VMware Networking Community
microkrish
Contributor

Do we really need the NSX controllers for enabling only DFW in the cluster?

Hi

Do we really need the NSX controllers for enabling only DFW in the cluster? Not going to use the VXLAN, just keep the existing VLANs allowed to the cluster.

The requirement is to firewall the traffic between the VLANs/subnets, and within the same subnet we have a subset of IP pools.

Thanks in advance.

7 Replies
ChrisBCarlson
Enthusiast

I took the training this summer and I remember that question being asked. And to answer your question: no, I do not think you need the controllers. I am not 100% certain, but that is what I remember.

HeathReynolds
Enthusiast

I believe you are correct. You should be able to simply deploy NSX Manager and prepare the cluster members for DFW without deploying the controllers. I am 99% sure I've done this when I was testing DFW and Log Insight.

On Tue, Dec 2, 2014 at 12:37 PM, ChrisBCarlson <

My sometimes relevant blog on data center networking and virtualization : http://www.heathreynolds.com
ddesmidt
VMware Employee

NSX Controllers are in charge of:

  • Logical Switches (VXLAN)
  • The dynamic routing (OSPF / BGP) of Distributed Logical Routers

In other words, if you do use:

  • VLAN (and not VXLAN)
  • Edge
  • DLR without dynamic routing

Then you do not need Controllers.

Dimitri

rbudavari
Community Manager

Just to clarify - the Controllers are not responsible for Dynamic Routing, but for all Distributed Logical Routing synchronization (Routes and LIFs). So DLR without Dynamic Routing still requires the NSX Controllers.

Also, confirming DFW can be used for VLAN backed dvPortgroups without NSX Controllers.

werme
VMware Employee

Can you also confirm if the DFW can be used for Cisco Nexus 1Kv? From what I understand it should be ok.

HeathReynolds
Enthusiast

I don't think that is going to work; everything I have seen lists using the VMware distributed switch as a requirement for all of the components of NSX for vSphere, not just the overlay parts.

It's time to pick a networking stack; when I was a customer I had to rip out the 1kv for VDS when we made the NSX decision.

If you want to help replace some of the delegation to the network team that 1kv provides, I would flesh out the network team's requirements and look at providing them with PowerCLI scripts delivered through PowerGUI. That's what we did, worked well for us.

On Wed, Dec 3, 2014 at 4:19 PM, werme <communities-emailer@vmware.com>

My sometimes relevant blog on data center networking and virtualization : http://www.heathreynolds.com
rbudavari
Community Manager

NSX features (including DFW) are supported on the vSphere Distributed Switch.
