I’m looking to deploy NSX-T 3 in a nested ESXi 7 environment. I currently have three physical ESXi 7 hosts connected via two uplinks to a Cisco Nexus with several VLANs available (mainly 502). I have four ESXi 7 hosts deployed as VMs on top of these three physical hosts.
What I can't quite figure out is how to isolate them from the physical ESXi network traffic. In the past I would probably try to use a pfSense router VM to route between a vSwitch that had network access and one that had no uplinks. Trouble is, that only works if all VMs are on the same host. So I’m wondering if I need to use private VLANs, with VLAN 502 being the primary and some other number as the secondary that pfSense will route between, but again, it only seems to work if all the VMs are on the same host. Any ideas? I’m trying to limit needing to make any changes to the Cisco Nexus, simply using VLAN 502 as my pfSense WAN link as a route out of this nested environment where all the NSX testing will happen.