Dave Welch (@OraVBCA), CTO and Chief Evangelist
SEC2238 Security and Microsegmentation in the SDDC – 10:30AM
Srinivas Nimmagadda – VMware manager on the NSX project.
My encounter on Monday with the scaled organization canceling its Oracle support contract provided my motivation to take in this session.
This session seemed to be an excellent cross between a conceptual primer and detailed technical information of interest to network and security administrators.
Memorable was Srinivas’ description of a bank with 500K rules on the perimeter firewall. “How many of us remove rules when apps are pulled down? We’re so scared to pull down rules because we don’t know what the impact will be. That’s aside from the overhead of all the packets traveling round trip to the perimeter firewall.”
“Keep everything you currently have. Just add this (NSX).”
Q: Any Denial of Service capability built in yet? A: They’re working on it.
Q: Point-to-point encryption between microsegments? A: You can do it manually by setting up an IPSEC tunnel between two NSX points. But they’re working on built-in encryption between two microsegments.
What I wanted to see were the performance numbers comparing with and without NSX. He showed a slide with enabled NSX firewall with 1K rules: visually it looked to me like about 19.4 Gbps vs. 19.6 Gbps without. “But we’re building on top of this to improve performance. These numbers are for distributed firewalls. Each partner has its own performance numbers that it publishes.”
This session reminded me of a comment made to me Wednesday morning by a Director of IT Infrastructure at a large public entity. “IT technology innovators that segment themselves based on proprietary hardware are severely limiting their markets.” The comment was made in reference to Cisco and Oracle. Interesting perspective.
After the session, I checked for a public NSX download. NSX isn’t yet a public download per anything I can find. This July 17, 2014 blog is the best description of the product acquisition/implementation process I can find. I would imagine the eventual availability of such a public download would add to the perceived maturity of the product.
VAPP2272 Oracle 12c Multitenancy vs. OS-Level Virtualization (ala VMware vSphere): A Balanced Comparison – 12:00PM
by EMC’s Jeff Browning
I was impressed with the conceptual simplicity of the various evaluation criteria in Jeff Browning’s DB 12c vs. VMware comparison session. Jeff said he founded the criteria on a Gartner note.
Jeff said there’s no mechanism to reserve portions of DB Cache even at 12c R2. The current workaround: use non-standard block sizes unique to Pluggable Databases and assign each non-standard block size its own cache.
Quite certain the 12c DB Performance Tuning Guide would reveal a method to partition the database cache at the Pluggable Database level, I rifled through the guide. Jeff indeed hadn’t overlooked anything.
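To make the workaround concrete, here is the block-size-per-PDB approach written out as an added example. This is not code from Jeff’s session or from House of Brick; the container name cdb1, the pluggable database pdb_hr, the 16K block size, the 512M cache size and the datafile path are all assumptions chosen for illustration.

```sql
-- Added example: give one pluggable database its own buffer cache by
-- pairing it with a non-standard block size. Names and sizes are assumed.

-- 1. The buffer caches belong to the CDB, so the non-standard cache is
--    carved out in the root container. DB_nK_CACHE_SIZE is not auto-tuned
--    by SGA_TARGET, so this memory is taken away from the shared pools.
ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER SYSTEM SET db_16k_cache_size = 512M SCOPE=BOTH;

-- 2. In the PDB that should own that cache, create its data tablespaces
--    with the matching block size. Creating the tablespace before the
--    cache exists fails with ORA-29339, so step 1 must come first.
ALTER SESSION SET CONTAINER = pdb_hr;
CREATE TABLESPACE hr_data
  DATAFILE '/u01/oradata/cdb1/pdb_hr/hr_data01.dbf' SIZE 2G
  BLOCKSIZE 16K;

-- 3. Verify that the dedicated cache exists alongside the default
--    (standard block size) cache.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT name, block_size, current_size, buffers
  FROM v$buffer_pool
 ORDER BY block_size;
```

Two caveats a practitioner should keep in mind: only five block sizes (2K, 4K, 8K, 16K, 32K) exist, and one of them is the standard size, so at most four PDBs can be isolated this way; and the PDB’s SYSTEM, SYSAUX, undo and temp segments still use the standard block size and therefore still share the default cache with every other container.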
Jeff brought up an interesting point: vSphere-level snapshots may be history with the advent of all-flash arrays. Taking a flash array-level snap takes three to four minutes. A full vSphere-level snap copy in six minutes is hardly worth the trouble. Additionally there are dedupe advantages with array-level snaps.
The session was fairly brief at 35 minutes. There were a handful of questions that focused mostly on how granular the workload-per-VM ratio should be, and the trade-offs of installing and patching a larger number of Database executable and OS instances. In what turned into a group discussion, I argued for granularity. When I facilitated the GE Appliances & Lighting architecture team discussion a couple of years ago, I advocated for what I call the atomic model: one workload per database home/OS image/VM. At the time I said any vSphere virtualization beats no vSphere virtualization. So if in the short run enterprises P2V boxes with multiple Oracle instances per VM, that’s fine. Then in the spring of 2013 while preparing for an IOUG presentation, the GE Appliances & Lighting architects got back to me. “You totally understated the criticalness of atomic workloads, Dave. We can always automate and script our way through deployment and patching. But we can’t automate and script our way around business units that don’t want to be dragged along with each other’s outages.” The secondary benefit of granularity is that VMs with smaller resource allocations are easier for DRS to load balance than their larger counterparts.
I’d almost rather quit my job than miss VMworld.
To quote House of Brick VP Client Solutions Jim Ogborn, my last customer’s more important than my next. Due to very welcome scheduling pressure, I didn’t even submit a presentation abstract for VMworld 2014.
Folks who don’t have conference passes should be aware of these 28 free 2014 sessions available at this link with a free VMworld account registration.
Congratulations to Michael Corey – Ntirety and Jeff Szastak – VMware for being selected for a free 2014 online session: VAPP1318 – Virtualizing Databases Doing IT Right – The Sequel
Now that the show is over, 100% of VMworld 2013 session content is available with a free VMworld account registration. That includes the 2013 session BCO5884 GE Appliances and Lighting & House of Brick: Making Stretch DR Invisible to Oracle on VMware Workloads.