VMware NSX

  • 1.  Push traffic Via a specific VM

    Posted Oct 04, 2017 01:18 AM

    Hi,

    I have an interesting question. Is the concept described below possible with NSX (natively or creatively)? The idea is to force all internet-bound traffic to pass through a specific VM, not for routing, just layer 2 packet flow. In the example below, VM1 (192.168.1.50), which resides on host ESX1, wants to get to the internet using its gateway 192.168.1.254, a physical firewall. I would like it so that packets must flow via VM2 as illustrated by the orange line in the (sloppy) diagram below. I assume that promiscuous mode and forged transmits would need to be allowed. In the physical world, this would be equivalent to placing a man-in-the-middle device between the LAN and the firewall, so that the flow looks like this: PC > Switch > Man-in-the-middle Device > Firewall.

    Also, I have a question about promiscuous mode and forged transmits. When creating a Logical Switch, it automatically creates a dvPortGroup on the appropriate DSwitch (depending on the transport zone config). If I now wish to change the promiscuous/forged security settings for a specific logical switch, do I change it on the PortGroup level? What if the logical switch was pushed to multiple DSwitches, would I need to manually adjust the settings on each PortGroup within each DSwitch?



  • 2.  RE: Push traffic Via a specific VM

    Posted Oct 06, 2017 07:27 PM

    Take a look at the NSX Design Guide (VMware® NSX for vSphere Network Virtualization Design Guide ver 3.0) for information around this subject.



  • 3.  RE: Push traffic Via a specific VM

    Posted Oct 15, 2017 08:15 PM

    Hi,

    Thanks for the info. Could you possibly point me to the section in which this design is described?



  • 4.  RE: Push traffic Via a specific VM

    Posted Oct 07, 2017 07:27 AM

    > If I now wish to change the promiscuous/forged security settings for a specific logical switch, do I change it on the PortGroup level?

    Yes, it is always better to enable promiscuous/forged security settings at PortGroup level instead of DVSwitch Level.

    > What if the logical switch was pushed to multiple DSwitches, would I need to manually adjust the settings on each PortGroup within each DSwitch?

    This question looks to be a trick, but yes, you have to enable promiscuous/forged security settings on each PG within each DVS.
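    Since the answer above means touching every backing port group on every DVSwitch by hand, here is an added PowerCLI script (not from this thread or from VMware) that audits, and optionally aligns, the Promiscuous/Forged Transmits policy on all dvPortGroups that back one logical switch. It assumes an existing Connect-VIServer session, the VMware.VimAutomation.Vds module, and the usual NSX-v port group naming "vxw-dvs-<id>-virtualwire-<n>-sid-<vni>-<LS name>"; adjust the wildcard if your names differ.

```powershell
# Added example, not part of the original thread.
# Audit (default) or align (-Apply) the security policy of every dvPortGroup
# that backs one NSX logical switch, across all DVSwitches in its transport zone.
# The policy is changed at port-group scope only, never on the parent DVSwitch,
# so the relaxed settings stay limited to this one logical switch.
param(
    [Parameter(Mandatory)] [string] $LogicalSwitchName,
    [switch] $Apply   # omit to report only; add to enable Promiscuous + Forged Transmits
)

# Assumption: NSX-v names the backing port groups "...-sid-<vni>-<LS name>".
$pgs = Get-VDSwitch | Get-VDPortgroup | Where-Object { $_.Name -like "*-$LogicalSwitchName" }
if (-not $pgs) { throw "No dvPortGroup found for logical switch '$LogicalSwitchName'" }

foreach ($pg in $pgs) {
    $pol = Get-VDSecurityPolicy -VDPortgroup $pg

    # One row per DVSwitch/port group pair so you can see which DVS is still out of line
    [pscustomobject]@{
        DVSwitch         = $pg.VDSwitch.Name
        PortGroup        = $pg.Name
        AllowPromiscuous = $pol.AllowPromiscuous
        ForgedTransmits  = $pol.ForgedTransmits
        MacChanges       = $pol.MacChanges
    }

    if ($Apply -and -not ($pol.AllowPromiscuous -and $pol.ForgedTransmits)) {
        # Only touch port groups that are not already set, and only the two
        # settings the inline VM needs; MacChanges is left at its current value.
        Set-VDSecurityPolicy -Policy $pol -AllowPromiscuous $true -ForgedTransmits $true -Confirm:$false | Out-Null
    }
}
```

Running it without -Apply first gives you a per-DVSwitch inventory of which port groups already accept promiscuous/forged traffic, which is also a useful periodic check that the relaxed policy has not spread to port groups that should not have it.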