NCP-MCI-6.5 Configure Cluster Networking and Network Security

Configure Cluster Networking and Network Security Detailed Explanation

Networking is a foundational component of a Nutanix cluster. Understanding how virtual networking works, how to configure VLANs, isolate traffic, and implement advanced features like NIC Teaming, Microsegmentation, and VPC will allow you to effectively manage and secure network traffic.

3.1 Nutanix Cluster Networking Overview

Nutanix leverages hypervisor-based networking to handle the flow of traffic within and between Virtual Machines (VMs) as well as management and storage communication.

Virtual Networking

Virtual networking in Nutanix is based on virtual switches that allow VMs to communicate with each other and external systems. These switches are created and managed by the hypervisor running on each node.

How It Works

• Virtual Switch (vSwitch):
  • Think of a vSwitch as a virtual version of a physical network switch. It connects VMs to each other and to external networks.
  • Each VM has one or more virtual network interfaces (vNICs) that connect to the vSwitch.
  • The vSwitch manages traffic within the cluster and forwards traffic outside the cluster when needed.

vSwitch (Virtual Switch)

The vSwitch operates at Layer 2 of the OSI model (Data Link Layer), allowing VMs in the same VLAN to communicate with each other.

Key Features of vSwitch:

1. Layer 2 Networking:

   • Provides basic switching functionality. VMs on the same subnet can communicate directly.

2. VLAN Configuration:

   • VLANs (Virtual LANs) isolate network traffic by logically segmenting VMs into different groups.

3. NIC Teaming:

   • Aggregates multiple physical NICs to provide:
     • Redundancy: If one NIC fails, traffic continues on the other NICs.
     • Performance: Load-balancing distributes traffic across all active NICs.

Nutanix AHV Networking

Nutanix AHV uses Open vSwitch (OVS) as its default virtual switch. OVS is an open-source virtual switch that is highly flexible and powerful.

Key Characteristics of OVS:

• VLAN Tagging:

  • OVS supports VLAN tags to separate traffic logically. For example:
    • VLAN 10: Management Traffic
    • VLAN 20: Storage Traffic
    • VLAN 30: VM Traffic

• Quality of Service (QoS):

  • Allows administrators to prioritize critical workloads by limiting or guaranteeing bandwidth for specific VMs.

• Integration:

  • OVS integrates seamlessly with Nutanix Prism to simplify configuration and monitoring.

Summary of 3.1 Nutanix Cluster Networking Overview

• Nutanix uses virtual switches (vSwitches) to manage VM networking.
• VLANs segment traffic to isolate workloads logically.
• NIC Teaming improves redundancy and performance.
• AHV uses Open vSwitch (OVS) as its default networking component, which supports VLAN tagging and QoS.

3.2 Configuring Cluster Network Components

3.2.1 VLAN Configuration

What is a VLAN?

A VLAN (Virtual LAN) is used to segment network traffic logically without requiring separate physical switches or cables. VLANs improve security, performance, and traffic isolation.

Steps to Configure VLANs in Nutanix

1. Access Prism Element:

   • Log into Prism Element.

2. Create VLAN IDs:

   • Go to Network Configuration.
   • Add VLAN IDs based on your network design. For example:
     • VLAN 10: Management Traffic
     • VLAN 20: Storage Traffic
     • VLAN 30: VM Traffic

3. Assign VLAN Tags to vNICs:

   • While creating or editing a VM:
     • Navigate to VM → Network Settings.
     • Assign the VLAN ID to the VM’s virtual NIC (vNIC).

4. Verify VLAN Configuration:

   • Use the Prism Dashboard to ensure the traffic flows correctly through the assigned VLANs.

Benefits of VLANs:

• Traffic Isolation: Separates workloads for better security (e.g., isolating storage traffic from VM traffic).
• Performance Improvement: Reduces unnecessary broadcast traffic.
• Simplified Management: Allows logical segmentation without changing physical infrastructure.

3.2.2 Network Segmentation

Network segmentation further improves security and traffic management by isolating different types of traffic into separate VLANs.

Why is Network Segmentation Important?

