Networking capabilities
Software-defined networking without NSX
Basalt networking is the SDN control plane, not a thin wrapper around someone else’s SDN. It programs OVS, composes policy, and manages tenant routing from the same platform that places compute.
Networking is part of Basalt’s three-component architecture, inherits the controls described in platform security, integrates directly with compute attachment workflows, and is the network foundation for replacing NSX.
Network Zones
Basalt implements three concrete zone types: VLAN, flat, and VXLAN. That is the actual platform inventory, not the six-zone variant sometimes found in sales-deck language. Each zone can carry per-zone IPv4 and IPv6 configuration, MTU, DHCP, and DNS settings.
The control plane is OVS-native. Basalt defines the logical network, renders the OVS bridge and port intent on hosts, and owns the enforcement path. It is the SDN rather than a management veneer around an external network product.
Security Groups
Security groups are enforced through an OpenFlow pipeline on OVS: table 0 classifies traffic, table 10 handles egress, table 20 handles ingress, and conntrack provides stateful evaluation. Stateful return traffic is automatically allowed, so operators do not have to duplicate reverse rules by hand.
Policy is composed in three layers: zone-wide rules, VM rules, and NIC-specific rules. Basalt calculates the effective policy merge, installs anti-spoof guards, and applies the result at the virtual edge. Microsegmentation is built in — no NSX add-on required.
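An added sketch, not Basalt's own code or flow layout, of how the three rule layers could merge and render into a tables 0/10/20 conntrack pipeline for one vNIC. The `Rule` shape, the additive merge, the priorities and the sample values used to exercise it are assumptions; only the table numbers come from the text above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:              # hypothetical allow-rule shape, not Basalt's schema
    direction: str       # "egress" or "ingress"
    proto: str           # "tcp" or "udp"
    port: int            # destination port
    cidr: str            # remote prefix

TABLE = {"egress": 10, "ingress": 20}   # table numbers as stated on the page

def merge(zone, vm, nic):
    """Assumed semantics: allow rules are additive; duplicates collapse."""
    return list(dict.fromkeys([*zone, *vm, *nic]))

def render(ofport, mac, ip, rules):
    """Return ovs-ofctl style flows for one vNIC (local east-west path omitted)."""
    flows = [
        # Table 0: anti-spoof guard. Only the bound MAC/IP may source traffic.
        f"table=0,priority=100,in_port={ofport},dl_src={mac},ip,nw_src={ip},actions=resubmit(,10)",
        f"table=0,priority=100,in_port={ofport},dl_src={mac},arp,arp_spa={ip},actions=normal",
        f"table=0,priority=90,in_port={ofport},actions=drop",
        # Traffic addressed to the vNIC is classified into the ingress table.
        f"table=0,priority=80,ip,dl_dst={mac},actions=resubmit(,20)",
        f"table=0,priority=70,arp,actions=normal",
    ]
    for t in TABLE.values():
        flows += [
            # Untracked packets pass through conntrack and re-enter the table.
            f"table={t},priority=100,ct_state=-trk,ip,actions=ct(table={t})",
            # Established/related traffic is allowed without a reverse rule.
            f"table={t},priority=90,ct_state=+trk+est,ip,actions=normal",
            f"table={t},priority=90,ct_state=+trk+rel,ip,actions=normal",
            f"table={t},priority=0,actions=drop",   # default deny
        ]
    for r in rules:
        # Egress rules are scoped by source port, ingress rules by target MAC.
        scope, remote = ((f"in_port={ofport}", "nw_dst") if r.direction == "egress"
                         else (f"dl_dst={mac}", "nw_src"))
        flows.append(
            f"table={TABLE[r.direction]},priority=80,ct_state=+trk+new,{scope},"
            f"{r.proto},{remote}={r.cidr},tp_dst={r.port},actions=ct(commit),normal"
        )
    return flows
```

Only new connections need an explicit rule; the `+est` and `+rel` flows carry the reply direction, which is why no reverse rule appears in the opposite table.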
Managed L3 Routers
Tenant routers bridge zones to uplinks and provide NAT, static routes, BGP, OSPF, stateful firewalling, DHCP, and DNS. Under the hood Basalt uses Linux network namespaces with FRR daemons such as bgpd and ospfd, nftables for packet policy, and dnsmasq for DHCP and DNS services.
Router HA uses VRRPv3 through keepalived with active/standby placements. The result is one control plane for L2 networking, microsegmentation, and L3 routing instead of three separate systems that operators must reconcile manually.
Uplink Profiles
Uplink profiles describe physical NIC configuration for hosts: bond mode, VLAN trunks, MTU, LLDP, and the traffic classes each uplink can carry. Capability flags distinguish SDN underlay, management, migration, storage, and tenant egress roles so placement and validation can reason about the network fabric.
DHCP Reservations
DHCP reservations pin static IPv4 or IPv6 addresses to MAC addresses. That gives operators deterministic guest addressing without abandoning DHCP-driven bootstrapping and without hard-coding address intent inside the guest image.