Edu en Nicm62 Lab Ie

VMware NSX:
Install, Configure, Manage

Lab Manual
NSX 6.2
VMware Education Services

VMware, Inc.
www.vmware.com/education
VMware NSX:
Install, Configure, Manage
NSX 6.2
Part Number EDU-EN-NICM62-LAB
Lab Manual
Copyright/Trademark
Copyright 2015 VMware, Inc. All rights reserved. This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at http://www.vmware.com/go/
patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States
and/or other jurisdictions. All other marks and names mentioned herein may be trademarks
of their respective companies.
The training material is provided as is, and all express or implied conditions,
representations, and warranties, including any implied warranty of merchantability, fitness for
a particular purpose or noninfringement, are disclaimed, even if VMware, Inc., has been
advised of the possibility of such claims. This training material is designed to support an
instructor-led training course and is intended to be used for reference purposes in
conjunction with the instructor-led training course. The training material is not a standalone
training tool. Use of the training material for self-study without class attendance is not
recommended.
These materials and the computer programs to which it relates are the property of, and
embody trade secrets and confidential information proprietary to, VMware, Inc., and may not
be reproduced, copied, disclosed, transferred, adapted or modified without the express
written approval of VMware, Inc.
Technical review: Chris McCain, Rob Nendel
Technical editing: James Brook, Shalini Pallat
Production and publishing: Rhonda Jones, Saiesh Jaganath
The courseware for VMware instructor-led training relies on materials developed by the
VMware Technical Communications writers who produce the core technical documentation,
available at http://www.vmware.com/support/pubs.
www.vmware.com/education
TA B L E
OF
C ONTENTS
Lab 1: Configuring NSX Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Lab 2: Configuring and Deploying a VMware NSX Controller Cluster. . . . . . . . . . . . . . . . . . . . . . . 7
Lab 3: Creating and Configuring a Distributed Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Lab 4: Preparing for Virtual Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Lab 5: Configuring Logical Switch Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Lab 6: Configuring and Deploying an NSX Distributed Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Lab 7: Deploying an NSX Edge Services Gateway and Configuring Static Routing . . . . . . . . . . . . 51
Lab 8: Configuring and Testing Dynamic Routing on NSX Edge Appliances . . . . . . . . . . . . . . . . . 61
Lab 9: Configuring Equal Cost Multipathing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Lab 10: Configuring L2 Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Lab 11: Configuring and Testing Network Address Translation on an NSX
Edge Services Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Lab 12: Configuring Load Balancing with NSX Edge Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Lab 13: Advanced Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Lab 14: Configuring NSX Edge High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Lab 15: Configuring Layer 2 VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Lab 16: Configuring IPsec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Lab 17: Configuring and Testing SSL VPN-Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Lab 18: Using NSX Edge Firewall Rules to Control Network Traffic . . . . . . . . . . . . . . . . . . . . . . 159
Lab 19: Using the VMware NSX Distributed Firewall Rules to Control Network Traffic . . . . . . 165
Lab 20: Configuring an Identity-Aware Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Lab 21: Using VMware NSX Service Composer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Lab 22: Configuring the Cross-vCenter NSX Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
VMware NSX: Install, Configure, Manage
iii
iv
VMware NSX: Install, Configure, Manage
Lab 1
Configuring NSX Manager
Objective: Verifying the NSX Manager appliance settings

and registration to a vCenter Server system
In this lab, you will perform the following tasks:
1. Access Your Lab Environment
2. Review the NSX Manager Configuration
3. Verify That the vSphere Web Client Plug-In for NSX Manager Is Installed
4. License vCenter Server, the ESXi Hosts, and NSX Manager
5. Clean Up for the Next Lab
Lab 1 Configuring NSX Manager
Task 1: Access Your Lab Environment

You use a VMware Horizon View desktop or Remote Desktop Connection to connect to your
lab environment.
1. Use the information that is provided by your instructor to log in to your lab environment.
Task 2: Review the NSX Manager Configuration

In your lab environment, the VMware NSX Manager appliance is predeployed and preconfigured.
NSX Manager is also registered to the VMware vCenter Server appliance. You review the NSX
Manager deployment configuration. The review sequence matches the steps for configuring NSX
Manager after initial deployment.
Use the following information from the class configuration handout:
Your site name
NSX Manager host name
NSX Manager IPv4 address
NSX Manager subnet mask
NSX Manager default gateway
NSX Manager primary DNS server
vCenter Server name
IP address of the RRAS server
1. Log in to the NSX Manager user interface.
a. On the student desktop, double-click the Internet Explorer shortcut.
b. In the Internet Explorer window, click the NSX Manager - your_site_name bookmark.
c. Click the Continue to this website (not recommended) link when prompted with a
certificate warning message.

d. On the login page, log in as admin and enter the password VMware1!.
2. In the NSX Manager user interface, click View Summary.
a. View the NSX Manager appliance IP address, CPU, memory, and storage utilization.
b. Verify that the vPostgres, RabbitMQ, and NSX Management Service services are running.
3. Click the Manage tab on the top-left corner.
4. On the Manage tab, verify that Settings > General is selected in the left pane.
5. Verify that the following general settings are configured:
NTP Server setting is the RRAS server. This server runs all the infrastructure services for
the lab environment.
Syslog Server is the IP address of the RRAS server.
Locale is en-US.
6. In the left pane, select Network and verify the values.
7. In the left pane, select NSX Management Service under Components and verify that the
following values are configured as specified:

Lookup Service: Not Configured
vCenter Server: Your vCenter Server name
vCenter Server User Name: administrator@vsphere.local
vCenter Server Status: Connected with a green dot icon
Task 3: Verify That the vSphere Web Client Plug-In for NSX Manager Is
Installed
In your lab environment, the VMware vSphere Web Client Plug-in for NSX Manager is
preinstalled and ready for use. You verify that the vSphere Web Client is installed.
Your vCenter Server administrator login account
1. In the Internet Explorer window, click the vSphere Web Client bookmark and click Continue
to this website (not recommended).

2. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
3. Wait for the initial authentication to complete.
The initial authentication might take several minutes to complete.
4. On the vSphere Web Client, point to the Home icon at the top and select Networking &
Security.
5. In the navigation pane on the left, review the list of VMware NSX features and select NSX
Managers.
6. In the middle pane, verify that your NSX Manager instance appears in the Objects list.
The IP address of the NSX Manager instance should match the NSX Manager IPv4 address.
If your NSX Manager instance does not appear in the Objects list, you must ask your instructor
for help.
Task 4: License vCenter Server, the ESXi Hosts, and NSX Manager
You license the vCenter Server system, the VMware ESXi hosts, and NSX Manager. Your
instructor provides the necessary licenses.
Your ESXi hosts
1. Point to the Home icon at the top and click Administration.
2. In the left pane, click Licenses.
3. Assign a vCenter Server license key to the vCenter Server instance.
a. In the middle pane, click the Assets tab.
b. Click the vCenter Server Systems tab.
c. With your vCenter Server instance selected, click All Actions and select Assign License.
d. In the Assign License Key panel, click the plus sign to add the key.
e. In the License key text box, enter or paste the vCenter Server license key provided by the
instructor and click Next.

f. Review the expiration date and license capacity.
g. Click Next.
h. Click Finish.
i. In the Assign License panel, select the license key that you added and click OK.
4. Assign a VMware vSphere Enterprise Edition 6 license key to each ESXi host.
a. In the center pane, click the Hosts tab.
b. Select the first ESXi host in the list.
c. Press Shift and select your ESXi hosts.
4
d. Click All Actions and select the Assign License Key link.
e. In the Assign License Key panel, click the plus sign to add the key.
f. In the License key text box, enter or paste the vSphere Enterprise 6 license key provided
by the instructor and click Next.

g. Review the expiration date and license capacity.
h. Click Next.
i. Click Finish.
j. In the Assign License panel, select the license key that you added and click OK.
k. In the hosts list, press Shift and click to select your ESXi hosts.
l. Right-click the selected hosts and select Connect from the pop-up menu.
You can also connect each host individually from the vCenter > Hosts and Clusters
inventory panel.
5. Assign a VMware NSX for vSphere license.
a. In the middle pane, click the Solutions tab.
b. Select the NSX for vSphere solution.
c. Click All Actions and select Assign License.
d. In the Assign License Key panel, click the plus sign.
e. In the License key text box, enter or paste the NSX for vSphere license key provided by
the instructor and click Next.

f. Review the expiration date and license capacity.
g. Click Next.
h. Click Finish.
i. In the Assign License panel, select the license key that you added and click OK.
Task 5: Clean Up for the Next Lab

You perform this action to prepare for the next lab.
1. Point to the Home icon at the top and select Networking & Security.
Lab 2
Configuring and Deploying a VMware

NSX Controller Cluster
Objective: Deploy a three-node VMware NSX Controller
cluster
1. Prepare for the Lab
2. Deploy the First VMware NSX Controller Instance
3. Verify That the First VMware NSX Controller Instance Is Operational
4. Deploy the Second VMware NSX Controller Instance
5. Verify That the Second VMware NSX Controller Instance Is Operational
6. Deploy the Third VMware NSX Controller Instance
7. Verify That the Third VMware NSX Controller Instance Is Operational
Lab 2 Configuring and Deploying a VMware NSX Controller Cluster
Task 1: Prepare for the Lab

You prepare for the lab if you have closed windows or logged out of the VMware vSphere Web
Client interface.
Your site name
1. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the
student desktop.
2. If you are not logged in to the vSphere Web Client, click the vSphere Web Client -
your_site_name bookmark in the Internet Explorer window.

3. When prompted, log in with your VMware vCenter Server administrator login account and
enter the password VMware1!.

4. On the vSphere Web Client Home page, click Networking & Security.
Task 2: Deploy the First VMware NSX Controller Instance

You configure and deploy the first of three VMware NSX Controller instances.
Data center
Datastore
VMware NSX Controller pool gateway
VMware NSX Controller static IP pool range
1. In the left navigation pane, select Installation.
2. Click the Management tab
3. In the middle pane, click the green plus sign in the NSX Controller nodes panel.
4. In the Add Controller dialog box, configure and deploy the first VMware NSX Controller
instance.
a. Select the VMware NSX Manager IPv4 address from the NSX Manager drop-down
menu.
b. Select your data center from the Datacenter drop-down menu.
c. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
8
d. Select your datastore from the Datastore drop-down menu.

e. Leave the host and folder selection blank.
f. Click the Connected To > Select link.
g. In the Select Network dialog box, select Distributed Portgroup from the Object Type
drop-down menu.
h. Click Management and click OK.
i. Click Select in the IP Pool row.
j. Click the New IP Pool link at the bottom of the Select IP Pool dialog box.
k. In the Add Static IP Pool dialog box, add a new pool.
Option
Action
Name
Enter Controller-Pool in the text box.
Gateway
Enter the gateway.
Prefix Length
Enter 24 in the text box.
Primary DNS
Leave blank.
Secondary DNS
Leave blank.
DNS Suffix
Leave blank.
Static IP Pool
Enter the VMware NSX Controller static IP pool range.
l. Click OK.
m. Select Controller-Pool in the Select IP Pool dialog box and click OK.
n. In the Add Controller dialog box, enter VMware1!VMware1! in the Password and
Confirm password text boxes.

o. Click OK.
5. Monitor the VMware NSX Controller deployment to completion.
If necessary, use the horizontal scroll bar to uncover the Status column.
Monitor the deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.
Task 3: Verify That the First VMware NSX Controller Instance Is

Operational
You use the vSphere Web Client and the VMware NSX Controller command line to determine the
operational status of the VMware NSX Controller cluster after adding one node.
1. Point to the vSphere Web Client Home icon and click Hosts and Clusters.
2. Expand the Hosts and Clusters inventory tree to expand each cluster.
3. Click the vSphere Refresh icon next to the current logged in user name.
4. In the Management and Edge cluster inventory, select the newly deployed VMware NSX
Controller virtual machine.

The virtual machine name starts with NSX_Controller_.
5. In the middle pane, review the Summary tab report.
Q1. What is the power status of the VMware NSX Controller instance?
1. Powered-on, based on the activated Play icon.
Q2. How many vCPUs does the VMware NSX Controller instance have?
2. 2
Q3. How much total memory does the VMware NSX Controller instance have?
3. 2,048 MB
Q4. How large is the VMware NSX Controller hard disk?
4. 20 GB
Q5. What port group is the VMware NSX Controller instance connected to?
5. Management
Q6. What is the IP address of the VMware NSX Controller instance?
6. IP address assigned from the Controller-Pool created in task 2.
6. Minimize the Internet Explorer window.

7. Use MTPuTTY to establish an SSH connection to the first VMware NSX Controller instance.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. Select Server on the top-left corner and click Add Server
c. In the Properties window, enter the IP address from step 5 in the Server name text box and
select SSH as the Protocol.
10
d. Click OK.
Your newly added controller appears on the left side.

e. Double-click on the VMware NSX Controller IP address.
f. If prompted to confirm a PuTTY security alert, click Yes.
g. Log in as admin and enter the password VMware1!VMware1!

8. In the MTPuTTY window, run the following command to determine the cluster status for the
first node.
show control-cluster status
9. Review the command output.
Q7. How many enabled and activated roles are listed?
7. 5
Q8. Can VMware NSX Controller be safely restarted?
8. Yes
10. Run the following command to determine the startup nodes in the cluster and review the
command output.
show control-cluster startup-nodes
11. Run the following command to review a detailed cluster role report.
show control-cluster roles

Q9. How many roles have been assigned with the first VMware NSX Controller
instance as master?
9. All 5 roles
13. Run the following command to review a cluster connections report.
show control-cluster connections

Q10. How many roles have components actively listening on a network port?
10. 4 or 5
Q11. How many unique ports are used for role-based communications?
11. 7 ports: 443, 2878, 2888, 3888, 6632, 6633, 7777
11
15. Close the MTPuTTY window.

16. Restore the Internet Explorer window.
Task 4: Deploy the Second VMware NSX Controller Instance

You configure and deploy the second of three VMware NSX Controller instances.
Data center
Datastore
1. Point to the Home icon and select Networking & Security.
3. In the middle pane, click the green plus sign in the NSX Controller nodes panel on the
Management tab.
4. In the Add Controller dialog box, configure and deploy the second VMware NSX Controller
instance.
a. Select your NSX Manager IPv4 address from the NSX Manager drop-down menu.
f. Click Connected To > Select.
g. In the Select Network dialog box, click Distributed Portgroup from the Object Type
drop-down menu.
i. Click Select in the IP Pool row.
j. Select Controller-Pool and click OK.
NOTE
You do not need to configure the password. The password is configured for the first VMware
NSX Controller node. The password is common across all the VMware NSX Controller cluster
nodes.
k. Click OK.
12
Monitor the second node deployment until the status changes from Deploying to Normal.
Task 5: Verify That the Second VMware NSX Controller Instance Is

Operational
operational status of the VMware NSX Controller cluster after adding two nodes.
1. Point to the Home icon and select Hosts and Clusters.
2. Expand the Hosts and Clusters inventory tree.
3. Click the vSphere Refresh icon.
4. In the Management and Edge cluster inventory, select the second VMware NSX Controller
instance.
The VMware NSX Controller name starts with NSX_Controller_.
2. 2
3. 2048 MB
4. 20 GB
5. Management
6. IP address assigned from the Controller-Pool created earlier.
13
7. Use MTPuTTY to establish an SSH connection to the second VMware NSX Controller
instance.
b. Select Server in the top-left corner and click Add Server.
c. In the Properties window, enter the IP address from step 5 in the Server Name field and
select SSH as the Protocol.

d. Click OK.
e. Double-click the VMware NSX Controller IP address that you added to open the PuTTY
session.
g. Log in as admin and enter the password VMware1!VMware1!.
first node.
7. 5
Q8. Can the VMware NSX Controller instance be safely restarted?
8. Yes
10. Run the following command to determine the startup nodes in the cluster and review the
command output.

Q9. How many roles have been assigned with the second VMware NSX Controller
instance as master?
9. Zero, none of the roles. Answers vary.
14
14. Close the MTPuTTY window.

Task 6: Deploy the Third VMware NSX Controller Instance
You configure and deploy the third VMware NSX Controller instance.
Data center
Datastore
2. In the left navigation pane, select Installation,
3. In the middle pane, click the green plus sign in the NSX Controller nodes panel on the
Management tab.
4. In the Add Controller dialog box, configure and deploy the third VMware NSX Controller
instance.
a. Select your NSX Manager IPv4 address from the NSX Manager drop-down menu.
f. Click Connected To > Select.
g. In the Select Network dialog box, select Distributed Port Group from the Object Type
drop-down menu.
i. Click Select in the IP Pool row, select Controller-Pool, and click OK
j. Click OK.
Monitor the third node deployment until the status changes from Deploying to Normal.
15
Task 7: Verify That the Third VMware NSX Controller Instance Is

Operational
operational status of the VMware NSX Controller cluster after adding three nodes.
1. Point to the Home icon and select Hosts and Clusters.
2. Expand the Hosts and Clusters inventory tree.
3. Click the vSphere Refresh icon.
4. In the Management and Edge Cluster inventory, select the third VMware NSX Controller
instance.
The VMware NSX Controller name starts with NSX_Controller_.
2. 2
3. 2048 MB
4. 20 GB
5. Management
6. IP address assigned from the Controller-Pool created earlier.

7. Use MTPuTTY to establish an SSH connection to the third VMware NSX Controller instance.
b. Click Server and select Add Server.
c. In the properties dialog box, enter the IP address from step 5 in the Server Name text box
and select SSH.

d. Click OK.
16
e. Double-click the VMware NSX Controller IP address.

g. Log in as admin and enter the password VMware1!VMware1!.
first node.
7. 5
Q8. Can the VMware NSX Controller instance be safely restarted?
8. Yes
10. Run the following command to determine the startup nodes in the cluster, and review the
command output.

Q9. How many roles have been assigned with the second VMware NSX Controller
instance as master?
9. Zero, none of the roles. Answers vary.

14. Click X to close the MTPuTTY window.

You prepare for the next lab.
1. Point to the Home icon and select Networking.
CAUTION
You must select Networking and not Networking & Security to prepare for the next lab.
17
18
Lab 3
3
Creating and Configuring a Distributed

Switch
Objective: Create and configure a distributed switch

2. Examine the Existing Distributed Switch Configuration
3. Create a Distributed Switch
4. Delete the New Distributed Switch
Lab 3 Creating and Configuring a Distributed Switch
19

Client interface.
Your site name
student desktop.


4. Point to the vSphere Web Client Home icon and click Networking.
Task 2: Examine the Existing Distributed Switch Configuration

You examine the existing distributed switch configuration.
Your existing distributed switch
1. In the left navigation pane, expand the vCenter Server inventory to see the existing network
configuration in your data center.

2. Select your exiting distributed switch in the left navigation pane.
3. In the middle pane, click the Manage tab and click Settings.
4. Click the Topology link.
5. In the distributed switch topology diagram, verify the settings
a. Expand Uplink1 and verify that the vmnic0 interface is attached to all the VMware
ESXi hosts.
b. Expand Uplink2 and verify that vmnic1 is attached to the uplink.
c. Expand Uplink3 and verify that vmnic2 is attached to the uplinks.
20
6. In the middle pane on the left, click the Properties link and verify the settings.
Network I/O Control is enabled.

MTU size is 1600 bytes.
Discovery Protocol is enabled and set to Cisco Discovery Protocol.
7. Click each additional configuration link and verify the default settings.
Task 3: Create a Distributed Switch
You create a distributed switch.

