Running VMware NSX on a Cisco ACI Fabric

  • Published 11 Sep 2024

COMMENTS • 62

  • @nilesh74in
    @nilesh74in 3 years ago +2

    Great instructor, nice video, excellent communication and presentation

  • @MrTaliz
    @MrTaliz 7 years ago +4

    Good explanation. Even myself who is not a network expert, but a simple VMware admin, understands this!

  • @quasijones
    @quasijones 6 years ago +2

    Great video, very clear and concise explanations. I will be sharing this with my partners!

  • @CiscoDataCenterMadeEasy
    @CiscoDataCenterMadeEasy 5 years ago +6

    This is an operational nightmare! 3 different networks, 2 different sets of routers, at least 2 different network admins! And you are saying you are making "ACI easier"? I think this is not the right approach to position NSX benefits my friend. However, thanks for the explanation! very clear :)

    • @AS-or7em
      @AS-or7em 2 years ago

      💯 Agree - I personally have seen sub-optimal routing scenarios and they lock us into buying more tier 0 gateways as logical nodes cannot support enough traffic? WTH

  • @deepakkatote3731
    @deepakkatote3731 2 years ago

    Good work naman

  • @CompGeek007
    @CompGeek007 6 years ago

    Right on the money. Beautifully done. Two thumbs up!!

  • @williamrivera724
    @williamrivera724 3 years ago +1

    Now dealing with east/west - north and south, it looks like we love to create problems. Thinking in traffic can go any direction in any structure could be better. More complexity does not make the solution smart.

  • @vrushalikatote8452
    @vrushalikatote8452 2 years ago

    So impressive and real world example

  • @mayanknauni
    @mayanknauni 7 years ago +2

    Awesome Naman

  • @rupvan
    @rupvan 6 years ago

    Awesome video. Clear explanation. Good work.

  • @johnt3933
    @johnt3933 7 years ago

    very well explained, thank you for taking the time!

  • @mtsmello
    @mtsmello 7 years ago +8

    well you're just throwing away all the ACI functionality this way

    • @TheChinobi23
      @TheChinobi23 3 years ago

      Right? So the engineer who designs something like this is just throwing away money

  • @ccieboy2119
    @ccieboy2119 7 years ago +3

    Thank you for highlighting the power of ACI, VLANs have local significance, anycast gateways, and a robust underlay. As you mentioned ACI is a robust underlay for virtual and physical workloads, that is policy driven using APIC, as you mention configure them once and everything you can do through NSX, but why, if I can manage the virtual and physical workloads from APIC and integrate vCenter with APIC to automate the creation of port groups, (understand you need to do one time hooks), why do I need to spend on compute for the edge and DLR, if I can do all the functions using ACI without having a bottleneck sending the traffic to edge/DLR to speak to outside world and for physical/virtual communication, also why do I need to have VXLAN to VLAN mapping if I can do it on the ACI leaf? And regarding security using contracts I can protect my workloads in stateless manner and if needed I can use AVS to do the distributed firewalling, and it is a VMware certified VIB under pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-751034F3-5337-4DB2-8272-8DAC0980EACA.html&resultof=%22%56%49%42%22%20%22%76%69%62%22%20.
    And I am limited to VMware hypervisor, what about if I need to have Hyper-V or KVM, do I need to use the Edge to communicate with them? In ACI you can have multi-hypervisor support, nevertheless don't forget about the telemetry counters that can give visibility to what is happening on the integrated fabric.
    I need to thank you for clearing the confusion I have, really I don't need NSX for my environment and it is nice to hear from VMware that ACI is a robust solution.

    • @naman-techshare7878
      @naman-techshare7878 7 years ago +2

      CCIE Boy, thanks for listening to the video. I am not sure if that was the intent of the video. It was not a comparison but how customers are using both solutions, you can do whatever you like and I am glad you are not confused anymore. Regarding VLAN local significance we won't need that with trunking only (4) VLANs. Is that not the reason for using VXLAN, to not hit the VLAN limit? I have yet to see customers hitting a bottleneck with in-kernel routing. Also AVS is not supported in vSphere 6.0 and onwards, which is clearly documented in release notes. To be clear NSX also supports KVM and Hyper-V is coming.

    • @ChrisBarrett911
      @ChrisBarrett911 7 years ago

      Naman-TechShare Thank you for the video on how the ACI fabric helps NSX. Question: Why won't VMW certify AVS? It has certified N1000v.
      AVS is compatible and supported by Cisco. Official support will start on Dec 8. For ESXi 6.0. It is not required however for any micro-segmentation security in ACI.

    • @naman-techshare7878
      @naman-techshare7878 7 years ago +1

      Hi Chris: AVS is not supported with vSphere 6.0. Customers can refer to vSphere 6.0 release notes.

