VMware Networking Community
BlackBurn1983
Contributor

NSX-T VLAN Transport Zone and Service Insertion

I'm working on a migration from NSX-V with Service Insertion (Palo Alto Networks) to NSX-T.

The current (NSX-V) design doesn't use any overlays, only service insertion.
Since it is a relatively small environment (8 hosts and 4 VLANs within VMware) with no need for overlay networking, I was thinking about using only a VLAN transport zone, which keeps everything clean and simple.

- Is it supported to not use any overlay transport zone and only a VLAN transport zone? It seems to work in my nested lab setup.
- Is service insertion (host-based) supported?

I'm waiting for some eval licenses to test it (service insertion) out; documentation is very sparse on this. As far as my understanding goes, it is done at the NIC level, so I assume it works?

0 Kudos
2 Replies
ShahabKhan
VMware Employee

Hi,

Regarding your first question, it is correct that you don't need an overlay transport zone for a micro-segmentation-only use case in NSX-T. But if you are using service insertion, then it is mandatory to have the hosts prepared with an overlay transport zone.

For the second question, I would recommend referring to the documentation from Palo Alto.

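A pre-flight check for the point made in the reply above (every host must be prepared with an overlay transport zone before service insertion is deployed), added here as an example; it is not code from the thread, from VMware or from Palo Alto Networks. It assumes the JSON shapes of the NSX-T Manager API responses to `GET /api/v1/transport-zones` and `GET /api/v1/transport-nodes` (the field names `transport_type`, `host_switch_spec`, `host_switches`, `transport_zone_endpoints` and `transport_zone_id` are assumed from that API; verify them against your NSX-T version) and embeds constructed sample payloads so it runs offline.

```python
"""Pre-flight check for NSX-T service insertion: which transport nodes lack an
overlay transport zone?

Added example, not code from the thread, VMware or Palo Alto Networks.
The payload shapes follow the NSX-T Manager API endpoints
GET /api/v1/transport-zones and GET /api/v1/transport-nodes as assumed by
the author of this example; verify the field names against your version.
The sample data below is constructed so the script runs offline.
"""
from typing import Dict, List, Set

# Constructed sample: one VLAN-backed and one overlay transport zone.
TRANSPORT_ZONES: dict = {
    "results": [
        {"id": "tz-vlan-1", "display_name": "TZ-VLAN", "transport_type": "VLAN"},
        {"id": "tz-overlay-1", "display_name": "TZ-Overlay", "transport_type": "OVERLAY"},
    ]
}


def _node(name: str, zone_ids: List[str]) -> dict:
    """Build a minimal transport-node record attached to the given zone IDs
    (helper for the constructed sample; field names are assumed)."""
    return {
        "display_name": name,
        "host_switch_spec": {
            "host_switches": [
                {
                    "host_switch_name": "nvds-1",
                    "transport_zone_endpoints": [
                        {"transport_zone_id": z} for z in zone_ids
                    ],
                }
            ]
        },
    }


# Constructed sample: esx-03 is attached to the VLAN zone only, which is the
# configuration the reply says is not sufficient for service insertion.
TRANSPORT_NODES: dict = {
    "results": [
        _node("esx-01", ["tz-vlan-1", "tz-overlay-1"]),
        _node("esx-02", ["tz-vlan-1", "tz-overlay-1"]),
        _node("esx-03", ["tz-vlan-1"]),
    ]
}


def overlay_zone_ids(tz_payload: dict) -> Set[str]:
    """IDs of every transport zone whose transport_type is OVERLAY."""
    return {
        tz["id"] for tz in tz_payload.get("results", [])
        if tz.get("transport_type") == "OVERLAY"
    }


def zones_per_node(tn_payload: dict) -> Dict[str, Set[str]]:
    """Map each transport node's display_name to the set of zone IDs it joins,
    across all host switches configured on that node."""
    out: Dict[str, Set[str]] = {}
    for tn in tn_payload.get("results", []):
        zones: Set[str] = set()
        spec = tn.get("host_switch_spec", {})
        for hs in spec.get("host_switches", []):
            for ep in hs.get("transport_zone_endpoints", []):
                zones.add(ep["transport_zone_id"])
        out[tn["display_name"]] = zones
    return out


def nodes_missing_overlay(tz_payload: dict, tn_payload: dict) -> List[str]:
    """Names of transport nodes not attached to any overlay transport zone.
    A node with no host switch at all is reported too, since it joins no zone.
    These hosts cannot take part in a host-based service insertion deployment
    until an overlay zone is added to their host switch."""
    overlay = overlay_zone_ids(tz_payload)
    return sorted(
        name for name, zones in zones_per_node(tn_payload).items()
        if not zones & overlay
    )


def main() -> None:
    missing = nodes_missing_overlay(TRANSPORT_ZONES, TRANSPORT_NODES)
    if missing:
        print("Hosts without an overlay transport zone:", ", ".join(missing))
    else:
        print("All transport nodes are attached to an overlay transport zone.")


if __name__ == "__main__":
    main()
```

Against a live NSX Manager you would replace the two constructed dictionaries with the parsed responses of those two GETs. Any host the check names needs an overlay transport zone added to its host switch before service insertion is enabled, even though the workload VMs themselves can stay on VLAN segments.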
BlackBurn1983
Contributor

Thanks for your answer; the response below is just for completeness, in case others have the same question.

I built the lab including service insertion with PAN firewalls as the service in a host-based deployment.
It works great with an overlay for the PAN firewalls and all VMs on VLANs, so no bridging is required.

A great benefit is that if a firewall (service) fails, traffic is redirected to another service, even in a host-based setup.
This worked perfectly!

0 Kudos