nsxv4746
Contributor
Contributor

VMtools + NSX Micro Segmentation

Jump to solution

1 basic question.

To use NSX Micro Segmetation for Virutal workloads is it mandatory to have VMtools on the Virtual Work loads.

For ex - I have a virtual workload (appliance kind) in which no VMtools are installed.

Can it be part of NSX Micro Segmentation where policies can be applied ?

0 Kudos
1 Solution

Accepted Solutions
mdac
Enthusiast
Enthusiast

Yep, that's totally fine - from an NSX perspective, any version of Tools should work. This includes "guest managed" versions based on open-vm-tools.

My blog: https://vswitchzero.com Follow me on Twitter: @vswitchzero

View solution in original post

0 Kudos
5 Replies
HassanAlKak88
Expert
Expert

Hello,

Kindly check the below NSX features which will help on absence of VMware tools:

Please consider marking this answer "CORRECT" or "Helpful" if you think your question have been answered correctly.

Cheers,

VCIX6-NV|VCP-NV|VCP-DC|

@KakHassan

linkedin.com/in/hassanalkak


Cheers,
vExpert2020-2019||vExpert-NSX2020||VCIX6-NV||VCAP-NV-DCV||VCP-NV-DC-CMA||CCNA-R&S
Twitter: @KakHassan
LinkedIn: linkedin.com/in/hassanalkak
0 Kudos
Beingnsxpaddy
Enthusiast
Enthusiast

Dear nsxv4746​,

You can always use micro-segmentation for any virtual workload with NSX-v, however if VMtools are not installed then IP based discovery is the way out.

Rest would suggest you to refer these articles, to get better understanding what feature and method you wanna use, as it has context aware segmentation feature which could be useful.

Context-Aware Micro-segmentation - an innovative approach to Application and User Identity Firewall ...

https://www.virtual-allan.com/vmware-nsx-for-vsphere-6-4-released/

IP address discovery mechanisms for VMs: Authoritative enforcement of security policies based on VM names, or other vCenter-based attributes requires that NSX know the IP address of the VM. NSX 6.2 introduced the option to discover the VM's IP address using DHCP snooping, or ARP snooping. In NSX 6.4.0, the number of ARP discovered IPs have been increased up to 128 and are configurable from 1 to 128.  These new discovery mechanisms enable NSX to enforce IP address-based security rules on VMs that do not have VMware Tools installed.

Regards Pradhuman VCIX-NV, VCAP-NV, vExpert, VCP2X-DCVNV If my Answer resolved your query don't forget to mark it as "Correct Answer".
0 Kudos
mdac
Enthusiast
Enthusiast

As others mentioned above, VMware tools is used as the default method of mapping virtual machine objects to actual IP addresses. Since the firewall is ultimately enforced based on translated IPs, NSX needs some way to determine each VMs IPs. That said, you only need VMware Tools or some other IP detection mechanism enabled (like ARP/DHCP snooping) if you are using inventory objects - like VMs, clusters, etc - in your firewall rules. For VMs that can't have tools installed, or if you don't want to use ARP snooping, you could create IP sets that contain the IP addresses of VMs.

I talk a bit about IP detection in NSX troubleshooting scenario 5 if you are interested in learning more:

https://vswitchzero.com/2018/02/26/nsx-troubleshooting-scenario-5-solution/

Thanks,

Mike

My blog: https://vswitchzero.com Follow me on Twitter: @vswitchzero
0 Kudos
nsxv4746
Contributor
Contributor

I have few VMs which has the below VMtools running.

pastedImage_0.png

Its mentioned guest managed. So is it fine so that the NSX detects it automatically by itself.

0 Kudos
mdac
Enthusiast
Enthusiast

Yep, that's totally fine - from an NSX perspective, any version of Tools should work. This includes "guest managed" versions based on open-vm-tools.

My blog: https://vswitchzero.com Follow me on Twitter: @vswitchzero

View solution in original post

0 Kudos