Configure and Manage NSX Edge Gateway Services (DHCP, DNS and NAT)

In this post I will be covering objective 3.3 of VCAP6-NV Deploy exam and we will discuss about following topics:

  • Configure DHCP services according to a deployment plan:
    • Create/edit a DHCP IP Pool
    • Create/edit DHCP Static Binding
    • Configure DHCP relay
  • Configure DNS services
  • Configure NAT services to provide access to services running on privately addressed virtual machines

Lets get started.

Configure DHCP services on NSX Edge

NSX Edge Service Gateway provides IP addressing  using static address and via DHCP. In general any DHCP server needs a pool of IP which can be distributed to clients which boots over network and ask for IP via DHCP. Edge gateway is not different. Edge gateway DHCP can provide IP address, default gateway, netmask and DNS server to the DHCP clients which boots over network.

Create/Edit a DHCP IP Pool

Double click on NSX edge on which you want to configure DHCP and navigate to Manage > DHCP > Pools and click on + button to add a new IP pool.

Specify the start and end ip for the pool and the subnet mask. Optionally you can specify default gateway and DNS server settings etc. 

Adjust lease time as per your need and hit OK.

Hit publish changes to save configuration.

Create/Edit DHCP Static Binding

Static binding is useful for those situation when you want a VM or set of VM’s to get a fixed IP everytime they request an IP from the DHCP server. You can bind the VM’s Mac Address with a fixed IP to do so. The IP address you bind must not overlap with IP defined in the pool.

To configure static binding, move to Bindings page and click on + button.

Select use MAC Binding and specify following:

  • Mac Address of the VM
  • Hostname of the VM
  • Fixed IP which VM should get always
  • Subnet mask

Optionally you can specify default gateway and DNS setails.

Make sure to check “Lease Never Expires” and hit OK.

Hit publish changes to save configuration. 

Configure DHCP Relay

DHCP Relay feature of NSX allows you to use an existing DHCP server in your infrastructure. The Edge gateway when configured for DHCP Relay just forwards the DHCP request to an existing DHCP Server in your environment.

Note: Edge DHCP Relay does not support overlapping IP address space and does not support DHCP Service and DHCP Relay configured on the same ESG interface.

To configure DHCP Relay, go to relay page and click on Edit button.

NSX ESG supports following methods for relaying DHCP messages:

  • IP Sets
  • IP Addresses
  • Domain Names
  • A combination of above

In my lab I am using IP address + Domain name method as shown in below screenshot.

Once the DHCP server address is added, click on + button under “DHCP Relay Agents”.

A relay agent is the interface of the ESG that relays the DHCP messages to the external DHCP Server.

Select the appropriate ESG interface and hit OK. Make sure to publish chnages to save config.

Configure DNS Service on NSX Edge

NSX Edge can be configured to forward name resolution to external DNS servers. 

To configure DNS service on ESG, double click on the edge where DNS will be configured and navigate to Manage > Configuration > DNS Configuration. Click on change to add DNS server details.

Select the interface which is going towards your ISP or existing DNS server in your infrastructure.

Check mark “Enable DNS Service” and provide the DNS server IP address. Optionally you can enable logging for audit purpose.

Configure NAT services on NSX Edge

Network Address Translation (NAT) is used to assign a public ip address to a machine in private network. NSX edge supports both SNAT and DNAT features.

SNAT is used for translating a internal IP address to a public IP address. SNAT is used for internal to external communication. A typical example of SNAT is how internet access is provided to end users in a company.

End users computers are on a private network and network administrators configure SNAT on a Router/Firewall device to map it to a public IP address. When end users opens a web page, their source IP hits router/firewall and that private ip is then translated to public address and end user is able to browse internet. 

DNAT allows access from outside/external networks to internal private networks. For example an end user wants to access a server (RDP or SSH) which is sitting on a private network from outside of corp network. A DNAT rule can be created on ESG to translate a public ip address to a private ip address on a specific port. User then connects to the public ip and when traffic hits ESG, it is converted into an internal ip address. 

Configure Source NAT (SNAT) on Edge Gateway

To configure NAT service on ESG, double click on the edge where NAT will be configured and navigate to Manage > NAT and click on + button and select “Add SNAT Rule

Select the interface via which internal traffic will reach outside network (internet) and punch in the source ip of the VM for which you are creating rule and the public ip address of the ESG. 

Hit OK and click on publish chnages to save configuration

Lets test the conenctivity from VM. I initiated ping to google.com from server 192.168.109.5 and I am able to ping it.

Configure Destination NAT (DNAT) on Edge Gateway

To configure NAT service on ESG, double click on the edge where NAT will be configured and navigate to Manage > NAT and click on + button and select “Add DNAT Rule

Select the interface on which traffic will land from outside and punch in the original ip (public ip) and the private ip to which this public ip will translate to.  You can make the rule more granular by specifying source port and destination port. 

Make sure to check mark “Enabled” and hit OK and click on publish chnages to save configuration.

To test the connectivity, I connected to my VM via public ip over port 22 and you can see a successful login to server 192.168.109.5. 

And that’s it for this post.

I  hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 

Leave a ReplyCancel reply