In October 2016, I took the VCP6-NV exam and failed. While this was not the first exam I have failed, it was eye opening. After seeing the question set, I realized my understanding of the exam was incorrect. I wrote a post. In February, I went to retake the exam but due to an issue with the Pearson systems I couldn't sit on the day. On the 31st of March I sat the exam for the second time and passed.
Layer 2 Invisibility: L2 traffic is a major blind spot for many companies. Most security filtering only happens when traffic traverses a Layer 3 boundary. If traffic does not cross this boundary, it is not scanned and not seen. Because of this lack of visibility, attackers can move unseen within an L2 network. Physical firewalls work well for north-south traffic. They do not perform as well for east-west traffic, creating a hard shell that offers no internal protection.
QoS is a method of providing a minimal Quality of Service to network traffic. This is done by adding values to the Ethernet or packet headers. By adding these values, priority can be assigned to network traffic types. Some services do not need a significant amount of bandwidth but are sensitive to latency. These services can benefit from QoS. Networks use QoS as a way to give priority where needed. A service provider often provides a level of service for their clients.
The NSX Edge can be configured to provide site-to-site VPN connectivity using IPsec. If you're not familiar with IPsec, I suggest having a read up on that first. As IPsec is a standard, information already published will be transferable. An NSX Edge can connect to any other device that supports IPsec. If a peer is not an NSX Edge, you need to verify that it will be compatible. The NSX Edge supports the following.
Today I took a shot at the VCP6-NV exam. Leading up to the exam I was feeling good. In my head, I could run through packet flows and the security types. I knew how to put the pieces together and make NSX work. I could even recall those trivia details that, after an exam, we always just end up googling when building a design. Let's start on the positive, what went right. A large part of my NSX based questions revolved around behaviour and steps.
The Logical Router (Distributed Logical Router) is installed on ESXi hosts as a VIB by the NSX manager during host preparation. The installation does not require any interruption to ESXi hosts. Removal of the VIB does require a host restart though. The DLR runs in kernel space and sits on the data plane. A Logical Router is defined as an instance. Each DLR created is an instance and participating hosts receive a copy of the instance.
Whenever evaluating a product / technology, the question of "What problem does this solve?" should always be asked. Many times. This is how we understand the value and justify the expense, which can be very substantial. With that in mind, let's jump into some NSX Use Cases. Security: NSX has a lot of features and capabilities, but security is probably the biggest draw card, especially micro-segmentation. In a traditional network, it's very difficult and cumbersome to segregate workloads on the same L2 domain.
Switching: NSX switching resides on the data plane and utilises the VMware vDS. Logical Switches are port groups on a vDS that are used for VXLAN traffic. Distributed port groups can also be used, but only for VLAN traffic. Routing: Distributed routing, enabling routing to take place in the kernel without the need for traffic to enter the physical network. Dynamic routing is supported with OSPF, BGP and IS-IS. Active / Active routing failover with physical routing.
Let's crack open a can of acronym soup, because NSX is full of them. Seriously, typing about NSX makes my pinky fingers real shift workers. Software Defined Networking (SDN): Software-defined anything refers to decoupling the management from the physical architecture. SDN is moving the management and configuration of the Datacentre Network away from the physical devices (underlay) to a central platform (overlay). Network Edge: In NSX the Edge (or NSX Edge) is the point where traffic leaves the NSX network to traverse another (typically physical) network.