VMware Networking Community
mehrantgs

NSX-T DFW Does not work

Hi everyone

I'm using NSX-T 3.2.1, and after creating a "reject" rule for VMs backed by VDS VLANs, it just returns 3 or 4 "destination unreachable" messages and then allows traffic to pass (but it works fine on overlay segments). Has anyone encountered a similar condition before? Thanks.

Accepted Solutions
aggarwalvinay31

Hi,

From the question, I assume you have VMs connected to a VDS port group and are trying to apply a DFW rule to the VM. If this is the case, then it will not work, as you have prepared the host cluster for both Networking and Security, as you mentioned using Overlay Segments. You need to create a VLAN-backed segment in NSX-T and move the VM to the NSX-T segment in vCenter in this case to apply the DFW rule to them.

In order to apply a DFW rule on VDS port groups, you need to prepare the cluster with the Security only option. Please refer to the article below for the same:

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-E9FBE567-D136-41AF-B8D6-...

Hope this helps.

mehrantgs

Many thanks, aggarwalvinay31.

I found your answer helpful, but I wonder why it shouldn't work on the underlay when I'm using overlay networking?

And as I said, it works for 3 or 4 seconds and then it releases the traffic, and of course somewhere else I saw it mentioned that DFW is irrespective of the network and will work on both overlays and underlays. Anyway, thanks again for your response 🙂

aggarwalvinay31

Hi,

It may have been about NSX-V, wherein DFW applied to a logical switch or VDS port group regardless. But currently, with NSX-T, in order to apply DFW on a VDS port group, the ESXi cluster needs to be prepared with the security-only feature.