VMware Cloud Community
chulerico
Enthusiast

Traffic filtering and marking

Has anybody used Traffic filtering and marking for traffic filtering, such as dropping traffic, creating port group restrictions per VM, or creating DMZ-like rule sets, etc.?

Thanks

Sam

5 Replies
vHaridas
Expert

Refer to the URLs below; you can use VMware NSX for creating VM-specific firewall rules, DMZ, etc.

Note, NSX is a different product and has its own license.

Refer to the URLs below:

NSX and DMZ

http://www.routetocloud.com/2015/04/nsx-distributed-firewall-deep-dive/

http://blog.algosec.com/2015/08/tips-on-how-to-create-filtering-policies-for-vmware-nsx.html

If you ask this question in the "VMware NSX community" you may get more answers on NSX.

Thanks,

Haridas

Please consider awarding points for "Correct" or "Helpful" replies. Thanks....!!! https://vprhlabs.blogspot.in/
chulerico
Enthusiast

Haridas,

Thanks for the info. I'm aware of NSX, and that's actually one of the reasons I'm asking (NSX is not cheap). I don't need per VM; per port group would be fine.

Sam

MKguy
Virtuoso
Accepted solution

Correct, you don't need NSX; this is a core feature of the distributed vSwitch available since vSphere 5.5. It allows you to create layer 2 and layer 3/4 firewall rules on distributed port groups or distributed ports.

I've used it to isolate VMs on DMZ networks, similar to what a PVLAN setup would achieve, and I would say it works well enough, at least on a small scale.

Check these links:

http://blogs.vmware.com/vsphere/2014/03/vsphere-distributed-switch-traffic-filtering.html

https://pubs.vmware.com/vsphere-60/topic/com.vmware.vsphere.networking.doc/GUID-67CA4C18-4F18-4E23-A...

-- http://alpacapowered.wordpress.com
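The distributed-switch rules MKguy describes, as a worked illustration added here rather than code from the thread or from VMware: a small Python model of the vDS "Traffic filtering and marking" ruleset semantics (rules evaluated in sequence order, first match wins, no connection state, traffic matching no rule is passed) applied to a DMZ port group. The subnets, addresses, rule names, and the `Packet`/`Rule`/`IpQualifier` classes are constructed for the example; the direction convention (ingress = VM to switch, egress = switch to VM) follows the vDS UI.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17
DMZ, LAN = "10.10.10.0/24", "192.168.0.0/16"   # constructed sample subnets


@dataclass(frozen=True)
class Packet:
    # Direction is relative to the switch, as in the vDS UI:
    # "ingress" = VM -> switch, "egress" = switch -> VM.
    direction: str
    protocol: int
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class IpQualifier:
    """Subset of the vDS IP qualifier fields; None means 'any'."""
    protocol: Optional[int] = None
    src: Optional[str] = None                 # CIDR
    dst: Optional[str] = None                 # CIDR
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport and not self.sport[0] <= pkt.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= pkt.dport <= self.dport[1]:
            return False
        return True


@dataclass(frozen=True)
class Rule:
    sequence: int
    description: str
    direction: str                          # "ingress", "egress" or "both"
    action: str                             # "drop" or "allow"
    qualifier: IpQualifier = IpQualifier()  # default qualifier matches any IP packet

    def matches(self, pkt: Packet) -> bool:
        return self.direction in ("both", pkt.direction) and self.qualifier.matches(pkt)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Lowest sequence first, first match wins, unmatched traffic is passed."""
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule.matches(pkt):
            return rule.action, rule.description
    return "allow", "no rule matched (vDS implicit allow)"


def dmz_ruleset(catch_all: bool = True) -> List[Rule]:
    """Whitelist for a DMZ web-server port group: HTTPS in, DNS out, nothing else."""
    rules = [
        Rule(10, "https in", "egress", "allow", IpQualifier(TCP, dst=DMZ, dport=(443, 443))),
        # The filter is stateless, so replies need an explicit rule; it sits
        # before the DMZ->LAN drop so LAN clients still get their answers.
        Rule(20, "https replies out", "ingress", "allow", IpQualifier(TCP, src=DMZ, sport=(443, 443))),
        Rule(30, "drop DMZ->LAN", "ingress", "drop", IpQualifier(src=DMZ, dst=LAN)),
        # PVLAN-style isolation: DMZ VMs in the same port group cannot reach each other.
        Rule(40, "drop DMZ->DMZ", "both", "drop", IpQualifier(src=DMZ, dst=DMZ)),
        Rule(50, "dns out", "ingress", "allow", IpQualifier(UDP, src=DMZ, dport=(53, 53))),
        Rule(51, "dns replies in", "egress", "allow", IpQualifier(UDP, dst=DMZ, sport=(53, 53))),
    ]
    if catch_all:
        rules.append(Rule(1000, "drop everything else", "both", "drop"))
    return rules


def demo() -> dict:
    """Constructed packets run through the ruleset with and without the catch-all."""
    strict, loose = dmz_ruleset(True), dmz_ruleset(False)
    pkts = {
        "client_to_web": Packet("egress", TCP, "203.0.113.5", "10.10.10.10", 51000, 443),
        "reply_to_lan_client": Packet("ingress", TCP, "10.10.10.10", "192.168.1.20", 443, 52000),
        "web_to_lan_smb": Packet("ingress", TCP, "10.10.10.10", "192.168.1.5", 40000, 445),
        "web_to_web_ssh": Packet("ingress", TCP, "10.10.10.10", "10.10.10.11", 40001, 22),
        "web_ssh_out": Packet("ingress", TCP, "10.10.10.10", "198.51.100.7", 40002, 22),
    }
    result = {name: evaluate(strict, p)[0] for name, p in pkts.items()}
    result["web_ssh_out_without_catch_all"] = evaluate(loose, pkts["web_ssh_out"])[0]
    return result


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

The last two results are the practical caveat: the same outbound SSH packet is dropped with the final catch-all rule and passed without it, because vDS traffic filtering has no default deny. The reply rules exist because the filter keeps no connection state, and the rule ordering matters (rule 20 must precede rule 30 or LAN clients lose their HTTPS responses). Since the rules are enforced on each distributed port rather than per VLAN, the explicit DMZ-to-DMZ drop is what gives the PVLAN-like isolation MKguy mentions.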
vHaridas
Expert

@MKguy

Thanks for correcting me.

chulerico
Enthusiast

Thanks for the info, that's exactly how I want to set it up.

Sam
