Table of Contents
Lab Overview - HOL-1703-SDC-1 - VMware NSX: Introduction and Feature Tour, p. 3
  Lab Guidance, p. 4
Module 1 - Installation Walk Through (30 minutes), p. 11
  Special Note on Module 1, p. 12
  Introduction to Deploying NSX, p. 13
  Deploying the NSX Manager OVA, p. 15
  Registering NSX with vCenter, p. 28
  Configuring Syslog and NSX Manager Backups, p. 35
  Deploying NSX Controllers, p. 42
  Preparing a Cluster for NSX, p. 53
  Configuring and verifying VXLAN Tunnel End Points, p. 56
  Creating VXLAN Network Identifier Pools, p. 62
  Creating Transport Zones, p. 65
  NSX Manager Dashboard, p. 67
  Module 1 Conclusion, p. 70
Module 2 - Logical Switching (30 minutes), p. 72
  Logical Switching - Module Overview, p. 73
  Logical Switching, p. 74
  Scalability/Availability, p. 105
  Module 2 Conclusion, p. 110
Module 3 - Logical Routing (60 minutes), p. 112
  Routing Overview, p. 113
  Dynamic and Distributed Routing, p. 115
  Centralized Routing, p. 149
  ECMP and High Availability, p. 168
  Prior to moving to Module 3 - Please complete the following cleanup steps, p. 217
  Module 3 Conclusion, p. 222
Module 4 - Edge Services Gateway (60 minutes), p. 224
  Introduction to NSX Edge Services Gateway, p. 225
  Deploy Edge Services Gateway for Load Balancer, p. 226
  Configure Edge Services Gateway for Load Balancer, p. 243
  Edge Services Gateway Load Balancer - Verify Configuration, p. 255
  Edge Services Gateway Firewall, p. 268
  DHCP Relay, p. 279
  Configuring L2VPN, p. 309
  Module 4 Conclusion, p. 372
Module 5 - Physical to Virtual Bridging (60 minutes), p. 373
  Native Bridging, p. 374
  Introduction to Hardware VTEP with Arista, p. 418
  Hands-on Lab Interactive Simulation: Hardware VTEP with Arista, p. 424
  Bridging Design Considerations, p. 425
  Module 5 Conclusion, p. 437
HOL-1703-SDC-1
Page 1
Lab Guidance
Note: It will take more than 90 minutes to complete this lab. You should
expect to only finish 2-3 of the modules during your time. The modules are
independent of each other so you can start at the beginning of any module
and proceed from there. You can use the Table of Contents to access any
module of your choosing.
The Table of Contents can be accessed in the upper right-hand corner of the
Lab Manual.
VMware NSX is the network virtualization platform for the Software-Defined Data Center
(SDDC) and the main focus of this lab. Throughout this lab we will guide you through the
basic features of NSX. We start off by walking you through a typical installation of NSX
and all of the required components. We then go into Logical Switching and Logical
Routing so that you have a better understanding of these concepts. We then cover the
Edge Services Gateway and how it can provide common services such as DHCP, VPN,
NAT, Dynamic Routing and Load Balancing. Finally we cover how to bridge a physical
VLAN to a VXLAN, and then the Distributed Firewall. The complete Lab Module list is
below; all modules are completely independent, so you can freely move between
different modules.
Lab Module List:
Module 1 - Installation Walk Through (30 minutes) - Basic - This module will
walk you through a basic install of NSX including deploying the .ova, configuring
NSX Manager, deploying controllers and preparing hosts.
Module 2 - Logical Switching (30 minutes) - Basic - This module will walk you
through the basics of creating logical switches and attaching virtual machines to
logical switches.
Module 3 - Logical Routing (60 minutes) - Basic - This module will help us
understand some of the routing capabilities supported in the NSX platform and
how to utilize these capabilities while deploying a three tier application.
Module 4 - Edge Services Gateway (60 minutes) - Basic - This module will
demonstrate the capabilities of the Edge Services Gateway and how it can
provide common services such as DHCP, VPN, NAT, Dynamic Routing and Load
Balancing.
Module 5 - Physical to Virtual Bridging (30 minutes) - Basic - This module will
guide us through the configuration of a L2 Bridging instance between a traditional
VLAN and a NSX Logical Switch. There will also be an offline demonstration of
NSX integration with Arista hardware VXLAN-capable switches.
Module 6 - Distributed Firewall (45 minutes) - Basic - This module will cover
the Distributed Firewall and creating firewall rules between a 3-tier application.
Lab Captains:
This lab manual can be downloaded from the Hands-on Labs Document site found here:
[http://docs.hol.pub/HOL-2017]
This lab may be available in other languages. To set your language preference and have
a localized manual deployed with your lab, you may utilize this document to help guide
you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.
Module 1 - Installation Walk Through (30 minutes)
NSX Components
Review Details
1. Check the box to Accept extra configuration options.
2. Click Next to continue.
Select Storage
1. Ensure the virtual disk format is Thick Provision Lazy Zeroed.
2. Select a VM Storage Policy, if you have them configured within your environment,
otherwise leave it set to Datastore Default.
3. Select the datastore to deploy the NSX Manager appliance to.
4. Click Next to continue and wait for the selections to be validated.
Setup Networks
1. Select the Management network for the NSX Manager appliance.
2. Click Next to continue.
Customize Template
1. Enter and confirm the password for the default CLI user for NSX Manager.
2. Enter and confirm the password for the privilege mode user for NSX Manager.
3. Enter the required hostname.
4. Enter the IPv4 address, Netmask and Gateway addresses.
5. Enter the IPv6 address, Prefix and Gateway if required.
6. Enter the DNS Server and Search list (if you have multiple entries, use a space to
separate them).
7. Enter the NTP Server list (if you have multiple entries, use a space to separate them).
8. Check the box to Enable SSH if required.
9. Click Next to continue.
Ready to Complete
1. Verify all your settings are correct.
2. Check the box to Power on after deployment.
3. Click Finish.
Configure minute
1. Finally configure the minute to perform the backup.
2. Click Schedule to confirm your settings.
Exclude logs
1. Select the logs that you wish to exclude by checking the box.
2. Click OK to confirm.
Initiate a backup
1. You can either wait for the configured scheduled time to perform a backup or click
the Backup button to start the process.
2. Once completed you should see a new backup in the history which can be
restored when needed.
Controller deploying
1. The first controller should start deploying and take approximately 5 - 10 minutes.
Installation in Progress
The VMware Infrastructure Bundles (vibs) are now being pushed down to all ESXi hosts
in the cluster. This should only take a few minutes, and the hosts do not require a
reboot.
4. Select the clusters that you would like added to the Transport Zone. Any logical
switches created in this Transport Zone will automatically be added to the
clusters selected here.
5. Click OK to confirm.
Dashboard View
Viewing the Dashboard we get an instant view of the overall health of the NSX
environment. The Dashboard alerts us to any potential issues with the NSX Manager,
Controllers, Hosts, Firewall and Logical Switches.
Module 1 Conclusion
In this module we showed the simplicity in which NSX can be installed and configured to
start providing layer two through seven services within software.
We covered the installation and configuration of the NSX Manager appliance which
included deployment, integrating with vCenter and configuring logging and backups. We
then covered the deployment of NSX Controllers as the control plane and installation of
the VMware Infrastructure Bundles (vibs) which are kernel modules pushed down to the
hypervisor. Finally we showed the automated deployment of VXLAN Tunnel Endpoints
(VTEP's), creation of a VXLAN Network Identifier pool (VNI's) and the creation of a
Transport Zone.
Module 2 - Logical Switching (30 minutes)
Logical Switching
In this section we will be:
addresses that are part of the same IP subnet). Additionally, IGMP snooping should be
configured on the physical switches to optimize the delivery of L2 multicast traffic.
Hybrid mode offers operational simplicity similar to unicast mode (IP multicast routing
configuration is not required in the physical network) while leveraging the L2 multicast
capability of physical switches.
The three modes of control plane configuration are:
Unicast: The control plane is handled by an NSX Controller. All unicast traffic
leverages head-end replication. No multicast IP addresses or special network
configuration is required.
Multicast: Multicast IP addresses on the physical network are used for the
control plane. This mode is recommended only when you are upgrading from
older VXLAN deployments. It requires PIM/IGMP on the physical network.
Hybrid: The optimized unicast mode. It offloads local traffic replication to the physical
network (L2 multicast). This requires IGMP snooping on the first-hop switch, but
does not require PIM. The first-hop switch handles traffic replication for the subnet.
Hybrid mode is recommended for large-scale NSX deployments.
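The practical difference between the three modes is how much replication work the source VTEP does for one broadcast/unknown-unicast/multicast (BUM) frame, and what the physical network has to provide in return. The model below is an added illustration, not VMware code and not the NSX algorithm itself: the VTEP inventory is constructed, a "segment" is assumed to be one VTEP IP subnet (the domain IGMP snooping covers), and the per-mode rules are the simplified ones stated in the docstring.

```python
"""Count the packets a source VTEP must originate for one BUM frame under the
unicast, hybrid and multicast replication modes.

Added illustration, not VMware code. Simplifying assumptions (constructed):
- a "segment" is one VTEP IP subnet of the given prefix length;
- unicast  : one unicast copy to every other VTEP in the source's own subnet,
             plus one unicast copy to a proxy VTEP (UTEP) per remote subnet,
             which replicates locally (head-end replication);
- hybrid   : one L2 multicast frame for the local subnet (the first-hop switch
             replicates it via IGMP snooping) plus one unicast copy to a proxy
             (MTEP) per remote subnet;
- multicast: one packet into the VNI's multicast group; PIM/IGMP in the
             physical network does all replication.
"""
from collections import defaultdict
import ipaddress

# Constructed sample VTEP inventory (host -> VTEP IP) spread over three subnets
VTEPS = {
    "esx-01a": "192.168.130.51",
    "esx-02a": "192.168.130.52",
    "esx-03a": "192.168.130.53",
    "esx-04a": "192.168.140.54",
    "esx-05a": "192.168.140.55",
    "esx-06a": "192.168.150.56",
}


def vtep_segments(vteps, prefixlen=24):
    """Group VTEPs by IP subnet (the assumed L2 replication domain)."""
    segments = defaultdict(list)
    for host, ip in vteps.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        segments[net].append(host)
    return segments


def source_copies(mode, source, vteps, prefixlen=24):
    """Return (unicast_copies, multicast_frames) the source VTEP itself sends."""
    segments = vtep_segments(vteps, prefixlen)
    local_net = ipaddress.ip_network(f"{vteps[source]}/{prefixlen}", strict=False)
    local_peers = len(segments[local_net]) - 1      # other VTEPs in my subnet
    remote_segments = len(segments) - 1             # subnets needing a proxy
    if mode == "unicast":
        return local_peers + remote_segments, 0
    if mode == "hybrid":
        # No multicast frame is needed when nobody else shares the subnet
        return remote_segments, (1 if local_peers else 0)
    if mode == "multicast":
        return 0, 1
    raise ValueError(f"unknown replication mode: {mode}")


def report(vteps, prefixlen=24):
    """Per (source, mode) row: how many copies the source originates."""
    rows = []
    for source in vteps:
        for mode in ("unicast", "hybrid", "multicast"):
            uni, mc = source_copies(mode, source, vteps, prefixlen)
            rows.append((source, mode, uni, mc))
    return rows


if __name__ == "__main__":
    for source, mode, uni, mc in report(VTEPS):
        print(f"{source:8} {mode:10} unicast copies={uni} multicast frames={mc}")
```

Running the report shows why hybrid mode is the recommendation for large deployments: as VTEPs are added to a subnet, the unicast-mode count for every source in that subnet grows with it, while the hybrid-mode count only grows with the number of subnets. The cost is the dependency on correctly configured IGMP snooping on every first-hop switch, which is exactly the item to verify when BUM traffic is lost in hybrid mode.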
Click OK.
2. Click Next.
Next to the Network Adaptor, click on the drop-down menu of interfaces.
Select VM-RegionA01-vDS-COMP (RegionA01-vDS-COMP).
Check the Connected box next to it.
Click OK.
Repeat the same steps for Web-04a, which you can find under the RegionA01-COMP2
cluster.
Open Putty
1. Click Start.
2. Click the Putty application icon in the Start Menu.
You are connecting from the MainConsole, which is in the 192.168.110.0/24 subnet. The
traffic will go through the NSX Edge and then to the Web interface.
web-04a
Note: you might see DUP! packets. This is due to the nature of VMware's nested lab
environment. This will not happen in a production environment.
Do not close your Putty session. Minimize the window for later use.
Scalability/Availability
In this section, you will take a look at controller scalability and availability. The
Controller cluster in the NSX platform is the control plane component responsible for
managing the switching and routing modules in the hypervisors. The controller cluster
consists of controller nodes that manage specific logical switches. The use of a
controller cluster to manage VXLAN-based logical switches eliminates the need for
multicast support from the physical network infrastructure.
For resiliency and performance, production deployments must deploy a controller
cluster with multiple nodes. The NSX controller cluster is a scale-out distributed
system in which each controller node is assigned a set of roles that define the type of
tasks the node can perform. Controller nodes are deployed in odd numbers. The
current best practice (and the only supported configuration) is a cluster of three nodes
in active-active-active load sharing and redundancy.
To increase the scalability of the NSX architecture, a slicing mechanism is used to
ensure that all the controller nodes can be active at any given time.
Should one or more controllers fail, data plane (VM) traffic is not affected and continues
to flow, because the logical network information has already been pushed down to the
logical switches (the data plane). What you cannot do is make adds, moves or changes
without the control plane (controller cluster) intact.
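The two properties described above, every node active through slicing and a data plane that keeps forwarding when controllers are lost, can be made concrete with a small simulation. This is an added illustration, not VMware code: the `Host` and `ControllerCluster` classes, the six-slice round-robin assignment, the sample MAC/VTEP values and the rule that the cluster needs a majority of its nodes alive to accept changes are all assumptions of the model.

```python
"""Toy model of controller-cluster slicing and the control/data plane split.
Added illustration, not VMware code; class names, slice count and the
'majority of nodes' rule are modelling assumptions."""


class Host:
    """Hypervisor holding its own copy of forwarding state (the data plane)."""

    def __init__(self, name):
        self.name = name
        self.table = {}  # vni -> {mac: vtep_ip}, populated by the controllers

    def forward(self, vni, mac):
        """Data-plane lookup: answered from local state, controllers not consulted."""
        return self.table.get(vni, {}).get(mac)


class ControllerCluster:
    """Scale-out control plane: every node owns a share of the slices."""

    def __init__(self, nodes, n_slices=6):
        self.nodes = list(nodes)
        self.alive = set(nodes)
        self.n_slices = n_slices
        # Deal slices round-robin so every node is active (assumed scheme)
        self.owner = {s: self.nodes[s % len(self.nodes)] for s in range(n_slices)}

    def slice_for(self, vni):
        return vni % self.n_slices

    def has_quorum(self):
        # Assumption modelled here: a majority of nodes must be alive
        return 2 * len(self.alive) > len(self.nodes)

    def fail(self, node):
        """A node goes down; its slices move to survivors while a majority remains."""
        self.alive.discard(node)
        if not self.has_quorum():
            return
        survivors = sorted(self.alive)
        for s, owner in self.owner.items():
            if owner == node:
                self.owner[s] = survivors[s % len(survivors)]

    def push(self, vni, mac, vtep, hosts):
        """Control-plane change (add/move): publish a MAC-to-VTEP mapping.
        Returns False when the control plane cannot accept the change."""
        if not self.has_quorum() or self.owner[self.slice_for(vni)] not in self.alive:
            return False
        for host in hosts:
            host.table.setdefault(vni, {})[mac] = vtep
        return True


def demo():
    """3 nodes: lose one (changes still accepted), lose two (forwarding only)."""
    hosts = [Host("esx-01a"), Host("esx-02a")]
    cluster = ControllerCluster(["ctrl-1", "ctrl-2", "ctrl-3"])
    results = {"all_nodes_active": set(cluster.owner.values()) == set(cluster.nodes)}
    results["push_ok"] = cluster.push(5001, "00:50:56:aa:bb:01", "192.168.130.52", hosts)
    cluster.fail("ctrl-1")
    results["push_after_one_failure"] = cluster.push(
        5001, "00:50:56:aa:bb:02", "192.168.130.53", hosts)
    cluster.fail("ctrl-2")
    results["push_after_two_failures"] = cluster.push(
        5001, "00:50:56:aa:bb:03", "192.168.130.51", hosts)
    # The data plane keeps forwarding with the state it already received
    results["forward_after_two_failures"] = hosts[1].forward(5001, "00:50:56:aa:bb:01")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for operations is the last two results: with two of three controllers down, existing workloads keep talking because the hosts already hold the forwarding state, but a new VM, a vMotion or a new logical switch is not learned until the cluster is restored, which is why controller health belongs on the dashboard checks in this module.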
Module 2 Conclusion
In this module we demonstrated the following key benefits of the NSX platform.
The speed at which you can provision logical switches and interface them with virtual
machines and external networks.
Platform scalability is demonstrated by the ability to scale the transport zones as well as
the controller nodes.
Module 3 - Logical Routing (60 minutes)
Routing Overview
Lab Module Overview
In the previous module you saw that users can create isolated logical switches/networks
with a few clicks. To provide communication across these isolated logical layer 2
networks, routing support is essential. In the NSX platform the distributed logical router
allows you to route traffic between logical switches. One of the key differentiating
features of this logical router is that the routing capability is distributed in the
hypervisor. By incorporating this logical routing component, users can reproduce complex
routing topologies in the logical space. For example, in a three tier application connected
to three logical switches, the routing between the tiers is handled by this distributed
logical router.
In this module you will demonstrate the following:
1) How traffic flows when the routing is handled by an external physical router or NSX
Edge Services Gateway.
2) The configuration of the Logical Interfaces (LIFs) on the Logical Router, enabling
routing between the App and DB tiers of the application.
3) Configuring dynamic routing protocols across the distributed logical router and the
NSX Edge Services Gateway, and how internal route advertisements to the external
router are controlled.
4) Finally, how features such as ECMP (Equal Cost Multipath Routing) can be used to
scale and protect the Edge Services Gateway.
This module will help us understand some of the routing capabilities supported in the
NSX platform and how to utilize these capabilities while deploying a three tier
application.
Second, a text file (README.txt) has been placed on the desktop of the environment
allowing you to easily copy and paste complex commands or passwords in the
associated utilities (CMD, Putty, console, etc). Certain characters are often not present
on keyboards throughout the world. This text file is also included for keyboard layouts
which do not provide those characters.
The text file is README.txt and is found on the desktop.
database) are on different logical switches, with the NSX Edge providing routing between
tiers.
The web server will return a web page with customer information stored in the
database.
Add Subnets
Repeat the previous two steps for the DB_Tier interface:
Name DB_Tier
Connect to DB_Tier_Logical_Switch
IP address 172.16.30.1 and a subnet prefix length of 24
Once the system completes adding and configuring the DB_Tier interface, verify that both
the App_Tier and DB_Tier interfaces match the picture above.
Publish Changes
1. Click the Publish Changes button in the dialog box again to push the updated
configuration to the distributed-edge device.
Enable OSPF
Note: For the Distributed Router the "Protocol Address" field is required to send the
control traffic to the Distributed Router Control Virtual Machine. The Forwarding Address
is where all the normal data path traffic will be sent. The screen will return to the main
"OSPF" configuration window. The green "Publish Changes" dialog box will be displayed.
Note: The separation of control plane and data plane traffic in NSX makes it possible to
maintain the routing instance's data forwarding capability while the control function is
restarted or reloaded. This function is referred to as "Graceful Restart" or "Non-stop
Forwarding".
DO NOT PUBLISH CHANGES YET! Rather than publishing changes at every step, we'll
continue through the configuration changes and publish them all at once.
Note: The Area ID for OSPF is very important. There are several types of
OSPF areas. Be sure to check the correct area the edge devices should be in
to work properly with the rest of the OSPF configuration within the network.
Publish Changes
1. Click the Publish Changes button in the dialog box again to push the updated
configuration to the distributed-edge device.
Publish Changes
1. Click the Publish Changes button in the dialog box again to push the updated
configuration to the distributed-edge device.
Enable OSPF
1. Click the Enable OSPF dialog box
2. Verify that the Enable Graceful Restart dialog box is checked
3. Then click OK
Note: The Area ID for OSPF is very important. There are several types of OSPF
areas. Be sure to check the correct area the edge devices should be in to work
properly with the rest of the OSPF configuration within the network.
Publish Changes
1. Click the Publish Changes button in the dialog box again to push the updated
configuration to the distributed-edge device.
Publish Changes
1. Click the Publish Changes button in the dialog box again to push the updated
configuration to the distributed-edge device.
Centralized Routing
In this section, we will look at various elements to see how the routing is done
northbound from the edge. This includes how OSPF dynamic routing is controlled,
updated, and propagated throughout the system. We will verify the routing on the
perimeter edge appliance through the virtual routing appliance that runs and routes the
entire lab.
Special Note: On the desktop you will find a file named README.txt. It
contains the CLI commands needed in the lab exercises. If you can't type
them, you can copy and paste them into the Putty sessions. If you see a
number in curly braces, for example {1}, this tells you to look for that CLI
command for this module in the text file.
Navigate to Perimeter-Gateway VM
1. Select VMs and Templates
2. Select Perimeter-Gateway-01-0
3. Select Summary Tab
4. Click Launch Remote Console
Confirm Delete
Click Yes
Publish Change
1. Click the Publish Changes button to push the configuration change.
You will now see that the vPod Router (192.168.250.1) has dropped from the list.
Show Routes
1. Type show ip route and Press Enter
show ip route
Now you can see that the only routes being learned via OSPF are from the Distributed
Router (192.168.5.2).
Since no routes exist between your control center and the virtual networking
environment, the web app should fail.
1. Click on the HOL - Multi-Tier App tab.
2. Click Refresh.
The application may take a few moments to actually time out; you may need to click
the red "x" to stop the browser. If you do see customer data, it may be cached from
before, and you may need to close and re-open the browser to correct it.
Publish Change
1. Click the Publish Changes button to push the configuration change.
You will now see that the vPod Router (192.168.100.1) is shown as a neighbor.
Show Routes
The default route, and connected network from the vPod Router (192.168.100.1) are
now back in the list.
Set Password
NOTE - All passwords for NSX Edges are 12 character complex passwords.
Continue Deployment
1. Click Next
Continue Deployment
IMPORTANT! Before continuing, review the information and confirm that the IP
addresses and subnet prefix lengths are correct.
1. Click Next
2. Click Next
Finalize Deployment
Click Finish to start deployment
Edge Deploying
It will take a couple of minutes for the Edge to deploy.
1. Under Status for Edge-7 you will see Busy, and it shows 1 item installing. This
means the deployment is in progress.
2. You can click the refresh icon in the web client to speed up the auto refresh on
this screen.
Once the status says Deployed you can move on to the next step.
Note: If the status of Edge-7 cannot be seen, scrolling the window to the right will
allow the deployment status to be viewed.
Publish Changes
1. Click the Publish Changes button in the dialog box again to push the updated
configuration to the distributed-edge device.
Enable OSPF
Publish Changes
1. Click the Publish Changes button in the dialog box again to push the updated
configuration to the distributed-edge device.
Enable BGP
Publish Changes
1. Click the Publish Changes button in the dialog box again to push the updated
configuration to the distributed-edge device.
Publish Changes
1. Click the Publish Changes button in the dialog box again to push the updated
configuration to the distributed-edge device.
Enable ECMP
We are now going to enable ECMP on both the Distributed Router and the Perimeter
Gateways
1. Click the back button, Networking and Security in the Navigator panel
1. Click the Manage tab
2. Click the Routing tab
3. Click Global Configuration in the left pane
4. Click the ENABLE button next to ECMP
Publish Change
1. Click the Publish Changes to push the configuration change.
1. Click the Manage tab
2. Click the Routing tab
3. Click Global Configuration in the left pane
4. Click the Enable button next to ECMP
Publish Change
1. Click the Publish Changes to push the configuration change.
1. Click the Manage tab
2. Click the Routing tab
3. Click Global Configuration in the left pane
4. Click the ENABLE button next to ECMP
Publish Change
1. Click the Publish Changes to push the configuration change.
Topology Overview
At this stage, this is the topology of the lab. This includes the new Perimeter Gateway
that has been added, routing configured, and ECMP turned on.
This shows us that the Distributed Router now has two OSPF neighbors. The neighbors
are Perimeter-Gateway-01 (192.168.100.3) and Perimeter-Gateway-02
(192.168.100.4).
Note: tab completion works on Edge devices in NSX.
Note: the vPod Router network segments and default route are advertised via both
Perimeter Gateway network addresses. The red arrows above are pointing to the
addresses of both the Perimeter-Gateway-01 and Perimeter-Gateway-02.
Leave this window open for the following steps.
Show Routes
1. Enter show ip bgp and press Enter
show ip bgp
2. In this section you notice that all networks have two next hop routers listed, and this
is because Perimeter-Gateway-01 (192.168.100.3) and Perimeter-Gateway-02
(192.168.100.4) are both Established neighbors for these networks.
At this point, any traffic connected to the distributed router can egress out either of the
perimeter gateways with ECMP.
Leave this window open for the following steps.
Confirm Shutdown
1. Click Yes
You will see pings from the control center to the database server (db-01a) start.
Leave this window open and running as you go to the next step.
Note: only Perimeter-Gateway-02 is now available to access the vPod Router network
segments.
Show Routes
Let's check the status of the routes on the Distributed Router 01 since we powered
Perimeter-Gateway-01 back up.
1. Enter show ip route and press Enter
show ip route
Note: we should now see that all vPod Router networks have returned to dual
connectivity.
Delete Edge-7
We need to delete the Edge we just created
1. Select NSX Edges
2. Select Edge-7
3. Click Red X to Delete
Confirm Delete
1. Click Yes to confirm deletion
1. Click the Manage tab
2. Click the Routing tab
3. Click Global Configuration in the left pane
4. Click the DISABLE button next to ECMP
Publish Changes
1. Click Publish Changes to push the configuration change.
1. Click the Manage tab
2. Click the Routing tab
3. Click Global Configuration in the left pane
4. Click the DISABLE button next to ECMP
Publish Changes
1. Click Publish Changes to push the configuration change.
Module 3 Conclusion
In this module we showed the routing capabilities of NSX for both the hypervisor kernel
service, the Distributed Logical Router, and the advanced services features of the
NSX Edge Services Gateways.
We covered the migration of Logical Switches from the Edge Services Gateway to the
Distributed Logical Router (DLR), and the configuration of a dynamic routing protocol
between the Edge and the DLR. We also reviewed the centralized routing capabilities of the
Edge Services Gateway and its dynamic route peering information. Last, we demonstrated
the scalability and availability of the Edge Services Gateways in an ECMP (Equal Cost
Multipath) route configuration: we deployed a new Edge Services Gateway and established
route peering with both the DLR and the vPod Router to increase throughput and
availability using ECMP. We also cleaned up our ECMP configuration to prepare for moving
to another module in this lab environment.
We will be selecting a Compact sized Edge for this new Edge Services Gateway, but it's
worth remembering that these Edge Service Gateways can also be upgraded to a larger
size after deployment. To continue with the new Edge Service Gateway creation:
1. Click the green plus (+) sign icon to open the Add NSX Edge Appliances popup
window.
Cluster/Datastore placement
1. Select RegionA01-MGMT01 for your Cluster/Resource Pool placement
Configure Deployment
1. Click Next button
Configuring Subnets
1. Next, we will be configuring an IP address for this interface. Click the small green
plus (+) icon.
Monitoring Deployment
To monitor deployment of the Edge Services Gateway:
1. Click on the Installing button while the Edge is still being deployed to see the
progress of the installing steps.
Afterwards, we should see the progress of the Edge deployment.
Repeat the process above to add one more pool member using the following information:
Name: web-02a
IP Address: 172.16.10.12
Port: 443
Monitor Port: 443
Login to OneArm-LoadBalancer-0
1. Login using user: admin and password: VMware1!VMware1!
Start PuTTY
1. Click on the PuTTY shortcut on the Windows Launch Bar.
SSH to web-01a.corp.local
Shutdown HTTPD
We will shut down HTTPD to simulate the first failure condition.
1. Type service httpd stop to shut down HTTPD.
service httpd stop
Loadbalancer console
Type show service loadbalancer pool
Because the service is down, the failure detail shows that the client could not establish
an SSL session.
Shutdown web-01a
Navigate back to the Chrome browser and the vSphere Web Client.
1. In upper right corner search box of vSphere Web Client type "web-01a"
2. Click on web-01a
Because the VM is now down, the failure detail shows that the client could not establish an
L4 connection, as opposed to the L7 (SSL) connection failure in the previous step.
Power web-01a on
Click back to the vSphere Web Client browser tab
1. Click Actions
2. Click Power
3. Click Power On
Conclusion
In this lab we deployed and configured a new Edge Services Gateway and enabled load
balancing services for the 1-Arm LB Customer DB application.
This concludes the Edge Services Gateway Load Balancer lesson. Next, we will learn
more about the Edge Services Gateway Firewall.
Publish Changes
We will not be making permanent changes to the Edge Services Gateway Firewall
setting.
1. Select Revert to roll back changes.
Specify Source
Hover the mouse in the upper right corner of the Source field and select the (+) symbol
1. Click the Object Type drop down menu and select IP Sets
2. Click the New IP Set... hyperlink
3. Type Main Console in the IP Set Name text box
4. Type in the IP address of the Control Center: 192.168.110.10
5. Click OK
Confirm Source
1. Confirm Main Console is in Selected Objects
2. Click OK
Specify Destination
Hover the mouse over the upper right corner of the Destination column and select the (+)
symbol
1. Click the Object Type drop down menu and select Logical Switch
2. Click the Web_Tier_Logical_Switch
3. Click the right arrow to move the Web_Tier_Logical_Switch to Selected Objects
4. Click OK
Configure Action
1. In the upper right corner of the Action column, click the (+) icon
2. Click the Action drop down menu and select Deny
3. Click OK
Publish Changes
1. Click Publish Changes
1. Click the (+) symbol in the upper right corner of the Action column of the Main
Console FW Rule
2. Click the Action drop down menu and select the Accept option
3. Click OK
Publish Changes
1. Click Publish Changes
Publish Changes
1. Click Publish Changes
Conclusion
In this lab we learned how to modify an existing Edge Services Gateway Firewall rule
and how to configure a new Edge Services Gateway Firewall rule that blocks external
access to the Customer DB App.
This concludes the Edge Services Gateway Firewall lesson. Next, we will move on to
learn more about how the Edge Services Gateway can manage DHCP services.
DHCP Relay
In a network with only a single network segment, DHCP clients can communicate directly
with their DHCP server. A DHCP server can also provide IP addresses for multiple
networks, even ones that are not on the same segment as itself. However, when serving up
IP addresses for IP ranges outside its own, it is unable to communicate with those clients
directly, because the clients do not yet have a routable IP address or a gateway that
they are aware of.
In these situations a DHCP Relay agent is required. It relays the broadcast received from
DHCP clients by sending it to the DHCP server as a unicast. The DHCP server selects a
DHCP scope based on the agent address the unicast is coming from, and returns the reply
to that agent address; the agent then broadcasts it back on the original network to the
client.
Areas to be covered in this lab:
Create a new network segment within NSX
Enable the DHCP Relay agent on the new network segment
Use a pre-created DHCP scope on a DHCP server that is on another network segment,
which requires layer 3 communication
Then network boot (PXE) a blank VM via DHCP scope options
In this lab, the following items have been pre-setup:
Windows Server based DHCP Server, with the appropriate DHCP scope and scope
options set
TFTP server for the PXE boot files: this server has been installed, configured and the
OS files loaded.
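The relay exchange described above, as an added example that is not part of the lab manual: a small Python model of the RFC 2131 message flow in which the relay agent stamps its own address into the request (the "agent address" above), the server picks a scope from that address and replies to the agent, and the chosen scope also carries the PXE options 66 and 67 that the VM will use later in this module. The scope table, the relay address 172.16.50.1, the server address and the TFTP values are constructed assumptions, not lab values; only the 172.16.50.0/24 segment and the 172.16.50.10 lease mirror the lab.

```python
"""Added example, not code from the HOL-1703 lab: a minimal model of the DHCP
relay exchange described above, built on the RFC 2131 wire format. The scope
table, relay address, server address and PXE values are constructed; only the
172.16.50.0/24 segment and the 172.16.50.10 lease mirror the lab."""
import ipaddress
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 53, 66, 67, 255
DISCOVER, OFFER = 1, 2
SERVER_IP = "192.0.2.53"    # placeholder for the Windows DHCP server's own address
SCOPES = {                  # constructed stand-in for the scopes defined on that server
    ipaddress.ip_network("192.0.2.0/24"): {"lease": "192.0.2.100", 66: b"", 67: b""},
    ipaddress.ip_network("172.16.50.0/24"): {"lease": "172.16.50.10",
                                             66: b"192.0.2.69",   # placeholder TFTP server
                                             67: b"pxelinux.0"},  # placeholder boot file
}


def _ip(text):
    return ipaddress.ip_address(text).packed


def build_packet(op, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, options=None):
    """Serialise a DHCP message: 236-byte fixed header, magic cookie, TLV options, END."""
    opts = b"".join(struct.pack("BB", code, len(val)) + val
                    for code, val in (options or {}).items())
    header = struct.pack(HEADER_FMT, op, 1, 6, hops, xid, 0, 0x8000, _ip("0.0.0.0"),
                         _ip(yiaddr), _ip("0.0.0.0"), _ip(giaddr), chaddr.ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    return header + MAGIC + opts + bytes([OPT_END])


def parse_packet(data):
    """Decode the fixed header and walk the option TLVs up to the END option."""
    f = struct.unpack(HEADER_FMT, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:            # PAD option carries no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.ip_address(f[8])),
            "giaddr": str(ipaddress.ip_address(f[10])),
            "chaddr": f[11][:f[2]], "options": options}


def relay_to_server(broadcast, agent_ip):
    """Relay agent: stamp giaddr with the address of the interface the broadcast
    arrived on (unless an upstream relay already set it), bump the hop count and
    hand the packet on as a unicast to the server."""
    p = parse_packet(broadcast)
    if p["hops"] >= 16:
        raise ValueError("hop limit exceeded; RFC 2131 says discard")
    giaddr = agent_ip if p["giaddr"] == "0.0.0.0" else p["giaddr"]
    return build_packet(BOOTREQUEST, p["xid"], p["chaddr"], giaddr=giaddr,
                        hops=p["hops"] + 1, options=p["options"])


def select_scope(p):
    """Server-side scope selection: giaddr tells the server which segment the
    client sits on; giaddr 0.0.0.0 means the client is directly connected."""
    key = ipaddress.ip_address(SERVER_IP if p["giaddr"] == "0.0.0.0" else p["giaddr"])
    return next((net for net in SCOPES if key in net), None)


def server_offer(request):
    """Build the OFFER and return (destination, packet). With a relay in the
    path the reply is unicast to giaddr, and the agent rebroadcasts it."""
    p = parse_packet(request)
    net = select_scope(p)
    if net is None:
        return None, None
    scope = SCOPES[net]
    opts = {OPT_MSG_TYPE: bytes([OFFER])}
    if scope[66]:               # PXE scope: hand out boot server and file name
        opts[OPT_TFTP_SERVER], opts[OPT_BOOTFILE] = scope[66], scope[67]
    dst = "255.255.255.255" if p["giaddr"] == "0.0.0.0" else p["giaddr"]
    return dst, build_packet(BOOTREPLY, p["xid"], p["chaddr"], yiaddr=scope["lease"],
                             giaddr=p["giaddr"], hops=p["hops"], options=opts)


def run_exchange(agent_ip="172.16.50.1"):
    """PXE VM -> relay (agent_ip; None models a directly connected client) -> server."""
    mac = b"\x00\x50\x56\x01\x02\x03"                   # constructed client MAC
    discover = build_packet(BOOTREQUEST, 0x3903F326, mac,
                            options={OPT_MSG_TYPE: bytes([DISCOVER])})
    unicast = relay_to_server(discover, agent_ip) if agent_ip else discover
    dst, offer = server_offer(unicast)
    r = parse_packet(offer)
    return {"reply_to": dst, "yiaddr": r["yiaddr"], "hops": r["hops"],
            "tftp": r["options"].get(OPT_TFTP_SERVER, b"").decode(),
            "bootfile": r["options"].get(OPT_BOOTFILE, b"").decode()}
```

Calling run_exchange() with the default relay address yields the 172.16.50.10 lease plus the boot options, delivered to the relay; run_exchange(agent_ip=None) shows the directly connected case, where the server's own segment decides the scope and the reply is broadcast.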
Lab Topology
This diagram lays out the final topology that will be created and used in this lab module.
Add Interface
This section will attach the logical switch to an interface on the Perimeter Gateway.
1. Click Manage
2. Click Settings
3. Click Interfaces
4. Select vnic9
5. Click the Pencil Icon to edit interface
IP Addresses
We can manually specify IP addresses of DHCP servers in this method.
Domain Names
This method allows us to specify a DNS name that could be a single or multiple DHCP
server addresses.
Create New VM
1. Expand RegionA01-COMP01
2. Select esx-02a.corp.local
3. Select Actions drop-down menu
4. Then click New Virtual Machine and New Virtual Machine
Name the VM
1. Name = PXE VM
2. Click Next
Select Host
1. Click Next
Select Storage
Leave this as default
1. Click Next
Select Compatibility
Leave this as default
1. Click Next
Select Guest OS
Leave this as default
1. Select Linux under Guest OS Family
2. Select Other Linux (64-bit) under Guest OS Version
3. Click Next
Complete VM Creation
1. Click Finish.
Power Up VM
Power up the new VM.
1. Click the Play button
Image Booting
This screen will appear once the VM has a DHCP address and is downloading the PXE
image from the boot server. This screen will take about 1-2 mins, please move on to the
next step.
View Leases
We can look to see what address the VM took from the DHCP server.
1. Expand the sections by clicking on the arrows
2. Select Address Leases
3. You will see the address 172.16.50.10 which is in the range we created earlier
View Options
We can also see the scope options used to boot the PXE Image
1. Select Scope Options
2. You will note option 66 & 67 were used
You can now close DHCP.
Access Booted VM
1. Return to the PXE VM console by selecting it from the taskbar.
Verify Connectivity
Because of the dynamic routing already in place with the virtual network, we have
connectivity to the VM upon its creation. We can verify this by pinging it from the Main
Console.
1. Click the Command Prompt Icon in the taskbar.
2. Type ping 172.16.50.10 and press enter.
ping 172.16.50.10
You will then see a ping response from the VM. You can now close this command
window.
Conclusion
In this lab we have completed the creation of a new network segment, then relayed the
DHCP requests from that network to an external DHCP server. In doing so we were able
to access additional boot options of this external DHCP server and PXE into a Linux OS.
This lab is now completed. Next, we will explore Edge Services Gateway L2VPN services.
Configuring L2VPN
In this module we will be utilizing the L2VPN capabilities of the NSX Edge Gateway to
extend an L2 boundary between two separate vSphere clusters. To demonstrate a use
case based on this capability, we will deploy an NSX Edge L2VPN Server on the
RegionA01-MGMT01 cluster and an NSX Edge L2VPN Client on the RegionA01-COMP01
cluster, and finally test the tunnel status to verify a successful configuration.
Click the Green Plus (+) sign to create NSX Edge Appliance.
Set Cluster/Resource Pool: RegionA01-MGMT01.
Set Datastore: RegionA01-ISCSI01-MGMT01 .
Set Host: esx-05a.corp.local.
Set Folder: Discovered virtual machine.
Click the OK button to submit this configuration.
Add Interface
1. Click the Green Plus (+) sign to add interface.
3. Click on the Select link next to the text box for Connected To.
Name: L2VPN-Server-SubInterface
Tunnel Id: 1
Backing Type: Network
Click the Green Plus sign (+) icon.
Enter in 172.16.10.1 in the Primary IP Address field
Enter 24 for the Subnet Prefix Length.
Click the link for Select next to the Connected To.
Add L2VPNServer-Uplink
1. Click OK.
Publish Changes
1. Click the button Publish Changes.
Once complete, all prerequisites have been performed to continue on with configuring
the L2VPN service on this Edge Gateway.
This concludes the configuration for the L2 VPN Server. Next, we will be deploying
another new NSX Edge Gateway which will act as the L2 VPN Client.
Configure Settings
1. Leave default settings and click Next
Ready to Complete
1. Click Finish
Repeat previous steps to configure Trunk-Network-RegionA01-vDS-COMP
NSX Edges
1. Select NSX Edges
Click the Green Plus sign (+) to create NSX Edge Appliance.
Cluster/Resource Pool: RegionA01-COMP01.
Datastore: RegionA01-ISCSI01-COMP01.
Host: esx-03a.corp.local.
Folder: Discovered virtual machine.
Click the OK button to submit this Edge VM placement config.
Name: L2VPN-Client-Uplink
Type: Uplink
Click the Green Plus sign (+) icon to add a new IP address.
Enter 192.168.200.5 for the Primary IP Address.
Enter 24 for the Subnet Prefix Length.
Click on the Select link next to the "Connected To" text box to bring up the list of
networks to choose where this interface will be attached to.
Click Next
1. Click Next
2. Name: L2VPN-Client-SubInterface.
3. Tunnel ID: 1
4. Backing Type: Network
5. Click the Green Plus (+) sign icon.
6. Enter 172.16.10.1 for the Primary IP Address.
7. Enter 24 for the Subnet Prefix Length.
8. Click Select next to the Network text box to bring up the list of networks
available to attach this Sub Interface to.
Click on the VPN sub-tab.
Click on the L2 VPN selection in the left-hand navigational bar.
Click on the radio button for Client in the L2VPN Mode area.
Click on the Change button in the Global Configuration Details area.
2. Click the right-facing arrow to move the object to the Selected Objects list.
3. Click the OK button.
Publish Changes
1. Click Publish Changes.
This concludes the lesson for configuring NSX Edge Services Gateway L2VPN services.
Module 4 Conclusion
This concludes Module 4 - NSX Edge Services Gateway. We hope you have enjoyed the
lab! Please do not forget to fill out the survey when you are finished.
If you are looking for additional information on deploying NSX then review the NSX 6.2
Documentation Center via the URL below:
Go to https://pubs.vmware.com/NSX-62/index.jsp
If you have time remaining, here is a list of the other Modules that are part of this lab,
along with an estimated time to complete each one.
Click on the 'Table of Contents' button to quickly jump to a Module in the Manual
Lab Module List:
Module 1 - Installation Walk Through (30 minutes) - Basic - This module will
walk you through a basic install of NSX including deploying the .ova, configuring
NSX Manager, deploying controllers and preparing hosts.
Module 2 - Logical Switching (30 minutes) - Basic - This module will walk you
through the basics of creating logical switches and attaching virtual machines to
logical switches.
Module 3 - Logical Routing (60 minutes) - Basic - This module will help us
understand some of the routing capabilities supported in the NSX platform and
how to utilize these capabilities while deploying a three tier application.
Module 4 - Edge Services Gateway (60 minutes) - Basic - This module will
demonstrate the capabilities of the Edge Services Gateway and how it can
provide common services such as DHCP, VPN, NAT, Dynamic Routing and Load
Balancing.
Module 5 - Physical to Virtual Bridging (30 minutes) - Basic - This module will
guide us through the configuration of a L2 Bridging instance between a traditional
VLAN and a NSX Logical Switch. There will also be an offline demonstration of
NSX integration with Arista hardware VXLAN-capable switches.
Module 6 - Distributed Firewall (45 minutes) - Basic - This module will cover
the Distributed Firewall and creating firewall rules between a 3-tier application.
Module 5 - Physical to Virtual Bridging (60 minutes)
Native Bridging
NSX provides in-kernel software L2 Bridging capabilities, that allow organizations to
seamlessly connect traditional workloads and legacy VLANs to virtualized networks
using VXLAN. L2 Bridging is widely used in brownfield environments to simplify the
introduction of logical networks, as well as other scenarios that involve physical systems
that require L2 connectivity to virtual machines.
The logical routers can provide L2 bridging from the logical networking space within NSX
to the physical VLAN-backed network. This allows for the creation of a L2 bridge
between a logical switch and a VLAN, which enables the migration of virtual workloads
to physical devices with no impact on IP addresses. A logical network can leverage a
physical L3 gateway and access existing physical networks and security resources by
bridging the logical switch broadcast domain to the VLAN broadcast domain. In NSX-V
6.2, this function has been enhanced by allowing bridged Logical Switches to be
connected to Distributed Logical Routers. This operation was not permitted in previous
versions of NSX.
This module will guide us through the configuration of an L2 Bridging instance between a
traditional VLAN and an NSX Logical Switch.
Introduction
The picture above shows the L2 Bridging enhancements provided in NSX 6.2:
In NSX 6.0 and 6.1, it was not possible to bridge a Logical Switch that was
connected to a Distributed Logical Router: for that scenario it was required to
connect the Logical Switch directly to an Edge Services Gateway.
In NSX 6.2 this configuration is now possible, and allows optimized East-West
traffic flows.
You will now configure NSX L2 Bridging with NSX 6.2 in the newly supported
configuration.
text file is also included for keyboard layouts which do not provide those
characters.
The text file is README.txt and is found on the desktop.
Verify VLAN ID
1. Click on the "Summary" tab
2. Verify that the Port Group is configured on physical VLAN ID 101.
Migrate Web-01a
Select Storage
1. Select the RegionA01-ISCSI01-MGMT01 storage.
2. Click Next.
Select Bridged-Net-RegionA0-vDS-MGMT
1. Select Bridged-Net-RegionA0-vDS-MGMT network.
2. Click OK.
Click Finish
1. Click Finish.
Open VM Console
1. Click on the Summary tab and verify that the VM has a 172.16.10.11 IP address.
2. Click the Launch Remote Console.
Wait until the ping times out: you have verified that the VM is isolated, as there are no
other devices on VLAN 101 and the L2 Bridging is not configured yet.
Click Manage.
Click Settings.
Select Interfaces.
Highlight the Web_Tier.
Delete the Logical Switch from the Perimeter Gateway.
Click OK
Click OK.
Go back to Edges
1. Click Networking & Security back button to go back the Edges.
Click Manage.
Click Settings.
Select interfaces from the left menu.
Click the Green plus sign icon to add the Web-Tier Logical Switch.
Click the Green plus sign icon to configure the subnet primary IP address.
Enter "172.16.10.1" in the Primary IP Address.
Enter "24" in the Subnet Prefix Length.
Click OK.
Publish Changes
To enable the L2 Bridging, click on the Publish Changes button, and wait until
the page refreshes.
Verify L2 Bridging
NSX L2 Bridging has been configured. You will now verify L2 connectivity between the
"web-01a" VM, attached on VLAN 101, and the machines connected to the "Web-Tier-01"
Logical Switch.
The ping is now successful: you have verified connectivity between a VM attached on
VLAN 101 and the Distributed Logical Router that is the default gateway of the network,
through a L2 Bridge provided by NSX!
Note: you might experience "duplicate" pings during this test (responses appearing as
DUPs): this is due to the nature of the Hands-On Labs environment and is not going to
happen in a real scenario.
Publish Changes
1. Click on the "Publish Changes" button to commit the configuration.
Migrate Web-01a
Select Storage
1. Select the RegionA01-ISCSI01-COMP01 storage.
2. Click Next.
Click Finish
Click Finish.
Conclusion
Congratulations, you have successfully completed the NSX L2 Bridging module! In this
module we configured and tested bridging a traditional VLAN-backed PortGroup to
an NSX VXLAN Logical Switch.
Component Overview
Several components are involved in the connection of the hardware gateway to NSX.
They are represented in the figure above.
The NSX controller is responsible for handling the interaction with the hardware
gateway. For this purpose, a connection is established between the NSX controller and a
dedicated piece of software called the Hardware Switch Controller (HSC). The HSC
can be embedded in the hardware gateway or can run as a separate standalone
appliance. The HSC can control one or several hardware gateways. Arista, for example,
leverages the CloudVision platform as a HSC, which acts as a single point of Integration
to NSX for all Arista hardware gateways. The HSC runs an OVSDB (Open vSwitch
Database) server, and the NSX controller connects as an OVSDB client. OVSDB is the
Open vSwitch Database Management Protocol detailed in RFC 7047. It is an open source
project that provides the capability of managing a database remotely.
The NSX controller will push the administrator-configured association between Logical
Switch and Physical Switch/Port/VLAN to the Hardware Gateway via the HSC. The NSX
Controller will also advertise a list of Replication Service Nodes (RSNs) that the
Hardware Gateway will leverage to forward Broadcast, Unknown unicast or Multicast
(BUM) traffic. The NSX Controller will advertise to the HSC the list of Hypervisor VTEPs
relevant to the Logical Switches configured on the Hardware Gateway. The NSX
Controller will also advertise to the HSC the association between the MAC address of the
VMs in the virtual network and the VTEP through which they can be reached.
Note that there can be several NSX controllers in an NSX deployment, providing
redundancy and scale-out. The tasks described above as being performed by the NSX
Controller are in fact shared across all the NSX Controllers in the network. The HSC will
connect to all controllers.
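What the controller-to-HSC OVSDB session described above looks like on the wire, as an added example that is not code from the lab, VMware or Arista. It assumes the Open vSwitch hardware_vtep schema (table and column names such as Physical_Port, Physical_Locator and Ucast_Macs_Remote, which the lab text does not name), and every UUID, MAC and IP address in it is constructed sample data.

```python
"""Added example, not code from the HOL-1703 lab, VMware or Arista: the OVSDB
(RFC 7047) JSON-RPC messages a controller-side client sends to a Hardware
Switch Controller for the two tasks described above. Table and column names
come from the Open vSwitch hardware_vtep schema (an assumption; the lab text
does not name it); every UUID, MAC and IP address is constructed sample data."""
import itertools
import json

_ids = itertools.count(1)


def _request(method, params):
    """Wrap an OVSDB JSON-RPC request; the id lets the client match the reply."""
    return {"method": method, "params": params, "id": next(_ids)}


def bind_port_vlan(port_uuid, vlan, logical_switch_uuid):
    """Push the administrator-configured Logical Switch to switch port/VLAN
    association: one 'mutate' that inserts a key into Physical_Port.vlan_bindings."""
    return _request("transact", ["hardware_vtep", {
        "op": "mutate",
        "table": "Physical_Port",
        "where": [["_uuid", "==", ["uuid", port_uuid]]],
        "mutations": [["vlan_bindings", "insert",
                       ["map", [[vlan, ["uuid", logical_switch_uuid]]]]]],
    }])


def advertise_mac(mac, logical_switch_uuid, vtep_ip):
    """Advertise one VM MAC and the hypervisor VTEP behind which it lives: insert a
    Physical_Locator for the VTEP (a named-uuid so the second operation in the same
    transaction can reference it) plus a Ucast_Macs_Remote row that points at it."""
    return _request("transact", ["hardware_vtep",
        {"op": "insert", "table": "Physical_Locator", "uuid-name": "vtep",
         "row": {"encapsulation_type": "vxlan_over_ipv4", "dst_ip": vtep_ip}},
        {"op": "insert", "table": "Ucast_Macs_Remote",
         "row": {"MAC": mac,
                 "logical_switch": ["uuid", logical_switch_uuid],
                 "locator": ["named-uuid", "vtep"]}},
    ])


def handle_incoming(raw):
    """Client-side dispatch for one inbound message. The OVSDB server sends
    'echo' keepalives and drops clients that do not answer them, so that case
    is handled first; 'update' carries monitor notifications; anything else is
    a reply to one of our requests. Returns (kind, payload)."""
    msg = json.loads(raw)
    if msg.get("method") == "echo":
        return "reply", {"result": msg["params"], "error": None, "id": msg["id"]}
    if msg.get("method") == "update":
        return "update", msg["params"][1]
    return "result", msg


def transact_errors(reply):
    """A transact result is a list with one element per operation; a failed
    operation (or a failed transaction as a whole) carries an 'error' member."""
    if reply.get("error") is not None:
        return [reply["error"]]
    return [r for r in reply["result"] if isinstance(r, dict) and "error" in r]


def demo():
    """Build both messages and check a constructed reply for per-operation errors."""
    ls = "5f8d2b3a-0000-4000-8000-000000000001"    # constructed Logical_Switch row
    port = "5f8d2b3a-0000-4000-8000-000000000002"  # constructed Physical_Port row
    msgs = [bind_port_vlan(port, 101, ls),
            advertise_mac("00:50:56:01:02:03", ls, "192.168.130.51")]
    # constructed reply to msgs[1]: the locator insert succeeded, the MAC insert failed
    reply = json.dumps({"id": msgs[1]["id"], "error": None, "result": [
        {"uuid": ["uuid", "5f8d2b3a-0000-4000-8000-000000000003"]},
        {"error": "constraint violation", "details": "duplicate MAC for logical switch"}]})
    kind, payload = handle_incoming(reply)
    errors = transact_errors(payload) if kind == "result" else []
    return msgs, errors
```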
Note: for even smaller configurations, a single rack can be used to provide
connectivity for the edge and management cluster. The key concept is that the edge
cluster configuration is localized to a ToR pair to reduce the span of layer-2
requirements; this also helps localize the egress routing configuration to a pair of ToR
switches. The localization of edge components also allows flexibility in selecting the
appropriate hardware (CPU, memory and NIC) and features based on network-centric
functionalities such as firewall, NetFlow, NAT and ECMP routing.
routing adjacencies with the next-hop L3 devices. The figure above depicts two types of
uplink connectivity from the host containing the edge ECMP VM.
Conclusion
The VMware network virtualization solution addresses current challenges with physical
network and computing infrastructure, bringing flexibility, agility and scale to
VXLAN-based logical networks. Along with the ability to create on-demand logical networks
using VXLAN, the NSX Edge gateway helps users deploy various logical network services
such as firewall, DHCP or NAT. This is possible due to its ability to decouple the virtual
network from the physical network and then reproduce the properties and services in
the virtual environment.
In conclusion, Arista and VMware are delivering the industrys first scalable best-ofbreed solution for network virtualization in the Software Defined Data Center. Cloud
providers, enterprises and web customers will be able to drastically speed business
services, mitigate operational complexity, and reduce costs. All of this is available now
HOL-1703-SDC-1
Page 435
HOL-1703-SDC-1
from a fully automated and programmatic SDDC solution that bridges the virtual and
physical infrastructure.
Module 5 Conclusion
In this module we showed the capability of NSX to bridge VLAN networks into VXLAN
logical networks. We performed the configuration of a Bridge within the NSX Distributed
Logical Router, to map a VLAN to VXLAN. We also performed a migration of a VM from a
Logical Switch to a VLAN-backed dvPortGroup to simulate the communication between
VMs. And last, we clicked through an offline demo of NSX integration with an Arista
Hardware VTEP to show the extension of a L2 Gateway into a hardware switch.
Module 6 - Distributed Firewall (45 minutes)
Start the module from your desktop. The desktop is your Control center jumpbox in
the virtual environment. From this desktop you will access the vCenter Server
Appliance deployed in your virtual datacenter.
Special Note: On the desktop you will find a file named README.txt. It
contains the CLI commands needed in the lab exercises. If you cannot type
them, you can copy and paste them into the PuTTY sessions. A number in
curly braces, such as {1}, tells you to look for that numbered CLI
command for this module in the text file.
Open Installation
1. First click on Installation.
2. Click on the Host Preparation tab. The table will show the clusters in the
virtual datacenter.
You will see the Firewall is enabled for each cluster.
NSX is installed at the cluster level: installation, removal and updates are all
defined per cluster. If a new physical host is later added to the cluster, NSX is
installed on it automatically. Networking and security policy therefore follow the
cluster, and a VM can never be migrated to a host that lacks NSX (and so lacks
Distributed Firewall enforcement).
ping -c 2 172.16.30.11
(Note: You might see DUP! at the end of a Ping line. This is due to the nature of the
virtual lab environment using nested virtualization and promiscuous mode on the virtual
routers. You will not see this in production.)
Pull down the Object Type and scroll down until you find Security Group.
Click on Web-tier.
Click on the top arrow to move the object to the right.
Click OK.
Set Service
1. Hover and Click the pencil in the Service Field.
Set Destination
1. Hover and Click the pencil in the Destination Column.
Set Service
1. Hover and Click the pencil in the Service Column.
Click OK
1. Click OK.
2. Ping app-01a.
ping -c 2 172.16.20.11
3. Ping db-01a.
ping -c 2 172.16.30.11
Both pings fail because none of your rules allow ICMP between tiers (or between
members of a tier). With the Default Rule set to Block, any traffic that is not
explicitly allowed by an earlier rule, ICMP included, is dropped.
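The following is an added example, not code from the lab or from VMware: a small Python model of how the DFW rule table you just built is evaluated. Rules are matched top-down, first match wins, sources and destinations are Security Groups (sets of VM names, not IP addresses), and the final Default Rule catches everything else. The group memberships, the allowed services (443, 8443, 3306) and the VM name web-01a are assumptions for illustration; the page does not list the lab's actual services. The example goes slightly beyond the lab by also showing that adding a VM to a Security Group changes what it may reach without touching any rule.

```python
"""
Toy model of NSX Distributed Firewall (DFW) rule evaluation.

Constructed example (not the lab's own rule set): rules are evaluated
top-down, first match wins, and a trailing Default Rule decides every
flow that no earlier rule matched. Sources and destinations are Security
Groups rather than IPs, so policy follows group membership.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ANY = "any"


@dataclass(frozen=True)
class Service:
    proto: str                  # "tcp", "udp", "icmp" or ANY
    port: Optional[int] = None  # destination port; None for icmp/any


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # Security Group name or ANY
    dst: str        # Security Group name or ANY
    service: Service
    action: str     # "allow" or "block"


# Security Group membership (assumed; mirrors the lab's three tiers).
GROUPS: Dict[str, Set[str]] = {
    "Web-tier": {"web-01a", "web-02a"},
    "App-tier": {"app-01a"},
    "DB-tier": {"db-01a"},
}

# Assumed 3-tier policy. Note there is no ICMP rule anywhere, so pings
# between tiers fall through to the blocking Default Rule.
RULES = [
    Rule("Any to Web", ANY, "Web-tier", Service("tcp", 443), "allow"),
    Rule("Web to App", "Web-tier", "App-tier", Service("tcp", 8443), "allow"),
    Rule("App to DB", "App-tier", "DB-tier", Service("tcp", 3306), "allow"),
    Rule("Default Rule", ANY, ANY, Service(ANY), "block"),
]


def in_group(vm: str, group: str) -> bool:
    """ANY matches every VM; otherwise the VM must be a group member."""
    return group == ANY or vm in GROUPS.get(group, set())


def service_matches(svc: Service, proto: str, port: Optional[int]) -> bool:
    if svc.proto == ANY:
        return True
    if svc.proto != proto:
        return False
    return svc.port is None or svc.port == port


def evaluate(src_vm: str, dst_vm: str, proto: str,
             port: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching rule name) for a flow; first match wins."""
    for rule in RULES:
        if (in_group(src_vm, rule.src) and in_group(dst_vm, rule.dst)
                and service_matches(rule.service, proto, port)):
            return rule.action, rule.name
    # Only reachable if someone deletes the Default Rule: fail closed.
    return "block", "implicit-deny"


def add_member(vm: str, group: str) -> None:
    """Micro-segmentation in one line: membership, not rules, changes."""
    GROUPS.setdefault(group, set()).add(vm)


def lab_ping_check() -> Dict[str, Tuple[str, str]]:
    """Reproduce the two failed pings from web-01a (assumed source VM)."""
    return {dst: evaluate("web-01a", dst, "icmp") for dst in ("app-01a", "db-01a")}


if __name__ == "__main__":
    for dst, (action, rule) in lab_ping_check().items():
        print(f"web-01a -> {dst} icmp: {action} (matched '{rule}')")
    print("web-01a -> app-01a tcp/8443:", evaluate("web-01a", "app-01a", "tcp", 8443))
```

Two caveats the toy model leaves out: the real DFW is stateful, so reply packets of an allowed TCP session are admitted without a reverse rule, and the real engine runs in each host's vmkernel at the vNIC, so a VM's policy travels with it on vMotion.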
Module 6 Conclusion
In this module we used the Distributed Firewall (DFW) feature within NSX to provide
security policies for a typical 3-tier application. The module illustrates how a small
set of rules, written against Security Groups rather than individual addresses, can be
applied to a large number of VMs. With micro-segmentation we can secure thousands of
VMs in our environments with very little administrative intervention.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-1703-SDC-1
Version: 20160906-074559