Hi,
I have an interesting question. Is the concept described below possible with NSX (natively or creatively)? The idea is to force all internet-bound traffic to pass a specific VM, not for routing, just layer 2 packet flow. In the example below, VM1 (192.168.1.50), which resides on host ESX1, wants to get to the internet using its gateway 192.168.1.254, a physical firewall. I would like it so that packets must flow via VM2 as illustrated by the orange line in the (sloppy) diagram below. I assume that promiscuous and forged transmit would need to be allowed. In the physical world, this would be equivalent to placing a man-in-the-middle device between the LAN and firewall, so that the flow looks like this: PC > Switch > Man-in-the-middle Device > Firewall.
Also, I have a question about promiscuous mode and forged transmit. When creating a Logical Switch, it automatically creates a dvPortGroup on the appropriate DSwitch (depending on the transport zone config). If I now wish to change the promiscuous/forged security settings for a specific logical switch, do I change it on the PortGroup level? What if the logical switch was pushed to multiple DSwitches, would I need to manually adjust the settings on each PortGroup within each DSwitch?
Take a look at the NSX Design Guide (VMware® NSX for vSphere Network Virtualization Design Guide ver 3.0) for information around this subject.
> If I now wish to change the promiscuous/forged security settings for a specific logical switch, do I change it on the PortGroup level?
Yes, it is always better to enable promiscuous/forged security settings at the PortGroup level instead of the DVSwitch level.
> What if the logical switch was pushed to multiple DSwitches, would I need to manually adjust the settings on each PortGroup within each DSwitch?
This question looks to be a trick, but yes, you have to enable promiscuous/forged security settings at each PG within each DVS.
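An added example (not from this thread or from VMware) of doing exactly what the answer above describes: locate the backing dvPortGroup of one logical switch on every Distributed Switch, report its security policy next to the switch-level default, and only on request relax promiscuous/forged transmit on those portgroups rather than on the whole DVS. It assumes VMware PowerCLI with the VMware.VimAutomation.Vds module and an open Connect-VIServer session; the name filter assumes the NSX-v backing-portgroup naming of vxw-dvs-<id>-virtualwire-<n>-sid-<vni>-<logical switch name>, which is an assumption you should check against your own environment.

```powershell
# Added example, not the forum poster's or VMware's code. Assumes PowerCLI
# (VMware.VimAutomation.Vds) and an existing Connect-VIServer session.
param(
    [Parameter(Mandatory = $true)] [string] $LogicalSwitchName,
    [switch] $Apply   # without -Apply the script only reports, it changes nothing
)

# 1. One logical switch can be backed by a portgroup on several DVSs; collect all of them.
#    Assumption: NSX-v names the backing portgroup "...-sid-<vni>-<logical switch name>".
$backing = foreach ($dvs in Get-VDSwitch) {
    Get-VDPortgroup -VDSwitch $dvs | Where-Object { $_.Name -like "*-$LogicalSwitchName" }
}
if (-not $backing) { throw "No backing portgroup found for logical switch '$LogicalSwitchName'" }

# 2. Report the portgroup policy alongside the DVS default, so a setting that was
#    accidentally relaxed at switch level (affecting every portgroup) stands out.
foreach ($pg in $backing) {
    $pgPol  = Get-VDSecurityPolicy -VDPortgroup $pg
    $dvsPol = Get-VDSecurityPolicy -VDSwitch $pg.VDSwitch
    [pscustomobject]@{
        DVSwitch        = $pg.VDSwitch.Name
        Portgroup       = $pg.Name
        PG_Promiscuous  = $pgPol.AllowPromiscuous
        PG_ForgedTx     = $pgPol.ForgedTransmits
        DVS_Promiscuous = $dvsPol.AllowPromiscuous
        DVS_ForgedTx    = $dvsPol.ForgedTransmits
    }
}

# 3. Apply per portgroup, never per DVS: the relaxed policy then reaches only the
#    VMs attached to this one logical switch, and the loop covers every DVS it spans.
if ($Apply) {
    foreach ($pg in $backing) {
        Get-VDSecurityPolicy -VDPortgroup $pg |
            Set-VDSecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true -Confirm:$false
    }
}
```

Run it without -Apply first; the report step is the useful part to keep around, because promiscuous mode and forged transmits let any VM on that portgroup observe or impersonate its neighbours, so knowing exactly which portgroups (and not which switches) carry the relaxed policy is what keeps the exposure limited to the inline VM the thread is asking about.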
Hi,
Thanks for the info. Could you possibly point me to the section in which this design is described?