Designing the Modern Data Center Network
Dr. Chip Copper, Strategic Technologist
Posted Mar 31, 2018

Transcript

Page 1: Designing the Modern Data Center Network
Dr. Chip Copper, Strategic Technologist

Page 2: The Industry is in a Mega Transition

1975, 1st Platform: Mainframes, PCs; SNA architecture, private lines
1995, 2nd Platform: Client-server; LAN/WAN, Internet, and IP networks
2015, 3rd Platform: Cloud, mobile, social, and data analytics

By 2020: Cloud spending > $500B; IoT > $1.7T; Mobile phones > 2.1B; > 1.5B people affected by data hacks

© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC.

Page 3: Evolutionary Steps to Revolutionary Results

• We understand that change can be difficult…
• …we de-risk the transformation by encouraging an evolutionary approach to revolutionary results
• Examples:
‒ Branch Office SDN/Network Virtualization
‒ Hybrid Cloud with Fabrics, SDN and VNFs
‒ Automate Management of Existing Infrastructure with Brocade SDN Controller
‒ Encryption for Securing the New IP Edge
• Change at your pace, in your own way

Diagram: Conventional Strategy vs. Non-Linear Strategy, moving from Traditional Enterprise through Digitized Enterprise to Enterprise as Digital Business.

Page 4: Reference Architecture

Diagram labels: Primary Data Center and Secondary Data Center (each with Fabric, Border/DCI, Visibility/Analytics, and Servers/Storage/Virtualization); Branch Office (Campus Switches, WiFi, NFV); Internet; NFV; Network Advisor; Automation & Orchestration.

Page 5: Evolution of Datacenter Architectures

© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC

3-tier Architecture: Core, Aggregation, Access.
Scale-out Layer 2 Fabric Architecture: Leaf/Spine plus Core, scale out; overlays with NSX or Virtual Fabrics.
Scale-out Layer 3 Fabric Architecture: overlays with NSX or BGP/EVPN. Diagram labels: DC POD 1 … DC POD N (Spine, Leaf, 10G), Super Spine, Edge Services POD (Border Leaf, WAN Edge, Internet, DC Interconnect).

Page 6: Learning from Massive Scale Deployments

Source: https://code.facebook.com/posts/360346274145943/introducing-data-center-fabric-the-next-generation-facebook-data-center-network/

Page 7: Datacenter POD

Traditional Clos Architecture. Diagram labels: Spine, Leaf, Border Leaf, IP Routing Core, Compute, Firewall (x2), LAG (x2).

Page 8: Datacenter Multi-fabric Physical Architecture (5-stage folded Clos)

Diagram labels: DC POD 1 … DC POD N (Spine, Leaf, 10G links; Compute and Infrastructure/Management Racks), Super Spine, Edge Services POD (Border Leaf, Edge Racks, WAN Edge, Internet, DC Interconnect). Legend: L2 Links, L3 Links.

Page 9: Choosing the Right Fabric

VCS fabric:
• Topology Agnostic
• Layer 2 Fabric, TRILL Transport
• Embedded Automation
• Scale to 48 Switches

IP fabric:
• Clos Topology
• Layer 3 Fabric, IP Transport
• Open Automation
• Scale to 100's of Switches

Same Hardware, Same Software

Page 10: Brocade Data Center Design Stack

Automation: Python, Ansible, Puppet, YANG model, REST, Netconf, OpenStack, VMware vRealize plugins, OpenFlow
Virtualization: Controller based (VMware NSX, VXLAN); Controller-less (BGP-EVPN, VXLAN)
Fabrics: VCS Fabric (Layer 2 Optimized Fabric); IP Fabric (Layer 3 Optimized Fabric)
Operating system: Brocade Network Operating System (NOS)
Platforms: Brocade VDX Ethernet Switches

Page 11: L3 Multi-Tenancy w/ VxLAN

• VxLAN Based L3 Multi-Tenancy
• VRF + L3 VNI
• Standards based Interop
• No MPLS complexity
• RT/RD Import Export Policies supported
• Scale 2000 Tenants/TOR

Diagram labels: spines S1, S2, S3, S4; per-tenant VRFs on the leaves, each mapped to an L3 VNI.

Page 12: Controller-less Overlay

Standards based BGP/EVPN control plane, VXLAN data plane.

Diagram labels: Core; Border Leaf (x2); Servers/Blades; eBGP Underlay, eBGP Overlay, iBGP Underlay; EVI; MAC/IP; BGP-EVPN.

Page 13: Controller-based Overlay

VMware Integration - NSX.

Diagram labels: Core; Border Leaf (x2); Servers/Blades; NSX; OVSDB.

Page 14: VMware Integration

Rack Level Integration and Fabric Level Integration; VCS and IP fabrics. Diagram labels: VTEP Gateway, vCenter, vRealize, LAG.

Page 15: Operational Workflow Categories

Operations & Management; Troubleshooting & Remediation; Data Collection; Infrastructure, Service Provisioning, Validation.

Page 17: Automation & Integration

Feedback from Data Center Resources; perform actions and changes to Data Center Resources.

Points of Integration / Value of Integration. Diagram labels: Network Infrastructure, Cloud Infrastructure, Operations Support Services; Data Center, Compute Infrastructure, Storage.

Page 18: Network Validation with InSpec
Bringing CI/CD practices to networking

• Configuration Automation is important…
• … Network Validation shows you didn't break something!
• Built on common CI/CD tool from Chef (InSpec)
‒ Based on rSpec testing framework
• Extend for network use cases

Workflow: Change Config, then Validate Change, then Proceed or Rollback?
Bring continuous integration and testing to network deployments.

Page 19: Data Center Network Visibility
Blind Spots Where More Visibility is Required

Security: Palo Alto, FireEye
Virtualization: VMware, Hyper-V, KVM
Overlays: VxLAN, NVGRE
Data Recording: NSA Massive Data Repository, Big Data Analytics

Page 20: Brocade Network Visibility Architecture

Data Center Network, via Network Taps / Span Ports, into the (Brocade) Packet Broker with Brocade Flow Optimizer (SDN), fanned out as Stream 1, Stream 2, … Stream n to Analytics Tools: SIEM, Forensics, IDS / IPS, NPM, IT Management, APM. Visibility Manager API Interface.

Page 21: Data Center Interconnect

Three Data Center Architecture. Diagram labels: Data Center 1 Networks, Data Center 2 Networks, Data Center 3 Networks, each with a pair of VDX 6740 DCI edge switches behind Existing Routers; WAN (MPLS/IP); DC Interconnect.

Underlay Control Plane
• Multi-hop eBGP between DCI Edges
• Private 4 byte ASN
• Each DCI Edge switch peers with all other DCI Edge switches

Page 22: Data Center Interconnect

Underlay / Overlay Networking. Diagram labels: Data Center 1 Networks (ASN 64101), Data Center 2 Networks (ASN 64201), Data Center 3 Networks (ASN 64301); VDX 6740 DCI edge pairs behind Existing Routers; WAN (MPLS/IP); Multi-hop eBGP Underlay; EVPN Overlay.

Underlay Control Plane
• Multi-hop eBGP between DCI Edges
• Private 4 byte ASN
• Each DCI Edge switch peers with all other DCI Edge switches

Controller-less Overlay
• BGP/EVPN
• Each DCI Edge pair configured as VTEP
• VXLAN tunnels between DCI Edges
• Layer 2 or Layer 3 extension services

Page 23: A Portfolio of Purpose-Built Fabrics

Campus Fabric, Storage Fabrics, Data Center Fabrics

Page 24: Network Virtualization Options

Virtual Fabrics: Controller-less native Ethernet Fabric multi-tenancy solution based on TRILL Fine Grained Labeling.
VMware NSX Integration: Controller-based solution from VMware that integrates with Brocade VCS to seamlessly extend VXLAN networks between virtual and non-virtualized assets (VTEP Gateway, NSX).
BGP/EVPN: Controller-less overlay tunnel solution using BGP/EVPN supporting multi-tenancy and VLAN extension (EVI, MAC/IP).

Diagram labels: VCS, IP.

Page 25: …And With More Experience Than Anyone Else
Think Big, Start Now.

Brocade is changing the networking landscape and shaking up the industry with our core beliefs – we will not compromise our vision and focus on the new IP and what it stands for… We're All In.

Open With a Purpose; Innovation-Centric, Software-Enabled; Ecosystem Driven; Your Own Pace, Your Own Way; The New Way of Doing Business.

Page 26: In Summary
Evolutionary Steps to Revolutionary Results

Move Faster and Be More Efficient Than Your Competitors
The Data Center is Everywhere, and Anywhere
The New IP as an Architecture Allows You To Do More with Security
We are so Confident in Our Solution You Can Remove Us Anytime You Want
Never Buy Another Network Again… Ever

Page 27: Thank you

Page 28: Huntsville Technology Day, May 10, 2016
Rick Simmons, Director, Federal Software Sales

© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION

Page 29: Brocade Software Networking Leadership

© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY

Why Brocade? Software Networking Leadership; Open Architecture; Enterprise, Cloud & NFV; #2 Datacenter Network Vendor Worldwide; Large Partners, Innovation Solutions.

Timeline, Nov 2012 to Nov 2015 (dates shown: Nov 2012, Jan 2013, Jan 2014, Jun 2014, Aug 2014, Dec 2014, Feb 2015, Mar 2015, July 2015, Nov 2015). Milestones shown: BRCD acquires Vyatta; launches vRouter; BRCD Platinum Membership; BRCD sets vRouter speed record; SDN & NFV in production; BRCD selected for Domain 2.0; VistaPointe Analytics; industry-leading vRouter benchmark; industry-first commercial release; BRCD acquisitions (Riverbed SteelApp, Connectem vEPC); BRCD virtualizes ADC services; BRCD opens Europe software R&D offices; BRCD wins 2014 NFV Innovator of the Year from Technology Marketing Corporation.

Page 30: The Brocade vADC Family
A Comprehensive Approach To Application Delivery

© 2015 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only

Virtual Traffic Manager
• Load Balancer / Traffic Manager / ADC
• Provides reliability, availability, offload, security, scripting, and more
• Traffic Script

Virtual Web Application Firewall
• Defends your web applications against Layer-7 attacks

Services Director
• Elastic and adaptive services director
• Automates licensing & metering of ADC services
• Disruptive licensing model

Page 31: How Brocade is Different
Born Virtual. Not all virtual products live up to their name.

Comparison: The Competition (Legacy Hardware ADC) vs. Brocade (Software ADC). Purpose Built for Software: Virtual and Cloud; Process Automation: Get Ready for the SDN World; Hyper-Scale and Performance on Demand; Powerful Programmability.

Page 32: Build the network you need

Reduce your networking expenses: distribute resources from a shared pool, allowing you to reduce your server footprint and ensure cost savings.
Guard against increased cyber security risks: apply customized rules to inspect and block attacks against your network.

Page 33: Brocade Application Delivery Controller (ADC) – A Layered Security Solution

Page 34: Current Approach

Page 35: Great Start to Securing Data

Public Key Infrastructure (PKI). Diagram labels: Customer / User; Resident Authority (RA); Certificate Authority (CA); Certificate Validation Authority (VA); Web Application; Fed Civilian PIVi Card; DoD CAC Card.

Page 36: Federal Memorandums and Directives

Page 37: Today's world... circle of trust

"Meet the Parents", Robert De Niro to Ben Stiller

Page 38: Application Micro-Segmentation: Securing the Enterprise

© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY

Page 39: What is Micro-Segmentation?

Page 40: Micro-Segmentation

“East-west (machine-to-machine) data movement is increasing in volume as workloads become movable and thus more demanding on their infrastructures. At the same time, perimeter-only, firewall-based security has proved weak in a world of advanced cyber-attacks. Evolving security models, such as software-defined and distributed firewalls, are beneficial, but they also create new management complexities. In these environments, IT teams are finding it difficult to deploy a tight approach to security. To improve security profiles, organizations are now turning to techniques such as micro-segmentation to amplify and distribute current defenses. Micro-segmentation divides a network into smaller zones and provides protection by making security adaptive and multilayered. It provisions services closer to the applications, between application tiers and even to the machines within tiers.”

Taken from “Micro-Segmentation: A Better Way to Defend the Data Center”; eWeek, Chris Preimesberger; posted July 28, 2015

Page 41: Benefits of Micro-Segmentation

• Zero Trust Security*
In the micro-segmentation model, there is no default trust for any entity—users, devices, applications and network—regardless of placement or location. The entire mechanism is based on denying all communication until explicitly allowed (via explicit policies) and permitting only what is necessary from trusted sources…

• Application-Aware Security*
Micro-segmentation policy groups are generally created based on application tiers, workload profiles, placement zones and other factors. They are not based on rigid IP addresses or subnets. Policies also are enforced right at the virtual machines or containers hosting the application tiers. Workloads and data access are secured at the source as an application-centric security model.

• DevOps Alignment*
Micro-segmentation allows application owners to be responsible for their own app's security while allowing them to see only what they are entitled to see. This allows operators to analyze and manage applications more effectively and efficiently, without being granted universal control. These specific security clearances can prevent insider attacks and interference by barring actors from moving beyond individual purview.

• High Agility and OPEX Efficiency*
Breaches in data centers can remain undetected for extended periods of time. Micro-segmentation enables the data center to be far more agile and quick to react with the ability to identify the breach almost immediately and to contain it within a narrow fault domain. At the same time, its multiple layers of security help to slow the attack's spread and enable operators to lock down the hacker and secure uncompromised data at a faster rate. It's a more agile, cost-effective approach to security.

* Information taken from “Micro-Segmentation: A Better Way to Defend the Data Center”; eWeek, Chris Preimesberger; posted July 28, 2015

Page 42: Application Micro-Segmentation w/ vADC

Page 43: “Duct taping an airbag on a 1965 Mustang to make it modern is almost impossible to work”

Tony Scott, Federal CIO, Brocade Federal Forum 2015

Page 44: Micro-Segmentation w/ vADC

Diagram: User Requests.

Page 45: Application Micro-Segmentation
Micro-Segmentation using vTM & Web App Firewall – Role Based Access

Diagram labels: users Darren, Larry, Carol; User Requests; Brocade vADC; PKI Validation Authority (Certificate Status Check); Identity/Attribute Management Server (Identity/Attribute Check); Web App Firewall (typical).

Page 46: Application Micro-Segmentation
Micro-Segmentation using vTM & Web App Firewall – Workload Access

Diagram labels: User Requests; Brocade vADC; PKI Validation Authority (Certificate Status Check); Identity/Attribute Management Server (Identity/Attribute Check); Web App Firewall (typical); Group 1, Group 2, Group 3 mapped to Group 1 Servers, Group 2 Servers, Group 3 Servers. Legend: Red User, Green User, Purple User.

Page 47: Application Micro-Segmentation

Public Key Infrastructure
• Meets Government standards / mandates
• Deployed throughout Federal Government
• Validates Digital Certificate using PKI
• Authenticates User(s)

Brocade Virtual Traffic Manager
• Utilizes multi-factor authentication, more than two factor if needed
• Enforces Fine Grain Access permissions
• Enforces Micro-Segmentation based on policy, i.e. Role or Workload Based
• Utilizes PKI Validation and ID/Attribute Management

Brocade Web App Firewall
• Locks down Web Application vulnerabilities
• Highly agile and flexible for rapid deployment
• Enforces Zero Trust model and Application-Aware Security

Page 48: Micro-Segmentation w/ vADC
Impacts of Micro-Segmentation: Achieves the defined Benefits of Micro-Segmentation

– Zero Trust Security Model
• No internal or external user request is trusted - every user request is validated, authenticated, and authorized using multi-factor authentication
• Utilizes explicit policy enforcement to validate and authenticate user access – every user credential/request is validated and authenticated using multi-factor authentication for fine grain access

– Application Aware Security
• Utilizes defined Policy Groups, i.e. Application Tiers, Workload Profiles, etc. to enforce authorization and access
• Security is enforced at the application/virtual machine level, i.e. web application firewall for each application or virtual machine

– DevOps Alignment
• Multi-factor authentication, fine grain access and web application firewalls allow application owners to control security at the application level
• Fine grain access limits user purview, restricting any movement beyond, preventing or limiting insider threats and attacks.

– High Agility and OpEx Efficiency
• Software based solution for both vTM and WAF provide a highly agile and flexible solution with the ability to deploy additional (or contract and re-deploy) the number of instances rapidly
• Multi-factor authentication, fine grain access, and web application firewall provide a cost effective layered security solution for immediate breach identification and containment


Page 50: Questions

Page 51: The Domain of CYBER & How to Respond to its Inherent Architectural Challenges

© 2014 VMware Inc. All rights reserved.

Scottie Ray, @[email protected], Systems Engineer, VMware Network & Security Team, Public Sector

Page 52: The Paradigm in the Domain of CYBER

CONFIDENTIAL

“In physical space, the reconnaissance is almost always easier than the operation…in the CYBER domain, the reconnaissance is usually a more difficult task than the follow on operation…it is tougher to penetrate a network and live on it undetected while extracting large volumes of data from it than it is to ‘digitally speaking’ kick in the front door and fry a circuit or two. ….An attack on a network to degrade it or destroy information on it is generally a lesser included case of the technology and operational art needed to spy on that same network.”

Page 53: Trading Off Context and Isolation

Diagram: Software Defined Data Center (SDDC): Any Application / SDDC Platform / Any x86, Any Storage, Any IP network (Data Center Virtualization). Traditional Approach: either High Context with Low Isolation, or High Isolation with Low Context; No Ubiquitous Enforcement.

Page 54: The M&M Approach to Security

“In today’s new threat landscape, this M&M and ‘trust but verify’ is no longer an effective way of enforcing security.”

Forrester Research, in response to NIST RF 130208119-3119-01I, “Developing a Framework to Improve Critical Infrastructure Cyber-Security”

Page 55: But Micro-Segmentation has NOT been Operationally Feasible

A typical data center has: “X” firewalls vs. “X” + 1000 workloads (behind the WAN).
Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient, and a physical firewall per workload is cost prohibitive.

Page 56: SDDC Virtualization Layer – Delivers Both Context and Isolation

Diagram: Software Defined Data Center (SDDC): Any Application / SDDC Platform / Any x86, Any Storage, Any IP network (Data Center Virtualization). SDDC Approach: High Context and High Isolation; Ubiquitous Enforcement; Secure Host Introspection.

Page 57: Taking a Step Towards “Zero-Trust”

Traditional Data Center: Perimeter firewall and Inside firewall in front of shared VLANs (DMZ/Web VLAN, App VLAN, DB VLAN, Services/Management VLAN), each VLAN shared by Mission-A and Mission-B workloads plus Services Mgmt.
NSX Data Center: Perimeter firewall, then per-mission groups (Mission-A: DMZ/Web, App, DB; Mission-B: DMZ/Web, App, DB) and a Services/Management Group.

Page 58: FY16 House NDAA Report

Cyber Defense Network Segmentation

The committee is aware that the Department of Defense is looking at modifying the way it builds, maintains, and upgrades data center, including increased use of commercial cloud capabilities and public-private partnerships. The committee is aware that as the Department increasingly looks at software-defined networking, it could potentially reduce the mobility of cyber threats across data center and other networks by increasing the compartmentalization and segmentation between systems, and providing a mix of security techniques to enable access to those compartments. Such actions have the potential to lessen the chance of a widespread or catastrophic breach, including breaches caused by insider threats. The committee encourages the Department to explore ways to use compartmentalization or segmentation as part of a software-defined networking approach in order to increase the security of its networks.

The Beginning of Policy Shifts….again

Page 59: Security Groups & Security Policies

Designated Consumers & Cloud Admins are able to select pre-defined security policies already approved by the Security Admin in NSX. Security policies are applied to one or more security groups where workloads are members. These security groups are created on-demand by vRA at deployment time.

SECURITY GROUP (WHAT you want to protect): Members (VM, vNIC) and Context (user identity, security posture).
SECURITY POLICY (HOW you want to protect it): Services (Firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies). Example “Standard Web”: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use.

Page 60: Programmatic Approach to Security: An Example

NSX Security Tags can be used to define IF/THEN workflows for security services, e.g. IF user selects a “Mission A” application, THEN place the VM in the “Mission A” security group.

Step 1 (Infrastructure, Security Admin): Security Admin pre-defines a Security Group and a Security Policy with dynamic membership based on a Security Tag. “Mission A Policy”: IF Tag = “Mission A” THEN add VM to Security Group “Mission A” with Security Policy “Mission A”.

Step 2 (Apps, Cloud Admin): Cloud Admin creates a Multi-Machine Blueprint which sets a Security Tag (“Mission A App” sets Tag “Mission A”). Cloud Admin needs no knowledge of Security Groups or Security Policies.

Page 61

Programmatic Approach to Security: An Example (cont.)

NSX Security Tags can be used to define IF/THEN workflows for security services, e.g. IF user selects a “Mission A” application, THEN place the VM in the “Mission A” security group.

APPS (Cloud Consumer) – Requests “Mission A App” from the Service Catalog.
Step 3: End-User requests Application via the Service Catalog.
Step 4: VM is automatically deployed with its Security Tag.

INFRASTRUCTURE – WHAT you want to protect: SG=Mission A.
Step 5: VM is dynamically assigned to the relevant pre-defined Security Group.

Page 62

Security Groups & Tags assigned to a VM - Workload-Centric View

[Screenshot: Virtual Machine view showing the Assigned Security TAG and the Security Group the VM belongs to]

Page 63

Combining Organic Capabilities with Best of Breed

NSX Network Virtualization Platform – Deploy, Apply, Automate:
• Apply and visualize security policies for workloads, in one place.
• Automate workflows across best-of-breed services, without custom integration.
• Provision and monitor uptime of different services, using one method.

Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, …and more in progress
Security Policy Management: Service Insertion, Security Policies, Security Groups, Security Tags

Page 64

Network Security Services – Service Chaining

[Diagram: External Network, VDS and Guest VM; the DFW Filtering Module at Slot 2, the Traffic Redirection Module at Slot 4 and a Filtering Module at Slot 5 steer traffic to the Partner Service 1 VM and Partner Service 2 VM]

• DVSFilter contains 16 slots. Slots 0-3 and 13-16 are reserved for VMware use.
• Services are assigned the remaining slots in their registration order.
• Traffic comes out of the first service and is then sent to the next service in the order.
• Services are managed via a Guest or Network Introspection Policy creation.

Page 65

Workload-Centric View: All Security Policies Applied to a VM

Page 66

Automated Security in a Software Defined Data Center: Quarantine Vulnerable Systems until Remediated

Security Group = Quarantine Zone; Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
Security Group = Web Tier

Policy Definition
Standard Desktop VM Policy: Anti-Virus – Scan
Quarantined VM Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
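The tag-driven workflow of Steps 1 to 5 above and this quarantine slide both rest on the same mechanism, so here is one added Python sketch (not NSX or vRA code) of it: groups have dynamic membership on a tag, policies hang off groups, and an anti-virus verdict moves a VM into the quarantine policy without anyone editing per-VM rules. The weight field and the merge order in effective_rules are my assumptions about how a VM in several groups resolves overlapping services; the group and rule strings are constructed from the slides.

```python
from dataclasses import dataclass, field

@dataclass
class SecurityPolicy:            # HOW you want to protect it
    name: str
    services: dict               # service name -> rule/profile label

@dataclass
class SecurityGroup:             # WHAT you want to protect
    name: str
    match_tag: str               # dynamic membership criterion (Step 1)
    policy: SecurityPolicy
    weight: int = 0              # assumption: higher weight wins on overlap

@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)

# Security Admin pre-defines groups and policies (constructed sample values)
MISSION_A = SecurityGroup("Mission A", "Mission A", SecurityPolicy("Mission A", {
    "Firewall": "allow inbound HTTP/S, allow outbound ANY",
    "IPS": "prevent DoS attacks, enforce acceptable use"}))
QUARANTINE = SecurityGroup("Quarantine Zone", "ANTI_VIRUS.VirusFound",
                           SecurityPolicy("Quarantined VM", {
                               "Firewall": "block all except security tools",
                               "Anti-Virus": "scan and remediate"}), weight=100)
GROUPS = [MISSION_A, QUARANTINE]

def deploy(blueprint_tag, name):
    """Steps 2-4: the blueprint sets the tag; no group knowledge is needed."""
    return VM(name, {blueprint_tag})

def groups_for(vm):
    """Step 5: dynamic membership, every group whose tag the VM carries."""
    return [g for g in GROUPS if g.match_tag in vm.tags]

def effective_rules(vm):
    """Workload-centric view: merge all groups' services, quarantine wins."""
    rules = {}
    for g in sorted(groups_for(vm), key=lambda g: g.weight):
        rules.update(g.policy.services)     # higher weight overrides
    return rules

def antivirus_event(vm, virus_found):
    """The AV verdict tags or untags the VM; its group and rules follow."""
    op = vm.tags.add if virus_found else vm.tags.discard
    op("ANTI_VIRUS.VirusFound")
    return effective_rules(vm)
```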

Page 67

Understanding SDDC Network Virtualization


Page 68

The Operational Model of a VM for the Networking

[Diagram; only the label “Internet” survives]

Page 69

Native Isolation

[Diagram: the addresses 192.168.2.10 and 192.168.2.11 each appear twice, in separately isolated networks]

Page 70

Support for Physical Workloads and VLANs

Page 71

NSX with a Cloud Management Platform: Dynamic Configuration and Deployment of Logical Network & Security Services

[Diagram: Cloud Management Platform (vRealize Automation, On Demand Application Delivery) with Resource Reservation, Multi-Machine Blueprint, Service Catalog, Network Profiles, Security Policies and Security Groups; NSX providing Logical Switch, Logical Router, Logical Firewall and Logical Load Balancer; Web, App and Database tiers of VMs]

Page 72

Thank you
