For East-West Network Introspection, create a service segment and an overlay transport zone. All other segments or logical switches can be backed by a VLAN transport zone.

East-West Network Introspection is applied to an entire NSX deployment. You can deploy the service at a cluster-level or on a per-host basis.

Both cluster-based and host-based deployments are supported. The deployment type decides where the service VMs for a particular service run. However, regardless of the deployment type, all East-West Network Introspection workloads can reach the service VMs. For example, a workload running on cluster A can use a service VM running on cluster B if there is no better alternative, so choosing a cluster-based deployment does not limit East-West Network Introspection to that cluster.

Even if you plan a deployment using only VLAN-backed segments, East-West traffic passes through overlay transport zones and overlay-backed segments. East-West Network Introspection is applied to all segments in the topology, whether they are backed by overlay or VLAN transport zones.

Requirements for East-West Network Introspection

  • IPv4 traffic only.
  • Ensure the transport nodes that host guest VMs and service VMs are configured with an overlay transport zone. An overlay transport zone is a requirement to use East-West Network Introspection on all the transport nodes in the system.
  • Create an overlay-backed service segment that will be used by the East-West Network Introspection service.
  • All the segments must be backed by the same host switch on each host.

  • If a guest VM running on an ESXi host is connected to a VLAN segment but that ESXi host is not configured to an overlay transport zone, then traffic destined to a service VM is disrupted. Such a configuration can also cause traffic to be routed to a black hole.

vMotion of Guest VMs

During a vMotion, the guest VM can be successfully migrated to another host only if the destination host is configured with an overlay transport zone and there is a single host switch. However, if there is no overlay transport zone where the service segment is created or if there are multiple host switches configured, then the virtual NIC of the guest VM goes into disconnected state even after vMotion.

vMotion of Service VMs

  • Host-based SVM deployments: NSX does not support vMotion of Service VMs (SVM) that are deployed on individual hosts.

  • Cluster-based SVM deployments: Even though NSX allows vMotion of SVMs in a cluster-based SVM deployment, do not initiate vMotion of SVMs, to avoid loss of traffic.

Unsupported environments

  • IPv6 traffic.
  • A few transport nodes are configured for VLAN transport zone, while the remaining hosts are configured for VLAN and GENEVE (overlay) transport zones. Ensure all transport nodes are configured for both VLAN and GENEVE (overlay) transport zones.
  • Traffic leaving a guest VM virtual NIC that carries an 802.1Q VLAN tag.
  • Guest VMs backed by a trunk port (a port that can carry multiple VLANs from the guest VM).
  • Any topology involving multiple host switches does not support East-West Network Introspection.
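The requirements, vMotion constraints and unsupported environments above reduce to a small set of per-host and per-VM conditions, which are easy to verify before enabling the service rather than after traffic is black-holed. The following pre-flight check is an added example, not code from the NSX product or its documentation; it runs over a constructed inventory whose dataclass shape (`TransportNode`, `HostSwitch`, `GuestVM` and their fields) is a simplified assumption for the example and is not the NSX API's transport-node schema. It flags hosts without an overlay (GENEVE) transport zone, hosts with more than one host switch, a fleet that mixes VLAN-only and overlay hosts, and guest VMs that are IPv6, trunk-backed, VLAN-tagged, or placed on a non-compliant host.

```python
"""Pre-flight readiness check for East-West Network Introspection.

Added example. The inventory shape below is an assumption for illustration,
not the NSX API schema; in practice you would populate it from your own
inventory source.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HostSwitch:
    name: str
    transport_zone_types: List[str]      # subset of {"VLAN", "OVERLAY"}


@dataclass
class TransportNode:
    name: str
    host_switches: List[HostSwitch]


@dataclass
class GuestVM:
    name: str
    host: str                            # transport node the VM runs on
    port_type: str = "access"            # "access" or "trunk"
    vlan_tagged: bool = False            # vNIC emits 802.1Q-tagged frames
    ip_versions: tuple = ("IPv4",)


def check_node(node: TransportNode) -> List[str]:
    """Conditions every transport node must meet: one host switch, overlay TZ."""
    findings = []
    if len(node.host_switches) != 1:
        findings.append("multiple host switches (single host switch required)")
    tz_types = {t for hs in node.host_switches for t in hs.transport_zone_types}
    if "OVERLAY" not in tz_types:
        findings.append("no overlay (GENEVE) transport zone on this host")
    return findings


def fleet_is_mixed(nodes: List[TransportNode]) -> bool:
    """True when some hosts are VLAN-only while others also have overlay."""
    has_overlay = [n for n in nodes if "no overlay" not in " ".join(check_node(n))]
    vlan_only = [n for n in nodes if n not in has_overlay]
    return bool(has_overlay) and bool(vlan_only)


def vmotion_destination_ok(dest: TransportNode) -> bool:
    """A guest VM keeps its vNIC connected after vMotion only if the
    destination host passes the same single-switch / overlay checks."""
    return not check_node(dest)


def check_guest_vm(vm: GuestVM, nodes: Dict[str, TransportNode]) -> List[str]:
    """Per-VM unsupported conditions plus the host it currently runs on."""
    findings = []
    if "IPv6" in vm.ip_versions:
        findings.append("IPv6 traffic is not supported")
    if vm.port_type == "trunk":
        findings.append("trunk-port-backed guest VM is unsupported")
    if vm.vlan_tagged:
        findings.append("802.1Q-tagged traffic from the vNIC is unsupported")
    host = nodes.get(vm.host)
    if host is None:
        findings.append(f"host {vm.host} is not in the inventory")
    else:
        for f in check_node(host):
            findings.append(f"host {vm.host}: {f} (traffic to the SVM may be black-holed)")
    return findings


# Constructed sample inventory (not real hosts): one compliant host, one
# VLAN-only host, one host with two host switches.
HOSTS = [
    TransportNode("esx-01", [HostSwitch("vds-01", ["VLAN", "OVERLAY"])]),
    TransportNode("esx-02", [HostSwitch("vds-01", ["VLAN"])]),
    TransportNode("esx-03", [HostSwitch("vds-01", ["VLAN", "OVERLAY"]),
                             HostSwitch("vds-02", ["VLAN"])]),
]
VMS = [
    GuestVM("web-01", "esx-01"),
    GuestVM("db-01", "esx-02"),
    GuestVM("fw-trunk", "esx-01", port_type="trunk"),
    GuestVM("v6-app", "esx-01", ip_versions=("IPv4", "IPv6")),
]


def run_report(hosts: List[TransportNode], vms: List[GuestVM]) -> Dict[str, List[str]]:
    """Collect findings keyed by object name; an empty list means compliant."""
    by_name = {h.name: h for h in hosts}
    report = {h.name: check_node(h) for h in hosts}
    if fleet_is_mixed(hosts):
        report["fleet"] = ["mix of VLAN-only and overlay hosts is unsupported"]
    for vm in vms:
        report[vm.name] = check_guest_vm(vm, by_name)
    return report


if __name__ == "__main__":
    for name, findings in run_report(HOSTS, VMS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it as a script to print one line per host and VM; anything other than `OK` is a condition this page lists as a requirement violation or an unsupported environment, and `vmotion_destination_ok` can be called against a candidate destination host before migrating a guest VM.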

An overlay-backed (GENEVE-backed) segment is provisioned for internal use by East-West Network Introspection. On the NSX Manager UI, go to Security → Network Introspection Settings → Service Segment.

Service Segment

NSX supports running of Service Insertion policies only on the VDS switch where the service segment is created. It does not allow Service Insertion policies to be applied on traffic passing through any other VDS switches configured on the same host.

For Service Insertion to work as designed, disable Service Insertion on all segments, VMs, containers, or any other objects associated with VDS switches that do not back the service segment, because Service Insertion policies are not applied to traffic on these objects.

You can selectively disable Service Insertion through the exclusion list, either by calling the API or from the UI. If Service Insertion is disabled for a given port, that port can be connected either to the VDS that backs the service segment or to any other VDS switch on the host without any loss of functionality. Whenever Service Insertion is applied to traffic on an interface backed by a VDS switch that does not back the service segment, NSX raises an alarm to signal that Service Insertion cannot redirect traffic correctly.

Traffic Classes Supported

  • L3 (IPv4) unicast
  • L3 (IPv4) multicast
  • L3 (IPv4) broadcast
  • L3 (non-IP) (for example, GRE and IPsec traffic)