1 basic question.
To use NSX Micro Segmentation for virtual workloads, is it mandatory to have VMtools on the virtual workloads?
For ex - I have a virtual workload (appliance kind) in which no VMtools are installed.
Can it be part of NSX Micro Segmentation where policies can be applied?
Hello,
Kindly check the below NSX features which will help in the absence of VMware Tools:
Please consider marking this answer "CORRECT" or "Helpful" if you think your question has been answered correctly.
Cheers,
VCIX6-NV|VCP-NV|VCP-DC|
Dear nsxv4746,
You can always use micro-segmentation for any virtual workload with NSX-v; however, if VMtools are not installed, then IP-based discovery is the way out.
Beyond that, I would suggest you refer to these articles to get a better understanding of which feature and method you want to use, as it has a context-aware segmentation feature which could be useful.
https://www.virtual-allan.com/vmware-nsx-for-vsphere-6-4-released/
IP address discovery mechanisms for VMs: Authoritative enforcement of security policies based on VM names, or other vCenter-based attributes requires that NSX know the IP address of the VM. NSX 6.2 introduced the option to discover the VM's IP address using DHCP snooping, or ARP snooping. In NSX 6.4.0, the number of ARP discovered IPs have been increased up to 128 and are configurable from 1 to 128. These new discovery mechanisms enable NSX to enforce IP address-based security rules on VMs that do not have VMware Tools installed.
As others mentioned above, VMware Tools is used as the default method of mapping virtual machine objects to actual IP addresses. Since the firewall is ultimately enforced based on translated IPs, NSX needs some way to determine each VM's IPs. That said, you only need VMware Tools or some other IP detection mechanism enabled (like ARP/DHCP snooping) if you are using inventory objects - like VMs, clusters, etc. - in your firewall rules. For VMs that can't have Tools installed, or if you don't want to use ARP snooping, you could create IP sets that contain the IP addresses of VMs.
I talk a bit about IP detection in NSX troubleshooting scenario 5 if you are interested in learning more:
https://vswitchzero.com/2018/02/26/nsx-troubleshooting-scenario-5-solution/
Thanks,
Mike
I have a few VMs which have the below VMtools running.
It's mentioned as guest managed. So is it fine, so that NSX detects it automatically by itself?
Yep, that's totally fine - from an NSX perspective, any version of Tools should work. This includes "guest managed" versions based on open-vm-tools.