Scalability with NSX
One of the first arguments I hear every time I start talking about NSX usually goes something like, “You are talking about handling networking within an x86 platform. There is no way that is going to scale the way ASIC can.”
I heard this very same argument just yesterday afternoon. And at least twice last week.
It is a very common misconception from someone who doesn’t understand the architecture behind NSX.
Let me first say that I agree unequivocally that if you were to replace your ASIC sitting at an aggregation point on your network (top-of-rack, end-of-row agg, etc.) with an x86 solution, it will tank. No argument from me there. ASIC is necessary for that function.
The difference here is that the VMware DVSwitch (and, in conjunction, the NSX distributed logical router and firewall) is not sitting at an aggregation point, but at a distribution point. This is key.
If you think about it, we have been using the vSwitch since 2003. The VMware DVS or 1kv is probably pushing packets in your data center right now. Is it falling over? Why not?
The reason is that it is distributed. The vSwitch is running on a hypervisor that is probably supporting somewhere between 20-50 VMs (depending on the use case), and we stamp that out over and over again.
Let’s think of this in terms of NSX.
NSX is your vSwitch on steroids. It can handle layers 2-7. It is also distributed. A common example that I hear Brad Hedlund give goes like this: if I have 100 hosts, each with two 10Gb uplinks, then with NSX I have a theoretical maximum throughput of 2 Terabit. That’s a 2Tb firewall, switch, and router.
On x86 by the way.
Oh, and I’m also eliminating hair-pinning. So that traffic out to my aggregation point is real North/South traffic. Not East/West transit traffic hair-pinning off of an external layer-3 interface.
When you distribute, you are increasing your maximum throughput capability. If this were not true, then the vSwitch wouldn’t have made it past 2003. Heck, VMware might not have made it past 2003.
Now of course all of that traffic still needs to aggregate somewhere. It has to talk to “something” northbound. And yes, at that aggregation point you will have an ASIC.
The argument that NSX is running on x86 and therefore should not be involved in the management of network traffic is without merit. It is largely based on simple ignorance of the architecture.