
VMware vCloud Networking and Security

What's New
Venky Deshpande, Sr. Technical Marketing Manager, VMware
Grant Suzuki, Sr. Technical Marketing Manager, VMware

2010 VMware Inc. All rights reserved

Internal Only
The information about to be presented is confidential and is covered
by the terms of VMware's Key Employment Agreement and Business
Conduct Guidelines.
These agreements outline your obligations regarding confidential
information, which apply to VMware employees both during and
following employment at the company.
VMware anticipates that you will observe these, together with other
employment obligations that protect VMware's confidential
information and other important interests.

Software Defined Datacenter

(Diagram.) Layers shown, top to bottom: Cloud Provisioning (VMware Service Manager: automated application provisioning, service delivery); vCloud Director (policy-based provisioning of software defined storage, software defined networking, software defined security and software defined availability); vSphere; with Management and Operations alongside. Caption: software defined datacenter services run today's and tomorrow's apps.

Components of vCloud Networking and Security

(Diagram.) Three pillars: Logical Network (VDS and VXLAN); Extensible Platform (on-demand services with vendor choice); Management and Operations. Foundation: VMware Network Virtualization, which allows compute to be pooled independent of physical network topology.

Evolution of the virtual logical network

vSwitch: abstracts at a host level; depends on physical constructs for isolation.
Distributed Switch: abstracts across many hosts; depends on physical constructs for isolation.
VXLAN Distributed Switch: abstracts across all hosts; network isolation is independent of physical network constructs.

What are the Problems with Current Networks?

- Compute resources are tied to a Layer 2 network boundary
  - Can't make use of resources that are available in a different rack, because they are in a separate Layer 2 domain
- Network infrastructure is not flexible enough to support on-demand infrastructure services
  - Networks are pre-provisioned and difficult to change on the fly
  - Rigid hierarchical network design that is dictated by physical switch capacity
- Can't provision a large number of isolated networks
  - Limitation on the number of VLANs (4k)
- Limited mobility due to Layer 2 restrictions and IP namespace challenges
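To make the VLAN-count limitation and the VXLAN answer to it concrete, here is an added example (not VMware's code and not part of the deck) that builds and parses the 8-byte VXLAN header from RFC 7348 and shows that frame delivery is decided by the 24-bit VNI rather than by the underlay VLAN. The segment names and the sample frame are constructed for illustration.

```python
import struct
from typing import Dict, Optional, Tuple

# 802.1Q carries a 12-bit VLAN ID; VXLAN carries a 24-bit VNI (RFC 7348).
VLAN_ID_BITS = 12
VXLAN_VNI_BITS = 24
VXLAN_UDP_PORT = 4789      # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid
VXLAN_HEADER_LEN = 8


def usable_vlan_ids() -> int:
    """VLAN IDs 0 (priority tag only) and 4095 (reserved) are not usable."""
    return (1 << VLAN_ID_BITS) - 2


def vxlan_segment_ids() -> int:
    """Number of distinct VXLAN Network Identifiers a 24-bit field can express."""
    return 1 << VXLAN_VNI_BITS


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Prepend the VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < (1 << VXLAN_VNI_BITS):
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # Packing (vni << 8) as a 32-bit big-endian integer places the VNI in
    # bytes 4-6 of the header and leaves the trailing reserved byte zero.
    header = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    return header + inner_frame


def decapsulate(udp_payload: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame); reject payloads whose VNI flag is not set."""
    if len(udp_payload) < VXLAN_HEADER_LEN:
        raise ValueError("payload shorter than a VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    if vni_field & 0xFF:
        raise ValueError("reserved byte after the VNI must be zero")
    return vni_field >> 8, udp_payload[VXLAN_HEADER_LEN:]


def deliver(udp_payload: bytes, segments: Dict[int, str]) -> Optional[str]:
    """Hand the inner frame to the logical segment its VNI names, or drop it.

    Two workloads on the same physical VLAN but different VNIs never see each
    other's frames: isolation comes from the VNI, not from the underlay.
    """
    vni, _inner = decapsulate(udp_payload)
    return segments.get(vni)   # None: unknown segment, frame is dropped


if __name__ == "__main__":
    # Constructed sample frame: broadcast dst MAC, a made-up src MAC, EtherType IPv4.
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"constructed payload"
    segments = {5001: "VXLAN: Dev", 5002: "VXLAN: Prod"}   # constructed VNI-to-segment table
    for vni in (5001, 5002, 5003):
        print(vni, "->", deliver(encapsulate(frame, vni), segments))
    print(f"{usable_vlan_ids()} usable VLANs vs {vxlan_segment_ids():,} VXLAN segments")
```

The check on the "I" flag and the reserved byte is what a receiving tunnel endpoint should do before trusting the VNI; silently accepting a malformed header would let a frame land in a segment it was never addressed to.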

Logical view of VXLAN

(Diagram.) A logical network "VXLAN: Dev" with redundant vShield Edges attached to a VXLAN Distributed Switch, carried over VLAN 100 on the underlying Distributed Switch.

Operational Improvements in VDS

- Network Health Check support
- Configuration Backup and Restore
- Rollback and Recovery
- Distributed port auto-expand
- MAC address management
- LACP support

Network Monitoring and Troubleshooting Enhancements

- Remote port mirroring support, compatible with Cisco's RSPAN
- Support for encapsulated remote port mirroring via GRE tunnel (also called ERSPAN)
- IPFIX (NetFlow v10): template-based NetFlow records help monitor VXLAN traffic. NetFlow v5 is not supported on VDS.
- Enhanced SNMP support: v1, v2 and v3; networking MIBs; virtual switch related MIBs

Other Enhancements

- Netdump support on VDS
- Single Root I/O Virtualization (SR-IOV) support: a standard that allows one PCI Express (PCIe) adapter to be presented as multiple separate logical I/O devices. Customers who want to offload I/O processing to the adapters and reduce network latency can make use of this feature.

Scalability improvements

Number of VDS per vCenter Server: 128
Number of static port groups: 10,000
Number of distributed virtual ports: 60,000
Number of hosts per VDS: 500

Management and Operations

(Diagram.) Logical Network Services (Firewall, Load Balancing, VPN, DNS Forwarding, DHCP, Data Security) on the Extensible Platform over VMware Network Virtualization; services are attached per logical network.

Improved vCloud Networking and Security Key Logical Network Services

- vShield Edge: High Availability Firewall, Site-to-Site IPsec VPN, Remote access SSL VPN, Load Balancer
- vShield App Distributed Firewall
- Traffic Flow Monitor redesigned
- vCloud 3rd Party Service Plugins

Edge High Availability Firewall

(Diagram.) An HA pair of Edges, one active and one standby, between an Inside Portgroup and an Outside Portgroup on VMware vSphere.

Edge Firewall UI

New firewall rule view. The rule table and controls will also be the same in vShield App. The firewall rule ID will also show up in syslog.

Improved Interface Density and Flexibility

vShield Edge 5.0 was limited to 1 Internal interface and 1 External interface (2 predefined interfaces).

vShield Edge 5.1 provides 10 user-defined interfaces. One possible example of how a vShield Edge 5.1 with 10 interfaces can be configured: Internal-1 through Internal-8 plus External-1 and External-2.
vShield Edge Scale-Up

24,000 connections per second.

- Large (new for 5.1): 2 vCPU, 64-bit, 8192 MB vRAM, 10 vNetwork interfaces
- Full (new for 5.1): 2 vCPU, 32-bit, 1024 MB vRAM, 10 vNetwork interfaces
- Compact: 1 vCPU, 32-bit, 256 MB vRAM, 10 vNetwork interfaces

Flexibility of Multiple External IP Ranges for Edge Services

(Diagram.) Logical network "VXLAN: Dev"; the Edge external interface carries 10.1.0.0/16 and 74.32.1.64/30.

- In 5.0.1 there was a limitation of just one subnet on external Edge interfaces.
- In 5.1, secondary classless inter-domain routing (CIDR) blocks can be added and assigned to particular logical services.
- Customers can add external subnets on demand, without reinstalling.
- Can restrict which subnet pool is available per service.
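The per-service subnet restriction above is a policy that is easy to get wrong when blocks are added on demand, so here is an added example (not VMware's code and not part of the deck) that audits service address assignments against the configured pools. The two CIDR blocks are the ones on the slide; the pool names, the service-to-pool mapping and the sample assignments are constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed configuration: ranges from the slide, pool names are assumptions.
EXTERNAL_POOLS: Dict[str, ipaddress.IPv4Network] = {
    "primary": ipaddress.ip_network("10.1.0.0/16"),
    "secondary": ipaddress.ip_network("74.32.1.64/30"),
}

# Constructed policy: which pools each logical service may draw from.
SERVICE_POOLS: Dict[str, Set[str]] = {
    "load_balancer": {"secondary"},
    "ipsec_vpn": {"primary", "secondary"},
    "ssl_vpn": {"primary"},
}


def overlapping_pools(pools: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Secondary CIDR blocks must not overlap each other or the primary block."""
    names = sorted(pools)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if pools[a].overlaps(pools[b])]


def host_pool(ip: str, pools: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
    """Name of the pool whose host range contains ip; network and broadcast
    addresses are not usable hosts, so they map to no pool."""
    addr = ipaddress.ip_address(ip)
    for name, net in pools.items():
        if addr in net and addr not in (net.network_address, net.broadcast_address):
            return name
    return None


def check_assignment(service: str, ip: str) -> Tuple[bool, str]:
    """Is this address usable by this service under the pool restriction?"""
    pool = host_pool(ip, EXTERNAL_POOLS)
    if pool is None:
        return False, f"{ip} is not a usable host address in any configured pool"
    allowed = SERVICE_POOLS.get(service, set())
    if pool not in allowed:
        return False, f"{ip} is in pool '{pool}', which is not available to {service}"
    return True, f"{ip} ok for {service} (pool '{pool}')"


def audit(assignments: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool, str]]:
    """Run check_assignment over (service, ip) pairs and keep the verdicts."""
    return [(svc, ip, *check_assignment(svc, ip)) for svc, ip in assignments]


if __name__ == "__main__":
    if overlapping_pools(EXTERNAL_POOLS):
        raise SystemExit(f"overlapping pools: {overlapping_pools(EXTERNAL_POOLS)}")
    # Constructed sample assignments, including two that should be rejected.
    sample = [("load_balancer", "74.32.1.65"), ("load_balancer", "10.1.5.9"),
              ("ssl_vpn", "10.1.5.9"), ("ipsec_vpn", "74.32.1.67")]
    for svc, ip, ok, why in audit(sample):
        print("OK  " if ok else "FAIL", svc, ip, "-", why)
```

Excluding the network and broadcast addresses matters most for the small secondary block: a /30 has only two usable hosts, so an assignment to .64 or .67 would silently fail on the wire even though it "belongs" to the pool.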

Cloud Load Balancing Accelerates Performance of Applications

(Diagram.) Logical network "VXLAN: Dev".

Edge SSL-VPN Secure Access Server

(Diagram.) An SSL-VPN client reaches an Edge Gateway on VMware vSphere, which fronts a Management Network and a Production Network.

IPsec VPN supports AES-NI

- Up to 40% performance increase by supporting the new Intel AES-NI (AES New Encryption Instruction Set). The vSE (vShield Edge) offloads the AES encryption of data to the hardware on supported Intel Xeon and 2nd generation Intel Core processors.
- No user configuration needed to enable; AES-NI support in hardware is auto-detected.
- Supports certificate authentication, pre-shared key mode and IP unicast traffic.

Management and Operations: Choice and Flexibility through Standard APIs and Open Architecture

(Diagram.) The Extensible Platform sits on VMware Network Virtualization and the Logical Network Services (vShield Edge + vShield App + Data Security), and extends to insert 3rd party services.

Framework for integration of third-party networking and security services

vCloud Service Automation Framework: integration points for security and networking. (Diagram shows Virtual DC 1, Virtual DC 2 and Virtual DC 3 over a shared Management and Context layer.)

- Inside Virtual Server: access into the workloads, e.g. an AV solution would plug in here without needing an agent.
- Edge of Virtual Server: access to network data into/out of the guest, e.g. an agentless host IPS solution.
- Edge of Virtual Network: access to network data into/out of the Virtual Datacenter, e.g. a network IPS plug-in at the DC edge.

Extensibility to other VMware Products

New in vCenter Networking and Security 5.1, API access to traffic statistics is available. This can be accessed by VMware Chargeback or another traffic monitoring solution.

The following statistics can be fetched from Edge using an API GET command over HTTPS:
- vNetwork interface index number
- Timestamp for the fetched record
- Receive rate in bytes/second
- Transmit rate in bytes/second

Output will be in XML.

Requires vShieldAdmin, securityAdmin or superUser role rights.
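As an added example of consuming that statistics feed (not VMware's code and not part of the deck), the following client parses the four fields the slide lists out of an XML document and converts the byte rates into the megabit figures a chargeback or monitoring tool would report. The element names in the sample document, the URL shape and the use of HTTP basic authentication are assumptions made for illustration; they are not the real vShield Edge schema or endpoint.

```python
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample response. Element names are an assumption for
# illustration only; they are NOT the real vShield Edge statistics schema.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<interfaceStatistics>
  <interface>
    <index>0</index>
    <timestamp>1350000000</timestamp>
    <receiveRate>125000</receiveRate>
    <transmitRate>250000</transmitRate>
  </interface>
  <interface>
    <index>1</index>
    <timestamp>1350000000</timestamp>
    <receiveRate>12500</receiveRate>
    <transmitRate>62500</transmitRate>
  </interface>
</interfaceStatistics>
"""


def _field(node: ET.Element, name: str) -> str:
    """Required child text; a missing field is an error, not a silent zero."""
    child = node.find(name)
    if child is None or child.text is None:
        raise ValueError(f"missing <{name}> in interface record")
    return child.text.strip()


def parse_interface_stats(xml_text: str) -> List[Dict]:
    """Records with index, UTC timestamp, and rx/tx rates in bytes per second."""
    root = ET.fromstring(xml_text)
    return [{
        "index": int(_field(iface, "index")),
        "timestamp": datetime.fromtimestamp(int(_field(iface, "timestamp")), tz=timezone.utc),
        "rx_bps": int(_field(iface, "receiveRate")),
        "tx_bps": int(_field(iface, "transmitRate")),
    } for iface in root.iter("interface")]


def bytes_per_sec_to_mbit(rate: int) -> float:
    """Bytes/second to megabits/second (decimal mega, as link speeds are quoted)."""
    return rate * 8 / 1_000_000


def top_talker(records: List[Dict]) -> int:
    """Interface index carrying the most combined traffic."""
    return max(records, key=lambda r: r["rx_bps"] + r["tx_bps"])["index"]


def fetch_edge_stats(url: str, username: str, password: str, timeout: float = 10.0) -> str:
    """HTTPS GET of the statistics document.

    Assumptions: the caller supplies the full URL (no endpoint path is given
    on the slide) and the API accepts HTTP basic authentication. A 403 is
    mapped to PermissionError because the slide says the call needs the
    vShieldAdmin, securityAdmin or superUser role.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:   # verifies the TLS cert
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        if err.code == 403:
            raise PermissionError("account lacks vShieldAdmin/securityAdmin/superUser rights") from err
        raise


if __name__ == "__main__":
    for rec in parse_interface_stats(SAMPLE_XML):
        print(f"if{rec['index']} {rec['timestamp'].isoformat()} "
              f"rx {bytes_per_sec_to_mbit(rec['rx_bps']):.2f} Mbit/s "
              f"tx {bytes_per_sec_to_mbit(rec['tx_bps']):.2f} Mbit/s")
    print("top talker: interface", top_talker(parse_interface_stats(SAMPLE_XML)))
```

Two practical notes: urlopen validates the server certificate by default, so a vShield Manager with a self-signed certificate should be trusted explicitly via a CA bundle or pinned certificate rather than by disabling verification; and because the document comes from a network service, a collector that ingests it at scale should parse it with a hardened parser such as defusedxml rather than the stdlib ElementTree used here for brevity.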

Thank you for listening!
