NSX-v – Show dfw rules applied to VM

For my example, I’m using a very simple example, with only 3 VMs, connected to the same Logical Switch. They are all sitting on the same Host.

To start of, there are only default rules configured in the dfw, with a any-any-permit rule:

Let’s start with VM “Ubu1-1”. In order to investigate this VM, we need its MoRef ID.
There are multiple ways to get it. I personally prefer PowerCLI:

Get-VM -Name "Ubu1-1" | select name, id | fl

Name : ubu1-1
Id   : VirtualMachine-vm-764

Alternatively, since we need to login to NSX Manager next anyway, you can also drill down to the VM from there:

nsxv.cloudborn.lab> show cluster all
No.  Cluster Name   Cluster Id               Datacenter Name   Firewall Status          Firewall Fabric Status
1    MGMT           domain-c7                DC1               Not Ready                UNKNOWN
2    COMP           domain-c85               DC1               Enabled                  GREEN
nsxv.cloudborn.lab>
nsxv.cloudborn.lab> show cluster domain-c85
Datacenter: DC1
Cluster: COMP
No.  Host Name             Host Id                  Installation Status      Firewall Fabric Status
1    esxi2.cloudborn.lab   host-89                  Enabled                  GREEN
2    esxi3.cloudborn.lab   host-92                  Enabled                  GREEN
3    esxi4.cloudborn.lab   host-95                  Enabled                  GREEN
nsxv.cloudborn.lab>
nsxv.cloudborn.lab> show host host-89
Datacenter: DC1
Cluster: COMP
Host: esxi2.cloudborn.lab
No.  VM Name   VM Id     Power Status
1    ubu1-1    vm-764    on
2    ubu1-2    vm-765    on

nsxv.cloudborn.lab>

Either way, we see that VM “Ubu1-1” has MoRef-ID “vm-764
Let’s continue with VM details:

nsxv.cloudborn.lab> show vm vm-764
Datacenter: DC1
Cluster: COMP
Host: esxi2.cloudborn.lab
Host-ID: host-89
VM: ubu1-1
Virtual Nics List:
1.
Vnic Name      ubu1-1 - Network adapter 1
Vnic Id        500c72ea-5ea2-5a63-569b-80b259b010f4.000
Filters
Filter Name    nic-2110847-eth0-vmware-sfw.2
Filter Hash    4785

From here, we need the Filter Name “nic-2110847-eth0-vmware-sfw.2”
Now, we can finally check, which dfw rules are applied to this NIC (Ubu1-1 eth0):

nsxv.cloudborn.lab> show dfw host host-89 filter nic-2110847-eth0-vmware-sfw.2 rules
ruleset domain-c85 {
  # generation number: 1565198247068
  # realization time : 2019-08-07T18:52:27
  rule 1003 at 1 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1003 at 2 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1002 at 3 inout protocol udp from any to any port 67 accept;
  rule 1002 at 4 inout protocol udp from any to any port 68 accept;
  rule 1001 at 5 inout protocol any from any to any accept;
}

ruleset domain-c85_L2 {
  # generation number: 1565198247068
  # realization time : 2019-08-07T18:52:27
  rule 1004 at 1 inout ethertype any stateless from any to any accept;
}

Lines 5-9 are now showing us, that all rules, we have seen earlier in the GUI, are applied to eth0 on VM “Ubu1-1”. If a specific rule ID appears more than once (like 1003 & 1002 in our example), that means, there are multiple services included in this rule.

Lets configure a new dfw rule, which blocks ICMP from “Ubu1-1” to “Ubu1-2” and apply this rule to “LS1-192.168.1.0-24”.

Since this rule only blocks ICMP Echo from “Ubu1-1” to “Ubu1-2” a ping in opposite direction still works.

Let’s check which rules are now applied to both VMs eth0 interfaces.
VM “Ubu1-1” eth0:

nsxv.cloudborn.lab> show dfw host host-89 filter nic-2110847-eth0-vmware-sfw.2 rules
ruleset domain-c85 {
  # generation number: 1565217423197
  # realization time : 2019-08-07T22:37:03
  rule 1005 at 1 inout protocol icmp icmptype 8 from addrset ip-vm-764 to addrset ip-vm-765 drop;
  rule 1003 at 2 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1003 at 3 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1002 at 4 inout protocol udp from any to any port 67 accept;
  rule 1002 at 5 inout protocol udp from any to any port 68 accept;
  rule 1001 at 6 inout protocol any from any to any accept;
}

VM “Ubu1-2” eth0:

nsxv.cloudborn.lab> show dfw host host-89 filter nic-2209772-eth0-vmware-sfw.2 rules
ruleset domain-c85 {
  # generation number: 1565217423197
  # realization time : 2019-08-07T22:42:16
  rule 1005 at 1 inout protocol icmp icmptype 8 from addrset ip-vm-764 to addrset ip-vm-765 drop;
  rule 1003 at 2 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1003 at 3 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1002 at 4 inout protocol udp from any to any port 67 accept;
  rule 1002 at 5 inout protocol udp from any to any port 68 accept;
  rule 1001 at 6 inout protocol any from any to any accept;
}

We can see, that rule 1005 is applied to both VMs eth0 interfaces.

Note: Because I’ve selected the Logical Switch in the “Applied To” field for the rule, this rule is also applied to VM “Ubu1-2” eth0 too, even though it will never get hit by this VM. In our example, this is nothing to worry about. But if you think about enterprise environments with thousands of rules, this can potentially lead to issues. Especially, if you leave the “Applied To” field untouched, by default, the rule will be added to all VMs vNICs, managed by this distributed firewall. This will eventually lead to a situation where new rules are not properly applied to the VMs, or even worse, the host become unresponsive because it can’t handle the amount of rules anymore.

According to the NSX-v 6.4.5 Configuration Maximums, a single vNIC can have 3.500 rules attached to it. And a single Host can handle up to 10.000 rules ( –> VMware Configuration Maximums ).
At first glance, this seems to be a lot, but if you think about how many rules you need for standard services (dns, ntp, ldap,…) and now multiply them by the amount of VMs per host and maybe even multiply this by the amount of vNICs …

Leave a Reply

Your email address will not be published.