awareness with VM-TO:
- VM Traffic Optimizer detects L2-connected VMs and their migration across data centers
- Dynamic WAN gateway optimization
- Avoid traffic trombones with normal EVPN (diagram: original path, usual path after VM migration, and VM-TO path across DC #1, DC #2 and DC #3)

Security in the SDDC

Enemies in Your Internal Network: The Zero Trust Use Case
- Major security breaches originate from a compromised low security system with low security internal network access; this is used to attack high value targets
- East-west traffic comprises around 80% of data center network traffic on average (Gartner/ixiacom)
- Network architects have attempted to increase security by dividing the network into an ever increasing number of network segments
- Even with the large number of network segments, traditional firewalls are unable to control the traffic of IP adjacent workloads

Security follows the Virtual Machine

Micro-Segmentation
- Fine-grained policies enable firewall controls and advanced security down to the level of the virtual NIC
- The NSX Distributed Firewall (DFW) can apply firewall rules before traffic ever hits the (virtual) wire
- Performance is near line rate
- DFW allows the application of firewall policy to IP adjacent virtual workloads
- Integration with the industry's leading security products
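The zero-trust slide and this one make two claims worth seeing side by side: a subnet-boundary firewall never sees traffic between IP-adjacent workloads, and a policy evaluated at the vNIC and keyed on workload identity rather than address does. The following is an added toy model of that idea, not NSX DFW code: the VMs, tags, addresses and rules are constructed, `dfw_decision` evaluates a first-match policy at the source vNIC, `perimeter_can_inspect` reports whether a flow would ever cross the segment boundary, and `lateral_exposure` audits which east-west paths a policy leaves open. Because the rules reference tags, the decision for a VM is unchanged when its IP changes, which is the "security follows the VM" property.

```python
"""Micro-segmentation policy evaluated at the vNIC, compared with what a
subnet-boundary firewall can see.  Added example: a toy model of the idea
behind a distributed firewall, not NSX DFW code; VMs, tags, addresses and
rules are all constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset   # security-group membership; policy is keyed on these, not on IP


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # security tag, or "any"
    dst: str
    port: Optional[int]    # None = any port
    action: str            # "allow" or "deny"


# Constructed three-tier policy: first match wins, the last rule is the default deny
POLICY = (
    Rule("web-to-app", "web", "app", 8080, "allow"),
    Rule("app-to-db", "app", "db", 3306, "allow"),
    Rule("jump-ssh", "jumphost", "any", 22, "allow"),
    Rule("default-deny", "any", "any", None, "deny"),
)


def _matches(rule: Rule, src: VM, dst: VM, port: int) -> bool:
    return ((rule.src == "any" or rule.src in src.tags)
            and (rule.dst == "any" or rule.dst in dst.tags)
            and (rule.port is None or rule.port == port))


def dfw_decision(policy, src: VM, dst: VM, port: int):
    """Decision taken at the source vNIC, before the frame reaches the (virtual)
    wire.  Returns (action, rule name); an empty policy falls back to deny."""
    for rule in policy:
        if _matches(rule, src, dst, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def perimeter_can_inspect(src: VM, dst: VM, segment: str) -> bool:
    """A firewall at the subnet boundary only sees flows that leave the segment;
    IP-adjacent workloads reach each other without ever crossing it."""
    net = ipaddress.ip_network(segment)

    def inside(vm: VM) -> bool:
        return ipaddress.ip_address(vm.ip) in net

    return not (inside(src) and inside(dst))


def lateral_exposure(policy, vms, ports):
    """Audit helper: every (src, dst, port) the policy allows between distinct
    VMs, i.e. the east-west reachability left open for review."""
    allowed = set()
    for src in vms:
        for dst in vms:
            if src is dst:
                continue
            for port in ports:
                if dfw_decision(policy, src, dst, port)[0] == "allow":
                    allowed.add((src.name, dst.name, port))
    return allowed


# Constructed workloads: all five are IP adjacent on one segment
VMS = (
    VM("web01", "10.0.1.10", frozenset({"web"})),
    VM("web02", "10.0.1.11", frozenset({"web"})),
    VM("app01", "10.0.1.20", frozenset({"app"})),
    VM("db01", "10.0.1.30", frozenset({"db"})),
    VM("jump01", "10.0.1.40", frozenset({"jumphost"})),
)
SEGMENT = "10.0.1.0/24"

if __name__ == "__main__":
    web01, web02, app01, db01, _ = VMS
    for src, dst, port in ((web01, app01, 8080), (web01, db01, 3306), (web01, web02, 445)):
        action, rule = dfw_decision(POLICY, src, dst, port)
        seen = perimeter_can_inspect(src, dst, SEGMENT)
        print(f"{src.name} -> {dst.name}:{port}  dfw={action} ({rule})  perimeter sees it: {seen}")
    print("allowed east-west paths:", sorted(lateral_exposure(POLICY, VMS, (22, 8080, 3306))))
```

Running it shows web01 reaching app01 on 8080 while web01 to db01 on 3306 and web01 to web02 on 445 are denied at the vNIC, none of which a perimeter firewall on the 10.0.1.0/24 boundary would have seen at all.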

The Solution Landscape is Expanding (diagram of where security functions can be placed, numbered 1 to 12)
Placement options shown: secure fabric (silicon); embedded compute chipset; security service; virtual appliance with API hooks; router/SLB/etc.; hypervisor; stand-alone virtual appliance; SDN and SDN service; hypervisor kernel module (VT-x); libraries; cloud services; containers or PaaS (App A, App B, App C on a host OS); stand-alone physical security appliance; in a guest OS/VM or app (virtualized or bare metal).

Integrated Physical and Virtual Security (diagram)
Management and security services: Security Director; Juniper Secure Hypervisor; DoS prevention; AppSecure; SRX Series; virtual network.

SRX Series Services Gateways
- Branch: SRX220; Campus; Data Center: High-End SRX (SRX3400, SRX3600, SRX5400, SRX5600, SRX5800)
- Up to 2 Tbps FW throughput and 100 million concurrent sessions scaling
- Integrated routing, switching and security
- Unprecedented scale
- Single Junos

Maximum Performance and Scale: Express Path – Elephant Flows
- Dramatically increases secured traffic with extremely high bandwidth flows
- Suitable for express downloads and data transfers of large amounts of data
- Reduces packet path latency
- Price/performance gains
(diagram: Science DMZ with an area border router, an SRX5000 enterprise border firewall, a Science DMZ switch/router, 10G/40G/100G links, the site/campus LAN, and a data transfer cluster of DTNs (data transfer nodes) holding Project X and Project Y data; the site/campus gets access to Science DMZ resources)

SRX in Virtual Format
- Junos routing protocols and SDK
- Junos rich and extensible security: Firewall, Anti-Virus, AppTrack, VPN, Web Filtering, AppFW, NAT, Content Filtering, AppQoS, Routing, Anti-Spam, IPS
- Management: Junos Space – Security Director & Virtual Director, CLI, J-Web, SNMP, HA/FT

Virtual Security Solutions Do Make Sense (diagram: vSRX alongside guest VMs on a hypervisor on an x86 box)
- Higher guest virtual machine densities
- One virtual instance of anti-malware software, one virtual instance of the anti-malware signature database
- Higher performance for critical applications and business processes
- Easy deployment and automatic protection of the newly created virtual machine
- Higher return on investment
- Security gaps are eliminated (e.g. instant-on gaps, scanning storms etc.)

Management Integration

Today's Reality in Operations Management (diagram: network, VI and storage silos)
- Monitoring data overload
- Alert storms
- Over-provisioning
- Finger pointing

Operations Management Goals (goal vs. status quo)
- Quality of Service: Are you able to meet or exceed service level expectations? Can you remediate issues before end users are impacted?
- Operational Efficiency: What is your average Mean Time to Incident & Resolution? Do you manage your infrastructure capacity?
- Control and Compliance: Is your IT infrastructure compliant to regulatory standards? Can you proactively enforce IT standards in your organization?

NSX Operations Dashboard
- NSX deployment compliance checks
- Health of VMs hosting NSX services
- Top N stats including VXLANs, VMs
- Health, capacity, performance views of all NSX services deployed

NSX Visibility
- All NSX resources
- Health of the NSX components
- Open alerts
- Heat map of the hypervisors in the NSX transport zone
- Top N logical networks and VMs

Technology Integration (table: VMware and Juniper components per layer)
Integration goals:
1) Smart forwarding across physical and virtual infrastructure
2) Analytics & visibility of both physical and virtual
3) Management & orchestration
4) Application/flow-based traffic handling
Layers:
- Cloud orchestration: vRealize Automation (formerly vCAC & vCloud Director)
- Management & operations: VMware vRealize Operations (vCenter Ops) and vRealize Log Insight; Juniper Network Director
- Virtualization: vCenter; compute: vSphere / ESXi (compute virtualization); storage: vSAN (storage virtualization); network: NSX (network virtualization)
- Juniper network services: L4-L7 firewall services on vSRX; L3 gateway on EX9200 and MX; L2 gateway on QFX5100, EX9200 and MX
- Physical hardware

Integrated Management, Orchestration & Automation: Network Director Overview (diagram)
- Web 2.0 GUI on top of the ND app running on Junos Space
- Junos OS devices managed via NETCONF/DMI
- Open RESTful API towards B/OSS, ITSMs, DevOps, platforms & apps, and custom DevOps/ITSM

Integrated Management, Orchestration & Automation: Network Director-to-VMware Integration Overview (diagram: server and controller)
VISUALIZE - holistic and correlated view:
- Data center and campus topologies
- Correlated server/VM/network visibility
- Overlay and underlay connectivity
- Physical and virtualized connectivity
ANALYZE - smarter and proactive networks:
- Built-in collection and correlation engine
- Heat map and root-cause analysis
- Telemetry for overlays & underlays
- Inter-VM network trace and flow analysis
CONTROL - lifecycle and workflow automation:
- Scalable multi-site management
- Provisioning templating and planning
- Fabric automation and management
- Data center fabric management

Physical & Virtual Visibility in Junos Space ND
- Data center topology and devices
- Physical to virtual topology
- NSX overlay networks topology

Monitoring in Junos Space ND
- Network telemetry – VM bandwidth monitoring

Exceptional Networking Analytics (diagram: compute hosts with VMs and KVM on a VN overlay over a VN underlay)
Joint-ops advantages:
- Faster troubleshooting and planning
- Correlate & coordinate network and apps
- Overlay awareness
- Proactive & passive application QoE
- Insightful metrics monitoring
- VXLAN ping, traceroute, VM path visibility
Overlay awareness example shown on the slide:

    s1 show analytics overlay vxlan
    VNI Green: VM1, VM2, VM6, VM7
    VNI Blue: VM5, VM10
    VNI Red: VM3, VM4, VM8, VM9

CAE Flow/App Visibility & Analysis
- VMs/apps, hosts, networks: network telemetry, app placement, troubleshooting, watch lists
- Flow-path analytics: health & capacity assessment, end-to-end and per-hop analysis, unhealthy VMs/apps/hosts
- Physical/virtual correlation: topology visualization, simple end-to-end mirroring

Juniper Inventory Tree

Object Level Dashboard

Juniper Infrastructure Overview Dashboard

Juniper Top Network Fabrics Dashboard

Fault – Drill Down

Device Down Alert

Launch to Network Director


Summary
- The SDDC is compelling but network alignment is important
- SDDC will improve agility of the DC
- Network overlays are here to stay as the predominant form of SDN
- Network overlays abstract service models but do not transform network hardware
- Plug and play fabrics converge how the network is with how SDDC sees it
- Bare metal servers and physical network connectivity need to be considered
- Coherent physical and virtual end-to-end visibility is critical
- The network must not be an inhibitor to innovation

Better Together
