VMware Networking Community
Hamidreza74
Enthusiast

NSX-T scale up

Hi
I read the NSX-T VMware Configuration Maximums. Is there any way to scale up NSX-T and increase these limitations?

8 Replies
p0wertje
Hot Shot

Hi,

What limitation are you specifically talking about?

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved
Hamidreza74
Enthusiast

Create System 16000 Wide Tier-0 Gateway Firewall Rules

I deployed VRF instead of individual T0 in my datacenter.
Is this limitation per VRF or not?
Is there any way to scale up NSX-T to increase this limitation?

p0wertje
Hot Shot

Hi

16000 is system-wide, according to configmax. AFAIK that does not mean you cannot create more. It is not a hard limit.
The numbers are based on tests that VMware did that are safe.
(There are VMware employees reading the forums also, so please correct me when I am wrong 🙂 )

NSX-T is, as more SDN-like solutions, for an E-W use case. This means firewalling on an E-W basis and not so for N-S.
Yes, you can use it as N-S with the edge firewall rules, but it is limited.

You could do some 'generic' firewall rules on the edge and more specific, application-based, rules on the distributed firewall.

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Sreec
VMware Employee

The limitation is 5000 per Tier-0 and 16,000 for system-wide rules. That being said, I'm curious to know about this design and use case which is crossing those numbers? 

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
Hamidreza74
Enthusiast

Our use case was for a private cloud in which each department has an individual T1, VRF, and firewall. In that scenario, as you say, "The limitation is 5000 per Tier-0", we can have just 5000 rules, and this number is not enough for our environment.

Sreec
VMware Employee

Thanks for the update. Having worked with many service providers I have never come across any scale limitations from day one. That being said, if you are 100% sure that those firewall rules are optimized and they are needed for the right reason, you have to start using Microsegmentation rules (100,000 system-wide rules supported). Have you also checked traffic patterns in your design? Like @p0wertje mentioned, most likely E-W traffic requirements will be high and the Zero Trust approach is the best bet. Is this an NSX-T with a VCD/VRA platform? What are the underlying solutions used in the Private cloud?

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Hamidreza74
Enthusiast

No.
We use OpenNebula and vSphere in our solution.
Each department has a dedicated T1, T0, LB, and FW, but because of the T0 limitation (160) we use VRF instead of T0. Now our concern is about the rule limit in the future. For now it's not a big deal, but in the future we will reach this limitation.

Hamidreza74
Enthusiast

Does anybody have an idea?
