In NSX-V, traffic redirection to partner services is at a rule level, and not at the section level. That is, a single section in NSX-V can have rules redirecting the network traffic to multiple service profiles of a single partner service or multiple partner services.
However, in NSX, redirection is at a policy level. Therefore, if a single firewall section in NSX-V has rules redirecting to multiple service profiles, multiple NSX policies will be created.
Read the scenarios in this topic for examples about rule ordering in NSX.
- SP: Service Profile
- SG: Security Group
- SC: Service Chain
Scenario 1: Single Partner Service, Single Service Profile
A single network introspection partner service is running. This partner service contains a single service profile.
- SP1 is bound to SG-1 and SG-2.
- Network traffic from SG-A to SG-B is redirected to SP-1.
- Network traffic from SG-P to SG-Q is redirected to SP-1.
- SC-1 contains SP-1 in the forward and reverse path of the traffic.
- Network traffic from SG-A to SG-B is redirected to SC-1. This rule is applied on SG-1 and SG-2.
- Network traffic from SG-P to SG-Q is redirected to SC-1. This rule is applied on SG-1 and SG-2.
NSX-V | NSX |
---|---|
Section 1
|
Policy 1 (Redirect to SC-1)
|
Scenario 2: Single Partner Service, Multiple Service Profiles
A partner service has two service profiles SP-1 and SP-2.
- Case 2A: SP-1 has higher priority than SP-2
-
In NSX-V, SP-1 is bound to SG-1, and SP-2 is bound to SG-2.
In NSX, SC-1 contains SP-1, and SC-2 contains SP-2 in the forward and reverse path of the traffic.
In this case, rules redirecting to SC-1 are placed first in the NSX rule table.
NSX-V NSX Section 1- Rule 1: SG-A to SG-B, Redirect to SP-1
- Rule 2: SG-P to SG-Q, Redirect to SP-2
Policy 1 (Redirect to SC-1)- Rule 1: SG-A to SG-B, Redirect to SC-1
Policy 2 (Redirect to SC-2)- Rule 2: SG-P to SG-Q, Redirect to SC-2
- Case 2B: SP-2 has higher priority than SP-1
-
In NSX-V, SP-1 is bound to SG-1, and SP-2 is bound to SG-2 and SG-3.
In NSX, SC-1 contains SP-1, and SC-2 contains SP-2 in the forward and reverse path of the traffic.
In this case, rules redirecting to SC-2 are placed first in the NSX rule table.
NSX-V NSX Section 1- Rule 1: SG-A to SG-B, Redirect to SP-1
- Rule 2: SG-P to SG-Q, Redirect to SP-2
Section 2- Rule 3: SG-P to SG-Q, Redirect to SP-1
Policy 1 (Redirect to SC-2)- Rule 2: SG-P to SG-Q, Redirect to SC-2
Policy 2 (Redirect to SC-1)- Rule 1: SG-A to SG-B, Redirect to SC-1
Policy 3 (Redirect to SC-1)- Rule 3: SG-P to SG-Q, Redirect to SC-1
Scenario 3: Two Partner Services, One Service Profile Per Partner
Service-1 from partner 1 has higher precedence than Service-2 from partner 2. Service-1 contains SP-1 and Service-2 contains SP-2. In NSX-V, SP-1 is bound to SG-1, and SP-2 is bound to SG-2 and SG-3.
NSX-V | NSX |
---|---|
Section 1
Section 2
|
Policy 1 (Redirect to SC-1)
|
Policy 2 (Redirect to SC-1)
|
|
Policy 3 (Redirect to SC-2)
|