Set up redirection rules to send traffic to third-party services inserted at a Tier-0 or Tier-1 router.
Prerequisites
- Register and deploy third-party services on NSX-T.
- Configure a Tier-0 or Tier-1 router.
Procedure
- From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
- Select .
A policy section is similar to a firewall section: it is where you define the rules that determine how traffic flows.
- Set the Redirection To field for a service instance or a service chain to a Tier-0 or Tier-1 logical router to perform network introspection of traffic flowing between source and destination entities.
- To add a policy, click Publish.
- Click the vertical ellipsis on a section and click Add Rule.
- Edit the Source field to add a group by defining membership criteria, static members, IP/MAC addresses, or Active Directory groups. Membership criteria can be defined from one of these types: Virtual Machine, Logical Switch, Logical Port, IP Set. You can select static members from one of these categories: Group, Segment, Segment Port, Virtual Network Interface, or Virtual Machine.
- Click Save.
- To add a destination group, edit the Destination field.
- In the Applied To field, you can do one of the following:
  - For a service inserted at a Tier-0 logical router, select the uplink of the Tier-0 router.
  - For a service inserted at a Tier-1 logical router, you do not need to select any uplinks.
- Each rule can be enabled individually. After you enable a rule, it is applied to the traffic that matches the rule.
- Click Advanced Settings to configure the traffic direction and to enable logging.
- In the Action field, select Redirect to redirect traffic along the service instance, or Do Not Redirect to exclude the traffic from network introspection.
- Click Publish.
- To revert a published rule, select a rule and click Revert.
- To add a policy, click + Add Policy.
- To clone a policy or a rule, select the policy or rule and click Clone.
- To enable a rule, enable the Enable/Disable icon or select the rule and from the menu click Enable > Enable Rule.
- After enabling or disabling a rule, click Publish to enforce the rule.
Results
Based on the actions set, north-south traffic is redirected to the service instance for network introspection.
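
A pre-publish review of redirection rules can catch settings that leave north-south traffic uninspected. The following is an added example, not part of the original procedure or VMware's code; the rule dictionaries, their field names, and the "any" group name are hypothetical and constructed for illustration, not the NSX-T API schema.

```python
# Constructed rule export; field names are hypothetical, not the NSX-T API schema.
SAMPLE_RULES = [
    {"name": "inspect-web", "tier": "tier0", "applied_to": ["t0-uplink-1"],
     "source": ["web-vms"], "destination": ["any"], "action": "Redirect",
     "enabled": True, "logged": True},
    {"name": "skip-backup", "tier": "tier0", "applied_to": [],
     "source": ["any"], "destination": ["any"], "action": "Do Not Redirect",
     "enabled": True, "logged": False},
    {"name": "inspect-db", "tier": "tier1", "applied_to": [],
     "source": ["app-vms"], "destination": ["db-vms"], "action": "Redirect",
     "enabled": False, "logged": True},
]

VALID_ACTIONS = {"Redirect", "Do Not Redirect"}


def audit_rule(rule):
    """Return a list of findings for one redirection rule."""
    findings = []
    if rule["action"] not in VALID_ACTIONS:
        findings.append("unknown action")
    # The procedure requires a Tier-0 uplink in Applied To for Tier-0 insertion.
    if rule["tier"] == "tier0" and not rule["applied_to"]:
        findings.append("tier0 rule has no uplink in Applied To")
    # A rule only acts on matching traffic once it is enabled.
    if not rule["enabled"]:
        findings.append("rule disabled")
    # Logging is set under Advanced Settings; without it there is no audit trail.
    if not rule["logged"]:
        findings.append("logging off")
    # An enabled any-to-any exclusion removes all traffic from introspection.
    any_any = rule["source"] == ["any"] and rule["destination"] == ["any"]
    if rule["action"] == "Do Not Redirect" and any_any and rule["enabled"]:
        findings.append("any-to-any Do Not Redirect bypasses introspection")
    return findings


def audit(rules):
    """Map rule name to findings, omitting rules with none."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        for finding in findings:
            print(f"{name}: {finding}")
```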