VMware Cloud Community
kmcd03 (Contributor)

using NSX-T distributed firewall in VCF 4.5 environment

I would like to start using NSX-T distributed firewall (dFW) in my VCF 4.5 domains, but won't be using logical routing at this time.

VCF has prepared the nodes, e.g. created transport zone, the uplink and transport node profiles, configured NSX on the nodes, etc.

If I want to start using dFW, but don't care about overlay, do I simply create a segment with a VLAN in NSX Manager and associate it with the transport zone created by VCF? Then bind the VMs' vNICs to the VDS port group so dFW policies and rules are applied.

Or should I create a new VLAN transport zone and associate it with the hosts in the domain? And then create the segment and bind the VM vNICs.

Thanks!


Accepted Solutions
CyberNils (Hot Shot)

Hi, you need to attach a VLAN TZ to be able to create VLAN-backed segments. Take a look at my blog post for details:

https://cybernils.net/2023/07/17/creating-vlan-backed-segments-in-vmware-cloud-foundation-vcf/

Nils Kristiansen
https://cybernils.net/


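To make the accepted answer concrete, here is an added example (not code from the thread, from CyberNils, or from the linked blog post) that builds the NSX-T Policy API request bodies for the DFW-only design being discussed: a VLAN-backed segment that must point at a VLAN transport zone, a group covering the VMs on that segment, and a small allow-list security policy scoped to that group. The transport-zone listing, UUIDs and service path are constructed placeholders, and the field names (`tz_type`, `transport_zone_path`, `vlan_ids`, `PathExpression`, `scope`) are the example author's reading of the Policy API, so verify them against the API guide for your NSX version before sending anything. The `build_vlan_segment` check is the point of the thread: it refuses to build a VLAN segment on the overlay TZ that VCF created.

```python
"""Payload builder for a DFW-only design on a VCF-prepared cluster:
VLAN-backed segment on a VLAN transport zone, a group of the VMs on that
segment, and a logged allow-list DFW policy applied only to that group.

Field names follow the NSX-T Policy API as understood by the author of this
example; treat them as assumptions to confirm against your NSX API guide.
"""
import json

# Constructed sample of a transport-zone listing (what a GET on
# /policy/api/v1/infra/sites/default/enforcement-points/default/transport-zones
# could return once VCF has prepared the hosts and an operator has added a
# VLAN TZ). The ids are placeholders, not real identifiers.
TZ_BASE = "/infra/sites/default/enforcement-points/default/transport-zones/"
SAMPLE_TRANSPORT_ZONES = [
    {"id": "TZ-OVERLAY-PLACEHOLDER", "display_name": "vcf-overlay-tz",
     "tz_type": "OVERLAY_STANDARD", "path": TZ_BASE + "TZ-OVERLAY-PLACEHOLDER"},
    {"id": "TZ-VLAN-PLACEHOLDER", "display_name": "dfw-vlan-tz",
     "tz_type": "VLAN_BACKED", "path": TZ_BASE + "TZ-VLAN-PLACEHOLDER"},
]


def find_transport_zone(zones, display_name):
    """Return the transport-zone dict with the given display name, or None."""
    for tz in zones:
        if tz.get("display_name") == display_name:
            return tz
    return None


def build_vlan_segment(segment_id, vlan_id, tz):
    """Body for PATCH /policy/api/v1/infra/segments/{segment_id}.

    Refuses anything but a VLAN transport zone: pointing a VLAN segment at the
    VCF overlay TZ is the mistake the thread's answer guards against.
    """
    if tz.get("tz_type") != "VLAN_BACKED":
        raise ValueError(f"{tz.get('display_name')} is {tz.get('tz_type')}, "
                         "not a VLAN transport zone")
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"VLAN id {vlan_id} out of range 1-4094")
    return {
        "display_name": segment_id,
        "transport_zone_path": tz["path"],
        "vlan_ids": [str(vlan_id)],
    }


def build_segment_group(group_id, segment_id):
    """Body for PATCH /policy/api/v1/infra/domains/default/groups/{group_id}.

    A PathExpression on the segment path makes the group follow every VM
    whose vNIC is attached to that segment (assumed API behaviour).
    """
    return {
        "display_name": group_id,
        "expression": [{"resource_type": "PathExpression",
                        "paths": [f"/infra/segments/{segment_id}"]}],
    }


def build_dfw_policy(policy_id, group_id, allowed_service_paths):
    """Body for PATCH /policy/api/v1/infra/domains/default/security-policies/{policy_id}.

    Allow-list: one logged ALLOW rule per permitted service into the group,
    then a logged DROP for everything else. 'scope' limits enforcement to the
    segment's VMs so nothing else in the domain is touched.
    """
    group_path = f"/infra/domains/default/groups/{group_id}"
    rules = []
    for seq, service_path in enumerate(allowed_service_paths, start=1):
        rules.append({
            "display_name": f"allow-{seq}", "sequence_number": seq * 10,
            "source_groups": ["ANY"], "destination_groups": [group_path],
            "services": [service_path], "scope": [group_path],
            "action": "ALLOW", "direction": "IN", "logged": True,
        })
    rules.append({
        "display_name": "default-drop", "sequence_number": (len(rules) + 1) * 10,
        "source_groups": ["ANY"], "destination_groups": ["ANY"],
        "services": ["ANY"], "scope": [group_path],
        "action": "DROP", "direction": "IN_OUT", "logged": True,
    })
    return {"display_name": policy_id, "category": "Application",
            "scope": [group_path], "rules": rules}


if __name__ == "__main__":
    tz = find_transport_zone(SAMPLE_TRANSPORT_ZONES, "dfw-vlan-tz")
    print(json.dumps(build_vlan_segment("app-vlan-100", 100, tz), indent=2))
    print(json.dumps(build_segment_group("app-vlan-100-vms", "app-vlan-100"), indent=2))
    # "/infra/services/HTTPS" is assumed to be a built-in service path.
    print(json.dumps(build_dfw_policy("app-vlan-100-policy", "app-vlan-100-vms",
                                      ["/infra/services/HTTPS"]), indent=2))
```

Running it prints the three bodies; feeding the overlay TZ to `build_vlan_segment` raises instead of producing a segment that NSX would reject (or, worse, that would silently land on the wrong zone). Every rule is logged so the DFW events can be shipped to your SIEM from day one, and the trailing DROP is what turns the policy into real micro-segmentation rather than a few extra allows.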
4 Replies
mkeshsundrani (Enthusiast)

Also read through the 7-minute blog post below; it will give you much more insight into how to use the DFW-only feature in NSX-T:

https://www.vgarethlewis.com/2022/06/20/vmware-nsx-micro-segmentation-only-deployment/

Credit to Gareth Lewis's blog.

kmcd03 (Contributor)

Thank you for documenting this.

I was leaning towards creating a new VLAN TZ and applying it to the nodes using the Transport Node Profile that VCF created.

Is attaching, or detaching, the TNP to a baseline WLD disruptive? I assume in this case only an additional TZ is added to the nodes, so it won't take VMs or nodes offline.

CyberNils (Hot Shot)

It should not be disruptive as far as I know.



Nils Kristiansen
https://cybernils.net/