Wednesday, July 3, 2019

Getting a bit more seriously into networking

Hey everyone!

I am going to be writing more and more in this blog (which may move somewhere else than blogger). These are the 5 big areas I want to focus on:

  1. Studying for the VCAP-NV Deploy exam, which I want to do ASAP. Some resources are free!
  2. Taking advantage of my additional OpenFlow compliant Northbound Networks Zodiac GX switches to learn more about Open vSwitch and SDN in general.
  3. Run NSX-V and NSX-T in my homelab, both with vCenter and without ;)
  4. Take advantage of the VeloCloud Edge 510 and associated software that I have access to now thanks to being part of the VMware Ambassadors of the Office of the CTO
  5. Indulge in OpenBSD systems for routing, firewalling and web serving. I have access to a Public IP where I will be able to create a DMZ and that way be able to put several ideas to test.

Lots of learning to be done in the following months, but I just love and genuinely geek out over this stuff. Let me know if I should read your blogs, I'll be definitely doing lots of reading and compiling of links to recommend to others!


Thursday, March 2, 2017

A "Thank You" post - passed the VCP-NV 2V0-642! A look back

Wow, what a ride it has been.

This blog, from the beginning, has been dedicated to helping a current VMware admin who works in DataCenter Virtualization, to get accustomed with network virtualization, and a big thing for me has been pointing out free resources and opportunities to get the equivalent certs and training that this VMware administrator had to take. So I made posts like:

I was able to talk from this point of view, since that was exactly me! The more I learned about NSX, and the more I looked for information, the more resources I found from amazing people who give a lot back for free. 

I'm also very proud to have been selected vExpertNSX in 2016. This was because I shared my enthusiasm for NSX with my VMUGparticipated in SocialLabsvBrownBag and the large latin community. There are many, many, many others that are ahead, technically, over me - this has always been the case in many things - but I decided that I would do my part in letting people know this is the next big thing. If anything, what I want people to feel is a sense of excitement of what's possible, that wasn't possible before!

I decided my first big milestone would be getting the VCP6-NV certification. You may remember from this post that the VCP6.2 NV beta dates coincided with Elver Sena's book release during VMworld (where I actually met him, and got my signed copy!). Meeting Elver was super cool (we got an interview in Spanish done), and having his book, plus the accessible cost of the exam, made me take the plunge, and I got the happy news today that I passed! I wholeheartedly recommend getting the premium edition from Pearson, as those 4 practice exams have lots of questions that I feel helped me a lot!

I think there is a lot more to come for NSX, much more than what we have already seen. I highlighted it is a unique product that offers capabilities no other product can match, especially in security. Likewise, it requires some skills, and busting silos inside companies. I even have some ideas for what will come in the future, when NSX will simply be able to handle all IT assets in the company, starting with IPAM. I know now its next step is that it will be able to handle all IT assets, being the one glue for real visibility and automation, on premises and in the cloud.

My next milestone> I'm looking forward to more experience with NSX (vExperts have both NSX and vRealize Network Insight licenses for homelab use, while vExpertNSX's have had it for a little more time than that) and taking on the VCAP6-NV exam. I already have some great vCommunity resources lined up from Gabriel Maciel and Clinton Prentice and Iwan Hoogendoorn. I just wish I had some real networking switches to play with, but I hear Tim Davis, the official Face of #vExpertNSX, may find some cheap for my homelab - and with a little work, we can make some cool blog posts!

If anything in this blog post, I want you to Get excited about NSX, and do something about it. Go for that first cert, push for a POC or some licenses in your company, and play with it. Dive deep. I guarantee you that it is time well spent, and may I hear about your success soon!

PD, if anyone is still thinking you can't download NSX, I would like to remind you that you can; because it's the only supported upgrade of VCNS, almost all paying customers can access the bits, and this has been the case since NSX 6.2.3. The documentation is public, you can play all day in the HOLs, and everything you need to "hop on" is available. 

Friday, February 17, 2017

NSX Micro-segmentation Day 1 book by Wade Holmes

VMware's Wade Holmes (VCDX #15) just released a NSX micro-segmentation book in time for the RSA conference. In about 70 pages he focuses on day 1 concepts and considerations. This is incredibly valuable, since the majority of companies begin their NSX journey by first adopting micro-segmentation.

The PDF book is free, and if you were lucky to attend the conference, you may get in in print! See the blog post and PDF link below:

I will read this soon and provide a more in-depth commentary on the book; I am also planning a install series with more of a concept and mindset, and how to work with the networking/server/security teams overall.

Sunday, November 20, 2016

VCNS to #NSX upgrade (spanish) Me and @J_Kolkes for #vBrownBag LATAM

End of support for VCNS was announced for September 2016. One of our vBrownBagLATAM members, Jorge Torres, was tasked with doing the upgrade to NSX and was getting conflicting information - the official docs said one thing and the actual AV product he was using was saying another thing, and he also needed to include a vSphere upgrade.

vBrownBag is a community of people helping each other learn. As such, we decided to do a session to review all of the documentation together and invited other experts to participate such as Elver Sena, author of the official VCP-NV book, and Stalin Pena, VCIX-NV. The result was the following session; I led by reviewing the main documentation available, Jorge did a specific session on his product and then we opened the conversation.

I'm happy to present this entry in this blog and introduce you to the world of vBrownBag if you didn't know about it!

