NSX-T is designed to address the emerging application frameworks and architectures that have heterogeneous endpoints and technology stacks. In addition to vSphere, these environments may also include other hypervisors, containers, bare metal, and public clouds. vRealize Network Insight supports NSX-T deployments where the VMs are managed by vCenter.
Considerations
- vRealize Network Insight supports only the NSX-T setups in which vCenter manages the ESXi hosts.
- vRealize Network Insight supports NSGroups, NSX-T Firewall Rules, IPSets, NSX-T Logical Ports, NSX-T Logical Switches, NSX-T distributed firewall IPFIX flows, Segment, Group, and Policy Based VPN.
- vRealize Network Insight supports both NSX-V and NSX-T deployments. When you use NSX in your queries, the results include both NSX-V and NSX-T entities. NSX Manager lists both NSX-V and NSX-T Managers. NSX Security Groups list both NSX-T and NSX-V security groups. If NSX-V or NSX-T is used instead of NSX, then only those entities are displayed. The same logic applies to the entities such as firewall rules, IPSets, and logical switches.
- With NSX-T 2.4 release, vRealize Network Insight supports NSX Declarative Policy Management which simplifies and automate network and security configurations through outcome-driven policy statements.
Note: Micro-segmentation for Security Group is done based on NSX Policy data. But in case there is no corresponding NSX Policy Group, the standalone NS Group is included in the Micro-segmentation analysis. For more details on NS Group, see NSX-T product documentation.
To Add an NSX-T Manager as a Data Source
Here are the prerequisites for adding an NSX-T Manager as a data source:
- You must have at least the Read only privilege.
- You must add all the vCenters associated with NSX-T Manager as data sources in vRealize Network Insight.
Note: If you add the NSX-T Manager before adding vCenter, then vRealize Network Insight takes around 4 hours to stabilize.
- Ensure that there are no logical switches in the exclusion list in the Distributed Firewall (DFW). If there are any logical switches in this list, then the flows are not reported for any VMs attached to these logical switches.
To add an NSX-T Manager:
- On the Accounts and Data Source page under Settings, click Add Source.
- Under VMware Manager in the Select an Account or Data Type page, select VMware NSX-T Manager.
- Provide the user credentials.
Note:
- If you have more than one management node in a single NSX-T deployment, you must add only one node as a data source in vRealize Network Insight or use Virtual IP (VIP) (of those nodes). If you add more than one management node, then vRealize Network Insight may not function properly.
- It is recommended to use VIP when you add NSX-T as a data source. If you add a management node IP instead of VIP, and later if you want to add a VIP or other management node IP, then you have to delete the existing data source to add the new VIP or Management IP.
- Ensure that each management node in the cluster is reachable from the collector.
- If IPFIX is not required, the user must be a local user with the audit level permissions. But if IPFIX is required then the user must have one of the following permissions: enterprise_admin, network_engineer, or security_engineer.
- (Optional) Select Enable DFW IPFIX to update the IPFIX settings on NSX-T. By selecting this option, vRealize Network Insight receives DFW IPFIX flows from NSX-T. For more information on enabling IPFIX, see Enable VMware NSX-T DFW IPFIX.
Note:
- DFW IPFIX is not supported in the Standard Edition of NSX-T.
- vRealize Network Insight does not support NSX-T Switch IPFIX flows.
- (Optional) If you want to collect latency metrics data, select Enable latency metric collection check box. If you select this option, vRealize Network Insight receives latency metrics such as VTEP - VTEP, vNIC - pNIC, pNIC - vNIC, vNIC - vNIC from NSX-T. For more information about network latency, see Network Latency Statistics.
Note:
- This option is available only for NSX-T 2.5 and later.
- VTEP - VTEP is available from NSX-T 2.5 and later.
- vNIC - pNIC, pNIC - vNIC, vNIC - vNIC are available from NSX-T 3.0.2 and later.
- To enable latency metric collection, you must have enterprise_admin permission.
- Ensure that the port 1991 is open on the collector to receive the latency data from the ESXi node.
- This option is available only for NSX-T 2.5 and later.
- (Optional) To enable the flow collection from NSX Intelligence, select the Enable NSX Intelligence check box.
NSX Intelligence provides deep packet inspection with the application layer visibility. After receiving flows from NSX Intelligence, you can see L7 (application layer) information such as App-Id.
Note: To enable NSX Intelligence in vRealize Network Insight, you must deploy the NSX Intelligence appliance. vRealize Network Insight supports NSX Intelligence 1.2 with NSX-T 3.1 and later.NSX Intelligence takes at least 12 minutes to process and send the flow information to vRealize Network Insight.
