Hi everyone
I'm using NSX-T 3.2.1 and after creating a "reject" rule for VMs backed by VDS VLANs, it just returns 3 or 4 "destination Unreachable" messages and then allows traffic to pass (but it works fine on overlay segments). Has anyone encountered a similar condition before? Thanks
Hi,
From the question, I assume you have VMs connected to a VDS port group and are trying to apply a DFW rule to the VM. If this is the case, then it will not work, as you have prepared the host cluster for both Networking and Security, as you mentioned using Overlay Segments. In this case you need to create a VLAN-backed segment in NSX-T and move the VM to the NSX-T segment in vCenter to apply DFW rules to it.
In order to apply DFW rules on VDS port groups, you need to prepare the cluster with the Security only option. Please refer to the article below for the same -
Hope this helps.
Many thanks aggarwalvinay31
I found your answer helpful, but I wonder why it shouldn't work on the underlay when I'm using overlay networking?
And as I said, it works for 3 or 4 seconds and then it releases the traffic, and of course somewhere else I saw it mentioned that DFW is irrespective of the network and will work on both overlays and underlays. Anyway, thanks again for your response 🙂
Hi,
It may have been about NSX-V, wherein DFW applied to logical switches or VDS port groups regardless. But currently with NSX-T, in order to apply DFW on a VDS port group, the ESXi cluster needs to be prepared with the security-only feature.