• Prevents unauthorized access to critical workloads.
• Reduces the attack surface for malicious actors.
• Ensures optimal traffic performance by separating workloads.

Techniques for Network Segmentation

1. Separate Management, Storage, and VM Traffic:

   • Use separate VLANs for each type of traffic:
     • VLAN 10: Management traffic (e.g., cluster management and API communication).
     • VLAN 20: Storage traffic (used by CVMs and nodes for data replication).
     • VLAN 30: Virtual machine (VM) traffic.

2. Microsegmentation (Nutanix Flow):

   • Provides granular traffic control between VMs by creating firewall rules.
   • Microsegmentation allows you to:
     • Block unnecessary communication between VMs.
     • Allow only approved traffic based on rules (e.g., by category, IP, or VM name).

Best Practices for Network Segmentation:

• Use VLANs to separate traffic types (management, storage, VM).
• Enable microsegmentation for workloads requiring strict security policies.
• Avoid mixing critical and non-critical traffic on the same VLAN.

3.2.3 NIC Teaming and Bonding

NIC Teaming aggregates multiple physical NICs (Network Interface Cards) to improve redundancy and performance.

Types of NIC Teaming

1. Active-Active:

   • All NICs are active and share network traffic.
   • Use Case: Maximizes performance while providing redundancy.

2. Active-Backup:

   • One NIC is active, while the others remain on standby.
   • If the active NIC fails, traffic switches to a backup NIC.
   • Use Case: Simple redundancy for critical workloads.

Configuring NIC Teaming in AHV

1. Access Prism:

   • Navigate to Network Configuration → NIC Teaming.

2. Create a Bond:

   • Select the physical NICs to include in the bond.
   • Choose the bonding mode:
     • Active-Active: Balanced performance and redundancy.
     • Active-Backup: High availability with simple failover.

3. Verify Configuration:

   • Ensure that the network bond appears healthy in the Prism Dashboard.

Benefits of NIC Teaming:

• High Availability: Prevents downtime due to NIC failures.
• Improved Performance: Distributes traffic across multiple NICs.
• Simplified Management: Reduces the complexity of managing multiple NICs.

Summary of Configuring Cluster Network Components

• VLANs segment traffic logically for better isolation and performance.
• Network Segmentation separates traffic types (e.g., management, storage, and VMs) for security.
• NIC Teaming provides redundancy and performance by aggregating physical NICs.

3.3 Advanced Networking Features

Advanced networking features in Nutanix provide greater control, security, and flexibility in managing network traffic. These features include Network I/O Control, Microsegmentation with Nutanix Flow, and Virtual Private Cloud (VPC). Let’s break them down step by step with detailed explanations, examples, and use cases.

3.3.1 Network I/O Control

What is Network I/O Control?

Network I/O Control allows administrators to prioritize network traffic by defining Quality of Service (QoS) policies. This ensures that critical workloads get the bandwidth they need, while non-critical traffic can be limited to avoid contention.

Why is Network I/O Control Important?

• Prevents a single VM or application from consuming too much bandwidth.
• Ensures critical VMs (like databases or business-critical apps) get priority access to the network.
• Improves overall network performance and stability.

How to Configure Network I/O Control

1. Access Prism Element:

   • Go to Prism → Network Configuration.

2. Set QoS Policies for vNICs:

   • Navigate to the VM configuration page.
   • Select the vNIC (virtual NIC) for the VM.
   • Define bandwidth limits (minimum and maximum values) for the vNIC.
     • Example:
       • Critical VM: Minimum 500 Mbps, Maximum 1 Gbps.
       • Non-Critical VM: Maximum 100 Mbps.

3. Apply and Monitor:

   • Save the settings.
   • Monitor the effect of QoS policies using Prism Dashboards to ensure they are applied correctly.

Use Case Example

Imagine you have two VMs:

• VM1: A database server running critical transactions.
• VM2: A file-sharing server with less critical traffic.

Using Network I/O Control:

• Set a minimum bandwidth of 500 Mbps for VM1 to ensure its transactions are never delayed.
• Limit VM2 to a maximum of 100 Mbps to avoid it consuming excessive bandwidth.