Note: To enable the flow collection from NSX Intelligence, you must select the Enable DFW IPFIX check box as vRealize Network Insight uses the DFW IPFIX as a primary source of flows.L7 information is not available for dropped flows as it is not supported by NSX Intelligence.
Examples for Queries
Here are some examples for queries related to NSX-T:
| Queries | Search Results |
|---|---|
| NSX-T Manager where VC Manager=10.197.53.214 | NSX-T Manager where this particular VC Manager has been added as the compute manager. |
| NSX-T Logical Switch | Lists all the NSX-T Logical switches present in the instance of vRealize Network Insight. including the details on whether it is a system-created or a user-created switch. |
| NSX-T Logical Ports where NSX-T Logical Switch = 'DB-Switch' | Lists the NSX-T logical ports belonging to that particular NSX-T logical switch, DB-Switch. |
| VMs where NSX-T Security Group = 'Application-Group' Or VMs where NSGroup = ‘Application-Group’ |
Lists all the VMs in that particular security group, Application-Group. |
| NSX-T Firewall Rule where Action='ALLOW' | Lists all the NSX-T Firewall Rules which have their action set as ALLOW. |
| NSX-T Firewall Rule where Destination Security Group = ‘CRM-Group’ | Lists the firewall rules where the CRM-Group is the Destination Security Group. The results include both Direct Destination Security Groups and Indirect Destination Security Groups. |
| NSX-T Firewall Rule where Direct Destination Security Group = ‘CRM-Group’ | Lists the firewall rules where the CRM-Group is the Destination Security Group. The results include only the Direct Destination Security Groups. |
| VMs where NSX-T Logical Port = ‘App_Port-Id-1’ | Lists all the VMs which have that particular NSX-T Logical Port. |
| NSX-T Transport Zone | Lists the VLAN and the overlay transport zone and the respective details associated with it including the type of the transport node.
Note:
vRealize Network Insight does not support KVM as a data source.
|
| NSX-T Router | Lists the TIER 1 and TIER 0 routers. Click the router shown in the results to view more details associated with it including the NSX-T Edge Cluster and the HA mode. |
| NSX Policy Segment | Lists all the NSX Policy Segments present in the instance of vRealize Network Insight. |
| NSX Policy Manager | Lists all the NSX Policy Manages present in the instance of vRealize Network Insight. |
| NSX Policy Group | Lists all the NSX Policy Groups present in the instance of vRealize Network Insight. |
| NSX Policy Firewall | Lists all the NSX Policy Firewalls present in the instance of vRealize Network Insight. |
| NSX Policy Firewall Rule | Lists all the NSX Policy Firewall Rules present in the instance of vRealize Network Insight. |
| NSX Policy Firewall Rule where Action = 'ALLOW' | Lists all the NSX Policy Firewall Rules which have their action set as ALLOW. |
| NSX Policy Based VPN | Lists all the NSX Policy Based VPNs present in the instance of vRealize Network Insight. |
Note: If NSX-T 2.4 and
VMware Cloud (VMC) are added as data sources in your
vRealize Network Insight, then to get the NST-T entities, you must add
SDDC type = ONPREM filter in your query. For example,
NSX Policy Based VPN where Tier0 = ‘’ and SDDC Type = ‘ONPREM’.
Support for NSX-T Metrics
The following table displays the
vRealize Network Insight entities that support the NSX-T metrics currently and the widgets that display these metrics on the corresponding entity dashboards.
| Entities | Widgets on the Entity Dashboard | Supported NSX-T Metrics |
|---|---|---|
| Logical Switch | Logical Switch Packet Metrics Logical Switch Byte Metrics |
|
| Logical Port | Logical Port Packet Metrics Logical Port Byte Metrics |
|
| Router Interface | Router Interface Metrics |
|
| Firewall Rule | Firewall Rule Metrics |
|
Here are some sample queries for NSX-T Metrics:
nsx-t logical switch where Rx Packet Drops > 0This query lists all the logical switches where the count of the dropped received packets is greater than 0.
nsx-t logical port where Tx Packet Drops > 0This query lists all the logical ports where the count of the dropped transmitted packets is greater than 0.
top 10 nsx-t firewall rules order by Connection countThis query lists the top 10 firewall rules based on the connection count(
Hit Count).
Security Planning for NSX-T
To plan security for the NSX-T network, you can select the scope as
NSXT Layer2 Network and use the following query:
plan NSX-T Layer2 Network ‘<NAME_OF_NSX_T_LOGICAL_SEGMENT>’You can also obtain the same result by performing the following steps:
- Select from the Navigation side bar.
- Select either NSX-T L2 Network or NSX Policy Segment as the scope from the drop-down menu.
Note: NSX-T related entities such as
NSX-T L2 Network and
NSX Policy Segment are available in the scope. You can use these NSX-T related entities for security planning.
