At times I have trouble focusing on writing articles for some of the presentations I am exposed to at Tech Field Day. Because of that, I really wanted to try something different. This article is more of my free-formed thoughts about NSX and why I’m excited to deploy it at my current $job. From the time I heard that the NSX team was going to be presenting at TFD15 for 4 hours, I knew that I would be writing this article because. Unfortunately it took me far too long to gather up this half formed thought.
First things first – NSX and Micro-Segmentation
I love the concept of Micro-Segmentation that NSX enables. Think of NSX as a virtual distributed firewall that is integrated with your hypervisor, but it really is so much more. This allows you to connect a security policy directly to the vNIC of your guest VM’s. Attaching it to the VM allows that policy to follow the VM anywhere, and everywhere it goes. You don’t have to worry about inter- or intra-VLAN segmentation as all of that is done on each vNIC. On top of that, NSX’s firewall is PCI DSS 3.2 compliant! Another rather compelling feature is VMware’s Application Rule Manager that allows you to analyze VM traffic in order to baseline your traffic and build a policy. Not only is this essential when you start letting the systems guys play in your networking playground, but it can offload some of the tedious work to folks that probably understand the application a little better. ;)
Let’s talk Virtualized Networking Overylays
No matter how sexy Micro-Segmentation seems, I think NSX’s real game changer comes from it’s ability to fully virtualize the network inside of VMware’s virtual compute infrastructure. Let’s all just imagine for a moment a world without OTV. It’s beautiful, isn’t it? We all know that extending L2 across DC’s is a horrible idea, just ask Ivan, although I think he prefers ACI… Luckily since NSX allows you to fully virtualize the VXLAN extension, you don’t have to worry about it. But… how? It’s rather simple actually. Your virtual infrastructure is containerize and NSX forms a Layer-3 peering relationship (BGP/OSPF) with the reset of your network. This is a perfectly simple solution to a very complicated problem versus trying to extend L2 across multiple DCs. This simple solution allows you to announce what is locally to each DC, and the network simply decides what is closer using time test dynamic routing protocols. When you’re able to virtualize the network higher up and simply remove the complexity from the actual data transport I believe you end up with a much more resilient network.
How far does this go? Well, how about your Azure VPNs – get rid of them. NSX can now talk directly to Azure or most other IaaS providers like AWS. This allows you to extend that virtual overlay into hosted space allowing you to dynamically move those workloads without complicating your networking, without convoluted cloud security concerns, and without having to re-ip workloads you wish to move to the cloud. This is such a HUGE win for both sides of the fence.
Back to reality
All of this sounds amazing in theory, but I have yet to experience any of it in the reality of a complicated enterprise network. The micro-segmentation offered here is quite robust and more than just a simple ACL applied to an Port or SVI, this is a full fledged stateful firewall / application layer gateway. Very cool stuff indeed, but I have my own concerns. This is far away from my tried and true adage of keep it simple. One of the serious architecture questions that came up during this presentation was CPU contention, i.e. what happens when the firewall starts getting flooded with traffic? VMware tells us to not worry about these things, but I certainly would like a deeper dive into why this shouldn’t be an issue.
Since I haven’t had a chance to play with NSX yet, I wanted to throw some links out to other NFD delegates that also wrote on this topic.
Extra special disclaimer
While my usual TFD Disclaimer applies here, I felt the need to add to it. Most companies during the coarse of an event hand out swag and trinkets and other miscellaneous low cost items to the delegates. But this year, it seems VMware has gone a bit above and beyond. In addition to the usual swag items, VMware has offered each and every one of us the following items.
- Online VMware NSX: Install, Configure, Manage course
- Test preparation
- Voucher for vSphere foundation and VCP-Network Virtualization certification exams
Honestly, none of us know what to say. We’re highly thankful to VMware for being so generous, but at the same time we have to emphasize that in no way does their generosity influence our opinions in the things we choose to write about them.
Network engineer turned management currently servicing the enterprise data center market. I started working on networks in the ’90s and still feel like that was just a few years ago. Jack of all trades, master of none; I love to learn about everything. Feel free to ask me about photography, woodworking, nhra, watches, or even networking! — For feedback, please leave a comment on the article in question, and I’ll respond as soon as I can. For everything else including fan mail or death threats, contact me via twitter.