Data center
1. In the Networking inventory tree on the left, select your data center.
2. In the middle pane, click Actions and select Distributed Switch > New Distributed Switch.
In the New Distributed Switch dialog box, enter dvs-your_name in the Name text box and
click Next.
3. Under Select Version, leave Distributed switch: 6.0.0 selected and click Next.
4. Under Edit Settings, edit the distributed switch settings.
a. Change the number of uplinks to 2.
b. Leave Network I/O Control enabled.
c. Deselect the Create a default port group check box and click Next.
5. Under Ready to complete, review the configuration and click Finish.
6. Create a port group on the new distributed switch.
a. Select your new distributed switch in the Networking inventory tree, click Actions, and
select Distributed Port Group > New Distributed Port Group.

b. In the New Distributed Port Group dialog box, enter dvpg1 in the Name text box and click
Next.
c. In Configure Settings page, view the default settings and click Next.
d. In Ready to complete page, click Finish.
A new port group called dvpg1 appears in the Networking inventory tree under your new
distributed switch.
21
7. Add the ESXi host to the new distributed switch.

a. In the Networking inventory tree, select your new distributed switch, click Actions, and
select Add and Manage Hosts.

b. In the Add and Manage Hosts dialog box, leave Add hosts selected and click Next.
c. Under Select Hosts, click the New hosts link, select all the ESXi hosts, and click OK.
d. Click Next.
e. Under Select network adapter tasks, deselect all the check boxes except Manage physical
adapters and click Next.

f. Under Manage physical network adapters, click Next.
g. Click OK when the warning window appears.
You must not select any physical adapters because all adapters are attached to an existing
switch and you are creating the new switch for practice.
h. Under Analyze impact, click Next.
i. Under Ready to complete, click Finish.
Task 4: Delete the New Distributed Switch

You use the vSphere Web Client to delete the new distributed switch.
1. Select your new distributed switch from the Networking inventory pane and click Actions.
2. Select Add and Manage Hosts.
3. In the Add and Manage Hosts window, select Remove Hosts and click Next.
4. On the Select hosts page, click Attached Hosts and select all the hosts in the Select member
hosts drop-down menu.

5. Click OK.
6. Click Next.
7. Click Finish on the Ready to complete page.
8. In the middle pane, click the Related Objects tab and click the Hosts tab.
9. Verify that the list is empty.
10. In the middle pane, click Actions and select Delete.
11. Click Yes when prompted with a warning message.
12. Verify that the distributed switch is removed from the Networking inventory pane.
22

You prepare for the next lab.
23
24
Lab 4
Preparing for Virtual Networking
:
4
Objective: Install the NSX for vSphere modules in ESXi

hosts and configure the VXLAN IP pools and a transport
zone
2. Install NSX for vSphere Modules on the ESXi Hosts
3. Configure VXLAN on the ESXi Hosts
4. Configure the VXLAN ID Pool
5. Configure a Local Transport Zone
Lab 4 Preparing for Virtual Networking
25

Client interface.
Your site name
student desktop.
2. If you are logged out of the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account
and enter the password VMware1!.
Task 2: Install NSX for vSphere Modules on the ESXi Hosts

You install the VMware NSX for vSphere modules on the VMware ESXi hosts that are
assigned to two different clusters.
3. In the middle pane, click the Host Preparation tab.
4. For each listed cluster, point to Not Installed in the Installation Status column, click the gear
icon, and select Install.

5. Click Yes when prompted to confirm.
The following clusters are listed:

Management and Edge
Compute
6. Monitor the installation status of each cluster.
The installation status changes from Installing to a green check mark and the VXLAN column
contains an active Not Configured link.
26
Task 3: Configure VXLAN on the ESXi Hosts

For each cluster, you specify the distributed switch and IP pool to be used for VXLAN networking.
VTEP gateway IP address
IP range for VTEPs
1. For the Compute cluster, click the Not Configured link provided in the VXLAN column to
open the Configure VXLAN networking dialog box.

a. Verify that the Switch selection is vds-Datacenter.
b. Verify that the VLAN setting is 0.
c. Verify that the MTU setting is 1600.
d. For VMKNic IP Addressing, click Use IP Pool.

e. Select New IP Pool from the IP Pool drop-down menu.
f. In the Add Static IP Pool dialog box, configure an IP pool.
Option
Action
Name
Enter VTEP-Pool in the text box.
Gateway
Enter the VTEP Gateway IP address.
Prefix Length
Primary DNS
Leave blank.
Secondary DNS
Leave blank.
DNS Suffix
Leave blank.
Static IP Pool
Enter the IP range for VTEPs.
g. Click OK.
h. Leave VMKNic Teaming Policy as Fail Over and click OK.
27
2. Wait for the update to complete and determine if an error message appears in the VXLAN
column for Compute Cluster A.

An error indicates a transitory condition that occurs early in the process of applying the
VXLAN configuration to the cluster. The vSphere Web Client interface has not updated to
display the actual status.
3. Click the vSphere Web Client Refresh icon on the left of the logged-in user name.
4. Verify that the Compute cluster VXLAN status is Configured with a green check mark.
5. For the Management and Edge cluster, click the Not Configured link provided in the VXLAN
column to open the Configure VXLAN networking dialog box.

a. Verify that the Switch selection is vds-Datacenter.
b. Verify that the VLAN setting is 0.
c. Verify that the MTU setting is 1600.
d. For VMKNic IP Addressing, click Use IP Pool and select VTEP-Pool from the drop-down
menu.
e. Leave VMKNic Teaming Policy as Fail Over and click OK.
6. Wait for the update to complete and click the vSphere Web Client Refresh icon.
7. Verify that the Management and Edge cluster VXLAN status is Configured with a green check
mark.
If the VXLAN status is not Configured, wait and refresh again until the status changes.
8. Click the Logical Network Preparation tab and verify that VXLAN Transport is selected.
9. In the Clusters and Hosts list, expand each cluster.
10. For each host, confirm that the host has a vmk# interface.
Q1. What is the number of VTEPs on each host?
1. One
Q2. Which is the switch that is connected to each hosts VMKNic?
2. vds-Datacenter
28
Task 4: Configure the VXLAN ID Pool

You configure the ID range that is used to identify VXLAN networks.
Segment ID range
1. On the Logical Network Preparation tab, click Segment ID.
2. Click Edit to open the Segment ID pool dialog box and configure settings.
Option
Action
Segment ID Pool
Enter the segment ID range.
Enable multicast addressing
Leave the check box deselected.
3. Click OK.
Task 5: Configure a Local Transport Zone

A transport zone specifies the hosts and clusters that are associated with logical switches that are
created in the zone. Hosts in a transport zone are automatically added to the logical switches that
you create. This process is similar to manually adding hosts to the distributed switch.
1. On the Logical Network Preparation tab, click Transport Zones.
2. Click the green plus sign to open the New Transport Zone dialog box and configure a transport
zone.
Option
Action
Name
Enter Local Transport Zone in the text box.
Control Plane Mode
Click the Unicast button.
Select clusters to add
Select the check box for each cluster.
3. Click OK.
4. Wait for the update to complete and verify that Local Transport Zone appears in the transport
zones list with a Control Plane Mode of Unicast.
29

You perform this action to prepare for the next lab.
1. In the vSphere Web Client, remain in the Networking & Security view.
30
Lab 5
Configuring Logical Switch Networks
Objective: Create and test logical switches for the WebTier, App-Tier, and DB-Tier transport networks
5

2. Create Logical Switches
3. Verify That Logical Switch Port Groups Appear in vSphere
4. Migrate Virtual Machines to Logical Switches
5. Test Network Connectivity
Lab 5 Configuring Logical Switch Networks
31

Client interface.
Your site name
student desktop.
2. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your-
site_name bookmark in the Internet Explorer window.


Task 2: Create Logical Switches

You create logical switches for the Transit, Web-Tier, App-Tier, and DB-Tier networks.
1. In the left navigation pane, select Logical Switches.
2. In the center pane, click the green plus sign to open the New Logical Switch dialog box and
configure the Transit-Network switch.

a. Enter Transit-Network in the Name text box.
b. For Transport Zone, click Change and select Local Transport Zone.
c. Click OK.
The replication mode changes to Unicast.

d. Click OK.
3. Wait for the update to complete and verify that Transit-Network appears with a status of
Normal.
4. Click the green plus sign to open the New Logical Switch dialog box and configure the Web-
Tier switch.
a. Enter Web-Tier in the Name text box.
c. Click OK.
d. Click OK.
32
5. Wait for the update to complete and verify that Web-Tier appears with a status of Normal.
6. Click the green plus sign to create a logical switch.
7. In the New Logical Switch dialog box, configure the App-Tier switch.
a. Enter App-Tier in the Name text box.
c. Click OK.
d. Click OK.
8. Wait for the update to complete and verify that App-Tier appears with a status of Normal.
9. Click the green plus sign to create a logical switch.
10. In the New Logical Switch dialog box, configure the DB-Tier switch.
a. Enter DB-Tier in the Name text box.
c. Click OK.
d. Click OK.
11. Wait for the update to complete and verify that DB-Tier appears with a status of Normal.
Task 3: Verify That Logical Switch Port Groups Appear in vSphere

You verify that logical switch port groups appear in the VMware vSphere networking inventory.
1. Point to the vSphere Web Client Home icon and select Networking.
You must click the vSphere Networking icon. You must not click the VMware NSX
Networking and Security icon.
2. Expand the Networking inventory tree.
3. Click the vSphere Web Client Refresh icon.
4. Drag the pane divider to the right to expand the horizontal size of the inventory pane so that the
port group names appear completely.

5. In the vds-Datacenter inventory, find port groups with names ending with the following:
Transit-Network
Web-Tier
App-Tier
DB-Tier
33
6. If the specified port groups do not appear in the vds-Datacenter inventory, refresh the vSphere
Web Client and ensure that the port groups appear.

a. Wait for 1 minute.
b. Click the vSphere Web Client Refresh icon.
7. Review the networking inventory.
Q1. Can the ID number associated with a VXLAN logical switch be determined from
the port group name?
1. Yes, the ID follows the sid keyword in the port group name.
Task 4: Migrate Virtual Machines to Logical Switches

You use the vSphere Web Client plug-in for VMware NSX Manager to migrate virtual machines
to logical switches.
1. Point to the vSphere Web Client Home icon and select Networking & Security.
2. In the left navigation pane, select Logical Switches.
3. In the center pane, select the Web-Tier logical switch.
4. Click Actions and select Add VM.
5. In the Web-Tier - Add Virtual Machines dialog box, migrate web virtual machines to the Web-
Tier logical switch.

a. In the Available Objects list, select web-sv-01a and web-sv-02a and click the right arrow.
b. Click Next.
c. In the Select vNICs list, select the Network Adapter 1 (VM Network) check box for
web-sv-01a and web-sv-02a.

d. Click Next.
e. Click Finish.
6. In the Logical Switches list, double-click the Web-Tier entry to manage that object.
7. Click the Related Objects tab and click Virtual Machines.
Q1. Do the web-sv-01a and web-sv-02a virtual machines appear in the virtual
machines list?
1. Yes
Q2. Do any other virtual machines appear in the list?
2. No
34
8. At the top of the left inventory pane, click the Networking & Security back arrow.
9. In the Logical Switches list, select the App-Tier logical switch.
11. In the Add Virtual Machines dialog box, migrate the app virtual machine to the App-Tier logical
switch.
a. In the Available Objects list, select the app-sv-01a.
b. Click the right arrow.
c. Click Next.
d. In the Select vNICs list, select the Network Adapter 1 (VM Network) check box for
app-sv-01a.
e. Click Next.
f. Click Finish.
12. In the Logical Switches list, select the DB-Tier logical switch.

14. In the Add Virtual Machines dialog box, migrate the DB virtual machine to the DB-Tier logical
switch.
a. In the Available Objects list, select the db-sv-01a.
b. Click the right arrow.
c. Click Next.
d. In the Select VNICs list, select the Network Adapter 1 (VM Network) check box for
db-sv-01a.
e. Click Next.
f. Click Finish.
Task 5: Test Network Connectivity

You test connectivity between virtual machines, between a physical system and the virtual
machines, and between hosts using virtual switch monitoring tools.
1. Point to the vSphere Web Client Home icon and select VMs and Templates.
2. Expand the VMs and Templates inventory tree.
The following virtual machines are found in the Discovered virtual machine folder:
web-sv-01a
35
web-sv-02a
app-sv-01a
db-sv-01a
3. Power on each virtual machine.
a. Select the virtual machine in the inventory.
b. Select Power On from the Actions drop-down menu.
4. Record the IP address assigned to each of the virtual machines.
web-sv-01a IP address __________

app-sv-01a IP address __________
db-sv-01a IP address __________
To view an IP address assignment, you can select the virtual machine in the inventory. The IP
address assignment appears at the top of the Summary tab report.
The IP address information is also provided in your lab topology handout on the Lab Networks
and IP Addressing page.
5. Test connectivity from the web-sv-01a virtual machine by using a console window.
a. In the VMs and Templates inventory tree, select the web-sv-01a virtual machine.
b. Select Open Console from the Actions drop-down menu.
It might take a minute for the console window to initialize. Point to the console window,
wait until the mouse pointer becomes a hand icon, click anywhere inside the console
window, and press Enter.
c. Log in as root and enter the password VMware1!.
d. At the command prompt, run the following command to query the ARP cache.
arp -an
Q1. Did the command return any entries?
1. No
e. At the command prompt, run the following command to ping the web-sv-02a virtual
machine.
ping ip_address
ip_address is the web-sv-02a IP address recorded in step 4.
36
Q2. Did the ping command receive replies from the web-sv-02a virtual machine?
2. Yes
f. Press Ctrl+C to stop the ping command.

g. At the command prompt, run the following command to query the ARP cache.
arp -an
3. Yes, the web-sv-02a virtual machine.
h. At the command prompt, run the following command to ping the app-sv-01a virtual
machine.
ping ip_address
ip_address is the app-sv-01a IP address recorded in step 4.
Q4. Did the ping command receive replies from the app-sv-01a virtual machine?
4. No
i. Press Ctrl+C to stop the ping command.

j. At the command prompt, run the following command to ping the db-sv-01a virtual
machine.
ping ip_address
ip_address is the db-sv-01a IP address recorded in step 4.
Q5. Did the ping command receive replies from the db-sv-01a virtual machine?
5. No
k. Press Ctrl+C to stop the ping command.

l. Review the ping tests.
Q6. If any ping test failed, what might be the root cause?
6. East-West routing has not been established between the logical switch networks.
m. In the Internet Explorer window, press Ctrl+Alt to release the mouse cursor.
n. Leave the web-sv-01a console tab open for the remainder of the class.
o. In the Internet Explorer window, click the vSphere Web Client - your_site_name tab.
6. Use the Command Prompt window to test connectivity from the desktop.
a. Minimize the Internet Explorer window.
37
b. On the desktop, double-click the Command Prompt shortcut.

c. In the Command Prompt window, run the following command to ping the web-sv-01a
virtual machine.
ping ip_address
7. No
Q8. If no ICMP replies were received, why?
8. As is the case with East-West routing, North-South routing has not yet been established.
d. Leave the Command Prompt window open for the remainder of the class.
7. Test connectivity between the ESXi hosts VTEP.
You test connectivity between two ESXi hosts, but you can perform this test to validate VTEP
connectivity between all the hosts.
a. Restore the Internet Explorer window.
b. Point to the vSphere Web Client Home icon and select Networking & Security.
c. In the left navigation pane, select Installation.
d. In the center pane, select Logical Network Preparation and click VXLAN Transport.
e. Expand both the clusters and make a note of vmk2 IP address for esxi-your_site_name-
04.vclass.local and esxi-your_site_name-05.vclass.local.

f. Minimize Internet Explorer and open MTPuTTY.
g. Double-click on esxi-your_site_name-04.
A putty session is opened to the ESXi host.

h. Enter the vmkping ++netstack=vxlan -d -s 1572 -I vmk2
IP_address_of_esxi-your_site_name-05_vmk2_from-step_7e command.
The ping command should be successful. The VTEPs on the ESXi hosts can communicate
with each other and the physical network is configured to support VXLAN frames.
i. Click X to close the PuTTY session.
j. Minimize MTPuTTY.
k. Restore Internet Explorer window on the student desktop.
38

You perform these actions to prepare for the next lab.
1. In the vSphere Web Client interface, stay in the Networking & Security view.
2. In the Internet Explorer, leave the following tabs open:
vSphere Web Client

web-sv-01a
3. On the desktop, leave the Command Prompt and MTPuTTY windows open.
39
40
Lab 6
Configuring and Deploying an NSX

Distributed Router
Objective: Configure East-West routing by deploying a

distributed logical router
2. Configure and Deploy a VMware NSX Distributed Logical Router

3. Verify the Distributed Router Deployment and Configuration
4. Test Connectivity
5. Use the VMware NSX Controller CLI Commands to Verify the Distributed Router Deployment
Lab 6 Configuring and Deploying an NSX Distributed Router
41

Client interface.
Your site name
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
student desktop.


5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. Point to the vSphere Web Client Home icon and click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
Task 2: Configure and Deploy a VMware NSX Distributed Logical

Router
You configure and deploy a VMware NSX distributed logical router that is connected to each of
the logical switches.
Your site name
Data center
Datastore
42
Lab 6
Configuring and Deploying an NSX Distributed Router
IP address for Transit-Network LIF

IP address for Web-Tier Interface LIF
IP address for App-Tier Interface LIF
IP address for DB-Tier Interface LIF
1. Point to the vSphere Web Client Home icon and click Networking & Security.
2. In the left navigation pane, select NSX Edges.
3. In the center pane, click the green plus sign to open the New NSX Edge dialog box.
4. On the Name and description page, click Logical (Distributed) Router.
5. Enter Distributed Router - your_site_name in the Name text box and click Next.
6. On the CLI credentials page, enter VMware1!VMware1! in the password text box and the
Confirm password text box.

7. Select the Enable SSH Access check box and click Next.
8. On the Configure Deployment page, verify that your data center is selected.
9. Under NSX Edge Appliances, click the green plus sign to open the Add NSX Edge Appliance
dialog box.
a. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
b. Select your datastore from the Datastore drop-down menu.

c. Leave all other fields blank and click OK.
10. Click Next.
11. On the Configure interfaces page, click the Connected To > Select link under HA Interface
Configuration.
12. In the Connect NSX Edge to a Network dialog box, click Distributed Portgroup.
13. Click Management and click OK.
14. Under Configure Interfaces of this NSX Edge, click the green plus sign to open the Add
Interface dialog box and configure the first of the four interfaces.
b. For Type, leave UpLink selected.
c. Click the Connected To > Select link.
d. Click Transit-Network and click OK.
e. Click the green plus sign under Configure Subnets.
f. Enter the IP address for Transit-Network LIF in the Primary IP Address text box.
43
g. Enter 27 in the Subnet prefix length text box.

h. Leave all other settings at default value and click OK.
15. Under Configure Interfaces of this NSX Edge, click the green plus sign to open the Add Interface
dialog box and configure the second of the four interfaces.

a. Enter Web-Tier in the Name text box.
b. For Type, click Internal.
d. Click Web-Tier and click OK.
f. Enter the IP address for Web-Tier Interface LIF in the IP Address text box.
Interface dialog box and configure the third of the four interfaces.
a. Enter App-Tier in the Name text box.
d. Click App-Tier and click OK.
f. Enter the IP address for App-Tier Interface LIF in the IP Address text box.
Interface dialog box and configure the fourth interface.

a. Enter DB-Tier in the Name text box.
d. Click DB-Tier and click OK.
f. Enter the IP address for DB-Tier Interface LIF in the IP Address text box.
h. Leave all other settings at the default value and click OK.
44
Lab 6
18. Compare the interface configurations to the following table.
Name
IP Address
Subnet Prefix Length
Connected To
Transit-Network
From Handout
27
Transit-Network
Web-Tier
From Handout
24
Web-Tier
App-Tier
From Handout
24
App-Tier
DB-Tier
From Handout
24
DB-Tier
19. If an entry is not configured correctly, select the entry and click the pencil icon to edit the entry.
20. Click Next.
21. On the Default gateway settings page, deselect Configure Default Gateway and click Next.
22. On the Ready to complete page, review the configuration report and click Finish.
23. Above the edge list, monitor the deployment to completion.
The deployment is complete when 0 installations are active.
Task 3: Verify the Distributed Router Deployment and Configuration

You verify that the distributed router is configured correctly and is deployed successfully.

