I read NSX-T VMware Configuration Maximums, is there any way to scale up NSX-T and increase these limitation?
What limitation are you specifically talking about?
Create System 16000 Wide Tier-0 Gateway Firewall Rules
I Deployed VRF instead of individual T0 in my datacenter.
this limitation is Per VRF or not?
is there any way to scale up NSX-T, to increase this limitation?
16000 is system-wide. according to configmax. Afaik that does not mean you cannot create more. It is not a hard limit.
The numbers are based on tests that VMware did that are save.
(There are VMware employers reading the forums also, so please correct me when I am wrong 🙂 )
NSX-T is, as more SDN-like solutions, for an E-W use case. This means firewalling on an E-W base and not so for N-S
Yes, you can use it as N-S with the edge firewall rules, but it is limited.
You could do some 'generic' firewall rules on the edge and more specific, application-based, rules on the distributed firewall.
The limitation is 5000 per Tier-0 and 16,000 for system-wide rules. That being said, I'm curious to know about this design and use case which is crossing those numbers?
our use-case was for private cloud that each Department has individual T1, VRF, firewall. in that scenario, as you say "The limitation is 5000 per Tier-0" we can just 5000 rule and this number for our environment is not enough
Thanks for the update. Having worked with many service providers I have never come across any scale limitations from day one. That being said, if you are 100% sure that those firewall rules are optimized and they are needed for the right reason, you have to start using Microsegmentation rules (100,000 system-wide rules supported). Have you also checked traffic patterns in your design? Like @p0wertje mentioned, most likely E-W traffic requirements will be high and the Zero Trust approach is the best bet. Is this an NSX-T with a VCD/VRA platform? What are the underlying solutions used in the Private cloud?
we use Opennubula and VSphere in our solution.
each department have dedicated T1, T0, LB, FW, but for the limitation of T0(160) we use VRF instead of T0 now our concern is about Limited Rule in the future, for Now, it's not big deal but for the future, we reach to this limitation
Does anybody have an idea?