Like any other infrastructure componet, backup of NSX manager is very critical as it helps in recovering configuration in event of a NSX manager corruption/failure etc.

Before software defined networking was introduced, backup of network configuration was a very cumbersome task as you have many components to backup such as Routers, Switches,Firewalls and what not. 

With introduction of NSX, all the networking intelligence were injected in NSX and this reduced the administrative overhead of backing up each networking components individually. With NSX you only have to worry about backing up NSX manager and the vDS at vCenter level which stores all your virtualwires. In this post we will learn how to backup NSX manager and distributed switches.

Configure NSX Manager Backup

To configure backup of NSX manager, login to NSX manager UI (https://NSX-FQDN/) and click on Backup & Restore option from home page.

You can send NSX manager backups to a remote FTP or SFTP server.… Read More

In this post I will be covering objective 3.3 of VCAP6-NV Deploy exam and we will discuss about following topics:

• Configure DHCP services according to a deployment plan:
  • Create/edit a DHCP IP Pool
  • Create/edit DHCP Static Binding
  • Configure DHCP relay
• Configure DNS services
• Configure NAT services to provide access to services running on privately addressed virtual machines

Lets get started.

Configure DHCP services on NSX Edge

NSX Edge Service Gateway provides IP addressing  using static address and via DHCP. In general any DHCP server needs a pool of IP which can be distributed to clients which boots over network and ask for IP via DHCP. Edge gateway is not different. Edge gateway DHCP can provide IP address, default gateway, netmask and DNS server to the DHCP clients which boots over network.

Create/Edit a DHCP IP Pool

Double click on NSX edge on which you want to configure DHCP and navigate to Manage > DHCP > Pools and click on + button to add a new IP pool.… Read More

What is L2 VPN?

From VMware NSX Administration Guide

With L2 VPN, you can stretch multiple logical networks (both VLAN and VXLAN) across geographical sites. Virtual machines remain on the same subnet when they are moved between sites and their IP addresses do not change.

L2 VPN thus allows enterprises to seamlessly migrate workloads backed by VXLAN or VLAN between physically separated locations. For cloud providers, L2 VPN provides a mechanism to on-board tenants without modifying existing IP addresses for workloads and applications.

Below diagram shows how a VXLAN was extended between sites using L2 VPN

                                                 Graphic Thanks to VMware

Lets jump into lab and configure a L2 VPN.

Before deploying/modifying any ESG for L2 VPN connectivity, we need a trunk portgroup on vDS. In  my lab I have created a dvportgroup in both site A & B. 

L2 VPN Server configuration

To configure a L2 VPN, double click  on edge where you want to configure server settings and navigate to Manage > Interfaces and edit the first availble free vNIC.… Read More

SSL VPN on NSX Edge Gateway allows end-user to connect to a private network through a SSL-VPN tunnel so that the end-user can access the application/services which are hosted on remote site, on their local network. Application/services can be accessed via Web-based SSL client or a regular client. 

Below image taken from NSX Administration Guide demonstrates the process of connecting to private network via SSL-VPN

                                           Graphic Thanks to VMware

To configure SSL VPN, double click on the Edge Gateway and navigate to Manage > SSL VPN-Plus tab. 

Go to Server Settings and click on Change button.

Select the ESG IP to which end user will connect via SSL VPN and select the appropriate encryption algo. make sure port 443 is populated. Hit OK to save settings.

Go to IP Pool page and click on + button to add a pool of IP. 

This is the local IP which end user gets when they connect to SSL VPN. … Read More

NSX Edge Services Gateway supports site to site IPSec VPN. You can create IPSec VPN between an ESG and any other network device (hardware/software) which supports IPSec or you can have ESG at both source and target site for this purpose. 

Using IPSec VPN, you can create a secure connection between two sites and route the internal subnets between those two sites. Just ensure you don’t have an overlapping subnets behind the edge gateway. You can create more than one IPSec tunnel on ESG and number of tunnels is directly dependent on size of NSX edge. 

