VMware Cloud Community
hardingp
Contributor

Nexus 1000v vs. vShield zones

I am deciding whether to implement vShield in the initial license of vSphere.

I am getting the Enterprise version of vSphere which includes the Nexus 1000v and the Virtual distributed switch.

What I am trying to get more information on is what vShield can offer for security that the Nexus 1000v cannot. I understand that vShield installs as a virtual, and filters traffic through its own portgroup and offers some reporting and management features.

However, from an actual security perspective, it seems unnecessary to acquire vShield if you are running the n1000v.

For instance:

vShield offers:

- Bridge, firewall, or isolate virtual machine zones based on logical trust or organizational boundaries

Nexus 1000v also offers zone isolation based on policies on a more robust level?

Can anyone give me a quick comparison on the 2 products and if they even work with each other? Why would you run both?

5 Replies
RParker
Immortal

Nexus 1000v also offers zone isolation based on policies on a more robust level?

First, Nexus is a Cisco product, not a VMware product, so you can't get any better performance / security than the Nexus on ESX. It replaces the vSwitch on ESX Enterprise Plus.

vShield is a design of the switch setup in ESX; they really aren't the same thing. You can use vShield with or without the Nexus.

vShield allows central management across your vCenter.

hardingp
Contributor

Let me reiterate.

If I didn't buy the Cisco Nexus 1000v...

What similar features would vShield offer?

RParker
Immortal

What similar features would vShield offer?

It's all right there.

Nexus replaces the vSwitch; it's like replacing the thermostat in your house with an electronic one. If you had many houses, you could manage ALL your houses from one place (with vShield).

That's the difference. You can't compare the two; they aren't the same thing: one is management, the other technology. A basic thermostat will work (ESX VMware switch); an electronic one offers more robust, more precise control, etc. (Cisco Nexus).

admin
Immortal

vShield Zones is NOT for management. It is true that vShield and the N1KV are two very different products. A better analogy would be to compare a physical Nexus switch with a Check Point firewall.

In short, vShield Zones is a virtual firewall that provides stateful firewalling and flow visibility for your virtual environment. The vShield Appliance is installed as a layer 2 bridge between an internal and an external vSwitch to provide an inline path from which to firewall. It also provides flow visibility between VMs to the point where you can see VM to VM traffic statistics and allows you to make decisions on firewalling that traffic from the flow reports.

The N1KV is a replacement for the VMware vDS. The key security features of the N1KV are pretty much what you can get from a physical Nexus switch, with the exception of 802.1x. For example, it gives you the ability to do MAC filtering, port-based ACLs, and a number of other security features.

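The distinction admin draws above (and carlosVSZ repeats below) is that vShield Zones is a stateful firewall with flow visibility, while the N1KV contributes switch-style controls such as MAC filtering and port-based ACLs, which judge each packet on its own. The simulation below shows why that matters for a defender: a stateless ACL has to open a return-traffic hole that also admits unsolicited packets, while the stateful policy admits replies only for connections it has seen and can report VM-to-VM flow statistics. This is an added example, not code from the thread or from either product; the VM names, zone assignments, rules and packets are constructed placeholders.

```python
"""Added example: stateless port ACL vs. stateful zone firewall over constructed packets."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # sending VM (constructed placeholder names)
    dst: str            # receiving VM
    sport: int
    dport: int
    syn: bool = False   # True only for the first packet of a TCP connection
    size: int = 0       # bytes, used for the flow statistics


# Constructed zone assignment; a real deployment would map VMs by port group or vApp.
ZONES = {"vm-app": "internal", "vm-db": "internal", "vm-web": "dmz"}


class PortACL:
    """Stateless ACL as on a switch port: each packet is judged on its own header.

    Rules are (src_zone, dst_zone, dport) permits; dport None means any port.
    """

    def __init__(self, rules):
        self.rules = rules

    def allows(self, pkt):
        return any(
            sz == ZONES[pkt.src] and dz == ZONES[pkt.dst] and dp in (None, pkt.dport)
            for sz, dz, dp in self.rules
        )


class ZoneFirewall:
    """Stateful firewall: rules admit new connections, replies ride on tracked flows."""

    def __init__(self, rules):
        self.rules = set(rules)                       # (src_zone, dst_zone, dport)
        self.flows = set()                            # (src, sport, dst, dport)
        self.stats = defaultdict(lambda: {"packets": 0, "bytes": 0})

    def allows(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            verdict = True                            # part of an established flow
        elif pkt.syn and (ZONES[pkt.src], ZONES[pkt.dst], pkt.dport) in self.rules:
            self.flows.add(fwd)                       # new connection permitted by policy
            verdict = True
        else:
            verdict = False                           # unsolicited or not permitted
        if verdict:                                   # flow visibility: per VM-pair counters
            pair = self.stats[tuple(sorted((pkt.src, pkt.dst)))]
            pair["packets"] += 1
            pair["bytes"] += pkt.size
        return verdict


def run_scenario():
    """Run the same constructed packet sequence through both policies."""
    packets = [
        Packet("vm-app", "vm-web", 40000, 443, syn=True, size=60),   # app opens HTTPS to web
        Packet("vm-web", "vm-app", 443, 40000, size=1400),           # web replies on that flow
        Packet("vm-web", "vm-db", 45000, 3306, syn=True, size=60),   # web tries to reach db
        Packet("vm-web", "vm-app", 443, 50000, size=60),             # looks like a reply, no flow
    ]
    # The stateless ACL must permit dmz->internal on any port just to let replies back in.
    acl = PortACL([("internal", "dmz", 443), ("dmz", "internal", None)])
    # The stateful firewall only needs the rule for the connection direction.
    fw = ZoneFirewall([("internal", "dmz", 443)])
    return {
        "acl": [acl.allows(p) for p in packets],
        "firewall": [fw.allows(p) for p in packets],
        "flows": dict(fw.stats),
    }


if __name__ == "__main__":
    result = run_scenario()
    print("port ACL  :", result["acl"])       # [True, True, True, True]
    print("stateful  :", result["firewall"])  # [True, True, False, False]
    print("flow stats:", result["flows"])
```

Packets 3 and 4 are the ones to watch: the ACL's broad return rule lets the DMZ web VM open a connection toward the database VM and deliver an unsolicited packet to the app VM, whereas the stateful policy drops both because neither belongs to a connection it admitted. The `stats` table is the toy counterpart of the VM-to-VM traffic reporting the post describes, which is what lets an operator write a rule from observed flows rather than guessing.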
carlosVSZ
VMware Employee

The Nexus 1000v and vShield Zones are two separate things; let me explain.

VMware offers two types of virtual switches, the traditional or legacy vSwitch and the new vDS (vNetwork Distributed Switch), a federated network switching platform that spans several VMware vSphere servers.

The Nexus 1000v is a third-party vDS switch developed by Cisco and is a software implementation of a Cisco Nexus switch that can replace VMware's vDS and legacy vSwitch in the vNetwork layer.

vShield Zones is not a virtual switch but a virtual firewall that fully integrates with the vSphere environment and provides stateful firewalling and traffic flows for your virtual environment.
