In NSX-V, traffic redirection to partner services is at a rule level, and not at the section level. That is, a single section in NSX-V can have rules redirecting the network traffic to multiple service profiles of a single partner service or multiple partner services.

However, in NSX, redirection is at a policy level. Therefore, if a single firewall section in NSX-V has rules redirecting to multiple service profiles, multiple NSX policies will be created.

Read the scenarios in this topic for examples about rule ordering in NSX.

This topic uses the following acronyms:
  • SP: Service Profile
  • SG: Security Group
  • SC: Service Chain

Scenario 1: Single Partner Service, Single Service Profile

A single network introspection partner service is running. This partner service contains a single service profile.

Rule configuration in NSX-V is as follows:
  • SP-1 is bound to SG-1 and SG-2.
  • Network traffic from SG-A to SG-B is redirected to SP-1.
  • Network traffic from SG-P to SG-Q is redirected to SP-1.

Migrated rule configuration in NSX is as follows:
  • SC-1 contains SP-1 in the forward and reverse path of the traffic.
  • Network traffic from SG-A to SG-B is redirected to SC-1. This rule is applied on SG-1 and SG-2.
  • Network traffic from SG-P to SG-Q is redirected to SC-1. This rule is applied on SG-1 and SG-2.

NSX-V:

Section 1
  • Rule 1: SG-A to SG-B, Redirect to SP-1
  • Rule 2: SG-P to SG-Q, Redirect to SP-1

NSX:

Policy 1 (Redirect to SC-1)
  • Rule 1: SG-A to SG-B, Redirect to SC-1
  • Rule 2: SG-P to SG-Q, Redirect to SC-1

Scenario 2: Single Partner Service, Multiple Service Profiles

A partner service has two service profiles SP-1 and SP-2.

Case 2A: SP-1 has higher priority than SP-2

In NSX-V, SP-1 is bound to SG-1, and SP-2 is bound to SG-2.

In NSX, SC-1 contains SP-1, and SC-2 contains SP-2 in the forward and reverse path of the traffic.

In this case, rules redirecting to SC-1 are placed first in the NSX rule table.

NSX-V:

Section 1
  • Rule 1: SG-A to SG-B, Redirect to SP-1
  • Rule 2: SG-P to SG-Q, Redirect to SP-2

NSX:

Policy 1 (Redirect to SC-1)
  • Rule 1: SG-A to SG-B, Redirect to SC-1
Policy 2 (Redirect to SC-2)
  • Rule 2: SG-P to SG-Q, Redirect to SC-2

Case 2B: SP-2 has higher priority than SP-1

In NSX-V, SP-1 is bound to SG-1, and SP-2 is bound to SG-2 and SG-3.

In NSX, SC-1 contains SP-1, and SC-2 contains SP-2 in the forward and reverse path of the traffic.

In this case, rules redirecting to SC-2 are placed first in the NSX rule table.

NSX-V:

Section 1
  • Rule 1: SG-A to SG-B, Redirect to SP-1
  • Rule 2: SG-P to SG-Q, Redirect to SP-2
Section 2
  • Rule 3: SG-P to SG-Q, Redirect to SP-1

NSX:

Policy 1 (Redirect to SC-2)
  • Rule 2: SG-P to SG-Q, Redirect to SC-2
Policy 2 (Redirect to SC-1)
  • Rule 1: SG-A to SG-B, Redirect to SC-1
Policy 3 (Redirect to SC-1)
  • Rule 3: SG-P to SG-Q, Redirect to SC-1

Scenario 3: Two Partner Services, One Service Profile Per Partner

Service-1 from partner 1 has higher precedence than Service-2 from partner 2. Service-1 contains SP-1 and Service-2 contains SP-2. In NSX-V, SP-1 is bound to SG-1, and SP-2 is bound to SG-2 and SG-3.

NSX-V:

Section 1
  • Rule 1: SG-A to SG-B, Redirect to SP-1
  • Rule 2: SG-A to SG-C, Redirect to SP-1
  • Rule 3: SG-P to SG-Q, Redirect to SP-2
  • Rule 4: SG-A to SG-D, Redirect to SP-1
Section 2
  • Rule 5: SG-P to SG-Q, Redirect to SP-1

NSX:

Policy 1 (Redirect to SC-1)
  • Rule 1: SG-A to SG-B, Redirect to SC-1
  • Rule 2: SG-A to SG-C, Redirect to SC-1
  • Rule 4: SG-A to SG-D, Redirect to SC-1
Policy 2 (Redirect to SC-1)
  • Rule 5: SG-P to SG-Q, Redirect to SC-1
Policy 3 (Redirect to SC-2)
  • Rule 3: SG-P to SG-Q, Redirect to SC-2
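
The policy split and ordering shown in Scenarios 1 to 3 can be modeled in a few lines. This is an added example, not VMware's migration code: the function names migrate and reordered_overlaps are hypothetical, the grouping rule is inferred from the scenario tables, and service precedence in Scenario 3 is treated as service profile priority. The second function lists rule pairs with the same source and destination whose relative order changed, so they can be reviewed before cutover.

```python
# Added example: a model of the ordering in the scenarios, not VMware's code.
# Assumption: one NSX policy per (NSX-V section, service profile), sorted by
# profile priority and then by section order, as the scenario tables show.

def migrate(sections, sp_priority):
    """sections: NSX-V sections in order, each a list of
    (rule_id, src, dst, sp) tuples; sp_priority: highest priority first.
    Returns [(service_chain, [rule_id, ...]), ...] in NSX policy order."""
    rank = {sp: i for i, sp in enumerate(sp_priority)}
    groups = {}  # (profile rank, section index) -> rule ids in rule order
    for s_idx, rules in enumerate(sections):
        for rule_id, _src, _dst, sp in rules:
            groups.setdefault((rank[sp], s_idx), []).append(rule_id)
    policies = []
    for (sp_rank, _s_idx), rule_ids in sorted(groups.items()):
        # Per the scenarios, SC-n carries SP-n in forward and reverse path.
        chain = sp_priority[sp_rank].replace("SP-", "SC-")
        policies.append((chain, rule_ids))
    return policies

def reordered_overlaps(sections, policies):
    """Pairs of rules with identical source and destination whose relative
    order in the NSX policies differs from their NSX-V order."""
    before = [rule for rules in sections for rule in rules]
    pos = {}
    for _chain, rule_ids in policies:
        for rule_id in rule_ids:
            pos[rule_id] = len(pos)
    flagged = []
    for i, (a, src_a, dst_a, _sp) in enumerate(before):
        for b, src_b, dst_b, _sp2 in before[i + 1:]:
            if (src_a, dst_a) == (src_b, dst_b) and pos[a] > pos[b]:
                flagged.append((a, b))
    return flagged

# Scenario 3 input, transcribed from the NSX-V column above.
SCENARIO_3 = [
    [(1, "SG-A", "SG-B", "SP-1"), (2, "SG-A", "SG-C", "SP-1"),
     (3, "SG-P", "SG-Q", "SP-2"), (4, "SG-A", "SG-D", "SP-1")],
    [(5, "SG-P", "SG-Q", "SP-1")],
]

if __name__ == "__main__":
    policies = migrate(SCENARIO_3, ["SP-1", "SP-2"])
    for n, (chain, rule_ids) in enumerate(policies, 1):
        print(f"Policy {n} (Redirect to {chain}): rules {rule_ids}")
    print("Review:", reordered_overlaps(SCENARIO_3, policies))
```

For Scenario 3 this reports rules 3 and 5: both match SG-P to SG-Q, and after migration the rule redirecting to SC-1 precedes the one redirecting to SC-2.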