NSX-T is designed to address the emerging application frameworks and architectures that have heterogeneous endpoints and technology stacks. In addition to vSphere, these environments may also include other hypervisors, containers, bare metal, and public clouds.

vRealize Network Insight supports NSX-T deployments where the VMs are managed by VMware vCenter.

Considerations

  • vRealize Network Insight supports only the NSX-T setups in which VMware vCenter manages the ESXi hosts.
  • vRealize Network Insight supports NSGroups, NSX-T Firewall Rules, IPSets, NSX-T Logical Ports, NSX-T Logical Switches, NSX-T distributed firewall IPFIX flows, Segment, Group, and Policy Based VPN.
  • vRealize Network Insight supports both NSX-V and NSX-T deployments. When you use NSX in a query, the results include both NSX-V and NSX-T entities: NSX Manager lists both NSX-V and NSX-T Managers, and NSX Security Group lists both NSX-V and NSX-T security groups. If you use NSX-V or NSX-T instead of NSX, only entities of that type are displayed. The same logic applies to entities such as firewall rules, IPSets, and logical switches.
  • Starting with the NSX-T 2.4 release, vRealize Network Insight supports NSX Declarative Policy Management, which simplifies and automates network and security configuration through outcome-driven policy statements.
    Note: Micro-segmentation analysis for a security group is based on NSX Policy data. If an NS Group has no corresponding NSX Policy Group, the standalone NS Group is still included in the micro-segmentation analysis. For more details on NS Groups, see the NSX-T product documentation.

Prerequisites

Here are the prerequisites for adding an NSX-T Manager as a data source:
  • You must have at least the Read only privilege.
  • You must add every VMware vCenter instance associated with the NSX-T Manager as a data source in vRealize Network Insight.
    Note: If you add the NSX-T Manager before adding VMware vCenter, vRealize Network Insight takes around 4 hours to stabilize.
  • Ensure that no logical switches are on the exclusion list of the Distributed Firewall (DFW). If a logical switch is on this list, no flows are reported for the VMs attached to it, so those workloads are invisible to flow-based analysis.

Procedure

  1. Go to Settings > Accounts and Data Sources > Add Source.
  2. Under VMware Manager, select VMware NSX-T Manager.
  3. Provide the connection details and user credentials:
    • Collector VM: Select a collector VM from the drop-down menu.
    • IP Address/FQDN: Enter the IP address or the FQDN of the NSX-T Manager.
    • Username: Enter the user name.
    • Password: Enter the password.
    Note:
    • If a single NSX-T deployment has more than one management node, add only one of those nodes, or the cluster Virtual IP (VIP), as a data source in vRealize Network Insight. Adding more than one management node of the same cluster can cause vRealize Network Insight to malfunction.
    • Use the VIP when you add NSX-T as a data source. If you add a management node IP instead of the VIP and later want to switch to the VIP or to another management node IP, you must delete the existing data source and add the new address.
    • Ensure that each management node in the cluster is reachable from the collector.
    • If IPFIX is not required, the user must be a local user with audit-level permissions. If IPFIX is required, the user must hold one of the following roles: enterprise_admin, network_engineer, or security_engineer. Grant the least privileged role that covers what you actually enable; a collector account with enterprise_admin is a high-value credential if the collector is compromised.
    Note: Add the data source using either the IP address or the FQDN. Do not add the same manager using both the IP address and the FQDN.
  4. Click Validate.
  5. (Optional) Select Enable DFW IPFIX to update the IPFIX settings on NSX-T. By selecting this option, vRealize Network Insight receives DFW IPFIX flows from NSX-T. For more information on enabling IPFIX, see Enable VMware NSX-T DFW IPFIX.
    Note:
    • DFW IPFIX is not supported in the Standard Edition of NSX-T.
    • vRealize Network Insight does not support NSX-T Switch IPFIX flows.
  6. (Optional) To collect latency metrics, select the Enable latency metric collection check box. If you select this option, vRealize Network Insight receives latency metrics such as VTEP - VTEP, vNIC - pNIC, pNIC - vNIC, and vNIC - vNIC from NSX-T. For more information about network latency, see Network Latency Statistics.
    Note:
    • This option is available only for NSX-T 2.5 and later.
      • VTEP - VTEP is available from NSX-T 2.5 and later.
      • vNIC - pNIC, pNIC - vNIC, vNIC - vNIC are available from NSX-T 3.0.2 and later.
    • To enable latency metric collection, you must have enterprise_admin permission.
    • Ensure that the port 1991 is open on the collector to receive the latency data from the ESXi node.
  7. (Optional) To enable the flow collection from NSX Intelligence, select the Enable NSX Intelligence check box.

    NSX Intelligence provides deep packet inspection with application-layer visibility. After vRealize Network Insight receives flows from NSX Intelligence, you can see L7 (application layer) information such as App-Id.

    Note: To enable NSX Intelligence in vRealize Network Insight, you must deploy the NSX Intelligence appliance. vRealize Network Insight supports NSX Intelligence 1.2 with NSX-T 3.1 and later.

    NSX Intelligence takes at least 12 minutes to process and send the flow information to vRealize Network Insight.

    Note: To enable flow collection from NSX Intelligence, you must also select the Enable DFW IPFIX check box, because vRealize Network Insight uses DFW IPFIX as the primary source of flows.

    L7 information is not available for dropped flows, because NSX Intelligence does not provide it.

  8. In the Nickname text box, enter a nickname.
  9. In the Notes (Optional) text box, add a note if necessary.
  10. Click Submit.
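The prerequisites above and the notes under step 3 amount to a short pre-flight checklist: every associated vCenter already added, no logical switch on the DFW exclusion list, one address per cluster (preferably the VIP, never both IP and FQDN), and an account with exactly the role the chosen options need. The following is an added example, not part of this page or of the vRealize Network Insight product, that encodes those checks as functions. All inputs are constructed: the dictionaries only loosely mirror NSX-T Manager API objects (cluster nodes, API VIP, DFW exclusion list, role bindings, compute managers), the name `auditor` is assumed to be the NSX-T audit-level role, the DNS map stands in for a resolver, and no live API is called.

```python
"""Pre-flight checks before adding an NSX-T Manager to vRealize Network Insight.
Added example; every input below is constructed and no live API is called."""
import ipaddress

# Roles the page lists as sufficient when DFW IPFIX is enabled.
IPFIX_ROLES = {"enterprise_admin", "network_engineer", "security_engineer"}
# Assumed name of the NSX-T audit-level role used when IPFIX is off.
AUDIT_ROLE = "auditor"


def address_kind(address):
    """'ip' for an IPv4/IPv6 literal, 'fqdn' for anything else."""
    try:
        ipaddress.ip_address(address)
        return "ip"
    except ValueError:
        return "fqdn"


def check_manager_address(address, vip, node_ips, existing, dns):
    """Findings about the value typed into the IP Address/FQDN field.
    vip      - cluster API virtual IP, or None if none is configured
    node_ips - management node IPs of the cluster being added
    existing - addresses of NSX-T data sources already in vRNI
    dns      - constructed name -> IP map standing in for a resolver"""
    findings = []
    cluster = set(node_ips) | ({vip} if vip else set())
    resolved = dns.get(address, address)
    if resolved not in cluster:
        findings.append("address does not belong to this NSX-T cluster")
        return findings
    if vip and resolved != vip:
        findings.append("node IP used instead of the VIP; switching later "
                        "requires deleting and re-adding the data source")
    for old in existing:
        if dns.get(old, old) not in cluster:
            continue                       # a different cluster, no conflict
        if address_kind(old) != address_kind(address):
            findings.append(f"cluster already added as {old}; do not add it "
                            "by both IP address and FQDN")
        else:
            findings.append(f"cluster already added as {old}; add only one "
                            "node or the VIP")
    return findings


def vms_without_flows(exclude_list, vm_attachments):
    """VMs whose DFW flows will not be reported because their logical switch
    is on the DFW exclusion list.  vm_attachments: VM name -> logical switch."""
    excluded = {m["target_id"] for m in exclude_list
                if m["target_type"] == "LogicalSwitch"}
    return sorted(vm for vm, ls in vm_attachments.items() if ls in excluded)


def check_account(role_bindings, username, ipfix_required):
    """'ok', 'insufficient', 'not-local' or 'excessive' for the collector user."""
    binding = next((b for b in role_bindings if b["name"] == username), None)
    if binding is None:
        return "insufficient"
    roles = {r["role"] for r in binding["roles"]}
    if ipfix_required:
        return "ok" if roles & IPFIX_ROLES else "insufficient"
    if binding["type"] != "local_user":
        return "not-local"           # page requires a local user without IPFIX
    if roles & IPFIX_ROLES:
        return "excessive"           # works, but more than least privilege
    return "ok" if AUDIT_ROLE in roles else "insufficient"


def missing_vcenters(compute_managers, vrni_vcenters):
    """vCenters registered in NSX-T that vRNI does not yet have as data sources."""
    return sorted(cm["server"] for cm in compute_managers
                  if cm["server"] not in vrni_vcenters)


# Constructed sample inputs (documentation addresses, not a real deployment).
NODE_IPS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
VIP = "192.0.2.10"
DNS = {"nsx-vip.example.test": VIP, "nsx-01.example.test": "192.0.2.11"}
EXISTING_SOURCES = ["nsx-01.example.test"]
EXCLUDE_LIST = [{"target_type": "LogicalSwitch", "target_id": "ls-db"},
                {"target_type": "VirtualMachine", "target_id": "vm-mgmt-01"}]
VM_ATTACHMENTS = {"db-01": "ls-db", "db-02": "ls-db", "web-01": "ls-web"}
ROLE_BINDINGS = [
    {"name": "vrni-audit", "type": "local_user", "roles": [{"role": "auditor"}]},
    {"name": "vrni-flows", "type": "local_user",
     "roles": [{"role": "security_engineer"}]},
    {"name": "svc-ad", "type": "remote_user", "roles": [{"role": "auditor"}]},
]
COMPUTE_MANAGERS = [{"server": "vc-01.example.test"},
                    {"server": "vc-02.example.test"}]
VRNI_VCENTERS = {"vc-01.example.test"}

if __name__ == "__main__":
    for f in check_manager_address("192.0.2.12", VIP, NODE_IPS, EXISTING_SOURCES, DNS):
        print("address:", f)
    print("VMs without flows:", vms_without_flows(EXCLUDE_LIST, VM_ATTACHMENTS))
    print("vrni-audit, IPFIX on:", check_account(ROLE_BINDINGS, "vrni-audit", True))
    print("vrni-flows, IPFIX off:", check_account(ROLE_BINDINGS, "vrni-flows", False))
    print("vCenters still to add:", missing_vcenters(COMPUTE_MANAGERS, VRNI_VCENTERS))
```

Run as-is, the sample reports two address findings (a node IP was used although a VIP exists, and the same cluster is already registered by FQDN), two database VMs that will never appear in flow data, an audit user that cannot enable IPFIX, a security_engineer user that is over-privileged when IPFIX is off, and one vCenter still to add. Swap the constructed inputs for the real exclusion list, role bindings and compute managers of your NSX-T Manager before relying on the result.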

Examples for Queries

Here are some examples for queries related to NSX-T:

Table 1. Queries for NSX-T
  • NSX-T Manager where VC Manager = 10.197.53.214
    Lists the NSX-T Manager to which this particular VC Manager has been added as the compute manager.
  • NSX-T Logical Switch
    Lists all the NSX-T logical switches present in the instance of vRealize Network Insight, including whether each switch is system-created or user-created.
  • NSX-T Logical Ports where NSX-T Logical Switch = 'DB-Switch'
    Lists the NSX-T logical ports that belong to the logical switch DB-Switch.
  • VMs where NSX-T Security Group = 'Application-Group'
    or
    VMs where NSGroup = 'Application-Group'
    Lists all the VMs in the security group Application-Group.
  • NSX-T Firewall Rule where Action = 'ALLOW'
    Lists all the NSX-T firewall rules whose action is ALLOW.
  • NSX-T Firewall Rule where Destination Security Group = 'CRM-Group'
    Lists the firewall rules in which CRM-Group is a destination security group. The results include both direct and indirect destination security groups.
  • NSX-T Firewall Rule where Direct Destination Security Group = 'CRM-Group'
    Lists the firewall rules in which CRM-Group is a destination security group. The results include only direct destination security groups.
  • VMs where NSX-T Logical Port = 'App_Port-Id-1'
    Lists all the VMs attached to that particular NSX-T logical port.
  • NSX-T Transport Zone
    Lists the VLAN and overlay transport zones and their details, including the type of each transport node.
    Note: vRealize Network Insight does not support KVM as a data source.
  • NSX-T Router
    Lists the Tier-0 and Tier-1 routers. Click a router in the results to view more details, including its NSX-T Edge Cluster and HA mode.
Table 2. Queries for NSX Policy
  • NSX Policy Segment
    Lists all the NSX Policy Segments present in the instance of vRealize Network Insight.
  • NSX Policy Manager
    Lists all the NSX Policy Managers present in the instance of vRealize Network Insight.
  • NSX Policy Group
    Lists all the NSX Policy Groups present in the instance of vRealize Network Insight.
  • NSX Policy Firewall
    Lists all the NSX Policy Firewalls present in the instance of vRealize Network Insight.
  • NSX Policy Firewall Rule
    Lists all the NSX Policy Firewall Rules present in the instance of vRealize Network Insight.
  • NSX Policy Firewall Rule where Action = 'ALLOW'
    Lists all the NSX Policy Firewall Rules whose action is ALLOW.
  • NSX Policy Based VPN
    Lists all the NSX Policy Based VPNs present in the instance of vRealize Network Insight.
Note: If both NSX-T 2.4 and VMware Cloud (VMC) are added as data sources in vRealize Network Insight, add the filter SDDC Type = 'ONPREM' to your query to get only the on-premises NSX-T entities. For example: NSX Policy Based VPN where Tier0 = '' and SDDC Type = 'ONPREM'.
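The difference between the Destination Security Group and Direct Destination Security Group queries in Table 1 matters when reviewing what a rule really permits: a rule that names a parent group also governs every group nested in it. The following is an added example, not code from this page or from vRealize Network Insight, with constructed groups and rules; it assumes that "indirect" means the queried group is nested, directly or transitively, inside a group the rule names, which the page does not define.

```python
"""Direct vs. indirect destination security groups for NSX-T firewall rules.
Added example with constructed data; 'indirect' is assumed to mean nesting."""

# Constructed: group name -> names of the groups nested inside it.
GROUPS = {
    "All-Apps": ["CRM-Group", "ERP-Group"],
    "CRM-Group": ["CRM-DB"],
    "ERP-Group": [],
    "CRM-DB": [],
    "Mgmt": [],
}

# Constructed NSX-T firewall rules (id, action, source group, destination group).
RULES = [
    {"id": 1001, "action": "ALLOW", "source": "Mgmt", "destination": "CRM-Group"},
    {"id": 1002, "action": "ALLOW", "source": "Mgmt", "destination": "All-Apps"},
    {"id": 1003, "action": "DROP", "source": "All-Apps", "destination": "Mgmt"},
    {"id": 1004, "action": "ALLOW", "source": "Mgmt", "destination": "CRM-DB"},
]


def ancestors(group, groups):
    """Every group that contains `group`, directly or through nesting.
    The visited set keeps a cyclic nesting from looping forever."""
    found, stack = set(), [group]
    while stack:
        child = stack.pop()
        for parent, members in groups.items():
            if child in members and parent not in found:
                found.add(parent)
                stack.append(parent)
    return found


def rules_with_destination(rules, groups, group, direct_only=False, action=None):
    """Ids of rules whose destination covers `group`.
    direct_only=True mirrors 'Direct Destination Security Group = group';
    False mirrors 'Destination Security Group = group' and also matches rules
    that name an ancestor of `group`.  `action` optionally adds Action = ..."""
    targets = {group} if direct_only else {group} | ancestors(group, groups)
    return [r["id"] for r in rules
            if r["destination"] in targets
            and (action is None or r["action"] == action)]


if __name__ == "__main__":
    print("Destination = CRM-Group:", rules_with_destination(RULES, GROUPS, "CRM-Group"))
    print("Direct Destination = CRM-Group:",
          rules_with_destination(RULES, GROUPS, "CRM-Group", direct_only=True))
    print("Destination = CRM-DB, ALLOW only:",
          rules_with_destination(RULES, GROUPS, "CRM-DB", action="ALLOW"))
```

With the constructed data, the direct query for CRM-Group returns only rule 1001, while the plain destination query also returns rule 1002, whose destination All-Apps contains CRM-Group. When auditing exposure of a group, use the non-direct form so that rules on parent groups are not missed.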

Support for NSX-T Metrics

The following table lists the vRealize Network Insight entities that currently support NSX-T metrics, the widgets that display these metrics on the corresponding entity dashboards, and the supported metrics.

Entity: Logical Switch
  Widgets on the entity dashboard: Logical Switch Packet Metrics, Logical Switch Byte Metrics
  Supported NSX-T metrics: Multicast and Broadcast Rx, Multicast and Broadcast Tx, Unicast Rx, Unicast Tx, Dropped Rx, Dropped Tx, Rx Packets (Total), Tx Packets (Total)

Entity: Logical Port
  Widgets on the entity dashboard: Logical Port Packet Metrics, Logical Port Byte Metrics
  Supported NSX-T metrics: Multicast and Broadcast Rx, Multicast and Broadcast Tx, Unicast Rx, Unicast Tx, Rx Packets (Total), Tx Packets (Total)

Entity: Router Interface
  Widgets on the entity dashboard: Router Interface Metrics
  Supported NSX-T metrics: Rx Packets, Tx Packets, Dropped Rx Packets, Dropped Tx Packets, Rx Bytes, Tx Bytes

Entity: Firewall Rule
  Widgets on the entity dashboard: Firewall Rule Metrics
  Supported NSX-T metrics: Hit Count, Flow Bytes, Flow Packets

Here are some sample queries for NSX-T Metrics:
  • nsx-t logical switch where Rx Packet Drops > 0

    This query lists all the logical switches where the count of the dropped received packets is greater than 0.

  • nsx-t logical port where Tx Packet Drops > 0

    This query lists all the logical ports where the count of the dropped transmitted packets is greater than 0.

  • top 10 nsx-t firewall rules order by Connection count

    This query lists the top 10 firewall rules by connection count (Hit Count).

Security Planning for NSX-T

To plan security for an NSX-T network, select NSX-T L2 Network as the scope and use the following query:
plan NSX-T Layer2 Network '<NAME_OF_NSX_T_LOGICAL_SEGMENT>'
You can obtain the same result from the UI:
  1. Select Plan & Assess > Security Planning from the navigation side bar.
  2. Select either NSX-T L2 Network or NSX Policy Segment as the scope from the drop-down menu.
Note: The NSX-T entities NSX-T L2 Network and NSX Policy Segment are available as scopes, so you can plan security directly against these NSX-T objects.