NSX Edge vs vShield Edge: Part 1 - Feature and Performance Matrix
I was having a discussion internally about why we where looking to productize the NSX Edges for our vCloud Director Virtual Datacenter offering over the existing vCNS vShield Edges. A quick search online didn’t come up with anything concrete so I’ve decided to list out the differences as concisely as possible. This post will go through a basic side by side comparison of the features and performance numbers…I’ll then extend the series to go into specific differences between the key features. As a reminder vCloud Director is not NSX aware just yet, but through some (http://anthonyspiteri.net/nsx-vcloud-retrofit-overlapping-networks-in-vcd-with-nsx-virtual-wires/) you can have NSX Edges providing network services for vCD Datacenters. !(/images/2015/06/vshield_logo.png)Firstly…what is an Edge device?
The Edge Gateway (NSX-v or vCNS) connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, dynamic routing (NSX Only) , and Load Balancing. Common deployments of Edges include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the Edge creates virtual boundaries for each tenant.
Below is a list of services provided by each version. The + signifies an enhanced version of the service offered by the NSX Edge.
| Service | Description | vSheld Edge | NSX Edge |
| Firewall | Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for all protocols | ✔ | ✔ |
| NAT | Separate controls for Source and Destination IP addresses, as well as port translation | ✔ | ✔ |
| DHCP | Configuration of IP pools, gateways, DNS servers, and search domains | ✔ | ✔+ |
| Site to Site VPN | Uses standardized IPsec protocol settings to interoperate with all major VPN vendors | ✔ | ✔ |
| SSL VPN | SSL VPN-Plus enables remote users to connect securely to private networks behind a NSX Edge gateway | ✔ | ✔+ |
| Load Balancing | Simple and dynamically configurable virtual IP addresses and server groups | ✔ | ✔+ |
| High Availability | High availability ensures an active NSX Edge on the network in case the primary NSX Edge virtual machine is unavailable | ✔ | ✔+ |
| Syslog | Syslog export for all services to remote servers | ✔ | ✔ |
| L2 VPN | Provides the ability to stretch your L2 network. | ✔ | |
| Dynamic Routing | Provides the necessary forwarding information between layer 2 broadcast domains, thereby allowing you to decrease layer 2 broadcast domains and improve network efficiency and scale. Provides North-South connectivity, thereby enabling tenants to access public networks. | ✔ |
Below is a table that shows the different sizes of each edge appliance and what (if any) impact that has to the performance of each service. As a disclaimer the below numbers have been cherry picked from different sources and are subject to change…I’ll keep them as up to date as possible
| vShield Edge (Compact) | vShield Edge (Large) | vShield Edge (X-Large) | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) | |
| vCPU | 1 | 2 | 2 | 1 | 2 | 4 | 6 |
| Memory | 256MB | 1GB | 8GB | 512MB | 1GB | 1GB | 8GB |
| Disk | 320MB | 320MB | 4.4GB | 512MB | 512MB | 512MB | 4.5GB |
| Interfaces | 10 | 10 | 10 | 10 | 10 | 10 | 10 |
| Sub Interfaces (Trunk) | - | - | - | 200 | 200 | 200 | 200 |
| NAT Rules | 2000 | 2000 | 2000 | 2000 | 2000 | 2000 | 2000 |
| FW Rules | 2000 | 2000 | 2000 | 2000 | 2000 | 2000 | 2000 |
| DHCP Pools | 10 | 10 | 10 | 20,000 | 20,000 | 20,000 | 20,000 |
| Static Routes | 100 | 100 | 100 | 2048 | 2048 | 2048 | 2048 |
| LB Pools | 64 | 64 | 64 | 64 | 64 | 64 | 64 |
| LB Virtual Servers | 64 | 64 | 64 | 64 | 64 | 64 | 64 |
| LB Server / Pool | 32 | 32 | 32 | 32 | 32 | 32 | 32 |
| IPSec Tunnels | 64 | 64 | 64 | 512 | 1600 | 4096 | 6000 |
| SSLVPN Tunnels | 25 | 100 | 50 | 100 | 100 | 1000 | |
| Concurrent Sessions | 64,000 | 1,000,000 | 1,000,000 | 64,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Sessions/Second | 8,000 | 50,000 | |||||
| LB Connections/s (L7 Proxy) | 46,000 | 50,000 | |||||
| LB Concurrent Connections (L7 Proxy) | 8,000 | 60,000 | |||||
| LB Connections/s (L4 Mode) | 50,000 | 50,000 | |||||
| LB Concurrent Connections (L4 Mode) | 600,000 | 1,000,000 | |||||
| BGP Routes | - | - | - | 20,000 | 50,000 | 250,000 | 250,000 |
| BGP Neighbors | - | - | - | 10 | 20 | 50 | 50 |
| BGP Routes Redistributed | - | - | - | No Limit | No Limit | No Limit | No Limit |
| OSPF Routes | - | - | - | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF Adjacencies | - | - | - | 10 | 20 | 40 | 40 |
| OSPF Routes Redistributed | - | - | - | 2000 | 5000 | 20,000 | 20,000 |
| Total Routes | - | - | - | 20,000 | 50,000 | 250,000 | 250,000 |
Note: I still have a few numbers to complete specifically around NSX Edge Load Balancing and I’m also trying to chase up throughput numbers for Firewall and LB. From the table above it’s clear to see that the NSX Edge provides advanced networking services and higher levels of performance. Dynamic Routing is a huge part of the reason why and NSX Edge fronting a vCloud vDC opens up so many possibilities for true Hybrid Cloud. vCNS’s future is a little cloudy, with vCNS 5.1 going EOL last September and 5.5 only available through the vCloud Suite with support ending on 19/09/2016. When you deploy edges with vCloud Director (or in vCloud Air On Demand) you deploy the 5.5.x version so short term understanding the differences is still important…however the future lies with the NSX Edge so don’t expect the VSE numbers to change or features to be added. References: https://www.vmware.com/files/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf https://pubs.vmware.com/NSX-6/index.jsp#com.vmware.nsx.admin.doc/GUID-3F96DECE-33FB-43EE-88D7-124A730830A4.html http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2042799