PinoyAko
Contributor
Contributor

NSX on Multiple Network Zones in a vSphere Cluster

Jump to solution

Hello,

i am noob in NSX. i have been reading articles with regards to NSX implementation. but here's what keeps me thinking, how would i implement NSX on an environment with multiple secured zone in a single cluster, like i used to do using vDS?

say, i have a 32-node cluster. this cluster have 4 vDS, each vDS represents a network zone (zone1, zone2, dmz1, dmz2).

Management, vMotion, FT vmknics were isolated with dedicated pNICs using vSwitch (standard).

each vDS has it's own pNICs as uplinks,

each host have 8 pNICs.

thanks for you inputs in advance.

0 Kudos
1 Solution

Accepted Solutions
vmmeup
Expert
Expert

I assume that because you have 4 separate vDS's you are looking to keep them isolated form each other.  You can still do this in NSX.  If for example 1 of your 4 Vds was for a management cluster or management plain you could create a transport zone for each of the other 3 to connect back to the management zone to then be connected to a centralized edge gateway so they could then be connected to the outside world.  The edge gateway contains firewall etc so no need to worry about that.  IF you were really concerned you could dpely an edge gateway for each of the vDS and not connect them together at all and just have the zone for VDS with the logical switches for that vDS and then have an edge gateway within.

There are truly lots of options.  Between the distributed firewall and the Edge Gateways firewalls you may even be able to simplify things.

Sid Smith ----- VCP, VTSP, CCNA, CCA(Xen Server), MCTS Hyper-V & SCVMM08 [http://www.dailyhypervisor.com] - Don't forget to award points for correct and helpful answers. 😉

View solution in original post

0 Kudos
5 Replies
kjb007
Immortal
Immortal

Adding NSX into the mix will not take away form what you're already able to do, but rather add to it.  You can still maintain those zones that you are currently using, if you want to do that, or enhance them by creating logical switches and adding additional security and backing each individual vm vNic with firewall and policy rules.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
PinoyAko
Contributor
Contributor

Thanks kjb007

But how would it work with the VTEPs in this case? what should be the setup?

i am not sure with my understanding though.

thanks in advance.

0 Kudos
RussH
Enthusiast
Enthusiast

Hi,

Since you have one cluster, there would be one "Transport Zone" within NSX and 1xVTEPs (or 2 for failover) which all NSX Logical Switches would use for encap/decap. You would need to select which vDS you would want to attach the the VTEPS to.

Speaking more generally - NSX affords you a greater amount of granularity/control/security than was previously possible - you may wish to evaluate how you could re-architect your security zones.

Cheers

vmmeup
Expert
Expert

I assume that because you have 4 separate vDS's you are looking to keep them isolated form each other.  You can still do this in NSX.  If for example 1 of your 4 Vds was for a management cluster or management plain you could create a transport zone for each of the other 3 to connect back to the management zone to then be connected to a centralized edge gateway so they could then be connected to the outside world.  The edge gateway contains firewall etc so no need to worry about that.  IF you were really concerned you could dpely an edge gateway for each of the vDS and not connect them together at all and just have the zone for VDS with the logical switches for that vDS and then have an edge gateway within.

There are truly lots of options.  Between the distributed firewall and the Edge Gateways firewalls you may even be able to simplify things.

Sid Smith ----- VCP, VTSP, CCNA, CCA(Xen Server), MCTS Hyper-V & SCVMM08 [http://www.dailyhypervisor.com] - Don't forget to award points for correct and helpful answers. 😉

View solution in original post

0 Kudos
PinoyAko
Contributor
Contributor

Thanks guys, these inputs made me think of re-designing then.

The setup that i was trying to illustrate do have the following considerations/constraints:

1. Physical network team and infrastructure are not ready for NSX setup, yet capable of slight change (e.g. MTU change)

2. PCI compliance and other audit limits (fully isolated layers of networking), but open for logical isolation.

3. Multiple site locations.

I should then be looking more into Edge gateways approach/strategy

Again, thanks for giving the lights...

0 Kudos