I’m a bit unclear in terms of policy migration in HW VN-Link, i.e. VM FEX. A port group is a product of the vSwitch construct, correct? If, say, a 1000v has a port profile configured with all its associated security and VLAN characteristics, that profile is translated as a port group in vCenter. Moreover, the VM and the interface it is connected to on the 1000v are associated to that port group. When a VM is migrated from one host to another in the same vMotion cluster, the VM will remain attached (bound) to the same vethernet port on the 1000v. Therefore, the port group to which that vethernet is bound also remains the same and the policies follow. Simple enough.
But when one performs a HW VN-Link (HW FEX), the NIV capabilities of Palo are leveraged. In this case, my understanding is that the hypervisor is either bypassed altogether (VM Direct Path I/O), in which case vMotion is not possible because the hypervisor no longer has authoritative dominion over the VM, OR the 1000v simply acts as a pass-through that does nothing more than aggregate the traffic from the downlinks to the uplinks, which are attached to the vNICs on the Palo. So, with the absence of a port profile and its associated port group (no vSwitch construct being leveraged anymore), where do the VM’s policies reside?
The VEM on its own is not of any use, so it's free. It has to work with a VSM.
VSM for a Nexus1000v is a VM on any ESX host or can be hosted on the Nexus 1010 appliance.
The licenses are entered on the VSM and that's how the VEMs are allowed to be a part of that distributed switch.
For a Nexus 1000v bundle (VEM+VSM) you need licenses. It's a revenue model, as the Nexus1000 can work on any server/adapter out there, i.e. it is not free.
For VN-link in h/w, the VSM is the FI. The licenses are not required as it's known that it is working on UCS, as VN-link in h/w is only supported on that.
i.e. it comes with the hardware and the hope is you will buy more UCS.
Instead of having 2 VEMs, one for Nexus1000v and one for VN-link in h/w, it was chosen to keep one VEM. That VEM moves to Nexus1000v or VN-link in h/w depending on a condition (dynamic vNICs). Much simpler, as a new repository doesn't need to be made for VUM etc.
Also in line with the VN-link message, i.e. VN-link in software (Nexus1000v) and VN-link in h/w require the same VEM. Currently the VSM is not the same for both, but it paves a way for them to be clubbed together at some point in the future if need be.
Hope it makes sense... and don't worry about the "stars". If the reply addressed your question, we are good.