Your site name
1. In the edge list, verify that the Distributed Router - your_site_name entry displays Logical
Router as the type.

2. Double-click the Distributed Router entry to manage that object.
3. Click the Manage tab and verify that Settings is selected.
4. In the settings category panel, select Interfaces.
5. In the Interfaces list, verify that each interface shows a green check mark in the Status column.
6. In the settings category panel, select Configuration.
7. At the bottom of the center pane, find the Logical Router Appliances panel.
Q1. On which datastore is the logical router Edge Appliance deployed?
1. Datastore selected during the deployment of the logical router.
Q2. On which host is the logical router Edge Appliance running?
2. Can be either host that is assigned to Management and Edge Cluster.
45
9. Expand the inventory tree so that all the inventory for each cluster appears.
10. In the inventory tree, find and select the Distributed Router - your_site_name virtual machine
and review the Summary tab report.

11. Expand the VM Hardware section in the middle pane to view the hardware settings.
The Distributed Router item name starts with the text Distributed Router and appears in the
Management and Edge cluster.
Q3. How many vCPUs does the virtual machine have?
3. 1
Q4. How much memory does the virtual machine have?
4. 512 MB
Q5. How large is the hard disk?
5. 500 MB
Q6. How many network adapters are connected to port groups?
6. 2.
Task 4: Test Connectivity

You test connectivity between virtual machines, between a physical system and the virtual
machines, and between hosts using virtual switch monitoring tools.
1. Point to the vSphere Web Client Home icon and click VMs and Templates.
2. Record the IP address assigned to each of the following virtual machines found in the
Discovered virtual machine folder.

app-sv-01a IP address __________
db-sv-01a IP address __________
The IP address information can also be found in your lab topology handout on the Lab
Networks and IP Addressing page.
3. Test connectivity from the web-sv-01a virtual machine.
a. In the Internet Explorer window, click the web-sv-01a tab.
46
Lab 6
b. At the command prompt, run the following command to ping the web-sv-02a virtual
machine.
ping ip_address
1. Yes
c. Press Ctrl+C to stop the ping command.

d. At the command prompt, run the following command to ping the app-sv-01a virtual
machine.
ping ip_address
ip_address is the app-sv-01a IP address recorded in step 2.
Q2. Did the ping command receive replies from the app-sv-01a virtual machine?
2. Yes
e. Press Ctrl+C to stop the ping command.

f. At the command prompt, run the following command to ping the db-sv-01a virtual
machine.
ping ip_address
ip_address is the db-sv-01a IP address recorded in step 2.

Q3. Did the ping command receive replies from the db-sv-01a virtual machine?
3. Yes
g. Press Ctrl+C to stop the ping command.

h. Review the results of the ping tests.
Q4. Do these results differ from the ping tests you performed after creating the
logical switches before adding the distributed router?
4. Yes
i. At the command prompt, run the following command to query the ARP cache.
arp -an
5. Yes, the other node on the Web-Tier network and the router interface.
j. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
47
4. Use a Command Prompt window to test connectivity from the student desktop system.
a. Minimize the Internet Explorer window.
b. In the Command Prompt window, run the following command to ping the web-sv-01a
virtual machine.
ping ip_address
6. No
c. In the Command Prompt window, run the following command to ping the web-sv-02a
virtual machine.
ping ip_address
7. No
Q8. If no ICMP replies were received during the preceding tests, why?
8. North-South routing is yet to be established.
d. Leave the Command Prompt window open.
Task 5: Use the VMware NSX Controller CLI Commands to Verify the
Distributed Router Deployment
You log in to the VMware NSX Controller instance that owns the VNI slice and examine logical
switch tables.
1. On the student desktop, double-click the MTPuTTY shortcut.
2. In the MTPuTTY window, connect to any of the VMware NSX Controller nodes by double-
clicking on the IP address of one of the VMware NSX Controller nodes added earlier.
a. If you are prompted to confirm a PuTTY security alert, click Yes.
b. Log in as admin and enter the password VMware1!VMware1!.
3. At the command prompt, run the following command to determine which VMware NSX
Controller node owns the VNI slice.

show control-cluster logical-switches vni vni_id
vni_id is 5001 for StudentA and 6001 for StudentB.
48
Lab 6
4. If you are not connected to the VMware NSX Controller instance that owns the slice, configure
the connection.
a. Record the IP address of the VMware NSX Controller instance that owns the slice.
__________
b. Double-click the IP address of the VMware NSX Controller node recorded in step a.
c. If you are prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
5. At the command prompt, run the following commands and review the command output.
show control-cluster logical-switches vtep-table vni_id

show control-cluster logical-switches mac-table vni_id
show control-cluster logical-switches arp-table vni_id
vni_id is 5001 for StudentA and 6001 for StudentB.
6. If the ARP-table is empty, you can repeat task 4, step 3 to repopulate the table.

1. Restore the Internet Explorer Window.
3. In the Internet Explorer window, leave the following tabs open.
vSphere Web Client

web-sv-01a
4. On the student desktop, leave the Command Prompt and MTPUTTY windows open.
49
50
Lab 6
Lab 7
Deploying an NSX Edge Services

Gateway and Configuring Static Routing :
Objective: Configure and deploy an NSX Edge services
gateway to provide perimeter routing
2. Configure and Deploy an NSX Edge Gateway
3. Verify the NSX Edge Gateway Deployment
4. Configure Static Routes on the NSX Edge Gateway
5. Configure Static Routes on the Distributed Router

6. Test Connectivity Between an External Network and a Logical Switch Network
Lab 7 Deploying an NSX Edge Services Gateway and Configuring Static Routing
51

You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Your site name
a. On the student desktop, click the Command Prompt shortcut in the task bar.
student desktop.

password VMware1!.
tab.
a. Point to the vSphere Web Client Home icon and click the VMs and Templates icon.
Task 2: Configure and Deploy an NSX Edge Gateway

You configure and deploy a VMware NSX Edge services gateway to provide North-South routing
and other network services.
Your site name
Data center
Datastore
IP address for the NSX Edge uplink
52
IP address of the NSX Edge internal interface

IP address of the NSX Edge default gateway
1. Take your mouse to the vSphere Web Client Home icon and click Networking & Security.
3. In the middle pane, click the green plus sign to open the New NSX Edge dialog box.
4. On the Name and description page, leave Edge Services Gateway selected.
5. Enter Perimeter Gateway - your_site_name in the Name text box and click Next.
6. On the CLI credentials page, enter VMware1!VMware1! in the Password and Confirm
password text boxes.

7. Select the Enable SSH access check box and click Next.
8. On the Configure deployment page, verify that your data center is selected.
9. Verify that the Appliance Size selection is Compact.
dialog box.
c. Leave all other fields at default value and click OK.
11. Click Next.
12. On the Configure Interfaces page, click the green plus sign to open the Add NSX Edge
Interface dialog box and configure the first of the two interfaces.
a. Enter Uplink-Interface in the Name text box.

d. Click Distributed Portgroup.
e. Click the Production button and click OK.
f. Click the green plus sign.
g. Enter the IP address for the NSX Edge uplink in the Primary IP Address text box.
h. Enter 24 in the Subnet prefix length text box.
i. Leave all other settings at default value and click OK.
53
13. Click the green plus sign to open the Add NSX Edge Interface dialog box and configure the
second interface.
d. Click the Transit-Network button and click OK.
e. Click the green plus sign.
f. Enter the IP address of the NSX Edge internal interface in the Primary IP Address text
box.
h. Leave all other fields at default value and click OK.
14. Compare the interface configurations to the following table.
Subnet Prefix
Length
Connected
To
IP address for the NSX

Edge uplink
24
Production
IP address of the NSX

Edge internal interface
27
TransitNetwork
Name
IP Address
Uplink-Network
Transit-Network
15. If any interface is not configured correctly, select that entry and click the pencil icon to edit the
entry.
16. Click Next.
17. On the Default gateway settings page, select the Configure Default Gateway check box.
18. Verify that the vNIC selection is Uplink-Interface.
19. Enter the IP address of the NSX Edge default gateway in the Gateway IP text box.
20. Leave all other settings at default value and click Next.
21. On the Firewall and HA page, select the Configure Firewall default policy check box.
22. For the Default Traffic Policy, click Accept.
You must set the Default Traffic Policy to Accept before proceeding.
23. Leave all the other fields at the default values and click Next.
54
24. On the Ready to Complete page, review the configuration report and click Finish.
Task 3: Verify the NSX Edge Gateway Deployment

You verify the state of the deployed NSX Edge services gateway appliance by reviewing appliance
configuration reports.
Your site name
1. In the edge list, verify that the Perimeter Gateway - your_site_name type is NSX Edge.
2. Double-click the Perimeter Gateway entry to manage that object.
4. In the settings category panel, select Interfaces and verify that each configured interface has a
green check mark in the Status column.

5. In the settings category panel, select Configuration.
6. At the bottom of the middle pane, find the NSX Edge Appliances list.
Q1. On what datastore is the perimeter gateway appliance deployed?
1. The datastore chosen during the deployment.
Q2. On which host is the perimeter gateway appliance running?
2. Can be any ESXi host in the Management and Edge cluster.
8. Expand the Hosts and Clusters inventory tree so that the inventory of each cluster is shown.
9. Click the vSphere Web Client Refresh icon.
10. Select the perimeter gateway appliance in the Management and Edge cluster inventory.
The appliance virtual machine name starts with Perimeter Gateway - your_site_name and is
followed by a number, for example, Perimeter Gateway - Your Site-0.
12. Expand VM Hardware section to review the hardware settings.
Q3. How many vCPUs does the appliance have?
3. 1
55
Q4. How much total memory does the appliance have?

4. 512 MB
Q5. What is the size of the appliance hard disk?
5. 500 MB
Q6. How many network adapters does the appliance have?
6. 10
Q7. How many network adapters are connected to port groups?
7. 2
Task 4: Configure Static Routes on the NSX Edge Gateway

You configure a static route that specifies the transit network interface on the distributed router as
the next hop for traffic destined to the Web-Tier, App-Tier, or DB-Tier logical switch networks.
Workload VM network
IP address of the distributed logical router uplink
3. In the edge list, double-click the Perimeter Gateway entry to manage that object.
4. In the middle pane, click Routing on the Manage tab.
5. In the routing category panel, select Static Routes.
6. Click the green plus sign to open the Add Static Route dialog box.
a. Select Transit-Network from the Interface drop-down menu.
b. Enter the workload VM network in the Network text box.
c. Enter the IP address of the distributed logical router uplink in the Next Hop text box.
This value is the Distributed Router interface on the Transit network.

d. Leave all other settings at default value and click OK.
7. Above the static routes list, click Publish Changes.
8. Wait for the update to complete and verify that the new route with a type of user appears in the
list.
56
Task 5: Configure Static Routes on the Distributed Router

You configure a static route that specifies the transit network interface on the NSX Edge services
gateway as the next hop for traffic destined to the Management network.
Student desktop network
IP address of the perimeter gateway internal interface
1. In the left navigation pane, click the Networking & Security back arrow.
2. In the edge list, double-click the Distributed Router entry to manage that object.
3. In the middle pane, click Routing on the Manage tab.
4. In the routing category panel, verify that Static Routes is selected.
a. Select Transit-Network from the Interface drop-down menu.
b. Enter the student desktop network in the Network text box.
c. Enter the IP address of the perimeter gateway internal interface in the Next Hop text box.
This address is the address of the perimeter gateway interface on the Transit network.
7. Wait for the update to complete and confirm that the new route with the type of user appears in
the list.
You use the static routes defined on the distributed router and the NSX Edge services gateway to test
bidirectional communication over the transit network.
Student desktop IP address
IP address of web-sv01a
IP address of web-sv-02a
IP address of app-sv-01a
IP address of db-sv-01a
57
Task 6: Test Connectivity Between an External Network and a Logical

Switch Network
1. In the Internet Explorer window, click the web-sv-01a tab.

2. At the web-sv-01a command prompt, run the following command to ping the student desktop
system.
ping student_desktop_IP_address
3. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
The ping test demonstrates the bidirectional connectivity between the logical switch network
and the Management network for traffic that is initiated on the Web-Tier network. If the ping
command does not receive the expected replies, you can ask your instructor for assistance.
4. In the Internet Explorer window, press Ctrl+Alt to release the mouse cursor, open a new
browser tab, and browse the web-sv-01a IP address.

http://IP_address_of_web-sv-01a
5. After the web-sv-01a Web page is displayed, browse the web-sv-02a IP address.
http://IP_address_of_web-sv-02a
6. After the web-sv-02a Web page is displayed, close the Internet Explorer tab that is used to
browse the Web servers.

The ping and HTTP tests that are conducted verify bidirectional connectivity between the
Management and Web-Tier networks for connections initiated in either direction.
8. On the student desktop, run the following command in the Command Prompt window to verify
that the static routes enable bidirectional connectivity between the Management network and
the App-Tier logical switch network.
ping IP_address_of_app-sv-01a
10. Run the following command to verify that the static routes enable bidirectional connectivity
between the Management network and the DB-Tier logical switch network.
Ping IP_address_of_db-sv-01a
12. Leave the Command Prompt window open.
13. Restore the Internet Explorer window and click the vSphere Web Client tab.
58

vSphere Web Client

web-sv-01a
3. On the student desktop, leave the Command Prompt and MTPUTTY windows open.
59
60
Lab 8
Configuring and Testing Dynamic

Routing on NSX Edge Appliances
Objective: Configure OSPF to establish bidirectional

connectivity between the Management network and the
Web-Tier, App-Tier, and DB-Tier logical switch networks
2. Remove Static Routes from the Perimeter Gateway
3. Configure OSPF on the Perimeter Gateway
4. Redistribute the Perimeter Gateway Subnets
5. Remove Static Route on the Distributed Router
6. Configure OSPF on the Distributed Router
7. Redistribute Distributed Router Internal Subnets

8. Troubleshoot Connectivity Between the Logical Switch Networks and the Management
Network
9. Resolve the Connectivity Issue
Lab 8 Configuring and Testing Dynamic Routing on NSX Edge Appliances
61

Your site name
b. Position the Command Prompt window to a convenient location on the desktop.
student desktop.

password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. Point to the vSphere Web Client Home icon and click VMs and Templates.
d. If prompted to log in, log in as root by using the password VMware1!.
62
Task 2: Remove Static Routes from the Perimeter Gateway

You remove the static routes that you configured in an earlier lab and use the Open Shortest Path
First (OSPF) routing protocol to configure dynamic routing.
2. On the student desktop, run the following command in the Command Prompt window to test
bidirectional connectivity between the Management network and the Web-Tier logical switch
network.
ping IP_address_of web-sv-01a
3. Verify that ICMP echo replies are received.
If ICMP echo replies are not received, you might be performing this lab without first
configuring static routing when the VMware NSX Edge services gateway was deployed in an
earlier lab. You can ask your instructor for assistance if the expected replies are not observed.
8. In the middle pane, click the Manage tab and click Routing.
10. In the static routes list, select the static route created in the previous lab and click the red X icon
to delete the entry.

bidirectional connectivity between the Management Network and the Web-Tier logical switch
network.
ping IP_address_of_web-sv-01a
14. Verify that ICMP echo replies are not received.
A TTL expired in transit message appears.

63
Task 3: Configure OSPF on the Perimeter Gateway

You configure OSPF on the perimeter gateway so that the routes to the logical switch networks are
learned from the distributed router over the transit network.
1. In the routing categories list, select Global Configuration.
2. In the Dynamic Routing Configuration panel, click Edit to open the Edit Dynamic Routing
Configuration dialog box.

a. Select Uplink-Interface - ip address from the Router ID drop-down menu.
b. Click OK.
c. On the top of the Global Configuration page, click Publish Changes.
3. In the routing category panel, select OSPF.
4. Click Edit for OSPF Configuration.
5. In the OSPF Configuration dialog box, select the Enable OSPF check box and click OK.
6. Click Publish Changes at the top of the OSPF page.
7. Above the Area Definitions list, click the green plus sign to open the New Area Definition
dialog box.
a. Enter 829 in the Area ID text box.
b. Leave all other settings at the default value and click OK.
8. Under Area Interface Mapping, click the green plus sign at the bottom of the OSPF page to
open the New Area to Interface Mapping dialog box.

a. Select Transit-Network from the drop-down menu.
b. Select 829 from the Area drop-down menu.
c. Leave all other fields at the default value and click OK.
9. At the top of the OSPF page, click Publish Changes.
Task 4: Redistribute the Perimeter Gateway Subnets

You configure which type of subnets are advertised by the perimeter gateway through OSPF.
1. In the routing category panel, select Route Redistribution.
2. Under the Route Redistribution table, click the green plus sign at the bottom of the page to open
the New Redistribution criteria dialog box.

a. Under Allow learning from, select the Connected check box.
Subnets that are connected to the perimeter gateway can be learned.

64
3. In the Route Redistribution Status panel, determine if a green check mark appears next to OSPF
at the top of the page.

4. If a green check mark does not appear, change the redistribution setting.
a. On the right side of the Route Redistribution Status panel, click Edit.
b. In the Change redistribution settings dialog box, select the OSPF check box.
c. Click OK.
d. In the Route Redistribution Status panel, verify that a green check mark appears next to
OSPF at the top of the page.

5. At the top of the page, click Publish Changes.
Task 5: Remove Static Route on the Distributed Router

You remove the static routes configured in an earlier lab in preparation to configure dynamic routing
by using the OSPF routing protocol.
1. At the top of the left navigation page, click the Networking & Security back arrow.
5. In the static routes list, select the static route created in the previous lab and click the red X to
delete the entry.

Task 6: Configure OSPF on the Distributed Router

You configure OSPF on the distributed router.
Protocol IP address for the distributed logical router OSPF configuration

Forwarding IP address for distributed logical router OSPF configuration
1. In the routing category panel, select Global Configuration.
2. On the right side of the Dynamic Routing Configuration panel, click Edit.
3. In the Edit Dynamic Routing Configuration dialog box, select Transit-Interface - ip address
from the Router ID drop-down menu.

