In NSX-T 4.x releases, distributed security can be extended to VDS.
Q1: For Distributed security, what is the functional difference between DVPG and segmentation?
Q2: When the "network and security" NSX installation method is adopted, the ESXi transport node uses VDS instead of N-VDS. In this case, why can't distributed security be enabled on both DVPG and segment, and why can distributed security only be used on segments?
Hello @SilenCN:
Q1 - A DVPG is a construct of the vDS inside vCenter (VLAN-based only, etc.), while a segment is an NSX construct (which can be overlay- or VLAN-based, etc.), meaning these are created and maintained in two distinct places: vCenter and NSX Manager.
useful link - https://docs.vmware.com/en/VMware-NSX/4.0/administration/GUID-F1E8452D-1EC5-4E4A-8C10-9BCD6353B4E9.h...
Q2 - The network-and-security setup uses different NSX VIBs for installation on transport nodes, and switching between the security-only and the network-and-security scenario means removing the existing one. This means that NSX hosts prepped with networking and security do not auto-discover existing vDS/DVPGs from vCenter, so segments are the only option for this type of scenario.
HTH,
Dragan
To add to that - this "Security-only" feature is a niche use case. It works as it's designed - to work with DVPGs only here. In regular NSX, NSX can't manage DVPGs - they don't belong to NSX, but to vSphere. You have to choose.
N-VDS has been deprecated on ESXi since 3.x in general; 4.x only supports VDS on ESXi (or C-VDS as we say, Centralized vDS). This has nothing to do with the Security-only use case.
You can achieve the same thing with the "regular" way of doing things in NSX-T. You'd only have to create some config items in NSX on your own then (Transport Zone, Uplink Profile, Transport Node Profile) and could easily create VLAN segments from within NSX and fully manage them from there.
With the Security-only use case you'd still be creating the PGs from the vSphere Client on the vDS itself, managing parts of their configuration from there and other parts (some Segment Profiles) from within NSX.
So if you can deal with creating VLAN Segments from within the NSX UI, I'd definitely go with the "regular" way of doing things.
BR
Steffen
Thank you very much for your answer, I should have understood! For DVPG and Segment, they belong to vCenter and NSX respectively on the management plane, so is there any difference at the control plane, or any difference in the specific principle and function of implementing distributed security?
Both scenarios - DVPG or segment - in a security-only NSX setup are totally OK from a distributed security perspective. DVPGs are created inside the vDS setup, and segments are created on the NSX side and replicated into the vCenter vDS config.
BR,
Dragan
Point number 2 from the document below might help.