VMware Networking Community
rajeevsrikant
Expert

NSX DFW + Default Gateway

Question on NSX DFW behaviour.

I have 3 VMs.

VM1 - VNI 5001

VM2 - VNI 5002

VM3 - VNI 5002

I am applying policy as below

VM1 -> VM2 -> Allow

VM2 -> ANY -> Block

By this I am allowing VM1 to communicate with VM2. Both are in different segments & the traffic will be routed through the DLR.

My question is: I have allowed VM1 to communicate only with VM2. But when VM1 tries to communicate with the Default Gateway, which is a different IP, how will this work?

Will VM1 be able to communicate with the D.G.? & if not, how will the routing work to talk to the different segment?

4 Replies
lhoffer
VMware Employee

Yes, VM1 will be able to reach the default gateway when the destination is VM2, as permitted by your firewall policy. The rough sequence of events is that when VM1 wants to send traffic to VM2 on a different subnet, it will ARP for its default gateway and use the MAC address associated with the DLR gateway LIF in VNI 5001 as the destination address in the L2 frame it sends; however, the L3 packet will still have VM2's IP address as the destination (thus still matching the DFW rule which permits it).

rajeevsrikant
Expert

So is this still applicable to the DFW if the VMs are part of a VLAN & not part of a VXLAN?

bayupw
Leadership
(Accepted solution)

If you are using L3/L4 rules (General tab), the DFW matches against source IP and destination IP.

In the IP packet payload, the source IP address and destination address remain unchanged throughout the network, even when transiting to a different subnet.

In your case, the IP packet payload would have Source IP=VM1 IP and Destination IP=VM2 IP, and the DFW rules match against these two IPs.

What changes throughout the transit, hop by hop, is the MAC addresses.

The Ethernet MAC header from VM1 will have Source MAC=VM1, Destination MAC=Default Gateway/Router.

After being routed to VM2's network, Source MAC=Default Gateway/Router, Destination MAC=VM2.

See this post: http://www.eventhelix.com/RealtimeMantra/Networking/ip_routing.htm#.WPVcf4jfrRY

This is applicable to both VLAN and VXLAN.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
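Both answers above (lhoffer's ARP-for-the-gateway sequence and bayupw's L2-rewrite/L3-unchanged explanation) describe one mechanism, and it is easy to check in code. The Python model below is an added example, not code from this thread, from VMware or from the NSX Cookbook. It walks a VM1 -> VM2 frame through the two DFW enforcement points (the vNIC of VM1 and the vNIC of VM2), rewrites the MAC header at the DLR hop the way a router does, and evaluates the thread's two rules at each point. All IPs, MACs, subnets and the DLR LIF MACs are constructed for the illustration; the evaluator is a stateless first-match toy and does not model the DFW's connection tracking.

```python
"""Toy model of NSX DFW L3 rule matching on a routed VM1 -> VM2 flow.

Added example; all addresses below are constructed, not taken from the thread.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Frame:
    """The Ethernet and IP header fields that matter for the question."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    action: str   # "allow" or "block"


def _matches(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, frame: Frame, default_action: str = "allow"):
    """First-match L3 rule lookup. Only the IP header is consulted; the MAC
    header is never read, which is why the rewrite at the DLR does not matter."""
    for rule in rules:
        if _matches(rule.src, frame.src_ip) and _matches(rule.dst, frame.dst_ip):
            return rule.name, rule.action
    return "default", default_action


def arp_target(src_ip: str, dst_ip: str, subnet: str, gateway_ip: str) -> str:
    """Which IP the sender ARPs for: the destination if on-link, else the gateway."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(subnet, strict=False):
        return dst_ip
    return gateway_ip


def route_hop(frame: Frame, egress_lif_mac: str, next_hop_mac: str) -> Frame:
    """What the DLR does between VNIs: rewrite the L2 header, leave the IPs alone."""
    return replace(frame, src_mac=egress_lif_mac, dst_mac=next_hop_mac)


# Constructed topology (assumption): VM1 on one segment, VM2 on another,
# one DLR LIF per segment. LIF MACs are made up for the example.
VM1 = {"ip": "10.1.1.10", "mac": "00:50:56:aa:00:01", "subnet": "10.1.1.0/24", "gw": "10.1.1.1"}
VM2 = {"ip": "10.1.2.20", "mac": "00:50:56:aa:00:02", "subnet": "10.1.2.0/24", "gw": "10.1.2.1"}
LIF_MAC = {"10.1.1.1": "02:00:00:00:50:01", "10.1.2.1": "02:00:00:00:50:02"}

# The two rules from the question, expressed as /32 sources and destinations.
RULES = [
    Rule("VM1 -> VM2", f"{VM1['ip']}/32", f"{VM2['ip']}/32", "allow"),
    Rule("VM2 -> ANY", f"{VM2['ip']}/32", "any", "block"),
]


def trace_vm1_to_vm2():
    """Return [(checkpoint, frame, (rule_name, action))] for the DFW lookup at
    VM1's vNIC and, after the routed hop, at VM2's vNIC."""
    next_ip = arp_target(VM1["ip"], VM2["ip"], VM1["subnet"], VM1["gw"])   # the gateway
    first = Frame(VM1["mac"], LIF_MAC[next_ip], VM1["ip"], VM2["ip"])
    hops = [("VM1 vNIC", first, evaluate(RULES, first))]
    routed = route_hop(first, LIF_MAC[VM2["gw"]], VM2["mac"])
    hops.append(("VM2 vNIC", routed, evaluate(RULES, routed)))
    return hops


def gateway_ping_decision(default_action: str = "allow"):
    """A flow whose destination IP is the gateway itself is a different flow;
    neither rule in the question covers it, so the default rule decides."""
    ping = Frame(VM1["mac"], LIF_MAC[VM1["gw"]], VM1["ip"], VM1["gw"])
    return evaluate(RULES, ping, default_action)


if __name__ == "__main__":
    for checkpoint, f, (rule, action) in trace_vm1_to_vm2():
        print(f"{checkpoint:9s} L2 {f.src_mac} -> {f.dst_mac} | "
              f"L3 {f.src_ip} -> {f.dst_ip} | {rule}: {action}")
    print("VM1 -> gateway IP:", gateway_ping_decision())
```

Running the file prints one line per checkpoint: the MAC pair differs between the two lines, the IP pair and the matched rule do not. The last function makes the remaining point explicit: a packet addressed to the gateway IP itself (a ping to 10.1.1.1 in this constructed topology) is a separate flow that the two rules in the question do not match, so whether it passes depends entirely on the default rule.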
rajeevsrikant
Expert

Thanks, got it.