As per VMware NSX Administration guide, Number of IPSec Tunnels that can be created per ESG is as follows:

Following are the algorithms which are supported by NSX IPSec VPN:

• AES (AES128-CBC)

• AES256 (AES256-CBC)

• Triple DES (3DES192-CBC)

• AES-GCM (AES128-GCM)

• DH-2 (Diffie–Hellman group 2)

• DH-5 (Diffie–Hellman group 5)

• DH-14 (Diffie–Hellman group 14)

• DH-15 (Diffie–Hellman group 15)

• DH-16 (Diffie–Hellman group 16)

Lets jump into lab now and learn how to configure IPsec VPN.… Read More

VMware released NSX 6.4.0. this month and this version brought many features, improvements and bug fixes which are outlined in the Release Notes

Before upgrading to NSX 6.4.1, check VMware interop matrix to make sure your underlying infrastructure is compatible with this version. Your VMware vSphere should be at 6.0 U2 or greater to upgrade to NSX 6.4

I am currently running NSX 6.3.5 in my lab and I thought to upgrade it to 6.4. I wanted to play with Rest API option for NSX manager upgrade, as from GUI I have done several times.

You can find the instructions about upgrade via Rest API on page 124 of NSX-6.3-API-Guide

Lets walk through this step by step.

1: Download the NSX upgrade bundle: NSX 6.4 upgrade bundle can be downloaded from here

2: Upload the upgrade bundle: I have downloaded the upgrade bundle on one of my linux box where I have curl installed and I will be employing curl to fire Rest API.… Read More

Configure the appropriate Load Balancer model for a given application topology

The two main drivers for deploying a load balancer are scaling out an application (by distributing workload across multiple servers), along with improving its high-availability characteristics. 

NSX provides basic form of load balancing through Edge Gateway. The NSX Edge load balancer distributes network traffic across multiple servers to achieve optimal resource utilization. 

The NSX Edge services gateway supports two kinds of load balancer  deployments:

One-armed mode (or proxy mode): In proxy mode, the load balancer uses its own IP address as the source address to send requests to a backend server. The backend server views all traffic as being sent from the load balancer and responds to the load balancer directly. Following events take place when LB is deployed in proxy mode:

1. User connects to a VIP address (LB address) that is configured on the Edge gateway.
2. The ESG performs a destination NAT to replace the VIP with one of the servers in the configured pool.

… Read More

Deploy the appropriate NSX Edge (ESG/DLR) device according to a deployment plan

Method of deploying the Edge Services Gateway (ESG) and Distributed Logical Router (DLR) is same. In Fact both are NSX edges only, but difference lies in the functionality offered by ESG and DLR.

DLR optimizes East-West traffic in datacenter i.e traffic between the VM’s whereas ESG optimizes North-South traffic i.e traffic going out of datacenter. 

The ESG sits at the perimeter of your SDDC and connects to the external network. You may see sometimes ESG being referred as perimeter gateway as well.  The main services provided by ESG are: 

• NAT.
• DHCP.
• Firewall.
• Load balancing.
• L2 and L3 VPNs.

The ESG supports static, OSPF, BGP and IS-IS routing protocols. The DLR supports only BGP and OSPF protocol.

We can deploy ESG in HA mode where 2 edge VM’s are deployed in active/standby mode. The control and data plane reside inside the VM.… Read More

What is Layer 2 (L2) Bridging?

A Layer 2 (L2) Bridge allows connectivity between a logical switch (VXLAN based) and a VLAN based portgroup on vDS that shares the same IP address space i.e VMs connected to VXLAN and distributed portgroup are on same subnet. 

A possible use cases for this scenario can be, an application server on a logical switch need to reach a database server connected to the physical network or a customer wants to extend their application to the cloud but wants to keep certain components on-site and because its legacy application it cannot be re-IP’d or any other constraint.

Prior to NSX version 6.2, it was not possible to bridge a Logical Switch that was connected to a Distributed Logical Router: for that scenario it was required to connect the Logical Switch directly to an Edge Gateway.

With NSX 6.2 VMware introduced in-kernel software L2 Bridging capabilities that allow you to connect VLAN backed VMs to VMs connected VXLAN based network (virtual wires).… Read More

What is a Logical Switch?

Functionality of a Logical switch is very similar to that of a physical switch i.e they allow isolation of applications and tenants for security purpose. A logical switch when deployed, creates a broadcast domain to allow isolation of the VM’s running in infrastructure. Logical switches uses VXLAN to provide separation of duties.

The logical switch operates in the overlay and is totally independent of the physical network (the underlay). Logical switches are connected to Transport Zones which spans across one or more cluster or all cluster across a virtual datacenter.

To know more about logical switches, you can refer to this article which I wrote sometime back or can refer VMware documentation

Prerequisites for creating a Logical Switch

Before you go and start creating logical switches in your environment, you have to make sure you meet following requirements:

• vSphere distributed switches must be configured. You cannot deploy logical switches on standard switches.

… Read More