You are totally right and i agree with you. But it will be very challenging to build nsx-t on 1G network, he will require to at least upgrade the network cards and check the network supportability.

Hi,

Thanks for the reply.  So I am already into the deployment with NSX-V 6.4  I assume I can migrate later if needed?

I deployed, NSX, Controllers and hosts in my LAB cluster.  I plan to tear down NSX from the LAB cluster once I have it working and understand it and can deploy to the production compute cluster.

So I went with the following:

1 - vCenter

2 - Clusters - one for Management and Edge - One for Compute.

1 - Lab cluster

I have 5 hosts in the Management/Edge Cluster and 7 hosts in the compute cluster and 3 hosts in the Lab cluster with some older Dell Servers running ESXi 6.0.  All run DvSwitches.

I put in the management cluster my vCenter, NSX Controllers, NSX Manager etc.  I also have a number of my internal servers on that cluster and they live in a separate VLAN and subnet.

I put in my Compute Cluster all of the client servers.  They are currently separated by VLAN and firewalls.

So far it seems to be working and all status lights are green.

I do have a new question.

I am not sure I understand how I would need to deploy VXLAN?  Since I have multi-tenant and need zero trusts.  When I set up the VXLAN on the hosts it asks for a VLAN number.  Do I leave it as 0 or do I use my tagged management VLAN number that all my management devices are running on or do I need one for each client network?  Also, it is asking for an IP pool or DHCP.  What subnet should that use?  I new one that doesn't route anywhere or my VM management subnet??  Any help to deploy VXLAN would be helpful.  Remember I need multi-tenant and microsegmetation and security.

Any help is greatly appreciated.

Thanks

VXLAN mainly work on the virtual environment only between the VM's and the virtual routers (distributed logical router) and the edge gateway is only converting the vxlan traffic to the vlan. so the only interface need to be connected to the VLAN traffic is the edge gateway uplink interface.

All the traffic of the VXLAN transferred between the esxi hosts transferred in a tunnel named (VTEP) and this is the VMK created for the NSX per host and you can dedecate a vlan for it or put it in the management vlan and better for security is to but it in isolated vlan / subnet (and this is the ip pool which you are asking about).

And for the micro-segmentation is done by diffault in the nsx after you install the nsx manager and add the vcenter and install the nsx vib on the hosts the firewall service on the host start by default all what you need is to configure the firewall. needless to say or to remind you that the better design for the firewall always the consolidated rules do not but multiple roles to serve same service (design it in smart way and use the grouping to save the processing of the roles) .

I hope this answer your question and i hope that this become answer or helpful comment for you. also, for More details and more information just follow my blog http://www.syncgates.com.

Thanks for the reply.

So to get the load balancer working for 2 web servers I only need an edge gateway and no need to setup VXLAN?  If I do or want to setup VXLAN, you are recommending setting up a new subnet, VLAN ID on my switch core?  When I setup VXLAN it want an IP Pool and that asks for a gateway.  Do I just enter an IP or does it need to route out? So if it does I need to create an L3 interface with an IP on my switch core so it can route out.

Hope the question makes sense.

Thanks

Load balancer is one of the network services and the edge, which require  the VXLAN setup. {only micro-segmentation not requiring the VXLAN}.

If you will put all the VTEPs in the same switch without different subnet with no multisite or multi subnet setup, you can isolate it.  but the Gateway is must in the VTEP Pool configuration. so, you can configure it on the switch and no need for it to reach the core switch.

I hope this answer your question and i hope that this become answer or helpful comment for you. also, for More details and more information just follow my blog http://www.syncgates.com.