Benefits of Network I/O Control

• Prioritization: Guarantees bandwidth for high-priority workloads.
• Prevents Contention: Limits resource-hogging VMs.
• Improved Performance: Optimizes overall network usage.

3.3.2 Microsegmentation with Nutanix Flow

What is Microsegmentation?

Microsegmentation is a zero-trust networking model that provides granular control over traffic between VMs. Instead of relying only on external firewalls, microsegmentation enforces security rules inside the cluster to protect East-West traffic (traffic between VMs).

How Nutanix Flow Works

Nutanix Flow uses distributed firewalls to enforce network security rules. These firewalls are:

• Stateful: Keep track of active connections and only allow legitimate traffic.
• Distributed: Rules are applied at the VM level, rather than a centralized location.

Steps to Configure Microsegmentation in Nutanix Flow

1. Access Nutanix Flow:

   • Log into Prism Central → Navigate to Security → Flow.

2. Define Categories for VMs:

   • Group VMs based on attributes like:
     • Application Type (e.g., Web Server, Database Server).
     • Environment (e.g., Development, Production).
     • Tags or IP Addresses.

3. Create Security Policies:

   • Define firewall rules to allow or block specific traffic between categories.
   • Example Rules:
     • Allow: Web Servers → Database Servers (TCP Port 3306).
     • Deny: Development → Production Environment.

4. Apply Policies to VMs:

   • Attach the security policies to relevant VMs or categories.

5. Monitor Traffic:

   • Use Prism Central → Flow to view real-time traffic flows and validate security rules.

Example Scenario

• Web Server VMs: Must communicate with Database VMs.
• Development VMs: Should not communicate with Production VMs.

Using Nutanix Flow:

• Allow Web → Database communication on Port 3306.
• Block any Development → Production traffic.

Benefits of Microsegmentation

1. Improved Security:

   • Limits East-West traffic, reducing the attack surface for malware and lateral movement.

2. Granular Control:

   • Enforces security rules at the VM level with fine-grained policies.

3. Simplified Management:

   • Policies are applied based on categories or attributes, making management easy.

3.3.3 Virtual Private Cloud (VPC)

What is a Virtual Private Cloud (VPC)?

A VPC allows you to create isolated private networks within a Nutanix cluster. VPCs logically segment workloads to provide better security and network control.

Key Features of VPC

• Logical Isolation: Workloads in different VPCs cannot directly communicate with each other.
• IP Address Management: Assign IP ranges for VMs within the VPC.
• Routing: Control traffic flow between subnets and VPCs.

Steps to Configure VPC in Nutanix

1. Access Prism Central:

   • Go to Prism Central → Network Configuration → VPCs.

2. Create a New VPC:

   • Provide a name for the VPC.
   • Define the IP address range (CIDR block) for the VPC.
     • Example: 10.10.0.0/24 for a subnet with 256 IPs.

3. Create Subnets:

   • Divide the VPC into smaller subnets. For example:
     • Subnet 1: 10.10.1.0/24 for Web Servers.
     • Subnet 2: 10.10.2.0/24 for Database Servers.

4. Assign VMs to the VPC:

   • While creating or editing VMs, attach their vNICs to the desired VPC and subnet.

5. Verify Connectivity:

   • Test the communication between VMs within the VPC and verify isolation from other networks.

Benefits of VPC

• Isolation: Ensures workloads in one VPC are isolated from others.
• Security: Provides logical segmentation for sensitive applications.
• Network Control: Simplifies IP management and routing within private networks.

Summary of Advanced Networking Features

1. Network I/O Control: Prioritize and limit bandwidth for critical workloads.
2. Microsegmentation with Nutanix Flow:
   • Implements zero-trust security with granular firewall rules for East-West traffic.
3. Virtual Private Cloud (VPC):
   • Provides logical network isolation for workloads.

3.4 Network Security Best Practices

Network security is essential in any IT environment, and Nutanix provides tools and best practices to ensure that your cluster and workloads are protected.

3.4.1 Security Policies

What are Security Policies?

Security policies are sets of rules that determine what traffic is allowed or denied between VMs, subnets, or categories in your Nutanix cluster. These policies are enforced using tools like Nutanix Flow and VLAN segmentation.

