Add VDOM support for NSX-T 6.4.3
By configuring the service chain and service index, NSX-T east-west traffic can be redirected to a designated FortiGate VDOM.
The following commands have been added:
    config nsxt setting
        set liveness {enable | disable}
        set service <service name>
    end

    config nsxt service-chain
        edit <ID>
            set name <chain name>
            config service-index
                edit <forward index>
                    set reverse-index <integer>
                    set name <index name>
                    set vd <VDOM>
                next
            end
        next
    end
Where:
reverse-index <integer> | Value from (1 - 255, default = 1).
After upgrading, the |
To redirect traffic from the root to the vd1 VDOM:
- Enable liveness detection:
    (global) # config nsxt setting
        set liveness enable
    end
- Configure the service chain and service index:
    (global) # config nsxt service-chain
        edit 1
            config service-index
                edit 1
                    set vd "vd1"
                next
            end
        next
    end
- Configure the GENEVE interface linked with port2:
    (vd1) # config system geneve
        edit "vd1-int"
            set interface "port2"
            set vni 1
            set remote-ip 10.0.0.1
        next
        edit "vd1-ext"
            set interface "port2"
            set vni 2
            set remote-ip 10.0.0.1
        next
    end
- Configure the GENEVE interface as a virtual wire pair:
    (vd1) # config system virtual-wire-pair
        edit "1"
            set member "vd1-int" "vd1-ext"
        next
    end
- Configure the firewall policy:
    (vd1) # config firewall policy
        edit 1
            set srcintf "vd1-int" "vd1-ext"
            set dstintf "vd1-int" "vd1-ext"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set ssl-ssh-profile "certificate-inspection"
            set logtraffic all
            set capture-packet enable
            set auto-asic-offload disable
        next
    end
- Verify the traffic:
    (vd1) # diagnose sniffer packet any icmp 4
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[icmp]
    1.088228 vd1-int in 172.16.10.92 -> 172.16.20.94: icmp: echo request
    1.088244 vd1-ext out 172.16.10.92 -> 172.16.20.94: icmp: echo request
    1.088618 vd1-ext in 172.16.10.92 -> 172.16.20.94: icmp: echo request
    1.088626 vd1-int out 172.16.10.92 -> 172.16.20.94: icmp: echo request
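The verify step can be checked mechanically. The following is an added example, not part of the original page or Fortinet tooling: it parses saved sniffer output in the format shown above and reports any packet that entered one member of the virtual wire pair without leaving through the other, meaning the VDOM did not forward it. The function names and the embedded sample (copied from the output above) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the packet lines from the verify step above.
SAMPLE = """\
1.088228 vd1-int in 172.16.10.92 -> 172.16.20.94: icmp: echo request
1.088244 vd1-ext out 172.16.10.92 -> 172.16.20.94: icmp: echo request
1.088618 vd1-ext in 172.16.10.92 -> 172.16.20.94: icmp: echo request
1.088626 vd1-int out 172.16.10.92 -> 172.16.20.94: icmp: echo request
"""

# timestamp, interface, direction, source -> destination: protocol detail
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):\s+(?P<info>.+)$"
)

def parse(text):
    """Yield one tuple per packet line; banner lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield (float(m["ts"]), m["iface"], m["dir"],
                   m["src"], m["dst"], m["info"])

def unpaired_ingress(text, pair=("vd1-int", "vd1-ext")):
    """Return ingress records on one pair member that have no matching
    egress record on the other member (packet not forwarded)."""
    peer = {pair[0]: pair[1], pair[1]: pair[0]}
    pending = defaultdict(list)  # (expected egress iface, flow) -> ingress records
    for ts, iface, direction, src, dst, info in parse(text):
        if iface not in peer:
            continue  # traffic on interfaces outside the wire pair
        if direction == "in":
            pending[(peer[iface], src, dst, info)].append((ts, iface, src, dst))
        else:
            queue = pending.get((iface, src, dst, info))
            if queue:
                queue.pop(0)  # oldest matching ingress is now accounted for
    return [rec for queue in pending.values() for rec in queue]

if __name__ == "__main__":
    for ts, iface, src, dst in unpaired_ingress(SAMPLE):
        print(f"not forwarded: {ts:.6f} {iface} {src} -> {dst}")
```

An empty result on the sample confirms that every packet crossed the pair; a non-empty result points at the firewall policy or the service-index to VDOM mapping as the place to look.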