VMware Networking Community
HywelB
Enthusiast

New or Existing overlay

Hi,

When migrating a brownfield site with a very flat network to NSX there is an understandable reason to use the existing VLANs. This will lead to many VMs of different types, and possibly different security requirements, whilst still achieving micro-segmentation and improving security.

This has led to the debate: what criteria would you use to decide whether to create new overlays on which to place your new VMs/applications? The following questions are bugging me:

1) Are there any security concerns with having the VMs on the same L2 overlay even though they are protected by the DFW?

2) Are there any limitations to putting many applications in the same overlay? Does this affect the edge services in any way?

3) Concerned about overlay sprawl (1 VM in its own network multiplied by hundreds), should I be? Best practice for server design is one app per server; would the same follow with NSX, one app per overlay?

I realise that security and business continuity policies may drive this, but I am wondering what others do.

Thanks

4 Replies
Sreec
VMware Employee

1) Are there any security concerns with having the VMs on the same L2 overlay even though they are protected by the DFW?

From my experience, the way people discuss and think about security is from different angles: Physical/Virtual/Application are the most common entities, and based on the packet flow (Inter-Site, Intra-Site, DMZ etc.) the security measures differ. So I'm not sure from which angle you are thinking. However, checking the packet flow for ingress/egress at the vNIC level is certainly a granular option, and NSX micro-segmentation does it extremely well irrespective of the workload characteristics. My feedback is to understand the workload mobility and traffic flow and later configure the DFW accordingly.

2) Are there any limitations to putting many applications in the same overlay? Does this affect the edge services in any way?

There are no hard limitations per overlay network (VNID). If isolation is the key criterion, traditionally we go with VLANs, and here VXLAN is the best bet. I didn't get your second query: impact on the edge? What services are we referring to here? Ideally I don't recommend too many services (DHCP/VPN/LB/Routing) on the same device, and the deployment option will be based on tenancy (single tenant/multi tenant etc.). In both cases there are advantages and disadvantages. If you look at the design below, you can see two tenants connected to unique edges and establishing a routing pair with the upstream router; while it fits overlapping IP addresses and multi-tenancy, from a compute/storage perspective the design demands more edges, so cluster sizing matters as the environment scales.

[image: pastedImage_4.png]

3) Concerned about overlay sprawl (1 VM in its own network multiplied by hundreds), should I be? Best practice for server design is one app per server; would the same follow with NSX, one app per overlay?

There is a significant difference in the way BUM (Broadcast, Unknown unicast, and Multicast) traffic is handled by NSX-v compared with the traditional flood-and-learn mechanism. Kindly read https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmw-nsx-network-virtu... page 33 to understand the network requirements and packet flow in each replication mode. My preference is Unicast and Hybrid mode, which is fine for small/medium/large data centers. Again I want to emphasize one main point: the overall cluster design (number of clusters, separate/collapsed etc.) and the total number of sites are also deciding factors, apart from the size of the environment.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
HywelB
Enthusiast

Thanks Sree,

1) Thanks, I think you've answered my question.

2) With regard to the services question, I was really asking whether, if you have many different applications on the same VXLAN, you are complicating the configuration of LB or routing on the edge gateway.

I think what I am really trying to understand is what the pros/cons of these two options are; with the DFW you are creating a level of segmentation anyway.

[image: NSX Options.jpg]

3) I think this statement on p. 33 really covers what I was asking: "The logical switching capability in the NSX platform provides the ability to spin up isolated logical L2 networks with the same flexibility and agility that exists virtual machines". So in a VM world we'd create a new VM with an operating system for a specific application (generally following the one-app-per-VM model); so in an NSX world, would it be wrong to create a new VXLAN per application for new projects? I know I am getting bogged down in design options, but I am trying to get the answers to questions I know I will be asked.

Sreec
VMware Employee

Since this is a three-tier architecture, the first topology makes perfect sense, since each tier is on its own L2 network with DFW. Result: per-app isolation.

First Tier

  • Specific or ANY IP to Web Connection
  • HTTPS service
  • DFW at Web Tier logical switch and Edge F/W rule

Second Tier

  • Web to App
  • Web Tier to App tier Logical switch as source and destination
  • DFW at both logical switches for respective (TCP/UDP) protocol allowing only required ports

Third Tier

  • App to DB
  • App tier to DB tier as source and destination
  • DFW at both the logical switches with required DB port to be opened

[image: pastedImage_1.png]

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
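To make the three-tier rule layout above concrete, here is an added example (my own illustration, not code from the thread, from NSX, or from the DFW itself) that models that rule set as a first-match allow-list with a default deny and evaluates constructed flows against it. The tier names, the subnets assigned to each logical switch, and the service ports (443, 8443, 3306) are assumptions chosen for the example; the point it demonstrates is that with one overlay per tier and these rules, only the adjacent-tier paths the post lists are reachable, and a direct Web-to-DB flow falls through to the default deny even though both tiers sit on overlays.

```python
"""Model of the three-tier DFW allow-list described in the thread (added example).

Tier subnets, ports and rule names below are constructed assumptions, not values
from NSX or from the original post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple

# Constructed logical-switch address ranges: one overlay per tier (first topology).
TIERS = {
    "Web-Zone1": ip_network("10.1.1.0/24"),
    "App-Zone1": ip_network("10.1.2.0/24"),
    "DB-Zone1": ip_network("10.1.3.0/24"),
}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: object            # ip_network the source must fall inside
    dst: object            # ip_network the destination must fall inside
    proto: str             # "tcp", "udp" or "any"
    dports: FrozenSet[int]  # allowed destination ports (ignored when proto == "any")
    action: str            # "allow" or "deny"


# Rule table in the order the post lays the tiers out; the last rule is the default deny.
RULES = [
    Rule("any-to-web-https", ANY, TIERS["Web-Zone1"], "tcp", frozenset({443}), "allow"),
    Rule("web-to-app", TIERS["Web-Zone1"], TIERS["App-Zone1"], "tcp", frozenset({8443}), "allow"),
    Rule("app-to-db", TIERS["App-Zone1"], TIERS["DB-Zone1"], "tcp", frozenset({3306}), "allow"),
    Rule("default-deny", ANY, ANY, "any", frozenset(), "deny"),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the name of the first rule that matches the flow (first-match semantics)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in RULES:
        if s not in r.src or d not in r.dst:
            continue
        if r.proto == "any" or (r.proto == proto and dport in r.dports):
            return r.name
    raise RuntimeError("unreachable: the default-deny rule matches every flow")


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """True when the first matching rule is an allow rule."""
    name = evaluate(src_ip, dst_ip, proto, dport)
    return next(r.action for r in RULES if r.name == name) == "allow"


def reachability() -> Dict[Tuple[str, str], bool]:
    """Which (source tier, destination tier) pairs have at least one allow rule.

    'external' stands for sources only matched by the 0.0.0.0/0 rule. A tier counts as
    reachable from a source when the source network is inside the rule's source range
    and the destination tier's network is inside the rule's destination range.
    """
    sources = {"external": ANY, **TIERS}
    matrix = {}
    for sname, snet in sources.items():
        for dname, dnet in TIERS.items():
            matrix[(sname, dname)] = any(
                r.action == "allow" and snet.subnet_of(r.src) and dnet.subnet_of(r.dst)
                for r in RULES
            )
    return matrix


if __name__ == "__main__":
    # Constructed sample flows: the three intended paths plus two that must be denied.
    flows = [
        ("203.0.113.5", "10.1.1.10", "tcp", 443),    # client -> web, HTTPS
        ("10.1.1.10", "10.1.2.10", "tcp", 8443),     # web -> app
        ("10.1.2.10", "10.1.3.10", "tcp", 3306),     # app -> db
        ("10.1.1.10", "10.1.3.10", "tcp", 3306),     # web -> db directly: denied
        ("203.0.113.5", "10.1.2.10", "tcp", 8443),   # client -> app directly: denied
    ]
    for f in flows:
        print(f"{f[0]:>13} -> {f[1]:<10} {f[2]}/{f[3]:<5} {evaluate(*f)}")
    for (src, dst), ok in sorted(reachability().items()):
        print(f"{src:>10} -> {dst:<10} {'reachable' if ok else 'blocked'}")
```

The reachability matrix is the part worth keeping around: when a rule is added or a port is widened later, re-running it shows immediately whether a tier-skipping path (external to App, Web to DB) has opened up, which is the kind of regression a per-tier overlay plus DFW design is meant to prevent.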
amolnjadhav
Enthusiast

> I think what I am really trying to understand is what the pros/cons of these two options are; with the DFW you are creating a level of segmentation anyway.

[images: storage adapter.jpg, NSX Options.jpg]

I feel that the first topology, where the Web/App/DB tiers are in different VXLAN segments, is more traditional than the second diagram with one VXLAN ID for projectA-zone1.

The first topology has its own advantages, like:

1. Let's consider that your database tier "DB-Zone1" is on a physical server. You can only achieve communication between Web-zone1 <-> DB tier "Physical Server" via L2 bridge or L3 routing "DLR => Edge". In this case the 2nd topology won't be that scalable, because Web/App/DB have the same VXLAN ID.

2. As an NSX operational engineer, the 1st topology is easier to troubleshoot than the 2nd topology. "It's my perspective."

Please consider marking this answer "correct" or "helpful" if you think your query has been answered correctly.

Regards, Amol Jadhav VCP NSXT | VCP NSXV | VCIX6-NV | VCAP-DCA | CCNA | CCNP - BSCI