Last week we held a webinar on Micro-segmentation with VMware NSX where VMware Certified Instructor John Krueger discussed the major features and capabilities of VMware NSX 6.1 and how in a software defined data center, a zero trust security model becomes achievable when taking advantage of features in VMware NSX. The conversation led to several questions, some of which we wanted to share with you.
Where can I find step-by-step instructions for the installation and configuration of NSX on an ESX host?
Please see the NSX Installation and Upgrade Guide.
What about network tools (reporting, monitoring, …)? Are they provided by NSX?
NSX provides Flow Monitoring for watching traffic through the Distributed Firewall. There is also a packet capture utility built into ESXi that is VXLAN aware, and can capture traffic at any point from the vNIC egress to physical uplink egress, and most points in between. NSX can take advantage of that capture utility and provides a traceflow function to capture and allow you to analyze traffic from one VM all the way to another across the Logical Network. NSX also provides auditing and logging for administrator activity. VMware provides a Management Pack for vRealize Operations Manager for deep insight into NSX, its Logical Network topologies and components, and a Content Pack for vRealize LogInsight for a more visual syslog analysis.
If NSX extends the L2 boundaries of a Data Center, how do redundancy and configuration protection work between two data centers? Will only one NSX Appliance manage both data centers? Or will each DC have its own NSX appliance?
If I have multiple physical sites managed by a common vCenter Server, the NSX Manager will exist only in one site (likely on your management cluster). Because NSX has a 1-to-1 relationship with vCenter Server, if I have multiple NSX Managers, that implies multiple vCenter Servers. There is currently no synchronization between them.
NSX has to go through physical hardware to get to a different ESX host. Routing and firewall make a lot of sense to do at the hypervisor level but what are some of the benefits on the switch level if you still have physical hardware?
Because the routing and firewalling happen within the hypervisor, the network requirements for the physical infrastructure are lessened, making the physical easier to operate, less of a touch point, and a more stable asset.
Is the micro-segmentation concept based on the VXLAN VNI separation? Or is it more of an NSX logical segmentation on top?
Micro-segmentation is based on the fact that we can now provide security filtering at the virtual NIC, so that each NIC is now segmented and protected within the environment.
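To make the answers above concrete (that enforcement happens at each vNIC rather than at VNI boundaries, and that the resulting decisions can be summarized the way Flow Monitoring does), here is an added, self-contained Python model of a distributed firewall. It is illustration code written for this post, not NSX's own API or rule format; the VM names, addresses, groups and VNI number are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data and a simplified rule model; not NSX's actual objects.


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: Optional[str]   # None means "any source"
    dst_group: Optional[str]   # None means "any destination"
    proto: Optional[str]       # None means "any protocol"
    dst_port: Optional[int]    # None means "any port"
    action: str                # "allow" or "deny"


@dataclass(frozen=True)
class VNic:
    vm: str
    ip: str
    vni: int                   # logical switch the vNIC is attached to
    groups: frozenset          # security groups the VM belongs to


class DistributedFirewall:
    """Per-vNIC policy: first matching rule wins, otherwise the default applies."""

    def __init__(self, vnics, rules, default_action="deny"):
        self.by_ip = {v.ip: v for v in vnics}
        self.rules = list(rules)
        self.default_action = default_action
        self.log = []          # (flow, rule name, action) records, like a flow log

    @staticmethod
    def _in_group(vnic, group):
        # Unknown (external) endpoints belong to no security group.
        return group is None or (vnic is not None and group in vnic.groups)

    def _matches(self, rule, flow):
        src = self.by_ip.get(flow.src_ip)
        dst = self.by_ip.get(flow.dst_ip)
        return (self._in_group(src, rule.src_group)
                and self._in_group(dst, rule.dst_group)
                and (rule.proto is None or rule.proto == flow.proto)
                and (rule.dst_port is None or rule.dst_port == flow.dst_port))

    def evaluate(self, flow):
        # Enforcement is at the destination vNIC, regardless of whether source
        # and destination share a VNI: same segment does not mean allowed.
        for rule in self.rules:
            if self._matches(rule, flow):
                self.log.append((flow, rule.name, rule.action))
                return rule.action
        self.log.append((flow, "default", self.default_action))
        return self.default_action

    def summary(self):
        # Flow-monitoring style view: how often each rule/action was hit.
        counts = {}
        for _, name, action in self.log:
            counts[(name, action)] = counts.get((name, action), 0) + 1
        return counts


def demo():
    # Three VMs on ONE logical switch (VNI 5001): two web servers and a database.
    vnics = [
        VNic("web01", "10.0.1.10", 5001, frozenset({"web"})),
        VNic("web02", "10.0.1.11", 5001, frozenset({"web"})),
        VNic("db01", "10.0.1.20", 5001, frozenset({"db"})),
    ]
    rules = [
        Rule("web-to-db-mysql", "web", "db", "tcp", 3306, "allow"),
        Rule("any-to-web-https", None, "web", "tcp", 443, "allow"),
    ]
    fw = DistributedFirewall(vnics, rules)   # zero trust: default deny
    flows = [
        Flow("10.0.1.10", "10.0.1.20", "tcp", 3306),   # web01 -> db01, permitted
        Flow("10.0.1.11", "10.0.1.10", "tcp", 22),     # web02 -> web01, same VNI, denied
        Flow("203.0.113.5", "10.0.1.10", "tcp", 443),  # external -> web01, permitted
        Flow("203.0.113.5", "10.0.1.20", "tcp", 3306), # external -> db01, denied
    ]
    decisions = [fw.evaluate(f) for f in flows]
    return decisions, fw.summary()


if __name__ == "__main__":
    decisions, summary = demo()
    for d in decisions:
        print(d)
    for (name, action), n in summary.items():
        print(f"{name}: {action} x{n}")
```

The second flow is the point of the exercise: web02 and web01 sit on the same VNI, yet SSH between them is dropped because no rule at web01's vNIC permits it. A VLAN- or VNI-based design would have allowed that traffic simply because the two hosts share a segment.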
What is the future of existing network engineers with the introduction of VMware NSX?
I think they have a very bright future. Generally, the network engineers will be the ones managing the virtualized networks, not the vSphere administrators.
A recording of the webinar is now available on demand, along with all our other webinars from the past few months. Check them out.