What do people think of VMware NSX especially after VMworld

KapsZ28

Is it all hype or is this truly the direction we are headed in? Is it good for Service Providers or more geared towards large enterprises?

Personally I want to get on board and at least test it out, but our CTO feels differently. Of course, he comes from a networking background, and it seems most people who are or were network engineers hesitate the most.

For us, I think there is a pretty decent use case for it. Here is a list of items I would like to replace with NSX if it really is fully capable.

Firewalls:
Cisco ASAs, and probably at least 50 virtual pfSense firewalls.

Load Balancers:
HAProxy, Nginx, NetScaler, Stingray

In addition I would like to leverage gateway antivirus, plus we just received a bunch of 10Gb Arista switches.

Do you think we have a decent use case and is it worth the investment? What do people not like about it?
 
To me, it is the future. Everything is moving towards being converged, and fully software managed - with the underlying hardware just doing what the software instructs it to do. I for one welcome this change as it *should* make management more cohesive, especially in more complex environments. The NSX HOL are terrific at demonstrating just how awesome network virtualization is.
 
Love it, can't wait to mess with it more in the lab if we ever get access to download it.
 

Sadly I have access to it and the equipment to set up a POC, but my CTO just isn't interested at all.
 
Done the HOL and that's great. Have a lab here at work that I'd love to toss it in. You're lucky Kapz28, well not about the CTO part.
 

Yeah, I will keep pushing, at least to set up a POC. We are trying to work with our VAR to bring more IaaS in, but they want to white label it. If that really happens, NSX will definitely make the management of security and networking easier.
 
So I am arguing over NSX with friends, and one said the following.

Again, the current world of host systems on LANs is brainf'd because we never had a legit, simple, broadly deployed ES-IS protocol. ARP on Ethernet worked, and we've been paying for it ever since.

What is my counter argument for this?
 
Huge fan of VMware NSX. What I like is that it's pretty elegant and simple and easy to merge into an existing environment if you aren't doing a new build. We're starting to do customer briefings on it and the primary driver for those is security: PCI, HIPAA, etc. Customers want easier ways to segment those environments and do "integrated" anti-malware, IPS/IDS, and better firewalling (think Palo Alto).

It's easy to talk to customers about NSX. You can focus in on the services such as dfw (Distributed Firewalling), dlr (Distributed Logical Router), ESGs (Edge Services Gateways), and VXLAN (network abstraction/overlay).

I pitch it, right now, as almost a vCNS/vShield on steroids along with the VXLAN functionality and if you look at NSXv, that's really what it is. It's just now getting a lot more focus and attention.
 

Great, thanks for the info. Question about the Distributed Firewall. Since "All participating hypervisors collectively become one Firewall" does that mean if you lose an ESXi host, the firewall continues to operate with zero downtime? You don't have to worry about HA kicking in and the firewall restarting?

Also, how do those compare to, say, a Cisco ASA? My goal would be to replace the ToR Cisco ASAs, especially when two are required for an HA setup. For example, a single client setup using two 5515-X IPS Edition at $5k a piece. Cost really adds up. So I am curious to see how NSX compares with the built-in firewall and IPS. I know you can use Palo Alto (which I would love to use), but I am guessing there is additional cost to add those into NSX.
 

The dfw is distributed. Every vSphere host has a dfw kernel module. Policies are applied at the vNIC level of VMs. So a vSphere host failing doesn't affect any other host. That's the beauty of the dfw. If you are blocking traffic between VM1 and VM2, that traffic will get blocked at the kernel level on the vSphere host where VM1 lives. It never hits the wire.

For things like ToR ASAs it's perfect. It's fast. It's capable. I wouldn't use it for perimeter firewalling but for things like tenant separation it is great.
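The per-host, per-vNIC enforcement model described in the post above, as an added toy model (not NSX code, and not from any poster): each host carries the same rule table and decides on the source VM's host, so taking a host down removes only its own VMs and changes nothing about how the remaining hosts enforce. Host and VM names and the three-tier rules are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    src: str             # VM name or "any"
    dst: str             # VM name or "any"
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "block"

@dataclass
class Host:
    name: str
    vms: set = field(default_factory=set)
    up: bool = True

class DistributedFirewall:
    """Every host holds the same rule table and enforces it at the vNIC of
    the VMs it runs; there is no central firewall appliance to fail over."""

    def __init__(self, rules, hosts):
        self.rules = rules
        self.hosts = {h.name: h for h in hosts}

    def host_of(self, vm):
        return next((h for h in self.hosts.values() if vm in h.vms and h.up), None)

    def decide(self, src, dst, port):
        """(enforcing host, verdict): decided on the source VM's host, before the wire."""
        host = self.host_of(src)
        if host is None:
            return None, "source-down"
        for r in self.rules:  # first match wins
            if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
                return host.name, r.action
        return host.name, "block"  # implicit default deny

def demo():
    """Constructed layout: one VM per host, then host esx-b fails."""
    rules = [
        Rule("web1", "app1", 8443, "allow"),
        Rule("app1", "db1", 3306, "allow"),
        Rule("any", "any", None, "block"),
    ]
    fw = DistributedFirewall(rules, [Host("esx-a", {"web1"}), Host("esx-b", {"app1"}), Host("esx-c", {"db1"})])
    flows = [("web1", "app1", 8443), ("web1", "db1", 3306), ("app1", "db1", 3306)]
    snapshot = lambda: {f"{s}->{d}:{p}": fw.decide(s, d, p) for s, d, p in flows}
    before = snapshot()
    fw.hosts["esx-b"].up = False  # esx-b goes down; esx-a and esx-c keep enforcing locally
    return {"before": before, "after": snapshot()}
```

Calling `demo()` shows the web-to-db flow still blocked on esx-a after esx-b is lost; only flows sourced from the dead host disappear.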
 

Edge devices are for perimeter firewalling :)
 
Palo Altos are awesome firewalls. Haven't used the VM version but we have 5020s, 500s and 200s. Panorama makes it super easy.
 
Yeah. I actually meant to put a paragraph on that and forgot. :)

But I wouldn't use it for true org perimeter. DC perimeter, yes.

We use the ASAs with very basic settings, NAT and access rules. Not even IPS, generally speaking. Usually just in front of the customer servers at our DC, with IPSec tunnels set up to their other sites if they have them. Would an Edge device be a good replacement for that?
 

Yes. ESGs do NAT and ACLs just fine. Their purpose in life, really.
 
I think it is time for me to start adding up all our devices and make a use case for NSX.
 
Is NSX available or going to be available via VSPP?

What is the price range on Palo Alto firewalls, the VM-based ones? Can't find pricing and really don't like "call us for pricing" models.
 

NSX is available for VSPP. It is 20 points per VM protected by NSX with a minimum buy in of 250 VMs.

I don't know any pricing for third party apps.
 