VMware NSX

  • 1.  NSX-T DFW Does not work

    Posted Dec 07, 2022 09:17 AM

    Hi everyone

    I'm using NSX-T 3.2.1 and after creating a "reject" rule for VMs backed by VDS VLANs, it just returns 3 or 4 "Destination Unreachable" messages and then allows traffic to pass (but it works fine on overlay segments). Has anyone encountered a similar condition before? Thanks

  • 2.  RE: NSX-T DFW Does not work
    Best Answer

    Posted Dec 08, 2022 05:09 PM


    From the question, I assume you have VMs connected to a VDS port group and are trying to apply a DFW rule to the VM. If this is the case, then it will not work, as you have prepared the host cluster for both Networking and Security, as you mentioned using Overlay Segments. You need to create a VLAN-backed segment in NSX-T and move the VM to the NSX-T segment in vCenter in this case to apply DFW rules to them.

    In order to apply DFW rules on VDS port groups, you need to prepare the cluster with the Security Only option. Please refer to the article below for the same - 


    Hope this helps.

  • 3.  RE: NSX-T DFW Does not work

    Posted Dec 10, 2022 11:35 AM

    Many thanks aggarwalvinay31

    I found your answer helpful, but I wonder why it shouldn't work on underlay when I'm using overlay networking?

    And as I said, it works for 3 or 4 seconds and then it releases the traffic, and of course somewhere else I saw it mentioned that DFW is irrespective of the network and will work on both overlays and underlays. Anyway, thanks again for your response.



  • 4.  RE: NSX-T DFW Does not work

    Posted Dec 12, 2022 07:02 AM


    It may have been about NSX-V, wherein DFW applied to a logical switch or VDS port group regardless. But currently with NSX-T, in order to apply DFW on a VDS port group, the ESXi cluster needs to be prepared with the Security Only feature.