VMware Networking Community
hs77
Enthusiast

DFW

Distributed Firewall (DFW) rules are stored where? Are they stored in NSX Controller or in NSX Manager or on the ESXi hosts?

Secondly, can we use Microsegmentation with DFW without using VXLAN overlays?

Accepted Solutions
grosas
Community Manager

Hi hs77

"Distributed Firewall (DFW) rules are stored where? Are they stored in NSX Controller or in NSX Manager or on the ESXi hosts?"

Rule configuration operations (add, edit, delete, import, export) are all done through the NSX Manager. Data plane execution of the rules is on the ESXi host, at the VM vNIC.

NSX Controllers are used for virtual network state management (VXLAN, Logical Routing). They're not utilized with the Distributed Firewall.

"Secondly, can we use Microsegmentation with DFW without using VXLAN overlays?"

Yes, definitely. Rule enforcement will happen regardless of the transport. If VXLAN is in use, the enforcement will happen prior to encapsulation (or after decapsulation).

_____________________________________
Gabe Rosas (VMware HCX team at VMware)
Blog: hcx.design
LinkedIn: /in/gaberosas
Twitter: gabe_rosas
