VMware Networking Community
3back
Enthusiast

Windows vCenter with NSX 6.3.5 Exclusion List issue

Hi All

My customer is currently using a bare-metal Windows vCenter. I followed the link below, but it only lets you put VMs in the Exclusion List. How can I get the same effect with a Windows vCenter?

NSX 6 Documentation Center

0 Kudos
4 Replies
Sreec
VMware Employee

The DFW Exclusion List is only for virtual objects, either service VMs or workload/management VMs. However, you could still configure rules based on IPs/IP sets at the DFW/Edge level for any incoming/outgoing traffic, irrespective of the workload type (physical/virtual). So my advice would be to leverage a traditional firewall, since VC is bare-metal, or allow-only rules for VC to communicate with the management VMs if there is a use case.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
3back
Enthusiast

Thanks Sreec. The customer is not skilled in the DFW environment. They could possibly input a mistake that makes the whole vCenter malfunction, such as (deny any any). Should I just follow your advice to do it?

0 Kudos
Sreec
VMware Employee

By default, traffic is allowed for both L2/L3 rules; just keep that in mind. If you are worried about deny rules getting pushed, it is better to exclude management components (for example AD/DNS/NTP, if they are running in VM form factor) to start off with, and while the customer gains more knowledge/confidence with the product, you should educate them regarding the usage of the various rule creation options and the general considerations to be followed.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
0 Kudos
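As an added illustration of the two points above (IP-set based allow rules for a bare-metal VC, and the fear of a "deny any any" being pushed), here is a small checker that is not part of the thread or of NSX: it walks an ordered, first-match rule list with a default-allow action (as NSX-v DFW does) and reports which of vCenter's required flows a ruleset would block. The rule and IP-set format is a constructed stand-in, not the NSX API, and all addresses are assumed.

```python
"""Constructed checker: simulate first-match DFW-style evaluation against the
flows vCenter needs and flag rules that would break them."""
import ipaddress

# Constructed IP sets (assumed addresses, not taken from the thread)
IP_SETS = {
    "vcenter": ["10.0.1.10/32"],
    "mgmt_services": ["10.0.1.20/32", "10.0.1.21/32"],  # e.g. AD and DNS VMs
    "any": ["0.0.0.0/0"],
}

def in_set(ip, name):
    """True if ip falls inside any prefix of the named IP set."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in IP_SETS[name])

def evaluate(rules, src, dst, default="allow"):
    """First matching rule wins; fall through to the default action (allow)."""
    for r in rules:
        if in_set(src, r["src"]) and in_set(dst, r["dst"]):
            return r["action"], r["name"]
    return default, None

def required_flows():
    """Flows the thread says vCenter needs: vCenter <-> management VMs, both ways."""
    flows = []
    for m in ("10.0.1.20", "10.0.1.21"):
        flows += [("10.0.1.10", m), (m, "10.0.1.10")]
    return flows

def check_policy(rules):
    """Return (src, dst, blocking rule name) for every required flow not allowed."""
    broken = []
    for src, dst in required_flows():
        action, name = evaluate(rules, src, dst)
        if action != "allow":
            broken.append((src, dst, name))
    return broken

# Constructed ruleset: a catch-all block placed ABOVE the vCenter allow rule
RISKY = [
    {"name": "catch-all", "src": "any", "dst": "any", "action": "block"},
    {"name": "vc-to-mgmt", "src": "vcenter", "dst": "mgmt_services", "action": "allow"},
]
# Same intent, with explicit allow rules in both directions ordered before the catch-all
SAFE = [
    {"name": "vc-to-mgmt", "src": "vcenter", "dst": "mgmt_services", "action": "allow"},
    {"name": "mgmt-to-vc", "src": "mgmt_services", "dst": "vcenter", "action": "allow"},
    {"name": "catch-all", "src": "any", "dst": "any", "action": "block"},
]

if __name__ == "__main__":
    print("risky:", check_policy(RISKY))  # four flows blocked by 'catch-all'
    print("safe:", check_policy(SAFE))    # []
```

Running the check against a proposed ruleset before it is published is the kind of guardrail that catches a misordered catch-all while the customer is still learning the product.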
dyadin
Enthusiast

Normally vCenter needs two kinds of communication:

1. vCenter <--> ESXi management vmkernel.

In your case, vCenter will not be affected by any DFW rules in this situation, because neither of them is managed by NSX DFW; their communication simply does not go through DFW.

2. vCenter <--> other management VMs like vROps, vRealize Automation, DNS, AD, etc.

In this situation, communication might be affected; the solution is to add all these management VMs to the NSX exclusion list.

Please consider marking this answer "correct" or "helpful" if you think your query has been answered correctly. Cheers, Matt Zhang VCIX-NV | VCP-NV-CMA-DTM | CCDA | CCIE R&S
0 Kudos