This setting must be specified before OSPF can be configured.
65
4. Leave all other fields at the default value and click OK.
Do not select the Enable OSPF check box. For management purposes, OSPF can be enabled or
disabled in the Global Configuration page, after initially configuring it elsewhere. An error
message is displayed if OSPF is enabled in Global Configuration without first configuring the
OSPF parameters. This condition is unique to NSX Edge instances of type Distributed Router.
5. At the top of the Global Configuration page, click Publish Changes.
7. On the right side of the OSPF Configuration panel, click Edit to open the OSPF Configuration
dialog box.
a. Select the Enable OSPF check box.
b. Enter the Protocol IP address for the distributed logical router OSPF configuration in the
Protocol Address text box.

c. Enter the forwarding IP address for distributed logical router OSPF configuration in the
Forwarding Address text box.

d. Click OK.
8. In the Area Definitions panel, click the green plus sign to open the New Area Definition dialog
box.
b. Leave all other fields at the default value and click OK.
9. In the Area to Interface Mapping panel, click the green plus sign to open the New Area to
Interface Mapping dialog box.

a. Verify that the Interface selection is Transit-Interface.
10. At the top of the OSPF configuration page, click Publish Changes.
11. After the changes are published, verify that OSPF Configuration Status is Enabled.
Task 7: Redistribute Distributed Router Internal Subnets

You configure which type of subnets are advertised by the distributed router through OSPF.
66
2. In the Route Redistribution table, select the single entry that appears, click the pencil icon to
open the Edit Redistribution criteria dialog box, and verify the following settings.
Prefix Name: Any
Learner Protocol: OSPF
Allow Learning From: Connected
Action: Permit
3. Click Cancel.
If the default route redistribution entry does not appear in the list or is not configured as
specified, you must create a new route redistribution by clicking the green plus sign and
configuring the criteria as specified in step 2.
Task 8: Troubleshoot Connectivity Between the Logical Switch

Networks and the Management Network
You verify the OSPF configuration and troubleshoot connectivity between a logical switch network
that is connected to the distributed router and the Management network.
Router ID for distributed logical router
Protocol IP address for the distributed logical router OSPF configuration
Forwarding IP address for distributed logical router OSPF configuration
Router ID for the perimeter gateway
3. Verify that ICMP echo replies are not received.
67
bidirectional connectivity between the Management Network and the Web-Tier logical switch
network.
6. Verify the distributed router configuration.
If any option is incorrectly configured, you can correct the configuration.

a. In the routing category panel, select Global Configuration.
b. In the Dynamic Routing Configuration panel, verify that the following options are
configured as shown.
Router ID: Router ID for distributed logical router
OSPF: Green check mark
c. In the routing category panel, select Static Routes.
d. In the static routes table, verify that no static routes are defined.
e. In the routing category panel, select OSPF.
f. In the OSPF Configuration panel, verify that the following options are set as specified.
Status: Enabled
Protocol Address: Protocol IP address for the distributed logical router OSPF
configuration
Forwarding Address: Forwarding IP address for distributed logical router OSPF
configuration
g. In the Area Definitions panel, verify that Area 829 is defined with Normal for Type and
None for Authentication.

h. In the Area to Interface Mapping panel, verify that area 829 has been mapped to Transit-
Interface.
i. In the routing category panel, select Route Redistribution.
j. In the Route Redistribution Status panel, verify that a green check mark appears next to
OSPF.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.
Learner: OSPF
From: Connected
Prefix: Any
Action: Permit
68
10. Verify the perimeter gateway configuration.
If any option is incorrectly configured, you can correct the configuration.

a. In the routing category panel, select Global Configuration.
b. In the Dynamic Routing Configuration panel, verify that the following options are
configured as shown.
Router ID: Router ID for the perimeter gateway
OSPF: Green check mark
c. In the routing category panel, select Static Routes.
d. In the static routes table, verify that no static routes are defined.
e. In the routing category panel, select OSPF.
f. At the top of the OSPF page, verify that the OSPF Status is Enabled.
g. In the Area Definitions panel, verify that Area 829 is defined with Normal for Type and
None for Authentication.

h. In the Area to Interface Mapping panel, verify that area 829 is mapped to Transit-Interface.
i. In the routing category panel, select Route Redistribution.
j. In the Route Redistribution Status panel, verify that a green check mark appears next to
OSPF.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.
Learner: OSPF
From: Connected
Prefix: Any
Action: Permit
Q1. Are the configuration settings for Distributed Router and perimeter gateway
exactly as specified in the preceding steps?
1. Yes
12. In the edge list, double-click the Distributed Router entry.
69

Q2. Are the logical switch networks, Web-Tier, App-Tier, and DB-Tier, connected to
Distributed Router interfaces?
2. Yes
15. On the Manage tab, click Routing.

16. In the routing category list, select Static Routes.
Q3. Is the absence of static routes on Distributed Router an issue (are there
subnets not directly connected that Distributed Router should advertise)?
3. No, only directly connected subnets must be advertised.

Q4. Is the configured Route Redistribution entry sufficiently configured so that
subnets known to the Distributed Router can be learned through OSPF?
4. Yes, Direct connected can be learned, which is sufficient.
Q5. Is the Management network attached to the perimeter gateway?
5. No
22. On the Manage tab, click Routing.

Q6. Is the Management network identified by a static route?
6. No

Q7. Is the current route redistribution configured to allow the learning of static
routes through OSPF?
7. No, Connected is the only selection. Static routes should be added.
70
Task 9: Resolve the Connectivity Issue

You configure the perimeter gateway with a static route to the Management network and configure
OSPF to advertise static routes.
Student desktop/management network
Next hop IP address
IP address of app-sv-01a
IP address of db-sv-01a
a. Select Uplink-Interface from the Interface drop-down menu.
b. Enter the student desktop/management network in the Network text box.
c. Enter the next hop IP address in the Next Hop text box.
This address is the address of the RAS router on the Production network.
3. Click Publish Changes.
5. In the Route Redistribution table, select the single entry that appears and click the pencil icon to
open the Edit Redistribution criteria dialog box.

a. Under Allow learning from, select the Static Routes check box.
b. Click OK.
6. At the top of the Route Redistribution page, click Publish Changes.
The configuration change instructs the perimeter gateway to allow learning of both connected
subnets and static routes through OSPF. The distributed router receives a route to the
Management network from the perimeter gateway with a next hop of the perimeter gateway
interface on the transit network.
71
bidirectional connectivity between the Management network and the Web-Tier logical switch
network.
9. Verify that ICMP echo replies are received.
If ICMP replies are not received, you must wait for 60 seconds and repeat step 8 until the ICMP
replies are received.
10. Run the following ping tests to verify connectivity between the Management network and the
App-Tier and DB-Tier logical switch networks.

ping IP_address_of_app-sv-01a
ping IP_address_of_db-sv-01a

vSphere Web Client

web-sv-01a
3. On the student desktop, leave the Command Prompt window open.
72
Lab 9
Configuring Equal Cost Multipathing
Objective: Configure ECMP to load balance traffic in the

North-South direction
2. Deploy an Additional NSX Edge Router
3. Configure Routing for Perimeter Gateway - ECMP Edge
4. Configure Static Route on Perimeter Gateway - ECMP Edge
5. Configure Route Redistribution for Perimeter Gateway - ECMP Edge
6. Verify the Relationship Between the Distributed Logical Router Routing Table and the
Neighbor
7. Enable ECMP
8. Disable ECMP and Clean Up for the Next Lab
Lab 9 Configuring Equal Cost Multipathing
73

Your site name
a. On the student desktop, click the Command Prompt shortcut in the task bar.
student desktop.

password VMware1!.
Task 2: Deploy an Additional NSX Edge Router

You configure and deploy an additional VMware NSX Edge services gateway to demonstrate the
Equal Cost Multipathing (ECMP) capability of the distributed logical router.
Data center
Datastore
IP address for the Perimeter Gateway - ECMP Edge uplink
IP address for the Perimeter Gateway - ECMP Edge internal interface
IP address of the Edge default gateway
3. In the middle pane, click the green plus sign to open the New NSX Edge dialog box.
4. On the Name and description page, leave Edge Services Gateway selected.
5. Enter Perimeter Gateway - ECMP in the Name text box and click Next.
74
6. On the CLI credentials page, enter VMware1!VMware1! in the Password and Confirm
password text boxes.

7. Select the Enable SSH access check box and click Next.
8. On the Configure deployment page, verify that your data center is selected.
9. Verify that the Appliance Size selection is Compact.
dialog box.
11. Click Next.
12. On the Configure Interfaces page, click the green plus sign to open the Add NSX Edge
Interface dialog box and configure the first of the two interfaces.
a. Enter Uplink-Interface in the Name text box.
d. Click Distributed Portgroup.
e. Click Production and click OK.
f. Click the green plus sign.
g. Enter the IP address for the Perimeter Gateway - ECMP Edge uplink in the Primary IP
Address text box.

h. Enter 24 in the Subnet prefix length text box.
13. Click the green plus sign to open the Add NSX Edge Interface dialog box and configure the
second interface.

d. Click Transit-Network and click OK.
e. Click the green plus sign
75
f. Enter the IP address for the Perimeter Gateway - ECMP Edge internal interface in the
Primary IP Address text box.

h. Leave all other fields at default value and click OK.
14. Compare the interface configurations to the table.
Subnet Prefix
Length
Connected
To
IP address for the

Perimeter Gateway ECMP Edge uplink
24
Production
IP address for the

Perimeter Gateway ECMP Edge internal
interface
27
TransitNetwork
Name
IP Address
Uplink-Interface
Transit-Network
15. If any interface is not configured correctly, select that entry and click the pencil icon to edit the
entry.
16. Click Next.
17. On the Default gateway settings page, select the Configure Default Gateway check box.
18. Verify that the vNIC selection is Uplink-Interface.
19. Enter the IP address of the Edge default gateway in the Gateway IP text box.
21. On the Firewall and HA page, select the Configure Firewall default policy check box.
22. For the Default Traffic Policy, click Accept.
You must accept the default traffic policy before proceeding.

23. Leave all the other fields at the default values and click Next.
24. On the Ready to Complete page, review the configuration report and click Finish.
76
Task 3: Configure Routing for Perimeter Gateway - ECMP Edge

You configure OSPF routing and create a static route on the Perimeter Gateway - ECMP edge.
1. Double-click Perimeter Gateway - ECMP Edge in the middle pane.
2. Click Routing under the Manage tab.
3. In the routing categories list, select Global Configuration.
4. In the Dynamic Routing Configuration panel, click Edit to open the Edit Dynamic Routing
Configuration dialog box.

a. Select Uplink-Interface - ip address from the Router ID drop-down menu.
b. Click OK.
c. At the top of the Global Configuration page, click Publish Changes.
7. In the OSPF Configuration dialog box, select the Enable OSPF check box and click OK.
8. Click Publish Changes at the top of the OSPF page.
9. Above the Area Definitions list, click the green plus sign to open the New Area Definition
dialog box.
10. Under Area Interface Mapping, click the green plus sign at the bottom of the OSPF page to
open the New Area to Interface Mapping dialog box.

a. Select Transit-Interface from the drop-down menu.
c. Leave all other fields at the default value and click OK.
11. At the top of the OSPF page, click Publish Changes.
Task 4: Configure Static Route on Perimeter Gateway - ECMP Edge

You configure Perimeter Gateway with a static route to the Management network.

Student desktop/management network
Next hop IP address
77

a. Select Uplink-Interface from the Interface drop-down menu.
b. Enter the student desktop/management network in the Network text box.
This address is the management network address.

c. Enter the next hop IP address in the Next Hop text box.
This address is the address of the RAS router on the Production network.
Task 5: Configure Route Redistribution for Perimeter Gateway - ECMP

Edge
You configure which type of subnets are advertised by Perimeter Gateway through OSPF.
2. Under the Route Redistribution table, click the green plus sign at the bottom of the page to open
the New Redistribution criteria dialog box.

a. Under Allow learning from, select the Connected and Static routes check boxes.
3. In the Route Redistribution Status panel, determine if a green check mark appears next to OSPF
at the top of the page.

4. If a green check mark does not appear, change the redistribution setting.
a. On the right side of the Route Redistribution Status panel, click Edit.
b. In the Change redistribution settings dialog box, select the OSPF check box.
c. Click OK.
d. In the Route Redistribution Status panel, verify that a green check mark appears next to
OSPF at the top of the page.

5. At the top of the page, click Publish Changes.
78
Task 6: Verify the Relationship Between the Distributed Logical Router

Routing Table and the Neighbor
You verify the OSPF configuration and routing table on the distributed logical router.
Your site name
1. Point to the vSphere Web Client Home icon and select Hosts and Clusters.
2. Expand the inventory and select the Distributed Router-your_site_name-0 VM.
3. Click Actions in the middle pane and select Open Console.
4. Log in to the Distributed Router VM with user name admin and password
VMware1!VMware1!
5. Enter the show ip ospf neighbor command and verify that the logical router has formed
adjacency with both the edge routers.

6. Enter the show ip route command to display the routing table.
The logical router adds only one edge router as the next hop to reach the management network.
ECMP is not enabled.
Task 7: Enable ECMP

You enable ECMP on the distributed logical router.
1. Click the vSphere Web Client - your_site_name tab in Internet Explorer.
2. Point to the vSphere Web Client Home icon and select Networking & Security
3. Select NSX Edges in the Networking & Security navigation pane.
4. Double click the Distributed Router instance in the middle pane.
5. Select Routing under the Manage tab.
6. Select Global Configuration.
7. Click Enable next to ECMP under Routing Configuration.
8. Click Publish Changes at the top of the Routing Configuration page.
9. Click the Distributed Router VM tab in Internet Explorer.
79
10. Enter the show ip route command to display the routing table.
An entry for each Edge router exists as the next hop towards the management network. The
distributed logical router can now use the two paths to distribute the load.
NOTE
You might need to wait for 30 seconds for the command to display the expected output.
Task 8: Disable ECMP and Clean Up for the Next Lab

You disable ECMP on the distributed logical router and prepare for the next lab.
2. Click Disable next to ECMP under Routing Configuration.
3. Click Publish Changes at the top of the Routing Configuration page.
4. Click Networking and Security at the top corner in the left pane.
5. Select Perimeter Gateway - ECMP and click the red X to delete the additional Edge router.
6. Close the Distributed Router tab in Internet Explorer and leave the vSphere Web Client open.
80
10
Lab 10
Configuring L2 Bridging
Objective: Configure L2 bridging in the software

2. Create a Port Group on the Distributed Switch for L2 Bridging
3. Move web-sv-01a and web-sv-02a to the Host That Runs the Distributed Logical Router
Control VM
4. Examine the Network Connectivity Between Web VMs and Resolve the Issue
Lab 10 Configuring L2 Bridging
81

Your site name
student desktop.
2. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
3. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a and web-sv-02a console tabs are not open,
open the console tabs.

6. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
7. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
8. Select Open Console from the Actions drop-down menu.
9. If prompted to log in, log in as root and enter the password VMware1!.
10. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
11. Repeat steps 7 through 10 for web-sv-02a.
12. Point to the vSphere Web Client Home icon and click the Networking tab.
Task 2: Create a Port Group on the Distributed Switch for L2 Bridging

You create a port group that is used for setting up an L2 bridge.
1. In the left navigation pane, select vds-Datacenter.
2. In the middle pane, click Actions and select Distributed Port Group > New Distributed Port
Group.
3. In the New Distributed Port Group window, enter L2PG in the Name text box and click Next.
82
10
4. On the Configure settings page, select VLAN from the VLAN type drop-down menu and
enter 10 as the VLAN ID.

NOTE
In the lab environment, the physical network is not configured to support VLAN 10. You
use a dummy VLAN ID of 10 because setting up bridging requires the port group to be
configured with a VLAN ID.
5. Click Next.
6. Click Finish on the Ready to Complete page.
7. Point to the Home icon and click VMs and Templates.
8. Select the web-sv-02a VM from the left navigation pane and click Actions in the middle pane.
9. Click Edit Settings.
10. In the VMs Edit Settings dialog box, select the L2PG (vds-datacenter) port group from the
Network Adapter 1 drop-down menu and click OK.
Task 3: Move web-sv-01a and web-sv-02a to the Host That Runs the
Distributed Logical Router Control VM
You move the web-sv-01a and web-sv-02a virtual machines to the VMware ESXi host running
the distributed logical router control VM. This task is not required in production environments. This
task is performed in the lab because the physical network is not configured to support VLAN 10.
1. Select the Distributed Router - your_site_name-0 VM from the left navigation pane.
2. Click the Summary tab in the middle pane and identify the ESXi host on which the Distributed
Router-0 VM is running.
3. Select the web-sv-01a virtual machine in the left navigation pane.
4. Click Actions in the middle pane and select Migrate.
5. Select Change Compute resource only on the Select the migration type page.
6. Click Next.
7. Click the radio button next to the ESXi host where the Distributed Router - your_site_name-0
VM resides.
8. Click Next.
9. Click Next on the Select Network page.
10. Click Next on the Select vMotion priority page.
83
11. Click Finish.

12. Repeat steps 3 through 9 for web-sv-02a.
Task 4: Examine the Network Connectivity Between Web VMs and

Resolve the Issue
You verify whether the Web VMs can communicate with each other and fix the issue if they cannot
communicate.
1. Click the win-sv-01a VM tab in the Internet Explorer window.
You might need to reopen the VMs console.

2. Start a ping to the web-sv-02a VM window.
Q1. Does ping work?
1. No, because web-sv-01a is connected to a logical switch and web-sv-02a is connected to a
port group with VLAN ID 10. An L2 bridge is required to establish connectivity between the two
Web VMs.
3. Click the vSphere Web Client tab in Internet Explorer window.

4. Select the NSX Edges link in the left navigation pane.
5. Double-click the Distributed Router instance in the middle pane.
6. Click Bridging in the Manage tab.
7. Click the green plus sign under bridging.
8. In the Add Bridge dialog box, enter L2Bridge in the Name row.
9. Click the Logical Switch icon in the Logical Switches row and select Web-Tier.
10. Click OK.
11. Click the network icon in the Distributed Port Group row and select L2PG.
12. Click OK.
13. Click OK.
14. Click Publish under the Manage tab.
84
10
15. Click the web-sv-01a VM tab in the Internet Explorer window.

16. Start a ping request to web-sv-02a.
Q2. Is the ping to web-sv-02a successful?
2. Yes. The L2 bridge created in the previous steps established layer 2 connectivity between the
two Web VMs.

1. Click the vSphere Web Client tab in Internet Explorer.
2. Select the bridge instance and click the red X sign to delete the bridge instance.
3. Click Publish.
4. Point to the Home icon and select VMs and Templates.
5. Select the web-sv-02a VM in the left navigation pane and click Actions.
6. Click Edit Settings.
7. In the web-sv-02a Edit Settings dialog box, select the Web-Tier logical switch from the
Network Adapter 1 drop-down menu.

8. Click OK.
9. Migrate the web-sv-01a and web-sv-02a virtual machines back to the Compute cluster.
85
86
11
Lab 11
Configuring and Testing Network

Address Translation on an NSX Edge
Services Gateway
Objective: Use destination NAT and source NAT rules to

establish a one-to-one relationship between the IP
address of a Web server on an internal subnet and an IP
address in an externally accessible subnet
2. Verify Nontranslated Packet Addressing
3. Configure an Additional IP Address on the Uplink Interface of the Perimeter Gateway
4. Configure a Destination NAT Rule
5. Use the Destination NAT Translation to Test Connectivity
6. Verify Nontranslated Packet Addressing Before Defining a Source NAT Rule
7. Configure a Source NAT Rule
8. Use the Source NAT Translation to Test Connectivity
9. Configure a Destination NAT Rule for web-sv-02a
Lab 11 Configuring and Testing NAT on an NSX Edge Services Gateway
87

Your site name
student desktop.

password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the tab.
a. Point to the vSphere Web Client Home tab and click VMs and Templates.
Task 2: Verify Nontranslated Packet Addressing

You use the packet capture capabilities of VMware NSX Edge to verify source and destination
addressing of packets that are exchanged by the student desktop system and the web-sv-01a Web
server.
IP address of the perimeter gateway
NAT IP address 1
88

3. In the MTPuTTY window, click Server and select Add server.
11
4. In the Properties pop-up window, enter the IP Address of the perimeter gateway in the Server
name text box.

