Configure Universal MAC Sets

In NSX version lower than 5.4, Mac sets can be created by navigating to Networking and Security, Select the Primary NSX Manager > Manage > Grouping Objects > MAC Sets.

In NSX 6.4 this is available under Networking & Security > Groups and Tags > MAC Sets.

Click on + button to add a new MAC Set.

Provide a name for the MAC set and add the mac addresses that will be part of the universal MAC set. Make sure to check mark the option “Mark this object for Universal Synchronisation”.

In NSX 6.4 you will not get this option. You just have to toggle the “Universal Synchronization” option. Hit Add button post adding your MAC addresses.

This MAC set will now be available in your secondary NSX manager also.

You can use this MAC set while creating distributed firewall rules for Layer 2.… Read More

Create/configure Universal Logical Switches (ULS)

Any Logical Switches created in a Universal Transport Zone are Universal Logical Switches and it provides Layer 2 connectivity across VC boundaries. You can connect 2 VM’s that are running in different vCenter instance to a ULS and can ping across.

Universal Logical Switches can only be created on the Primary NSX Manager and once created, they are Synced to secondary NSX Manager . 

To create a universal LS, login to vCenter Web Client and navigate to Networking & Security > Logical Switches and select Primary NSX manager from the drop down and click on + button.

Provide a name for the ULS and make sure to attach it to universal transport zone else it will be created as a local LS. 

I created 2 universal LS for a 3-Tier app in my lab.

Let’s test the connectivity between the VM’s.

I have 2 VM’s named ‘Universal-App-01’ and ‘Universal-DB-01’ and they are currently connected to my management network and have IP’s 172.18.10.2 and 172.18.10.3 respectively.… Read More

What is Cross vCenter NSX?

Cross-vCenter NSX feature was introduced in NSX 6.2 and it allows central management of network virtualization and security policies across multiple vCenter Server systems. In a cross-vCenter NSX environment, you can have multiple vCenter Servers, each of which must be paired with its own NSX Manager. One NSX Manager is assigned the role of primary NSX Manager, and the others are assigned the role of secondary NSX Manager.

Cross vCenter NSX components

Cross vCenter NSX introduces universal objects; such as:

• Universal Controller Cluster (UCC)
• Universal Transport Zone (UTZ)
• Universal Logical Switch (ULS)
• Universal Distributed Logical Router (UDLR)
• Universal IP Set/MAC Set
• Universal Security Group/Service/Service Group
• Universal distributed firewall rules.

In a Cross vCenter NSX architecture, all universal objects are created on primary NSX manager and it is then synchronized to all secondary NSX managers via the Universal Synchronization Service. This service only runs on primary NSX manager.… Read More

Role Based Access Control is a mechanism for controlling access and restricting actions of users by adding user accounts to groups that have delegated permissions. The NSX Manager has its own authentication database and permission roles you can assign to users.

In this post we will learn how to configure role based access in NSX. 

Implement identity service support for Active Directory, NIS, and LDAP with SSO

To be frank this topic is very confusing and I am not sure what VMware intends us to do here. One use case of associating NSX with Active Directory is that you can use identity based firewall. And may be associating NSX with AD is what VMware might meant by this topic.

To add AD authentication to NSX, login to vCenter Web Client and navigate to Networking & Security > NSX Managers and click on the NSX Manager where you to add AD authentication and select Domains tab.… Read More

Configure logging for NSX components according to a deployment plan

1: Configure Syslog on NSX Manager

To configure NSX manager to send logs to a centralized syslog server, login to NSX manager UI and click on “Manage Appliance Settings”

Under Syslog server click on Edit button

Punch in your syslog server IP and port 514 and select UDP as protocol and hit OK.

Post configuring syslog on NSX manager, I verified that it is forwarding the logs to syslog manager.

Configure Syslog on NSX Controllers

There is no method available from GUI to set syslog settings on NSX controller and you can only set it via Rest API. The steps of configuring syslog on controllers via Rest API is explained on page 57 of NSX API Guide

1: Get a list of deployed controllers: You can fire below API call to get list of all the deployed controllers

You will get details of all the deployed controllers (if you have more than one).… Read More

Like any other infrastructure componet, backup of NSX manager is very critical as it helps in recovering configuration in event of a NSX manager corruption/failure etc.

Before software defined networking was introduced, backup of network configuration was a very cumbersome task as you have many components to backup such as Routers, Switches,Firewalls and what not. 