How to Define Security Policies in Nutanix Flow

1. Access Prism Central:

   • Log into Prism Central → Security → Flow.

2. Define Categories:

   • Group VMs based on their function or attributes. Common categories include:
     • Web Servers
     • Database Servers
     • Application Servers
     • Production or Development environments

3. Create Security Policies:

   • Define rules to allow or deny traffic between VM categories.
   • Example Rules:
     • Allow: Web Servers → Database Servers (TCP Port 3306).
     • Deny: Development → Production traffic.
     • Allow: Management traffic to Nutanix CVMs and cluster nodes.

4. Attach Policies to Categories:

   • Apply the security policies to the relevant VM categories.

5. Test the Rules:

   • Validate that traffic flows according to your rules. Use Prism Central to monitor and adjust policies as needed.

Example Scenario

Let’s say you have the following workloads:

• Web Servers: Running on VLAN 30.
• Database Servers: Running on VLAN 40.
• Management Traffic: Running on VLAN 10.

Security Policies:

1. Allow traffic from Web Servers (VLAN 30) to Database Servers (VLAN 40) on TCP Port 3306.
2. Deny any traffic from Web Servers to the Management VLAN (VLAN 10).
3. Allow external access only to Web Servers on HTTP (Port 80) and HTTPS (Port 443).

This segmentation ensures:

• Web servers can access databases securely.
• Management traffic is isolated from workload traffic.
• External traffic is limited to specific ports, reducing the attack surface.

3.4.2 Monitoring Network Traffic

Monitoring network traffic helps you identify abnormal behavior, optimize performance, and ensure that your security policies are working effectively.

Using Prism for Network Monitoring

1. Access Network Traffic Analytics:

   • Go to Prism Central → Flow → Monitor.
   • View real-time traffic flows between VMs, categories, or VLANs.

2. Identify Abnormal Traffic:

   • Look for unusual traffic patterns, such as:
     • Excessive communication between unrelated VMs.
     • Traffic spikes on non-standard ports.
     • Unexpected external connections.

3. Analyze Bandwidth Usage:

   • Check which VMs or applications are consuming the most bandwidth.

4. Review Firewall Logs:

   • Use Nutanix Flow to see which security policies are being triggered (allowed or denied).

Integrating with External Monitoring Tools

Nutanix can integrate with third-party tools like Splunk, ELK (Elasticsearch, Logstash, Kibana), or Syslog servers for advanced traffic analysis.

• Steps to Integrate:
  1. Go to Prism Central → Settings → Syslog.
  2. Add the IP address and port of your Syslog server.
  3. Review network logs in the external tool for advanced analytics.

3.4.3 Network Isolation

Network isolation ensures that sensitive workloads, management traffic, and storage communication are protected from unauthorized access. Isolation can be achieved using VLANs, microsegmentation, and Virtual Private Clouds (VPCs).

1. Enforce Strict VLAN Segmentation

• Use separate VLANs for different types of traffic:

  • Management Traffic: VLAN 10
  • Storage Traffic: VLAN 20
  • VM Workload Traffic: VLAN 30
  • External Network: VLAN 40

• Benefits:

  • Prevents non-authorized VMs or users from accessing critical infrastructure.
  • Reduces broadcast traffic and improves performance.

2. Use Microsegmentation for Granular Isolation

• Nutanix Flow allows you to isolate traffic between VMs at a granular level.
• Examples:
  • Prevent communication between unrelated VMs, even if they are on the same VLAN.
  • Enforce strict firewall rules to allow only necessary traffic.

3. Leverage Virtual Private Clouds (VPCs)

• Use VPCs to create isolated private networks within your Nutanix cluster.
• Assign IP address ranges and control routing to ensure workloads are isolated.
• Example: A multi-tenant environment where:
  • Tenant 1 uses VPC-1 with IP range 10.1.0.0/24.
  • Tenant 2 uses VPC-2 with IP range 10.2.0.0/24.
  • Both tenants cannot communicate unless explicitly allowed.

3.4.4 Summary of Best Practices

1. Define Security Policies:

   • Use Nutanix Flow to enforce granular firewall rules.
   • Allow only the necessary traffic between workloads.