    • @jllage
      @jllage 7 years ago

      Thanks and thanks for the video. Can you clarify if NSX-v supports KVM and/or if this is only with NSX-T? Also, does NSX offer feature parity with NSX-v for KVM? Thanks!

    • @MrTaliz
      @MrTaliz 7 years ago +1

      Sad comment from a sad Cisco sales rep.
      ACI is a great switching platform, but that's all it is. It requires specific physical Cisco boxes. You can however use NSX at Amazon, and extend your cloud there. Good luck doing that with ACI.
      Also, ACI can't do micro segmentation or VXLAN without AVS, and AVS is not supported by VMware. So Cisco really are stuck between a rock and a hard place.

  • @iuseruser7749
    @iuseruser7749 6 years ago +1

    Good one, but in a one-datacenter design, why do we need NSX along with ACI? Running NSX overlay is required in multi DC design but with ACI Multisite / Multipod, we don't even need NSX. NSX and ACI integration is only layer 3 neighborship, that's it. Another issue is in multi DC design the SRM (Site Recovery Manager) traffic would be coming off only one site....

  • @The_Racing_Kraft
    @The_Racing_Kraft 7 years ago +1

    Ummmm, did you write all of this backwards? Does VM have some backwards writing class all presenters must take?

    • @naman-techshare7878
      @naman-techshare7878 7 years ago

      It's a secret, can't share :-)

    • @Acid113377
      @Acid113377 7 years ago +2

      I would assume they mirror the video horizontally in post production ;) ...

  • @MojTabaQi
    @MojTabaQi 6 years ago

    Good work;

  • @mohitjuneja6196
    @mohitjuneja6196 5 years ago

    Can we have the video of NSX-T 2.4 with ACI?

  • @khansheheyar
    @khansheheyar 5 years ago

    "All is done without touching the ACI", but how it's done actually when port-groups are mapped to the EPGs inside ACI?

    • @darylallen2485
      @darylallen2485 4 years ago

      In NSX, all overlay traffic is mapped to a single port group when it exits the host. This is called the vxlan vlan. I'm not familiar with EPGs, but I don't think you would want to manipulate a packet encapsulated by vxlan any further.

  • @mutualfundsmalayalam9032
    @mutualfundsmalayalam9032 7 years ago

    Thank you 😊 Very informative video. If possible, could you please explain the use of the VXLAN VLAN which we allowed on the trunk link.
    Will it be used to encapsulate all internal VXLAN?

    • @naman-techshare7878
      @naman-techshare7878 7 years ago +1

      Thanks for your feedback A One Networking. Yes, so this is our transport VLAN, whenever VXLAN traffic comes out of our hosts it will be encapsulated with this transport VLAN. If you think about it you have reduced your VLAN additions in your physical network and programmatically you can now create virtual logical switches without making changes to the underlay network. Simplifies your underlay configuration a lot and makes it easy to implement. Hope this helps.

  • @erwinguevarra8293
    @erwinguevarra8293 7 years ago

    Good job, very good explanation. Question: What if I want to integrate a firewall from a third party, say a Fortigate VM. How would that come into picture?

    • @naman-techshare7878
      @naman-techshare7878 7 years ago

      Yes, you can do that. VMware integrates with Fortinet and in that case your L7 traffic inspection can be service chained to the Fortinet appliance. You can create security policies in NSX and define what individual traffic needs to go to Fortinet.

    • @naman-techshare7878
      @naman-techshare7878 6 years ago

      This link should help ua-cam.com/video/YpOuCU1bvT0/v-deo.html

  • @da23ad
    @da23ad 2 years ago

    The downside of this design is that bare-metal to VM traffic is considered as north-south although it should be considered as east-west since this is intra datacenter...

  • @SY-ve5qm
    @SY-ve5qm 7 years ago

    Nice overview. One question/clarification: why you need two external EPGs for north-south traffic? Wouldn't one be enough?

    • @naman-techshare7878
      @naman-techshare7878 7 years ago +1

      Yes you can, but separating traffic keeps connectivity simple, predictable, and fast-converging during failure. Please refer to the VMware NSX running on ACI design guide to ensure you are following the recommended design: communities.vmware.com/docs/DOC-30849

  • @AS-or7em
    @AS-or7em 2 years ago

    Not a good decision tbh - I have personally seen sub-optimal routing scenarios as a result. VMware does lock us in to the products when tier 0 gateways cannot support enough throughput. Please leave networking to the networking team and focus on compute.

  • @Nikoolayy1
    @Nikoolayy1 6 years ago

    Good explanation but the English needs some work.

  • @user-yh8ce7tg8l
    @user-yh8ce7tg8l 5 years ago

    Watching you draw out each and every little square, combined with your difficult to read micro handwriting made this a lesson in patience and to be honest, just adds unneeded distractions. My mind wants to keep reading the words 'backwards' and the overlay with the contrast of your body doesn't help. Stick to the boring visual software, it works for a reason.