Tuesday, September 13, 2016

Opinion - NSX's tipping point, aka, it's first "vMotion"

As I study for my VCP6-NV (6.2) beta exam and I read Elver's excellent book, my thoughts wander off to the VMworld 2016 vExpert party and Pat Gelsinger explaining that he thought NSX hadn't reached it's big "oh wow!" moment yet - like when you showed someone a vSphere vMotion for the first time.

The more I've thought about what would make that happen for me, I realize that I believe that NSX should control IPAM in an organization. Hear me out.

IPAM - IP address management - is a perennial challenge in organizations. Any request for a new server is waiting on three things - approval, assigning specifics and delivery. Where it comes to assigning specifics, IPAM is a function that is either shared between network and sysadmin teams, or is owned by the networking team, with an enterprise solution deployed in the best cases, or an excel in a share in the worst cases. This is one of those things that I know very few organizations handle in exactly the same way today.

Lots of cloudy org's use DHCP instead of static IPAM to avoid this time-consuming step - why waste time on IP address assignment, when it's just a number. However, the majority of enterprises are still managing static IP assignment and probably won't move to this DHCP model (for many valid, and traditional, reasons).

NSX has a phenomenal capability that most other networking products don't have: it has native and absolute connections to each server's OS thanks to VMware tools. That means that NSX could in theory always 1) know all the real IP address of a server 2) change the IP addresses as needed 3) confirm that IP addresses are available using ARP as well

I bolded the word control in my statement above. I visualize an NSX-integrated IPAM solution where administrators never again have to set a static IP on a server. Once the VM is turned on and a nic is assigned, I envision NSX ensures the IP address on that VM and corrects/sets if it finds it to be non-compliant.

When your IP address management is tied to a solution that has the level of interaction that NSX has, talking about VLANs and IP addresses could become a thing of the past. This means you can gain the advantages of DHCP (just don't worry about assigning the IP addresses) while still having static addresses in your environment. It's a win-win scenario - no one can change an IP if it's not validated in the IPAM, and no one assigns an existing IP (or wrong IP address details, think of all the other things like DNS server information) that they shouldn't.

This, co-incidentally, also makes changing things like the default gateway IP on a whole subnet of servers a breeze. Try to do that today in a 100% automated, "this will just work" manner, without spending a lot of planning, testing and resources!

The other side of the IPAM coin - another big thing - that NSX should potentially do is help, or fully control, DNS after an IP address change. Remember, NSX sees every packet out there. 

If we just let it help (to appease MS AD for example) DNS, then I see it going like this. Sync operations after a change, in it's default settings, can take a while, due to several things. NSX could inspect the packets and since it knows the authoritative information thanks to it controlling IPAM, could even help DNS information to spread quickly, by doing things such as dropping outdated replies from DNS servers and prioritizing replies from updated ones.

If we let it fully control, then DNS sync operations become a thing of the past - with the level of effort that we push a change to each host's vib, the DNS information in the network is automagically updated. Wouldn't that be a sight! Would it be called Distributed DNS?

In essence, what I'm proposing is to let NSX take care of traditional "building block" services that a typical network needs. Why stand up DNS servers when each host can participate in a distributed and updated mesh that just provides that service? Why assign IP addresses when you have an underlying control plane that sees all traffic and can do it for you, in a much more reliable fashion than you could? This idea does not conflict the NSX designs of today, where we manage the network's IP addresses in a control plane, and the actual workloads are in a different plane.

I'm sure there are many more services that are crucial in today's TCP/IP world that could potentially be integrated - network virtualization is simply that big of a deal. TCP/IP got to where it is today because of it's robust survivability, but as many vendors with optimizations have shown us, there is both a functional and operational overhead that can be tweaked. That world is changing - we don't have to wait because of unknowns - with NSX, we know!

We can start abstracting more and more from the details and simplify. We already see this in the firewall rule making capabilities of NSX today, and I think the tipping point for NSX will be when the workload IP details will be  a "worry of the past" - IP addressing and name resoution "just work".

Don't agree? Would love to hear your comments below, or through twitter!


No comments:

Post a Comment