2. Monitor Traffic:

   • Use Prism to monitor real-time traffic flows.
   • Integrate with external tools like Splunk for advanced analysis.

3. Enforce Network Isolation:

   • Use VLANs to separate management, storage, and workload traffic.
   • Enable microsegmentation for granular control.
   • Implement VPCs for isolated private networks.

4. Review Logs Regularly:

   • Check firewall logs and network analytics to ensure policies are working effectively.

3.5 Troubleshooting Network Issues

3.5.1 Common Networking Issues

Networking problems in a Nutanix cluster can arise from misconfigurations, hardware failures, or software issues. Here are the most common issues:

1. Misconfigured VLANs

   • Symptoms:
     • VMs cannot communicate with each other.
     • Network traffic is not reaching its destination.
   • Root Cause:
     • Incorrect VLAN tagging on vNICs or switches.

2. Network Interface (NIC) Failures

   • Symptoms:
     • Loss of connectivity for VMs or cluster services.
     • High packet loss or latency.
   • Root Cause:
     • Physical NIC failure or issues with NIC bonding configuration.

3. Incorrect Firewall Rules

   • Symptoms:
     • Traffic between VMs is blocked unexpectedly.
     • Applications fail to communicate across subnets.
   • Root Cause:
     • Firewall rules (e.g., Nutanix Flow) are blocking legitimate traffic.

4. IP Address Conflicts

   • Symptoms:
     • Network connectivity issues for specific VMs or services.
     • Duplicate IP warnings in Prism or external monitoring tools.
   • Root Cause:
     • Two devices are configured with the same IP address.

5. Routing and Connectivity Issues

   • Symptoms:
     • VMs cannot reach external networks or internet services.
     • Management services are unreachable.
   • Root Cause:
     • Misconfigured routes, default gateways, or DNS settings.

3.5.2 Tools for Network Troubleshooting

Nutanix provides built-in tools, and you can use common network troubleshooting commands to identify and resolve issues.

1. Prism Dashboard

The Prism Dashboard provides a real-time overview of network health and traffic.

Steps to Check Network Status in Prism:

1. Log into Prism Element or Prism Central.
2. Navigate to Network → Dashboard.
3. Check the following:
   • Network traffic statistics (e.g., bandwidth usage).
   • Alerts related to network errors or performance issues.
   • NIC and VLAN status.

2. Nutanix Cluster Check (NCC)

The Nutanix Cluster Check (NCC) tool performs automated health checks and identifies misconfigurations or errors.

Running NCC for Network Diagnostics

1. Access the CVM (Controller Virtual Machine) via SSH.

2. Run the following command:

   ncc health_checks network_checks
   

3. Review Results:

   • NCC will display warnings or errors related to VLANs, NICs, or connectivity.
   • Address any issues reported in the output.

3. Common Network Commands

Here are useful Linux commands for troubleshooting network issues:

Command	Description	Example
ping	Tests connectivity to a specific IP.	ping 8.8.8.8
traceroute	Shows the path packets take to reach a host.	traceroute google.com
ifconfig	Displays NIC configurations and statuses.	ifconfig
ovs-vsctl	Manages Open vSwitch settings.	ovs-vsctl show
netstat	Displays network statistics.	netstat -an

4. Open vSwitch (OVS) Commands

Since Nutanix AHV uses Open vSwitch (OVS), OVS-specific commands are important for identifying issues.

Examples of OVS Commands:

1. View OVS Configuration:

   • Check the virtual switch configuration and ports:

     ovs-vsctl show
     

2. Check Port Status:

   • Verify if the VM's vNIC is connected to the vSwitch:

     ovs-ofctl show br0
     

   • Replace br0 with the appropriate OVS bridge name.

3. Monitor Traffic:

   • View real-time traffic statistics on a virtual switch:

     ovs-appctl fdb/show br0
     

3.5.3 Troubleshooting Steps for Common Issues

Issue 1: Misconfigured VLANs

Symptoms:

• VMs cannot communicate with each other.