5. Select SSH as the protocol.
6. Click OK.
7. Double-click the IP address that you added.
8. When prompted with a PuTTY Security Alert, click Yes.
9. Log in as admin and enter the password VMware1!VMware1!.
10. If you cannot log in because SSH access was not enabled during the deployment of the NSX
Edge instance, or if the password was entered incorrectly, change the CLI credentials.
a. Restore the Internet Explorer window.
b. In the left navigation pane, select NSX Edges.
c. In the edge list, select the Perimeter Gateway - your_site_name entry and select Change
CLI Credentials from the Actions drop-down menu.

d. In the Change CLI credentials, enter VMware1!VMware1! in the Password and Retype
Password text boxes.

e. Verify that the Enable SSH Access check box is selected and click OK.
f. Restart this task by going back to step 1.
11. Run the following command to begin capturing HTTP traffic on the uplink interface.
All commands are case-sensitive.

debug packet display interface vNic_0 port_80
Include the port_80 filter as the last argument of the command. The last argument is the filter
expression. The filter expression must be expressed with underscore characters where spaces
might normally appear.
12. Leave the traffic capture running in the MTPuTTY window and restore the Internet Explorer
window.
13. In the Internet Explorer window, open a new browser tab and go to http://IP_address_of_web-
sv-01a to browse the web-sv-01a Web server.
89
14. After the Web page is displayed, go to http://NAT_IP_address_1 to verify that no response is
received.
The NAT IP address 1 is the NAT address that you associate with the web-sv-01a virtual
machine.
15. After Internet Explorer reports that the page cannot be displayed, close the browser tab and
minimize the Internet Explorer window.

16. In the MTPuTTY window, examine the packets that are captured to determine source and
destination addressing format.

Packet addressing is always reported in the following format:
time protocol source-address : source-port > destination-address : destination-port
17. In the packet capture output, examine the addressing of each packet and verify that the
following addresses are involved in the exchange.

Student desktop IP address.
Q1. In the packet capture, do you observe any packets exchanged between the
student desktop system and the NAT IP address?
1. No
18. Leave the packet capture running in the MTPuTTY window.

Task 3: Configure an Additional IP Address on the Uplink Interface of

the Perimeter Gateway
You configure a secondary IP address to the uplink interface of the NSX Edge Services Gateway.
This IP address is used for creating the NAT rule.
NAT IP address 1
2. In the edge list, double-click the Perimeter Gateway - your_site_name entry to manage that
object.
90
5. In the interfaces list, select the vNIC# 0 entry that is associated with Uplink-Interface and click
the pencil icon.

6. In the Edit NSX Edge Interface dialog box, select the existing IP address and click the pencil
icon.
11
7. Enter the NAT IP address 1 in the Secondary IP address text box.

8. Click OK to commit the interface changes.
9. In the interfaces list, verify that vNIC# 0 has two IP addresses configured.
Task 4: Configure a Destination NAT Rule

You create a destination NAT (DNAT) rule for translating the NAT IP address 1 to the IP address of
web-sv-01a. A DNAT rule can be assigned to any interface. You can assign destination NAT rules to
only the interface that receives the network traffic to be translated, such as the uplink interface.
NAT IP address 1
1. Under the Manage tab, click NAT.
2. Above the NAT rules list, click the green plus sign and select Add DNAT Rule.
3. In the Add DNAT Rule dialog box, add the destination NAT rule.
a. Select Uplink-Interface from the Applied On drop-down menu.
b. Enter the NAT IP address 1 in the Original IP/Range text box.
c. Enter the IP address of web-sv-01a in the Translated IP/Range text box.
This address is the address of the web-sv-01a Web server virtual machine that is attached to
the Web-Tier logical switch network. The Web-Tier network is accessible from the
perimeter gateway through an OSPF-learned route that has a next hop of Application Edge
router on the transport network.
d. Select the Enabled check box.
e. Leave all other settings at the default value and click OK.
4. Above the NAT rules list, click Publish Changes.
5. Wait for the update to complete and verify that the new destination NAT rule appears in the list
with a Rule Type of USER.
91
Task 5: Use the Destination NAT Translation to Test Connectivity

You verify whether the DNAT rule works as expected by using the packet display capability of the
NSX Edge Services Gateway command line.
NAT IP address 1
1. In the Internet Explorer window, open a new browser tab and go to http://NAT_IP_address_1 to
browse the web-sv-01a Web server by using the destination NAT address.
2. After the Web page is displayed, keep the Web server tab open and minimize the Internet
Explorer window.
3. In the MTPuTTY window, determine packet addressing and verify that the following two IP
addresses are involved in the exchange.

This address is the IP address of the ControlCenter.
NAT address IP 1
This address is the destination NAT original address. For packets sent to this address, the
destination was transformed from NAT address 1 to web-sv-01as IP before being
forwarded by NSX Edge. For response packets sent from the Web server, the source
address was translated so that the packets appear as if originating from the destination NAT
address to maintain the integrity of the client-server connection.
4. Press Ctrl+C to stop the packet capture.
5. Run the following command to begin capturing packets on the Transit-Interface.

6. Restore the Internet Explorer window and click the page refresh icon to reload the Web server
page.
7. After the Web page is displayed, close the browser tab and minimize the Internet Explorer
window.
8. In the MTPuTTY window, determine packet addressing and verify that the following two IP
addresses are involved in the exchange.

92
This address is the destination NAT translated address of the web-sv-01a Web server. The
packets captured on the transit network are forwarded from perimeter gateway to
distributed router with the destination address translated.
11
9. Press Ctrl+C to stop the packet capture and leave the MTPuTTY window open.
10. Review the tests performed so far in this lab.
Q1. If response traffic was not translated based on the destination NAT mapping,
what source address would the packets have when received by the student
desktop?
1. The nontranslated IP address of web-sv-01a.
Q2. For a TCP connection being established from student desktop to destination
NAT IP for web-sv-01a, would the student desktop associate response packets
from web-sv-01a with that connection?
2. No, regardless of any TCP flag sequencing or handshake condition that might be set, the IP
addresses do not match.
Task 6: Verify Nontranslated Packet Addressing Before Defining a

Source NAT Rule
You verify the source and destination address of packets exchanged between the student desktop and
the web-sv-01a Web server virtual machine before applying a source NAT translation.
1. In the MTPuTTY window, run the following command to begin capturing ICMP packets on the
uplink interface.
debug packet display interface vNic_0 icmp
2. Leave the packet capture running, restore the Internet Explorer window, and click the web-sv-
01a console tab.

system.
4. After at least one ICMP echo request and echo reply are reported, press Ctrl+C to stop the ping
command.
93
5. Press Ctrl+Alt to release the mouse cursor and minimize the Internet Explorer window.
6. In the MTPuTTY window, determine the source and destination addressing and verify that the
following two IP addresses are involved in the ICMP exchange.

Student Desktop IP address.
This address is the nontranslated IP address of the web-sv-01a Web server virtual machine.
The captured exchange shows that the web-sv-01a Web server IP address is unaffected by the
destination NAT rule when traffic is initiated from that address. The original web-sv-01a Web
server IP address is maintained as the packets leave perimeter gateway in transit to the student
desktop system.
Task 7: Configure a Source NAT Rule

You create a source NAT (SNAT) rule to translate the IP address of web-v-01a to NAT IP address 1
for outgoing connections. An SNAT rule can be assigned to any interface. You can assign SNAT
rules to the interface that connects to the translated network, but not to the interface that received the
original packet.
NAT IP address 1
1. Above the NAT rules list, click the green plus sign and select Add SNAT Rule.
2. In the Add SNAT Rule dialog box, configure the original and the translated source IP address.
a. Select Uplink-Interface from the Applied On drop-down menu.
b. Enter the IP address of web-sv-01a in the Original Source IP/Range text box.
c. Enter the NAT IP address 1 in the Translated Source IP/Range text box.
This address is the translated source IP address.

d. Select the Enabled check box.
e. Leave all other fields at the default value and click OK.
3. Above the NAT rules list, click Publish Changes.
94
Task 8: Use the Source NAT Translation to Test Connectivity

Packets sent from the web-sv-01a Web server virtual machine appear as originating from the
perimeter gateways external subnet.
11

NAT IP address 1
1. In the Internet Explorer window, select the web-sv-01a console tab.
system.
3. After at least one ICMP request and reply have been reported, press Ctrl+C to stop the ping
command.
4. Press Ctrl+Alt to release the mouse cursor and minimize the Internet Explorer window.
5. In the MTPuTTY window, determine source and destination addressing and verify that the
following two IP addresses are involved in the ICMP exchange.

Student desktop IP address.
NAT IP address 1
This address is the translated IP address of the web-sv-01a Web server virtual machine.
Task 9: Configure a Destination NAT Rule for web-sv-02a

For upcoming labs, the internal IP address of both Web server virtual machines must be translated.
You configure a destination NAT rule for the web-sv-02a Web server virtual machine.
NAT IP address 2
1. Perform task 3 to add another IP address to the uplink interface of perimeter gateway.
a. Assign the NAT IP address 2.
You must use a comma to specify the second secondary IP address to the interface.
95
2. Perform task 4 to create a destination NAT rule on the perimeter gateway.

a. Use the following parameters.
Assigned On: Uplink-Interface

Original IP/Range: NAT IP address 2
Translated IP/Range: IP address of web-sv-02a
Enabled: Select the check box.
Leave all other fields at the default value (undefined).
3. Test your configuration.
a. In the MTPuTTY window, run the following command to begin capturing HTTP traffic on
the uplink interface.

b. In Internet Explorer, open a new browser tab and go to http://NAT_IP_address_2.
c. After the Web page opens, close the new browser tab.
d. In the MTPuTTY window, verify that the following two addresses are involved in the
HTTP exchange.
NAT IP address 2
e. Press Ctrl+C to stop the packet capture.
NOTE
If the test does not produce the expected results, review your configuration carefully,
ensure that the destination NAT rule is enabled and is applied on the Uplink-Interface, and
try the test again. If the test continues to fail, you can ask your instructor for assistance.
Both destination NAT rules must be defined and working for upcoming labs.

1. On the student desktop, leave the MTPuTTY window and the Command Prompt window open.
2. In the Internet Explorer window, click the vSphere Web Client tab.
3. At the top of the left navigation page, click the Networking & Security back arrow.
vSphere Web Client

web-sv-01a
96
Lab 12
12
Configuring Load Balancing with NSX

Edge Gateway
Objective: Configure a round-robin load balancer to

distribute traffic between two Web servers and verify the
round-robin operation by using traffic capture tools
2. Verify the Lack of Connectivity
3. Add an IP Address to the Uplink Interface
4. Enable the Load Balancer Service and Configure an Application Profile
5. Create a Server Pool
6. Create a Virtual Server
7. Use the Packet Capture Capabilities of NSX Edge to Verify Round-Robin Load Balancing
8. Examine NAT Rule Changes
9. Migrate the Web-Tier Logical Switch to the Perimeter Gateway
10. Reposition the Virtual Server and Examine NAT Rule Changes
11. Use a Packet Capture to Verify Round-Robin Operation
Lab 12 Configuring Load Balancing with NSX Edge Gateway
97

Your site name
2. If the MTPuTTY window is not open on the student desktop, open the MTPuTTY window.
b. In the MTPuTTY window, double-click the IP Address of the Perimeter Gateway saved
session.
c. If prompted to confirm a PuTTY security alert, click Yes.
student desktop.
bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
tab.
a. On the vSphere Web Client Home tab, click VMs and Templates.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. On the vSphere Web Client Home tab, click Networking & Security.
98
Task 2: Verify the Lack of Connectivity

You open a Web browser and browse the IP address to be assigned to the load balancer virtual
server.
Use the following information from the class configuration:
VIP 1 IP address
1. In the Internet Explorer window, open a new browser tab and go to https://VIP 1 IP address.
2. Verify that the page does not open.
12
Internet Explorer shows a Server not found message.

3. Close the new browser tab and click the vSphere Web Client tab.
Task 3: Add an IP Address to the Uplink Interface

To use an IP address for network address translation (NAT) rules or a load balancer virtual server
that is not the default IP address assigned to an VMware NSX Edge interface, the IP address must
be explicitly added to the interface. The IP address must be explicitly configured so that the NSX
Edge appliance can receive incoming packets on that interface from the upstream device.
NAT IP address 1
NAT IP address 2
VIP 1 IP address
2. In the edge list, double-click the Perimeter Gateway-your_site_name entry to manage that
object.
5. In the interfaces list, select the vNIC# 0 interface and click the pencil icon.
6. In the Edit NSX Edge Interface dialog box, select the IP address entry in the Configure
Subnets section and click the pencil icon.

7. Enter the VIP 1 IP address in the Secondary IP address text box.
You must use a comma to separate the IP addresses.

99
9. In the interfaces list, find the vNIC #0 entry, click the Show All link in the IP address column,
and verify that the following addresses appear in the list.

Primary address of the interface
NAT address for web-sv-01a: NAT IP address 1
NAT address for web-sv-02a: NAT IP address 2
New address for the load balancer virtual server: VIP 1 IP address
10. Click OK to close the Assigned IP Addresses dialog box.
Task 4: Enable the Load Balancer Service and Configure an

Application Profile
You enable the load balancer service and configure for HTTPS with SSL passthrough.
1. Under the Manage tab, click Load Balancer.
2. In the load balancer category panel, select Global Configuration.
3. Click Edit on the right side of the global configuration page.
4. In the Edit load balancer global configuration page, select the Enable Load balancer check
box, leave all the other fields at the default value, and click OK.
5. In the load balancer category panel, select Application Profiles.
6. Above the top panel, click the green plus sign to open the New Profile dialog box.
a. Enter App-Profile in the Name text box.
b. Select HTTPS for Type.
c. Select the Enable SSL Passthrough check box.
d. Leave all the other fields at the default value and click OK.
Task 5: Create a Server Pool

You create a round-robin server pool that contains the two Web server virtual machines as members
providing HTTPS.
100
1. In the load balancer category panel, select Pools.

2. Above the top panel, click the green plus sign to open the New Pool dialog box.
a. Enter Server-Pool in the Name text box.
b. Verify that the Algorithm selection is ROUND-ROBIN.
c. Verify that the Monitors selection is NONE.
d. Below Members, click the green plus sign to open the New Member dialog box and add the
first server.
Action
Name
Enter Web-sv-01a in the text box.
IP Address
Enter the IP address of web-sv-01a in the text box.
Port
All other settings
Leave at the default value.
12
Option
e. Click OK to close the New Member dialog box.

f. Under Members, click the green plus sign to open the New Member dialog box and add a
second server.
Option
Action
Name
Enter Web-sv-02a in the text box.
IP Address
Port
All other settings
Leave at the default value.
g. Click OK to close the New Member dialog box.

h. Click OK to close the New Pool dialog box.
101
Task 6: Create a Virtual Server

The virtual server is positioned in a two-arm configuration on the external network that is attached
to the uplink interface of the perimeter gateway.
VIP 1 IP address
1. In the load balancer category panel, select Virtual Servers.
2. Above the top panel, click the green plus sign to open the New Virtual Server dialog box.
a. Verify that the Enabled check box is selected.
b. Verify that the Application Profile selection is App-Profile.
c. Enter VIP in the Name text box.
d. Enter the VIP 1 IP address in the IP Address text box.
e. Select HTTPS from the Protocol drop-down menu.
f. Verify that the Port setting has changed to 443.
g. Select Server-Pool from the Default Pool drop-down menu.
Task 7: Use the Packet Capture Capabilities of NSX Edge to Verify

Round-Robin Load Balancing
You monitor the HTTPS traffic that traverses the transit network to verify round-robin distribution
as the perimeter gateway assigns sessions to servers in the pool.
VIP 1 IP address
2. In the MTPuTTY window, run the following command to begin capturing SSL packets on the
transit interface.
3. Leave the packet capture running and restore the Internet Explorer window.
4. In the Internet Explorer window, open a new browser tab and go to https://VIP_1_IP_address.
5. If Internet Explorer reports a certificate warning, click the Continue to this website (not
recommended) link.
102

7. In the MTPuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP addresses.
The IP address of the Transit network interface of the perimeter gateway edge.
The IP addresses of one of the Web servers on the Web-Tier logical switch network.
8. Consider the packet exchange you examined.
12
Q1. Which extra operation is the perimeter gateway performing on packets that
leave the Transit network interface, on the way to the Web server virtual
machines?
1. NAT
Q2. Why is the perimeter gateway performing this extra operation instead of
maintaining the original source address of the student desktop system?
2. Because the load balancer is operating in nontransparent mode and proxying sessions
between itself and the Web servers on behalf of the original client.
Q3. What setting would you enable on the load balancer so that the original source
addresses are maintained?
3. Transparent mode
9. Leave the packet capture running.

12. In the pool list, select pool-1 and click the pencil icon.
13. In the Edit Pool dialog box, select the Transparent check box at the bottom and click OK.
14. Open another tab in the Internet Explorer window and enter https://VIP_1_IP_address.
16. In the MTPuTTY window, examine the captured packets to determine the source and
destination addressing, and verify that the exchange is between a combination of the following
IP addresses.
The address of the student desktop system. With transparent mode enabled, the original
source address has been maintained in packets forwarded to the Web server. Sessions are
still proxied by the perimeter gateway by using a different source port than the source port
that is used by the original client.
The address of one of the Web servers on the Web-Tier logical switch network.
103
17. On the student desktop, double-click the Firefox shortcut.

18. In Firefox, go to https://VIP_1_IP_address.
19. When Firefox reports a problem with the Web site security certificate, click the I understand
the Risks link.

20. Click Add Exception and click Confirm Security Exception.
21. Wait for the Web page to be displayed, which might take a few moments, and minimize the
Firefox window.
22. In the MTPuTTY window, examine the captured packets to determine the source and
destination addressing, and verify that the exchange is between a combination of the following
IP addresses.
This address is the IP address of the student desktop system.
The IP address of one of the Web servers on the Web logical switch network. The address
that appears in the most recent capture should be the Web server that is not seen in the
previous capture.
Task 8: Examine NAT Rule Changes

An NSX Edge instance automatically defines NAT rules for various features to facilitate the
operation of those features.
2. In the NAT rules list, find the destination NAT rule that has VIP 1 IP address in the Original IP
Address Column and a blank Rule Type.

