Hey Stephen... Good day... As always, all your videos are excellent... Just a request: we didn't find videos on vRNI and vRLI, please make a series on those also, please.
Thanks for watching. I haven't done those videos yet. More than likely in the New Year. It is difficult to impossible to get the software now because of recent changes at VMUG and Broadcom.
Another great tutorial - good job man. A quick question: in the video (and as far as I have checked other videos) you are focusing on HA on NSX/FW as "Gateway" - but what if we have NSX as a bare metal firewall in layer 2? Then, with no HA, the topology would be like Layer2 SW1 -> Layer2 bare metal firewall -> Layer2 SW2 -> Layer3 device. I know it may look crazy and there is a lot of background on this, so let's assume that this is what it is. So two questions:
1) What options do we have for HA? Do we still have an active/active solution for L2 firewalling? If so, how?
2) Assume the scenario that, for whatever reason, we have an active/standby bare metal firewall connected to two layer 2 active/active switches. In this scenario, when the incoming packet reaches the switch connected to the standby firewall, it gets black-holed - the reason is that the standby firewall doesn't disable its ports connected to the switch. So the switch has no idea that it is connected to the standby firewall.
So to me, there would be two options: either the standby firewall disables its port to the layer 2 switches, or we use active/active on the firewall end.
What would be your view?
Cheers,
Thanks for watching. I was using the Firewall as an example; with any of the supported services the same thing would happen. Now I am not sure what you are referring to by Bare Metal Firewall. Are you referring to using a Bare Metal Server for the NSX edge instead of a VM? If so, the same thing applies: the HA is done on the individual SR component of the Stateful service you want. Have a good one.
Another great video. Thank you so much. Regarding this new Active/Active Stateful feature, which is great by the way, I have two questions. If I'm not mistaken, we have ECMP at DR-to-SR based on 5-tuple hashing, then we have another hashing algorithm (based on the destination IP) that may punt the traffic to the correct edge for stateful traffic! So there is a chance of some kind of hairpinned traffic between edges! I don't understand the point of doing this!! Especially when I'm looking at other vendors' firewall approaches for active/active clusters. So maybe there could be a way that new TCP or UDP stateful connections flow to the correct edge node from the DR in the first place, then for the return traffic we can do the punting!
I agree with you. If you have 2 Edge nodes in the cluster, 50% of the traffic will be punted. The number increases as you add more Edge nodes, so with four Edge nodes 75% of the traffic would get punted. I am sure that in a future release this will change, but for now it is what we have. Thanks for watching and have a great day.
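The 50% and 75% figures in the exchange above follow from two independent hash decisions, as this added simulation shows (it is not from the video or from NSX). The SHA-256 bucketing below is a stand-in for the real ECMP and destination-IP hashes, and the flows are constructed sample data.

```python
import hashlib
import random


def _bucket(key: bytes, n_edges: int) -> int:
    """Map a key to one of n_edges buckets (stand-in hash, not NSX's)."""
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n_edges


def ecmp_edge(flow, n_edges):
    """Edge picked by the DR: hash over the full 5-tuple."""
    return _bucket(b"ecmp|" + repr(flow).encode(), n_edges)


def owner_edge(flow, n_edges):
    """Edge that holds the flow state: hash over the destination IP only."""
    return _bucket(b"owner|" + flow[1].encode(), n_edges)


def make_flows(count, seed=1):
    """Constructed sample flows: (src_ip, dst_ip, src_port, dst_port, proto)."""
    rng = random.Random(seed)
    flows = []
    for _ in range(count):
        src = f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        dst = f"198.51.100.{rng.randrange(1, 255)}"
        flows.append((src, dst, rng.randrange(1024, 65536), 443, "tcp"))
    return flows


def punt_fraction(n_edges, flows):
    """Share of flows whose ECMP-chosen edge is not the state-owning edge."""
    punted = sum(1 for f in flows if ecmp_edge(f, n_edges) != owner_edge(f, n_edges))
    return punted / len(flows)


if __name__ == "__main__":
    sample = make_flows(20000)
    for n in (1, 2, 4, 8):
        print(f"{n} edge nodes: {punt_fraction(n, sample):.1%} punted "
              f"(expected {(n - 1) / n:.1%})")
```

Because the two choices are independent, the chance that they land on the same edge is 1/N, so the punted share approaches (N-1)/N as the cluster grows.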
My second question is about federation. This feature is not supported in NSX federation :( Do you have any idea whether Broadcom/VMware is going to add this feature, or any other way so we can use stateful active/active in federation as well?
Sorry. I have not heard anything about Federation as of yet. Have a good one.