One of the challenges for customers who wanted to use NSX-V for microseg only was that the vShield filter had to process all traffic. So that meant increased CPU utilization and packet latency with load even if the DFW wasn't doing any active filtering, just inspection. Yes, you could exclude certain VMs, but most found that difficult operationally. And N-VDS was operationally kludgy in VLAN-backed mode.
With the vSphere 7 vDS and NSX-T 3, is this addressed?
Meaning, can you identify certain otherwise native VLAN-backed PGs to fall under the NSX-T DFW and then be subject to inspection while the other traffic isn't?
Further, can you still use technologies like SpoofGuard to ensure the VM isn't trying to bypass FW rules by IP or MAC masquerading?
Any sort of slideware on this topic would be helpful.
With NSX-T 3.0 and VDS 7.0 you still need to create VLAN-backed segments on NSX-T to be able to use DFW. Native DVS PortGroups are not affected by DFW. This way you can connect only the workloads you want to NSX-T segments, and whatever you leave on a dVPG will remain without inspection. Whatever you connect to an NSX-T segment can have segment profiles (Segment Profiles) configured to use SpoofGuard and other features as well.
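The answer above describes the approach in prose: leave untouched workloads on their native dVPG, and create a VLAN-backed NSX-T segment (with a SpoofGuard profile bound to it) only for the VLAN you want under DFW. The script below is an added example written for this thread, not code from VMware or from either poster. It builds the ordered set of NSX-T Policy API calls for that setup and can optionally send them. The API paths and JSON field names (`/policy/api/v1/infra/segments/...`, `vlan_ids`, `transport_zone_path`, `spoofguard_profile_path`, `address_binding_whitelist`) are assumptions from the NSX-T 3.0 Policy API and should be checked against the API guide for your exact build; the segment name, VLAN ID, transport zone ID and manager address are placeholders.

```python
"""Plan (and optionally apply) the NSX-T Policy API calls that put one workload
VLAN under the DFW while every other dVPG stays untouched.

Added example for the thread above, not vendor code. Field names and paths are
assumed from the NSX-T 3.0 Policy API; verify against your version's API guide.
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Tuple

POLICY_BASE = "/policy/api/v1"
# Assumed default enforcement point path used by the Policy API.
EP_PREFIX = "/infra/sites/default/enforcement-points/default"

Call = Tuple[str, str, Dict]  # (HTTP method, URL path, JSON body)


def plan_vlan_dfw_segment(segment_id: str, vlan_id: int, vlan_tz_id: str,
                          profile_id: str = "spoofguard-ip-mac") -> List[Call]:
    """Return the dependency-ordered PATCH calls for a DFW-enforced VLAN segment.

    1. A SpoofGuard profile that only permits the VM's discovered/manual
       IP+MAC bindings (blocks the masquerading the question asks about).
    2. A VLAN-backed segment in the VLAN transport zone. Only VMs attached to
       this segment get DFW treatment; native dVPGs are never touched.
    3. A security-profile binding map that attaches the SpoofGuard profile to
       the segment.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    for ident in (segment_id, vlan_tz_id, profile_id):
        if not ident or "/" in ident:
            raise ValueError(f"bad Policy API identifier: {ident!r}")

    spoofguard_path = f"/infra/spoofguard-profiles/{profile_id}"
    segment_path = f"/infra/segments/{segment_id}"
    return [
        ("PATCH", f"{POLICY_BASE}{spoofguard_path}", {
            "display_name": profile_id,
            # Assumed NSX-T 3.0 field: enforce address bindings instead of
            # allowing every address (the default profile is permissive).
            "address_binding_whitelist": True,
        }),
        ("PATCH", f"{POLICY_BASE}{segment_path}", {
            "display_name": segment_id,
            "vlan_ids": [str(vlan_id)],
            "transport_zone_path": f"{EP_PREFIX}/transport-zones/{vlan_tz_id}",
        }),
        ("PATCH", f"{POLICY_BASE}{segment_path}/segment-security-profile-binding-maps/default", {
            "spoofguard_profile_path": spoofguard_path,
        }),
    ]


def apply_plan(plan: List[Call], manager: str, user: str, password: str,
               verify_tls: bool = True) -> List[int]:
    """Send each call to NSX Manager with basic auth; return the HTTP statuses.

    Placeholder credentials; in practice use a least-privileged API user and
    keep verify_tls=True (disable only against a lab manager with a self-signed cert).
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    statuses = []
    for method, path, body in plan:
        req = urllib.request.Request(
            f"https://{manager}{path}", data=json.dumps(body).encode(),
            method=method,
            headers={"Authorization": f"Basic {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Dry run: show the calls for a hypothetical "web-vlan100" segment.
    for method, path, body in plan_vlan_dfw_segment("web-vlan100", 100, "vlan-tz"):
        print(method, path, json.dumps(body))
    # apply_plan(plan, "nsxmgr.example.internal", "admin", "...")  # placeholder
```

Workloads you do not re-attach to `web-vlan100` keep their native dVPG and, as the answer states, see no DFW inspection; the check in `plan_vlan_dfw_segment` rejects out-of-range VLAN IDs and identifiers that would be mangled in a Policy API path.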