VMware NSX

  • 1.  Deploying NSX dfw in a production environment

    Posted May 19, 2022 01:12 PM

    Hi dears,

    I ran NSX-V and NSX-T before on separate hardware and on greenfield implementations.

    This time I need to test DFW in a production environment, and I need to account for every downtime probability.

    I need to do host preparation for a cluster of 4 hosts.
    I learned that I will need to move my test VMs to NSX segments in order to check FW rules.

    What about my hosts?
    Will host preparation cause downtime?
    Will I need to move these hosts to a new N-VDS and create an uplink profile for them? This surely will cause downtime.
    Note that I don't have spare uplinks.

    I understand that I won't need VTEPs; there will be no virtual routing.
    My Regards



  • 2.  RE: Deploying NSX dfw in a production environment

    Posted May 20, 2022 12:30 PM

    As long as you have capacity, the hosts should prepare one at a time. As for connectivity, the network will have to have some outage due to the migration of the VM network. Prepare the hosts without workload and then migrate VMs to them from another cluster to minimise downtime and give you a roll-back option.



  • 3.  RE: Deploying NSX dfw in a production environment

    Broadcom Employee
    Posted May 20, 2022 07:19 PM

    Host preparation will not cause any downtime for workloads. 



  • 4.  RE: Deploying NSX dfw in a production environment

    Posted May 26, 2022 02:53 PM

    Thanks, this is great information.



  • 5.  RE: Deploying NSX dfw in a production environment

    Broadcom Employee
    Posted May 30, 2022 12:24 PM

    If you are only using NSX-T DFW, you can prepare ESX hosts with Security Only, where using NSX-T you can do DFW for VDS port groups. But keep in mind Security Only will not provide networking and overlay functions; only DFW will work.

    If you would like to use NSX-T for more than DFW, please prepare ESX hosts with Networking and Security, where you can use DFW and Networking, Overlay, basically the whole NSX feature set. But DFW will not work for VDS port groups, and you need to move your VMs to NSX-T Overlay or VLAN-backed segments. Keep in mind you don't need to have N-VDS. You can prepare ESX hosts with existing VDS switches as well, which is called Converged VDS (C-VDS) (yes, in this process you need to configure uplink profiles and a transport node profile), and hence you don't need to bother about limited uplinks and downtime. Once you prepare ESX with the existing VDS, NSX-T VLAN segments or Overlay segments will appear under that C-VDS and you can move VMs from the VDS port group to NSX-T segments under the same VDS. This VM movement shouldn't cause any big downtime other than a ping loss, and host preparation will not cause any downtime.

     

    Hope this helps!