According to the VMware Cloud Foundation 9.0.2 Design Library and NSX Segment Profiles Design Section, “If you do not associate a custom segment profile when you create a segment, the NSX Manager automatically associates a corresponding default system-defined segment profile.” These default segment profiles provide baseline Layer 2 networking configurations — including SpoofGuard, Segment Security, MAC Discovery, and QoS controls — that ensure security and operational compliance for most workload use cases.
The guide explains that these defaults “cannot be deleted or modified” but “can be inherited by custom segment profiles,” offering a reliable starting point for secure and consistent lifecycle management. The rationale for using them in a design is operational simplicity, consistent enforcement of baseline security policies, and reduced administrative overhead when deploying or scaling segments across workload domains.
This approach aligns with the VCF design principles of standardization, automation, and maintainability, ensuring that the network fabric adheres to validated security baselines without requiring complex customization unless dictated by specific use cases (such as industrial or multi-tenant environments).
References (VMware Cloud Foundation documents):
VMware Cloud Foundation 9.0.2 — NSX Segment Profiles and Default Behavior (pp. 1700–1703).
VMware Cloud Foundation 9.0.1 — NSX Networking Design Guide: Segment Profiles and Default Settings Overview.
VMware Cloud Foundation 9.0 Design Recommendations — VCF-NSX-DES-RCMD-SEG-PROFILE-001.