VMware Partner Boot Camp

Arrived in San Francisco yesterday and today we are out at the VMware campus in Palo Alto for a series of partner workshops. I have selected the NSX deep dive track.

Our three hosts for the day were Thanos Sioutas, Paul Cassell and Brian Hara. All three presenters are former Cisco employees, which apparently must be a prerequisite for getting hired, as something like 70% of the VMware Network Service Business Unit are ex-Cisco.

It was a big group with about 60 people in the room from all different kinds of partner organisations. It seemed that the general level of understanding of NSX was fairly rudimentary, based on the numerous questions from the audience. Considering this was billed as a deep dive NDA session for partners, it was a little disappointing to get bogged down in some of the basic concepts, but I guess there was plenty of time to ask questions, so there were no burning issues that people did not have an opportunity to bring up.

VMware quietly released NSX 6.2 last week, and the VMware team were happy to discuss some of the new features. Most of the reported changes in 6.2 were around increasing scalability limits, so I took notes of any references to changes with 6.2. However, it really does appear that 6.2 is a fairly minor upgrade, so probably not a lot of new stuff for NSX will be discussed this week.

The first session with Thanos was basic revision, covering what is in the design guide. Nothing new here.

The second session with Paul discussed lessons learnt with the Distributed Firewall. Most of the content appeared to be taken from the DFW Policy Rules Configuration whitepaper published here: http://www.vmware.com/files/pdf/products/nsx/WhitePaper-DFW-Policy-Rules-Configuration-Guide.pdf

A couple of good pointers here including:
- Lessons learnt with firewall rules applying to sticky IP addresses and no VMware Tools installed on the guest. The typical use case here is VDI scenarios. This is addressed in 6.2 by enabling the new DHCP / ARP snooping feature.
- Use security tags as the criteria for creating security groups; avoid applying rules directly to host names or IP addresses.
- Make sure that if you have a requirement to vMotion machines to another cluster, the endpoints are configured on the other cluster (obvious, but easy enough to overlook :)).
- There was a discussion on the best way to utilize Palo Alto Networks firewalls in conjunction with the DFW. The PAN firewall throughput can be a bottleneck, so the architecture needs to split out groups to limit traffic flowing to PAN. For example, use the DFW for multi-tier layering, but use PAN for the external vNIC of the web server.
- There were a number of recommendations on how to use the "applied to" scope. The key scenarios were multi-tenant environments with overlapping IP subnets. A second, more obscure scenario is where there are multiple vNICs bound to a VM and you want to apply different rules to each vNIC (I have no clue why you would want to do this either).
- Application Level Gateways (ALGs) apply to most protocols except for TFTP. This means that if you try to PXE boot through the DFW you are going to have a lot of fun.

Had a break for lunch out on the terrace. This really is a beautiful spot, even in the middle of a drought.

Brian stepped up after lunch to do an NSX demo. After the demo we were supposed to do the public online labs, but nobody really wanted to spend their time doing something that can be done anytime and any place. Also, the 6.2 labs have not been updated on the VMware labs site.

After the demo it broke down into a general Q&A session with all of the VMware guys in the room. Nothing really new here.