Segments vs VLANs – Why “Flatter” can be better

A frequent NSX-T anti-pattern is rebuilding the exact VLAN design as segments: one segment per tier, per app, per environment, per whatever. It’s understandable – teams want familiarity. But NSX-T decouples network segmentation from security segmentation.

In many cases, you can reduce segments dramatically and rely on DFW for isolation. That simplifies routing, reduces operational overhead, and makes troubleshooting more deterministic.

Instead of: Segment-Web; Segment-App; Segment-DB

You can do: Segment-AppOverlay, and enforce access with DFW.
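What the collapsed design looks like in policy terms, as an added example that is not from the original post: the three tiers live on the single Segment-AppOverlay, membership comes from VM tags, and isolation is carried entirely by an ordered DFW rule set with an explicit catch-all drop. The tag values, group ids, the `/infra/services/HTTPS` and `/infra/services/MySQL` service paths, and the segment path are constructed assumptions; the small evaluator at the end mimics the DFW's top-down first-match behaviour so the rule set can be checked offline.

```python
# Added example (not from the original post): three-tier isolation on ONE NSX-T
# segment, expressed as a DFW policy, plus a first-match evaluator to check it.
# Tag values, group ids, service paths and the segment path are constructed.
DOMAIN = "/infra/domains/default"
SEGMENT = "/infra/segments/Segment-AppOverlay"   # the one shared overlay segment

def tier_group(tier):
    """Dynamic group: every VM on the shared overlay tagged tier|<tier>."""
    return {"resource_type": "ChildGroup", "Group": {
        "resource_type": "Group", "id": tier, "display_name": f"grp-{tier}",
        "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                        "key": "Tag", "operator": "EQUALS", "value": f"tier|{tier}"}]}}

def rule(seq, name, src, dst, services, action):
    """One DFW rule applied to the shared segment; 'ANY' means any group/service."""
    path = lambda g: g if g == "ANY" else f"{DOMAIN}/groups/{g}"
    return {"resource_type": "Rule", "id": name, "display_name": name,
            "sequence_number": seq, "direction": "IN_OUT", "action": action,
            "source_groups": [path(g) for g in src], "scope": [SEGMENT],
            "destination_groups": [path(g) for g in dst], "services": services}

# Ordered rules; the trailing catch-all DROP is what replaces the per-tier
# VLAN/segment boundary, so the isolation is explicit in policy, not topology.
RULES = [
    rule(10, "web-to-app", ["web"], ["app"], ["/infra/services/HTTPS"], "ALLOW"),
    rule(20, "app-to-db", ["app"], ["db"], ["/infra/services/MySQL"], "ALLOW"),
    rule(30, "deny-rest-of-overlay", ["ANY"], ["ANY"], ["ANY"], "DROP"),
]

def policy_payload():
    """Hierarchical Policy API body (PATCH /policy/api/v1/infra) for the design."""
    return {"resource_type": "Infra", "children": [{"resource_type": "ChildDomain",
        "Domain": {"resource_type": "Domain", "id": "default", "children":
            [tier_group(t) for t in ("web", "app", "db")] +
            [{"resource_type": "ChildSecurityPolicy", "SecurityPolicy": {
                "resource_type": "SecurityPolicy", "id": "app-overlay-tiers",
                "category": "Application", "rules": RULES}}]}}]}

def evaluate(src_tier, dst_tier, service_path):
    """Walk rules top-down and return the first matching action, as the DFW does."""
    hit = lambda refs, v: "ANY" in refs or v in refs
    for r in sorted(RULES, key=lambda r: r["sequence_number"]):
        if (hit(r["source_groups"], f"{DOMAIN}/groups/{src_tier}")
                and hit(r["destination_groups"], f"{DOMAIN}/groups/{dst_tier}")
                and hit(r["services"], service_path)):
            return r["action"]
    return "DROP"  # assumption: the section's default rule is also set to drop
```

Web reaching DB directly is dropped by rule 30 even though both sit on the same segment, which is the whole point of the flatter design.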

Pros

  • Fewer segments/gateways to manage
  • Simpler routing tables and north-south integration
  • Faster policy changes without network redesign

Cons

  • Requires confidence in DFW and operational rigor
  • Legacy teams/tools may “expect” VLAN separation

NSX-T gives you the option to simplify topology and express isolation through policy. Use segments for real trust boundaries and routing needs – not as a default substitute for every VLAN you used to have.