All other rules have a Rule Type of USER.
The blank rule type is an autogenerated destination NAT rule that the system created as part of
the virtual server configuration.
3. Examine the destination NAT rule.
4. Expand and examine the Original IP Address and Translated IP Address fields.
Q1. Is the original IP address being translated in any way by this rule?
1. No, the original and translated IP addresses are both VIP1 IP address.
Q2. Is the port range being translated in any way by this rule?
2. No
104
Q3. If this rule performs no apparent translation, why did the system define it?
3. To force the traffic into the NAT logic of the NSX Edge services gateway where a member
server can be selected and the actual destination NAT can be performed. Traffic received on the
virtual server IP address must undergo a destination NAT translation after the destination server
is selected from the pool, based on the configured load-balancing algorithm. Because server
selection is dynamic, the destination NAT rule triggers the destination NAT operation where
further logic can be applied.
12
Q4. Given that a virtual server uses a destination NAT rule to trigger member server
selection, do you think that a virtual server can operate normally using a pool
of member servers with IP addresses that are also defined by destination NAT
rules?
4. No, a virtual server cannot operate on a pool of destination NAT-defined addresses. Such
functionality would require recursive application of the NAT logic to each packet that is received.
The system is not designed to accommodate that type of operation. Only one NAT rule can be
applied to any packet received.
Q5. Which interface is the destination NAT rule applied on?
5. Uplink-Interface
Task 9: Migrate the Web-Tier Logical Switch to the Perimeter Gateway

You migrate the Web-Tier logical switch so that the network is connected directly to the perimeter
gateway. The load balancer virtual server is moved to the directly connected Web-Tier network to
show side-by-side operation of the load balancer.
Web-Tier-Temp interface IP address
1. At the top of the left navigation pane, click the Networking & Security back arrow.
2. In the edge list, double-click the Distributed Router - your_site_name entry to manage that
object.
4. In the settings category panel, select Interfaces,
5. In the interfaces list, select the Web-Interface entry and click the disconnect icon.
6. Wait for the update to complete and verify that a disconnect icon appears in the Web-Interface
Status column.
7. At the top of the left navigation pane, click the Networking & Security back arrow.
object.
105
11. Select the vNIC# 2 interface and click the pencil icon to open the Edit NSX Edge Interface
dialog box.
a. Enter Web-Tier-Temp in the Name text box.
b. Verify that the Type selection is Internal.
d. Click Web-Tier and click OK.
e. Above the IP Address table, click the green plus sign to open the Add Subnet dialog box.
f. Enter the Web-Tier-Temp interface IP address in the Primary IP address text box.
The new interface that you are configuring on the perimeter gateway replaces the
distributed router interface that you disconnected in step 5 by using the same IP address.
g. Enter 24 in the Subnet Prefix Length text box.
h. Click OK to commit the interface changes.
Task 10: Reposition the Virtual Server and Examine NAT Rule Changes
The virtual server is repositioned to be on the same subnet as the pool members, in a one-armed
configuration.
VIP 2 IP address
1. Under the Manage tab, click Load Balancer.
3. In the virtual servers list, select the single virtual server that is defined and click the pencil icon.
4. In the Edit Virtual Server dialog box, change the IP Address field to the VIP 2 IP address and
click OK.
For this example, the primary IP address of an interface is used for the virtual server.
106
6. In the NAT rules list, find the destination NAT rule that has VIP 2 IP address in the Original IP
Address column.
Q1. Has the system autoremoved the destination NAT rule for the old virtual server
IP address of original VIP 1 IP address?
1. Yes
Q2. Is the new rule translating the original IP address or port in any way?
2. No
12
Q3. Based on the virtual server destination NAT rules that you have examined so
far, is there any difference in the actual operation performed by NSX Edge on
traffic to be sent to a member server?
3. No, the operations are the same.
7. Examine each of the new destination NAT rule columns carefully, thinking back to the previous
destination NAT rule that you examined when the virtual server was positioned on the UplinkInterface network.
Q4. Other than a primary interface IP address being used as the virtual server IP
address in this example, what is the primary difference between the two
positions in terms of traffic flow and sequence of operations on the edge when
traffic is received, transformed, and subsequently sent to a member server?
4. The destination NAT translation occurs on the outbound interface. In this case, vNic_2 facing
the network that the member servers are attached to. The previous destination NAT rule was
applied on the receiving interface because destination NAT rules must be applied on the interface
connected to the network that contains the original IP address to be translated, regardless of
ingress or egress.
Task 11: Use a Packet Capture to Verify Round-Robin Operation

You use the same techniques learned so far to verify proxy mode operation.
VIP 2 IP address
2. In the MTPuTTY window, run the following command to begin capturing SSL packets on the
Web-Tier-Temp interface.
3. Leave the packet capture running and restore the Internet Explorer window.
107
4. In the Internet Explorer window, open another tab and go to https://VIP_2_IP_address.
While performing the interim tasks in this activity, after migrating the Web-Tier virtual switch,
the OSPF routing table automatically updates and both perimeter gateway and distributed router
are aware of the new network location.
5. When Internet Explorer reports a problem with the Web sites certificate, click the Continue to
this website (not recommended) link.

6. After the Web page is displayed, close the browser tab used to browse the Web page and
minimize the Internet Explorer window.

7. In the MTPuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP addresses.
The IP address of the student desktop.
These address of one of the Web servers on the Web logical switch network.
8. Leave the packet capture running.
9. Restore the Firefox window and go to https://VIP_2_IP_address.
10. When Firefox reports a problem with the Web site security certificate, click the I understand
the Risks link.

11. Click Add Exception and click Confirm Security Exception.
12. Wait for the Web page to be displayed, which might take a few moments, and close the Firefox
window.
13. In the MTPuTTY window, examine the captured packets and verify that the exchange is
between a combination of the following IP addresses.

At this point, the load balancer is still set to Transparent mode. Thus, the source that you
should be looking for is the student desktop where the request is originating
IP Address of one of the Web servers.
The address that appears in the capture should be the Web server not seen in the previous
capture.
15. Restore the Internet Explorer window and, if not already active, click the vSphere Web Client
tab.
108

2. In the vSphere Web Client, click the Networking & Security back arrow.
vSphere Web Client
12
web-sv-01a
109
110
Lab 13
Advanced Load Balancing
:
13
Objective: Configure a load balancer to provide SSL

security for a Web site
2. Generate a Certificate
3. Modify the Existing Load Balancer
4. Capture Network Traffic at the Perimeter Gateway
5. Migrate the Web-Tier Logical Switch Back to the Distributed Router
This lab requires that you complete the previous lab (Configuring Load Balancing with NSX Edge
Gateway). If you did not perform the previous lab, ask your instructor for guidance.
Lab 13 Advanced Load Balancing
111

Your site name
b. In the MTPuTTY window, double-click the IP Address of Edge Services GW.
d. Log in as admin using the VMware1!VMware1! password.
3. If the Internet Explorer window has been closed, double-click the Internet Explorer icon on
the student desktop.

4. If you are not logged in to the vSphere Web Client, open the vSphere Web Client.
bookmark.
password VMware1!.
tab.
a. Point to the vSphere Web Client Home icon and click the VMs and Templates icon.
d. If prompted to log in, log in as root using the VMware1! password.
6. On the vSphere Web Client Home tab, click the Networking & Security icon.
112
Task 2: Generate a Certificate

You generate a certificate request and instruct the VMware NSX Edge instance to create a selfsigned certificate from that request.
VIP 2 IP address
object.
3. Click the Manage tab and click Settings.
4. In the settings category panel, select Certificates.
13
5. Select Generate CSR from the Actions drop-down menu to open the Generate CSR dialog
box.
a. Enter the VIP 2 IP address in the Common Name text box.
b. Enter ABC Medical in the Organization Name text box.
c. Enter NSBU in Organization Unit text box.
d. Enter Palo Alto in the Locality text box.
e. Enter CA in the State text box.
f. Select United States (US) in the Country field.
g. Verify that RSA is the selected Message Algorithm.
h. Verify that 2048 is the selected Key Size.
6. In the certificate list, select the newly generated signing request and select Self Sign Certificate
from the Actions drop-down menu.

7. When prompted, enter 365 in the Number of days text box and click OK.
Task 3: Modify the Existing Load Balancer

You update the application profile to include the self-signed certificate, and update the server pool to
use HTTP instead of HTTPS. You consider the Web server as not having its own certificate for this
lab. The self-signed certificate is used instead for communication between clients and the virtual
server. Communication between the virtual server and the member servers uses HTTP.
113

VIP 2 IP address
1. On the Manage tab, click the Load Balancer button.
2. In the load balancer category panel, select Application Profiles.
3. Select the single application profile that is listed and click the pencil icon.
4. In the Edit Profile dialog box, select the service certificate.
a. Deselect the Enable SSL Passthrough check box.
b. At the bottom of the dialog box, click Configure Service Certificate and leave the VIP 2
IP address selected in the certificate list.

c. Leave all other settings at the default value and click OK.
6. Select the single pool that appears and click the pencil icon.
7. In the Edit Pool dialog box, update each member server that is listed.
a. Select the member server and click the pencil icon.
b. In the Edit Member dialog box, change both the Port and the Monitor Port to 80 and
click OK.
You must ensure that both member servers are updated.
8. Click OK to close the Edit Pool dialog box.
Task 4: Capture Network Traffic at the Perimeter Gateway

You examine two different packet captures. A packet capture on the uplink interface is examined to
verify the SSL communication between clients and the virtual server. A packet capture on the transit
network is examined to verify round-robin operation.
VIP 2 IP address
2. In the MTPuTTY window, begin capturing SSL traffic on the uplink interface by running the
following command.
3. Leave the packet capture running and position the window so that you remember that it contains
the uplink capture.

114
4. Double-click the perimeter gateway IP address in the MTPuTTY application.
Another session is started to the PuTTY perimeter gateway.

5. Log in as admin and enter the VMware1!VMware1! password.
6. In the new PuTTY window, begin capturing HTTP traffic on the web-tier-temp interface by
running the following command.

The two packet captures show the load balancer virtual server receiving SSL traffic and
connecting to a pool member server using HTTP.
7. On the student desktop, open a new tab in the Internet Explorer application.
You must ensure that you use Internet Explorer for the following tests.
13
8. In the Internet Explorer window, go to https://VIP_2_IP_address.

9. When Internet Explorer reports a problem with the Web sites security certificate, click the
Continue to this website (not recommended) link.

The Web site security message might appear after a minute. After you click the continue link,
the Web page might be displayed after a minute.
11. Select the MTPuTTY window that contains the uplink interface capture.
12. In the MTPuTTY window, examine the captured packets and verify that the exchange is
between a combination of the following IP addresses.

This IP address of the student desktop system.
This address is the virtual IP (vIP) address of the load balancer in the one-arm
configuration (VIP 2 IP Address).
13. Press Ctrl+C to stop the traffic capture.
14. Select the PuTTY window that contains the transit interface capture.
15. In the PuTTY window, examine the captured packets and verify that the exchange is between a
combination of the following IP addresses.

The IP address of the student system that is maintained in transparent mode.
The IP address of one of the Web servers on the Web-Tier logical switch.
17. Close the Internet Explorer tab.
18. Keep the original MTPuTTY window open.
115
Task 5: Migrate the Web-Tier Logical Switch Back to the Distributed

Router
You must restore the lab environment to its original state by migrating the Web-Tier logical switch
back to the distributed router. Later labs fail if the configuration is not restored.
2. Select the single virtual server that is listed and click the pencil icon to open the Edit Virtual
Server dialog box.

a. Change the IP address field to VIP 1 IP address.
The virtual server IP address must be moved back to the uplink network because the WebTier logical switch is migrated back to the distributed router.
b. Click OK.
3. Under the Manage tab, click Settings.
5. In the interface list, select the Web-Tier-Temp interface and click the disconnect icon.
6. Wait for the update to complete and verify that a disconnect icon appears in the Web-Tier-Temp
Status column.
7. Select the Web-Tier-Temp interface, click the red X to delete the interface and click OK when
prompted to confirm.
You must ensure that you delete the correct interface.
8. Wait for the update to complete and verify that vNIC# 2 has been reset.
9. At the top of the left navigation pane, click the Networking & Security left arrow button.
12. In the interface list, select the Web-Interface interface entry and click the green check mark
icon to reattach the logical switch.

13. Wait for the update to complete and verify that a green check mark icon appears in the Web-
Interface Status column.

2. In the vSphere Web Client, click the Networking & Security back arrow.
116
vSphere Web Client

web-sv-01a
13
117
118
Lab 14
Configuring NSX Edge High Availability :
14
Objective: Configure high availability and use the NSX

Edge command line to determine the current high
availability status and view heartbeat traffic
2. Configure NSX Edge High Availability
3. Examine the High Availability Service Status and Heartbeat
4. Force a Failover Condition
5. Restore the Failed Node
Lab 14 Configuring NSX Edge High Availability
119

Your site name
b. In the MTPuTTY window, double-click Perimeter Gateway IP Address.
student desktop.
bookmark.
b. When prompted, log in with Your vCenter Server administrator login account and enter the
password VMware1!.
tab.
a. On the vSphere Web Client Home tab, click the VMs and Templates icon.
6. On the vSphere Web Client Home tab, click the Networking & Security icon.
120
Task 2: Configure NSX Edge High Availability

You configure the perimeter gateway for high availability.
object.
4. In the Settings category list, select Configuration.
5. On the Configuration page, in the HA Configuration panel, determine the current high
availability status of the edge.

The status is Disabled.
6. In the HA Configuration panel, click the Change link to configure and enable high availability.
7. In the Change HA configuration dialog box, configure the settings.
a. Click Enable.
Classless Inter-Domain Routing (CIDR) format.

192.168.222.1/30
192.168.222.2/30
c. Leave all the remaining settings at the default value and click OK.
8. Wait for the high availability configuration update to finish and verify that the HA status in the
HA Configuration panel is Enabled.

10. Expand the Hosts and Clusters inventory tree so that the Management and Edge Cluster
inventory is shown.
11. In the Management and Edge Cluster inventory, find all virtual machines with names starting
with Perimeter Gateway.

12. Select each perimeter gateway virtual machine and review the Summary tab.
Q1. How many instances of the perimeter gateway did you find?
1. Two
Q2. Which host is Perimeter Gateway-0 running on?
2. Any of the ESXi hosts in the Management and Edge Cluster.
121
14
b. In the two text boxes for configuring Management IPs, enter the following IP addresses in
Q3. Which host is Perimeter Gateway-1 running on?

3. Any of the ESXi hosts in the Management and Edge Cluster, but on a different host than the
other node.
Q4. Are the NSX Edge instances running on different hosts?
4. Yes, by default, high availability peer nodes are maintained on different hosts.
13. Remain in the Hosts and Clusters inventory.
Task 3: Examine the High Availability Service Status and Heartbeat

You use command-line tools to query the high availability service status and examine the heartbeat
network traffic.
2. In the MTPuTTY window, run the following command to show the status of the high
availability service.
show service highavailability
3. Examine the command output.
This command uses the generic vshield-edge name for the VMware NSX Edge instances.
Refer to the trailing -0 or -1 to associate what the command is showing with the perimeter
gateway nodes. The active node name is shown as the value of highavailability Unit Name.
Q1. Which of the perimeter gateway nodes is active?
1. Perimeter Gateway-0 is active. This node should be the same for all students at this stage.
Q2. Are both peer nodes in good health?
2. Yes, as denoted in the Peer Host list.
Q3. Are the file synchronization and connection synchronization services
necessary for failover running?
3. Yes, both services are shown as running.
NOTE
Based on the sequence of actions taken so far, the active node should be the vshield-edge-2-0
(Perimeter Gateway-0) node. Remember which node was listed as active, you will cause a
failover in the next task.
122
4. At the command prompt, run the following command to display high availability heartbeat
packets captured on the transit network interface.

debug packet display interface vNic_1
net_192.168.222.0_mask_255.255.255.252
This command displays high availability heartbeat packets that are captured on the transit
network interface.
5. Examine the exchange and verify that the two high availability nodes are actively
communicating status to each other.

You should see packets exchanged between the following IP addresses.
192.168.222.1
192.168.222.2
6. Keep the traffic capture running and restore the Internet Explorer window.
Task 4: Force a Failover Condition

1. In the Hosts and Clusters inventory tree, select Perimeter Gateway-0, or whichever of the two
perimeter gateway nodes was listed as active in the preceding task.

2. Select Shut Down Guest OS from the Actions drop-down menu and click Yes when prompted
to confirm.
3. Monitor the appliance shutdown until the task shows as complete in the recent tasks pane and a
running indicator icon no longer appears on the virtual machine in the cluster inventory.
5. Click OK to dismiss the MTPuTTY alert and close the MTPuTTY window.
The SSH session to the perimeter gateway is terminated because the virtual machine is shut
down.
6. In the MTPUTTY application, double-click the Perimeter Gateway IP Address.
8. Run the following command to show the status of the high availability.
123
14
You power off the high availability active node to force a failover to the standby node.
The active node name is shown as the value of highavailability Unit Name.
2. No, vshield-edge-#-0 is unreachable.
Q3. Are services necessary for failover running, specifically file synchronization
and connection synchronization?
3. Yes, both services show as running.
Q4. Has a failover occurred?
4. Yes, from Perimeter Gateway-0 to Perimeter Gateway-1.
10. At the command prompt, run the following command to display high availability heartbeat
packets captured on the transit network interface.

debug packet display interface vNic_1
net_192.168.222.0_mask_255.255.255.252
This command displays high availability heartbeat packets captured on the transit network
interface.
11. Examine the packet exchange and verify that only the active node is communicating heartbeat
information and is receiving no replies from the peer node.

12. Keep the traffic capture running and restore the Internet Explorer window.
Task 5: Restore the Failed Node

You power on the stopped node to restore the high availability pair and use command-line tools to
examine changes in the high availability service configuration.
1. In the Hosts and Clusters inventory, verify that the shut-down high availability node is still
selected and select Power On from the Actions menu.

3. In the MTPuTTY window, monitor the packet capture until you observe both nodes
communicating heartbeat information again.

124
5. Run the following command to show the status of the high availability service.

The active node name is shown as the value of highavailability Unit Name.
2. Yes
Q3. Are services necessary for failover running, specifically file synchronization
and connection synchronization?
3. Yes, both services show as running.
Q4. Has a failback occurred?
14
4. No, the failover node remains active and the restored node assumes standby status.

1. Leave the MTPuTTY window open.
3. Restore the Internet Explorer window, point to the vSphere Web Client Home icon, and select
Networking.
vSphere Web Client

web-sv-01a
125
126
Lab 15
Configuring Layer 2 VPN Tunnel
Objective: Configure a Layer 2 VPN tunnel between two

NSX Edge services gateway appliances
2. Create a Port Group on the Distributed Switch for the Sink Port
15
3. Create a Trunk Interface for the Perimeter Gateway

4. Configure the Perimeter Gateway as an L2VPN Server
5. Prepare the Remote Site for Setting Up an L2VPN Tunnel
6. Create an NSX Edge Gateway at the Remote Site
7. Create a Logical Switch and Attach the Switch to the Remote Gateway
8. Configure the Remote Gateway as an L2VPN Client
9. Update the web-sv-02a Web Server at the Remote Site
10. Test Tunnel Connectivity
Lab 15 Configuring Layer 2 VPN Tunnel
127

Your site name
b. In the MTPuTTY window, double-click the Perimeter Gateway - your_site_name IP
address.
student desktop.
a. In the Internet Explorer window, click the vSphere Web Client - Your Site Name
bookmark.
password VMware1!.
tab.
a. On the vSphere Web Client Home tab, click VMs and Templates.
f. Point to the vSphere Web Client Home icon, click Networking.
128
Task 2: Create a Port Group on the Distributed Switch for the Sink Port
You create a port group on the distributed switch for the sink interface used by the L2VPN feature.
1. Expand the inventory tree and select vds-datacenter.
2. In the middle pane, click Actions and select Distributed Port Group > New Distributed Port
Group.
3. Enter L2VPN-Trunk in the Name text box in the New Distributed Port Group window.
4. Click Next.
5. Leave the default settings on the Configure Settings page and click Next.
Task 3: Create a Trunk Interface for the Perimeter Gateway

You create a Trunk interface on the perimeter gateway for the L2VPN feature. You must remove the
Web-Tier logical switch from the distributed logical router, so that you can connect the Web-Tier
logical switch as a subinterface on the perimeter gateway.
IP address of Subint-to-Web-Tier for the L2VPN client edge
1. Point to the Home icon of the vSphere Web Client and select Networking & Security.
15
2. Click NSX Edges in the left navigation pane.

