VMware Networking Community
Jey10
Contributor

Microsegmentation with bare-metal servers

Hi,

I'm working on an SDN project for a company and we are analyzing NSX. I've found that we can use hardware gateways (better than software GWs in my case) to get consistent workloads between virtual and physical servers, so that both can be managed in NSX. I know that an IP gateway is needed in this case for the exchange between bare-metal and virtual servers.

But I'd like to know if we can do microsegmentation with bare-metal flows the same way as with VMs. Can we really overcome the IP and do microsegmentation for bare metal the same way?

Thanks,

Jérémy

4 Replies
Beingnsxpaddy
Enthusiast

Dear Jey10, if you are considering NSX-v, then micro-segmentation is limited to the virtual infrastructure; however, NSX-T is coming with support for other platforms as well, hence it would be worth checking the product and whether it fits your use case.

Regards

Pradhuman

VCIX-NV, VCAP-NV, VCP2X-DCVNV

Sreec
VMware Employee

You may please validate the links below. There is a federated solution available from Arista and VMware which will allow us to extend micro-segmentation to physical workloads as well, and it is possible with NSX-V.

https://www.arista.com/assets/data/pdf/TechBulletins/Microsegmentation-Arista-VMware-Technical-Brief...

https://blogs.vmware.com/networkvirtualization/2018/08/nsx-portfolio-vcn-vmworld-2018.html/

https://www.marketwatch.com/press-release/arista-introduces-secure-cloud-networking-2018-08-21

There are many other supported hardware VTEP gateways as well. But when it comes to security policies, there are limitations with the integrations:

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c1...

Currently, this integration works only for Layer 2.

   Security, ACLs, and QoS are not supported for hardware VTEPs.

   BUM traffic is replicated in software by RSNs within a vSphere and NSX cluster (this is not an OVSDB limitation, but an NSX-specific implementation).

   When this feature is enabled, a DLR cannot be used for the logical switch in NSX.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Jey10
Contributor

Thanks both for your answers.

Sreec, your first link is very interesting, but in the end it says it can extend micro-seg without saying how. Apparently it's only by associating CloudVision and NSX; it doesn't talk about the hardware gateway. But I just spent an entire day this week talking with 2 experts from Arista who told me that micro-seg isn't done with CloudVision, and there is the HW GW, but with the limitations you gave.

So I think they're using the word micro-seg abusively there.

I would believe in it if they told me so.

Anyway thank you very much for the answers and docs.

Sreec
VMware Employee

I couldn't agree more on this topic. Long story short: bare-metal plus virtual workload micro-segmentation is not as feature-rich as we want, and that's why I explicitly called out a few points in the last thread. It might change over a period of time; NSX-T is certainly supported for such designs.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist