NSX-T DFW Protection without N-VDS

xyker · ‎05-04-2019

Is is it possible to protect my VMs' that have interfaces connected to a regular port group on a VDS? We have a second interface on a number of VMs that are able to talk to our physical backup appliance on the same VLAN. We want to prevent the VMs from communicating with each other through the backup interface by using the DFW. We feel better about not having our heaviest traffic flow through the Edge VMs so we do not want to use the N-VDS for those interfaces. Is our understanding of the N-VDS flawed? How can we protect interfaces that are not part of an N-VDS?

mauricioamorim · ‎05-06-2019

You need to migrate those interfaces to the N-VDS to be able to apply micro-segmentation. You can just migrate those interfaces that are on a VDS to the N-VDS keeping it VLAN backed in the N-VDS so they communicate directly to the backup appliance. There is no need for this traffic to go through an Edge.

All

NSX-T DFW Protection without N-VDS