Learning NSX Step by Step : Configuring SSL VPN-Plus on VMware NSX Edge Gateway

VMware NSX SSL VPN-Plus allows remote users to access private networks behind an NSX Edge Gateway, so they can reach applications and servers running in the private network. Below is a diagram, taken from the NSX Admin Guide, of how clients connect to the private network, together with the supported operating systems for the SSL VPN client:

Demonstration

To configure network access with SSL VPN-Plus, log in to the vCenter Web Client and go to “Network and Security”.

Click NSX Edges, then double-click the Edge Gateway Services appliance.

Click on SSL VPN-Plus Tab.

Create an IP pool for the clients connecting via VPN.

Add the private network(s) that users connecting over VPN are allowed to reach.

Select the Authentication Server Type.

Start the SSL VPN service.

Open a browser and browse to the external IP address over HTTPS: https://<External_IP_Address_of_ESG>

Verify the communication from VPN Client to internal network.

Conclusion

This concludes the configuration of SSL VPN-Plus on a VMware NSX Edge Gateway Services router. I hope this is informative for you. Please share it if you find it worth sharing. Thanks for reading!

Learning NSX Step by Step – Configuring Dynamic Routing using OSPF in VMware NSX

Introduction

Dynamic routing provides the necessary forwarding information between Layer 2 broadcast domains. VMware NSX supports three dynamic routing protocols: OSPF, BGP, and IS-IS. NSX Edge supports OSPF, an interior gateway protocol that routes IP packets only within a single routing domain. It gathers link state information from available routers and constructs a topology map of the network. OSPF routing policies provide a dynamic process of traffic load balancing between routes of equal cost. An OSPF network is divided into routing areas to optimize traffic. An area is a logical collection of OSPF networks, routers, and links that have the same area identification. Areas are identified by an Area ID.

Demonstration

What’s New in NSX for vSphere 6.2.3

VMware NSX delivers an operational model for networking that forms the foundation of the Software-Defined Data Center. VMware NSX provides a complete set of logical networking elements and services—including logical switching, routing, firewalling, load balancing, VPN, quality of service (QoS), and monitoring. Recently, VMware released a new version of VMware NSX, 6.2.3 (build 3979471).

New in 6.2.3

Changes introduced in NSX vSphere 6.2.3:

  • Logical Switching and Routing
    • NSX Hardware Layer 2 Gateway Integration: expands physical connectivity options by integrating 3rd-party hardware gateway switches into the NSX logical network
    • New VXLAN Port 4789 in NSX 6.2.3 and later: Before version 6.2.3, the default VXLAN UDP port number was 8472. See the NSX Upgrade Guide for details.
  • Networking and Edge Services
    • New Edge DHCP Options: DHCP Option 121 adds the static route option, used by the DHCP server to publish static routes to DHCP clients; DHCP Options 66, 67 and 150 support PXE boot; and DHCP Option 26 lets the DHCP server configure the MTU of the DHCP client network interface.
    • Increase in DHCP Pool, static binding limits: The following are the new limit numbers for various form factors: Compact: 2048; Large: 4096; Quad large: 4096; and X-large: 8192.
    • Edge Firewall adds SYN flood protection: Avoid service disruptions by enabling SYN flood protection for transit traffic. The feature is disabled by default; use the NSX REST API to enable it.
    • NSX Edge — On Demand Failover: Enables users to initiate on-demand failover when needed.
    • NSX Edge — Resource Reservation: Reserves CPU/Memory for NSX Edge during creation. Admin user can modify the CPU/Memory settings after NSX Edge deployment using REST API to configure VM appliances.
    • Change in NSX Edge Upgrade Behavior: Replacement NSX Edge VMs are deployed before upgrade or redeploy. The host must have sufficient resources for four NSX Edge VMs during the upgrade or redeploy of an Edge HA pair. Default value for TCP connection timeout is changed to 21600 seconds from the previous value of 3600 seconds.
    • Cross VC NSX — Universal Distributed Logical Router (DLR) Upgrade: Auto upgrade of Universal DLR on secondary NSX Manager, once upgraded on primary NSX Manager
    • Flexible SNAT / DNAT rule creation: vnicId no longer needed as an input parameter; removed requirement that the DNAT address must be the address of an NSX Edge VNIC.
    • NSX Edge VM (ESG, DLR) now shows both Live Location and Desired Location. NSX Manager and NSX APIs including GET api/4.0/edges//appliances now return configuredResourcePool and configuredDataStore in addition to current location.
  • Security Services
    • Distributed Firewall — TFTP ALG: enables use cases such as network boot for VMs.
    • Firewall — Granular Rule Filtering: simplifies troubleshooting by providing granular rule filters in UI, based on Source, Destination, Action, Enabled/Disabled, Logging, Name, Comments, Rule ID, Tag, Service, Protocol.
    • Guest Introspection — Windows 10 support
    • SSL VPN Client — Mac OS El Capitan support
    • Service Composer — Performance Improvements: enables faster startup/reboot of NSX Manager by optimizing synchronization between security policy and firewall service, and disabling auto-save of firewall drafts by default.
    • Service Composer — Status Alarms: raises system alarm if security policy is out-of-sync, and takes specific actions based on alarm code to resolve issue.
  • Operations and Troubleshooting
    • NSX Dashboard: Simplifies troubleshooting by providing visibility into the overall health of NSX components in one central view.
    • Traceflow Enhancement — Network Introspection Services: Enhances ability to trace a packet from source to destination, by identifying whether packets were forwarded to 3rd-party network introspection services, and whether the packet comes back from the 3rd-party service VM or not.
    • SNMP Support: Configure SNMP traps for events from NSX Manager, NSX Controller, and Edge.
    • Logging is now enabled by default for SSL VPN and L2 VPN. The default log level is notice.
    • Firewall rules UI now displays configured IP protocols and TCP/UDP port numbers associated with services.
    • NSX Edge technical support logs have been enhanced to report memory consumption per process.
    • Central CLI Enhancements
      • Central CLI for Host Health: Shows host health status, with 30+ checks in one command (including network config, VXLAN config, resource utilization, etc.)
      • Central CLI for Packet Capture: Provides ability to capture packet on the host and transfer the capture file to user’s remote server. This eliminates the need to open up hypervisor access to network administrators, when troubleshooting logical network issues.
    • Technical support bundle per host: Gathers per-host logs and creates a bundle that can be saved and submitted to VMware technical support for assistance.
  • Licensing Enhancements
    • Change in default license & evaluation key distribution: default license upon install is “NSX for vShield Endpoint”, which enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only. Evaluation license keys can be requested through VMware sales.
    • License usage reporting: NSX license usage counts are displayed on NSX Manager’s Summary UI and also retrievable via API. NSX license usage counts will no longer be reported through vCenter licensing service.
  • Solution Interoperability
    • Customer Experience Improvement Program: NSX supports reporting system statistics via the VMware Customer Experience Improvement Program (CEIP). Participation is optional and is configured in the vSphere Web Client.
    • VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX, with monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis and alerts. This version accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2+.

Reference : NSX for vSphere 6.2.3 Release Notes
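The release note above says that, from 6.2.3, the appliances call for an Edge returns the desired placement (configuredResourcePool, configuredDataStore) next to the live one. A practitioner's use for that is drift detection: an Edge VM that has been migrated away from where it was configured to live. The script below is an added example, not VMware's code or API client. The XML is a constructed sample in the shape of such a response; only the two element names quoted in the release note come from the page, the rest of the nesting (vmId, resourcePoolId, datastoreId, the id child element) is assumed for the example.

```python
"""Flag NSX Edge appliances whose live placement differs from the desired one.

Added example, not VMware code. The XML below is a constructed sample of the
appliances response; configuredResourcePool / configuredDataStore are the
names quoted in the 6.2.3 notes, every other element name is assumed here.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_APPLIANCES_XML = """<appliances>
  <applianceSize>large</applianceSize>
  <appliance>
    <highAvailabilityIndex>0</highAvailabilityIndex>
    <vmId>vm-101</vmId>
    <resourcePoolId>resgroup-10</resourcePoolId>
    <datastoreId>datastore-21</datastoreId>
    <configuredResourcePool><id>resgroup-10</id></configuredResourcePool>
    <configuredDataStore><id>datastore-21</id></configuredDataStore>
  </appliance>
  <appliance>
    <highAvailabilityIndex>1</highAvailabilityIndex>
    <vmId>vm-102</vmId>
    <resourcePoolId>resgroup-10</resourcePoolId>
    <datastoreId>datastore-21</datastoreId>
    <configuredResourcePool><id>resgroup-11</id></configuredResourcePool>
    <configuredDataStore><id>datastore-22</id></configuredDataStore>
  </appliance>
</appliances>"""


def _text(node: ET.Element, path: str, default: str = "") -> str:
    """Return the stripped text of a child element, or default if absent."""
    found = node.find(path)
    return (found.text or "").strip() if found is not None else default


def appliance_drift(xml_text: str) -> List[Dict[str, str]]:
    """List every (appliance, field) where the live location differs from
    the configured (desired) one. An empty list means no drift."""
    root = ET.fromstring(xml_text)
    drift: List[Dict[str, str]] = []
    for app in root.findall("appliance"):
        vm_id = _text(app, "vmId")
        ha_index = _text(app, "highAvailabilityIndex")
        for label, live_path, desired_path in (
            ("resourcePool", "resourcePoolId", "configuredResourcePool/id"),
            ("datastore", "datastoreId", "configuredDataStore/id"),
        ):
            live, desired = _text(app, live_path), _text(app, desired_path)
            if desired and live != desired:
                drift.append({"vmId": vm_id, "haIndex": ha_index, "field": label,
                              "live": live, "desired": desired})
    return drift


def ha_pair_shares_datastore(xml_text: str) -> bool:
    """True when more than one appliance (an HA pair) currently sits on a
    single datastore, which removes the storage isolation HA relies on."""
    root = ET.fromstring(xml_text)
    datastores = [_text(a, "datastoreId") for a in root.findall("appliance")]
    return len(datastores) > 1 and len(set(datastores)) == 1


if __name__ == "__main__":
    for d in appliance_drift(SAMPLE_APPLIANCES_XML):
        print(f"vm {d['vmId']} (HA index {d['haIndex']}): {d['field']} live={d['live']} desired={d['desired']}")
    print("HA pair on one datastore:", ha_pair_shares_datastore(SAMPLE_APPLIANCES_XML))
```

In the constructed sample the standby appliance (HA index 1) has been moved to the primary's resource pool and datastore, so the script reports two drift entries for vm-102 and flags the pair as sharing a datastore.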

NSX Step by Step – Configuring HA for EDGE Appliances

High Availability for the VMware NSX Edge appliance does not work the way vSphere HA does. NSX Edge HA ensures the availability of the Edge appliance by deploying a pair of Edge appliances. HA for the NSX Edge appliance can be enabled either during installation of the Edge appliance or after it has been installed.

Once HA is enabled for an NSX Edge appliance, one appliance acts as the primary (active) appliance and the other as the secondary (standby) appliance. It is always recommended to deploy the two appliances on separate resource pools and datastores. If both appliances are stored on the same datastore, that datastore should be shared across all hosts in the cluster. After deployment, the primary appliance maintains a heartbeat with the standby appliance and sends service updates through an internal interface. If a heartbeat is not received from the primary appliance within the specified time (the default is 15 seconds), the primary appliance is declared dead. The standby appliance moves to the active state, takes over the interface configuration of the primary appliance, and starts the NSX Edge services that were running on the primary appliance.

Configuring High Availability on an existing standalone appliance

  • Log in to the vSphere Web Client.
  • Click Networking & Security and then click NSX Edges.
  • Double-click an NSX Edge.
  • Click the Manage tab and then click the Settings tab.

In the HA Configuration panel, click Change. Select Enable and provide management IPs from a range that does not overlap the ranges assigned to the Edge appliance interfaces. The management IPs must be assigned from a /30 subnet.
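Two of the address-range rules on this page are easy to get wrong by hand: the HA management IPs must come from a /30 that does not overlap any Edge interface range (this post), and the SSL VPN-Plus client IP pool should not overlap the private networks it publishes or the Edge's own interface subnets (the SSL VPN-Plus post above). The script below is an added example, not VMware code, that checks both with the standard ipaddress module. All subnets and the pool range are constructed; it assumes an SSL VPN-Plus pool is written as "first-last" or as CIDR.

```python
"""Address-range sanity checks for an NSX Edge before enabling HA or SSL VPN-Plus.

Added example, not VMware code. Every subnet below is constructed. Assumes a
VPN client pool is given as "first-last" or CIDR and HA management as CIDR.
"""
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Iterable, List

# Constructed Edge layout: an uplink and one internal interface.
EDGE_INTERFACES = ["192.0.2.1/24", "10.10.10.1/24"]
# Constructed private networks published to VPN clients.
PRIVATE_NETWORKS = ["10.10.10.0/24", "10.10.20.0/24"]


def to_networks(spec: str) -> List:
    """Accept "10.0.0.10-10.0.0.100" (pool range) or "10.0.0.0/24" (CIDR)
    and return the list of networks covering it."""
    if "-" in spec:
        first, last = (ip_address(p.strip()) for p in spec.split("-", 1))
        return list(summarize_address_range(first, last))
    return [ip_network(spec, strict=False)]


def _overlaps(nets_a: Iterable, nets_b: Iterable) -> bool:
    return any(a.overlaps(b) for a in nets_a for b in nets_b)


def check_vpn_pool(vpn_ip_pool: str, private_networks: Iterable[str],
                   edge_interfaces: Iterable[str]) -> List[str]:
    """Problems with an SSL VPN-Plus client pool; empty list means it is sane.
    A pool that overlaps a published network or an Edge interface subnet
    makes return routing for VPN clients ambiguous."""
    pool = to_networks(vpn_ip_pool)
    problems = []
    for net in private_networks:
        if _overlaps(pool, to_networks(net)):
            problems.append(f"VPN client pool {vpn_ip_pool} overlaps private network {net}")
    for net in edge_interfaces:
        if _overlaps(pool, to_networks(net)):
            problems.append(f"VPN client pool {vpn_ip_pool} overlaps Edge interface subnet {net}")
    return problems


def check_ha_management(ha_management: str, edge_interfaces: Iterable[str]) -> List[str]:
    """Problems with the HA management range: it must be a /30 and must not
    overlap any range assigned to the Edge interfaces."""
    mgmt = ip_network(ha_management, strict=False)
    problems = []
    if mgmt.prefixlen != 30:
        problems.append(f"HA management range {mgmt} is a /{mgmt.prefixlen}; a /30 is required")
    for net in edge_interfaces:
        if _overlaps([mgmt], to_networks(net)):
            problems.append(f"HA management range {mgmt} overlaps Edge interface subnet {net}")
    return problems


if __name__ == "__main__":
    for pool in ("172.16.50.10-172.16.50.100", "10.10.10.200-10.10.10.250"):
        print(pool, "->", check_vpn_pool(pool, PRIVATE_NETWORKS, EDGE_INTERFACES) or "ok")
    for mgmt in ("169.254.1.0/30", "10.10.10.252/30", "169.254.1.0/29"):
        print(mgmt, "->", check_ha_management(mgmt, EDGE_INTERFACES) or "ok")
```

The second pool in the demo lands inside the internal interface subnet and is reported twice (once against the published network, once against the interface); the last HA range is rejected for its prefix length alone.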

Once enabled, VMware NSX will deploy a secondary Edge appliance.

After configuration, you can verify the HA status either from the UI or from the command line once connected to either Edge appliance.

To further verify that the secondary appliance becomes primary when the primary goes down, power off one of the appliances and check the status.

This concludes the process to configure high availability on an existing Edge appliance. I hope this is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.

Integrating VMware NSX with VMware vRealize Log Insight

VMware vRealize Log Insight is a log analyzer that can receive logs from almost any device. It can be used for quick and easy operational tasks, giving you a full picture of your environment. You can install or create your own content packs inside Log Insight to build dashboards and filtered views of the data.

One of these content packs is for VMware NSX. You can get it here. The NSX content pack has pages to troubleshoot or check the NSX installation itself, logical switch audit and alerts, distributed logical router audit and events, Layer 2 bridge messages, distributed firewall alerts and real-time traffic logs, and NSX Edge messages.

Installing the Content Pack for VMware NSX

Log in to VMware Log Insight using the admin account. Click on Marketplace.

Select VMware NSX vSphere. Select the check box and click Install.

After installation, the new content pack is listed under Installed Content Packs.

Click on Dashboard and choose VMware – NSX-vSphere.

You can now navigate between the pages to see the details of the different components in the NSX environment.

This concludes the installation of the content pack for NSX in VMware vRealize Log Insight for log analysis. I hope this is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.

NSX Step by Step – (Part – 32 ) – Monitoring NSX using vROPS

vRealize Operations Management Pack for NSX is the industry’s best-in-class solution for managing and operating NSX. You can install vRealize Operations Management Pack for NSX-vSphere 2.0 on your vROPS cluster. Once configured, vROPS will start collecting data. The management pack discovers, analyzes and graphically represents the broad range of virtual networking services available within NSX-vSphere. Administrators can use this data to quickly identify configuration, health and/or capacity problems within virtual NSX networks, and see the impact of these problems on vSphere hosts and virtual machines.

To install the Management Pack for NSX-vSphere, log in to vROPS with a user ID that has sufficient rights to install management packs. Once logged in, go to Administration –> Solutions and click the + sign.

Browse to the location of the downloaded solution pack and click Upload.

Click Next.

Click Yes to proceed with the installation despite the unsigned certificate. Click Next.

Click Finish.

After installation, the solution pack must be configured.

As no credentials have been created yet, click “+” to create new credentials.

Provide a user account that has sufficient rights on NSX Manager and vCenter.

Provide the necessary details and click Test Connection.

Save the settings once the test is successful.

It will take a few minutes to start collecting data.

Navigate through the dashboards to get details on the different components of NSX.

So in this post we covered the installation and configuration of the solution pack for NSX in vROPS. After configuration, the NSX environment can be monitored using vROPS. I hope this is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.

NSX Step by Step – (Part – 31 ) – Working with Security Group

In VMware NSX, Security Groups let administrators associate and group workloads dynamically. These Security Groups can then be used to define firewall rule sets for those dynamic workloads. Security Groups can have the following types of membership:

  • Dynamic membership based on Security Tag, IP Set, Active Directory Group, VM Name, OS Type, Computer Name, Security Group, etc.
  • Static membership based on manual selection
  • Inheritance through another Security Group, also known as nesting
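The three membership types combine into one effective member set, and that set is what a firewall rule written against the group actually applies to. The following is an added example (not NSX code) that models this resolution: dynamic criteria evaluated against a VM inventory, manually selected static members, and nested groups, with a guard against a group nested inside itself. The VMs, tags, group names and criteria helpers are all constructed for the example; NSX's real criteria set and its "match any / match all" option are modelled, not reproduced.

```python
"""How NSX Security Group membership resolves: dynamic criteria, static
members and nested groups.

Added example modelling the concept, not NSX code. The inventory, tags and
groups below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class VM:
    name: str
    os_type: str
    security_tags: Set[str] = field(default_factory=set)


Criterion = Callable[[VM], bool]


@dataclass
class SecurityGroup:
    name: str
    dynamic_criteria: List[Criterion] = field(default_factory=list)
    match_all: bool = False                         # "match all" vs "match any" criteria
    static_members: Set[str] = field(default_factory=set)   # VM names selected manually
    nested_groups: List["SecurityGroup"] = field(default_factory=list)


# Constructed criteria helpers standing in for the NSX membership criteria.
def has_tag(tag: str) -> Criterion:
    return lambda vm: tag in vm.security_tags


def os_type_contains(text: str) -> Criterion:
    return lambda vm: text.lower() in vm.os_type.lower()


def name_starts_with(prefix: str) -> Criterion:
    return lambda vm: vm.name.startswith(prefix)


def _matches_dynamic(group: SecurityGroup, vm: VM) -> bool:
    if not group.dynamic_criteria:
        return False
    results = (c(vm) for c in group.dynamic_criteria)
    return all(results) if group.match_all else any(results)


def resolve_members(group: SecurityGroup, inventory: Dict[str, VM],
                    _seen: Optional[Set[str]] = None) -> Set[str]:
    """Effective membership = dynamic matches | static members | nested groups.
    _seen stops infinite recursion if a group ends up nested inside itself."""
    seen = _seen if _seen is not None else set()
    if group.name in seen:
        return set()
    seen.add(group.name)
    members = {vm.name for vm in inventory.values() if _matches_dynamic(group, vm)}
    members |= {n for n in group.static_members if n in inventory}
    for child in group.nested_groups:
        members |= resolve_members(child, inventory, seen)
    return members


# Constructed inventory: two tagged web servers, a tagged DB, an untagged jump host.
INVENTORY: Dict[str, VM] = {vm.name: vm for vm in [
    VM("web-01", "Microsoft Windows Server 2012", {"ST-Web"}),
    VM("web-02", "Ubuntu Linux (64-bit)", {"ST-Web"}),
    VM("db-01", "Red Hat Enterprise Linux 7", {"ST-DB"}),
    VM("jump-01", "Microsoft Windows Server 2012"),
]}

SG_WEB = SecurityGroup("SG-Web", dynamic_criteria=[has_tag("ST-Web")])
SG_DB = SecurityGroup("SG-DB", dynamic_criteria=[has_tag("ST-DB")], static_members={"jump-01"})
SG_LINUX_WEB = SecurityGroup("SG-Linux-Web", match_all=True,
                             dynamic_criteria=[has_tag("ST-Web"), os_type_contains("linux")])
SG_APP = SecurityGroup("SG-App", nested_groups=[SG_WEB, SG_DB])     # nested / inherited


def members_after_tag_removal(vm_name: str, tag: str) -> Set[str]:
    """Show that detaching a tag silently drops the VM from every rule whose
    group matched on that tag (the flip side of dynamic membership)."""
    inv = {k: VM(v.name, v.os_type, set(v.security_tags)) for k, v in INVENTORY.items()}
    inv[vm_name].security_tags.discard(tag)
    return resolve_members(SG_APP, inv)


if __name__ == "__main__":
    for g in (SG_WEB, SG_DB, SG_LINUX_WEB, SG_APP):
        print(f"{g.name}: {sorted(resolve_members(g, INVENTORY))}")
    print("SG-App after untagging web-02:", sorted(members_after_tag_removal("web-02", "ST-Web")))
```

The point worth noticing for a firewall administrator is the last call: a rule written against SG-App stops covering web-02 the moment its tag is removed, so tag assignment rights deserve the same scrutiny as firewall rule rights.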

In this post we will create a Security Tag and assign it to a virtual machine. Once done, we will create a Security Group and a firewall rule for the Security Group.

To create a Security Tag

  • Log in to the vSphere Web Client.
  • Click Networking & Security and then click NSX Managers.
  • Click an NSX Manager in the Name column and then click the Manage tab.
  • Click the Security Tags tab.

Once the Security Tag is created and assigned to the virtual machine, the next step is to create a Security Group.

To create a Security Group

  • Log in to the vSphere Web Client.
  • Click Networking & Security and then click NSX Managers.
  • Click an NSX Manager in the Name column and then click the Manage tab.
  • Click the Grouping tab.
  • Click the Security Group tab and then click the Add Security Group icon.

Type a name and description for the security group and click Next.

Define the criteria that an object must meet to be added to the security group you are creating.

Click Finish.

Now, when we create a firewall rule on the Security Group, it will automatically cover the virtual machines associated with it.

In this post we grouped virtual machines using a Security Tag and then created a firewall rule based on those security tags. I hope this is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.

NSX Step by Step – (Part – 30 ) – Configuring Centralized logging

It is recommended that you specify the same syslog server for the NSX components and vCenter Server, so that you get a complete picture when viewing logs on the syslog server.

To configure the Syslog Server for NSX Manager

  • Log in to the NSX Manager virtual appliance.
  • Under Appliance Management, click Manage Appliance Settings.
  • From the Settings panel, click General.
  • Click Edit next to Syslog Server.

To configure the Syslog Server for NSX Edge

  • Log in to the vSphere Web Client.
  • Click Networking & Security and then click NSX Edges.
  • Double-click an NSX Edge.
  • Click the Monitor tab and then click the Settings tab.
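Pointing NSX Manager, the Edges and vCenter at one syslog server only pays off if every component actually reports there, so the check a practitioner wants after these two procedures is "which expected hosts have I not heard from?". The script below is an added example, not VMware code: it parses plain RFC 3164-style syslog lines (PRI, timestamp, host, tag, message), decodes facility and severity from the PRI value, and reports per-host counts plus any expected host that is missing. The log lines, host names and program tags are constructed for the example and are not the real NSX message formats.

```python
"""Verify syslog coverage of NSX components on the central syslog server.

Added example, not VMware code. The lines below are constructed in plain
RFC 3164 layout (<PRI>Mmm dd hh:mm:ss host tag: message); host names and
program tags are made up and are not NSX's real formats.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set

# RFC 5424/3164 severity names, indexed by PRI % 8.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+):?\s?(?P<msg>.*)$"
)

# Constructed sample: two components report, vCenter never does, one line is junk.
SAMPLE_LINES = [
    "<134>Jun 14 10:15:01 nsxmgr-01 nsx-manager: user admin logged in from 192.0.2.10",
    "<13>Jun 14 10:15:07 edge-01 nsx-edge: sslvpn: session established for user alice",
    "<12>Jun 14 10:15:09 edge-01 nsx-edge: firewall: rule 1003 DROP 198.51.100.7 -> 10.10.10.5:22",
    "<134>Jun 14 10:16:00 nsxmgr-01 nsx-manager: HA enabled on edge-1",
    "this line is not syslog at all",
]


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog line into fields; None if it is not a valid line.
    PRI = facility * 8 + severity, and may not exceed 191."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def report_coverage(lines: Iterable[str], expected_hosts: Set[str]) -> Dict[str, object]:
    """Per-host and per-severity counts, the expected hosts that sent nothing,
    and how many lines could not be parsed (a sign of a misconfigured sender)."""
    counts: Counter = Counter()
    by_severity: Counter = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        counts[rec["host"]] += 1
        by_severity[rec["severity"]] += 1
    return {
        "counts": dict(counts),
        "by_severity": dict(by_severity),
        "missing": expected_hosts - set(counts),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = report_coverage(SAMPLE_LINES, {"nsxmgr-01", "edge-01", "vcenter-01"})
    for host, n in sorted(report["counts"].items()):
        print(f"{host}: {n} messages")
    print("missing senders:", sorted(report["missing"]))
    print("severity mix:", report["by_severity"], "| unparsed lines:", report["unparsed"])
```

Run against a real export the `missing` set is the actionable output: a host listed there is configured in your head but not in the syslog stream, which is exactly the gap this post's two procedures are meant to close.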

I hope this is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.

NSX Step by Step – (Part – 29 ) – Managing User Roles

A user’s role defines the actions the user is allowed to perform on a given resource; that is, the role determines the user’s authorized activities on that resource.

  • Enterprise Administrator: NSX operations and security.
  • NSX Administrator: NSX operations only; the user can install virtual appliances and configure port groups.
  • Security Administrator: NSX security only; the user can define data security policies, create port groups, and create reports for NSX modules.
  • Auditor: read only.

Managing roles for NSX users

  • Log in to the vSphere Web Client.
  • Click Networking & Security and then click NSX Managers.
  • Click an NSX Manager in the Name column and then click the Manage tab.
  • Click Users.
  • Click Add.

In this post we discussed the process to assign roles to vCenter users. In the next post I will discuss configuring a Syslog server on NSX Manager and the Edge routers. I hope this is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.

NSX Step by Step – ( Part -28 ) – Common NSX Operational Activity

In this post I will cover a few common administrative tasks that we may be required to perform as operational activities.

Excluding Virtual Machines from Distributed Firewall Protection

Excluding virtual machines from firewall protection is useful where vCenter Server resides in the same cluster in which the firewall is in use. Once a virtual machine is added to the exclusion list, no traffic from that virtual machine goes through the firewall. NSX Manager and service virtual machines are automatically excluded from firewall protection. In addition, you should exclude the vCenter Server and partner service virtual machines so that their traffic can flow freely.

Collecting Technical Support Logs

You can download technical support logs for each NSX Edge instance. If high availability is enabled for the NSX Edge instance, support logs from both NSX Edge virtual machines are downloaded. This diagnostic information contains product-specific logs and configuration files from the host on which the product runs. The information is gathered using a specific script or tool for each product.

Similarly, you can collect the support logs of the NSX Controller cluster from the Actions menu.

Changing the Logical Router appliance size

If you installed a compact NSX Edge instance, you can upgrade it to a large or x-large NSX Edge instance.

Changing the logging level on an Edge appliance

On an NSX router you can change the control logging level by clicking the ‘Actions’ menu and selecting ‘Change Log Level’.

Changing the NSX Controller password

After deploying the NSX Controllers, you can change the password of the NSX Controllers from the Actions menu.

NSX Controller Snapshot

Before an upgrade, you can take a snapshot of the NSX Controller cluster from the NSX UI. The snapshot includes the database of the entire controller cluster. All NSX Controllers should be in the normal state before this activity. A valid NSX Controller cluster contains three controller nodes. Log in to the three controller nodes and run the show controller-cluster status command.
