VMware NSX:
Install, Configure, Manage
NSX 6.2
Part Number EDU-EN-NICM62-LAB
Lab Manual
Copyright/Trademark
Copyright 2015 VMware, Inc. All rights reserved. This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at http://www.vmware.com/go/
patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States
and/or other jurisdictions. All other marks and names mentioned herein may be trademarks
of their respective companies.
The training material is provided as is, and all express or implied conditions,
representations, and warranties, including any implied warranty of merchantability, fitness for
a particular purpose or noninfringement, are disclaimed, even if VMware, Inc., has been
advised of the possibility of such claims. This training material is designed to support an
instructor-led training course and is intended to be used for reference purposes in
conjunction with the instructor-led training course. The training material is not a standalone
training tool. Use of the training material for self-study without class attendance is not
recommended.
These materials and the computer programs to which they relate are the property of, and
embody trade secrets and confidential information proprietary to, VMware, Inc., and may not
be reproduced, copied, disclosed, transferred, adapted or modified without the express
written approval of VMware, Inc.
Technical review: Chris McCain, Rob Nendel
Technical editing: James Brook, Shalini Pallat
Production and publishing: Rhonda Jones, Saiesh Jaganath
The courseware for VMware instructor-led training relies on materials developed by the
VMware Technical Communications writers who produce the core technical documentation,
available at http://www.vmware.com/support/pubs.
www.vmware.com/education
Lab 1
NTP Server setting is the RRAS server. This server runs all the infrastructure services for
the lab environment.
Syslog Server is the IP address of the RRAS server.
Locale is en-US.
6. In the left pane, select Network and verify the values.
7. In the left pane, select NSX Management Service under Components and verify that the
Task 3: Verify That the vSphere Web Client Plug-In for NSX Manager Is Installed
In your lab environment, the VMware vSphere Web Client Plug-in for NSX Manager is
preinstalled and ready for use. You verify that the plug-in is installed and that your NSX
Manager instance is registered with it.
Use the following information from the class configuration handout:
Your vCenter Server administrator login account
NSX Manager IPv4 address
1. In the Internet Explorer window, click the vSphere Web Client bookmark and click Continue
password VMware1!.
3. Wait for the initial authentication to complete.
4. In the vSphere Web Client, point to the Home icon at the top and select Networking &
Security.
5. In the navigation pane on the left, review the list of VMware NSX features and select NSX
Managers.
6. In the middle pane, verify that your NSX Manager instance appears in the Objects list.
The IP address of the NSX Manager instance should match the NSX Manager IPv4 address.
If your NSX Manager instance does not appear in the Objects list, you must ask your instructor
for help.
Task 4: License vCenter Server, the ESXi Hosts, and NSX Manager
You license the vCenter Server system, the VMware ESXi hosts, and NSX Manager. Your
instructor provides the necessary licenses.
Use the following information from the class configuration handout:
Your ESXi hosts
1. Point to the Home icon at the top and click Administration.
2. In the left pane, click Licenses.
3. Assign a vCenter Server license key to the vCenter Server instance.
a. In the middle pane, click the Assets tab.
b. Click the vCenter Server Systems tab.
c. With your vCenter Server instance selected, click All Actions and select Assign License.
d. In the Assign License Key panel, click the plus sign to add the key.
e. In the License key text box, enter or paste the vCenter Server license key provided by the
d. Click All Actions and select the Assign License Key link.
e. In the Assign License Key panel, click the plus sign to add the key.
f. In the License key text box, enter or paste the vSphere Enterprise 6 license key provided
You can also connect each host individually from the vCenter > Hosts and Clusters
inventory panel.
5. Assign a VMware NSX for vSphere license.
a. In the middle pane, click the Solutions tab.
b. Select the NSX for vSphere solution.
c. Click All Actions and select Assign License.
d. In the Assign License Key panel, click the plus sign.
e. In the License key text box, enter or paste the NSX for vSphere license key provided by
Lab 2
student desktop.
2. If you are not logged in to the vSphere Web Client, click the vSphere Web Client -
instance.
a. Select the VMware NSX Manager IPv4 address from the NSX Manager drop-down
menu.
b. Select your data center from the Datacenter drop-down menu.
c. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
drop-down menu.
h. Click Management and click OK.
i. Click Select in the IP Pool row.
j. Click the New IP Pool link at the bottom of the Select IP Pool dialog box.
k. In the Add Static IP Pool dialog box, add a new pool.
Option            Action
Name              Controller-Pool
Gateway
Prefix Length
Primary DNS       Leave blank.
Secondary DNS     Leave blank.
DNS Suffix        Leave blank.
Static IP Pool
l. Click OK.
m. Select Controller-Pool in the Select IP Pool dialog box and click OK.
n. In the Add Controller dialog box, enter VMware1!VMware1! in the Password and
If necessary, use the horizontal scroll bar to uncover the Status column.
Monitor the deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.
d. Click OK.
first node.
show control-cluster status
9. Review the command output.
Q7. How many enabled and activated roles are listed?
7. 5
Q8. Can VMware NSX Controller be safely restarted?
8. Yes
10. Run the following command to determine the startup nodes in the cluster and review the
command output.
show control-cluster startup-nodes
11. Run the following command to review a detailed cluster role report.
Management tab.
4. In the Add Controller dialog box, configure and deploy the second VMware NSX Controller
instance.
a. Select your NSX Manager IPv4 address from the NSX Manager drop-down menu.
b. Select your data center from the Datacenter drop-down menu.
c. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
d. Select your datastore from the Datastore drop-down menu.
e. Leave the host and folder selection blank.
f. Click Connected To > Select.
g. In the Select Network dialog box, click Distributed Portgroup from the Object Type
drop-down menu.
h. Click Management and click OK.
i. Click Select in the IP Pool row.
j. Select Controller-Pool and click OK.
NOTE
You do not need to configure the password. The password is configured for the first VMware
NSX Controller node. The password is common across all the VMware NSX Controller cluster
nodes.
k. Click OK.
If necessary, use the horizontal scroll bar to uncover the Status column.
Monitor the second node deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.
instance.
The VMware NSX Controller name starts with NSX_Controller_.
5. In the middle pane, review the Summary tab report.
Q1. What is the power status of the VMware NSX Controller instance?
1. Powered-on, based on the activated Play icon.
Q2. How many vCPUs does the VMware NSX Controller instance have?
2. 2
Q3. How much total memory does the VMware NSX Controller instance have?
3. 2048 MB
Q4. How large is the VMware NSX Controller hard disk?
4. 20 GB
Q5. What port group is the VMware NSX Controller instance connected to?
5. Management
Q6. What is the IP address of the VMware NSX Controller instance?
6. IP address assigned from the Controller-Pool created earlier.
7. Use MTPuTTY to establish an SSH connection to the second VMware NSX Controller
instance.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. Select Server in the top-left corner and click Add Server.
c. In the Properties window, enter the IP address from step 5 in the Server Name field and
session.
f. If prompted to confirm a PuTTY security alert, click Yes. The alert is the SSH host-key
prompt: the key of this controller is not yet cached on the student desktop, so accepting it on
the first connection is expected.
g. Log in as admin and enter the password VMware1!VMware1!.
8. In the MTPuTTY window, run the following command to determine the cluster status as seen
from the second node.
show control-cluster status
9. Review the command output.
Q7. How many enabled and activated roles are listed?
7. 5
Q8. Can the VMware NSX Controller instance be safely restarted?
8. Yes
10. Run the following command to determine the startup nodes in the cluster and review the
command output.
show control-cluster startup-nodes
11. Run the following command to review a detailed cluster role report.
You configure and deploy the third VMware NSX Controller instance.
Use the following information from the class configuration handout:
NSX Manager IPv4 address
Data center
Datastore
1. Point to the Home icon and select Networking & Security.
2. In the left navigation pane, select Installation,
3. In the middle pane, click the green plus sign in the NSX Controller nodes panel on the
Management tab.
4. In the Add Controller dialog box, configure and deploy the third VMware NSX Controller
instance.
a. Select your NSX Manager IPv4 address from the NSX Manager drop-down menu.
b. Select your data center from the Datacenter drop-down menu.
c. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
d. Select your datastore from the Datastore drop-down menu.
e. Leave the host and folder selection blank.
f. Click Connected To > Select.
g. In the Select Network dialog box, select Distributed Port Group from the Object Type
drop-down menu.
h. Click Management and click OK.
i. Click Select in the IP Pool row, select Controller-Pool, and click OK
j. Click OK.
5. Monitor the VMware NSX Controller deployment to completion.
If necessary, use the horizontal scroll bar to uncover the Status column.
Monitor the third node deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.
instance.
The VMware NSX Controller name starts with NSX_Controller_.
5. In the middle pane, review the Summary tab report.
Q1. What is the power status of the VMware NSX Controller instance?
1. Powered-on, based on the activated Play icon.
Q2. How many vCPUs does the VMware NSX Controller instance have?
2. 2
Q3. How much total memory does the VMware NSX Controller instance have?
3. 2048 MB
Q4. How large is the VMware NSX Controller hard disk?
4. 20 GB
Q5. What port group is the VMware NSX Controller instance connected to?
5. Management
Q6. What is the IP address of the VMware NSX Controller instance?
6. IP address assigned from the Controller-Pool created earlier.
third node.
show control-cluster status
9. Review the command output.
Q7. How many enabled and activated roles are listed?
7. 5
Q8. Can the VMware NSX Controller instance be safely restarted?
8. Yes
10. Run the following command to determine the startup nodes in the cluster, and review the
command output.
show control-cluster startup-nodes
11. Run the following command to review a detailed cluster role report.
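The show control-cluster status output reviewed above for each of the three nodes answers Q7 and Q8 by eye. The following Python script is an added example, not part of this manual or of VMware's tooling: it parses that output and reports anything that should stop you from restarting a node. The sample text is constructed to resemble the NSX 6.2 controller CLI layout (column widths, timestamps and IDs are assumptions), and the five role names are the ones NSX 6.x controllers report, assumed here because the lab only states their count.

```python
"""Check an NSX Controller node from its 'show control-cluster status' output.

Added example for this lab, not VMware code. SAMPLE_STATUS is constructed to
resemble the NSX 6.2 controller CLI layout; column widths, timestamps and IDs
are assumptions, so adjust the regular expressions if your output differs.
"""
import re

# Constructed sample (not captured from a real controller): a healthy node.
SAMPLE_STATUS = """\
Type                Status                                       Since
--------------------------------------------------------------------------------
Join status:        Join complete                                08/25 10:12:03
Majority status:    Connected to cluster majority                08/25 10:12:05
Restart status:     This controller can be safely restarted      08/25 10:12:05
Cluster ID:         3b3f0d9a-0000-4000-8000-000000000001
Node UUID:          9d1c2f6e-0000-4000-8000-000000000002

Role                Configured status   Active status
--------------------------------------------------------------------------------
api_provider        enabled             activated
persistence_server  enabled             activated
switch_manager      enabled             activated
logical_manager     enabled             activated
directory_server    enabled             activated
"""

# The five roles an NSX 6.x controller reports (assumed; the lab only states the count).
EXPECTED_ROLES = ("api_provider", "persistence_server", "switch_manager",
                  "logical_manager", "directory_server")

# 'Key:  value   <timestamp>' rows; the value ends where two or more spaces begin.
_STATUS_ROW = re.compile(r"^(Join status|Majority status|Restart status):\s+(.+?)(?:\s{2,}\S.*)?$")
# 'role  configured  active' rows of the role table.
_ROLE_ROW = re.compile(r"^([a-z_]+)\s+(\S+)\s+(\S+)$")


def parse_control_cluster_status(text):
    """Return join/majority status, whether a restart is safe, and the role table."""
    status = {"join_status": None, "majority_status": None,
              "restart_safe": None, "roles": {}}
    in_roles = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank line or dashed separator
        if line.startswith("Role"):
            in_roles = True               # header of the role table
            continue
        if in_roles:
            m = _ROLE_ROW.match(line)
            if m:
                status["roles"][m.group(1)] = (m.group(2), m.group(3))
            continue
        m = _STATUS_ROW.match(line)
        if not m:
            continue                      # 'Type' header, Cluster ID, Node UUID
        key, value = m.group(1), m.group(2).strip()
        if key == "Join status":
            status["join_status"] = value
        elif key == "Majority status":
            status["majority_status"] = value
        else:
            status["restart_safe"] = value.startswith("This controller can be safely restarted")
    return status


def node_problems(status, expected_roles=EXPECTED_ROLES):
    """List what keeps this node from being healthy; an empty list means all
    expected roles are enabled and activated and the node can be restarted."""
    problems = []
    if status["join_status"] != "Join complete":
        problems.append(f"join status is {status['join_status']!r}")
    if not (status["majority_status"] or "").startswith("Connected to cluster majority"):
        problems.append(f"majority status is {status['majority_status']!r}")
    if not status["restart_safe"]:
        problems.append("controller reports that it cannot be safely restarted")
    for role in expected_roles:
        configured, active = status["roles"].get(role, ("missing", "missing"))
        if (configured, active) != ("enabled", "activated"):
            problems.append(f"role {role}: configured={configured}, active={active}")
    unexpected = sorted(set(status["roles"]) - set(expected_roles))
    if unexpected:
        problems.append("unexpected roles: " + ", ".join(unexpected))
    return problems


if __name__ == "__main__":
    parsed = parse_control_cluster_status(SAMPLE_STATUS)
    print(f"{len(parsed['roles'])} roles listed, restart safe: {parsed['restart_safe']}")
    for problem in node_problems(parsed) or ["node healthy"]:
        print(" -", problem)
```

To use it against a live cluster, capture the command output over SSH from each node in turn (for example with paramiko, which is an assumption and not part of the block) and feed the text to parse_control_cluster_status; only restart a node when node_problems returns an empty list for it, because the Restart status line reflects whether the cluster majority survives that node going away.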
You must select Networking and not Networking & Security to prepare for the next lab.
Lab 2 Configuring and Deploying a VMware NSX Controller Cluster
Lab 3
student desktop.
2. If you are not logged in to the vSphere Web Client, click the vSphere Web Client -
ESXi hosts.
b. Expand Uplink2 and verify that vmnic1 is attached to the uplink.
c. Expand Uplink3 and verify that vmnic2 is attached to the uplink.
6. In the middle pane on the left, click the Properties link and verify the settings.
In the New Distributed Switch dialog box, enter dvs-your_name in the Name text box and
click Next.
3. Under Select Version, leave Distributed switch: 6.0.0 selected and click Next.
4. Under Edit Settings, edit the distributed switch settings.
a. Change the number of uplinks to 2.
b. Leave Network I/O Control enabled.
c. Deselect the Create a default port group check box and click Next.
5. Under Ready to complete, review the configuration and click Finish.
6. Create a port group on the new distributed switch.
a. Select your new distributed switch in the Networking inventory tree, click Actions, and
Next.
c. On the Configure settings page, view the default settings and click Next.
d. On the Ready to complete page, click Finish.
A new port group called dvpg1 appears in the Networking inventory tree under your new
distributed switch.
You must not select any physical adapters because all adapters are attached to an existing
switch and you are creating the new switch for practice.
h. Under Analyze impact, click Next.
i. Under Ready to complete, click Finish.
Lab 4
student desktop.
2. If you are logged out of the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account
The installation status changes from Installing to a green check mark and the VXLAN column
contains an active Not Configured link.
Option            Action
Name
Gateway
Prefix Length
Primary DNS       Leave blank.
Secondary DNS     Leave blank.
DNS Suffix        Leave blank.
Static IP Pool
g. Click OK.
h. Leave VMKNic Teaming Policy as Fail Over and click OK.
2. Wait for the update to complete and determine if an error message appears in the VXLAN
menu.
e. Leave VMKNic Teaming Policy as Fail Over and click OK.
6. Wait for the update to complete and click the vSphere Web Client Refresh icon.
7. Verify that the Management and Edge cluster VXLAN status is Configured with a green check
mark.
If the VXLAN status is not Configured, wait and refresh again until the status changes.
8. Click the Logical Network Preparation tab and verify that VXLAN Transport is selected.
9. In the Clusters and Hosts list, expand each cluster.
10. For each host, confirm that the host has a vmk# interface.
Q1. What is the number of VTEPs on each host?
1. One
Q2. Which switch is each host's VMkernel NIC (VTEP) connected to?
2. vds-Datacenter
Option
Action
Segment ID Pool
3. Click OK.
zone.
Option
Action
Name
3. Click OK.
4. Wait for the update to complete and verify that Local Transport Zone appears in the transport
Lab 5
Objective: Create and test logical switches for the WebTier, App-Tier, and DB-Tier transport networks
student desktop.
2. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your-
Normal.
4. Click the green plus sign to open the New Logical Switch dialog box and configure the
Web-Tier switch.
a. Enter Web-Tier in the Name text box.
b. For Transport Zone, click Change and select Local Transport Zone.
c. Click OK.
d. Click OK.
5. Wait for the update to complete and verify that Web-Tier appears with a status of Normal.
6. Click the green plus sign to create a logical switch.
7. In the New Logical Switch dialog box, configure the App-Tier switch.
a. Enter App-Tier in the Name text box.
b. For Transport Zone, click Change and select Local Transport Zone.
c. Click OK.
d. Click OK.
8. Wait for the update to complete and verify that App-Tier appears with a status of Normal.
9. Click the green plus sign to create a logical switch.
10. In the New Logical Switch dialog box, configure the DB-Tier switch.
a. Enter DB-Tier in the Name text box.
b. For Transport Zone, click Change and select Local Transport Zone.
c. Click OK.
d. Click OK.
11. Wait for the update to complete and verify that DB-Tier appears with a status of Normal.
You must click the vSphere Networking icon. You must not click the VMware NSX
Networking and Security icon.
2. Expand the Networking inventory tree.
3. Click the vSphere Web Client Refresh icon.
4. Drag the pane divider to the right to expand the horizontal size of the inventory pane so that the
Transit-Network
Web-Tier
App-Tier
DB-Tier
Lab 5 Configuring Logical Switch Networks
6. If the specified port groups do not appear in the vds-Datacenter inventory, refresh the vSphere
8. At the top of the left inventory pane, click the Networking & Security back arrow.
9. In the Logical Switches list, select the App-Tier logical switch.
10. Click Actions and select Add VM.
11. In the Add Virtual Machines dialog box, migrate the app virtual machine to the App-Tier logical
switch.
a. In the Available Objects list, select app-sv-01a.
b. Click the right arrow.
c. Click Next.
d. In the Select vNICs list, select the Network Adapter 1 (VM Network) check box for
app-sv-01a.
e. Click Next.
f. Click Finish.
12. In the Logical Switches list, select the DB-Tier logical switch.
switch.
a. In the Available Objects list, select db-sv-01a.
b. Click the right arrow.
c. Click Next.
d. In the Select vNICs list, select the Network Adapter 1 (VM Network) check box for
db-sv-01a.
e. Click Next.
f. Click Finish.
The following virtual machines are found in the Discovered virtual machine folder:
web-sv-01a
web-sv-02a
app-sv-01a
db-sv-01a
3. Power on each virtual machine.
a. Select the virtual machine in the inventory.
b. Select Power On from the Actions drop-down menu.
4. Record the IP address assigned to each of the virtual machines.
It might take a minute for the console window to initialize. Point to the console window,
wait until the mouse pointer becomes a hand icon, click anywhere inside the console
window, and press Enter.
c. Log in as root and enter the password VMware1!.
d. At the command prompt, run the following command to query the ARP cache.
arp -an
Q1. Did the command return any entries?
1. No
e. At the command prompt, run the following command to ping the web-sv-02a virtual
machine.
ping ip_address
ip_address is the web-sv-02a IP address recorded in step 4.
Q2. Did the ping command receive replies from the web-sv-02a virtual machine?
2. Yes
arp -an
Q3. Did the command return any entries?
3. Yes, the web-sv-02a virtual machine.
h. At the command prompt, run the following command to ping the app-sv-01a virtual
machine.
ping ip_address
ip_address is the app-sv-01a IP address recorded in step 4.
Q4. Did the ping command receive replies from the app-sv-01a virtual machine?
4. No
machine.
ping ip_address
ip_address is the db-sv-01a IP address recorded in step 4.
Q5. Did the ping command receive replies from the db-sv-01a virtual machine?
5. No
m. In the Internet Explorer window, press Ctrl+Alt to release the mouse cursor.
n. Leave the web-sv-01a console tab open for the remainder of the class.
o. In the Internet Explorer window, click the vSphere Web Client - your_site_name tab.
6. Use the Command Prompt window to test connectivity from the desktop.
a. Minimize the Internet Explorer window.
virtual machine.
ping ip_address
ip_address is the web-sv-01a IP address recorded in step 4.
Q7. Did the ping command receive replies from the web-sv-01a virtual machine?
7. No
Q8. If no ICMP replies were received, why?
8. No router has been deployed yet. Just as there is no East-West routing between the tier
logical switches, there is no North-South routing between the Management network and the
logical switch networks.
d. Leave the Command Prompt window open for the remainder of the class.
7. Test connectivity between the VTEPs of the ESXi hosts.
You test connectivity between two ESXi hosts, but you can perform the same test to validate
VTEP connectivity between all the hosts.
a. Restore the Internet Explorer window.
b. Point to the vSphere Web Client Home icon and select Networking & Security.
c. In the left navigation pane, select Installation.
d. In the center pane, select Logical Network Preparation and click VXLAN Transport.
e. Expand both the clusters and make a note of vmk2 IP address for esxi-your_site_name-
IP_address_of_esxi-your_site_name-05_vmk2_from-step_7e command.
The ping command should be successful: the VTEPs on the ESXi hosts can communicate
with each other and the physical network is configured to carry VXLAN frames. A default-size
ping only proves reachability. VXLAN adds 50 bytes of encapsulation to every frame, so the
physical path MTU must also be verified (for example, with a large ping that has the
don't-fragment bit set) before logical switch traffic can be trusted to pass between hosts.
i. Click X to close the PuTTY session.
j. Minimize MTPuTTY.
k. Restore Internet Explorer window on the student desktop.
Lab 6
student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client -
tab.
a. Point to the vSphere Web Client Home icon and click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
dialog box.
a. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
Configuration.
12. In the Connect NSX Edge to a Network dialog box, click Distributed Portgroup.
13. Click Management and click OK.
14. Under Configure Interfaces of this NSX Edge, click the green plus sign to open the Add
Interface dialog box and configure the first of the four interfaces.
a. Enter Transit-Network in the Name text box.
b. For Type, leave Uplink selected.
c. Click the Connected To > Select link.
d. Click Transit-Network and click OK.
e. Click the green plus sign under Configure Subnets.
f. Enter the IP address for Transit-Network LIF in the Primary IP Address text box.
Lab 6 Configuring and Deploying an NSX Distributed Router
Interface dialog box and configure the third of the four interfaces.
a. Enter App-Tier in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click App-Tier and click OK.
e. Click the green plus sign under Configure Subnets.
f. Enter the IP address for App-Tier Interface LIF in the IP Address text box.
g. Enter 24 in the Subnet prefix length text box.
h. Leave all other settings at default value and click OK.
17. Under Configure Interfaces of this NSX Edge, click the green plus sign to open the Add
Name             IP Address     Subnet Prefix Length   Connected To
Transit-Network  From Handout   27                     Transit-Network
Web-Tier         From Handout   24                     Web-Tier
App-Tier         From Handout   24                     App-Tier
DB-Tier          From Handout   24                     DB-Tier
19. If an entry is not configured correctly, select the entry and click the pencil icon to edit the entry.
20. Click Next.
21. On the Default gateway settings page, deselect Configure Default Gateway and click Next.
22. On the Ready to complete page, review the configuration report and click Finish.
23. Above the edge list, monitor the deployment to completion.
8. Point to the vSphere Web Client Home icon and click Hosts and Clusters.
9. Expand the inventory tree so that all the inventory for each cluster appears.
10. In the inventory tree, find and select the Distributed Router - your_site_name virtual machine
The Distributed Router item name starts with the text Distributed Router and appears in the
Management and Edge cluster.
Q3. How many vCPUs does the virtual machine have?
3. 1
Q4. How much memory does the virtual machine have?
4. 512 MB
Q5. How large is the hard disk?
5. 500 MB
Q6. How many network adapters are connected to port groups?
6. 2.
b. At the command prompt, run the following command to ping the web-sv-02a virtual
machine.
ping ip_address
ip_address is the web-sv-02a IP address recorded in step 2.
Q1. Did the ping command receive replies from the web-sv-02a virtual machine?
1. Yes
machine.
ping ip_address
ip_address is the app-sv-01a IP address recorded in step 2.
Q2. Did the ping command receive replies from the app-sv-01a virtual machine?
2. Yes
machine.
ping ip_address
i. At the command prompt, run the following command to query the ARP cache.
arp -an
Q5. Did the command return any entries?
5. Yes, the other node on the Web-Tier network and the router interface.
j. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
4. Use a Command Prompt window to test connectivity from the student desktop system.
a. Minimize the Internet Explorer window.
b. In the Command Prompt window, run the following command to ping the web-sv-01a
virtual machine.
ping ip_address
ip_address is the web-sv-01a IP address recorded in step 2.
Q6. Did the ping command receive replies from the web-sv-01a virtual machine?
6. No
c. In the Command Prompt window, run the following command to ping the web-sv-02a
virtual machine.
ping ip_address
ip_address is the web-sv-02a IP address recorded in step 2.
Q7. Did the ping command receive replies from the web-sv-02a virtual machine?
7. No
Q8. If no ICMP replies were received during the preceding tests, why?
8. North-South routing between the Management network and the logical switch networks has
not yet been established.
Task 5: Use the VMware NSX Controller CLI Commands to Verify the Distributed Router Deployment
You log in to the VMware NSX Controller instance that owns the VNI slice and examine logical
switch tables.
1. On the student desktop, double-click the MTPuTTY shortcut.
2. In the MTPuTTY window, connect to any of the VMware NSX Controller nodes by double-
clicking on the IP address of one of the VMware NSX Controller nodes added earlier.
a. If you are prompted to confirm a PuTTY security alert, click Yes.
b. Log in as admin and enter the password VMware1!VMware1!.
3. At the command prompt, run the following command to determine which VMware NSX
4. If you are not connected to the VMware NSX Controller instance that owns the slice, configure
the connection.
a. Record the IP address of the VMware NSX Controller instance that owns the slice.
__________
b. Double-click the IP address of the VMware NSX Controller node recorded in step a.
c. If you are prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
5. At the command prompt, run the following commands and review the command output.
2. Point to the vSphere Web Client Home icon and click Networking & Security.
3. In the Internet Explorer window, leave the following tabs open.
Lab 7
Lab 7 Deploying an NSX Edge Services Gateway and Configuring Static Routing
student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client -
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. Point to the vSphere Web Client Home icon and click the VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
dialog box.
a. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
b. Select your datastore from the Datastore drop-down menu.
c. Leave all other fields at default value and click OK.
11. Click Next.
12. On the Configure Interfaces page, click the green plus sign to open the Add NSX Edge
Interface dialog box and configure the first of the two interfaces.
13. Click the green plus sign to open the Add NSX Edge Interface dialog box and configure the
second interface.
a. Enter Transit-Network in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click the Transit-Network button and click OK.
e. Click the green plus sign.
f. Enter the IP address of the NSX Edge internal interface in the Primary IP Address text
box.
g. Enter 27 in the Subnet prefix length text box.
h. Leave all other fields at default value and click OK.
14. Compare the interface configurations to the following table.
Name             IP Address     Subnet Prefix Length   Connected To
Uplink-Network                  24                     Production
Transit-Network                 27                     Transit-Network
15. If any interface is not configured correctly, select that entry and click the pencil icon to edit the
entry.
16. Click Next.
17. On the Default gateway settings page, select the Configure Default Gateway check box.
18. Verify that the vNIC selection is Uplink-Interface.
19. Enter the IP address of the NSX Edge default gateway in the Gateway IP text box.
20. Leave all other settings at default value and click Next.
21. On the Firewall and HA page, select the Configure Firewall default policy check box.
22. For the Default Traffic Policy, click Accept.
You must set the Default Traffic Policy to Accept before proceeding, because the connectivity
tests in this lab rely on the NSX Edge firewall passing all traffic. Outside the lab, an Accept
default policy leaves the perimeter open: a production NSX Edge normally keeps the default
policy at Deny and permits only the required flows with explicit rules.
23. Leave all the other fields at the default values and click Next.
24. On the Ready to Complete page, review the configuration report and click Finish.
25. Above the edge list, monitor the deployment to completion.
7. Point to the vSphere Web Client Home icon and click Hosts and Clusters.
8. Expand the Hosts and Clusters inventory tree so that the inventory of each cluster is shown.
9. Click the vSphere Web Client Refresh icon.
10. Select the perimeter gateway appliance in the Management and Edge cluster inventory.
The appliance virtual machine name starts with Perimeter Gateway - your_site_name and is
followed by a number, for example, Perimeter Gateway - Your Site-0.
11. In the middle pane, review the Summary tab report.
12. Expand VM Hardware section to review the hardware settings.
Q3. How many vCPUs does the appliance have?
3. 1
list.
This address is the address of the perimeter gateway interface on the Transit network.
d. Leave all other settings at default value and click OK.
6. Above the static routes list, click Publish Changes.
7. Wait for the update to complete and confirm that the new route with the type of user appears in
the list.
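Before the bidirectional test that follows, the addressing from the handout can be checked for the mistakes that most often break it: overlapping subnets, a next hop that is not on a connected subnet or that the peer router does not actually own, a tier subnet with no return route on the NSX Edge, and a default gateway outside the uplink subnet. The following Python script is an added example and is not part of the lab manual or of VMware's tooling. The addresses in it are constructed placeholders standing in for the handout values; only the interface names and the prefix lengths (27 on the transit network, 24 on the tiers) come from the lab.

```python
"""Sanity-check the distributed router / NSX Edge addressing and static routes.

Added example for this lab, not VMware code. The addresses below are
constructed placeholders for the values the class configuration handout
provides; only the interface names and prefix lengths (/27 transit, /24 tiers)
come from the lab.
"""
import ipaddress

# Constructed addressing plan (hypothetical values, not from the handout).
DLR_INTERFACES = {
    "Transit-Network": "192.168.100.2/27",   # DLR uplink LIF toward the NSX Edge
    "Web-Tier": "172.16.10.1/24",
    "App-Tier": "172.16.20.1/24",
    "DB-Tier": "172.16.30.1/24",
}
ESG_INTERFACES = {
    "Uplink-Network": "192.168.0.10/24",     # Production port group
    "Transit-Network": "192.168.100.1/27",   # NSX Edge internal interface
}
ESG_DEFAULT_GATEWAY = "192.168.0.1"
# Static routes as (destination, next hop): DLR default route to the Edge,
# Edge routes for the three tier subnets via the DLR transit LIF.
DLR_STATIC_ROUTES = [("0.0.0.0/0", "192.168.100.1")]
ESG_STATIC_ROUTES = [
    ("172.16.10.0/24", "192.168.100.2"),
    ("172.16.20.0/24", "192.168.100.2"),
    ("172.16.30.0/24", "192.168.100.2"),
]


def _interfaces(mapping):
    return {name: ipaddress.ip_interface(cidr) for name, cidr in mapping.items()}


def overlapping_interfaces(router, mapping):
    """Two connected subnets on one router must not overlap."""
    ifs = _interfaces(mapping)
    names = sorted(ifs)
    return [f"{router}: {a} {ifs[a].network} overlaps {b} {ifs[b].network}"
            for i, a in enumerate(names) for b in names[i + 1:]
            if ifs[a].network.overlaps(ifs[b].network)]


def unreachable_next_hops(router, mapping, routes):
    """A static route's next hop must sit on a directly connected subnet and
    must not be the router's own address."""
    ifs = _interfaces(mapping)
    problems = []
    for dest, hop in routes:
        hop_ip = ipaddress.ip_address(hop)
        connected = [n for n, i in ifs.items() if hop_ip in i.network]
        if not connected:
            problems.append(f"{router}: route {dest} next hop {hop_ip} is not on a connected subnet")
        elif any(ifs[n].ip == hop_ip for n in connected):
            problems.append(f"{router}: route {dest} next hop {hop_ip} is the router's own address")
    return problems


def validate_plan(dlr, esg, dlr_routes, esg_routes, esg_gateway):
    """Return every problem found in the combined DLR/Edge plan (empty = consistent)."""
    problems = overlapping_interfaces("DLR", dlr) + overlapping_interfaces("ESG", esg)
    problems += unreachable_next_hops("DLR", dlr, dlr_routes)
    problems += unreachable_next_hops("ESG", esg, esg_routes)
    dlr_addrs = {i.ip for i in _interfaces(dlr).values()}
    esg_addrs = {i.ip for i in _interfaces(esg).values()}
    # Next hops across the transit network must be addresses the peer really owns.
    for dest, hop in dlr_routes:
        if ipaddress.ip_address(hop) not in esg_addrs:
            problems.append(f"DLR: next hop {hop} for {dest} is not an Edge interface address")
    for dest, hop in esg_routes:
        if ipaddress.ip_address(hop) not in dlr_addrs:
            problems.append(f"ESG: next hop {hop} for {dest} is not a DLR interface address")
    # Every DLR subnet that the Edge does not sit on needs an Edge static route.
    esg_dests = {ipaddress.ip_network(d) for d, _ in esg_routes}
    for name, iface in _interfaces(dlr).items():
        shared = any(a in iface.network for a in esg_addrs)
        if not shared and iface.network not in esg_dests:
            problems.append(f"ESG: no static route for DLR subnet {name} {iface.network}")
    # The Edge default gateway must be a neighbor on the uplink subnet.
    gateway = ipaddress.ip_address(esg_gateway)
    uplink = ipaddress.ip_interface(esg["Uplink-Network"])
    if gateway not in uplink.network or gateway == uplink.ip:
        problems.append(f"ESG: default gateway {gateway} is not a neighbor on {uplink.network}")
    return problems


if __name__ == "__main__":
    for problem in validate_plan(DLR_INTERFACES, ESG_INTERFACES, DLR_STATIC_ROUTES,
                                 ESG_STATIC_ROUTES, ESG_DEFAULT_GATEWAY) or ["plan is consistent"]:
        print(problem)
```

Fill the dictionaries with the real handout values and run the script; an empty result means the two routing tables agree with each other and with the interfaces, which is a precondition for the ping tests below but does not by itself prove that the Production network reaches the student desktop.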
You use the static routes defined on the distributed router and the NSX Edge services gateway to test
bidirectional communication over the transit network.
Use the following information from the class configuration handout:
Student desktop IP address
IP address of web-sv-01a
IP address of web-sv-02a
IP address of app-sv-01a
IP address of db-sv-01a
system.
ping student_desktop_IP_address
3. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
The ping test demonstrates the bidirectional connectivity between the logical switch network
and the Management network for traffic that is initiated on the Web-Tier network. If the ping
command does not receive the expected replies, you can ask your instructor for assistance.
4. In the Internet Explorer window, press Ctrl+Alt to release the mouse cursor, open a new
http://IP_address_of_web-sv-02a
6. After the web-sv-02a Web page is displayed, close the Internet Explorer tab that is used to
that the static routes enable bidirectional connectivity between the Management network and
the App-Tier logical switch network.
ping IP_address_of_app-sv-01a
9. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
10. Run the following command to verify that the static routes enable bidirectional connectivity
between the Management network and the DB-Tier logical switch network.
ping IP_address_of_db-sv-01a
11. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
12. Leave the Command Prompt window open.
13. Restore the Internet Explorer window and click the vSphere Web Client tab.
Lab 8
Network
9. Resolve the Connectivity Issue
10. Clean Up for the Next Lab
student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client -
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. Point to the vSphere Web Client Home icon and click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root by using the password VMware1!.
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
6. Point to the vSphere Web Client Home icon and click Networking & Security.
bidirectional connectivity between the Management network and the Web-Tier logical switch
network.
ping IP_address_of_web-sv-01a
3. Verify that ICMP echo replies are received.
If ICMP echo replies are not received, you might be performing this lab without first
configuring static routing when the VMware NSX Edge services gateway was deployed in an
earlier lab. You can ask your instructor for assistance if the expected replies are not observed.
4. Leave the Command Prompt window open.
5. Restore the Internet Explorer window.
6. In the left navigation pane, select NSX Edges.
7. In the edge list, double-click the Perimeter Gateway entry to manage that object.
8. In the middle pane, click the Manage tab and click Routing.
9. In the routing category panel, select Static Routes.
10. In the static routes list, select the static route created in the previous lab and click the red X icon
bidirectional connectivity between the Management Network and the Web-Tier logical switch
network.
ping IP_address_of_web-sv-01a
13. On the student desktop, run the following command in the Command Prompt window to test
dialog box.
a. Enter 829 in the Area ID text box.
b. Leave all other settings at the default value and click OK.
8. Under Area Interface Mapping, click the green plus sign at the bottom of the OSPF page to
3. In the Route Redistribution Status panel, determine if a green check mark appears next to OSPF
4. Leave all other fields at the default value and click OK.
Do not select the Enable OSPF check box. For management purposes, OSPF can be enabled or
disabled in the Global Configuration page, after initially configuring it elsewhere. An error
message is displayed if OSPF is enabled in Global Configuration without first configuring the
OSPF parameters. This condition is unique to NSX Edge instances of type Distributed Router.
5. At the top of the Global Configuration page, click Publish Changes.
6. In the routing category panel, select OSPF.
7. On the right side of the OSPF Configuration panel, click Edit to open the OSPF Configuration
dialog box.
a. Select the Enable OSPF check box.
b. Enter the Protocol IP address for the distributed logical router OSPF configuration in the
box.
a. Enter 829 in the Area ID text box.
b. Leave all other fields at the default value and click OK.
9. In the Area to Interface Mapping panel, click the green plus sign to open the New Area to
2. In the Route Redistribution table, select the single entry that appears, click the pencil icon to
open the Edit Redistribution criteria dialog box, and verify the following settings.
Prefix Name: Any
Learner Protocol: OSPF
Allow Learning From: Connected
Action: Permit
3. Click Cancel.
If the default route redistribution entry does not appear in the list or is not configured as
specified, you must create a new route redistribution by clicking the green plus sign and
configuring the criteria as specified in step 2.
ping IP_address_of_web-sv-01a
3. Verify that ICMP echo replies are not received.
4. Leave the Command Prompt window open.
5. Restore the Internet Explorer window.
bidirectional connectivity between the Management Network and the Web-Tier logical switch
network.
configured as shown.
Router ID: Router ID for distributed logical router
OSPF: Green check mark
c. In the routing category panel, select Static Routes.
d. In the static routes table, verify that no static routes are defined.
e. In the routing category panel, select OSPF.
f. In the OSPF Configuration panel, verify that the following options are set as specified.
Status: Enabled
Protocol Address: Protocol IP address for the distributed logical router OSPF
configuration
Forwarding Address: Forwarding IP address for distributed logical router OSPF
configuration
g. In the Area Definitions panel, verify that Area 829 is defined with Normal for Type and
Interface.
i. In the routing category panel, select Route Redistribution.
j. In the Route Redistribution Status panel, verify that a green check mark appears next to
OSPF.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.
Learner: OSPF
From: Connected
Prefix: Any
Action: Permit
7. In the left navigation pane, click the Networking & Security back arrow.
8. In the edge list, double-click the Perimeter Gateway entry to manage that object.
9. In the middle pane, click the Manage tab and click Routing.
configured as shown.
Router ID: Router ID for the perimeter gateway
OSPF: Green check mark
c. In the routing category panel, select Static Routes.
d. In the static routes table, verify that no static routes are defined.
e. In the routing category panel, select OSPF.
f. At the top of the OSPF page, verify that the OSPF Status is Enabled.
g. In the Area Definitions panel, verify that Area 829 is defined with Normal for Type and
OSPF.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.
Learner: OSPF
From: Connected
Prefix: Any
Action: Permit
Q1. Are the configuration settings for Distributed Router and perimeter gateway
exactly as specified in the preceding steps?
1. Yes
11. In the left navigation pane, click the Networking & Security back arrow.
12. In the edge list, double-click the Distributed Router entry.
13. In the middle pane, click the Manage tab and click Settings.
18. In the left navigation pane, click the Networking & Security back arrow.
19. In the edge list, double-click the Perimeter Gateway entry to manage that object.
20. In the middle pane, click the Manage tab and click Settings.
21. In the settings category panel, select Interfaces.
Q5. Is the Management network attached to the perimeter gateway?
5. No
This address is the address of the RAS router on the Production network.
d. Leave all other settings at default value and click OK.
3. Click Publish Changes.
4. In the routing category panel, select Route Redistribution.
5. In the Route Redistribution table, select the single entry that appears and click the pencil icon to
The configuration change instructs the perimeter gateway to allow learning of both connected
subnets and static routes through OSPF. The distributed router receives a route to the
Management network from the perimeter gateway with a next hop of the perimeter gateway
interface on the transit network.
7. Minimize the Internet Explorer window.
8. On the student desktop, run the following command in the Command Prompt window to test
bidirectional connectivity between the Management network and the Web-Tier logical switch
network.
ping IP_address_of_web-sv-01a
9. Verify that ICMP echo replies are received.
If ICMP replies are not received, you must wait for 60 seconds and repeat step 8 until the ICMP
replies are received.
10. Run the following ping tests to verify connectivity between the Management network and the
Lab 9
Neighbor
7. Enable ECMP
8. Disable ECMP and Clean Up for the Next Lab
student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client -
password VMware1!.
6. On the CLI credentials page, enter VMware1!VMware1! in the Password and Confirm
dialog box.
a. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
b. Select your datastore from the Datastore drop-down menu.
c. Leave all other fields at default value and click OK.
11. Click Next.
12. On the Configure Interfaces page, click the green plus sign to open the Add NSX Edge
Interface dialog box and configure the first of the two interfaces.
a. Enter Uplink-Interface in the Name text box.
b. For Type, leave UpLink selected.
c. Click the Connected To > Select link.
d. Click Distributed Portgroup.
e. Click Production and click OK.
f. Click the green plus sign.
g. Enter the IP address for the Perimeter Gateway - ECMP Edge uplink in the Primary IP
second interface.
a. Enter Transit-Network in the Name text box.
b. For Type, click Internal.
f. Enter the IP address for the Perimeter Gateway - ECMP Edge internal interface in the
Name               IP Address                                                          Subnet Prefix Length   Connected To
Uplink-Interface   IP address for the Perimeter Gateway - ECMP Edge uplink             24                     Production
Transit-Network    IP address for the Perimeter Gateway - ECMP Edge internal interface 27                     TransitNetwork
15. If any interface is not configured correctly, select that entry and click the pencil icon to edit the
entry.
16. Click Next.
17. On the Default gateway settings page, select the Configure Default Gateway check box.
18. Verify that the vNIC selection is Uplink-Interface.
19. Enter the IP address of the Edge default gateway in the Gateway IP text box.
20. Leave all other settings at default value and click Next.
21. On the Firewall and HA page, select the Configure Firewall default policy check box.
22. For the Default Traffic Policy, click Accept.
dialog box.
a. Enter 829 in the Area ID text box.
b. Leave all other settings at the default value and click OK.
10. Under Area Interface Mapping, click the green plus sign at the bottom of the OSPF page to
This address is the address of the RAS router on the Production network.
d. Leave all other settings at default value and click OK.
3. Click Publish Changes.
VMware1!VMware1!
5. Enter the show ip ospf neighbor command and verify that the logical router has formed
The logical router adds only one edge router as the next hop to reach the management network.
ECMP is not enabled.
10. Enter the show ip route command to display the routing table.
An entry for each Edge router exists as the next hop towards the management network. The
distributed logical router can now use the two paths to distribute the load.
NOTE
You might need to wait for 30 seconds for the command to display the expected output.
Lab 10
Configuring L2 Bridging
Control VM
4. Examine the Network Connectivity Between Web VMs and Resolve the Issue
5. Clean Up for the Next Lab
student desktop.
2. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
3. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
4. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a and web-sv-02a console tabs are not open,
Group.
3. In the New Distributed Port Group window, enter L2PG in the Name text box and click Next.
4. On the Configure settings page, select VLAN from the VLAN type drop-down menu and
In the lab environment, the physical network is not configured to support VLAN 10. You
use a dummy VLAN ID of 10 because setting up bridging requires the port group to be
configured with a VLAN ID.
5. Click Next.
6. Click Finish on the Ready to Complete page.
7. Point to the Home icon and click VMs and Templates.
8. Select the web-sv-02a VM from the left navigation pane and click Actions in the middle pane.
9. Click Edit Settings.
10. In the VMs Edit Settings dialog box, select the L2PG (vds-datacenter) port group from the
Task 3: Move web-sv-01a and web-sv-02a to the Host That Runs the
Distributed Logical Router Control VM
You move the web-sv-01a and web-sv-02a virtual machines to the VMware ESXi host running
the distributed logical router control VM. This task is not required in production environments. This
task is performed in the lab because the physical network is not configured to support VLAN 10.
1. Select the Distributed Router - your_site_name-0 VM from the left navigation pane.
2. Click the Summary tab in the middle pane and identify the ESXi host on which the Distributed
Router-0 VM is running.
3. Select the web-sv-01a virtual machine in the left navigation pane.
4. Click Actions in the middle pane and select Migrate.
5. Select Change Compute resource only on the Select the migration type page.
6. Click Next.
7. Click the radio button next to the ESXi host where the Distributed Router - your_site_name-0
VM resides.
8. Click Next.
9. Click Next on the Select Network page.
10. Click Next on the Select vMotion priority page.
ping IP_address_of_web-sv-02a
Q1. Does ping work?
1. No, because web-sv-01a is connected to a logical switch and web-sv-02a is connected to a
port group with VLAN ID 10. An L2 bridge is required to establish connectivity between the two
Web VMs.
Lab 11
student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client -
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the tab.
a. Point to the vSphere Web Client Home tab and click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
6. On the vSphere Web Client Home page, click Networking & Security.
4. In the Properties pop-up window, enter the IP Address of the perimeter gateway in the Server
Edge instance, or if the password was entered incorrectly, change the CLI credentials.
a. Restore the Internet Explorer window.
b. In the left navigation pane, select NSX Edges.
c. In the edge list, select the Perimeter Gateway - your_site_name entry and select Change
window.
13. In the Internet Explorer window, open a new browser tab and go to http://IP_address_of_web-
14. After the Web page is displayed, go to http://NAT_IP_address_1 to verify that no response is
received.
The NAT IP address 1 is the NAT address that you associate with the web-sv-01a virtual
machine.
15. After Internet Explorer reports that the page cannot be displayed, close the browser tab and
object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the vNIC# 0 entry that is associated with Uplink-Interface and click
icon.
This address is the address of the web-sv-01a Web server virtual machine that is attached to
the Web-Tier logical switch network. The Web-Tier network is accessible from the
perimeter gateway through an OSPF-learned route that has a next hop of Application Edge
router on the transport network.
d. Select the Enabled check box.
e. Leave all other settings at the default value and click OK.
4. Above the NAT rules list, click Publish Changes.
5. Wait for the update to complete and verify that the new destination NAT rule appears in the list
browse the web-sv-01a Web server by using the destination NAT address.
2. After the Web page is displayed, keep the Web server tab open and minimize the Internet
Explorer window.
3. In the MTPuTTY window, determine packet addressing and verify that the following two IP
page.
7. After the Web page is displayed, close the browser tab and minimize the Internet Explorer
window.
8. In the MTPuTTY window, determine packet addressing and verify that the following two IP
IP address of web-sv-01a
This address is the destination NAT translated address of the web-sv-01a Web server. The
packets captured on the transit network are forwarded from perimeter gateway to
distributed router with the destination address translated.
9. Press Ctrl+C to stop the packet capture and leave the MTPuTTY window open.
10. Review the tests performed so far in this lab.
Q1. If response traffic was not translated based on the destination NAT mapping,
what source address would the packets have when received by the student
desktop?
1. The nontranslated IP address of web-sv-01a.
Q2. For a TCP connection being established from student desktop to destination
NAT IP for web-sv-01a, would the student desktop associate response packets
from web-sv-01a with that connection?
2. No, regardless of any TCP flag sequencing or handshake condition that might be set, the IP
addresses do not match.
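The following is an added example, not part of the lab manual: a small Python model of the destination NAT test in this lab, showing why the reply from web-sv-01a must be reverse-translated back to the NAT IP before it reaches the student desktop. The class and function names (DnatEdge, ClientHost, run_dnat_test) and all addresses are constructed placeholders, not values from the class configuration handout.

```python
"""Constructed model of the Lab 11 destination NAT test.

A client on the student desktop opens a TCP connection to NAT IP address 1,
the perimeter gateway rewrites the destination to web-sv-01a on the way to the
transit network, and the reply must be reverse-translated or the client's
connection table will not match it (the Q1/Q2 situation).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed placeholder addresses (not the lab's real values).
STUDENT_DESKTOP = "192.0.2.10"   # student desktop on the Management network
NAT_IP_1 = "198.51.100.21"       # destination NAT address on the uplink network
WEB_SV_01A = "172.16.10.11"      # web-sv-01a on the Web-Tier logical switch


class DnatEdge:
    """Minimal stateful destination NAT rule applied on the uplink interface."""

    def __init__(self, original_ip: str, translated_ip: str) -> None:
        self.original_ip = original_ip
        self.translated_ip = translated_ip
        # Connection tracking: (client ip, client port) -> original destination IP
        self.conntrack: dict[tuple[str, int], str] = {}

    def inbound(self, pkt: Packet) -> Packet:
        """Uplink -> transit: rewrite the destination and remember the flow."""
        if pkt.dst_ip != self.original_ip:
            return pkt
        self.conntrack[(pkt.src_ip, pkt.src_port)] = pkt.dst_ip
        return Packet(pkt.src_ip, pkt.src_port, self.translated_ip, pkt.dst_port)

    def outbound(self, pkt: Packet, reverse_translate: bool = True) -> Packet:
        """Transit -> uplink: restore the NAT address as the reply source.

        reverse_translate=False models the hypothetical asked about in Q1/Q2,
        where the response is forwarded without translation.
        """
        key = (pkt.dst_ip, pkt.dst_port)
        if reverse_translate and pkt.src_ip == self.translated_ip and key in self.conntrack:
            return Packet(self.conntrack[key], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return pkt


class ClientHost:
    """Tracks TCP connections by 4-tuple, as the student desktop's stack would."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.connections: set[tuple[str, int, str, int]] = set()

    def connect(self, dst_ip: str, dst_port: int, src_port: int) -> Packet:
        self.connections.add((self.ip, src_port, dst_ip, dst_port))
        return Packet(self.ip, src_port, dst_ip, dst_port)

    def matches_connection(self, reply: Packet) -> bool:
        # A reply belongs to a connection only if its addresses mirror the ones we opened.
        return (reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port) in self.connections


def run_dnat_test(reverse_translate: bool) -> tuple[str, bool]:
    """Return (source address the client sees, whether the client accepts the reply)."""
    edge = DnatEdge(original_ip=NAT_IP_1, translated_ip=WEB_SV_01A)
    client = ClientHost(STUDENT_DESKTOP)

    syn = client.connect(NAT_IP_1, 80, src_port=51000)
    syn_on_transit = edge.inbound(syn)
    # A capture on the transit network shows the real server as destination.
    assert syn_on_transit.dst_ip == WEB_SV_01A

    # web-sv-01a answers from its own address towards the client.
    syn_ack = Packet(WEB_SV_01A, 80, syn_on_transit.src_ip, syn_on_transit.src_port)
    reply_seen_by_client = edge.outbound(syn_ack, reverse_translate)
    return reply_seen_by_client.src_ip, client.matches_connection(reply_seen_by_client)


if __name__ == "__main__":
    print(run_dnat_test(reverse_translate=True))   # ('198.51.100.21', True)
    print(run_dnat_test(reverse_translate=False))  # ('172.16.10.11', False)
```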
uplink interface.
debug packet display interface vNic_0 icmp
2. Leave the packet capture running, restore the Internet Explorer window, and click the web-sv-
system.
ping student_desktop_IP_address
4. After at least one ICMP echo request and echo reply are reported, press Ctrl+C to stop the ping
command.
5. Press Ctrl+Alt to release the mouse cursor and minimize the Internet Explorer window.
6. In the MTPuTTY window, determine the source and destination addressing and verify that the
system.
ping student_desktop_IP_address
3. After at least one ICMP request and reply have been reported, press Ctrl+C to stop the ping
command.
4. Press Ctrl+Alt to release the mouse cursor and minimize the Internet Explorer window.
5. In the MTPuTTY window, determine source and destination addressing and verify that the
You must use a comma to specify the second secondary IP address to the interface.
HTTP exchange.
Student desktop IP address
NAT IP address 2
e. Press Ctrl+C to stop the packet capture.
NOTE
If the test does not produce the expected results, review your configuration carefully,
ensure that the destination NAT rule is enabled and is applied on the Uplink-Interface, and
try the test again. If the test continues to fail, you can ask your instructor for assistance.
Both destination NAT rules must be defined and working for upcoming labs.
Lab 12
session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the
student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. On the vSphere Web Client Home tab, click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. On the vSphere Web Client Home tab, click Networking & Security.
object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the vNIC# 0 interface and click the pencil icon.
6. In the Edit NSX Edge Interface dialog box, select the IP address entry in the Configure
9. In the interfaces list, find the vNIC #0 entry, click the Show All link in the IP address column,
box, leave all the other fields at the default value, and click OK.
5. In the load balancer category panel, select Application Profiles.
6. Above the top panel, click the green plus sign to open the New Profile dialog box.
a. Enter App-Profile in the Name text box.
b. Select HTTPS for Type.
c. Select the Enable SSL Passthrough check box.
d. Leave all the other fields at the default value and click OK.
first server.
Option    Action    Name    IP Address    Port
second server.
Option    Action    Name    IP Address    Port
transit interface.
debug packet display interface vNic_1 port_443
3. Leave the packet capture running and restore the Internet Explorer window.
4. In the Internet Explorer window, open a new browser tab and go to https://VIP_1_IP_address.
5. If Internet Explorer reports a certificate warning, click the Continue to this website (not
recommended) link.
addressing, and verify that the exchange is between a combination of the following IP addresses.
The IP address of the Transit network interface of the perimeter gateway edge.
The IP addresses of one of the Web servers on the Web-Tier logical switch network.
8. Consider the packet exchange you examined.
Q1. Which extra operation is the perimeter gateway performing on packets that
leave the Transit network interface, on the way to the Web server virtual
machines?
1. NAT
Q2. Why is the perimeter gateway performing this extra operation instead of
maintaining the original source address of the student desktop system?
2. Because the load balancer is operating in nontransparent mode and proxying sessions
between itself and the Web servers on behalf of the original client.
Q3. What setting would you enable on the load balancer so that the original source
addresses are maintained?
3. Transparent mode
destination addressing, and verify that the exchange is between a combination of the following
IP addresses.
The address of the student desktop system. With transparent mode enabled, the original
source address has been maintained in packets forwarded to the Web server. Sessions are
still proxied by the perimeter gateway by using a different source port than the source port
that is used by the original client.
The address of one of the Web servers on the Web-Tier logical switch network.
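The following is an added example, not part of the lab manual: a Python model of what the transit-interface capture shows for a proxying virtual server in nontransparent and transparent mode, including round-robin member selection across the two Web servers. The class and function names (EdgeLoadBalancer, capture_two_requests, endpoints) and all addresses are constructed placeholders, not values from the class configuration handout.

```python
"""Constructed model of the Lab 12 captures on the perimeter gateway's
transit interface. Addresses are placeholders, not the lab's real values."""
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


STUDENT_DESKTOP = "192.0.2.10"                 # client on the Management network
VIP_1 = "198.51.100.31"                        # virtual server IP on the Uplink-Interface network
EDGE_TRANSIT_IP = "10.99.0.1"                  # perimeter gateway Transit network interface
WEB_POOL = ("172.16.10.11", "172.16.10.12")    # web-sv-01a and web-sv-02a on the Web-Tier switch


class EdgeLoadBalancer:
    """Proxying virtual server: picks a pool member round-robin and opens a new
    server-side session using its own source port for each client session."""

    def __init__(self, vip: str, pool: tuple, transit_ip: str, transparent: bool = False) -> None:
        self.vip = vip
        self._members = cycle(pool)
        self.transit_ip = transit_ip
        self.transparent = transparent
        self._next_proxy_port = 40000
        # (client ip, client port) -> (selected member, proxy source port)
        self.sessions: dict = {}

    def forward(self, client_pkt: Packet) -> Packet:
        """Return the packet that appears on the transit interface for a client request."""
        if client_pkt.dst_ip != self.vip:
            raise ValueError("packet is not addressed to the virtual server")
        member = next(self._members)
        proxy_port = self._next_proxy_port
        self._next_proxy_port += 1
        self.sessions[(client_pkt.src_ip, client_pkt.src_port)] = (member, proxy_port)
        # Nontransparent: the edge's transit address becomes the source (source NAT).
        # Transparent: the client's address is kept, but the port is still the proxy's.
        src_ip = client_pkt.src_ip if self.transparent else self.transit_ip
        return Packet(src_ip, proxy_port, member, client_pkt.dst_port)


def capture_two_requests(transparent: bool) -> list:
    """Two HTTPS requests from the student desktop, as seen on the transit interface."""
    lb = EdgeLoadBalancer(VIP_1, WEB_POOL, EDGE_TRANSIT_IP, transparent)
    captured = []
    for client_port in (51000, 51001):
        request = Packet(STUDENT_DESKTOP, client_port, VIP_1, 443)
        captured.append(lb.forward(request))
    return captured


def endpoints(packets) -> set:
    """Set of (source, destination) address pairs, i.e. what the capture shows."""
    return {(p.src_ip, p.dst_ip) for p in packets}


if __name__ == "__main__":
    for mode in (False, True):
        label = "transparent" if mode else "nontransparent"
        print(label, sorted(endpoints(capture_two_requests(mode))))
```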
Firefox window.
22. In the MTPuTTY window, examine the captured packets to determine the source and
destination addressing, and verify that the exchange is between a combination of the following
IP addresses.
This address is the IP address of the student desktop system.
The IP address of one of the Web servers on the Web logical switch network. The address
that appears in the most recent capture should be the Web server that is not seen in the
previous capture.
23. Press Ctrl+C to stop the packet capture.
24. Restore the Internet Explorer window and click the vSphere Web Client tab.
Q3. If this rule performs no apparent translation, why did the system define it?
3. To force the traffic into the NAT logic of the NSX Edge services gateway where a member
server can be selected and the actual destination NAT can be performed. Traffic received on the
virtual server IP address must undergo a destination NAT translation after the destination server
is selected from the pool, based on the configured load-balancing algorithm. Because server
selection is dynamic, the destination NAT rule triggers the destination NAT operation where
further logic can be applied.
Q4. Given that a virtual server uses a destination NAT rule to trigger member server
selection, do you think that a virtual server can operate normally using a pool
of member servers with IP addresses that are also defined by destination NAT
rules?
4. No, a virtual server cannot operate on a pool of destination NAT-defined addresses. Such
functionality would require recursive application of the NAT logic to each packet that is received.
The system is not designed to accommodate that type of operation. Only one NAT rule can be
applied to any packet received.
Q5. Which interface is the destination NAT rule applied on?
5. Uplink-Interface
object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the Web-Interface entry and click the disconnect icon.
6. Wait for the update to complete and verify that a disconnect icon appears in the Web-Interface
Status column.
7. At the top of the left navigation pane, click the Networking & Security back arrow.
8. In the edge list, double-click the Perimeter Gateway - your_site_name entry to manage that
object.
9. In the middle pane, click the Manage tab and click Settings.
10. In the settings category panel, select Interfaces.
11. Select the vNIC# 2 interface and click the pencil icon to open the Edit NSX Edge Interface
dialog box.
a. Enter Web-Tier-Temp in the Name text box.
b. Verify that the Type selection is Internal.
c. Click the Connected To > Select link.
d. Click Web-Tier and click OK.
e. Above the IP Address table, click the green plus sign to open the Add Subnet dialog box.
f. Enter the Web-Tier-Temp interface IP address in the Primary IP address text box.
The new interface that you are configuring on the perimeter gateway replaces the
distributed router interface that you disconnected in step 5 by using the same IP address.
g. Enter 24 in the Subnet Prefix Length text box.
h. Click OK to commit the interface changes.
Task 10: Reposition the Virtual Server and Examine NAT Rule Changes
The virtual server is repositioned to be on the same subnet as the pool members, in a one-armed
configuration.
Use the following information from the class configuration handout:
VIP 2 IP address
1. Under the Manage tab, click Load Balancer.
2. In the load balancer category panel, select Virtual Servers.
3. In the virtual servers list, select the single virtual server that is defined and click the pencil icon.
4. In the Edit Virtual Server dialog box, change the IP Address field to the VIP 2 IP address and
click OK.
For this example, the primary IP address of an interface is used for the virtual server.
5. Under the Manage tab, click NAT.
6. In the NAT rules list, find the destination NAT rule that has VIP 2 IP address in the Original IP
Address column.
Q1. Has the system autoremoved the destination NAT rule for the old virtual server
IP address of original VIP 1 IP address?
1. Yes
Q2. Is the new rule translating the original IP address or port in any way?
2. No
Q3. Based on the virtual server destination NAT rules that you have examined so
far, is there any difference in the actual operation performed by NSX Edge on
traffic to be sent to a member server?
3. No, the operations are the same.
7. Examine each of the new destination NAT rule columns carefully, thinking back to the previous
destination NAT rule that you examined when the virtual server was positioned on the Uplink-Interface network.
Q4. Other than a primary interface IP address being used as the virtual server IP
address in this example, what is the primary difference between the two
positions in terms of traffic flow and sequence of operations on the edge when
traffic is received, transformed, and subsequently sent to a member server?
4. The destination NAT translation occurs on the outbound interface. In this case, vNic_2 facing
the network that the member servers are attached to. The previous destination NAT rule was
applied on the receiving interface because destination NAT rules must be applied on the interface
connected to the network that contains the original IP address to be translated, regardless of
ingress or egress.
Web-Tier-Temp interface.
debug packet display interface vNic_2 port_443
3. Leave the packet capture running and restore the Internet Explorer window.
Lab 12 Configuring Load Balancing with NSX Edge Gateway
While performing the interim tasks in this activity, after migrating the Web-Tier virtual switch,
the OSPF routing table automatically updates and both perimeter gateway and distributed router
are aware of the new network location.
5. When Internet Explorer reports a problem with the Web site's certificate, click the Continue to
addressing, and verify that the exchange is between a combination of the following IP addresses.
The IP address of the student desktop.
The address of one of the Web servers on the Web logical switch network.
8. Leave the packet capture running.
9. Restore the Firefox window and go to https://VIP_2_IP_address.
10. When Firefox reports a problem with the Web site security certificate, click the I understand
window.
13. In the MTPuTTY window, examine the captured packets and verify that the exchange is
tab.
web-sv-01a
Lab 13
This lab requires that you complete the previous lab (Configuring Load Balancing with NSX Edge
Gateway). If you did not perform the previous lab, ask your instructor for guidance.
bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. Point to the vSphere Web Client Home icon and click the VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root using the VMware1! password.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. On the vSphere Web Client Home tab, click the Networking & Security icon.
object.
3. Click the Manage tab and click Settings.
4. In the settings category panel, select Certificates.
5. Select Generate CSR from the Actions drop-down menu to open the Generate CSR dialog
box.
a. Enter the VIP 2 IP address in the Common Name text box.
b. Enter ABC Medical in the Organization Name text box.
c. Enter NSBU in Organization Unit text box.
d. Enter Palo Alto in the Locality text box.
e. Enter CA in the State text box.
f. Select United States (US) in the Country field.
g. Verify that RSA is the selected Message Algorithm.
h. Verify that 2048 is the selected Key Size.
i. Leave all other settings at default value and click OK.
6. In the certificate list, select the newly generated signing request and select Self Sign Certificate
click OK.
You must ensure that both member servers are updated.
8. Click OK to close the Edit Pool dialog box.
following command.
debug packet display interface vNic_0 port_443
3. Leave the packet capture running and position the window so that you remember that it contains
You must ensure that you use Internet Explorer for the following tests.
The virtual server IP address must be moved back to the uplink network because the Web-Tier logical switch is migrated back to the distributed router.
b. Click OK.
3. Under the Manage tab, click Settings.
4. In the settings category panel, select Interfaces.
5. In the interface list, select the Web-Tier-Temp interface and click the disconnect icon.
6. Wait for the update to complete and verify that a disconnect icon appears in the Web-Tier-Temp
Status column.
7. Select the Web-Tier-Temp interface, click the red X to delete the interface and click OK when
prompted to confirm.
You must ensure that you delete the correct interface.
8. Wait for the update to complete and verify that vNIC# 2 has been reset.
9. At the top of the left navigation pane, click the Networking & Security left arrow button.
10. In the edge list, double-click the Distributed Router entry to manage that object.
11. In the settings category panel, select Interfaces.
12. In the interface list, select the Web-Interface interface entry and click the green check mark
Lab 14
student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. On the vSphere Web Client Home tab, click the VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. On the vSphere Web Client Home tab, click the Networking & Security icon.
object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the Settings category list, select Configuration.
5. On the Configuration page, in the HA Configuration panel, determine the current high
inventory is shown.
11. In the Management and Edge Cluster inventory, find all virtual machines with names starting
b. In the two text boxes for configuring Management IPs, enter the following IP addresses in
availability service.
show service highavailability
3. Examine the command output.
This command uses the generic vshield-edge name for the VMware NSX Edge instances.
Refer to the trailing -0 or -1 to associate what the command is showing with the perimeter
gateway nodes. The active node name is shown as the value of highavailability Unit Name.
Q1. Which of the perimeter gateway nodes is active?
1. Perimeter Gateway-0 is active. This node should be the same for all students at this stage.
Q2. Are both peer nodes in good health?
2. Yes, as denoted in the Peer Host list.
Q3. Are the file synchronization and connection synchronization services
necessary for failover running?
3. Yes, both services are shown as running.
NOTE
Based on the sequence of actions taken so far, the active node should be the vshield-edge-2-0
(Perimeter Gateway-0) node. Remember which node was listed as active; you will cause a
failover in the next task.
4. At the command prompt, run the following command to display high availability heartbeat
to confirm.
3. Monitor the appliance shutdown until the task shows as complete in the recent tasks pane and a
running indicator icon no longer appears on the virtual machine in the cluster inventory.
4. Minimize the Internet Explorer window.
5. Click OK to dismiss the MTPuTTY alert and close the MTPuTTY window.
The SSH session to the perimeter gateway is terminated because the virtual machine is shut
down.
6. In the MTPuTTY application, double-click the Perimeter Gateway IP Address.
7. Log in as admin and enter the password VMware1!VMware1!.
8. Run the following command to show the status of the high availability.
You power off the high availability active node to force a failover to the standby node.
The active node name is shown as the value of highavailability Unit Name.
Q1. Which of the perimeter gateway nodes is active?
1. Perimeter Gateway-1 is active. This node should be the same for all students at this stage.
Q2. Are both peer nodes in good health?
2. No, vshield-edge-#-0 is unreachable.
Q3. Are services necessary for failover running, specifically file synchronization
and connection synchronization?
3. Yes, both services show as running.
Q4. Has a failover occurred?
4. Yes, from Perimeter Gateway-0 to Perimeter Gateway-1.
10. At the command prompt, run the following command to display high availability heartbeat
5. Run the following command to show the status of the high availability service.
The active node name is shown as the value of highavailability Unit Name.
Q1. Which of the perimeter gateway nodes is active?
1. Perimeter Gateway-1 is active. This node should be the same for all students at this stage.
Q2. Are both peer nodes in good health?
2. Yes
Q3. Are services necessary for failover running, specifically file synchronization
and connection synchronization?
3. Yes, both services show as running.
Q4. Has a failback occurred?
4. No, the failover node remains active and the restored node assumes standby status.
Networking.
4. In the Internet Explorer window, leave the following tabs open.
Lab 15
address.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the
student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - Your Site Name
bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. On the vSphere Web Client Home tab, click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Point to the vSphere Web Client Home icon, click Networking.
Task 2: Create a Port Group on the Distributed Switch for the Sink Port
You create a port group on the distributed switch for the sink interface used by the L2VPN feature.
1. Expand the inventory tree and select vds-datacenter.
2. In the middle pane, click Actions and select Distributed Port Group > New Distributed Port
Group.
3. Enter L2VPN-Trunk in the Name text box in the New Distributed Port Group window.
4. Click Next.
5. Leave the default settings on the Configure Settings page and click Next.
6. Click Finish on the Ready to complete page.
8. Click the green plus sign in the Site Configuration Details section.
9. Select the Enable Peer Site check box.
10. Enter L2VPN-your_site_name in the Name text box.
11. Enter vpnuser as the user ID.
12. Enter VMware1! as the password and confirm the password.
13. Click Select Sub Interfaces for Stretched Interfaces.
14. Select Subint-to-Web-Tier in the Available Objects section.
15. Click the blue right arrow.
16. Click OK.
17. Click OK in the Add Peer Site window.
18. Click Publish Changes at the top.
19. Verify that the L2VPN service status is Enabled.
remote_site shortcut.
You will be logged in to the remote site Web client with your cached credentials. You can do
one of the following to log in to the remote site:
Click the user, log out, and log in again with the remote site vCenter Server administrator
login account.
Use a different browser.
2. Log in with the remote site vCenter Server administrator login account and enter the password
VMware1!.
3. Click the Networking icon on the Home page.
4. Expand the inventory in the left navigation pane and select vds-datacenter.
5. Click Actions in the middle pane and select Distributed Port Group > New Distributed Port
Group.
6. Enter L2VPN-RemoteSiteTrunk in the Name text box in the New Distributed Port Group
window.
7. Click Next.
8. Leave the default setting in the Configure Settings page and click Next.
9. Click Finish.
settings page.
26. Leave all other settings at default and click Next.
27. Select the Configure Firewall default policy check box on the Firewall and HA page.
28. Click Accept for Default Traffic Policy.
29. Leave all settings at default and click Next.
30. Click Finish on the Ready to complete page.
31. Monitor the progress until the NSX Edge deployment is complete.
Task 7: Create a Logical Switch and Attach the Switch to the Remote
Gateway
You create a logical switch and attach it to the new remote gateway.
Use the following information from the class configuration handout:
IP address of Subint-to-Web-Tier for the L2VPN client edge
1. Click Logical Switches in the left navigation pane.
2. Click the green plus sign in the middle pane.
3. Enter L2VPN in the Name text box in the New Logical Switch window.
4. Click the Change link for Transport Zone.
5. Select Local Transport Zone and click OK.
6. Leave all settings at default and click OK.
7. Select NSX Edges in the left navigation pane.
Lab 15 Configuring Layer 2 VPN Tunnel
window.
13. Select Trunk from the Type drop-down menu.
14. Click the Select link for Connected To.
15. Click the Distributed Portgroup tab in the Connect NSX Edge to a Network window.
16. Select L2VPN-RemoteSiteTrunk and click OK.
17. Click the green plus sign in the Sub Interfaces section.
18. Enter Subint-to-Web-Tier in the Name text box in the Add Sub Interface window.
19. Enter 10 in the Tunnel Id text box.
20. Leave Network selected for Backing Type.
21. Click the Select link for Network, select L2VPN, and click OK.
22. Click the green plus sign in the Configure Subnets section.
23. Enter the IP address of Subint-to-Web-Tier for the L2VPN client edge in the Primary IP
Status section.
changes correctly.
1. Point to the Home icon of the vSphere Web Client and click the VMs and Templates icon.
2. In the inventory pane, select Discovered virtual machine > web-sv-02a and select Open
warning.
It might take a minute for the console window to initialize.
4. Point to the console window, wait until the pointer becomes a hand icon, click anywhere in the
ifconfig.
9. Click the vSphere Web Client - your_remote_site tab in the Internet Explorer window.
You must select the L2VPN logical switch and not the port group. If you do not see the L2VPN
logical switch in the drop-down menu, click Show more networks, expand the Name column,
and select the L2VPN logical switch.
4. Click OK twice.
5. In the Internet Explorer window, select the tab for the web-sv-02a VM.
6. At the web-sv-02a command prompt, run the following command to view the network interface
configuration.
ifconfig
7. Record the eth0 hardware (HWaddr) address. __________
8. At the command prompt, ping the web-sv-01a VM on the Web-Tier logical switch of your
A Layer 2 tunnel connects two NSX Edge gateways and extends the Web-Tier logical switch
network. You have initiated a continuous ping from the Web server on the branch gateway side
of the tunnel to the Web server on the perimeter gateway side of the tunnel.
Q1. If you capture traffic on the web-sv-01a virtual machine, on the perimeter
gateway side of the tunnel, what is the source IP address that the incoming
ping packets would have?
1. The address of the web-sv-02a virtual machine.
Q2. What is the source hardware (MAC) address that the frames would have?
2. The MAC address of web-sv-02a because the tunnel wraps Layer 2 traffic and when
decapsulated, the hardware address is preserved.
12. At the web-sv-01a command prompt, examine the Address Resolution Protocol (ARP) table.
arp -a
13. In the ARP table output, find the hardware address and the IP address of the web-sv-02a virtual
machine.
Q3. Is the hardware address the same that you recorded in step 7?
3. Yes
The hardware address for web-sv-02a is preserved when the tunnel traffic is decapsulated by the
perimeter gateway. Because this is a Layer 2 tunnel, response frames sent to that MAC address
are intercepted for encapsulation back to the sending node. This differs from a routed tunnel
such as IPsec, where the frames delivered on the far side carry the source IP address of
web-sv-02a but the hardware address of the gateway interface that faces the destination.
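The following is an added example, not code from the lab manual: a toy model of what a capture on the far side of a tunnel sees when the tunnel is a Layer 2 extension (the whole Ethernet frame crosses and is handed to the logical switch unchanged) versus a routed Layer 3 tunnel such as IPsec (only the IP packet crosses, and the far gateway routes it and writes a new Ethernet header). The MAC and IP addresses are constructed, and the carrier format is a generic length prefix, not the NSX L2VPN wire format.

```python
"""Added example: Layer 2 versus routed tunnel delivery as seen by a far-side capture.
Addresses are constructed; the carrier is a generic length prefix, not the NSX L2VPN format."""
import struct

ETHERTYPE_IPV4 = 0x0800
# Constructed addresses for the two web servers and the perimeter gateway interface
WEB_SV_02A_MAC = "00:50:56:aa:00:02"
WEB_SV_01A_MAC = "00:50:56:aa:00:01"
GATEWAY_MAC = "00:50:56:ee:ee:01"
WEB_SV_02A_IP = "172.16.10.12"
WEB_SV_01A_IP = "172.16.10.11"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header):
    """RFC 791 one's-complement header checksum; call with the checksum field zeroed."""
    total = sum(struct.unpack("!10H", header[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip, dst_ip, ttl=64, proto=1, payload=b""):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def header_checksum_ok(packet):
    """A header that includes its own correct checksum sums to zero."""
    return ipv4_checksum(packet[:20]) == 0


def build_frame(dst_mac, src_mac, packet):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame):
    """What a capture tool on web-sv-01a would report for a delivered frame."""
    packet = frame[14:]
    return {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "src_ip": ip_str(packet[12:16]), "dst_ip": ip_str(packet[16:20]),
            "ttl": packet[8], "checksum_ok": header_checksum_ok(packet)}


def l2_tunnel_deliver(frame):
    """Layer 2 tunnel: the whole frame is the tunnel payload, so decapsulation on the far
    side hands the original frame, sender MAC included, to the logical switch."""
    carrier = struct.pack("!H", len(frame)) + frame          # encapsulate
    length = struct.unpack("!H", carrier[:2])[0]
    return carrier[2:2 + length]                             # decapsulate


def l3_tunnel_deliver(frame, gateway_mac, next_hop_mac):
    """Routed tunnel: only the IP packet is carried. The far gateway decrements the TTL,
    fixes the checksum and writes a new Ethernet header with its own MAC as the source."""
    packet = bytearray(frame[14:])                           # original Ethernet header is dropped
    packet[8] -= 1
    packet[10:12] = b"\x00\x00"
    packet[10:12] = struct.pack("!H", ipv4_checksum(bytes(packet[:20])))
    return build_frame(next_hop_mac, gateway_mac, bytes(packet))


def ping_frame():
    """Echo request from web-sv-02a toward web-sv-01a (ICMP payload omitted)."""
    return build_frame(WEB_SV_01A_MAC, WEB_SV_02A_MAC, build_ipv4(WEB_SV_02A_IP, WEB_SV_01A_IP))


def compare():
    """Capture view on web-sv-01a after each kind of tunnel."""
    frame = ping_frame()
    return {"l2vpn": parse_frame(l2_tunnel_deliver(frame)),
            "ipsec": parse_frame(l3_tunnel_deliver(frame, GATEWAY_MAC, WEB_SV_01A_MAC))}


if __name__ == "__main__":
    for kind, seen in compare().items():
        print(kind, seen)
```

In the Layer 2 case the frame arrives with web-sv-02a's MAC as the source and the TTL untouched, which is why the ARP entry on web-sv-01a matches the HWaddr recorded in step 7; in the routed case the source IP is still web-sv-02a but the source MAC belongs to the gateway and the TTL has been decremented.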
Lab 16
student desktop.
4. If you are not logged in to the local vSphere Web Client, log in to the local vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account
tab.
a. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon
6. If you are not logged in to the remote site vSphere Web Client, login to the remote site vSphere
Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_remote_site
bookmark.
b. When prompted, log in with your remote site VMware vCenter Server administrator
object.
5. In the middle pane, click the Manage tab and click VPN.
6. In the VPN category panel, select L2VPN.
7. In the L2VPN status panel, click Delete Configuration and click Yes when prompted to
confirm.
8. Wait for the update to complete and verify that the L2VPN configuration has been reset and the
The perimeter gateway is configured as an IPsec tunnel endpoint exposing the Web-Tier
network. The networks that are exposed by an IPsec tunnel endpoint must be either directly
attached subnets or subnets reachable through static routing. You cannot expose subnets that are
reachable only through a dynamic routing update from OSPF or one of the other supported
routing protocols.
13. Click Publish Changes and wait for the update to complete.
14. In the routing category panel, select Static Routes.
15. Click the green plus sign to open the Add Static Route dialog box.
a. Select Transit-Interface from the Interface drop-down menu.
b. Enter the workload VM network in the Network text box.
c. Enter the IP address of the distributed router uplink interface in the Next Hop text box.
This address is the interface address of the distributed router on the Transit network.
d. Click OK.
16. Click Publish Changes and wait for the update to complete.
dialog box.
a. Verify that the Enabled check box is selected.
b. Enter Local-Remote in the Name text box.
c. Enter Local in the Local Id text box.
d. Enter the IP address of the perimeter gateway in the Local Endpoint text box.
This address is the same address that identified the perimeter gateway as an L2VPN server
in the previous lab.
e. Enter the local subnet in the Local Subnets text box.
Spaces are not allowed in the local subnets specification. You must enter the specification
exactly as shown.
f. Enter Remote in the Peer Id text box.
g. Enter the IP address of the remote gateway in the Peer Endpoint text box.
h. Enter the remote subnet in the Peer Subnets text box.
i. Leave AES selected for Encryption Algorithm.
j. Leave PSK selected.
k. Enter VMware1! in the Pre-Shared key text box.
l. Select the Display shared key check box and verify that the shared key is exactly
VMware1!.
m. Leave all remaining settings at the default value and click OK.
4. In the top status panel, click Enable.
5. Click Publish Changes and wait for the update to complete.
6. In the status panel, verify that the IPSec VPN Service Status is Enabled.
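The following is an added example, not code from the lab manual, that checks the two constraints stated above before a Local Subnets or Peer Subnets value is entered: the comma-separated list must contain no spaces, and every exposed subnet must be either directly attached to the Edge or reachable through a static route, never only through OSPF or another dynamic protocol. The interface addresses, static route and subnet list are constructed values, not the class handout's.

```python
"""Added example: pre-flight check for an NSX Edge IPsec Local Subnets / Peer Subnets value.
Interface addresses, routes and subnets below are constructed, not the class handout's."""
import ipaddress


def parse_subnet_spec(spec):
    """Split the comma-separated CIDR list, enforcing the no-spaces rule and rejecting
    entries with host bits set (172.16.10.5/24 is an address, not a subnet)."""
    if " " in spec:
        raise ValueError("subnet list must not contain spaces: %r" % spec)
    if not spec:
        raise ValueError("subnet list is empty")
    return [ipaddress.ip_network(item, strict=True) for item in spec.split(",")]


def connected_networks(interfaces):
    """interfaces: list of (name, 'ip/prefix') as configured on the Edge."""
    return [(name, ipaddress.ip_interface(addr).network) for name, addr in interfaces]


def classify(subnet, interfaces, static_routes):
    """Return (status, detail) with status one of 'direct', 'static',
    'static-bad-nexthop' or 'dynamic-only'. Only the first two can be exposed."""
    connected = connected_networks(interfaces)
    for name, net in connected:
        if subnet.subnet_of(net):
            return "direct", name
    for network, next_hop in static_routes:
        if subnet.subnet_of(ipaddress.ip_network(network)):
            hop = ipaddress.ip_address(next_hop)
            via = [name for name, net in connected if hop in net]
            if via:
                return "static", "next hop %s on %s" % (next_hop, via[0])
            return "static-bad-nexthop", "next hop %s is not on any Edge interface" % next_hop
    return "dynamic-only", "no interface or static route covers this subnet"


def check_exposed_subnets(spec, interfaces, static_routes):
    """Return {subnet: (status, detail)} for every entry in the spec."""
    return {str(net): classify(net, interfaces, static_routes)
            for net in parse_subnet_spec(spec)}


def exposable(spec, interfaces, static_routes):
    """True only when every listed subnet is directly attached or statically routed."""
    results = check_exposed_subnets(spec, interfaces, static_routes)
    return all(status in ("direct", "static") for status, _ in results.values())


# Constructed perimeter-gateway configuration: an uplink, the transit link to the
# distributed router, and the static route added for the workload network in Task 3
EDGE_INTERFACES = [("Uplink", "192.168.100.3/24"), ("Transit-Interface", "192.168.5.1/29")]
EDGE_STATIC_ROUTES = [("172.16.10.0/24", "192.168.5.2")]

if __name__ == "__main__":
    spec = "172.16.10.0/24,192.168.5.0/29,172.16.20.0/24"
    for subnet, (status, detail) in check_exposed_subnets(spec, EDGE_INTERFACES, EDGE_STATIC_ROUTES).items():
        print(subnet, status, detail)
    print("exposable:", exposable(spec, EDGE_INTERFACES, EDGE_STATIC_ROUTES))
```

A subnet that comes back as dynamic-only is the case the note warns about: the Edge may be able to reach it through OSPF, but it will not be accepted as an IPsec local or peer subnet until a static route (or an interface) covers it.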
icon.
15. Change the primary IP address to IP address of the Web-Tier subinterface on the remote
gateway.
16. Click OK to close the Edit Sub Interface dialog box.
17. Click OK to commit the interface changes.
Task 5: Update the web-sv-02a Web Server in the Remote Site vCenter
Server Inventory
You change the networking configuration on web-sv-02a to match the branch topology.
Use the following information from the class configuration handout:
IP address of web-sv-02a
Default gateway for web-sv-02a
1. In the Internet Explorer window, click the web-sv-02a console tab.
2. At the web-sv-02a command prompt, run the following command to change the IP address of
3. Run the following command to change the default gateway used by the virtual machine.
ifconfig
5. Run the following command to verify that the default gateway has been configured correctly.
route
dialog box.
a. Select the Enabled check box.
b. Enter Local-Remote in the Name text box.
c. Enter Remote in the Local Id text box.
d. Enter the IP address of the remote gateway in the Local Endpoint text box.
e. Enter the remote subnet in the Local Subnets text box.
f. Enter Local in the Peer Id text box.
g. Enter the IP address of the perimeter gateway in the Peer Endpoint text box.
h. Enter the local subnet without spaces in the Peer Subnets text box.
i. Leave AES selected as the Encryption Algorithm.
Lab 16 Configuring IPsec Tunnels
5. Above the tunnel endpoint list, click the green plus symbol icon to open the New IPSec VPN
link.
2. In the IPSec VPN Statistics pop-up panel, verify that the single VPN connection that is listed in
the top table has a green check mark in the Channel State column.
3. Select the single connection listed in the top table.
4. Verify that a single tunnel is listed in the bottom table with a green check mark in the Tunnel
State column.
5. Close the IPSec VPN Statistics pop-up panel.
The VPN connection between the two VMware NSX Edge gateway appliances is established
and a tunnel is open.
6. In the Internet Explorer window, click the web-sv-02a console tab.
7. At the web-sv-02a command prompt, start a ping to the IP address of the web-sv-01a VM.
The ping should be successful, confirming connectivity between the two sites over the IPsec VPN.
perimeter gateway.
4. Select the VPN tab under the Manage tab.
5. Select IPSec VPN in the middle pane.
6. Click Disable next to IPSec VPN Service Status.
7. Click Publish Changes and wait for the screen to update.
8. Click the Routing tab under the Manage tab.
9. Select OSPF in the middle pane.
10. Click Edit for OSPF Configuration.
11. Select the Enable OSPF check box in the OSPF Configuration pop-up window.
12. Click OK.
13. Click Publish Changes.
5. At the top of the left navigation pane, click the Networking & Security left arrow.
6. In the Internet window, leave the following tabs open for the next lab.
Lab 17
student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account
tab.
a. On the vSphere Web Client Home tab, click Inventories > VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer.
Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_remote_site
bookmark.
b. When prompted, log in with the remote site vCenter Server administrator login account and
box.
a. Select LOCAL from the Authentication Server Type drop-down menu.
b. Deselect the Enable password policy check box.
IP_address_of_remote_gateway.
5. When prompted with the Web site's certificate warning, click the Continue to this website (not
recommended) link.
6. In the VMware SSL VPN-Plus portal page, log in as vpn-user and enter the password
VMware1!.
7. On the user portal page, verify that one tab labeled Tools is shown with a Change Password link
available.
8. Click the Logout link in the black status bar on the upper-right corner of the page and click OK
your_remote_site tab.
2. On the Installation Package configuration page, click the green plus sign to open the Add
text box, leave the port at 443, and click OK to confirm the entry.
c. In the Installation Parameters for Windows list, select the following check boxes.
IP_address_of_remote_gateway.
4. When prompted to log in, log in as vpn-user and enter the password VMware1!.
5. In the SSL VPN-Plus portal, click the Test Package link on the Full Access tab.
installation link.
7. When prompted, click Run.
The VMware Tray shortcut was added when the SSL VPN-Plus test package was installed from
the portal page.
5. Double-click the VMware Tray shortcut to start the SSL VPN-Plus Client application and click
Login.
6. When prompted, log in as vpn-user and enter the password VMware1!.
7. Click OK when prompted to confirm that the connection has been established.
8. In the Command Prompt window, run the following command to ping the web-sv-02a server.
ping IP_address_of_web-sv-02a
The ping command receives ICMP echo replies.
When the SSL VPN-Plus client is running, double-clicking the program icon opens the statistics
window. The statistics window can also be opened from the client application icon that is
running in the system tray.
2. In the SSL VPN-Plus Client - Statistics window, click the Advanced tab.
Q1. What is the gateway address and port for the network configuration?
5. Enter the IP address of the remote gateway in the Server Name text box and select SSH as the
protocol.
6. Click OK.
7. In the MTPuTTY window, double-click the IP address of the remote gateway in the left pane.
8. When prompted, click Yes to confirm the PuTTY security alert.
9. Log in as admin and enter the password VMware1!VMware1!.
10. Run the following command to begin capturing ICMP packets on the internal network.
11. Leave the packet capture running and switch to the Command Prompt window.
12. Run the following command to ping the web-sv-02a server.
ping IP_address_of_web-sv-02a
13. Switch to the MTPuTTY window and verify that an ICMP exchange has occurred between the
following IP addresses.
This address is the IP address assigned to the SSL VPN-Plus Client application running on
the student desktop system.
This address is the IP address of the web-sv-02a server.
14. Press Ctrl+C to stop the packet capture.
15. Close the MTPuTTY window for the Remote Gateway.
16. Minimize MTPuTTY.
17. On the student desktop, double-click the VMware Tray icon.
18. Click Logout on the General tab and click Yes when prompted to confirm.
Explorer window.
5. Click the vSphere Web Client - your_site_name tab in the Internet Explorer window.
6. Verify that you are in the Networking & Security inventory view.
7. In the Internet window, leave the following tabs open for the next lab.
Lab 18
student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. On the vSphere Web Client Home tab, click Inventories > VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. Point to the vSphere Web Client Home icon, click Networking & Security.
object.
3. In the middle pane, click the Manage tab and click Firewall.
4. In the firewall rules list, find the rule named Default Rule.
5. If necessary, use the horizontal scroll bar to uncover the Action column.
6. Point to the Action cell until a plus sign icon appears.
7. Click the plus sign icon.
8. Select Deny from Action drop-down menu.
9. Click Log and click OK.
10. Above the rule list, click Publish and wait for the update to complete.
11. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_web-
sv-01a.
12. Verify that the Web page cannot be displayed and close the browser tab.
13. If not active, click the vSphere Web Client - your_site_name tab.
14. On the Firewall configuration page, click the green plus sign to create a row in the rules table.
15. Point to the Name cell and click the plus sign.
16. Enter Allowed to Web Servers in the Rule Name text box and click OK.
17. Point to the Destination cell, click the plus sign, and configure settings in the Specify
dialog box.
Option
Action
Name
Description
Leave blank.
IP Addresses
configuration panel.
a. Enter HTTP in the search text box.
b. Select generic HTTP and HTTPS services in the Available Objects pane.
c. Click the right arrow to move HTTP and HTTPS to the Selected Objects pane.
d. Click OK to close the pop-up configuration panel.
19. Verify that the Action for the new rule is Accept.
20. Click Publish and wait for the update to complete.
21. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_web-
sv-01a.
22. Verify that the Web page is displayed or that you are prompted with a certificate related
Task 3: Determine How the Firewall Rule Interacts with Other NSX
Edge Features
You determine how a firewall rule interacts with an existing destination NAT rule.
Use the following information from the class configuration handout:
Load balancer VIP IP address
IP address of web-sv-01a
DNAT IP address of web-sv-01a
1. In the Internet Explorer window, open a new browser tab and go to https://
load_balancer_VIP_IP_address.
2. Verify that the Web page is not displayed and close the browser tab.
3. If not active, click the vSphere Web Client tab.
Q1. Because the virtual server for load balancing HTTP traffic was configured with
the web-sv-01a Web server as a member server, will the rule that you just
created allow HTTP connections to the virtual server IP address?
1. No
4. In the Internet Explorer window, open a new browser tab and go to https://DNAT_IP_of_web-
sv-01a.
This address is the destination NAT address for the web-sv-01a Web server.
5. Verify that the Web page cannot be displayed and close the browser tab.
6. If not active, click the vSphere Web Client - your_site_name tab.
7. In the middle pane, click Grouping Objects under the Manage tab.
8. In the category panel, select IP Sets.
9. In the IP Set list, select the Local Web Servers entry.
10. Click the pencil icon to open the Edit IP Addresses dialog box.
a. In the IP Addresses text box, enter the IP address of web-sv-01a and the DNAT IP address
sv-01a.
12. Verify that the Web page is displayed or that you are prompted with a certificate warning, and
11. In the Internet Explorer window, open a new browser tab and go to https://DNAT_IP_of_web-
13. If not active, click the vSphere Web Client - your_site_name tab.
14. In the middle pane, click Firewall under the Manage tab.
15. In the rule list, select the Allowed to Web Servers rule.
16. Click the red X icon to delete the rule and click OK when prompted to confirm.
17. Point to the Default Rule Action cell.
18. Click the plus sign.
19. Select Accept from the Action drop-down menu.
20. Click OK.
21. Click Publish and wait for the update to complete.
Lab 19
Lab 19 Using the VMware NSX Distributed Firewall Rules to Control Network Traffic
student desktop.
4. If you are not logged in to the vSphere Web Client, open the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account,
tab.
a. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root using the VMware1! password.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. Point to the vSphere Web Client Home icon, click Networking & Security icon.
default section.
5. Click the folder icon.
6. In the pop-up configuration panel, create a section.
a. Enter Test Section in the Section name text box.
b. Leave Add section above selected.
c. Click OK.
7. Click Publish Changes and wait for the update to complete.
Section entry and click the green plus sign to create a rule.
2. Expand Test Section and find the new rule entry.
3. Point to the Name cell and click the pencil sign.
4. Enter Allowed Web To App in the Rule Name text box and click OK.
5. Point to the Source cell and click the pencil sign to open the Specify Source configuration
panel.
a. Select Logical Switch from the Object Type pane.
b. Select Web-Tier in the Available Objects pane and click the blue right arrow to move the
configuration panel.
a. Select Logical Switch from the Object Type drop-down menu.
b. Select App-Tier in the Available Objects list and click the blue right arrow to move the
7. Click OK.
8. Point to the Services cell and click the pencil sign to open the Specify Service configuration
panel.
a. Click the New Service link that appears in the lower-left corner of the pop-up panel.
b. Enter the following details in the Add Service dialog box.
Option
Action
Name
Description
Leave blank.
Protocol
Destination ports
Enable inheritance...
If the icon is not active, select any rule in the Test Section rule list.
11. Point to the Name cell and click the pencil sign.
12. Enter Allowed App To DB in the Rule Name text box and click OK.
13. Point to the Source cell and click the pencil sign to open the Specify Source configuration
panel.
a. Select Logical Switch from the Object Type drop-down menu.
b. Select App-Tier from the Available Objects list and click the blue right arrow to move the
configuration panel.
a. Select Logical Switch from the Object Type drop-down menu.
b. Select DB-Tier from the Available Objects list and click the blue right arrow to move the
sv-01a.
2. Verify that the Web page is displayed or that you are prompted with an untrusted connection
sv-01a.
10. If the Web page is displayed, click the Internet Explorer refresh icon to reload the page.
11. Verify that the Web page is not displayed and close the browser tab.
12. Click the vSphere Web Client - your_site_name tab.
13. Click the green plus sign above the rules list to create a rule in Test Section.
If the icon is not active, you can select any rule in the Test Section rule list and click the green
plus sign.
14. Point to the Name cell and click the pencil sign.
15. Enter Allowed to Web Servers in the Rule Name text box and click OK.
16. Point to the Destination cell and click the pencil sign to open the Specify Destination
configuration panel.
a. Select Logical Switch from the Object Type drop-down menu.
b. Select Web-Tier from the Available Objects list and click the blue right arrow to move the
panel.
a. Enter HTTP in the search text box.
b. Select the generic HTTP and HTTPS services in the Available Objects list and click the
blue right arrow to move those services to the Selected Objects list.
c. Click OK.
18. Point to the Action cell and click the pencil sign that appears.
19. Click Log and click OK.
20. Click Publish Changes and wait for the update to complete.
21. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_web-
sv-01a.
22. Verify that the Web page is displayed or that you are prompted with an untrusted connection
This address is the IP address of the Web server on the Web-Tier logical switch network.
c. Click OK.
27. Click Publish Changes and wait for the update to complete.
28. In the Internet Explorer window, open a new browser tab and go to https://
NAT_IP_address_of_web-sv-01a.
This address is the destination NAT address that you configured earlier for the web-sv-01a Web
server.
29. Click the Internet Explorer page refresh icon to reload the page.
30. Verify that the Web page is displayed or that you are prompted with an untrusted connection
In the previous lab, attempts to browse the destination NAT address were blocked by the
firewall rule defined on the perimeter gateway until the destination IP set was expanded to
include the destination NAT address.
Q1. Why does the Distributed Firewall rule allow browser connections to the Web
server through the destination NAT address, when the rule explicitly defines
the IP address of web-sv-01a as the only valid destination?
1. Distributed Firewall rules work on true source and destination addresses and objects. Such
rules are not affected by transforms (such as destination NAT translations) performed by NSX
Edge devices.
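The following is an added example, not code from the lab manual: a small model of where the NSX Edge firewall and the Distributed Firewall sit relative to destination NAT and the load balancer, arranged to reproduce what Labs 18 and 19 showed. The Edge firewall rule matched the destination address the client actually dialed (the DNAT address or the virtual server IP), so connections through DNAT were blocked until the Local Web Servers IP set was widened; the Distributed Firewall at the vNIC matches the real, post-translation address. All addresses are constructed, and the model covers only the rules the two labs create.

```python
"""Added example: Edge firewall versus Distributed Firewall relative to DNAT and the LB VIP.
Addresses are constructed; the rule contents mirror the rules created in Labs 18 and 19."""

WEB_SV_01A = "172.16.10.11"    # constructed: real address on the Web-Tier logical switch
DNAT_IP = "192.168.100.11"     # constructed: destination NAT address on the Edge uplink
LB_VIP = "192.168.100.12"      # constructed: load balancer virtual server IP
HTTP_PORTS = {80, 443}         # the generic HTTP and HTTPS services

DNAT_TABLE = {DNAT_IP: WEB_SV_01A}   # DNAT rule configured in an earlier lab
LB_POOLS = {LB_VIP: [WEB_SV_01A]}    # virtual server with web-sv-01a as member

ACCEPT_ALL = None   # stands for a Default Rule of Accept with no explicit rules


def rule_allows(rule, dst_ip, dport):
    """rule is (ip_set, ports) for one Accept rule in front of a Deny default, or ACCEPT_ALL."""
    if rule is ACCEPT_ALL:
        return True
    ip_set, ports = rule
    return dst_ip in ip_set and dport in ports


def edge_translate(dst_ip):
    """Address the Edge hands the connection to after DNAT or load balancing."""
    if dst_ip in DNAT_TABLE:
        return DNAT_TABLE[dst_ip]
    if dst_ip in LB_POOLS:
        return LB_POOLS[dst_ip][0]
    return dst_ip


def connect(dialed_ip, dport, edge_rule, dfw_rule):
    """Walk one connection: Edge firewall (evaluates the dialed address, as observed in
    Lab 18) -> DNAT / LB -> Distributed Firewall at the vNIC (evaluates the real address)."""
    if not rule_allows(edge_rule, dialed_ip, dport):
        return "blocked by Edge firewall (dst %s)" % dialed_ip
    real_ip = edge_translate(dialed_ip)
    if not rule_allows(dfw_rule, real_ip, dport):
        return "blocked by Distributed Firewall (dst %s)" % real_ip
    return "reached %s" % real_ip


def lab18_initial(dialed_ip):
    """Edge rule 'Allowed to Web Servers' with IP set {web-sv-01a}; DFW still default Accept."""
    return connect(dialed_ip, 443, ({WEB_SV_01A}, HTTP_PORTS), ACCEPT_ALL)


def lab18_widened(dialed_ip):
    """Same Edge rule after the Local Web Servers IP set also lists the DNAT address."""
    return connect(dialed_ip, 443, ({WEB_SV_01A, DNAT_IP}, HTTP_PORTS), ACCEPT_ALL)


def lab19(dialed_ip):
    """Edge default rule back to Accept; DFW rule with destination Web-Tier (web-sv-01a)."""
    return connect(dialed_ip, 443, ACCEPT_ALL, ({WEB_SV_01A}, HTTP_PORTS))


if __name__ == "__main__":
    for scenario in (lab18_initial, lab18_widened, lab19):
        for target in (WEB_SV_01A, DNAT_IP, LB_VIP):
            print("%-14s %-16s -> %s" % (scenario.__name__, target, scenario(target)))
```

The practical consequence for rule design: an Edge firewall IP set for a NATed or load-balanced server must list the addresses clients dial, while a Distributed Firewall rule can be written against the workload's own object (logical switch, security group or IP) regardless of how many translated addresses front it.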
IP address of app-sv-01a.
IP address of db-sv-01a.
3. Press Ctrl+C to stop each ping command after lack of connectivity is confirmed.
4. Press Ctrl+Alt to release the pointer and click the vSphere Web Client - your_site_name tab.
5. Point to the vSphere Web Client Home icon and select Hosts and Clusters.
6. Select the web-sv-01a VM in the left navigation pane and identify the host where the VM is
running.
The host name can be seen in the Summary tab of the VM.
7. Minimize the Internet Explorer window and restore the MYTPUTTY application.
8. Double-click the ESXi host where the web-sv-01a VM resides in the MYTPUTTY application.
9. Open the dfwpktlogs.log file (/var/log/dfwpktlogs.log on the ESXi host) with the vi text editor by using vi dfwpktlogs.log.
Only rules that have Log enabled write entries to this file, which is why you enabled logging on the rule earlier.
To search for the keyword PASS, you must use /PASS in the vi editor.
Log entries describing connections that were allowed because of a firewall rule appear.
11. Search for the DROP string in the log file.
Log entries describing connections that were dropped because of a firewall rule appear.
12. Restore the Internet Explorer application.
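Searching the log by hand with /PASS and /DROP works for a lab, but on a busy host you want a summary per rule ID. The following Python script is an added example for this manual (it is not VMware tooling): it parses dfwpktlogs.log records and reports which rule allowed or dropped what. The record layout it expects is the one documented for NSX 6.x and is assumed here (check it against a real line from your host); the sample lines, addresses and rule IDs are constructed.

```python
"""Parse and summarise NSX DFW packet-log records (dfwpktlogs.log on the ESXi host).

Added example for this lab manual, not VMware tooling. The record layout below is the
one documented for NSX 6.x and is assumed here; the sample lines are constructed.
"""
import re
from collections import Counter

# <timestamp> INF <core> DOMAIN-<n> <PASS|DROP> <rule id> <IN|OUT> <bytes> <proto>
#   <src>[/<sport>]-><dst>[/<dport>] [<tcp flags> | <icmp type> <icmp code>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+(?P<core>\d+)\s+(?P<domain>DOMAIN-\d+)\s+"
    r"(?P<action>[A-Z]+)\s+(?P<rule_id>\d+)\s+(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<src>[0-9.]+)(?:/(?P<sport>\d+))?->(?P<dst>[0-9.]+)(?:/(?P<dport>\d+))?"
    r"(?:\s+(?P<extra>.*))?$"
)

# Constructed sample: two allowed web hits, one dropped SSH attempt from the student desktop,
# and the pings from web-sv-01a to app-sv-01a / db-sv-01a that the lab expects to fail.
SAMPLE_LOG = """\
2015-03-10T03:22:22.671Z INF 0 DOMAIN-0 PASS 1005 IN 60 TCP 192.168.110.10/52413->172.16.10.11/443 S
2015-03-10T03:22:22.902Z INF 0 DOMAIN-0 PASS 1005 IN 60 TCP 192.168.110.10/52414->172.16.10.11/80 S
2015-03-10T03:22:31.118Z INF 1 DOMAIN-0 DROP 1003 IN 60 TCP 192.168.110.10/52420->172.16.10.11/22 S
2015-03-10T03:22:40.440Z INF 1 DOMAIN-0 DROP 1002 OUT 84 ICMP 172.16.10.11->172.16.20.11 8 0
2015-03-10T03:22:41.441Z INF 1 DOMAIN-0 DROP 1002 OUT 84 ICMP 172.16.10.11->172.16.20.11 8 0
2015-03-10T03:22:45.007Z INF 1 DOMAIN-0 DROP 1002 OUT 84 ICMP 172.16.10.11->172.16.30.11 8 0
this line is not a packet-log record and is counted as unparsed
"""


def parse_line(line):
    """Return a dict for one record, or None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("core", "rule_id", "length", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_log(text):
    """Parse all non-empty lines; returns (records, number of unparsed lines)."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return records, unparsed


def count_by_action_and_rule(records):
    """Counter keyed by (action, rule id): the quickest way to see which rule is dropping."""
    return Counter((r["action"], r["rule_id"]) for r in records)


def drops(records, proto=None):
    """All DROP records, optionally for one protocol, in log order."""
    return [r for r in records
            if r["action"] == "DROP" and (proto is None or r["proto"] == proto)]


def top_dropped_destinations(records, n=3):
    """Most frequently dropped (destination, port) pairs; port is None for ICMP."""
    return Counter((r["dst"], r["dport"]) for r in drops(records)).most_common(n)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {bad} unparsed")
    for (action, rule_id), n in sorted(count_by_action_and_rule(recs).items()):
        print(f"{action:4} rule {rule_id}: {n}")
    print("top dropped destinations:", top_dropped_destinations(recs))
```

Copy the file off the host (or run the script over `cat /var/log/dfwpktlogs.log` piped through SSH) rather than installing Python on ESXi. The rule ID in each record is the one shown in the Rule ID column of the Firewall view, so a DROP count against an unexpected rule ID is the fastest way to spot a rule ordering mistake.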
The configuration list contains several new entries that were autosaved by the system.
4. Click the Configuration tab.
5. Under General and Ethernet, click the Load saved configuration icon.
6. In the Load Saved Configuration dialog box, scroll down and select the oldest autosaved
Lab 20
student desktop.
3. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account
Next.
5. Ensure that your data center is selected in the Datacenter field.
6. Select the Compute check box and click Next.
7. Enter the following details in the Select storage and Management Network page
a. Datastore: Name of your data store
b. Network: Management
8. Click the Change link under IP Assignment.
9. Select Use IP Pool in the Select IP Pool assignment mode.
10. Click Controller-Pool.
11. Click OK.
12. Click Next.
13. Click Finish on the Ready to complete page.
You can configure Activity Monitoring for the Compute cluster while Guest Introspection is
being deployed.
14. Click the Service Composer link in the left navigation pane.
15. Click the Security Groups tab in the middle pane.
16. Right-click the Activity Monitoring Data Collection group and select Edit Security Group.
17. Click Select objects to include in the Edit Security Group window.
18. Click the down arrow next to Object Type and select Cluster.
19. Select Compute in the Available Objects pane and click the right blue arrow to move the
as Succeeded.
Server: dc.vclass.local
Username: administrator
Password: VMware1!
7. Leave all other default settings and click Next.
8. Leave the default settings in the Security Event Log Access page and click Next.
9. Click Finish on the Ready to complete page.
10. Click the arrow next to Networking & Security on the top corner of the left navigation pane.
You configure two rules in the Default section of the distributed firewall. One rule allows SSH
connections to the win-sv-01a VM for domain group AD-SSH. This group includes the
administrator user accounts. The other rule blocks the SSH connection to the win-sv-01a VM for all
other users.
1. Click the Firewall link in the left navigation pane.
1. If necessary, use the horizontal scroll bar to uncover the icons on the far-right side of the
Default Section entry and click the green plus sign to create a rule.
2. Expand Default Section and find the new rule entry.
3. Point to the Name cell and click the pencil sign.
4. Enter Allowed SSH to Admins in the Rule Name text box and click OK.
5. Point to the Source cell and click the pencil sign to open the Specify Source configuration
panel.
a. Select Security Group from the Object Type drop-down menu.
b. Click the New Security Group link at the bottom left of the Specify Source window.
c. Enter AD-SSH in the Name text box of the Add Security Group window.
d. Click Select Objects to include on the left.
e. Click the down-arrow next to Object Type and select Directory Group.
f. Select AD-SSH in the Available Objects pane and click the blue right arrow to move the
configuration panel.
a. Select Cluster from the Object Type drop-down menu.
b. Select the Compute cluster object and click the blue right arrow to move the cluster into
8. Point to the Services cell and click the pencil sign to open the Specify Service configuration
panel.
a. Enter SSH in the Filter text box and press Enter.
b. Select SSH in the Available Objects pane and click the blue right arrow to move SSH to the
You must ensure that this rule appears below the rule that you created. The Distributed Firewall
evaluates rules top-down and the first match wins, so if the block rule were placed above the
allow rule it would match the administrators' SSH sessions first and the allow rule would never
fire. You can use the Move rule up or down buttons to arrange the rules appropriately.
If the icon is not active, you can select any rule in the Test Section rule list.
10. Point to the Name cell and click the pencil sign.
11. Enter Blocked SSH for Normal Users in the Rule Name text box and click OK.
12. Leave any as the value in the Source cell.
13. Point to the Destination cell and click the pencil sign to open the pop-up configuration panel.
a. Select Cluster from the Object Type drop-down menu.
b. Select the Compute cluster object and click the blue right arrow to move the cluster into
You log in to the Windows7 VM by using two accounts. The administrator user account can SSH to
web-sv-01a VM, which is a part of the Compute cluster. However, the normal user account cannot
SSH to the web-sv-01a VM. This test confirms that the identity-aware firewall functions as
expected.
Use the following information from the class configuration handout:
Admin user for Windows VM
IP address of web-sv-01a
Normal user for Windows VM
1. Click the Windows7 VM tab in Internet Explorer.
2. Click Send Ctrl+Alt+Delete at the top-right corner of the VM's remote console.
3. Click Switch User in the VM's console.
4. Click Other User.
5. Log in as the Admin user for Windows VM and enter the password VMware1!.
6. Double-click the putty application located in the putty folder in the C: drive.
7. Click Run in the Security Warning window.
8. Enter the IP address of web-sv-01a VM in the Host Name (or IP address) text box of the
PuTTY application.
A login prompt appears confirming that the domain administrator account can SSH to the web-sv-01a VM.
9. Close the PuTTY application.
10. Log out from the Windows7 VM.
11. Click Send Ctrl+Alt+Delete at the top-right corner of the VM's remote console.
12. Click Switch User in the VM's console.
13. Click Other User.
14. Log in as normal user for Windows VM and enter the password VMware1!.
15. Double-click the putty application located in the putty folder in the C: drive.
16. Click Run in the Security Warning window.
17. Enter the IP address of web-sv-01a VM in the Host Name (or IP address) text box of the
PuTTY application.
This message confirms that the normal user cannot SSH to web-sv-01a VM.
19. Close the PuTTY application.
20. Open Internet Explorer by clicking the Internet Explorer icon in the Windows taskbar.
21. Enter https://IP_address_of_web-sv-01a.
22. Verify that either the page opens or you receive a warning about the Web site's certificate.
The normal user can access the Web services on web-sv-01a VM.
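The following Python script is an added example for this manual (it is not VMware code and does not talk to NSX). It models the two behaviours the preceding tasks rely on: the Distributed Firewall evaluates its rules top-down and the first match wins, so Allowed SSH to Admins must sit above Blocked SSH for Normal Users; and, as the Lab 19 Q1 answer noted, the Distributed Firewall filters at the VM's vNIC on the true destination address, after the NSX Edge has applied destination NAT. The IP addresses, group memberships and the assumption that the default rule is allow are constructed for illustration, and the lab's real rules match the Compute cluster object, which the model replaces with the VM's address.

```python
"""Toy first-match model of NSX Distributed Firewall evaluation.

Added example for this lab manual; it is not VMware code and does not call the NSX
API. Names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "block"
    src_groups: frozenset = frozenset()       # identity groups the user must be in; empty = any
    dst_ips: frozenset = frozenset()          # true destination IPs; empty = any
    services: frozenset = frozenset()         # e.g. "tcp/22"; empty = any


def rule_matches(rule, user_groups, dst_ip, service):
    """A rule matches when every non-empty selector accepts the packet."""
    src_ok = not rule.src_groups or bool(rule.src_groups & user_groups)
    dst_ok = not rule.dst_ips or dst_ip in rule.dst_ips
    svc_ok = not rule.services or service in rule.services
    return src_ok and dst_ok and svc_ok


def evaluate(rules, user_groups, dst_ip, service, default="allow"):
    """Top-down, first match wins (the ordering the lab asks you to check).
    Returns (action, name of the rule that decided)."""
    for rule in rules:
        if rule_matches(rule, user_groups, dst_ip, service):
            return rule.action, rule.name
    return default, "default rule"   # assumed: the lab leaves the DFW default rule at allow


def edge_dnat(dst_ip, dnat_table):
    """The perimeter NSX Edge rewrites the destination before the packet reaches the
    VM's vNIC, where the DFW filters, so the DFW sees the real address."""
    return dnat_table.get(dst_ip, dst_ip)


def covers(outer, inner):
    """True when every packet that matches `inner` also matches `outer`."""
    def field_covers(a, b):
        return not a or (bool(b) and b <= a)
    return (field_covers(outer.src_groups, inner.src_groups)
            and field_covers(outer.dst_ips, inner.dst_ips)
            and field_covers(outer.services, inner.services))


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]


# Constructed lab-like data (not the addresses from the class configuration handout).
WEB_IP = "172.16.10.11"          # assumed true IP of web-sv-01a on the Web-Tier logical switch
WEB_NAT_IP = "192.168.100.3"     # assumed destination NAT address on the perimeter Edge
DNAT_TABLE = {WEB_NAT_IP: WEB_IP}

ALLOW_ADMINS = Rule("Allowed SSH to Admins", "allow",
                    src_groups=frozenset({"AD-SSH"}),
                    dst_ips=frozenset({WEB_IP}), services=frozenset({"tcp/22"}))
BLOCK_OTHERS = Rule("Blocked SSH for Normal Users", "block",
                    dst_ips=frozenset({WEB_IP}), services=frozenset({"tcp/22"}))
CORRECT_ORDER = [ALLOW_ADMINS, BLOCK_OTHERS]
WRONG_ORDER = [BLOCK_OTHERS, ALLOW_ADMINS]

ADMIN = frozenset({"Domain Users", "AD-SSH"})
NORMAL = frozenset({"Domain Users"})


def ssh_decision(rules, user_groups, entered_dst):
    """What the DFW decides for an SSH session to the address typed into PuTTY."""
    return evaluate(rules, user_groups, edge_dnat(entered_dst, DNAT_TABLE), "tcp/22")


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "admin:", ssh_decision(rules, ADMIN, WEB_IP),
              "normal:", ssh_decision(rules, NORMAL, WEB_IP),
              "shadowed:", shadowed_rules(rules))
    # Through the Edge DNAT address the DFW still matches on WEB_IP:
    print("via NAT address:", ssh_decision(CORRECT_ORDER, ADMIN, WEB_NAT_IP))
    # A rule written against the NAT address never fires at the DFW:
    nat_rule = Rule("Block NAT addr", "block", dst_ips=frozenset({WEB_NAT_IP}))
    print("rule on NAT address:", ssh_decision([nat_rule], NORMAL, WEB_NAT_IP))
```

shadowed_rules() is the check worth running over any exported rule list: a rule it reports can never fire, which is exactly what happens when the block rule is moved above the allow rule. The last two lines of the demo show the Lab 19 point from the other side: a rule that names the Edge NAT address as its destination is dead at the Distributed Firewall.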
Lab 21
student desktop.
3. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
4. On the vSphere Web Client Home icon, click the Networking & Security icon.
14. Review the settings in the Ready to complete pane and click Finish.
box.
4. Leave all other settings at default value and click Next.
5. On the Guest Introspection Services page, click Next.
6. On the Firewall Rules page, click the green plus icon.
7. In the New Firewall Rule dialog box, enter Block all Traffic in the Name text box.
8. Click Block for Action.
9. In the Source section, click the Change link.
10. In the Firewall Rule Select Source dialog box, select Any.
11. Click OK.
12. In the Destination section, click the Change link.
13. In the Firewall Rule Select Destination dialog box, leave the setting as Policy's Security
Groups.
14. Leave all other settings at the default value and click OK.
15. Click Next.
16. On the Network Introspection Services page, click Next.
17. Click Finish.
18. Click Actions and click the Apply Policy icon.
19. In the pop-up menu, select the Quarantine Group check box.
20. Click OK.
ping -t web-sv-01a
The pings should be received.
2. Go back to the VMware vSphere Web Client.
3. Ensure that Service Composer is selected in the left navigation pane.
4. Click the Canvas tab in the middle pane.
The Quarantine Group is represented as a box. A security policy is associated with Quarantine
Group. You can identify the name of the security policy by clicking on the icon on the top-right
corner of the box. The number of VMs added to the group is zero.
5. Point to the Home icon and select VMs and Templates.
6. Select the web-sv-01a VM from the left navigation pane.
7. Click the Monitor tab in the middle pane.
8. Click the Service Composer tab and verify that no security services are associated with the VM
13. Click the VM icon on top of the Quarantine Group box and verify that the name of the VM is
Lab 22
student desktop.
2. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in as administrator@vsphere.local and enter the password
VMware1!.
3. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. On the vSphere Web Client Home tab, click Inventories > VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Point to the vSphere Web Client Home icon and click Networking & Security.
4. In the Internet Explorer window, open another tab and log in to the remote vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_remote_site
bookmark.
b. When prompted, log in as administrator@vsphere.local and enter the password
VMware1!.
5. In the Internet Explorer window, if the web-sv-02a console tab is not open, open the console
tab.
a. On the vSphere Web Client - your_remote_site Home tab, click Inventories > VMs and
Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-02a.
tab.
f. Point to the remote vSphere Web Client Home icon and select Networking & Security.
6. Select the vSphere Web Client - your_site_name tab in the Internet Explorer application.
You verify the segment ID pools and the IDs of the VMware NSX Manager instances. The
cross-vCenter NSX feature does not work properly if the segment ID pools or the NSX Manager IDs
overlap.
Use the following information from the class configuration handout:
IP address of nsxmgr-a
IP address of nsxmgr-b
1. Click the Installation link in the left navigation pane.
2. Click the Management tab in the middle pane.
3. Click the IP address of nsxmgr-a.
4. Click the Summary tab in the middle pane and record the ID value. __________
5. Click the arrow next to Networking & Security in the left navigation pane.
6. Click the IP address of nsxmgr-b.
7. Record the ID value in the Summary tab. __________
The Segment ID pool values must not overlap for the two NSX Manager instances.
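Recording the values by hand is fine for two managers; the following Python script is an added example for this manual (not VMware tooling) that performs the same pre-check over any number of NSX Manager instances: every local segment ID pool and the universal segment ID pool must be disjoint and must lie inside the NSX segment ID range 5000-16777215, and no two managers may share an ID. The manager names, IDs and pool ranges are constructed; substitute the values you recorded from each Summary tab.

```python
"""Pre-check for cross-vCenter NSX: segment ID pools must not overlap and NSX Manager
IDs must be distinct. Added example for this lab manual, not VMware tooling; the
manager names, IDs and pool ranges below are constructed."""
from itertools import combinations

VNI_MIN, VNI_MAX = 5000, 16777215   # valid VXLAN segment ID range in NSX 6.x


def parse_range(spec):
    """'5000-5999' -> (5000, 5999); raises ValueError on malformed input."""
    lo, hi = (int(part) for part in spec.split("-"))
    if lo > hi:
        raise ValueError(f"range start {lo} is after end {hi}")
    if lo < VNI_MIN or hi > VNI_MAX:
        raise ValueError(f"{spec} lies outside {VNI_MIN}-{VNI_MAX}")
    return lo, hi


def overlapping_pools(pools):
    """pools: {label: 'lo-hi'}. Returns one message per overlapping pair (empty list = OK)."""
    parsed = {label: parse_range(spec) for label, spec in pools.items()}
    problems = []
    for (a, (lo_a, hi_a)), (b, (lo_b, hi_b)) in combinations(sorted(parsed.items()), 2):
        if lo_a <= hi_b and lo_b <= hi_a:          # closed intervals intersect
            problems.append(f"{a} ({lo_a}-{hi_a}) overlaps {b} ({lo_b}-{hi_b})")
    return problems


def duplicate_ids(managers):
    """managers: {name: manager id}. Returns ids shared by more than one manager."""
    seen = {}
    for name, mgr_id in managers.items():
        seen.setdefault(mgr_id, []).append(name)
    return {mgr_id: names for mgr_id, names in seen.items() if len(names) > 1}


def precheck(managers, local_pools, universal_pool):
    """Run both checks the lab asks for before promoting a primary NSX Manager.
    Returns a list of problems; proceed only when it is empty."""
    problems = [f"NSX Manager ID {mgr_id} is shared by {', '.join(names)}"
                for mgr_id, names in duplicate_ids(managers).items()]
    pools = dict(local_pools)
    pools["universal"] = universal_pool
    try:
        problems.extend(overlapping_pools(pools))
    except ValueError as exc:
        problems.append(f"bad pool definition: {exc}")
    return problems


# Constructed values standing in for what you record from each manager's Summary tab.
GOOD = precheck(
    managers={"nsxmgr-a": "nsxmgr-a-4201", "nsxmgr-b": "nsxmgr-b-4202"},
    local_pools={"nsxmgr-a": "5000-5999", "nsxmgr-b": "6000-6999"},
    universal_pool="900000-909999",
)
BAD = precheck(
    managers={"nsxmgr-a": "nsxmgr-a-4201", "nsxmgr-b": "nsxmgr-a-4201"},   # cloned appliance
    local_pools={"nsxmgr-a": "5000-5999", "nsxmgr-b": "5500-6499"},
    universal_pool="5900-6100",
)

if __name__ == "__main__":
    print("good:", GOOD or "no problems")
    print("bad:", *BAD, sep="\n  ")
```

A shared manager ID usually means one appliance was cloned from the other; redeploy rather than trying to edit the ID. Overlapping pools are the subtler failure, because both managers will hand out the same VXLAN segment IDs and traffic for two unrelated logical switches lands on one segment.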
Task 3: Configure Primary and Secondary Roles for the NSX Manager Instances
You promote one of the NSX Manager instances to the primary role. After the NSX Manager
instance is promoted, you register the other NSX Manager instance as secondary.
Use the following information from the class configuration handout:
IP address of nsxmgr-a
IP address of nsxmgr-b
IP range of NSX Controller nodes to be deleted
1. Click the Management tab in the middle pane.
2. Ensure that the IP address of nsxmgr-a is selected.
3. Click Actions and click Assign Primary Role.
4. Click Yes when the prompt appears.
nodes to be deleted.
9. Select the IP address of nsxmgr-a in the NSX Managers section.
10. Click Actions and select Add Secondary NSX Manager.
11. Verify that the IP address of nsxmgr-b is populated against the NSX Manager field of the Add
boxes.
13. Click OK.
14. Select Yes when prompted with nsxmgr-b's thumbprint. Accepting the thumbprint is what establishes trust between the two NSX Manager instances, so outside the lab compare it with the certificate thumbprint that nsxmgr-b itself reports before you click Yes.
15. Wait for a minute and refresh the vSphere Web Client.
The status of all the NSX Controller nodes should be green before proceeding to the next task.
nsxmgr-a and nsxmgr-b use the same set of NSX Controller nodes.
The universal transport zone is already replicated to the secondary NSX Manager.
15. Select Universal Transport Zone and click Actions.
16. Select Connect Clusters.
17. Select the Compute and Management and Edge check box.
18. Click OK.
inventory.
The two virtual machines are running on different hosts, on different subnets managed by
different vCenter Server systems. Using universal logical switches, you can achieve Layer 2
connectivity between the virtual machines.
5. Leave the ping command running on the web-sv-02a virtual machine.
6. Click the vSphere Web Client - your_site_name tab in the Internet Explorer window.
7. Point to Home and select Hosts and Clusters.
8. Select the web-sv-01a virtual machine located in Site-A-Datacenter.
9. Click Actions and click Rename.
10. Enter SiteA at the end of the virtual machine's name.
11. Click OK.
12. Click Actions and select Migrate.
13. Select Change both compute resource and storage and click Next.
14. Expand Site-B-Datacenter and expand Compute.
15. Select one of the VMware ESXi hosts in the Compute cluster.
16. Click Next.
17. Select the destination datastore in the Select storage window and click Next.
18. Select the Discovered virtual machine folder and click Next.
19. Select the logical switch that includes universalwire in its name from the Destination
You performed live migration of a virtual machine from one vCenter Server system to another
without causing outage and without the need to change the IP address of the virtual machine.
28. Point to the Home icon and select Networking & Security.
The Universal Section and the rule in the Universal Section are already replicated to the
secondary NSX Manager.
Answer Key
Lab 2: Configuring and Deploying a VMware NSX Controller Cluster
Task 3: Verify That the First VMware NSX Controller Instance Is Operational . . . . . . . . . .10
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
5
Yes
All 5 roles
4 or 5
7 ports: 443, 2878, 2888, 3888, 6632, 6633, 7777
Task 5: Verify That the Second VMware NSX Controller Instance Is Operational . . . . . . .13
1.
2.
3.
4.
5.
6.
7.
8.
9.
Task 7: Verify That the Third VMware NSX Controller Instance Is Operational . . . . . . . . .16
1.
2.
3.
4.
5.
6.
7.
8.
9.
One
2.
vds-Datacenter
Yes
2.
No
No
Yes
Yes, the web-sv-02a virtual machine.
No
No
6.
7.
8.
3.
4.
5.
6.
1
512 MB
500 MB
2.
Yes
Yes
Yes
Yes
5.
6.
7.
8.
Yes
Yes
No, only directly connected subnets must be
advertised.
Yes, Direct connected can be learned, which
is sufficient.
5.
6.
7.
No
No
No, Connected is the only selection. Static
routes should be added.
2.
No
2.
3.
NAT
Because the load balancer is operating in
nontransparent mode and proxying sessions
between itself and the Web servers on behalf
of the original client.
Transparent mode
4.
5.
Task 10: Reposition the Virtual Server and Examine NAT Rule Changes . . . . . . . . . . . .106
1.
2.
3.
4.
Yes
No
No, the operations are the same.
The destination NAT translation occurs on the
outbound interface. In this case, vNic_2 facing
the network that the member servers are
attached to. The previous destination NAT
Two
Any of the ESXi hosts in the Management and
Edge Cluster.
3.
4.
Task 3: Examine the High Availability Service Status and Heartbeat . . . . . . . . . . . . . . . .122
1.
2.
3.
2.
3.
4.
2.
3.
4.
3.
4.
3.
Lab 18: Using NSX Edge Firewall Rules to Control Network Traffic
Task 3: Determine How the Firewall Rule Interacts with Other NSX Edge Features . . . .163
1.
No
Lab 19: Using the VMware NSX Distributed Firewall Rules to Control Network Traffic
Task 4: Restrict Inbound Web Server Traffic to HTTP and HTTPS . . . . . . . . . . . . . . . . .169
1.