Which Virtual Machine cannot be protected by the Distributed Firewall?
A. A Virtual Machine connected to a vDS Portgroup running on an ESXi 5.1 host.
B. A Virtual Machine connected to a vSS Portgroup running on an ESXi 5.5 host.
C. A Virtual Machine connected to a vDS Portgroup running on an ESXi 5.5 host.
D. A Virtual Machine connected to a logical switch running on an ESXi 5.1 host.
B - vSS Groups are not supported on NSX-V
I agree, I also think it should be B.
I think it is D:
We can use NSX dFW without enabling network virtualization (VXLAN and NSX Controller) on the Cluster.
NSX dFW can work on both VSS or vDS
NSX DFW operates at the VM vNIC level, meaning that a VM is always protected irrespective of the way it is connected to the logical network.
VM can be connected to a VDS VLAN-backed port-group or to a Logical Switch (VXLAN-backed port-group).
https://communities.vmware.com/message/2450217
I vote B, here is the source
“It’s important to mention that NSX DFW can work on VXLAN port-group or VLAN port-group. Enabling dFW on vSS is not tested by VMware, and not supported means if you enable it, it may work.”
http://www.routetocloud.com/2015/04/nsx-distributed-firewall-deep-dive/
If I look at the comment from experts: http://www.routetocloud.com/2015/04/nsx-distributed-firewall-deep-dive/
NSX DFW Pre-requirements:
VMware Distributed switch (vDS) version 5.1 or later.
VSS is not supported
It’s important to mention that NSX DFW can work on VXLAN port-group or VLAN port-group. Enabling dFW on vSS is not tested by VMware, and not supported means if you enable it, it may work.
But later in a forum: https://communities.vmware.com/message/2450217
We can use NSX dFW without enabling network virtualization (VXLAN and NSX Controller) on the Cluster.
NSX dFW can work on both VSS or vDS
NSX DFW operates at the VM vNIC level, meaning that a VM is always protected irrespective of the way it is connected to the logical network.
VM can be connected to a VDS VLAN-backed port-group or to a Logical Switch (VXLAN-backed port-group).
So yes but no but yes but no……invalid question 🙂
This VMware KB clearly states that ESXi 5.1 is a minimum requirement for dvFirewall support.
Based on that, I don’t see how D can be the answer. I also can’t find anywhere that states VSS are supported by dvFirewall. Based on that, my answer is B.
With the KB this time – http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2125437
This was of interest to me from:
https://pubs.vmware.com/NSX-6/topic/com.vmware.nsx.admin.doc/GUID-C18E7269-6CE2-4588-BEB7-54B1B8FE88BA.html
Firewall rules are enforced only on clusters on which the network virtualization hardware has been installed. See the vShield Installation and Upgrade Guide.
Add a Distributed Firewall Rule
You add firewall rules at the global scope. You can then narrow down the scope (datacenter, cluster, DISTRIBUTED VIRTUAL PORT GROUP, network, virtual machine, vNIC, or virtual wire)
In reading all the previous links, this is a horrendous question. The VMware employee states it can work with VSS, while all other deep dives and admin guides indicate VDS as a pre-req. I’d have to say B is the more correct answer. The logical switch in D, is it an NSX logical switch? If so, you know that the VM is then connected to a VDS, and thus can be protected by the distributed firewall. Terrible question.
The same VMware employee says:
Table 1 lists vSphere pre-requirements for NSX DFW:
vCenter: 5.5 or later
ESXi host: 5.1, 5.5
NSX Manager: 6.0 or later
VMtools: VMtools must be installed and running on the VM guest OS if DFW policy is based on vCenter objects. VMtools can be any version.
vSphere Switch: VMware (vDS) version 5.1 or later. VSS is not supported.
http://www.routetocloud.com/2015/04/nsx-distributed-firewall-deep-dive/
I believe the reason could be that ESXi 5.1 does not support NSX Logical Switch.
Correct answer is B.
Have a look at the article below:
http://www.vrandom.com/nsx/vss-compatibility/
VMware does not officially support vSS with dFW.
Just an FYI – forget about the damn test for a minute, just buy test king study kit and remember the answers they provide regardless of whether they are correct or not, why? because you will score 100% on the exam, period.. done it 2x now using test king, even when I know the answers are wrong..
Example is this question, guess what, NSX DFW does work with VSS, how do I know this? I just ran into this in my environment, and sure enough, a VM was placed on VSS in the NSX protected cluster, and it wasn’t communicating to anything, put it on the NSX exclusion list and guess what? It started working immediately. NSX is protecting VMs on VSS in the NSX cluster.. keep this in mind so you don’t do what I did and lose network connectivity…