In an NSX environment, each overlay segment is uniquely identified by a VNI ID (Virtual Network Identifier). The VNI is used to distinguish different overlay networks within the NSX environment and is essential for troubleshooting, as it helps administrators identify specific segments where traffic is encapsulated and isolated.

The answer is C. Group all by means of tags membership.

Tags are metadata that can be applied to physical servers, virtual machines, logical ports, and logical segments in NSX. Tags can be used for dynamic security group membership, which allows for granular and flexible enforcement of security policies based on various criteria1

In the scenario, the company is deploying NSX micro-segmentation to secure a simple application composed of web, app, and database tiers. The naming convention will be:

WKS-WEB-SRV-XXX

WKY-APP-SRR-XXX

WKI-DB-SRR-XXX

The optimal way to group them to enforce security policies from NSX is to use tags membership. For example, the company can create three tags: Web, App, and DB, and assign them to the corresponding VMs based on their names. Then, the company can create three security groups: Web-SG, App-SG, and DB-SG, and use the tags as the membership criteria. Finally, the company can create and apply security policies to the security groups based on the desired rules and actions2

Using tags membership has several advantages over the other options:

It is more scalable and dynamic than using Edge as a firewall between tiers. Edge firewall is a centralized solution that can create bottlenecks and performance issues when handling large amounts of traffic3

It is more simple and efficient than doing a service insertion to accomplish the task. Service insertion is a feature that allows for integrating third-party services with NSX, such as antivirus or intrusion prevention systems. Service insertion is not necessary for basic micro-segmentation and can introduce additional complexity and overhead.

It is more flexible and granular than creating an Ethernet based security policy. Ethernet based security policy is a type of policy that uses MAC addresses as the source or destination criteria. Ethernet based security policy is limited by the scope of layer 2 domains and does not support logical constructs such as segments or groups.

To learn more about tags membership and how to use it for micro-segmentation in NSX, you can refer to the following resources:

VMware NSX Documentation: Security Tag 1

VMware NSX Micro-segmentation Day 1: Chapter 4 - Security Policy Design 2

VMware NSX 4.x Professional: Security Groups

VMware NSX 4.x Professional: Security Policies

esxcfg-nics -l: This command lists all physical NICs on the ESXi host along with their link status, allowing you to check if any vmnic link status is down.

esxcli network nic list: This command provides a list of network interfaces with their details, including link status, making it useful for verifying if the link status of a vmnic is down.

The ifconfig command is used to display the network configuration of interfaces, including the Tunnel Endpoint (TEP) IP on a bare metal transport node. This command provides details about IP addresses, subnet masks, and other network settings for each interface on the node.

The set auth-policy command in the NSX CLI is used to configure the authentication policy for local users. This command allows administrators to adjust settings related to password policies, lockout policies, and other authentication-related parameters for local user accounts on NSX Manager.