A while back I talked to VMware’s Martin Casado about their Goldilocks Zone concept within the VMware hypervisor. The ability to implement security concepts such as micro-segmentation within your virtual infrastructure is a great example of this Goldilocks concept. However, as I probed into how this benefits the physical network, the complete security vision starts to dissipate. Most enterprises continue to run a large number of physical workloads that don’t exclusively interact with virtual instances, so those workloads can’t take advantage of hypervisor-based security innovations. This is where the relationship with hardware vendors comes into play.
I spoke with Arista Networks during VMworld and asked them what they are doing to bridge the gap in capability between solutions such as NSX and the physical network. The engineer I spoke with was quick to point out that you still get the benefits of east-west firewall policies when a physical node is communicating with a virtual workload. Both ingress and egress traffic to the virtual NIC can have policies applied to the VM. It’s when two physical nodes communicate with each other directly that they don’t have the benefit of the Goldilocks Zone of security. Viewed from a technical perspective the limitation makes perfect sense, but it’s still a practical problem for an end-to-end security program.
Arista is actually actively working to solve this problem. The advantage of the network overlay approach used by NSX is that physical ports can participate in a virtual overlay via VXLAN. By associating two physical ports with the same VXLAN, you essentially extend the network overlay to include all of the VMs and physical hosts in the same logical switch. You still have the problem that NSX can’t control the policy of the two ports that communicate directly. That is, unless the switch has code on it that allows for this type of extension of the logical vSwitch.
According to the engineer I spoke to at VMworld, this is exactly what Arista is working on. They are working through what needs to be done from a code or ASIC perspective to extend NSX firewall policy to VTEPs on the physical network. This has an impact well beyond just firewall capability. If VMware and Arista stay the course, then physical ports on the network can become objects in vCenter and be leveraged in other products that use vCenter objects, such as vCAC or vCOPs (now vRealize).
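To make the coverage gap described above concrete, here is an added example (my own illustration, not code from VMware, Arista or NSX) that models the reasoning of the last two paragraphs: flows with a VM on either end get policy at the vNIC, flows between two physical ports on the same VXLAN segment get policy only if the switch can enforce it, and everything else bypasses micro-segmentation. The inventory, the endpoint names, the VNI numbers and the `switch_dfw` flag (standing in for the switch-side extension Arista is working on) are all constructed assumptions; treating cross-segment flows as "routed" and out of scope for the single-logical-switch case is also my assumption, not something the post states.

```python
from dataclasses import dataclass

# Constructed inventory model (hypothetical, not Arista or VMware data): each
# endpoint is a VM or a physical host whose vNIC or switch port is mapped into
# a VXLAN segment identified by its VNI.
@dataclass(frozen=True)
class Endpoint:
    name: str
    kind: str   # "vm" or "physical"
    vni: int    # VXLAN segment the vNIC or physical port belongs to


def enforcement_point(src: Endpoint, dst: Endpoint, switch_dfw: bool = False) -> str:
    """Where east-west policy can be applied to a flow between src and dst.

    - different VNIs: the flow leaves the logical switch; assumed routed and
      outside the single-segment case the post discusses
    - either end is a VM: the hypervisor applies policy at that vNIC, covering
      both ingress and egress, so VM<->physical traffic is still protected
    - both ends physical on one segment: covered only if the switch can enforce
      the extended policy (the hypothetical switch_dfw capability)
    - otherwise the flow bypasses every enforcement point
    """
    if src.vni != dst.vni:
        return "routed"
    if src.kind == "vm" or dst.kind == "vm":
        return "hypervisor"
    if switch_dfw:
        return "switch"
    return "uncovered"


def audit(endpoints, flows, switch_dfw: bool = False):
    """Return sorted (src, dst) pairs whose traffic no enforcement point covers."""
    by_name = {e.name: e for e in endpoints}
    return sorted(
        (s, d) for s, d in flows
        if enforcement_point(by_name[s], by_name[d], switch_dfw) == "uncovered"
    )


# Constructed sample inventory and observed east-west flows (hypothetical names).
INVENTORY = [
    Endpoint("web-vm", "vm", 5001),
    Endpoint("app-vm", "vm", 5001),
    Endpoint("db-bare-metal", "physical", 5001),
    Endpoint("legacy-erp", "physical", 5001),
    Endpoint("backup-nas", "physical", 5002),
]
FLOWS = [
    ("web-vm", "app-vm"),             # VM to VM: hypervisor
    ("app-vm", "db-bare-metal"),      # VM to physical: still hypervisor (vNIC)
    ("db-bare-metal", "legacy-erp"),  # physical to physical, same segment: the gap
    ("legacy-erp", "backup-nas"),     # different segments: routed, out of scope here
]

if __name__ == "__main__":
    by_name = {e.name: e for e in INVENTORY}
    for s, d in FLOWS:
        print(f"{s:14} -> {d:14} {enforcement_point(by_name[s], by_name[d])}")
    print("uncovered today:        ", audit(INVENTORY, FLOWS))
    print("uncovered with switch: ", audit(INVENTORY, FLOWS, switch_dfw=True))
```

Run against a real inventory, the `audit` output is the list of physical-to-physical flows that a hypervisor-only micro-segmentation program leaves unprotected; flipping `switch_dfw` shows how that list collapses once the switch can enforce the same policy at its VTEPs.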
I don’t normally get all excited about yet-to-be-released features or software, but I have to say this is some really cool innovation if Arista can pull it off.