VMware Networking Community
dimpct
Contributor
Contributor
‎05-26-2022 04:53 AM

NSX-T microsegmentation objects

Hi all,

 

We have recently started migrating from NSX-V and we noticed a couple important differences in distributed firewall.

First of all, while adding VMs as source or destination, we have to create a group for VMs and cannot add directly one or multiple VMs.

Is it how it works?

Furthermore, we have a vCenter server with 1 mgmt cluster and 3 compute clusters and have activate NSX-T (security only) on one cluster to test all functionality and create all necessary rules. During this step we found that we can select VMs only from the NSX-T prepared cluster and not VMs from the other clusters. Is this an expected behavior?

 

Thanks,

Dimitris

0 Kudos
1 Reply
engyak
Enthusiast
Enthusiast
‎05-30-2022 08:50 AM

Yep, everything needs to be an NSGroup.

Is the NSX Manager talking to (configured as a Compute Manager) the management vCenter?

What are you trying to add it to? NSX Data Center attempts to enforce traffic in separate stages (at source vNIC, at destination vNIC) - I don't specifically recall being unable to use external VMs in inventory objects but it's not outside the realm of possibility that this changed to ensure enforcement is possible.

This doc seems to infer that EAM (ESX Agent Monitor) is responsible for adding VMs to inventory on a host-by-host basis: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-79749A9D-4DC7-4C24-B667-... 

My best guess is that you need to add as an external object to avoid implying that because a VM object is present, it can be enforced on with both stages.

0 Kudos