compdigit44


Understanding VMware NSX

I have been reading up on NSX and have a few questions.

1) Currently our network is flat but it is broken out into 20 - 30 different VLANs. Since NSX lays over the top of the physical network, does this mean that the hosts would not care what physical VLAN they are associated with on the physical network?

2) We are not a hosting provider but are a large organization with ~10k users and 900 VMs at this time. I understand NSX can provide better security closer to the application; what else can it provide?

In short, I am trying to understand the product better and to see what value it could bring to our environment.
Wasim Shaikh

NSX uses an overlay technology, VXLAN, that helps in virtualizing the network.
Assuming the VLANs that you have right now are there to isolate specific traffic or services, NSX will help you eliminate them and ease the isolation of traffic and services.
Services like logical switches, logical routers, logical firewalls, load balancing and many more can be managed in a much better way and from a single interface.
The physical hosts that will be used to virtualize the workload will be connected to your physical VLANs, whereas the virtual workload will be using features provided by NSX.

Refer to the design guide here, and see how it can solve issues that you face in your existing infrastructure.
compdigit44

ASKER

Thank you for your reply. So NSX does not care what VLAN the underlying hosts are on?
1. Yes, it is transparent. Traditionally, tenants are segmented from one another using VLAN IDs (VID). It now makes use of VXLAN. In the NSX architecture, a VM boots and the host registers with the NSX controller. The controller consults a table that identifies the tenant and returns the topology the host should participate in to the vSwitch. The key identifier for virtual isolation is the VNI, which maps to a tenant's VXLAN-segmented topology. What is required is to set up a VXLAN port group.
This is configured during the initial VXLAN configuration process. It includes physical NICs, VLAN information, teaming policy, and so on. These port group parameters dictate how VXLAN traffic is carried in and out of the host VTEP through the physical NICs. As shown in the diagram, VLAN 2000 is used as the transport VLAN for VXLAN traffic. The transport VLAN has no relation to the logical Layer 2 networks or virtual wires that you will create.
http://blogs.vmware.com/vsphere/2013/04/vxlan-series-different-components-part-1.html

2. For the security aspect, the biggest is likely the use of micro-segmentation, such that it utilizes network virtualization based overlays for isolation, and distributed kernel based firewalling for segmentation through ubiquitous, centrally managed policy control which can be fully API driven. This is on top of the application-aware "cloud-native" networking, where the hypervisor places the security checks in the virtual layer. This has a good summary (see the conclusion for an overview):
NSX is the means to provide micro-segmentation through centralized policy controls, distributed stateful firewalling, overlay-based isolation, and service-chaining of partner services to address the security needs of the rapidly evolving information technology landscape.
http://blogs.vmware.com/networkvirtualization/2016/06/micro-segmentation-defined-nsx-securing-anywhere.html#.WHMtuz_2NMU
Very interesting, so if I am understanding things correctly you could have an underlying physical network with hosts on a 192.168.1.x IP but in NSX everything is using a 10.x.x.x IP and yet talking to one another is set up to do so. If this is the case, wouldn't this do away with the traditional network teams as we know it? I am having a hard time seeing how I could sell this to my manager since we are not an ISP but use VLANs heavily, not to mention the cost factor.
You are into the VXLAN setting to allow the VLANs. Indeed not something straightforward, but the gist of it is to extend L2 across L3. The offloading of the underlying routing logic is virtualised to be centrally managed without changing or even knowing the underlying virtual switch.
So really in the future there will be overlap of the traditional network groups and server admins...
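To make the "L2 across L3" point concrete, here is an added example (not from the thread or from VMware) that builds a VXLAN-encapsulated frame the way a VTEP would emit it on the transport VLAN and then decodes it, separating the underlay (transport VLAN, VTEP addresses on 192.168.1.x) from the overlay (VNI and the VMs' 10.x.x.x addresses). The MACs, VLAN 2000, VNI and IP addresses are constructed sample values; a decoder like this is also a handy sanity check when you inspect captures on the transport VLAN.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789        # IANA-assigned UDP port for VXLAN
ETHERTYPE_VLAN = 0x8100      # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def _ipv4(src, dst, proto, payload_len):
    # Minimal IPv4 header; checksum left at 0 since this is a constructed sample.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_vxlan_frame(transport_vlan, vtep_src, vtep_dst, vni, vm_src, vm_dst):
    """Wrap a VM-to-VM IPv4 packet in VXLAN and tag the outer frame with the transport VLAN."""
    inner = bytes.fromhex("005056000002005056000001") + struct.pack("!H", ETHERTYPE_IPV4)
    inner += _ipv4(vm_src, vm_dst, 17, 0)                       # overlay: the VMs' addresses
    vxlan = struct.pack("!II", 0x08000000, vni << 8)            # I flag set, 24-bit VNI
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    outer = bytes.fromhex("001122334455001122334466")           # constructed VTEP MACs
    outer += struct.pack("!HHH", ETHERTYPE_VLAN, transport_vlan & 0x0FFF, ETHERTYPE_IPV4)
    outer += _ipv4(vtep_src, vtep_dst, 17, len(udp) + len(vxlan) + len(inner))  # underlay: VTEPs
    return outer + udp + vxlan + inner

def decode_vxlan_frame(frame):
    """Peel the underlay headers; return the underlay/overlay facts or None if not VXLAN."""
    off = 12
    ethertype, = struct.unpack_from("!H", frame, off); off += 2
    vlan = None
    if ethertype == ETHERTYPE_VLAN:                              # transport VLAN tag, if present
        tci, ethertype = struct.unpack_from("!HH", frame, off); off += 4
        vlan = tci & 0x0FFF
    if ethertype != ETHERTYPE_IPV4 or frame[off + 9] != 17:      # need IPv4 carrying UDP
        return None
    vtep_src = str(IPv4Address(frame[off + 12:off + 16]))
    vtep_dst = str(IPv4Address(frame[off + 16:off + 20]))
    off += (frame[off] & 0x0F) * 4                               # skip IHL-length IP header
    _, dport, _, _ = struct.unpack_from("!HHHH", frame, off); off += 8
    if dport != VXLAN_UDP_PORT:
        return None
    flags, vni_field = struct.unpack_from("!II", frame, off); off += 8
    if not flags & 0x08000000:                                   # VNI only valid with I flag set
        return None
    inner = frame[off:]
    vm_src = vm_dst = None
    if struct.unpack_from("!H", inner, 12)[0] == ETHERTYPE_IPV4:  # inner frame's IP addresses
        vm_src = str(IPv4Address(inner[26:30]))
        vm_dst = str(IPv4Address(inner[30:34]))
    return {"transport_vlan": vlan, "vtep_src": vtep_src, "vtep_dst": vtep_dst,
            "vni": vni_field >> 8, "vm_src": vm_src, "vm_dst": vm_dst}
```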
ASKER CERTIFIED SOLUTION
btan