Learning NSX Step by Step : Configuring SSL VPN-Plus on VMware NSX Edge Gateway

VMware NSX SSL VPN-Plus allows remote users to access private networks behind a NSX Edge Gateway. You can access applications and servers running in the private network. Below is a diagram is taken from the NSX Admin Guide of the clients connect to the private network and also the support operating systems for the SSL VPN client:


To configure network access SSL VPN-Plus. Login to vCenter Web Client and go to “Network and Security”

Click on NSX Edge. Double click on Edge Gateway Services account

Click on SSL VPN-Plus Tab.

Create an IP Pool for the client connecting via VPN.

Add the Private Network you want to allow user connecting over VPN.

Select the Authentication Server Type.

Start the SSL VPN Service

Open the browser and browse external IP address over https. https://<External_IP_Address_of_ESG>


Verify the communication from VPN Client to internal network.


This concludes the configuration of SSL VPN-Plus on a VMware NSX Edge Gateway Services router. Hope this will be informative for you. Please share if you find worth sharing it. Thanks for Reading!!!

Learning NSX Step by Step – Configuring NSX SpoofGuard Policy


Spoofing also referred to as ARP Spoofing is a practice attacker use to penetrate networks. They spoof legitimate traffic on a network so that it appears to be coming from the trusted source on the network.

VMware NSX SpoofGuard keeps track of the ARP addresses to IP addresses and if there is any change in them.  Leveraging VMware NSX SpoofGuard, VMware NSX can block the system automatically if there is an unexpected change of IP address to ARP address.

You can configure SpoofGuard either  in Automatic or Manual mode:

  • Automatically trust IP assignments on their first use  – Configuring this mode will automatically trust the first IP address reported to the NSX Manager. This mode is not recommended to be configured in a DHCP environment as IP addresses are dynamic and will change dynamically.
  • Manually inspect and approve all IP assignment before use – Configuring this mode will prevent all traffic by default will present the set of IP addresses discovered for approval by users.

Configuring SpoofGuard Policy

Login to vSphere Web Client and click on “Network and Security”

Click on SpoofGuard

Choose the appropriate mode, Automatically or Manual

Select the appropriate “Object Type”

As we configured mode as Manual select the VM and approve the IP Address

Click on App IP to add the additional IP Address.

Click on “Clear Approved IP” if you want to clear the approved IP Addresses.


This concludes the configuration of SpoofGuard policy in VMware NSX environment. SpoofGuard policy provides an automated way to get virtual machine blocked in case of any spoof. Hope this would be informative for you. Do share if you find this worth sharing it. Thanks for Reading!!!


Learning NSX Step by Step – Configuring DNS Server on Edge Router


You can configure a VMware NSX edge to relay name resolution requests from clients to external DNS servers. Once configured VMware NSX Edge Services Gateway (ESG)  will forward name resolution request from clients to an external DNS Server. An ESG will relay client application requests to the DNS servers to fully resolve a network name and cache the response from the servers

In this blog, I will show you how to configure the DNS servers on the NSX edge.

Log in to the vSphere Web Client. Click Networking & Security 

Click NSX EdgesDouble-click on NSX Edge.

Click on Configuration –> DNS Configuration

Click Enable DNS Service to enable the DNS service. Type the IP Address of External DNS Server. Configure “Cache Size” and “Enable Logging” in case required

Post configuration NSX edge will relay the name resolution requests for any VM’s traffic that flow through it, to the configured external DNS servers.


This concludes the configuration of an external DNS server on Vmware NSX Edge Gateway Servies Router. Hope this will be informative for you. Please share if you find worth sharing it. Thanks for Reading!!!.



Learning NSX Step by Step – Configuring DHCP Services in VMware NSX


One of the services that the NSX Edge provides is IP address pooling and one-to-one static IP address allocation and external DNS services. NSX Edge listens to the internal interface for DHCP requests and uses the internal interface IP as the default gateway for clients.

In VMware NSX Edge DHCP service comply to the following guidelines:

  • Listens on the NSX Edge internal interface for DHCP discovery.
  • Uses the IP address of the internal interface on NSX Edge as the default gateway address for all clients and the broadcast and subnet mask values of the internal interface for the container network.

Lab Environment


In this post, I’ll show you how to configure

    • DHCP on the NSX Edge to provide IP addresses to clients on a logical switch.
    • DHCP on the NSX EDGE to provide IP Address to the clients connected to Distributed Logical Router(DLR) and DLR configured as DHCP Relay Server.


This concludes the demonstration of configuring DHCP Services on VMware NSX Edge Router. Hope this will be informative for you. Please do share if you find worth sharing it. Thanks for Reading!!!



Learning NSX Step by Step – Configuring Dynamic Routing using OSPF in VMware NSX


Dynamic Routing provides the necessary forwarding information between Layer 2 broadcast domains.  There are 3 types of Dynamic Routing supported by VMware NSX OSPF, BGP, and IS-IS. NSX Edge supports OSPF, an interior gateway protocol that routes IP packets only within a single routing domain. It gathers link state information from available routers and constructs a topology map of the network. OSPF routing policies provide a dynamic process of traffic load balancing between routes of equal cost. An OSPF network is divided into routing areas to optimize traffic. An area is a logical collection of OSPF networks, routers, and links that have the same area identification. Areas are identified by an Area ID.



VMware NSX Step by Step – Creating Logical Switch


Logical Switches are no more different than the physical switches in the network. Similar to physical switches, It allows you to create a broadcast domain and isolate the Virtual Machines in the network. Once you create a logical switch is new distributed port group gets added on a distributed switch. The reason why we say it logical because a unique VNI (VXLAN Network Identifier) get associated to it to overlays the L2 network. Logical switching enables the extension of an L2 segment / IP subnet anywhere in the fabric independent of the physical network design. Endpoints, either virtual and physical, can connect to logical segments and establish connectivity independently from their physical location in the data center network.

The NSX Controller cluster controls logical switches and maintains information about virtual machines, ESXi hosts, logical switches, and VXLANs. All logical switches created within the transport zone inherit VMware NSX transport zone settings.

Logical Switch – Key Points

  • Logical Switch in an NSX Environment is a virtual network segment which is a distributed port group tagged with a unique VNI on a distributed switch.
  • Logical Switch can span distributed switch by associating with a port group in each distributed switch.
  • All hosts that are part of the same vDS supports VMotion.
  • A distributed port group is automatically created on all the VTEPs (ESXi hosts) that are part of the same underlying Transport Zone once you add a Logical Switch
  • A Virtual Machine vNIC then connects to each Logic Switch as appropriate.



This concludes the demonstration of creating a logical switch and connecting virtual machines vNIC’s to it. Hope this will be informative for you. Please do share if you find worth sharing it. Thanks for Reading !!!.