Steps to Troubleshoot:

1. Verify VLAN configuration on the VM’s virtual NIC:

   • In Prism Element, go to VM → Network and check the assigned VLAN ID.

2. Verify VLAN configuration on the switch:

   • Ensure the physical switch ports connected to the Nutanix nodes are correctly tagged for the VLAN.

3. Use ovs-vsctl to check VLANs on Open vSwitch:

   ovs-vsctl show
   

4. Ping between VMs on the same VLAN to test connectivity:

   ping <destination VM IP>
   

Issue 2: Network Interface (NIC) Failures

Symptoms:

• Loss of connectivity for VMs or cluster services.

Steps to Troubleshoot:

1. Check NIC status in Prism:

   • Go to Hardware → NICs and look for errors or failures.

2. Verify NIC status using ifconfig:

   ifconfig eth0
   

3. If using NIC Teaming:

   • Confirm bonding mode (Active-Active or Active-Backup) is working.

4. Replace the failed NIC or move workloads to a different node.

Issue 3: Incorrect Firewall Rules

Symptoms:

• Traffic is unexpectedly blocked between VMs.

Steps to Troubleshoot:

1. Review firewall rules in Nutanix Flow:

   • Go to Prism Central → Security → Flow.
   • Verify if a Deny Rule is blocking traffic.

2. Test traffic flow using ping or telnet to check if specific ports are open:

   telnet <destination IP> <port>
   

3. Adjust the firewall rules in Flow to allow required communication.

Issue 4: Routing and Connectivity Issues

Symptoms:

• VMs cannot reach external networks.

Steps to Troubleshoot:

1. Verify default gateway settings for VMs:

   • Check VM configuration for correct gateway.

2. Use traceroute to identify where the packet drops:

   traceroute <destination IP>
   

3. Check DNS settings:

   • Verify that the DNS server IP is configured correctly in VM settings.

3.5.4 Summary of Troubleshooting Network Issues

1. Tools: Use Prism Dashboard, NCC, and OVS commands to identify and resolve issues.
2. Common Issues: Focus on VLAN misconfigurations, NIC failures, and firewall rule errors.
3. Steps: Verify configurations, test connectivity using basic commands, and adjust network policies as needed.

Configure Cluster Networking and Network Security (Additional Content)

This section expands on Nutanix cluster networking by addressing VLAN trunking, LACP, MTU tuning, Nutanix Flow vs. traditional firewalls, IPFIX monitoring, Zero Trust Networking, and advanced troubleshooting techniques.

1. Nutanix Cluster Networking Overview

1.1 VLAN Trunking vs. VLAN Access Ports

Nutanix Open vSwitch (OVS) supports both VLAN trunking and VLAN access ports, allowing administrators to design flexible network architectures.

VLAN Trunking

• Allows multiple VLANs to share a single physical network interface.
• Traffic is tagged with VLAN IDs.
• Example Use Case: Connecting Nutanix hosts to a switch carrying multiple VLANs.

VLAN Access Port

• Assigns a single VLAN to a specific port.
• Any traffic received is untagged before being processed.
• Example Use Case: Assigning a specific VLAN to a management interface.

Configuring VLAN Trunking on OVS

To allow multiple VLANs through a single network port:

ovs-vsctl set port eth1 trunks=10,20,30

To configure a VLAN access port for a specific interface:

ovs-vsctl set port eth0 tag=10

1.2 Native VLAN (Default VLAN)

• When untagged traffic is received on a VLAN trunk port, it is assigned the native VLAN.
• Default Nutanix OVS configuration sets VLAN 1 as the native VLAN.

Configuring a Native VLAN in Nutanix OVS

ovs-vsctl set port br0 tag=1

Use Case

• Ideal for management traffic such as Nutanix CVM communication.
• Ensures non-tagged traffic is properly handled within the cluster.

2. Configuring Cluster Network Components

2.1 LACP (Link Aggregation Control Protocol)

LACP dynamically manages NIC bonding, improving redundancy and load balancing.

LACP Modes

Mode	Description	Use Case
Active	Actively negotiates link aggregation with the switch.	Recommended for Nutanix hosts.
Passive	Waits for the switch to initiate link aggregation.	Use when the switch requires LACP initiation.

