Which Virtual Machine cannot be protected by the Distributed Firewall?

A. A Virtual Machine connected to a vDS Portgroup running on an ESXi 5.1 host.

B. A Virtual Machine connected to a vSS Portgroup running on an ESXi 5.5 host.

C. A Virtual Machine connected to a vDS Portgroup running on an ESXi 5.5 host.

D. A Virtual Machine connected to a logical switch running on an ESXi 5.1 host.

redtantra

B ? vSS Groups are not supported on NSX-V

BlackBurn

I agree, I also think it should be B.

Gallego

I think it is D:

We can use NSX dFW without enabling network virtualization (VXLAN and NSX Controller) on the cluster.
NSX dFW can work on both VSS and vDS.
NSX DFW operates at the VM vNIC level, meaning that a VM is always protected irrespective of the way it is connected to the logical network.
VM can be connected to a VDS VLAN-backed port-group or to a Logical Switch (VXLAN-backed port-group).

https://communities.vmware.com/message/2450217

Michael

If I look at the comment from the experts: http://www.routetocloud.com/2015/04/nsx-distributed-firewall-deep-dive/

NSX DFW pre-requirements:

VMware Distributed Switch (vDS) version 5.1 or later.
VSS is not supported.

It's important to mention that NSX DFW can work on a VXLAN port-group or a VLAN port-group. Enabling dFW on vSS is not tested by VMware, and "not supported" means that if you enable it, it may work.

But later in a forum thread: https://communities.vmware.com/message/2450217

We can use NSX dFW without enabling network virtualization (VXLAN and NSX Controller) on the cluster.
NSX dFW can work on both VSS and vDS.
NSX DFW operates at the VM vNIC level, meaning that a VM is always protected irrespective of the way it is connected to the logical network.
VM can be connected to a VDS VLAN-backed port-group or to a Logical Switch (VXLAN-backed port-group).

So yes but no but yes but no……invalid question 🙂

Patrick

This VMware KB clearly states that ESXi 5.1 is a minimum requirement for dvFirewall support.

Based on that, I don’t see how D can be the answer. I also can’t find anywhere that states VSS are supported by dvFirewall. Based on that, my answer is B.

Studying_for_VCA6-NV

This was of interest to me from:
https://pubs.vmware.com/NSX-6/topic/com.vmware.nsx.admin.doc/GUID-C18E7269-6CE2-4588-BEB7-54B1B8FE88BA.html

Firewall rules are enforced only on clusters on which the network virtualization hardware has been installed. See the vShield Installation and Upgrade Guide.

Add a Distributed Firewall Rule
You add firewall rules at the global scope. You can then narrow down the scope (datacenter, cluster, DISTRIBUTED VIRTUAL PORT GROUP, network, virtual machine, vNIC, or virtual wire)

In reading all the previous links, this is a horrendous question. The VMware employee states it can work with VSS, while all other deep dives and admin guides indicate VDS as a pre-req. I’d have to say B is the more correct answer. The logical switch in D, is it an NSX logical switch? If so, you know that the VM is then connected to a VDS, and thus can be protected by the distributed firewall. Terrible question.

Nobody

The same VMware employee says:
Table 1 lists the vSphere pre-requirements for NSX DFW:

| vCenter      | ESXi host | NSX Manager  | VMtools                                                                                                             | vSphere Switch                                                        |
|--------------|-----------|--------------|---------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
| 5.5 or later | 5.1, 5.5  | 6.0 or later | VMtools must be installed and running on the VM guest OS if the DFW policy is based on vCenter objects. VMtools can be any version. | VMware Distributed Switch (vDS) version 5.1 or later. VSS is not supported. |

http://www.routetocloud.com/2015/04/nsx-distributed-firewall-deep-dive/

SCHT

I believe the reason could be that ESXi 5.1 does not support the NSX Logical Switch.

gman

Just an FYI – forget about the damn test for a minute: just buy the Test King study kit and remember the answers they provide, regardless of whether they are correct or not. Why? Because you will score 100% on the exam, period. Done it 2x now using Test King, even when I know the answers are wrong.

An example is this question. Guess what, NSX DFW does work with VSS. How do I know this? I just ran into this in my environment, and sure enough, a VM was placed on a VSS in the NSX-protected cluster and it wasn't communicating with anything; I put it on the NSX exclusion list and guess what? It started working immediately. NSX is protecting VMs on VSS in the NSX cluster. Keep this in mind so you don't do what I did and lose network connectivity...