NSX & vSphere Standard Switch Compatibility13 Apr 2016
Is the NSX Distributed Firewall supported on vSphere Standard Switches?
Whilst designing changes to an existing large environment the above question arose today.
TLDR; Yes - but its not supported.
Its important to understand the context of this discussion:
- The environment in question only requires the Distributed Firewall, not any network virtualization functionality.
Does it work?
Distributed Switches are obviously widely used with NSX as they are required for the network virtualization functionality. However from using NSX in lab environments, I’m sure the distributed firewall functioned across vNics connected to both Standard and Distributed Switches. Was I imagining it?
Testing the DFW
Firstly I created a CoreOS VM, which is connected to a vSphere Standard Switch:
This VM is connected only to the VSS:
Now lets test the existing network connectivity by pinging a Google DNS server:
CoreOS stable (835.11.0) core@test-vss ~ $ netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 10.9.22.193 0.0.0.0 UG 0 0 0 ens192 10.9.22.0 0.0.0.0 255.255.255.0 U 0 0 0 ens192 core@test-vss ~ $ ping 188.8.131.52 PING 184.108.40.206 (220.127.116.11) 56(84) bytes of data. 64 bytes from 18.104.22.168: icmp_seq=1 ttl=54 time=5.65 ms 64 bytes from 22.214.171.124: icmp_seq=2 ttl=54 time=5.34 ms 64 bytes from 126.96.36.199: icmp_seq=3 ttl=54 time=5.49 ms ^C --- 188.8.131.52 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 5.346/5.499/5.652/0.124 ms
Okay so existing connectivity is fully functional, lets create a Distributed Firewall Rule to block ICMP:
Now lets retest connectivity with this rule in place:
core@test-vss ~ $ ping 184.108.40.206 PING 220.127.116.11 (18.104.22.168) 56(84) bytes of data. From 22.214.171.124: icmp_seq=1 Destination Host Prohibited From 126.96.36.199: icmp_seq=2 Destination Host Prohibited From 188.8.131.52: icmp_seq=3 Destination Host Prohibited From 184.108.40.206: icmp_seq=4 Destination Host Prohibited ^C --- 220.127.116.11 ping statistics --- 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2999ms
So the Distributed Firewall does function on VSS connected vNics. However, given the confusion we reached out to VMware and recieved the below clarification:
[VMware] GSS division will not officially support DFW on VSS.
So there you have it, it does work, but isn’t supported by VMware, so obviously shouldn’t be utilized in production environments.
I’m still waiting on a clear public reference for this, and will update this post once one is provided.