Extending Policy Control with NSX SD-WAN by VeloCloud

Paul H. Mauritz
President, CEO

The holy grail of policy control is consistent, secure, end-to-end control. That means identifying users or end devices at the point they connect to the network, assigning policy, and enforcing that policy through to the end target. To do this requires managing that traffic through all the different parts of the infrastructure – LAN network, WAN network, data center network, servers, and down to the applications, no matter the location, even including multiple cloud infrastructures. That’s the real prize for software-defined networking.

One of the many things that makes this difficult is that traffic between end users and end applications typically traverses three very different networks: data center, WAN, and LAN. VMware’s NSX already handles the data center portion of this puzzle by providing network virtualization and segmentation for traffic within data centers. NSX also extends to AWS and now to Microsoft Azure, adding the same control for cloud-only, hybrid cloud, cross-cloud, and multi-cloud deployments.

Moving Policy Closer to Users

That leaves the other two pieces of the puzzle: WAN and LAN. These are harder to control. You likely do not own your WAN and so are subject to your providers’ rules. You may have multiple types of connections and multiple providers. And on your LAN, you probably have many categories of users and devices, many of which are out of your control. Fortunately, VMware’s acquisition of VeloCloud in December 2017, and its integration as NSX SD-WAN by VeloCloud, adds tools to extend policy control into the WAN and LAN (or user edge, for mobile and home office/small office users).

If you’re not familiar with NSX SD-WAN by VeloCloud’s model, it uses a combination of edge and hub appliances, managed by a cloud-based orchestrator. These appliances can be either physical or virtual, hosted on premises or in a cloud. SD-WAN in general provides the ability to use any WAN, or a mixture of WANs. Most SD-WAN solutions, including VeloCloud, allow load balancing between multiple WAN links based on policy, with consistent policies between sites.

Consider branch offices that have multiple types of traffic such as general corporate, guest, and protected. NSX will segment this once it reaches the data center – should it not also be segmented across the WAN? By using NSX SD-WAN you can set up BGP peering between NSX and the VeloCloud edge gateways so that routes are propagated across the SD-WAN per segment. Since that segment’s routes are the only ones associated with that end host, category, or traffic group, that traffic can only reach its appropriate segment of the data center. Note that this isolation holds only as long as prefixes are not leaked between segment route tables, so it is worth checking the per-segment tables for overlapping prefixes. You can then extend the segmentation by leveraging NSX’s tagging and groups to create firewall rules, which remain the enforcement layer even where a route exists. This gives you coordinated security from the WAN edge into the data center and to the application.
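As an added illustration (not code from the original post, and not VeloCloud or NSX configuration syntax), the following Python model shows the two layers described above: per-segment route tables, standing in for the prefixes each segment’s BGP session would carry, and group-based firewall rules, standing in for NSX tags and groups. The segment names, prefixes, groups, and rules are constructed sample data. It also includes an overlap check across the segment tables, the kind of check a practitioner would run to catch prefixes leaking from one segment into another.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (hypothetical addressing, not from the post):
# one route table per SD-WAN segment, i.e. the prefixes that segment's
# BGP session would advertise toward the branch.
SEGMENT_ROUTES = {
    "corporate": ["10.10.0.0/16", "10.200.0.0/24"],
    "guest": ["192.168.50.0/24", "203.0.113.0/24"],
    "protected": ["10.20.0.0/16", "10.201.0.0/24"],
}

# Groups stand in for NSX tags/groups: a name bound to a prefix.
GROUPS = {
    "branch-corp": "10.10.0.0/16",
    "branch-protected": "10.20.0.0/16",
    "dc-app": "10.200.0.0/24",
    "dc-protected-db": "10.201.0.0/24",
}

# Ordered, first-match rule set: (src_group, dst_group, dst_port, action).
# "any" matches every address; a port of None matches every port.
FIREWALL_RULES = [
    ("branch-corp", "dc-app", 443, "allow"),
    ("branch-protected", "dc-protected-db", 5432, "allow"),
    ("any", "any", None, "deny"),
]


def lookup_route(segment, dst_ip):
    """Longest-prefix match inside one segment's table; None if no route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix in SEGMENT_ROUTES.get(segment, []):
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def in_group(ip, group):
    """True if ip belongs to the named group ("any" always matches)."""
    if group == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(GROUPS[group])


def evaluate_firewall(src_ip, dst_ip, dst_port):
    """Return (action, rule_index) for the first matching rule; implicit deny otherwise."""
    for idx, (src_g, dst_g, port, action) in enumerate(FIREWALL_RULES):
        if in_group(src_ip, src_g) and in_group(dst_ip, dst_g) and port in (None, dst_port):
            return action, idx
    return "deny", None


def can_reach(segment, src_ip, dst_ip, dst_port):
    """Two checks in order: a route must exist in this segment, then the firewall must allow it."""
    route = lookup_route(segment, dst_ip)
    if route is None:
        return False, f"no route to {dst_ip} in segment '{segment}'"
    action, idx = evaluate_firewall(src_ip, dst_ip, dst_port)
    if action != "allow":
        return False, f"routed via {route} but denied by firewall rule {idx}"
    return True, f"routed via {route}, allowed by firewall rule {idx}"


def find_segment_overlaps(tables):
    """List prefixes that overlap across different segments, a sign of routes leaking between them."""
    found = []
    for (seg_a, prefs_a), (seg_b, prefs_b) in combinations(sorted(tables.items()), 2):
        for pa in prefs_a:
            for pb in prefs_b:
                if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                    found.append((seg_a, pa, seg_b, pb))
    return found


if __name__ == "__main__":
    checks = [
        ("guest", "192.168.50.10", "10.201.0.5", 5432),     # guest has no route to the DB tier
        ("corporate", "10.10.5.5", "10.200.0.10", 443),     # corporate to app tier, allowed
        ("corporate", "10.10.5.5", "10.201.0.5", 5432),     # corporate has no route to the DB tier
        ("protected", "10.20.1.1", "10.201.0.5", 22),       # route exists, firewall denies SSH
        ("protected", "10.20.1.1", "10.201.0.5", 5432),     # route exists, firewall allows
    ]
    for args in checks:
        print(args, can_reach(*args))
    print("overlaps:", find_segment_overlaps(SEGMENT_ROUTES))
```

The guest and corporate cases fail before the firewall is ever consulted, because the per-segment route table simply has no path to the protected tier; the protected-segment SSH case shows the firewall catching what routing alone would pass. `find_segment_overlaps` returns an empty list for the sample tables, and a non-empty one as soon as a broad prefix such as 10.0.0.0/8 appears in a second segment.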

Policy can also be extended to users and user groups by leveraging VMware’s AirWatch mobile device management. This integrated solution takes the security groups from NSX and brings them into AirWatch. You then set up a policy within NSX SD-WAN by VeloCloud for how to treat that AirWatch traffic. When a user tries to access data center resources across the WAN, NSX SD-WAN by VeloCloud will optimize the traffic and send it across the best link. Policies can be set for other types of traffic and applications as well.

I was glad to hear that NSX SD-WAN by VeloCloud supports some virtual network functions (VNFs) at the edge gateways. As enterprises decentralize, it often makes sense to have some services locally. Using network function virtualization lets you leverage central policies to distribute services such as authentication, routing, and firewalling throughout the enterprise without needing additional hardware. This also helps with bandwidth use across the whole system, as this traffic is contained locally rather than backhauled through the WAN to the data centers.

Are We There Yet?

Accomplishing a true, end-to-end policy utopia requires a single policy creation platform and coordinated, synchronized policy enforcement points. I’m not necessarily talking about a single pane of glass, rather an integrated solution. In the current solution there is central control but multiple places to set and synchronize policy. The components are integrated in that they will talk to each other and work together, but there is not yet one definitive source for all policy truth.

At the recent Dell Technology World conference, Pat Gelsinger, VMware CEO, said that his vision is “a ubiquitous software layer from data center, to cloud, to edge.”  I like the way VMware is delivering on this vision. The parts are coming together to connect and secure all the parts of modern data communication, with network services delivered in software when and where they are needed.

To read the original blog post, view Gestalt IT’s post here.
