An Overview of NSX-T Profiles

All the profiles in NSX-T can be quite confusing at the beginning. In this article I want to take a look at the most important ones and how they relate to each other.

  • In which profile do I have to define the Transport VLAN?
  • Where do I map the physical adapters in my host to the uplink definitions?
  • Where does this N-VDS come from?
  • … and so on.

Questions like the ones above might come up now and then when you start working with NSX-T. To set up a working virtual network infrastructure it is crucial to understand these profiles, where they are used and how they interact. So let’s take a closer look at the profiles in NSX-T 2.4.

NSX-T profiles at a glance.

The diagram above shows:

  • Profiles and other logical items are marked with a green header.
  • Datapath items have a blue one.
  • Transport Node refers to a single Node, but the same settings are configured in a Transport Node Profile which can be attached to a vSphere Cluster.
  • The red-framed items for Segments are accessible via Advanced Settings.

Note: We will discuss Transport Node Profiles in one of the upcoming posts.

Now let’s talk through some of the highlights:

Transport Zone

This is one of the first objects you have to create: You select its type (VLAN or Overlay) and define an N-VDS. When you then assign a Transport Node to the Transport Zone it automatically inherits the N-VDS defined in the TZ. Please note the arrow at the Transport Node going from the Transport Zone to the N-VDS.

Uplink Profile

Although NSX-T comes with some pre-defined Uplink Profiles, I would recommend creating your own. This type of profile basically defines all aspects of how a Transport Node (ESXi, KVM, Edge) is attached to the network: it defines the Transport VLAN, MTU size and the NIC configuration.

I like to see the Transport Node setup split up into 4 layers:

  1. You create a Transport Zone and
  2. define its N-VDS name.
  3. Then you use the Uplink Profile
  4. to attach your Transport Node to this construct.
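
The four layers above expressed as a consistency check. This is an added example, not code from the original post or from VMware: the field names are modelled on the NSX-T Manager API objects for transport zones, uplink host switch profiles and transport nodes (an assumption to verify against your version), and all ids and values are constructed.

```python
# Constructed sample objects; field names modelled on the NSX-T Manager API (assumption).
ZONES = {"tz-overlay-01": {"transport_type": "OVERLAY", "host_switch_name": "nvds-overlay"}}
PROFILES = {"up-esxi-01": {"transport_vlan": 150, "mtu": 1600, "teaming": {
    "policy": "FAILOVER_ORDER",
    "active_list": [{"uplink_name": "uplink-1"}],
    "standby_list": [{"uplink_name": "uplink-2"}]}}}
TRANSPORT_NODE = {
    "display_name": "esxi-01",
    "transport_zone_endpoints": [{"transport_zone_id": "tz-overlay-01"}],
    "host_switch_spec": {"host_switches": [{
        "host_switch_name": "nvds-overlay",
        "host_switch_profile_ids": [{"key": "UplinkHostSwitchProfile", "value": "up-esxi-01"}],
        "pnics": [{"device_name": "vmnic2", "uplink_name": "uplink-1"},
                  {"device_name": "vmnic3", "uplink_name": "uplink-2"}]}]}}


def check_transport_node(node, zones, uplink_profiles):
    """Return a list of inconsistencies between a node, its TZs and its Uplink Profile."""
    problems = []
    switches = {hs["host_switch_name"]: hs for hs in node["host_switch_spec"]["host_switches"]}
    # Layers 1+2: every attached Transport Zone dictates the N-VDS name on the node.
    for ep in node["transport_zone_endpoints"]:
        tz = zones.get(ep["transport_zone_id"])
        if tz is None:
            problems.append(f"unknown transport zone {ep['transport_zone_id']}")
        elif tz["host_switch_name"] not in switches:
            problems.append(f"N-VDS {tz['host_switch_name']} required by TZ is missing on node")
    # Layers 3+4: the Uplink Profile names the uplinks, the node maps physical NICs to them.
    for name, hs in switches.items():
        ids = [p["value"] for p in hs["host_switch_profile_ids"]
               if p["key"] == "UplinkHostSwitchProfile"]
        profile = uplink_profiles.get(ids[0]) if ids else None
        if profile is None:
            problems.append(f"{name}: no known Uplink Profile attached")
            continue
        teaming = profile["teaming"]
        defined = {u["uplink_name"] for u in
                   teaming.get("active_list", []) + teaming.get("standby_list", [])}
        mapped = {p["uplink_name"] for p in hs["pnics"]}
        for p in hs["pnics"]:
            if p["uplink_name"] not in defined:
                problems.append(f"{name}: {p['device_name']} -> undefined uplink {p['uplink_name']}")
        for u in sorted(defined - mapped):
            problems.append(f"{name}: uplink {u} has no physical adapter")
    return problems


if __name__ == "__main__":
    print(check_transport_node(TRANSPORT_NODE, ZONES, PROFILES) or "consistent")
```

The Transport VLAN and MTU live only in the Uplink Profile, while the mapping of physical adapters to uplink names lives on the Transport Node, which is why the check has to read both objects.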

Segments and Segment Profiles

Segments (aka Logical Switches) always belong to one Transport Zone. Depending on the type of TZ you can configure different options like Replication Mode for Overlay based Segments or Teaming Policies for VLAN Segments.

Note: We will cover Teaming Policies in an upcoming article.

NSX-T comes with a lot of Segment Profiles out of the box and most of them will work for the majority of use cases. Nevertheless, here is a (very short) summary:

  • Spoof Guard: Enable/disable Port Bindings based on IP/MAC
  • IP Discovery: Configure ARP and/or DHCP snooping, etc.
  • MAC Discovery: Setup MAC Change and MAC Learning rules
  • Segment Security: BPDU and DHCP Filter, Rate Limits, etc.
  • QoS: DSCP (trusted or untrusted), CoS, Bandwidth limitations

These profiles are attached at the Segment level but can be overridden at the Segment Port level.

What’s Next…

In the upcoming posts I want to talk about:

  • VLAN traffic pinning using Teaming Policies
  • VMkernel Adapter management using Transport Node Profiles
Bal Birdy
Bal is an Open Group Certified IT Architect, and VCDX #269, specializing in the network and security arena, with over 15 years experience in enterprise level network/system technologies. His goal has always been to maintain a holistic view of the architecture allowing him to understand how various technology streams may impact the networking/infrastructure space.
Bal has a proven record of delivering on enterprise network designs, leading data center and site migrations as a result of business mergers and acquisitions, and vendor migrations e.g. Cisco to Checkpoint/Juniper. As part of this he worked across several business sectors: Utilities, Banking, Retail and Government, and can base designs around sector specific standards e.g. PCI-DSS, DSD and ISM. He is proficient in several technology areas including Cisco, Juniper, F5, VMware, Citrix and Microsoft. These skills are supported by non-technical certifications: Prince2 Project Management Practitioner, ITILv3, TOGAF 9.1 Certified and Open Group Certified IT Architect – Open CA.
In addition to supporting the Livefire Team, Bal leads several innovation efforts within the VMware WRACE organization, including projects investigating the use of Virtual Reality/Augmented Reality, AI/ML and Interactive 360, to support customer and partner enablement.

BSc (Hons) Computer Science
VCDX-NV #269
Open Group Certificated Architect
Member of the Association of Enterprise Architects
