One of the challenges for customers who wanted to use NSX-V for microseg only was that the vShield filter had to process all traffic. So that meant an increase CPU utilization and packet latency with load even if the DFW wasn’t doing an active filtering, just inspection. Yes, you could exclude certain VM’s but most found that difficult operationally. And N-VDS was operationally kludgy in VLAN backed mode.
With the vSphere 7 vDS and NSX-T 3, is this addressed?
Meaning can you identify certain otherwise native VLAN backed PG’s to fall under the NSX-T DFW and then be subject to inspection while the other traffic isn’t?
Further can you still use technologies like Spoofguard to ensure the VM isn’t trying to bypass FW rules by IP or MAC masquerading?
Any sort of slideware on this topic would be helpful.