BlueGrass168
Contributor
Contributor

Do I still have to setup Tier 0 and 1 Gateways if I just want to use NSX Distributed Firewall

Hello,

 

I am new to Nsx and running a Trial license and see if Nsx is beneficial to my network.

 

In my understanding of the NSX Distributed Firewall, it works on the Distribution Switch level.

 

I want to know if I do not need to set up Tier 0 and 1 Gateways.

 

I can find my VM on the inventory group now,

And I have set up a Firewall rule to try to block a VM Guest under the Distribution Switch, but no luck yet.

0 Kudos
6 Replies
ShahabKhan
VMware Employee
VMware Employee

No you don't need T0 & T1 for micro-segmentation only use-case.

jeffersonc47
Enthusiast
Enthusiast

As mentioned you do not need T0s/T1s if you're just using distributed firewall. You have two options for a security-only use case:

* Use the quick start wizard to do a security only deployment (see https://blog.redlogic.nl/en/nsxt-32-dfw-vds for an example). This will only install/configure the pieces of NSX-T needed for the DFW (and other security components).

* Do a standard deployment but simply don't deploy any overlay networks/gateways/etc. This is a little more work up front in that you need to configure host TEPs, but it provides a simpler migration path if you decide you want overlay networks later. (If you deploy security-only using the quick-start wizard above, you have to completely unconfigure/reconfigure the hosts if you decide you want to add overlay networks.)

BlueGrass168
Contributor
Contributor

Um... I saw the Blog and it said Cluster needed.

 

So, I have to set up 3-node Cluster with Virtual IP anyway first, right?

0 Kudos
ShahabKhan
VMware Employee
VMware Employee

In Production, yes you should have atleast 3 NSX-T Managers cluster deployed. But, for PoC or Lab you can go with single NSX-T Manager.

BlueGrass168
Contributor
Contributor

AR. I find what's wrong here now.

 

It is requesting the VSphere Cluster, not the NSX cluster.

I can deploy the Distribution Firewall via Wizard now.

 

I am trying to remove it and create all the settings manually again.

This will ensure I understand what is going on with the NSZ operation.

 

But then I hit a problem - I wonder if we can not create the Distributed Port Group manually, and it must be created via the Wizard

Seems it is no way for me to create the Distributed Port Group on the below page?

 

Q1.JPG?

Tags (1)
0 Kudos
jdmac
Contributor
Contributor

Will NDS/IPS, NDR and Guest Introspection work on VLAN backed segments?

0 Kudos