vrandom yet another random IT blog

NSX & vSphere Standard Switch Compatibility


Is the NSX Distributed Firewall supported on vSphere Standard Switches?

Whilst designing changes to an existing large environment the above question arose today.

TLDR; Yes - but its not supported.


Its important to understand the context of this discussion:

  • The environment in question only requires the Distributed Firewall, not any network virtualization functionality.

Does it work?

Distributed Switches are obviously widely used with NSX as they are required for the network virtualization functionality. However from using NSX in lab environments, I’m sure the distributed firewall functioned across vNics connected to both Standard and Distributed Switches. Was I imagining it?

Testing the DFW

Firstly I created a CoreOS VM, which is connected to a vSphere Standard Switch: net

This VM is connected only to the VSS: vm

Now lets test the existing network connectivity by pinging a Google DNS server:

CoreOS stable (835.11.0)
core@test-vss ~ $ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface         UG        0 0          0 ens192   U         0 0          0 ens192
core@test-vss ~ $ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=54 time=5.65 ms
64 bytes from icmp_seq=2 ttl=54 time=5.34 ms
64 bytes from icmp_seq=3 ttl=54 time=5.49 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.346/5.499/5.652/0.124 ms

Okay so existing connectivity is fully functional, lets create a Distributed Firewall Rule to block ICMP: rules

Now lets retest connectivity with this rule in place:

core@test-vss ~ $ ping
PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Host Prohibited
From icmp_seq=2 Destination Host Prohibited
From icmp_seq=3 Destination Host Prohibited
From icmp_seq=4 Destination Host Prohibited
--- ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2999ms


So the Distributed Firewall does function on VSS connected vNics. However, given the confusion we reached out to VMware and recieved the below clarification:

[VMware] GSS division will not officially support DFW on VSS.

So there you have it, it does work, but isn’t supported by VMware, so obviously shouldn’t be utilized in production environments.


I’m still waiting on a clear public reference for this, and will update this post once one is provided.