– On NSX-T you can create DHCP servers to handle DHCP requests and create DHCP relay services to relay DHCP traffic to external DHCP servers. However, you should not configure a DHCP server on a logical switch and also configure a DHCP relay service on the router port that the same logical switch is connected to.
– With NSX we have the possibility to use NSX Edge Firewalling for North-South traffic and NSX Distributed Firewalling (DFW) for East-West traffic. When you use a centralized firewall in the network, all traffic must be transported through that firewall, which can lead to network overhead and latency. With the DFW there is no need to use or configure a local firewall on each Windows/Linux VM.
– The NSX DFW is active in the hypervisor kernel and enforced on each VM network adapter (vNIC). This setup helps limit lateral movement between VMs and offers centralized configuration independent of the guest OS and applications. When network traffic passes through the firewall and a rule matches the traffic parameters, that rule is enforced and rule processing stops (first match wins). Depending on the matching rule, traffic is either allowed through or blocked.
1/Configure DHCP Server on T1 SR Router:
– Menu Networking > DHCP
– Click add DHCP PROFILE
– Configure Dynamic IP on Tier-1 Gateways
– Click on t1-lab-gw > Edit
– Click Set DHCP Configuration
– Click Save
– Configure DHCP Range Provisioning for the Segment connected to the T1 Gateway
– Click on app-seg-vlan201 > Edit
– Click SET DHCP CONFIG
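The steps above are done in the NSX Manager UI. As an added example (not code from the original page or from VMware), the following Python script models the resulting DHCP layout offline and checks it for the mistakes a practitioner most often makes: the server/relay conflict described at the top of the page, a DHCP range that leaves the segment subnet, and a range that swallows the segment gateway address. The gateway and segment names come from the page; the IP addresses, the "gateway"/"local_server" mode names and the profile field are constructed assumptions for this example.

```python
"""Offline consistency checks for an NSX-T style DHCP layout (added example).

Models a Tier-1 gateway carrying either a DHCP server profile or a DHCP relay
profile, and segments attached to it with optional DHCP ranges. Names
t1-lab-gw and app-seg-vlan201 come from the page; addresses, mode names and
field names are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional, Tuple


@dataclass
class Tier1Gateway:
    name: str
    # "server" -> DHCP server profile attached, "relay" -> DHCP relay profile
    dhcp_profile: Optional[str] = None


@dataclass
class Segment:
    name: str
    gateway_cidr: str                 # segment gateway address with prefix
    connected_to: str                 # name of the Tier-1 gateway
    dhcp_mode: str = "none"           # "none", "gateway" or "local_server"
    dhcp_ranges: List[Tuple[str, str]] = field(default_factory=list)


def validate_segment(seg: Segment, gateways: Dict[str, Tier1Gateway]) -> List[str]:
    """Return a list of problems; an empty list means the segment is consistent."""
    problems: List[str] = []
    iface = IPv4Interface(seg.gateway_cidr)
    subnet = iface.network
    t1 = gateways.get(seg.connected_to)
    if t1 is None:
        return [f"{seg.name}: connected gateway {seg.connected_to!r} does not exist"]

    # Caveat from the page: a DHCP server on the segment must not be combined
    # with a DHCP relay on the gateway port that the same segment connects to.
    if seg.dhcp_mode == "local_server" and t1.dhcp_profile == "relay":
        problems.append(
            f"{seg.name}: local DHCP server conflicts with DHCP relay on {t1.name}")

    # Gateway DHCP on the segment needs a DHCP server profile on the Tier-1.
    if seg.dhcp_mode == "gateway" and t1.dhcp_profile != "server":
        problems.append(
            f"{seg.name}: gateway DHCP selected but {t1.name} has no DHCP server profile")

    if seg.dhcp_mode != "none" and not seg.dhcp_ranges:
        problems.append(f"{seg.name}: DHCP enabled but no range provisioned")

    for start_s, end_s in seg.dhcp_ranges:
        start, end = IPv4Address(start_s), IPv4Address(end_s)
        if start > end:
            problems.append(f"{seg.name}: range {start_s}-{end_s} is reversed")
            continue
        if start not in subnet or end not in subnet:
            problems.append(f"{seg.name}: range {start_s}-{end_s} is outside {subnet}")
        if start <= iface.ip <= end:
            problems.append(f"{seg.name}: range {start_s}-{end_s} includes gateway {iface.ip}")
    return problems


def validate_all(segments: List[Segment],
                 gateways: Dict[str, Tier1Gateway]) -> Dict[str, List[str]]:
    """Validate every segment; maps segment name -> list of problems."""
    return {s.name: validate_segment(s, gateways) for s in segments}


# Constructed sample layout using the page's names.
GATEWAYS = {"t1-lab-gw": Tier1Gateway("t1-lab-gw", dhcp_profile="server")}
SEGMENTS = [
    Segment("app-seg-vlan201", "10.201.0.1/24", "t1-lab-gw",
            dhcp_mode="gateway", dhcp_ranges=[("10.201.0.100", "10.201.0.200")]),
    # Deliberately wrong: the range covers the gateway IP and leaves the subnet.
    Segment("bad-seg", "10.202.0.1/24", "t1-lab-gw",
            dhcp_mode="gateway", dhcp_ranges=[("10.202.0.1", "10.202.1.50")]),
]

if __name__ == "__main__":
    for name, probs in validate_all(SEGMENTS, GATEWAYS).items():
        print(name, "OK" if not probs else probs)
```

Running the script reports app-seg-vlan201 as consistent and lists two problems for bad-seg. The same checks can be run against an export of the intended configuration before it is published, which is cheaper than discovering a silent DHCP failure on a segment after the fact.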
2/Add Firewall Rules in Distributed Firewall (DFW):
Menu Security > Distributed Firewall under East West Security > Tab Application
– Click on Add Policy and give new name
– Add rules to the newly created policy for blocking ICMP traffic and allowing HTTP traffic between the 2 test VMs on the same segment. Edit the Source, Destination and Services of the new rule
– Set Service
– Create another rule for allowing HTTP traffic between the VMs in the group App-Servers
– Click Publish
– Now that the 2 new rules are in effect, VMs on the same app segment cannot ping each other
– But HTTP traffic is still allowed for connecting to the App service
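To show why the rule order in the policy matters, here is an added example (not code from the original page or from VMware) that reproduces the DFW's ordered first-match evaluation over the two rules created above. The group name App-Servers comes from the page; the VM names, the service table and the assumption that the default Layer 3 rule is left at Allow are constructed for this example. The real DFW is stateful and enforced per vNIC; only the ordered-match logic from the text is modelled.

```python
"""First-match evaluation of the page's two DFW rules (added example).

Groups, VM names, flows and the service table are constructed; the default
rule is assumed to be the standard Allow. Shows that an overly broad rule
placed above the ICMP block shadows it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str                 # VM name
    dst: str
    proto: str               # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str              # "ALLOW" or "DROP"
    sources: Set[str]        # group names; "any" matches everything
    destinations: Set[str]
    services: Set[str]       # service names; "any" matches everything


# Constructed service table: name -> (protocol, destination port or None).
SERVICES: Dict[str, Tuple[str, Optional[int]]] = {
    "ICMP": ("icmp", None),
    "HTTP": ("tcp", 80),
    "SSH": ("tcp", 22),
}


def in_group(vm: str, names: Set[str], groups: Dict[str, Set[str]]) -> bool:
    """True if the VM belongs to any listed group (or the list contains "any")."""
    return "any" in names or any(vm in groups.get(g, set()) for g in names)


def service_matches(flow: Flow, names: Set[str]) -> bool:
    """True if the flow's protocol/port matches any listed service."""
    if "any" in names:
        return True
    for n in names:
        proto, port = SERVICES[n]
        if flow.proto == proto and (port is None or flow.dport == port):
            return True
    return False


def evaluate(flow: Flow, rules: List[Rule],
             groups: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Walk the policy top-down; the first matching rule decides and stops processing."""
    for r in rules:
        if (in_group(flow.src, r.sources, groups)
                and in_group(flow.dst, r.destinations, groups)
                and service_matches(flow, r.services)):
            return r.action, r.name
    return "ALLOW", "default-layer3-rule"   # assumption: default rule left at Allow


# Constructed group membership and the two rules from the page.
GROUPS = {"App-Servers": {"app-vm01", "app-vm02"}}
POLICY = [
    Rule("Block ICMP App-Servers", "DROP", {"App-Servers"}, {"App-Servers"}, {"ICMP"}),
    Rule("Allow HTTP App-Servers", "ALLOW", {"App-Servers"}, {"App-Servers"}, {"HTTP"}),
]
# A common mistake: a broad allow rule published above the block rule.
MISORDERED = [
    Rule("Allow any App-Servers", "ALLOW", {"App-Servers"}, {"App-Servers"}, {"any"}),
] + POLICY

if __name__ == "__main__":
    for flow in (Flow("app-vm01", "app-vm02", "icmp"),
                 Flow("app-vm01", "app-vm02", "tcp", 80),
                 Flow("app-vm01", "app-vm02", "tcp", 22)):
        print(flow, "->", evaluate(flow, POLICY, GROUPS), "| misordered:",
              evaluate(flow, MISORDERED, GROUPS))
```

With the policy ordered as on the page, ping between the two app VMs hits the DROP rule, HTTP hits the ALLOW rule, and anything else (SSH here) falls through to the default rule. With the broad allow placed first, the ICMP block is never reached, which is the kind of shadowed rule to look for when a published policy does not behave as expected.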