VMware NSX

Hi

I have a question regarding NSX Design with VDI and VSI Infrastructure.

At the moment the customer has a vCenter for VDI and one for VSI, now he plan to implement NSX.

For me there are three Options how to implement NSX in this scenario.

Option 1:

Two Standalone NSX Manager (one for VSI and one for VDI) and vCenters in Enhanced Linked Mode.

Option 2:

Cross-vCenter NSX with the two vCenters, but here i'm losing some NSX features.

Option 3:

One NSX Manger, one vCenter for VSI and VDI.

Do anyone have some experiences with a setup like this? And which option do you think is the best or do you have other options how to implement?

Thank you very much for the feedback.

Andi

What kind of features do you think you'll be missing when using Cross-vCenter NSX? And is there enough budget to buy NSX Enterprise licenses? If not, you don't have Cross-vCenter functionality.

What does the customer need in terms of functionality? What are the sizes of the VSI and VDI clusters?

Also, personally, I would recommend not to do VSI and VDI in the same vCenter.

As far as I know, you can only use this security objects in Universal DFW rules: Universal IP Sets, Universal MAC Sets, Universal Security Groups, Universal Services, Universal Service Groups.

And no securits tags, dynimac OS filter, ...

The main functions will be security and SDN.  In the VSI-Cluster 6 Hosts and VDI-Cluster only two with about 100 VMs.

If the recommended option is Cross-vCenter NSX then there is enough budget. =)

What about the Option 1?

Is VSI = Virtual Server Infrastructure?

NSX 6.3 has several cross-vcenter enhancements including Universal Security Tags NSX-V 6.3: Cross-VC NSX Security Enhancements - The Network Virtualization Blog

It depends on your requirements and environment.

VDI environment (including the vCenter) is normally separated to provide isolation of environment, usability & administrative purposes, change management, and upgrades.

So you can make any changes or upgrades independently.

Therefore, I would not go with option 3.

Option 2 is required when you need to create security policies across server virtualisation & VDI environment using Universal Objects or rules across both environment using objects.

For example, you have some VDI grouped using Security Group e.g. VDI_Finance using VM name or IDFW, then you have Finance App in server virtualisation environment under Security Group (SG) Finance_App. If you have Cross-vCenter, you can create Security Policy Allow from SG VDI_Finance to Finance_App and apply to both environment or to all DFW.

Now with the same security policy requirements, if you are going with Option 1, you would need to create and apply two separate Security Policy

1. Allow from SG VDI_Finance to IP Set Finance_App (range of IP addresses) apply to NSX Manager/vCenter VDI

2. Allow from IP Set VDI_Finance (range of IP addresses) to SG Finance_App (range of IP addresses) apply to NSX Manager/vCenter server virtualisation

IP Set must be used on objects that is not visible from the local NSX/vCenter

If you have many security policy requirements across different environment, then its worth to use Cross-VC.

If you don't have that many or even no security policy across environment, then option 1 would be sufficient.

Yes, VSI is Virtual Server Infrastructure.

Thank you very much for your input. I understand what you mean.

Is there no Design Guide / Best Practices from VMware how to install NSX if you are using VDI and VSI?

For VDI, refer to the below link.

VMware® NSX for vSphere End-User Computing Design Guide