VMware Networking Community
Yacudzer
Enthusiast

NSX-v edge Internal and external interfaces

When I configure interfaces, I can set the type of each one: internal, uplink and trunk.

When I configure firewall rules, I can use different vNIC groups: internal and external.

I think that internal interfaces compile to the internal vNIC group in the firewall, and uplink is the external vNIC group (is that true?), but which groups do the trunk interface and subinterfaces compile to?

4 Replies
nachogonzalez
Commander

Hi Yacudzer

I assume you are creating a firewall rule on an edge service gateway instance (ESG) and not on a distributed firewall (DFW).

On ESGs you can only create firewall rules on internal (downstream) or external (uplink) interfaces.
If you select vNIC Group and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. Note that firewall rules on internal interfaces do not work for a Logical Router.


For more information, please check "Add an NSX Edge Firewall Rule".

Warm regards

Yacudzer
Enthusiast

nachogonzalez, thanks, but I can read the documentation myself.

My question is about the trunk interface. How do the "internal" and "external" rules apply to the trunk interface and subinterfaces?

nachogonzalez
Commander

Sorry, I might not have been clear.

On an Edge Service Gateway, rules can only be applied to internal and external interfaces.

MostafaElSayedF
Enthusiast

Yacudzer, you cannot create any firewall rule for a sub interface on the Edge, as mentioned by VMware: "A sub interface cannot be used for HA or Logical Firewall. You can, however, use the IP address of t..." But for a trunk you can create a firewall rule and select from the vNIC Group the interface name you entered when you were configuring the trunk interface in the interface tab.

[Screenshot: Edge interfaces]

[Screenshot: Firewall vNIC Group drop-down menu]

This is how you can do it. But let me ask you, why do you want to do this? We can find a different solution that is easier and more supportable. Share your business requirement or the design you want to go with and let's think it through together.

I hope this answers your question, and I hope it becomes an answer or a helpful comment for you. Also, for more details and more information, just follow my blog: https://www.syncgates.com

Mostafa Fahmy