Configuring LACP on Nutanix AHV

Enable LACP Active Mode and configure load balancing:

ovs-vsctl set port bond0 lacp=active
ovs-vsctl set port bond0 bond_mode=balance-slb

2.2 MTU (Maximum Transmission Unit) Tuning

MTU tuning improves network performance by reducing packet fragmentation.

Recommended MTU Settings

Network Type	Recommended MTU
Management Traffic	1500 (default)
Storage Traffic (iSCSI, RDMA, NFS)	9000 (Jumbo Frames)

Configuring MTU on Nutanix OVS

ovs-vsctl set interface eth0 mtu_request=9000

Considerations

• All switches in the network must support Jumbo Frames.
• If MTU settings are inconsistent, packet drops may occur.

3. Advanced Networking Features

3.1 Nutanix Flow vs. Traditional Firewalls

Feature	Nutanix Flow (Microsegmentation)	Traditional Firewalls
Traffic Control	East-West (VM-to-VM)	North-South (External-to-Internal)
Deployment	Software-defined, no external hardware required	Requires physical or virtual appliances
Granularity	Per-VM firewall rules	Subnet-based filtering
Security Model	Zero Trust Networking (default deny)	Perimeter Security

Example Use Case

• Prevent unauthorized VM communication:

  Allow: Web-Servers → Database-Servers (TCP 3306)
  Deny: All → Database-Servers (Default Deny)
  

3.2 IPFIX (Network Flow Monitoring)

IPFIX is a network flow monitoring tool integrated into Nutanix Flow. It enables administrators to track VM communication patterns and detect anomalies.

Enabling IPFIX in Nutanix Flow

ncli flow enable-ipfix

Use Cases

• Monitoring East-West traffic between VMs.
• Integrating Nutanix Flow logs with SIEM tools (Splunk, ELK).
• Detecting security threats (unusual port scans, unauthorized access).

4. Network Security Best Practices

4.1 Nutanix Security Central

Security Central provides real-time security insights into Nutanix environments.

Key Features

• CVM Security Compliance: Detects vulnerabilities in Nutanix components.
• Network Security Monitoring: Ensures Nutanix Flow rules are properly enforced.

Accessing Nutanix Security Central

1. Go to Prism Central.
2. Navigate to Security Central.
3. Review alerts and compliance reports.

4.2 Zero Trust Networking

Zero Trust Networking (ZTN) enforces strict access controls, ensuring only authorized traffic is allowed.

Core Principles

Principle	Description
Default Deny	Block all traffic unless explicitly allowed.
Least Privilege Access	Limit access to the minimum required level.
Multi-Factor Authentication (MFA)	Secure critical management interfaces.

Example Zero Trust Rules

• Allow Web Servers to Access Databases:

  Allow: Web-Servers → Database-Servers (TCP 3306)
  

• Deny Development-to-Production Access:

  Deny: Dev-VLAN → Prod-VLAN
  

5. Troubleshooting Network Issues

5.1 Nutanix Health Monitoring (NCC Network Checks)

To perform a full network health check:

ncc health_checks network_checks

What It Detects

• Incorrect VLAN configurations.
• NIC failures.
• High network latency or packet loss.

5.2 Troubleshooting LACP Issues

To check LACP status:

ovs-appctl bond/show bond0

Common Issues and Solutions

Issue	Possible Cause	Solution
LACP not negotiating	Switch-side LACP not enabled	Ensure LACP is active on the switch
LACP Disabled in OVS	Incorrect bond settings	Run ovs-vsctl set port bond0 lacp=active

5.3 Connectivity Testing

Testing VLAN Connectivity

ping -I eth0 <destination IP>

Testing VLAN Routing

traceroute <destination IP>

Final Summary

Topic	Enhancements
Cluster Networking	Added VLAN Trunking, Native VLAN, LACP, MTU tuning.
Advanced Features	Expanded Nutanix Flow vs. Firewalls, IPFIX monitoring.
Security Best Practices	Added Security Central, Zero Trust Networking.
Troubleshooting	Improved NCC checks, LACP troubleshooting, ping/traceroute tests.