Easy Segmentation & Operation with NSX-T 3.0
In NSX-T Data Center, segments are virtual layer 2 domains. NSX-T supports both VLAN-backed and overlay-backed segmentation. VLAN-backed segments are usually used to bridge traffic to devices outside of the NSX-T deployment, such as a gateway or a physical firewall. In this blog, we will look at how easy segmentation and its day-to-day operation are with NSX-T 3.0, using the overlay-backed option.
In an overlay-backed segment, L2 traffic between VMs on different hosts is tunneled between the hosts. NSX-T instantiates and maintains this IP tunnel without the need for any segment-specific configuration on the physical switches. As a result, the virtual network infrastructure is decoupled from the physical network infrastructure.
Segmentation Considerations
Firstly, by default the maximum number of MAC addresses that can be learned on an overlay-backed segment is 2048. This limit can be changed using the API; in practice, however, the default is more than sufficient for most enterprise needs.
Along with segments, NSX-T also provides various segment profiles to address the QoS, IP discovery, security and other needs of the LAN. For instance, you can apply a specific QoS policy to preferred traffic to guarantee its performance, and you can use IP discovery mechanisms such as DHCP snooping and ARP snooping.
As shown in the above diagram, three segments are created to demonstrate segmentation: Web, App, and DB. Each segment has its own subnet, and the VMs attached to it are assigned IP addresses from that subnet. Please note that the subnet assignment can be done statically or using DHCP.
Segments Configuration & Verification
All three segments shown in the above topology can be configured by following the steps below.
- On the NSX UI Home page, navigate to Networking – Connectivity – Segments.
- Click Add SEGMENT and configure the segment:

| Option | Action |
| --- | --- |
| Segment Name | Enter Web-Segment |
| Connectivity | Select None (default) |
| Transport Zone | Select PROD-OVERLAY-TZ |
| Subnets | Enter 172.16.10.1/24 |

As shown above, leave the default values for all the other options.
Finally, click Save and exit the segment configuration window.
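As an added example (not from the original post), the Python below expresses the three segments declaratively, checks that their gateway prefixes are valid and non-overlapping before anything is pushed, and builds the request bodies for the NSX-T Policy API segment endpoint (PATCH /policy/api/v1/infra/segments/<id>, following the Policy API's segment schema). The Web-Segment values are the ones from the table above; the App and DB subnets and the transport-zone UUID in the path are constructed placeholders.

```python
import ipaddress

# Assumption: transport-zone path for PROD-OVERLAY-TZ; replace the placeholder
# UUID with the real one from the Policy API transport-zones listing.
TZ_PATH = ("/infra/sites/default/enforcement-points/default/"
           "transport-zones/<PROD-OVERLAY-TZ-uuid>")

# Web-Segment values are from the blog; App and DB subnets are constructed here.
SEGMENTS = {
    "Web-Segment": "172.16.10.1/24",
    "App-Segment": "172.16.20.1/24",
    "DB-Segment": "172.16.30.1/24",
}

def validate_segments(segments):
    """Return a list of problems: unparsable gateway, gateway that is the
    network or broadcast address, or subnets that overlap each other."""
    problems, nets = [], {}
    for name, gw in segments.items():
        try:
            iface = ipaddress.ip_interface(gw)
        except ValueError:
            problems.append(f"{name}: '{gw}' is not a valid gateway/prefix")
            continue
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: gateway {iface.ip} is not a host in {net}")
        for other, other_net in nets.items():
            if net.overlaps(other_net):
                problems.append(f"{name} ({net}) overlaps {other} ({other_net})")
        nets[name] = net
    return problems

def segment_payload(name, gateway, tz_path=TZ_PATH):
    """Body for PATCH /policy/api/v1/infra/segments/<name>. Connectivity is
    None as in the blog, so no connectivity_path (gateway) is set."""
    return {
        "display_name": name,
        "transport_zone_path": tz_path,
        "subnets": [{"gateway_address": gateway}],
    }

def build_all(segments):
    """Validate first, then return {API path: payload} for every segment."""
    problems = validate_segments(segments)
    if problems:
        raise ValueError("; ".join(problems))
    return {f"/policy/api/v1/infra/segments/{name}": segment_payload(name, gw)
            for name, gw in segments.items()}
```

Running the validation before the PATCH calls catches the two mistakes that most often break a Web/App/DB design: a gateway typed as the network address, and two tiers accidentally sharing address space.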
Once the segments are created, you can easily verify them using the NSX-T UI, the vCenter UI and the CLI.
You can also verify the created segments from the CLI on the NSX Manager.
As shown above, once a segment is created it appears as a port group in vCenter. The next step is to map the appropriate VMs to their corresponding segments. Once the VMs are attached to the segments, you will be able to establish connectivity between VMs in the same segment.
Furthermore, NSX-T also gives various UI options to verify the created segments, including the associated virtual machines, the topology, and the traffic seen in each segment. Additionally, connectivity can be verified using the NSX-T Traceflow feature, which traces the traffic through each touch-point in the path. Some screenshots of this are given below.
Summary & Next Steps
In short, the visibility and verification improvements added as part of NSX-T 3.0 take the overall solution to the next level. In particular, the topology view and Traceflow are features to look for when you run the solution as part of your Day 2 operations. Finally, I would also recommend reading the other related blogs: “Exploring distributed IDS”, NSX micro-segmentation, and NSX-based DMZ. Happy learning!