Re: NSX DFW on top of ACI?

jbain44 · ‎12-09-2016

Hello,

I'm wondering if anybody has done NSX DFW mode only on top of ACI? I have a customer who may want to run both. I see plenty of stuff where full blown NSX is running on top of ACI as an Underlay only but if I want to leverage App Profiles and use VMM to control the VDS how would NSX Manager and NSX DFW code play with that. I'm assuming it wouldn't care but wondering of the caveats that might arise with ACI controlling the VDS instead of Vcenter.

Thoughts? Anybody done this or know if it can be done successfully?

Thanks!

rdmarsyla · ‎03-16-2017

To answer your question.... as you guessed yes you can absolutely do this because NSX's DFW doesn't really care whether or not the distributed switch was provisioned by the APIC. I work for a Cisco Partner and we have done this setup in a lab environment and from all testing done it appears to work without flaw.

Personally I don't like the APIC's interaction with the vDS inside of vSphere. Any manipulation of the vDS or the objects provisioned by the APIC will cause a slew of errors to be thrown out. And in most cases the error message of the APIC indicates that you have to delete the VMM controller and recreate it to resolve the issue... which essentially is removing the vDS and immediately rebuilding it.... kinda like pulling the tablecloth out from underneath the fine china... only it has to put it right back after you pull it, kinda sketchy and prone to packet loss for VMs if you ask me.

But to conclude.. I personally like using the DFW to help build a micro-segmentation use-case rather than depending upon the AVS as VMware will NOT support the AVS running in vSphere.

Hope this helps!