3. Double-click the Distributed Router - your_site_name.
4. Click Settings under the Manage tab.
5. Click Interfaces link under Settings.
6. Select the Web-Tier interface and click the red X at the top.
7. Click OK in the Delete Configuration window.
8. Click the back arrow next to Networking & Security in the left navigation pane.
9. Double-click Perimeter Gateway - your_site_name in the middle pane.
10. Click the Settings tab under the Manage tab.
11. Click Interfaces under the Settings tab.
12. In the interfaces list, select the vnic2 row and click the pencil icon at the top.
13. Enter L2VPN Trunk in the Name text box in the Edit NSX Edge Interface window.
14. Select Trunk from the Type drop-down menu.
129
15. For Connected To, click the Select link.

16. Click the Distributed Portgroup tab in the Connect NSX Edge to a Network window.
17. Select L2VPN-Trunk and click OK.
18. Click the plus sign under the Sub Interfaces section.
19. Enter Subint-to-Web-Tier in the Name text box in the Add Sub Interface window.
20. Enter 10 in the Tunnel Id text box.
21. Leave Network selected for Backing Type.
22. Click the Select link for Network and select the Web-Tier logical switch.
23. Click OK.
24. Click the plus sign in the Configure Subnets section.
25. Enter the IP address of Subint-to-Web-Tier for the L2VPN client edge in the Primary IP
Address text box.

26. Enter 24 in the Subnet Prefix Length text box.
27. Click OK.
28. Click OK.
Task 4: Configure the Perimeter Gateway as an L2VPN Server

You configure the L2VPN server service on the perimeter gateway.
1. Verify that the Perimeter Gateway - your_site_name is selected in the left navigation pane.
2. Click the VPN tab under the Manage tab.
3. Select L2VPN in the middle pane.
4. Click the Enable button for L2VPN Service Status.
You must not click the Publish now.

5. Click Server for L2VPN mode.
6. Click Change for Global Configuration Details.
a. Leave Listener IP as your perimeter gateways primary IP.
b. Leave Listener Port as 443.
c. Select AES128-SHA for Encryption Algorithm.
d. Leave Use System Generated Certificate selected under the Certificate Details section.
7. Click OK.
130
8. Click the green plus sign in the Site Configuration Details section.
9. Select the Enable Peer Site check box.
10. Enter L2VPN-your_site_name in the Name text box.
11. Enter vpnuser as the user ID.
12. Enter VMware1! as the password and confirm the password.
13. Click Select Sub Interfaces for Stretched Interfaces.
14. Select Subint-to-Web-Tier in the Available Objects section.
15. Click the blue right arrow.
16. Click OK.
17. Click OK in the Add Peer Site window.
18. Click Publish Changes at the top.
19. Verify that the L2VPN service status is Enabled.
Task 5: Prepare the Remote Site for Setting Up an L2VPN Tunnel

You create a port group on the distributed switch at the remote site for setting up L2VPN
connectivity.
15

Your remote site
Remote site vCenter Server administrator login account
1. Open a tab in the Internet Explorer application and click the vSphere Web Client - your_
remote_site shortcut.
You will be logged in to the remote site Web client with your cached credentials. You can do
one of the following to log in to the remote site:
Click the user, log out, and log in again with the remote site vCenter Server administrator
login account.
Use a different browser.
2. Log in with the remote site vCenter Server administrator login account and enter the password
VMware1!.
3. Click the Networking icon on the Home page.
4. Expand the inventory in the left navigation pane and select vds-datacenter.
131
5. Click Actions in the middle pane and select Distributed Port Group > New Distributed Port
Group.
6. Enter L2VPN-RemoteSiteTrunk in the Name text box in the New Distributed Port Group
window.
7. Click Next.
8. Leave the default setting in the Configure Settings page and click Next.
9. Click Finish.
Task 6: Create an NSX Edge Gateway at the Remote Site

You add an VMware NSX gateway at the remote site for setting up L2VPN connectivity between
local and remote sites.
Datastore to use at remote site
L2VPN client edge Uplink-Interface IP
L2VPN client edge gateway IP
1. Point to the vSphere Web Client Home icon and select Networking & Security.
2. Select NSX Edges in the left navigation pane.
3. Click the green plus sign in the middle pane to create an NSX Edge instance.
4. Enter Remote Gateway in the Name text box and leave all the other default settings.
5. Click Next.
6. Enter VMware1!VMware1! as the password and confirm the password.
7. Select the Enable SSH Access check box next.
8. Click Next.
9. Click the green plus sign in the NSX Edge Appliance section.
10. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
11. Click the datastore to use at remote site for Datastore.
12. Click OK.
13. Click Next on the Configure deployment page.
14. Click the green plus sign in the Configure interfaces window.
15. Enter Uplink-Interface in the Name text box.
132
16. Leave Uplink selected for Type.

17. Click the Select link for Connected To.
18. Click the Distributed Portgroup tab and select Production.
19. Click OK.
20. Click the green plus sign in the Configure subnets section.
21. Enter the L2VPN client edge Uplink-Interface IP in the Primary IP Address text box.
22. Enter 24 in the Subnet prefix length text box.
23. Click OK in the Add NSX Edge Interface window.
24. Click Next in the Configure Interfaces window.
25. Enter the L2VPN client edge gateway IP in the Gateway IP text box on the Default gateway
settings page.
26. Leave all other settings at default and click Next.
27. Select the Configure Firewall default policy check box on the Firewall and HA page.
28. Click Accept for Default Traffic Policy.
29. Leave all settings at default and click Next.
15
31. Monitor the progress until the NSX Edge deployment is complete.
Task 7: Create a Logical Switch and Attach the Switch to the Remote
Gateway
You create a logical switch and attach it to the new remote gateway.
IP address of Subint-to-Web-Tier for the L2VPN client edge
1. Click Logical Switches in the left navigation pane.
2. Click the green plus sign in the middle pane.
3. Enter L2VPN in the Name text box in the New Logical Switch window.
4. Click the Change link for Transport Zone.
5. Select Local Transport Zone and click OK.
6. Leave all settings at default and click OK.
133
8. Double-click Remote Gateway in the middle pane.

9. Click the Settings tab under the Manage tab.
10. Click the Interfaces link on the Settings tab.
11. Click vnic1 in the list of interfaces and click the pencil icon at the top.
12. Enter L2VPN Trunk - Client in the Name text box in the Edit NSX Edge interface
window.
13. Select Trunk from the Type drop-down menu.
14. Click the Select link for Connected To.
15. Click the Distributed Portgroup tab in the Connect NSX Edge to a Network window.
16. Select L2VPN-RemoteSiteTrunk and click OK.
17. Click the green plus sign in the Sub Interfaces section.
18. Enter Subint-to-Web-Tier in the Name text box in the Add Sub Interface window.
19. Enter 10 in the Tunnel Id text box.
20. Leave Network selected for Backing Type.
21. Click the Select link for Network, select L2VPN, and click OK.
22. Click the green plus sign in the Configure Subnets section.
23. Enter the IP address of Subint-to-Web-Tier for the L2VPN client edge in the Primary IP
Address text box.

24. Enter 24 in the Subnet Prefix Length text box.
25. Click OK in the Add Sub Interface window.
26. Click OK in the Edit NSX Edge Interface window.
Task 8: Configure the Remote Gateway as an L2VPN Client

You configure the perimeter gateway as a VPN client.
L2VPN server listener IP
1. Confirm that remote gateway is selected in the left navigation pane.
2. Under the Manage tab, click VPN.
3. In the VPN category list, select L2VPN.
4. On the L2VPN configuration page, click Client next to L2VPN Mode.
134
5. Click Change to open the Client Settings dialog box.

a. Enter the L2VPN server listener IP in the Server Address text box.
b. Verify that the listener port is 443.
c. Select AES128-SHA from the Encryption Algorithm list.
d. Click the Select Sub Interfaces link, click the Subint-to-Web-Tier object, and click the
blue right arrow.

e. Click OK.
f. In the User Details section, enter vpnuser in the User Id text box.
g. Enter VMware1! in the Password text box.
h. Enter VMware1! in the Re-Type Password text box.
i. Click OK.
6. Click Enable.
8. Wait for the update to complete and verify that the L2VPN service status appears as Enabled.
9. At the bottom of the L2VPN configuration page, click Fetch Status and expand the Tunnel
Status section.
15
10. Verify that the tunnel Status is Up.

a. If the tunnel status is Down, wait a minute and click Fetch Status.
b. If the tunnel remains down, review the lab and verify that you made all configuration
changes correctly.
Task 9: Update the web-sv-02a Web Server at the Remote Site

You change the networking configuration on web-sv-02a located in the remote site inventory.
web-sv-02a IP address at the remote site
web-sv-02a default gateway at the remote site
Your remote site
135
1. Point to the Home icon of the vSphere Web Client and click the VMs and Templates icon.
2. In the inventory pane, select Discovered virtual machine > web-sv-02a and select Open
Console from the Actions drop-down menu.

3. Click Continue to this web site (note recommended) if prompted with a certificate-related
warning.
It might take a minute for the console window to initialize
4. Point to the console window, wait until the pointer becomes a hand icon, click anywhere in the
console window, and press Enter.

5. If prompted to log in, log in as root and enter the VMware1! password.
6. At the web-sv-02a command prompt, run the following command to change the IP address of
the web-sv-02a virtual machine.

ifconfig eth1 web-sv-02a_IP_address_at_the_remote_site netmask
255.255.255.0
7. Run the following command to change the default gateway used by the virtual machine.
route add default gw web-sv02a_default_gateway_at_the_remote_site eth1

8. Run the following command to verify that the IP address is assigned.
ifconfig.
9. Click the vSphere Web Client - your_remote_site tab in the Internet Explorer window.
Task 10: Test Tunnel Connectivity

You perform connectivity tests to determine the functional state of the L2VPN tunnel.
1. In the inventory pane, select Discovered virtual machine > web-sv-02a.
2. Click Actions in the middle pane and select the Edit Settings link.
3. Select the L2VPN logical switch from the Network Adapter 1 drop-down menu.
CAUTION
You must select the L2VPN logical switch and not the port group. If you do not see the L2VPN
logical switch in the drop-down menu, click Show more networks, expand the Name column,
and select the L2VPN logical switch.
4. Click OK twice.
5. In the Internet Explorer window, select the tab for the web-sv-02a VM.
136
6. At the web-sv-02a command prompt, run the following command to view the network interface
configuration.
ifconfig
7. Record the eth0 hardware (HWaddr) address. __________
8. At the command prompt, ping the web-sv-01a VM on the Web-Tier logical switch of your
VMware vCenter Server.

ping web-sv-01a_IP_address
Internet Control Message Protocol (ICMP) echo replies are received.
a. Leave the ping command running.
b. If ICMP echo replies are not received, press Ctrl+C to stop the ping command, wait for one
minute, and repeat step 8.

9. Press Ctrl+Alt to release the pointer.
10. In the Internet Explorer window, select the web-sv-01a console tab.
11. Consider the following configuration.
A Layer 2 tunnel connects two NSX Edge gateways and extends the Web-Tier logical switch
network. You have initiated a continuous ping from the Web server on the branch gateway side
of the tunnel to the Web server on the perimeter gateway side of the tunnel.
15
Q1. If you capture traffic on the web-sv-01 virtual machine, on the perimeter
gateway side of the tunnel, what is the source IP address that the incoming
ping packets would have?
1. The address of the web-sv-02a virtual machine.
Q2. What is the source hardware (MAC) address that the frames would have?
2. The MAC address of web-sv-02a because the tunnel wraps Layer 2 traffic and when
decapsulated, the hardware address is preserved.
12. At the web-sv-01a command prompt, examine the Address Resolution Protocol (ARP) table.
arp -a
13. In the ARP table output, find the hardware address and the IP address of the web-sv-02a virtual
machine.
Q3. Is the hardware address the same that you recorded in step 7?
3. Yes
137
Q4. Is this what you expected to see? If not, why?

4. Yes, tunnel decapsulation ensures original source MAC/IP address.
The hardware address for web-sv-02a is preserved when the tunnel traffic is decapsulated by the
perimeter gateway. Because this is a Layer 2 tunnel, response frames sent to that MAC address
are intercepted for encapsulation back to the sending node. This tunnel differs from an IPsec
tunnel, for example, where you might see the source IP with the hardware address of the
gateway interface that faces the destination.

4. In the web-sv-02a console tab, press Ctrl+C to stop the ping command.
5. Press Ctrl+Alt to release the pointer and click the vSphere Web Client - your_site_name tab.
6. In the Internet Explorer window, leave the following tabs open for the next lab.
vSphere Web Client - your_site_name

vSphere Web Client - your_remote_site
Console to web-sv-01a
138
Lab 16
Configuring IPsec Tunnels
Objective: Configure, test, and troubleshoot an IPsec

tunnel designed to connect the HQ and Branch sites
2. Prepare the Perimeter Gateway for IPsec Tunneling
3. Configure Perimeter Gateway as an IPsec Tunnel Endpoint
4. Prepare the Remote Gateway for IPsec Tunneling
5. Update the web-sv-02a Web Server in the Remote Site vCenter Server Inventory
16
6. Configure Remote Gateway as an IPsec Tunnel Endpoint

7. Test VPN Tunnel Connectivity
8. Disable IPSec on the Perimeter Gateway and Enable OSPF
Lab 16 Configuring IPsec Tunnels
139

Your site name
Your remote site
b. In the MTPuTTY window, double-click the Perimeter Gateway -your_site_name entry.
student desktop.
4. If you are not logged in to the local vSphere Web Client, log in to the local vSphere Web Client.
bookmark.

tab.
a. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
f. Click the vSphere Web Client Home icon
140
6. If you are not logged in to the remote site vSphere Web Client, login to the remote site vSphere
Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_remote_site
bookmark.
b. When prompted, log in with your remote site VMware vCenter Server administrator
login account and enter the password VMware1!.

You might be logged in with cached credentials. You must log in with the remote site vCenter
Server administrator account.
7. In the remote site vCenter Server inventory window, if the web-sv-02a console tab is not open,
open the console tab.

Task 2: Prepare the Perimeter Gateway for IPsec Tunneling

You perform the necessary configuration changes to enable IPsec tunneling on the perimeter
gateway.
Workload VM network
16
IP address of the distributed router uplink interface

2. Point to the Web Client Home icon and click Networking & Security.
object.
5. In the middle pane, click the Manage tab and click VPN.
6. In the VPN category panel, select L2VPN.
7. In the L2VPN status panel, click Delete Configuration and click Yes when prompted to
confirm.
141
8. Wait for the update to complete and verify that the L2VPN configuration has been reset and the
service status is Disabled.

It might take up to a minute for the update to complete.
9. Under the Manage tab, click Routing.
11. In the OSPF Configuration panel, click Edit.
12. In the Edit Configuration dialog box, deselect the Enable OSPF check box and click OK.
The perimeter gateway is configured as an IPsec tunnel endpoint exposing the Web-Tier
network. The networks that are exposed by an IPsec tunnel endpoint must either be directattached subnets or subnets reachable through static routing. You cannot expose subnets that are
only reachable through a dynamic routing update from OSPF or one of the other supported
routing protocols.
13. Click Publish Changes and wait for the update to complete.
a. Select Transit-Interface from the Interface drop-down menu.
b. Enter the workload VM network in the Network text box.
c. Enter the IP address of the distributed router uplink interface in the Next Hop text box.
This address is the interface address of the distributed router on the Transit network.
d. Click OK.
Task 3: Configure Perimeter Gateway as an IPsec Tunnel Endpoint

You configure the perimeter gateway as an IPsec virtual private network (VPN) tunnel endpoint that
provides tunnel-based access to the Web-Tier network.
Local subnet
IP address of the remote gateway
Remote subnet
142
1. Under the Manage tab, click VPN.

2. In the VPN category panel, select IPSec VPN.
3. Above the tunnel endpoint list, click the green plus symbol icon to open the Add IPSec VPN
dialog box.
a. Verify that the Enabled check box is selected.
b. Enter Local-Remote in the Name text box.
c. Enter Local in the Local Id text box.
d. Enter the IP address of the perimeter gateway in the Local Endpoint text box.
This address is the same address that identified the perimeter gateway as an L2VPN server
in the previous lab.
e. Enter the local subnet in the Local Subnets text box.
Spaces are not allowed in the local subnets specification. You must enter the specification
exactly as shown.
f. Enter Remote in the Peer Id text box.
g. Enter the IP address of the remote gateway in the Peer Endpoint text box.
h. Enter the remote subnet in the Peer Subnets text box.
i. Leave AES selected for Encryption Algorithm.
j. Leave PSK selected.
k. Enter VMware1! in the Pre-Shared key text box.
l. Select the Display shared key check box and verify that the shared key is exactly
VMware1!.
16
m. Leave all remaining settings at the default value and click OK.
4. In the top status panel, click Enable.
6. In the status panel, verify that the IPSec VPN Service Status is Enabled.
Task 4: Prepare the Remote Gateway for IPsec Tunneling

You configure the remote gateway to enable IPsec VPN tunneling.
IP address of the Web-Tier subinterface on the remote gateway
1. In the Internet Explorer application, select the vSphere Web Client - your_remote_site tab.
2. Point to the vSphere Web Client Home icon and click the Networking & Security.
143

4. In the edge list, double-click the Remote Gateway entry to manage that object.
5. In the middle pane, click the Manage tab and click VPN.
6. In the VPN category panel, select L2VPN.
7. In the L2VPN status panel, click Delete Configuration.
8. Click Yes when prompted to confirm.
9. Wait for the update to complete and verify that the L2VPN configuration has been reset and the
service status is Disabled.

It might take up to a minute for the update to complete.
10. Under the Manage tab, click Settings.
12. In the interface list, select the L2VPN Trunk - Client interface and click the pencil icon.
13. In the Edit NSX Edge Interface dialog box, select the entry in the Sub Interfaces list and click
the pencil icon.

14. In the Edit Sub Interface dialog box, select the entry in Configure Subnets and click the pencil
icon.
15. Change the primary IP address to IP address of the Web-Tier subinterface on the remote
gateway.
16. Click OK to close the Edit Sub Interface dialog box.
Task 5: Update the web-sv-02a Web Server in the Remote Site vCenter
Server Inventory
You change the networking configuration on web-sv-02a to match the branch topology.
Default gateway for web-sv-02a
1. In the Internet Explorer window, click the web-sv-02a console tab.
2. At the web-sv-02a command prompt, run the following command to change the IP address of
the web-sv-02a virtual machine.

ifconfig eth1 IP_address_of_web-sv-02a netmask 255.255.255.0
144
3. Run the following command to change the default gateway used by the virtual machine.
route add default gw default_gateway_for_web-sv-02a eth1

4. Run the following command to verify that the IP address has been assigned correctly.
ifconfig
5. Run the following command to verify that the default gateway has been configured correctly.
route
Task 6: Configure Remote Gateway as an IPsec Tunnel Endpoint

You configure remote gateway as an IPsec VPN tunnel endpoint that provides tunnel-based access
to the remote Web-Tier network.
Remote subnet
Local subnet
1. In the Internet Explorer window, press Ctrl+Alt to release the pointer.
2. Click the vSphere Web Client - your_remote_site tab for the remote site.
3. In the middle pane, click VPN under the Manage tab.
4. In the VPN category panel, select IPSec VPN.
dialog box.
a. Select the Enabled check box.
b. Enter Local-Remote in the Name text box.
c. Enter Remote in the Local Id text box.
d. Enter the IP address of the remote gateway in the Local Endpoint text box.
e. Enter the remote subnet in the Local Subnets text box.
f. Enter Local in the Peer Id text box.
g. Enter the IP address of the perimeter gateway in the Peer Endpoint text box.
h. Enter the local subnet without spaces in the Peer Subnets text box.
i. Leave AES selected as the Encryption Algorithm.
145
16
5. Above the tunnel endpoint list, click the green plus symbol icon to open the New IPSec VPN
j. Leave PSK selected.

k. Enter VMware1! in the Pre-Shared key text box.
l. Select the Display shared key check box and verify that the shared key is exactly VMware1!.
m. Leave all remaining settings at the default value and click OK.
6. Click Enable.
8. In the status panel, verify that the IPSec VPN Service Status is Enabled.
Task 7: Test VPN Tunnel Connectivity

You use ping tests to determine connectivity status of the IPsec VPN tunnel.
1. Wait for one minute for the VPN tunnels to be established and click the Show IPSec Statistics
link.
2. In the IPSec VPN Statistics pop-up panel, verify that the single VPN connection that is listed in
the top table has a green check mark in the Channel State column.
3. Select the single connection listed in the top table.
4. Verify that a single tunnel is listed in the bottom table with a green check mark in the Tunnel
State column.
5. Close the IPSec VPN Statistics pop-up panel.
The VPN connection between the two VMware NSX Edge gateway appliances is established
and a tunnel is open.
6. In the Internet Explorer window, click the web-sv-02a console tab.
7. At the web-sv-02a command prompt, start a ping to the IP address of the web-sv-01a VM.
The ping should be successful confirming connectivity between the two sites using IPSec VPN.
Task 8: Disable IPSec on the Perimeter Gateway and Enable OSPF

You disable IPSec on the perimeter gateway. You also enable OSPF on the perimeter gateway to
establish routing.
1. In the Internet Explorer application, select the vSphere Web Client - your_site_name tab.
146
3. Double click Perimeter Gateway - your_site_name to open the configuration of your
perimeter gateway.
4. Select the VPN tab under the Manage tab.
5. Select IPSec VPN in the middle pane.
6. Click Disable next to IPSec VPN Service Status.
7. Click Publish Changes and wait for the screen to update.
8. Click the Routing tab under the Manage tab.
9. Select OSPF in the middle pane.
11. Select the Enable OSPF check box in the OSPF Configuration pop-up window.
12. Click OK.

