Configure and Manage Universal Logical Security Objects in NSX

Configure Universal MAC Sets

 

In NSX version lower than 5.4, Mac sets can be created by navigating to Networking and Security, Select the Primary NSX Manager > Manage > Grouping Objects > MAC Sets.

In NSX 6.4 this is available under Networking & Security > Groups and Tags > MAC Sets.

Click on + button to add a new MAC Set.

Provide a name for the MAC set and add the mac addresses that will be part of the universal MAC set. Make sure to check mark the option “Mark this object for Universal Synchronisation”.

In NSX 6.4 you will not get this option. You just have to toggle the “Universal Synchronization” option. Hit Add button post adding your MAC addresses.

This MAC set will now be available in your secondary NSX manager also.

You can use this MAC set while creating distributed firewall rules for Layer 2.

Configure Universal IP Sets

 

To add a new IP Set, switch to IP Sets tab and hit on Add button

Provide a name for the IP Set and add the subnets which will be part of this and toggle the “Universal Synchronization” option.

Now this IP Set can be used while creating distributed firewall rules for layer 2.

Configure Universal Security Groups

 

A security group is a collection of assets or grouping objects from your vSphere inventory. These objects include: 

  • Virtual data center, cluster, port groups etc
  • Security tags, IPs, MAC etc
  • Active Directory groups (if NSX is integrated with AD)
  • Virtual Machines

Security groups can have dynamic membership criteria based on security tags, VM name or logical switch name. Dynamic membership can expand and shrink based on what criteria are defined. 

For example, all VM’s that have the security tag “web” will be automatically added to a specific security group destined for Web servers. If a tag is removed from one of the web servers, that server will be automatically removed from the security group.

An example of a static Security Group might be where a VM is manually assigned to a group. Group membership never changes unless the VM is manually removed or other VMs are added.

Universal security groups are defined on the primary NSX manager and are marked for universal synchronization with secondary NSX managers. To create a universal security group, navigate to Security Groups tab and make sure primary NSX manager is selected and click on Add button.

Provide a name for the security group and toggle the universal synchronization button.

Note for NSX 6.4: Universal security groups cannot have dynamic membership criteria defined unless they are marked for use in an active standby deployment scenario.

Define dynamic memberships. For e.g I selected that if any VM name contains “Universal-App”, it will be added to this security group. If you have 100’s of VM which have this name common among them, you don’t need to add each and every VM manually. 

“Select Objects to Include” contains a list of statically defined items. I did not add anything statically yet to this security group.

On Ready to complete page, review your settings and hit finish.

Now this security group is available to you while creating the L3 distributed firewall.

Configure Universal Firewall Rules

 

To create a universal firewall rules, Navigate to Networking & Security > Firewall > General and click on Add Section (DFW rules can be created in their own section)

Specify name for the section and toggle the Universal Synchronization button to make the firewall rule section a universal one. Click on Add.

Click on Add rule to add a new rule in the newly created section. I just added a default test rule to accept any traffic. Click on Publish button to save the configuration.

Post creation of rule, I validated that the new section + rule is visible under my secondary NSX manager as well.

Configure Universal Services and Service Groups

 

Create a Service

To add a new service, select the services tab under Groups and Tags (for NSX 6.4) and click on Add.

Specify name of the service and select the protocol, ports and the layer at which this service will operate. Toggle the Universal Synchronization button and hit Add.

I added a custom service for App > Web communication on TCP port 8443.

I verified that newly created service is available under secondary NSX manager also.

Create Service Groups

Service group is a collection of services that are grouped together. You can add a new group from Service Groups tab by clicking on Add button. 

Specify name for the service group and select Object Type as Services and search the services you want to add to this service group and click on right arrow button to add them. Make sure to toggle the universal synchronization button to make the service group universal.

I added two of my custom services which I created for my Multi-Tier-App in this service group.

I verified that my newly created service group is visible under my secondary NSX manager as well.

And that’s it for this post.

I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂

Leave a ReplyCancel reply