Our monthly webcasts always generate excellent questions from the audience. A few weeks ago, John Krueger, Principal Instructor for VMware Network and Virtualization training courses, delivered Introduction to Micro-segmentation with VMware NSX, and the questions were, as always, great. We pulled a few of them below, but you can read the entire list and watch the recording at your own convenience.


How many guest introspection virtual machines are needed for anti-virus functionality?
Guest introspection solutions will have one service virtual machine deployed per hypervisor.

Is it possible to live monitor in vRNI?
vRNI leverages IPFIX for flow monitoring. The DFW kernel modules collect and forward flow data every 10 seconds.

How would other network equipment like firewalls and routers read the security tags? What is required of them?
Security tags are an NSX construct, as such, physical network devices have no visibility.

Is there a use case where micro-segmentation can prevent a malware attack like WannaCry? Can you expand on this?
Here is a good resource to begin looking at leveraging micro-segmentation for malware prevention.

Do we need to extend a network segment within NSX? We will be using VXLANs. Other options?
We can use VXLAN Logical Switches in NSX for extending networks, and we can support L2 bridging from VXLAN networks to your existing VLAN networks, if necessary.

Can you export the NSX database and use that to “restore” NSX on a new Virtual Computer?
NSX does have a built-in backup/recovery system. For keeping multiple NSX/vCenter instances in sync, however, a programmatic workflow is the better way to approach the requirement.

Is there any NSX function that will fail if vCenter goes down? For example, patch Virtual Computer and reboot.
If vCenter is unavailable, then CRUD operations (Create, Remove, Update, Delete) will be unavailable until vCenter returns to service. To your example, if vCenter is being patched, that is likely during an outage window already, so there should be no issue.

Is there a limit on the number of ACLs that can be applied on an interface/VM?
A given vNIC can have up to 1000 firewall rules applied.
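As an added example (not from the webcast or from VMware), the check below counts enabled DFW rules per vNIC from a firewall configuration export so the 1000-rule limit can be spotted before it is reached. The XML is a constructed sample modelled on an NSX-v export, the vNIC-to-VM inventory is assumed, and only the DISTRIBUTED_FIREWALL, VirtualMachine and Vnic appliedTo types are resolved; anything else is reported as unresolved rather than guessed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample shaped like an NSX-v DFW export (GET /api/4.0/firewall/globalroot-0/config), reduced to what the counter reads.
SAMPLE_DFW_EXPORT = """<firewallConfiguration>
 <layer3Sections>
  <section id="1007" name="Web tier">
   <rule id="1010" disabled="false"><name>Allow HTTPS to web</name><action>allow</action>
    <appliedToList><appliedTo><type>VirtualMachine</type><value>vm-101</value></appliedTo></appliedToList></rule>
   <rule id="1011" disabled="true"><name>Retired rule</name><action>allow</action>
    <appliedToList><appliedTo><type>VirtualMachine</type><value>vm-101</value></appliedTo></appliedToList></rule>
   <rule id="1012" disabled="false"><name>Block mgmt from web</name><action>deny</action>
    <appliedToList><appliedTo><type>Vnic</type><value>vnic-web-1</value></appliedTo></appliedToList></rule>
   <rule id="1013" disabled="false"><name>DB tier</name><action>allow</action>
    <appliedToList><appliedTo><type>SecurityGroup</type><value>securitygroup-10</value></appliedTo></appliedToList></rule>
  </section>
  <section id="1008" name="Default Section Layer3">
   <rule id="1003" disabled="false"><name>Default Rule</name><action>allow</action>
    <appliedToList><appliedTo><type>DISTRIBUTED_FIREWALL</type><value>DISTRIBUTED_FIREWALL</value></appliedTo></appliedToList></rule>
  </section>
 </layer3Sections>
</firewallConfiguration>"""
# Assumed inventory mapping vNIC -> VM (in practice taken from vCenter/NSX inventory).
VNIC_TO_VM = {"vnic-web-1": "vm-101", "vnic-web-2": "vm-101", "vnic-db-1": "vm-202"}
VNIC_RULE_LIMIT = 1000  # per-vNIC limit quoted in the Q&A

def rules_per_vnic(export_xml, vnic_to_vm):
    """Return ({vnic: enabled rule count}, unresolved appliedTo entries).
    Security groups, clusters and unknown ids need inventory resolution, so they are only counted as unresolved."""
    root = ET.fromstring(export_xml)
    counts, unresolved = defaultdict(int), 0
    for rule in root.iter("rule"):
        if rule.get("disabled") == "true":
            continue  # disabled rules are not pushed to the vNIC filter
        targets = set()  # a rule counts once per vNIC, however many appliedTo entries hit it
        for applied in rule.iter("appliedTo"):
            kind, value = applied.findtext("type"), applied.findtext("value")
            if kind == "DISTRIBUTED_FIREWALL":
                targets.update(vnic_to_vm)  # applies to every vNIC
            elif kind == "VirtualMachine":
                targets.update(v for v, vm in vnic_to_vm.items() if vm == value)
            elif kind == "Vnic" and value in vnic_to_vm:
                targets.add(value)
            else:
                unresolved += 1
        for vnic in targets:
            counts[vnic] += 1
    return dict(counts), unresolved

def near_limit(counts, limit=VNIC_RULE_LIMIT, margin=0.9):
    """vNICs whose enabled rule count is at or above margin * limit, sorted."""
    return sorted(v for v, n in counts.items() if n >= limit * margin)
```

A non-zero unresolved count means the per-vNIC totals are a lower bound until those containers are expanded against the inventory.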

How do you troubleshoot when NSX is blocking traffic or allowing traffic that it shouldn’t?
To start with, you can verify whether a flow is being filtered by a firewall with the help of Traceflow. I would suggest you look at this documentation.