VCAP6-NV Deploy (3V0-643) Study Guide

Section 1 – Prepare VMware NSX Infrastructure

Objective 1.1 – Deploy VMware NSX Infrastructure components

Objective 1.2 – Prepare Host Clusters for Network Virtualization

Objective 1.3 – Configure and Manage Transport Zones

Section 2 – Create and Manage VMware NSX Virtual Networks

Objective 2.1 – Create and Manage Logical Switches

Objective 2.2 – Configure and Manage Layer 2 Bridging

Objective 2.3 – Configure and Manage Routing

Section 3 – Deploy and Manage VMware NSX Network Services

Objective 3.1 – Configure and Manage Logical Load Balancing

Objective 3.2 – Configure and Manage Logical Virtual Private Networks (VPNs)

Objective 3.3 – Configure and Manage Additional VMware NSX Edge Services

Section 4 – Secure a vSphere Data Center with VMware NSX

Objective 4.1 – Configure and Manage Logical Firewall Services

Objective 4.2 – Configure and Manage Service Composer

Section 5 – Perform Operational Management of a VMware NSX Implementation

Objective 5.1 – Backup and Restore Network Configurations

Objective 5.2 – Monitor a VMware NSX Implementation

Objective 5.3 – Configure and Manage Role Based Access Control

Section 6 – Configure Cross vCenter Networking and Security

Objective 6.1 – Configure Cross vCenter VMware NSX infrastructure components

Objective 6.2 – Configure and Manage Universal Logical Network Objects

Objective 6.3 – Configure and Manage Universal Logical Security Objects

Section 7 – Perform Advanced VMware NSX Troubleshooting

Objective 7.1 – Troubleshoot Common VMware NSX Installation/Configuration Issues

Objective 7.2 – Troubleshoot VMware NSX Connectivity Issues

Objective 7.3 – Troubleshoot VMware NSX Edge Services Issues

Section 8 – Utilize API Commands to Manage a VMware NSX Deployment

Objective 8.1 – Administer and Execute calls using the VMware NSX vSphere API

Tools

NSX Installation Guide

NSX Administration Guide

VMware NSX Brownfield Deployment Guide

VMware NSX Network Virtualization Design Guide

NSX Command Line Interface Reference Guide

NSX Troubleshooting Guide

NSX 6.2 API Guide


Objective 1.2 – Prepare Host Clusters for Network Virtualization

Prepare vSphere Distributed Switching for NSX

NSX works only with a vSphere Distributed Switch (VDS), not with standard switches. Before you deploy NSX and start configuring it, make sure the VDS is fully configured and that port groups, uplinks and so on have been migrated from the VSS to the VDS.

One of the most important requirements for NSX is to set the MTU on the VDS to at least 1600 bytes. So before you start adding hosts to the VDS, make sure the appropriate MTU is already configured on it.

The 1600-byte requirement exists because the original Ethernet frame is wrapped (encapsulated) with additional VXLAN, UDP and IP headers, which increases its size; the result is called a VXLAN encapsulated frame.

To verify or configure the MTU on the vDS, select the vDS from the list, navigate to Manage > Settings > Properties and click the Edit button.

Under the ‘Advanced’ tab, change the MTU to 1600 and click OK.
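As an added example (not code from the post), here is the encapsulation arithmetic carried out in Python: a constructed 1500-byte inner IP packet is wrapped in VXLAN/UDP/IPv4 headers, decoded again, and checked against a 1500-byte and a 1600-byte VDS MTU. Header sizes follow RFC 7348, RFC 791 and RFC 768; the MAC addresses, IPs and VNI are made up.

```python
"""Added example, not from the post: constructs a VXLAN-encapsulated frame to
show where the 1600-byte VDS MTU comes from. Header sizes follow RFC 7348
(VXLAN), RFC 791 (IPv4) and RFC 768 (UDP); MACs, IPs and the VNI are made up."""
import struct

VXLAN_PORT = 4789                                          # IANA VXLAN UDP port
ETH_HDR, IPV4_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8
VXLAN_OVERHEAD = ETH_HDR + IPV4_HDR + UDP_HDR + VXLAN_HDR  # 50 bytes per frame

def required_underlay_mtu(inner_mtu: int = 1500) -> int:
    """Outer IP packet size carrying an inner IP packet of inner_mtu bytes.
    An MTU is the L2 payload, so the outer Ethernet header is not counted."""
    return inner_mtu + ETH_HDR + VXLAN_HDR + UDP_HDR + IPV4_HDR  # 1500 -> 1550

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(inner: bytes, vni: int, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Wrap an inner Ethernet frame in VXLAN/UDP/IPv4 (outer Ethernet omitted)."""
    vxlan = struct.pack("!II", 0x08000000, vni << 8)       # I flag + 24-bit VNI
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, UDP_HDR + VXLAN_HDR + len(inner), 0)
    total = IPV4_HDR + len(udp) + len(vxlan) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # DF bit is set
    return ip + udp + vxlan + inner

def decapsulate(packet: bytes):
    """Return (vni, inner_frame); raise ValueError if this is not VXLAN."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4/UDP packet")
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    flags, vni_field = struct.unpack("!II", packet[ihl + UDP_HDR:ihl + UDP_HDR + VXLAN_HDR])
    if dport != VXLAN_PORT or not flags & 0x08000000:
        raise ValueError("UDP port or VXLAN I flag mismatch")
    return vni_field >> 8, packet[ihl + UDP_HDR + VXLAN_HDR:]

def fits_underlay(packet: bytes, vds_mtu: int) -> bool:
    """True if the encapsulated packet crosses a VDS/physical link of this MTU."""
    return len(packet) <= vds_mtu

# Constructed inner frame: Ethernet header + a full 1500-byte IP packet.
INNER = bytes.fromhex("005056000001" "005056000002" "0800") + b"\x45" + b"\x00" * 1499
PACKET = encapsulate(INNER, 5001, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
```

Because the outer header carries the DF bit, as VXLAN encapsulators normally do, an underlay MTU below 1550 drops the packet instead of fragmenting it; the extra 50 bytes in the 1600 recommendation leave headroom for inner VLAN tags and other options.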

Objective 1.1 – Deploy VMware NSX Infrastructure Components

Deploy the NSX Manager Virtual Appliance

Deploying NSX Manager is a straightforward task, like deploying any other appliance from an OVA file. I have already covered the deployment steps in one of my older posts, so I am not repeating them here.

Integrate the NSX Manager with vCenter Server

Once NSX Manager is deployed, the next task is to integrate it with vCenter Server. To do so, log in to the NSX Manager UI (https://NSX-FQDN) and click Manage vCenter Registration on the home page.

Under ‘NSX Management Service’, click the Edit button for vCenter Server.

Specify the vCenter Server IP/FQDN and the credentials NSX will use to communicate with vCenter Server. The account can be the vCenter Server local administrator or a service account.

Important: If you are using a service account to register NSX with vCenter, make sure that account has been added to the Administrators group in vCenter before doing the registration.

Getting Started With NSX REST API

What is REST API?

If you are new to REST APIs and wondering what exactly they are and what we do with them, I would recommend reading this article first before moving further down this post. I also found this article very useful for understanding how a REST API works.

Before starting on the topics of Objective 8.1, I want to pen down a few facts about the REST API.

  • The NSX Manager accepts API requests on TCP port 443 using the HTTP application protocol.
  • You need a REST client to execute REST API calls. Plenty of clients are available, such as Postman and curl (Linux based). You can also integrate a REST client into your browser: for Mozilla Firefox you can add this extension, and for Chrome you can add this one.
  • REST APIs are usually used when you can’t do something from the GUI (because no option is available) or when you want to automate tasks using scripts or other tools.
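An added example, not code from the post or from VMware, showing the basics in Python: HTTP Basic authentication to NSX Manager over HTTPS on port 443 with certificate verification kept on, and parsing of the JSON version document. The endpoint path and the response shape are my assumptions about the NSX Manager appliance-management API and should be checked against the NSX API Guide for your release; the sample body is constructed.

```python
"""Added example, not from the post: a minimal NSX Manager REST call over
HTTPS/443 with HTTP Basic auth and TLS verification left on. Assumption:
GET /api/1.0/appliance-management/global/info returns JSON with a versionInfo
object; verify this against the NSX API Guide for your release."""
import base64
import json
import ssl
import urllib.request

INFO_PATH = "/api/1.0/appliance-management/global/info"   # assumed endpoint

def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credential; only ever send it over a verified TLS session."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def build_request(manager: str, path: str, user: str, password: str) -> urllib.request.Request:
    """Prepare an NSX Manager GET; port 443 is implied by the https scheme."""
    req = urllib.request.Request(f"https://{manager}{path}")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/json")
    return req

def tls_context(ca_bundle: str) -> ssl.SSLContext:
    """Verify the NSX Manager certificate against a CA bundle (or its exported
    self-signed certificate) instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def parse_version(body: bytes) -> tuple:
    """Extract (major, minor, patch) from the global/info JSON document."""
    info = json.loads(body)["versionInfo"]
    return tuple(int(info[k]) for k in ("majorVersion", "minorVersion", "patchVersion"))

def get_version(manager: str, user: str, password: str, ca_bundle: str) -> tuple:
    """Live call: needs a reachable NSX Manager, so it is not exercised offline."""
    req = build_request(manager, INFO_PATH, user, password)
    with urllib.request.urlopen(req, context=tls_context(ca_bundle), timeout=15) as resp:
        return parse_version(resp.read())

# Constructed response body in the shape the endpoint is assumed to return.
SAMPLE_BODY = (b'{"currentLoggedInUser":"admin","versionInfo":{"majorVersion":"6",'
               b'"minorVersion":"2","patchVersion":"0","buildNumber":"0000000"}}')
```

Use a dedicated API account with the least NSX role that covers the automation, rather than the built-in admin, so that a leaked Basic credential has a bounded blast radius.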

Troubleshoot VMware NSX Edge Services Issues

Troubleshoot VPN service issues

There are three types of VPN that you can configure on NSX Edges:

  • SSL-VPN Plus
  • IPSec VPN
  • L2 VPN

Let’s start with troubleshooting IPSec VPN.

To troubleshoot VPN issues, you should know how to configure the VPN service so that you can verify the issue is not caused by misconfigured settings. To review the implementation and configuration of the IPSec VPN service, refer to this article.

To run troubleshooting commands on the ESG where the IPSec VPN service is configured, connect to the Edge via SSH.

To view the full list of IPSec commands, run: show service ipsec ?

Check the IPSec VPN service status: show service ipsec

To see the IPSec configuration, run: show config ipsec

Additionally, you can configure the ESG (where IPSec is configured) to forward logs to a centralized syslog server.

Once a syslog server is configured on the ESG, you will find the following log files forwarded to it.

Troubleshoot VMware NSX Connectivity Issues

Monitor and analyze virtual machine traffic with Flow Monitoring

Flow Monitoring is used to capture the ingress/egress traffic of VMs in an NSX environment. It is disabled by default, and you need to enable it before you can use it. Once Flow Monitoring is enabled, you need to wait some time for the tool to gather data about your vSphere environment (much like vROps gathers data before generating reports and recommendations).

Flow Monitoring can be enabled by navigating to Networking & Security > Flow Monitoring > Configuration and clicking Enable.

Under Flow Exclusion, you can exclude any object that you don’t want to monitor. For example, you can select “destination” under Exclusion Settings and click the + button to specify a destination container for which flow monitoring data won’t be gathered.

Flow Monitoring Dashboard

Here you can see the Top Flows, Top Destinations and Top Sources of your environment.

Troubleshoot Common VMware NSX Installation/Configuration Issues

Troubleshoot NSX Manager Services

If you are facing NSX-related issues, the NSX Manager UI is the first place to verify which service or services are impacted. You can check the status of the following services from the NSX Manager UI (https://NSX-FQDN/login.jsp):

  • vPostgres
  • RabbitMQ
  • NSX Management Service
  • NSX Universal Synchronization Service (only when you have Cross vCenter NSX configured)

If any service is in a stopped state, try to start or restart it.

You can also check the logs from the NSX Manager CLI to determine what is broken. The two important logs are the NSX Manager log and the System log, which can be viewed with the commands show log manager and show log system. You can append the word follow to watch a log in real time (similar to the Linux tail command).


If any service is crashing or not starting, check the bottom of the log for the latest entries; they should give you more information on why it is not starting.

Configure and Manage Universal Logical Security Objects in NSX

Configure Universal MAC Sets


In NSX versions lower than 5.4, MAC sets can be created by navigating to Networking & Security, selecting the Primary NSX Manager, then Manage > Grouping Objects > MAC Sets.

In NSX 6.4 this is available under Networking & Security > Groups and Tags > MAC Sets.

Click the + button to add a new MAC Set.

Provide a name for the MAC set and add the MAC addresses that will be part of the universal MAC set. Make sure to check the option “Mark this object for Universal Synchronisation”.

In NSX 6.4 you will not get this checkbox; you just toggle the “Universal Synchronization” option. Click the Add button after adding your MAC addresses.

This MAC set will now also be available on your secondary NSX Manager.

You can use this MAC set when creating Layer 2 distributed firewall rules.

Configuring VMware Cross vCenter NSX – Part 2

Create/configure Universal Logical Switches (ULS)

Any logical switch created in a Universal Transport Zone is a Universal Logical Switch, which provides Layer 2 connectivity across vCenter boundaries. You can connect two VMs running in different vCenter instances to a ULS and ping between them.

Universal Logical Switches can only be created on the Primary NSX Manager; once created, they are synced to the secondary NSX Managers.

To create a universal LS, log in to the vCenter Web Client, navigate to Networking & Security > Logical Switches, select the Primary NSX Manager from the drop-down and click the + button.

Provide a name for the ULS and make sure to attach it to the universal transport zone; otherwise it will be created as a local LS.

I created two universal logical switches for a 3-tier app in my lab.

Let’s test the connectivity between the VMs.

I have two VMs named ‘Universal-App-01’ and ‘Universal-DB-01’; they are currently connected to my management network with IPs 172.18.10.2 and 172.18.10.3 respectively.

Configuring VMware Cross-vCenter NSX

What is Cross vCenter NSX?

The Cross-vCenter NSX feature was introduced in NSX 6.2; it allows central management of network virtualization and security policies across multiple vCenter Server systems. In a cross-vCenter NSX environment you can have multiple vCenter Servers, each of which must be paired with its own NSX Manager. One NSX Manager is assigned the role of primary NSX Manager, and the others are assigned the role of secondary NSX Manager.

Cross vCenter NSX components

Cross vCenter NSX introduces universal objects, such as:

  • Universal Controller Cluster (UCC)
  • Universal Transport Zone (UTZ)
  • Universal Logical Switch (ULS)
  • Universal Distributed Logical Router (UDLR)
  • Universal IP Set/MAC Set
  • Universal Security Group/Service/Service Group
  • Universal Distributed Firewall rules

In a Cross vCenter NSX architecture, all universal objects are created on the primary NSX Manager and then synchronized to all secondary NSX Managers via the Universal Synchronization Service. This service runs only on the primary NSX Manager.