NSX-T with Jam, trouble with DFW, SOLVED!

Introduction:

Congratulations to Omkar, the winner of the first Spill the NSX-T Reader Challenge!

And thank you Chris, our Ireland based correspondent that delivered the winning prize, a cup of tea. 🙂

Here is a brief summary of the issue:

  • Two Guest VMs, VM1 and VM2, residing on the same NSX-T prepared ESXi host
  • Both Guest VMs are the same Photon OS build
  • The ESXi host's overall NSX-T status is completely healthy
  • Both Guests have IP connectivity to the Internet
  • Both Guest VMs appear correctly in the NSX-T Inventory
  • There is no DFW exclusion list
  • Only VM1 appears in the Guest-VM-Group address set
  • VM1 has DFW rules applied, but VM2 does not

Additional problem description details are found here: https://spillthensxt.com/nsx-t-with-jam-trouble-with-dfw/

Question:

Why does VM2’s DFW Filter have “No rules.”?

Some Useful Clues that were Provided:

- VM1 is connected to DvsPortset-1
- VM2 is connected to DvsPortset-0

[root@esxcna01-s1:~] net-stats -l
 PortNum          Type SubType SwitchName       MACAddress         ClientName
 50331650            4       0 DvsPortset-0     00:50:56:01:44:05  vmnic0
 50331652            4       0 DvsPortset-0     00:50:56:01:10:b9  vmnic1
 50331654            3       0 DvsPortset-0     00:50:56:01:44:05  vmk0
 50331655            3       0 DvsPortset-0     00:50:56:6a:5e:cf  vmk1
 50331656            5       9 DvsPortset-0     00:50:56:96:c5:31  VM2.eth0
 67108866            4       0 DvsPortset-1     00:50:56:01:10:bb  vmnic2
 67108868            3       0 DvsPortset-1     00:50:56:6a:99:31  vmk10
 67108869            3       0 DvsPortset-1     00:50:56:66:0f:29  vmk50
 67108871            5       9 DvsPortset-1     00:50:56:96:98:58  VM1.eth0

  • VM1 has an attached VIF and Logical Port
  • VM2 has no attached VIF and is not associated with a Logical Port

Some Additional Details that would have been helpful:

- VM1 is on an N-VDS:
- VM2 does not appear on this N-VDS:

[root@esxcna01-s1:~] nsxdp-cli vswitch instance list
 DvsPortset-1 (NSXToverlay)       c0 8d c9 87 a2 d6 40 c4-9f 34 2c b7 9c bf 3d 76
 Total Ports:1536 Available:1516
   Client                         PortID          DVPortID                             MAC                  Uplink
   Management                     67108865                                             00:00:00:00:00:00    n/a
   vmnic2                         67108866        uplink1                              00:00:00:00:00:00
   Shadow of vmnic2               67108867                                             00:50:56:58:f5:37    n/a
   vmk10                          67108868        10                                   00:50:56:6a:99:31    vmnic2
   vmk50                          67108869        b7f52c2a-11ed-43c4-8e8e-c9a156e65e64 00:50:56:66:0f:29    void
   vdr-vdrPort                    67108870        vdrPort                              02:50:56:56:44:52    vmnic2
   VM1.eth0                       67108871        74908cb5-3374-4f6a-89b2-d207aa8c2d87 00:50:56:96:98:58    vmnic2  <--- VM1 is on N-VDS

- Additional VM connection details:

[root@esxcna01-s1:~]  esxcli network vm list
 World ID  Name  Num Ports  Networks
 --------  ----  ---------  ------------------------------------
    69749  VM1           1  8093a9f4-3d71-4700-af97-a6dcc291e704          <--- this is an N-VDS logical port
    71259  VM2           1  dvportgroup-18                                <--- this is a vDS port group
 [root@esxcna01-s1:~]  esxcli network vm port list -w 69749
    Port ID: 67108871
    vSwitch: DvsPortset-1
    Portgroup: 8093a9f4-3d71-4700-af97-a6dcc291e704
    DVPort ID:
    MAC Address: 00:50:56:96:98:58
    IP Address: 0.0.0.0
    Team Uplink: vmnic2
    Uplink Port ID: 67108866
    Active Filters: vmware-sfw

 [root@esxcna01-s1:~]  esxcli network vm port list -w 71259
    Port ID: 50331656
    vSwitch: DSwitch-CAI-Management
    Portgroup: dvportgroup-18
    DVPort ID: 19
    MAC Address: 00:50:56:96:c5:31
    IP Address: 0.0.0.0
    Team Uplink: vmnic0
    Uplink Port ID: 50331650
    Active Filters: vmware-sfw, dvfilter-generic-vmware

Omkar’s correct Answer:

VM2 is connected to DVS (DvsPortset-0), hence it is out of the scope of DFW, hence “No rules.”, whereas VM1 is connected to N-VDS (DvsPortset-1), which will be the candidate for DFW rules.

In a very close second place is Alexis, with a correct answer submitted on Twitter just after Omkar, and just missing out on a cup of tea:

When the ESXi host is prepared for NSX-T, all vNICs see the DFW dvfilter applied in slot 2, regardless of the switch they are connected to. This is by design.

The issue is that VM2 is on a vDS portgroup. An NSX-T DFW prerequisite is that guest VMs must have their vNIC connected to an N-VDS logical switch that is associated with an NSX-T Transport Zone.
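To turn that prerequisite into a repeatable check, here is an added example (not from the original post or from VMware) that parses the `esxcli network vm port list -w <world-id>` output quoted above and classifies each vNIC as an N-VDS logical port (DFW candidate) or a vDS port group (out of DFW scope). The sample text is constructed from the post's two listings, trimmed to the relevant fields; the UUID-shaped Portgroup heuristic is an assumption based on what the post shows.

```python
import re

# Constructed sample: the relevant lines of the two
# `esxcli network vm port list -w <world-id>` outputs quoted in the post.
SAMPLE_PORT_LISTS = {
    "VM1": """\
   vSwitch: DvsPortset-1
   Portgroup: 8093a9f4-3d71-4700-af97-a6dcc291e704
   DVPort ID:
   Active Filters: vmware-sfw
""",
    "VM2": """\
   vSwitch: DSwitch-CAI-Management
   Portgroup: dvportgroup-18
   DVPort ID: 19
   Active Filters: vmware-sfw, dvfilter-generic-vmware
""",
}

# Assumption: an N-VDS logical port shows up as a UUID in the Portgroup field.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_port_list(text):
    """Turn one vNIC's 'Key: value' listing into a dict (empty values kept)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip()
    return fields

def dfw_scope(fields):
    """'nvds-logical-port' = DFW candidate, 'vds-portgroup' = out of DFW scope."""
    pg = fields.get("Portgroup", "")
    if UUID_RE.match(pg):
        return "nvds-logical-port"
    if pg.startswith("dvportgroup-"):
        return "vds-portgroup"
    return "unknown"

def audit(port_lists):
    """Map each VM to its scope and filters; vmware-sfw alone proves nothing (see VM2)."""
    report = {}
    for vm, text in port_lists.items():
        f = parse_port_list(text)
        filters = [x.strip() for x in f.get("Active Filters", "").split(",")]
        report[vm] = {"scope": dfw_scope(f), "filters": filters, "vswitch": f.get("vSwitch")}
    return report
```

Run `audit(SAMPLE_PORT_LISTS)` against listings captured from a prepared host: any VM reported as `vds-portgroup` will show "No rules." in its DFW filter no matter what the dvfilter slot says.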

Other Reader responses:

Donald, I like where you are going with this. The IP Discovery Switching Profile is key to the correct IP being discovered in the VM Inventory, but in this case, VM1 and VM2 IPs were correctly discovered.

Chris, good observation, the missing attached VIF was key.

I hope you all enjoyed the first Spill the NSX-T Reader Challenge!
