VMware Networking Community
NovaSupa
Contributor

Question on Service Insertion

I'm reading through the NSX reference guide, p. 78, and came across this image and the following description: "Traffic exiting the guest VM always follows the path with increasing slot-ID number, so a packet would first be redirected to slot 2 and then slot 4. Traffic reaching the guest VM follows the path in the reverse slot-ID order; first slot 4 and then slot 2."

As per the image, Slot 4 directs to a Partner Services VM. Does this imply that if I were using a 3rd-party service, e.g. Palo, Fortinet, Symantec etc., that traffic gets redirected to a VM that is responsible for carrying out the requested service, and if this is the case, would this "Service VM" be responsible for providing services for "X" number of VMs? I'm thinking bottleneck here and so forth.

Thanks much,

[Attachment: Service Insertion.PNG]

0 Kudos

Accepted Solutions
mtmtkm
Contributor

Hi

As you know, traffic redirection is defined in each Security Policy, so any traffic that goes into or out of a Security Group tied to that Security Policy will be redirected to the Service VM.

Since Service VMs are deployed on every ESXi host, all redirection happens inside the VMkernel, so there's no physical network interaction. Plus, the DFW comes in first to drop all unnecessary packets before redirecting to the Service VM, so it's very efficient.


Each vendor should have some guideline for Service VM sizing. For example, the Service VM for Trend Micro Deep Security needs to be modified depending on how many VMs are running on each ESXi host.

(p. 85)

http://docs.trendmicro.com/all/ent/ds/v9.6_sp1/en-us/Deep_Security_96_SP1_Install_Guide_nsx_EN.pdf

Hope this helps!


0 Kudos
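As an added illustration (not code from the NSX guide, the posters or any vendor), here is a small Python model of the slot-ordered chain the quoted guide text describes: a DFW at slot 2, partner redirection at slot 4, one Service VM per ESXi host, egress walked in increasing and ingress in decreasing slot order. Every VM name, host, security group, rule and slot number in it is constructed. It shows that on egress a packet the DFW drops never reaches the Service VM, that on ingress (per the quoted reverse order) slot 4 runs before slot 2, and that redirection always lands on the Service VM of the guest's own host.

```python
"""Toy model of the slot-ordered service chain quoted in the question.
Added example, not NSX code: it encodes only the quoted ordering rule (guest
egress in increasing slot-ID order, ingress in reverse) with the DFW at slot 2,
partner redirection at slot 4 and one Service VM per ESXi host, as the answer
describes. Every VM, host, group, rule and slot number here is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str    # sending VM
    dst: str    # receiving VM
    dport: int  # destination TCP port

@dataclass
class Fabric:
    membership: Dict[str, Set[str]]  # VM -> security groups
    host_of: Dict[str, str]          # VM -> ESXi host
    svm_by_host: Dict[str, str]      # ESXi host -> partner Service VM on that host

@dataclass
class DFWSlot:
    """Slot 2: the distributed firewall. Rules are (peer security group or 'any',
    destination port or 'any', action), evaluated top-down; no match falls
    through to the default action."""
    slot_id: int
    rules: List[Tuple[str, object, str]]
    default_action: str = "drop"

    def process(self, pkt, vm, fabric, trace) -> bool:
        peer = pkt.dst if pkt.src == vm else pkt.src
        peer_groups = fabric.membership.get(peer, set())
        for group, dport, action in self.rules:
            if group in ("any", *peer_groups) and dport in ("any", pkt.dport):
                trace.append(f"slot {self.slot_id} DFW {action} ({group}/{dport})")
                return action == "allow"
        trace.append(f"slot {self.slot_id} DFW {self.default_action} (default)")
        return self.default_action == "allow"

@dataclass
class PartnerSlot:
    """Slot 4: network introspection. Redirects only when the guest VM is in a
    security group bound to the redirection policy, and always to the Service
    VM on the guest's own host (no physical network hop)."""
    slot_id: int
    redirect_groups: Set[str]
    redirected: List[Tuple[Packet, str]] = field(default_factory=list)

    def process(self, pkt, vm, fabric, trace) -> bool:
        if fabric.membership.get(vm, set()) & self.redirect_groups:
            svm = fabric.svm_by_host[fabric.host_of[vm]]
            self.redirected.append((pkt, svm))
            trace.append(f"slot {self.slot_id} redirect -> {svm}")
        else:
            trace.append(f"slot {self.slot_id} no redirection policy")
        return True  # the toy Service VM inspects and forwards everything

def run_chain(pkt, vm, direction, slots, fabric):
    """Walk one vNIC's slots for one packet; returns (delivered, trace)."""
    order = sorted(slots, key=lambda s: s.slot_id)
    if direction == "ingress":  # traffic reaching the guest: reverse slot order
        order.reverse()
    trace: List[str] = []
    for slot in order:
        if not slot.process(pkt, vm, fabric, trace):
            return False, trace
    return True, trace

def demo() -> dict:
    """Constructed scenario: two web VMs on two hosts, HTTPS allowed, SSH not."""
    fabric = Fabric(
        membership={"web-01": {"sg-web"}, "web-02": {"sg-web"}, "client-01": set()},
        host_of={"web-01": "esxi-01", "web-02": "esxi-02", "client-01": "esxi-01"},
        svm_by_host={"esxi-01": "svm-esxi-01", "esxi-02": "svm-esxi-02"},
    )
    partner = PartnerSlot(slot_id=4, redirect_groups={"sg-web"})
    slots = [DFWSlot(slot_id=2, rules=[("any", 443, "allow")]), partner]
    r = {}
    # Egress, allowed: slot 2 permits, then slot 4 redirects to the local SVM.
    r["egress_443"] = run_chain(Packet("web-01", "client-01", 443), "web-01", "egress", slots, fabric)
    # Egress, denied: dropped at slot 2, so the Service VM never sees it.
    n = len(partner.redirected)
    r["egress_22"] = run_chain(Packet("web-01", "client-01", 22), "web-01", "egress", slots, fabric)
    r["egress_22_redirected"] = len(partner.redirected) - n
    # Ingress, denied: slot 4 runs first, so the SVM sees it before slot 2 drops it.
    n = len(partner.redirected)
    r["ingress_22"] = run_chain(Packet("client-01", "web-01", 22), "web-01", "ingress", slots, fabric)
    r["ingress_22_redirected"] = len(partner.redirected) - n
    # Same policy on another host lands on that host's own Service VM.
    r["egress_443_host2"] = run_chain(Packet("web-02", "client-01", 443), "web-02", "egress", slots, fabric)
    r["redirect_targets"] = [svm for _, svm in partner.redirected]
    return r

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it directly to print each case's delivery result and slot trace. The per-direction ordering is taken only from the two quoted sentences; how a particular partner integration actually behaves on the return path should be confirmed against that vendor's NSX integration guide, which is also where the per-host Service VM sizing the answer mentions is specified.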
NovaSupa
Contributor

Thank you much for the response. Absolutely helped!

Blue

0 Kudos