Wednesday, November 2, 2016

Awesome community VCAP6-NV study guide by @clint_nz

I've been meaning to highlight the amazing work being done by Clinton Prentice, @clint_nz , at his blog As you all probably know, the first VCIX-NV certification is being slowly replaced with deployment and design vcap6 certifications, which when combined would then become the new VCIX-NV.

Clinton is going through the VCAP6-NV Deploy blueprint (1.2 from what I can tell) doing a blog (with practical demo!) for each of the blueprint items. It's phenomenal, difficult and time consuming work, and I just want to make sure he gets the shout outs he deserves :) Definitely will be a shoe-in the next time vExpertNSX applications open!

You can see all his posts by accessing his tag directly:

As far as I know, this is the only public study guide on this new certification so far - not to take away from previous VCIX-NV study guides such as Iwan's

Wednesday, October 12, 2016

VMware NSX Youtube channel

I figured I hadn't showcased the VMware NSX Youtube channel. There's great videos in there that you can't find anywhere else, as well as in the main VMware channel. Pay attention also to their playlists, as they have great compilations that include videos that are not particularly on their channel, but complement - such as the OpenvSwitch videos with Ben Pfaff.

I leave you with this very fun "Introduction to NSX" video - can't believe this one is 3 years old!

Tuesday, September 13, 2016

Opinion - NSX's tipping point, aka, it's first "vMotion"

As I study for my VCP6-NV (6.2) beta exam and I read Elver's excellent book, my thoughts wander off to the VMworld 2016 vExpert party and Pat Gelsinger explaining that he thought NSX hadn't reached it's big "oh wow!" moment yet - like when you showed someone a vSphere vMotion for the first time.

The more I've thought about what would make that happen for me, I realize that I believe that NSX should control IPAM in an organization. Hear me out.

IPAM - IP address management - is a perennial challenge in organizations. Any request for a new server is waiting on three things - approval, assigning specifics and delivery. Where it comes to assigning specifics, IPAM is a function that is either shared between network and sysadmin teams, or is owned by the networking team, with an enterprise solution deployed in the best cases, or an excel in a share in the worst cases. This is one of those things that I know very few organizations handle in exactly the same way today.

Lots of cloudy org's use DHCP instead of static IPAM to avoid this time-consuming step - why waste time on IP address assignment, when it's just a number. However, the majority of enterprises are still managing static IP assignment and probably won't move to this DHCP model (for many valid, and traditional, reasons).

NSX has a phenomenal capability that most other networking products don't have: it has native and absolute connections to each server's OS thanks to VMware tools. That means that NSX could in theory always 1) know all the real IP address of a server 2) change the IP addresses as needed 3) confirm that IP addresses are available using ARP as well

I bolded the word control in my statement above. I visualize an NSX-integrated IPAM solution where administrators never again have to set a static IP on a server. Once the VM is turned on and a nic is assigned, I envision NSX ensures the IP address on that VM and corrects/sets if it finds it to be non-compliant.

When your IP address management is tied to a solution that has the level of interaction that NSX has, talking about VLANs and IP addresses could become a thing of the past. This means you can gain the advantages of DHCP (just don't worry about assigning the IP addresses) while still having static addresses in your environment. It's a win-win scenario - no one can change an IP if it's not validated in the IPAM, and no one assigns an existing IP (or wrong IP address details, think of all the other things like DNS server information) that they shouldn't.

This, co-incidentally, also makes changing things like the default gateway IP on a whole subnet of servers a breeze. Try to do that today in a 100% automated, "this will just work" manner, without spending a lot of planning, testing and resources!

The other side of the IPAM coin - another big thing - that NSX should potentially do is help, or fully control, DNS after an IP address change. Remember, NSX sees every packet out there. 

If we just let it help (to appease MS AD for example) DNS, then I see it going like this. Sync operations after a change, in it's default settings, can take a while, due to several things. NSX could inspect the packets and since it knows the authoritative information thanks to it controlling IPAM, could even help DNS information to spread quickly, by doing things such as dropping outdated replies from DNS servers and prioritizing replies from updated ones.

If we let it fully control, then DNS sync operations become a thing of the past - with the level of effort that we push a change to each host's vib, the DNS information in the network is automagically updated. Wouldn't that be a sight! Would it be called Distributed DNS?

In essence, what I'm proposing is to let NSX take care of traditional "building block" services that a typical network needs. Why stand up DNS servers when each host can participate in a distributed and updated mesh that just provides that service? Why assign IP addresses when you have an underlying control plane that sees all traffic and can do it for you, in a much more reliable fashion than you could? This idea does not conflict the NSX designs of today, where we manage the network's IP addresses in a control plane, and the actual workloads are in a different plane.

I'm sure there are many more services that are crucial in today's TCP/IP world that could potentially be integrated - network virtualization is simply that big of a deal. TCP/IP got to where it is today because of it's robust survivability, but as many vendors with optimizations have shown us, there is both a functional and operational overhead that can be tweaked. That world is changing - we don't have to wait because of unknowns - with NSX, we know!

We can start abstracting more and more from the details and simplify. We already see this in the firewall rule making capabilities of NSX today, and I think the tipping point for NSX will be when the workload IP details will be  a "worry of the past" - IP addressing and name resoution "just work".

Don't agree? Would love to hear your comments below, or through twitter!