We've basically completed our server virtualization/consolodation, and we're now working on virtualizing many of our appliances, and the next one coming down the pike is our firewall. Compute wise, it's not too onerous - we have many servers with higher CPU and network I/O requirements.
The main concern is with the networking on the firewall, or more specifically, getting the networking to the guest VM.
On the physical firewall, we have 8 NICs in use (eth0 to eth7), so that's within VM limits. The issue is getting all the 'raw' traffic into the firewall for processing. On the phyical box, we would just plug our internal network into eth0 and the raw internet into eth1, and our MPLS circuit into eth2 etc. If we had enough spare NICs on a host, we could obviously mirror that. Of course, that would lock the guest down to that specific host.
Since we would ideally like to have some host mobility, we could carve up some bandwidth on one of the 10G connections, and VLAN all the external internet, MPLS etc up to a dedicated vDS (or a Nexus 1000V), Since we can't dedicate a 10G connection for this guest, this would be using the same trunks as the guest networks, vMotion traffic etc (not that bandwidth is an issue). Since it would have to be the shared trunk, all the 'dirty, pre firewall traffic' would have to terminate in our core to be fed up.
Now, we could obviously terminate all the 'dirty' traffic in a seperate switch, VLAN it all there, and then trunk that into the core for onward trunking to the hosts, which makes our old school networking guys a little happier, but not much.
The other option is to dedicate a host to the firewal guest, and to that only, but that doesn't give us the HA features etc that we are aiming for. It would work for now, but won't really be an option in a year or so when we move to a blade environment, and there aren't slots to dedicate 10 NICs to a host.
Does anyone have ant suggestions on how best to handle the networking aspect of this? Has anyone virtualized their firewall already, and if so how did they do it? Or are we pushing the boundaries here? In the world of SDN, how do we handle this?
G