Amr_Kabary
Contributor
Contributor

Deploying NSX dfw in a production environment

Hi dears,

I ran nsx v and T before on separate harsdware and on greenfield implementations

this time i need to test DFW on a production environment, and i need to account for every downtime probability

i need to do host preparation for a cluster of 4 hosts
i learned that i will need to move my test vms to NSX segments in order to check fw rules

what about my hosts
will host preparation cause downtime ?
will i need to move these hosts to a new n-vds and create an uplink profile for them ? this surely will cause downtime
note that i dont have spare uplinks

i understand that i wont need vteps, there will be no virtual routing
My Regards

Labels (2)
0 Kudos
4 Replies
CallistoJag
Contributor
Contributor

As long as you have capacity, the hosts should prepare one at a time. As for connectivity, network will have to have some outage due to migration of VM network. Prepare the hosts without workload and then migrate VM machines to them from another cluster to minimise downtime and give you a roll-back option.

0 Kudos
Sreec
VMware Employee
VMware Employee

Host preparation will not cause any downtime for workloads. 

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
mburger
Contributor
Contributor

Thanks this is great information

0 Kudos
chandrakm
VMware Employee
VMware Employee

If you are only using NSX-T DFW. you can prepare ESX hosts with security only. where using NSX-T you can do DFW for VDS port groups. But keep in mind security only will not provide networking and overlay functions. only DFW will work.

If you would like to use NSX-T for more than DFW, please prepare ESX hosts with Networking and security. where you can use DFW and Networking, Overlay, basically all NSX feature set. But DFW will not work for VDS port groups. and you need to move your VM's to NSX-T Overlay or VLAN backed segments. keep in mind you don't need to have N-VDS. you can prepare ESX hosts with existing VDS switches as well, which is called as Converged VDS(C-VDS) (Yes, in this process you need to configure uplink profiles and transport node profile). and hence don't need to bother about limited uplinks and downtime. once you prepare ESX with existing VDS. NSX-T VLAN Segments or Overlay segments will appear under that C-VDS and you can move VM's from VDS port group to NSX-T segments under same VDS. this VM's movement shouldn't cause any big downtime rather than a ping loss. and host preparation will not cause any downtime.

 

Hope this helps!

 

0 Kudos