Just connected with you on LinkedIn, fellow tech comrade! Under Phillip Balderos.
When I realised that we are working in the same company!! LOL
But Mike.... my VMware SE told me I should always use tags!!!
You're telling me I can just block an IP without the 5 extra clicks of putting it into a group?!?!?! - MADNESS. 😂
Haha! You just described me perfectly... but I thought it was super cool that this is NOT a huge PITA anymore.
I used that process with my last customer.
How about doing it on the L7 firewall?
Regarding the rule, now web02a could not ping itself, right?
Any suggestions for a lab or something to use to pass the NSX Deploy VCAP?
Looking for some advice. I have 3 Dell Power Edge T320 servers running ESXi 7.0. I also have a VMUG advantage subscription which gives me access to NSX-T amongst other products. I am deploying NSX-T to my lab and wondering if I need to have a 4th server to deploy edge? I kind of wanted to do a compute domain and workload domain to follow along with some hands on labs I found on line. Am I over thinking it?
What is the specs on your Dell T320's? RAM/CPU?
@NRDYTech 32 GB RAM each, and the CPU is Intel Xeon E5-1400 v1 or v2 or E5-2400 v1.
If it was me, I would do this: T320 #1 - vCenter (12 GB), 2x nested ESXi (8 GB RAM each). T320 #2 - 2x more nested ESXi (12 GB each - use these as the hosts that you'll run your NSX edges on). T320 #3 - NSX-T Manager. That's it! Just nested ESXi and it's a tight fit, but you can make it all work with what you've got.
@NRDYTech Nice! Thank you! I will give it a shot with that config.
Thank you, sir!! Can you please tell us, if I apply the same rule on the gateway firewall and DFW, which one would take precedence? I would imagine it is DFW, since it sits in the VMkernel and the gateway is on the edge SR component.
DFW is always processed first! The gateway is processed as traffic goes through it. For inbound traffic from the internet, that means it would hit the gateway FW first. But for normal outbound traffic from the VM, DFW first.
@NRDYTech Hey Mike, great vid, I can't believe all this time I totally ignored the fact that you can directly add IP addresses in the source and destination sections 🤣
BTW, I was just wondering if you had any experience with customers who started with VLAN-backed rules but are going to start using overlay-backed networks and will have a mixture of overlay and VLAN-backed DFW rules. The reason I ask is:
What if the customer was doing simple L2 intra-VLAN protection using DFW, but complex L3 inter-VLAN protection is performed at the physical firewall? Now, if overlay-backed networks are introduced, they can do more complex rules within DFW, as the rules don't need to be defined at the physical firewall level, but in turn they may interfere with the existing VLAN rules.
The only way I can think of is by creating separate groups and rules to ensure the VLAN and overlay rules don't mix with one another, or is there a better way?
Hope you don't mind me asking, and keep up the great work!!!
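Two things from the thread above are easy to show in the NSX-T Policy API rather than the UI: the "no group needed" pattern (an IP or CIDR dropped straight into a rule's source/destination) and one way to keep VLAN-backed and overlay-backed rules from interfering, by giving each policy's rules their own Applied To (the rule's `scope` field) so a VLAN rule is never evaluated on an overlay VM and vice versa. This is an added example, not code from NRDYTech's video or from VMware; the field names and the PATCH path are the NSX-T Policy API, while the NSX Manager hostname, group paths, policy and rule IDs and sample IPs are assumptions made for the example. The `patch_command` helper returns the curl call instead of executing it, so the script runs offline.

```python
"""Build NSX-T DFW policy payloads for the two patterns discussed above.
Added example; manager host, group paths, IDs and IPs are assumed values."""
import ipaddress
import json

DOMAIN = "/infra/domains/default"
POLICY_PATH = "/policy/api/v1/infra/domains/default/security-policies/{}"


def valid_endpoint(entry):
    """A source/destination entry is ANY, a group path, or an IP address/CIDR.
    Anything else (e.g. the typo '10.1.1.300' or a bare hostname) is rejected."""
    if entry == "ANY" or entry.startswith(DOMAIN + "/groups/"):
        return True
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def make_rule(rule_id, sources, destinations, action="DROP",
              services=("ANY",), scope=("ANY",), seq=1):
    """One DFW rule. 'scope' is the rule's Applied To: group paths or ANY."""
    for entry in list(sources) + list(destinations):
        if not valid_endpoint(entry):
            raise ValueError(f"bad DFW endpoint {entry!r}")
    return {
        "resource_type": "Rule",
        "id": rule_id,
        "display_name": rule_id,
        "source_groups": list(sources),
        "destination_groups": list(destinations),
        "services": list(services),
        "scope": list(scope),
        "action": action,          # ALLOW, DROP or REJECT
        "direction": "IN_OUT",
        "ip_protocol": "IPV4_IPV6",
        "sequence_number": seq,
        "logged": True,            # log hits so the rule can be verified in vRLI/syslog
    }


def make_policy(policy_id, rules, category="Application", seq=10):
    """A security policy (a DFW section) wrapping its rules; lower seq is evaluated first."""
    return {
        "resource_type": "SecurityPolicy",
        "id": policy_id,
        "display_name": policy_id,
        "category": category,      # Ethernet, Emergency, Infrastructure, Environment, Application
        "sequence_number": seq,
        "scope": ["ANY"],
        "rules": rules,
    }


def block_ip_policy(bad_ip):
    """Pattern 1: the raw IP/CIDR is the source; no group object is created."""
    rule = make_rule("drop-" + bad_ip.replace("/", "_"), [bad_ip], ["ANY"])
    return make_policy("blocklist", [rule], category="Emergency", seq=1)


def split_vlan_overlay_policies(vlan_group, overlay_group):
    """Pattern 2: one policy per network type, every rule Applied To only its own group."""
    vlan = make_policy("vlan-intra", [
        make_rule("vlan-deny-lateral", [vlan_group], [vlan_group], scope=[vlan_group]),
    ], seq=20)
    overlay = make_policy("overlay-app", [
        make_rule("overlay-https", [overlay_group], [overlay_group], action="ALLOW",
                  services=["/infra/services/HTTPS"], scope=[overlay_group], seq=1),
        make_rule("overlay-default-drop", ["ANY"], ["ANY"], scope=[overlay_group], seq=99),
    ], seq=30)
    return vlan, overlay


def scopes_disjoint(policy_a, policy_b):
    """True when the two policies' rules share no Applied To group and neither uses ANY,
    i.e. no VM can have rules from both policies evaluated against it."""
    def scopes(policy):
        found = set()
        for rule in policy["rules"]:
            found.update(rule["scope"])
        return found
    a, b = scopes(policy_a), scopes(policy_b)
    return "ANY" not in (a | b) and not (a & b)


def patch_command(nsx_host, policy):
    """The curl call that would push the policy; returned as a string, not executed.
    -k is only for a lab manager with a self-signed cert; drop it once a trusted cert is installed."""
    body = json.dumps(policy)
    return ("curl -k -u admin -X PATCH -H 'Content-Type: application/json' "
            f"https://{nsx_host}{POLICY_PATH.format(policy['id'])} -d '{body}'")


if __name__ == "__main__":
    print(patch_command("nsx-mgr.lab.local", block_ip_policy("10.10.10.5")))
    vlan, overlay = split_vlan_overlay_policies(
        DOMAIN + "/groups/vlan-100-vms", DOMAIN + "/groups/overlay-app-vms")
    print("scopes disjoint:", scopes_disjoint(vlan, overlay))
```

The point of `scopes_disjoint` is the check a practitioner wants before mixing the two rule sets: separate groups in source/destination alone do not stop a VLAN rule from being pushed to every VM's vNIC when Applied To is left at ANY (the DFW default), whereas scoping each policy to its own group keeps the rule sets from being evaluated on each other's workloads.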