With introduction of NSX, all the networking intelligence were injected in NSX and this reduced the administrative overhead of backing up each networking components individually. With NSX you only have to worry about backing up NSX manager and the vDS at vCenter level which stores all your virtualwires. In this post we will learn how to backup NSX manager and distributed switches.

Configure NSX Manager Backup

To configure backup of NSX manager, login to NSX manager UI (https://NSX-FQDN/) and click on Backup & Restore option from home page.

You can send NSX manager backups to a remote FTP or SFTP server.… Read More

In this post I will be covering objective 3.3 of VCAP6-NV Deploy exam and we will discuss about following topics:

• Configure DHCP services according to a deployment plan:
  • Create/edit a DHCP IP Pool
  • Create/edit DHCP Static Binding
  • Configure DHCP relay
• Configure DNS services
• Configure NAT services to provide access to services running on privately addressed virtual machines

Lets get started.

Configure DHCP services on NSX Edge

NSX Edge Service Gateway provides IP addressing  using static address and via DHCP. In general any DHCP server needs a pool of IP which can be distributed to clients which boots over network and ask for IP via DHCP. Edge gateway is not different. Edge gateway DHCP can provide IP address, default gateway, netmask and DNS server to the DHCP clients which boots over network.

Create/Edit a DHCP IP Pool

Double click on NSX edge on which you want to configure DHCP and navigate to Manage > DHCP > Pools and click on + button to add a new IP pool.… Read More

What is L2 VPN?

From VMware NSX Administration Guide

With L2 VPN, you can stretch multiple logical networks (both VLAN and VXLAN) across geographical sites. Virtual machines remain on the same subnet when they are moved between sites and their IP addresses do not change.

L2 VPN thus allows enterprises to seamlessly migrate workloads backed by VXLAN or VLAN between physically separated locations. For cloud providers, L2 VPN provides a mechanism to on-board tenants without modifying existing IP addresses for workloads and applications.

Below diagram shows how a VXLAN was extended between sites using L2 VPN

                                                 Graphic Thanks to VMware

Lets jump into lab and configure a L2 VPN.

Before deploying/modifying any ESG for L2 VPN connectivity, we need a trunk portgroup on vDS. In  my lab I have created a dvportgroup in both site A & B. 

L2 VPN Server configuration

To configure a L2 VPN, double click  on edge where you want to configure server settings and navigate to Manage > Interfaces and edit the first availble free vNIC.… Read More

SSL VPN on NSX Edge Gateway allows end-user to connect to a private network through a SSL-VPN tunnel so that the end-user can access the application/services which are hosted on remote site, on their local network. Application/services can be accessed via Web-based SSL client or a regular client. 

Below image taken from NSX Administration Guide demonstrates the process of connecting to private network via SSL-VPN

                                           Graphic Thanks to VMware

To configure SSL VPN, double click on the Edge Gateway and navigate to Manage > SSL VPN-Plus tab. 

Go to Server Settings and click on Change button.

Select the ESG IP to which end user will connect via SSL VPN and select the appropriate encryption algo. make sure port 443 is populated. Hit OK to save settings.

Go to IP Pool page and click on + button to add a pool of IP. 

This is the local IP which end user gets when they connect to SSL VPN. … Read More

NSX Edge Services Gateway supports site to site IPSec VPN. You can create IPSec VPN between an ESG and any other network device (hardware/software) which supports IPSec or you can have ESG at both source and target site for this purpose. 

Using IPSec VPN, you can create a secure connection between two sites and route the internal subnets between those two sites. Just ensure you don’t have an overlapping subnets behind the edge gateway. You can create more than one IPSec tunnel on ESG and number of tunnels is directly dependent on size of NSX edge. 

As per VMware NSX Administration guide, Number of IPSec Tunnels that can be created per ESG is as follows:

Following are the algorithms which are supported by NSX IPSec VPN:

• AES (AES128-CBC)

• AES256 (AES256-CBC)

• Triple DES (3DES192-CBC)

• AES-GCM (AES128-GCM)

• DH-2 (Diffie–Hellman group 2)

• DH-5 (Diffie–Hellman group 5)

• DH-14 (Diffie–Hellman group 14)

• DH-15 (Diffie–Hellman group 15)

• DH-16 (Diffie–Hellman group 16)

Lets jump into lab now and learn how to configure IPsec VPN.… Read More