VMware Networking Community
cbg2008
Contributor

DFW Optimization

If there is a security policy, let's say: WEB group should only talk to APP group through TCP port 8080. Why don't we optimise resources by applying policies only to the destination group instead of marking both the groups in the "Applied to" field?

I mean, if we apply policies just at the destination group, we can still achieve protection with reduced resource utilisation (we are not applying the policy at the source, thus saving resources).

Or is the main goal to save overall traffic, and so we are applying the policy at both source and destination at the cost of higher resource utilisation?

Am I missing something? 

Sreec
VMware Employee

If you are using policy-level "Applied To", then rule-level "Applied To" is ignored. That being said, it is recommended to configure Applied To at the rule level or policy level (Source & Destination) if both source and destination are on NSX.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
cbg2008
Contributor

Yes, both source and destination are on NSX only. Will there be any issues if I just apply the policy at the destination group, apart from unnecessary traffic on the network?

I am just weighing the pros and cons of the current implementation, as in: if we can just limit policy applicability to destination groups, we can save some resources at source groups.

Sreec
VMware Employee

There are no major implications with the proposed model in the earlier thread. If you are hitting a performance issue, feel free to raise a ticket with support. Also, please do review https://communities.vmware.com/t5/VMware-NSX-Documents/NSX-T-Security-Reference-Guide/ta-p/2815645 (page 56); there are a few more examples based on Source and Destination.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
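
Added example, not part of the original thread and not VMware code: a simplified Python model of the trade-off discussed above, comparing "Applied To" set to the destination group only against source and destination. It assumes a rule is programmed only on the vNICs of VMs in its Applied To groups, that the default rule is left at allow, and that the VM names and the explicit WEB-to-APP drop rule are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: VM name -> group membership
VMS = {"web-01": "WEB", "web-02": "WEB", "app-01": "APP"}
DEFAULT_ACTION = "ALLOW"  # assumption: default rule left at allow

@dataclass(frozen=True)
class Rule:
    src: str               # source group
    dst: str               # destination group
    port: Optional[int]    # None matches any TCP port
    action: str            # "ALLOW" or "DROP"
    applied_to: frozenset  # groups whose vNICs receive this rule

def policy(applied_to):
    """WEB may reach APP on TCP 8080 only; both rules share one Applied To scope."""
    scope = frozenset(applied_to)
    return [Rule("WEB", "APP", 8080, "ALLOW", scope),
            Rule("WEB", "APP", None, "DROP", scope)]

def vnic_table(vm, rules):
    """Rules programmed on this VM's vNIC: those whose Applied To covers its group."""
    return [r for r in rules if VMS[vm] in r.applied_to]

def verdict(vm, rules, src_vm, dst_vm, port):
    """First-match evaluation of one flow on one vNIC's rule table."""
    for r in vnic_table(vm, rules):
        if r.src == VMS[src_vm] and r.dst == VMS[dst_vm] and r.port in (None, port):
            return r.action
    return DEFAULT_ACTION

def trace(rules, src_vm, dst_vm, port):
    """Where the flow ends: at the source vNIC, at the destination vNIC, or delivered."""
    if verdict(src_vm, rules, src_vm, dst_vm, port) == "DROP":
        return "dropped-at-source"
    if verdict(dst_vm, rules, src_vm, dst_vm, port) == "DROP":
        return "dropped-at-destination"
    return "delivered"

def rules_per_vnic(rules):
    return {vm: len(vnic_table(vm, rules)) for vm in VMS}

if __name__ == "__main__":
    for label, scope in (("destination only", ["APP"]),
                         ("source and destination", ["WEB", "APP"])):
        p = policy(scope)
        print(label, rules_per_vnic(p),
              trace(p, "web-01", "app-01", 8080), trace(p, "web-01", "app-01", 22))
```

In this model both scopes end with the same allowed and denied flows; what changes is the number of rules held on the WEB vNICs and whether a denied flow crosses the network before it is dropped.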
jackuggge
Contributor

How to neglect unnecessary traffic then, for example on Modern Agriculture SOFTWARE?

We are getting no ROI, so help us?

Suggest us the best way to enhance.
