– On NSX-T you can create DHCP servers to handle DHCP requests and create DHCP relay services to relay DHCP traffic to external DHCP servers. However, you should not configure a DHCP server on a logical switch and also configure a DHCP relay service on a router port to which the same logical switch is connected.

– With NSX we can use NSX Edge Firewalling for North-South traffic and the NSX Distributed Firewall (DFW) for East-West traffic. When you use a centralized firewall in the network, the system must transport all traffic through the host firewall, which can lead to network overhead and latency (there is no need to use or configure a local firewall on each Windows/Linux VM).

– The NSX DFW is active in the hypervisor kernel and enforced on each VM network adapter. This setup can help limit lateral movement between VMs and offers centralized configuration independent of the guest OS and applications. When network traffic travels through the firewall and the system finds a rule that matches the traffic parameters, the system enforces that rule and processing stops. When a rule matches, the traffic is either allowed through or blocked, according to the rule's configuration.

1/ Configure DHCP Server on T1 SR Router:

– Menu Networking > DHCP

– Click add DHCP PROFILE

– Configure Dynamic IP on Tier-1 Gateways

– Click on t1-lab-gw > Edit

– Click Set DHCP Configuration

– Click Save

– Configure DHCP Range Provisioning for the Segment connected to the T1 Gateway

– Click on app-seg-vlan201 > Edit


2/ Add Firewall Rules in Distributed Firewall (DFW):

Menu Security > Distributed Firewall (under East West Security) > Application tab

– Click on Add Policy and give the new policy a name

– Add rules to the newly created policy for blocking ICMP traffic and allowing HTTP traffic between the 2 test VMs on the same segment. Edit Source, Destination and Services of the new rule

– Set Service

– Create another rule for allowing HTTP traffic between the VMs in the group App-Servers

– Click Publish

– Now, with the 2 new rules in effect, VMs on the same app segment cannot ping each other

– But HTTP traffic for connecting to the App service is still allowed
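The two rules from step 2 expressed as an NSX-T Policy API payload, together with a small first-match check that mirrors how the DFW processes rules (an added example, not from the original post; the group path /infra/domains/default/groups/App-Servers, the policy id app-seg-policy and leaving the default rule at ALLOW are assumptions):

```python
# Assumed identifiers (not from the original post): group and policy ids.
APP_SERVERS = "/infra/domains/default/groups/App-Servers"
POLICY_ID = "app-seg-policy"
# NSX-T ships these two services by default.
ICMP_ALL = "/infra/services/ICMP-ALL"
HTTP = "/infra/services/HTTP"
# The finished payload is what you would PATCH to
# https://<nsx-manager>/policy/api/v1/infra/domains/default/security-policies/<POLICY_ID>

def dfw_rule(name, seq, services, action):
    """One rule between members of App-Servers, applied to that group's vNICs."""
    return {
        "resource_type": "Rule",
        "display_name": name,
        "sequence_number": seq,
        "source_groups": [APP_SERVERS],
        "destination_groups": [APP_SERVERS],
        "services": services,
        "scope": [APP_SERVERS],  # Applied To the group, not DFW-wide ANY
        "direction": "IN_OUT",
        "action": action,
    }

def build_policy():
    """Step 2 as a policy in the Application category: drop ICMP, allow HTTP."""
    return {
        "resource_type": "SecurityPolicy",
        "id": POLICY_ID,
        "display_name": POLICY_ID,
        "category": "Application",
        "rules": [
            dfw_rule("Block-ICMP-App", 10, [ICMP_ALL], "DROP"),
            dfw_rule("Allow-HTTP-App", 20, [HTTP], "ALLOW"),
        ],
    }

def evaluate(policy, src_group, dst_group, service, default="ALLOW"):
    """DFW processing order: lowest sequence first, first match wins, then the
    default rule (assumed left at ALLOW, so e.g. SSH between the VMs still passes)."""
    for rule in sorted(policy["rules"], key=lambda r: r["sequence_number"]):
        if (src_group in rule["source_groups"]
                and dst_group in rule["destination_groups"]
                and service in rule["services"]):
            return rule["action"]
    return default

if __name__ == "__main__":
    policy = build_policy()
    print("ICMP:", evaluate(policy, APP_SERVERS, APP_SERVERS, ICMP_ALL))  # DROP
    print("HTTP:", evaluate(policy, APP_SERVERS, APP_SERVERS, HTTP))  # ALLOW
```

Any service not named in either rule (SSH, for example) falls through to the default rule, so the default's action decides whether the segment is otherwise open or closed.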