3. In the Internet window, close the web-sv-02a console tab.
4. Click the vSphere Web Client tab for the remote site.
16
5. At the top of the left navigation pane, click the Networking & Security left arrow.
6. In the Internet window, leave the following tabs open for the next lab.

vSphere Web Client - your_remote_site
147
148
Lab 17
Configuring and Testing SSL VPN-Plus :

Objective: Configure an SSL VPN-Plus portal page and a
direct-access client package
2. Configure SSL VPN-Plus Server Settings
3. Configure a Local Authentication Server and a Local User
4. Enable SSL VPN-Plus and Test Portal Access
5. Configure an IP Pool and Private Networks
6. Create and Test an Installation Package
7. Test Network Access by Using the SSL VPN-Plus Client Application
8. Review the Client Configuration and Examine Traffic
Lab 17 Configuring and Testing SSL VPN-Plus
17
149

Your site name
Your remote site
b. In the MTPuTTY window, double-click the Perimeter Gateway -your_site_name entry.
student desktop.
bookmark.

tab.
a. On the vSphere Web Client Home tab, click Inventories > VMs and Templates.
e. Press Ctrl+Alt to release the pointer.
150
f. Click the vSphere Web Client tab.

g. Click the vSphere Web Client Home icon.
6. If you are not logged in to the remote site vSphere Web Client, login to the remote site vSphere
Web Client.
bookmark.
b. When prompted, log in with the remote site vCenter Server administrator login account and

7. On the vSphere Web Client Home tab, click Inventories > Networking & Security.
Task 2: Configure SSL VPN-Plus Server Settings

You configure SSL VPN-Plus to enable remote gateway at your remote site to act as a VPN server.
2. In the edge list, double-click the Remote Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click SSL VPN-Plus.
4. In the SSL VPN-Plus category panel, select Server Settings and click Change.
5. In the Change Server Settings dialog box, configure the server settings.
a. For IPv4 Address, leave the Primary address selected.
b. For IPv6 Address, leave None selected.
c. Leave the port specification of 443.
d. Select AES256-SHA from the Cipher List.
e. For Server Certificate, leave the Use Default Certificate check box selected.
f. Click OK.
17
Task 3: Configure a Local Authentication Server and a Local User

You configure remote gateway to provide local authentication services.
1. In the SSL VPN-Plus category panel, select Authentication.
2. In the middle pane, click the green plus sign icon to open the Add Authentication Server dialog
box.
a. Select LOCAL from the Authentication Server Type drop-down menu.
b. Deselect the Enable password policy check box.
151
c. Deselect the Enable account lockout policy check box.

d. Leave all other settings at the default value and click OK.
3. In the SSL VPN-Plus category panel, select Users.
4. In the middle pane, click the green plus sign to open the Add User dialog box.
a. Enter vpn-user in the User ID text box.
b. Enter VMware1! in the Password text box and the Re-type Password text box.
c. Select the Password never expires check box.
d. Leave all other settings at the default value and click OK.
Task 4: Enable SSL VPN-Plus and Test Portal Access

You enable SSL VPN-Plus and test portal access using a browser.
1. In the SSL VPN-Plus category panel, select Dashboard.
2. In the Status panel, click Enable and click Yes when prompted to confirm.
3. Wait for the update to complete and verify that the service status is Enabled.
4. In the Internet Explorer window, open a new browser tab and go to https://
IP_address_of_remote_gateway.
5. When prompted with the Web sites certificate warning, click the Continue to this website (not
recommended) link.
6. In the VMware SSL VPN-Plus portal page, log in as vpn-user and enter the password
VMware1!.
7. On the user portal page, verify that one tab labeled Tools is shown with a Change Password link
available.
8. Click the Logout link in the black status bar on the upper-right corner of the page and click OK
when prompted to confirm.

9. In the Internet Explorer window, close the portal tab and click the vSphere Web Client -
your_remote_site tab.
152
Task 5: Configure an IP Pool and Private Networks

You configure an IP pool and private networks in preparation for direct-network connectivity by an
SSL VPN-Plus client.
Remote site web-sv-02a VM network
1. In the SSL VPN-Plus category panel, select IP Pool.
2. On the IP Pool configuration page, click the green plus sign to open the Add IP Pool dialog box.
a. Enter 192.168.170.2 in the first IP Range text box.
b. Enter 192.168.170.254 in the second IP Range text box.
c. Enter 255.255.255.0 in the Netmask text box.
d. Enter 192.168.170.1 in the Gateway text box.
e. Leave all other settings at the default value and click OK.
3. In the SSL VPN-Plus category panel, select Private Networks.
4. On the Private Networks configuration page, click the green plus sign to open the Add Private
Networking dialog box.

a. Enter the remote site web-sv-02a VM network in the Network text box.
Task 6: Create and Test an Installation Package

You create and configure an installation package.
1. In the SSL VPN-Plus category panel, select Installation Package.
17
2. On the Installation Package configuration page, click the green plus sign to open the Add
Installation Package dialog box.

a. Enter Test Package in the Profile Name text box.
b. In the Gateway table, enter the IP address of the remote gateway in the Gateway column
text box, leave the port at 443, and click OK to confirm the entry.
153
c. In the Installation Parameters for Windows list, select the following check boxes.
Allow remember password

Enable silent mode installation
Create desktop icon
d. Click OK.
IP_address_of_remote_gateway.
4. When prompted to log in, log in as vpn-user and enter the password VMware1!.
5. In the SSL VPN-Plus portal, click the Test Package link on the Full Access tab.
A new browser window opens.

6. In the new Internet Explorer browser window, click the Please click here to start the
installation link.
7. When prompted, click Run.
The SSL VPN-Plus test package is installed on the student desktop.

8. Close the new Internet Explorer window that opened when you started the installation.
9. In the SSL VPN-Plus portal, click the Logout link in the black status bar on the upper-right
corner of the page and click OK when prompted to confirm.

10. Close the portal tab.
Task 7: Test Network Access by Using the SSL VPN-Plus Client

Application
You use the SSL VPN-Plus client application to test direct access to networks available through the
SSL VPN-Plus tunnel.
2. In the Command Prompt window, run the following command to try to ping the web-sv-02a
located in the remote site vCenter Server inventory.

The ping command does not receive Internet Control Message Protocol (ICMP) echo replies.
154
4. On the student desktop, find a new shortcut titled VMware Tray.
The VMware Tray shortcut was added when the SSL VPN-Plus test package was installed from
the portal page.
5. Double-click the VMware Tray shortcut to start the SSL VPN-Plus Client application and click
Login.
6. When prompted, log in as vpn-user and enter the password VMware1!.
7. Click OK when prompted to confirm that the connection has been established.
8. In the Command Prompt window, run the following command to ping the web-sv-02a server.
The ping command receives ICMP echo replies.
Task 8: Review the Client Configuration and Examine Traffic

You review the SSL VPN-Plus client configuration and verify tunnel connectivity using traffic
capture tools.
1. On the student desktop, double-click the VMware Tray shortcut again.
When the SSL VPN-Plus client is running, double-clicking the program icon opens the statistics
window. The statistics window can also be opened from the client application icon that is
running in the system tray.
2. In the SSL VPN-Plus Client - Statistics window, click the Advanced tab.
Q1. What is the gateway address and port for the network configuration?
17
1. IP address of the remote gateway:443

Q2. Which local subnets are exposed to the tunnel client?
2. Web-Tier subnet/255.255.255.0
Q3. Which IP address is assigned to the encapsulated packets that traverse the
tunnel?
3. An IP address from the range configured for the IP pool

4. Click Server > Add Server.
155
5. Enter the IP address of the remote gateway in the Server Name text box and select SSH as the
protocol.
6. Click OK.
7. In the MTPuTTY window, double-click the IP address of the remote gateway in the left pane.
8. When prompted, click Yes to confirm the PuTTY security alert.
10. Run the following command to begin capturing ICMP packets on the internal network.
debug packet display interface vNic_1 icmp

Q4. If you capture packets on the NSX Edge side of the SSL VPN-Plus tunnel, on an
interface connected to the destination subnet, what source IP address do ping
packets have?
4. The IP address assigned to the SSL VPN-Plus client out of the IP pool specified in the tunnel
profile.
11. Leave the packet capture running and switch to the Command Prompt window.
12. Run the following command to ping the web-sv-02a server.
13. Switch to the MTPuTTY window and verify that an ICMP exchange has occurred between the
following IP addresses.
This address is the IP address assigned to the SSL VPN-Plus Client application running on
the student desktop system.
This address is the IP address of the web-sv-02a server.
15. Close the MTPuTTY window for the Remote Gateway.
16. Minimize MTPUTTY.
17. On the student desktop, double-click the VMware Tray icon.
18. Click Logout on the General tab and click Yes when prompted to confirm.

156

4. Close the vSphere Web Client - your_remote_site and web-sv-02a tabs in the Internet
Explorer window.
5. Click the vSphere Web Client - your_site_name tab in the Internet Explorer window.
6. Verify that you are in the Networking & Security inventory view.
7. In the Internet window, leave the following tabs open for the next lab.
vSphere Web Client

17
157
158
Lab 18
Using NSX Edge Firewall Rules to

Control Network Traffic
Objective: Define NSX Edge firewall rules to restrict

traffic to one or more Web servers
2. Restrict Inbound Web Server Traffic to HTTP and HTTPS
3. Determine How the Firewall Rule Interacts with Other NSX Edge Features
18
Lab 18 Using NSX Edge Firewall Rules to Control Network Traffic
159

Your site name
b. In the MTPuTTY window, double-click the IP address of the perimeter gateway.
student desktop.
bookmark.
tab.
160
Lab 18
Using NSX Edge Firewall Rules to Control Network Traffic
6. Point to the vSphere Web Client Home icon, click Networking & Security.
Task 2: Restrict Inbound Web Server Traffic to HTTP and HTTPS

You configure a new firewall rule to restrict traffic destined for a Web server to HTTP and HTTPS.
object.
3. In the middle pane, click the Manage tab and click Firewall.
4. In the firewall rules list, find the rule named Default Rule.
5. If necessary, use the horizontal scroll bar to uncover the Action column.
6. Point to the Action cell until a plus sign icon appears.
7. Click the plus sign icon.
8. Select Deny from Action drop-down menu.
9. Click Log and click OK.
10. Above the rule list, click Publish and wait for the update to complete.
11. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_web-
sv-01a.
12. Verify that the Web page cannot be displayed and close the browser tab.
13. If not active, click the vSphere Web Client - your_site_name tab.
14. On the Firewall configuration page, click the green plus sign to create a row in the rules table.
The new row is highlighted.
18
15. Point to the Name cell and click the plus sign.
16. Enter Allowed to Web Servers in the Rule Name text box and click OK.
161
17. Point to the Destination cell, click the plus sign, and configure settings in the Specify
Destination pop-up configuration panel.

a. Select IP Sets from the Object Type drop-down menu.
b. Click the New IP Set link at the bottom of the pop-up panel to open the Add IP Addresses
dialog box.
Option
Action
Name
Enter Local Web Servers in the text box.
Description
Leave blank.
IP Addresses
c. Click OK to close the Add IP Addresses dialog box.

d. Click OK to close the Specify Destination window.
18. Point to the Service cell, click the plus sign, and configure the service in the pop-up
configuration panel.
a. Enter HTTP in the search text box.
b. Select generic HTTP and HTTPS services in the Available Objects pane.
c. Click the right arrow to move HTTP and HTTPS to the Selected Objects pane.
d. Click OK to close the pop-up configuration panel.
19. Verify that the Action for the new rule is Accept.
20. Click Publish and wait for the update to complete.
sv-01a.
22. Verify that the Web page is displayed or that you are prompted with a certificate related
warning, and close the browser tab.

162
Lab 18
Task 3: Determine How the Firewall Rule Interacts with Other NSX
Edge Features
You determine how a firewall rule interacts with an existing destination NAT rule.
Load balancer VIP IP address
DNAT IP address of web-sv-01a
load_balancer_VIP_IP_address.
2. Verify that the Web page is not displayed and close the browser tab.
3. If not active, click the vSphere Web Client tab.
Q1. Because the virtual server for load balancing HTTP traffic was configured with
the web-sv-01a Web server as a member server, will the rule that you just
created allow HTTP connections to the virtual server IP address?
1. No
4. In the Internet Explorer window, open a new browser tab and go to https://DNAT_IP_of_web-
sv-01a.
This address is the destination NAT address for the web-sv-01a Web server.
5. Verify that the Web page cannot be displayed and close the browser tab.
7. In the middle pane, click Grouping Objects under the Manage tab.
8. In the category panel, select IP Sets.
9. In the IP Set list, select the Local Web Servers entry.
10. Click the pencil icon to open the Edit IP Addresses dialog box.
a. In the IP Addresses text box, enter the IP address of web-sv-01a and the DNAT IP address
of web-sv-01a, separated by a comma.

b. Click OK.
sv-01a.
12. Verify that the Web page is displayed or that you are prompted with a certificate warning, and
close the browser tab.

163
18
11. In the Internet Explorer window, open a new browser tab and go to https://DNAT_IP_of_web-
14. In the middle pane, click Firewall under the Manage tab.
15. In the rule list, select the Allowed to Web Servers rule.
16. Click the red X icon to delete the rule and click OK when prompted to confirm.
17. Point to the Default Rule Action cell.
18. Click the plus sign.
19. Select Accept from the Action drop-down menu.
20. Click OK.
21. Click Publish and wait for the update to complete.

3. At the top of the left navigation pane, click the Networking & Security left arrow button.

164
Lab 18
Lab 19
Using the VMware NSX Distributed

Firewall Rules to Control Network Traffic :
Objective: Define the VMware NSX Distributed Firewall
rules to restrict traffic to one or more Web servers and
between application tiers
2. Create a Distributed Firewall Section
3. Configure Cross-Tier Rules
4. Restrict Inbound Web Server Traffic to HTTP and HTTPS
5. Review Distributed Firewall Log Entries
6. Restore a Saved Distributed Firewall Configuration
19
Lab 19 Using the VMware NSX Distributed Firewall Rules to Control Network Traffic
165

Your site name
b. In the MTPuTTY window, double-click the IP address of the perimeter gateway.
d. Log in as admin using the VMware1!VMware1! password.
student desktop.
4. If you are not logged in to the vSphere Web Client, open the vSphere Web Client.
bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account,
using the VMware1! password.

tab.
d. If prompted to log in, log in as root using the VMware1! password.
6. Point to the vSphere Web Client Home icon, click Networking & Security icon.
166
Task 2: Create a Distributed Firewall Section

You create a section that contains your custom firewall rules.
1. In the left navigation pane, select Firewall.
2. In the middle pane, verify that General is selected on the Configuration tab.
3. In the section list, find the Default Section Layer3 entry.
4. If necessary, use the horizontal scroll bar to uncover the icons that appear on the far right of the
default section.
5. Click the folder icon.
6. In the pop-up configuration panel, create a section.
a. Enter Test Section in the Section name text box.
b. Leave Add section above selected.
c. Click OK.
Task 3: Configure Cross-Tier Rules

You configure rules to allow basic connectivity between the Web-Tier, App-Tier, and DB-Tier
networks.
1. If necessary, use the horizontal scroll bar to uncover the icons on the far-right side of the Test
Section entry and click the green plus sign to create a rule.
2. Expand Test Section and find the new rule entry.
3. Point to the Name cell and click the pencil sign.
4. Enter Allowed Web To App in the Rule Name text box and click OK.
5. Point to the Source cell and click the pencil sign to open the Specify Source configuration
panel.
a. Select Logical Switch from the Object Type pane.
b. Select Web-Tier in the Available Objects pane and click the blue right arrow to move the
switch into the Selected Objects list.

c. Click OK.
6. Point to the Destination cell and click the pencil sign to open the Specify Destination
a. Select Logical Switch from the Object Type drop-down menu.

167
19
b. Select App-Tier in the Available Objects list and click the blue right arrow to move the
7. Click OK.
8. Point to the Services cell and click the pencil sign to open the Specify Service configuration
panel.
a. Click the New Service link that appears in the lower-left corner of the pop-up panel.
b. Enter the following details in the Add Service dialog box.
Option
Action
Name
Enter Tomcat-8443 in the text box.
Description
Leave blank.
Protocol
Leave TCP selected.
Destination ports
Enable inheritance...
Leave at the default value (deselected).
c. Click OK twice to close the Add Service dialog box.

10. Click the green plus sign above the rules list to create a rule.
If the icon is not active, select any rule in the Test Section rule list.
12. Enter Allowed App To DB in the Rule Name text box and click OK.
panel.
b. Select App-Tier from the Available Objects list and click the blue right arrow to move the

c. Click OK.
b. Select DB-Tier from the Available Objects list and click the blue right arrow to move the

168
15. Click OK.

16. Point to the Services cell and click the pencil sign to open the pop-up configuration panel.
a. Enter SQL in the search text box.
b. In the Available services list, scroll down to find the generic MySQL service.
c. Select the MySQL service and click the blue right arrow to move the service to the
Selected Objects list.

d. Click OK.
Task 4: Restrict Inbound Web Server Traffic to HTTP and HTTPS

You configure a firewall rule that restricts network traffic that is destined for a Web server to HTTP
and HTTPS.
NAT IP address of web-sv-01a
sv-01a.
2. Verify that the Web page is displayed or that you are prompted with an untrusted connection
message, and close the browser tab.

3. Click the vSphere Web Client - your_site_name tab.
4. In the firewall section list, expand the Default Section Layer3 entry.
5. Point to the Default Rule Action cell and click the pencil sign.
6. Select Block from the Action drop-down menu.
9. In the Internet Explorer window, open a new browser tab and go to https://P_address_of_web-
sv-01a.
10. If the Web page is displayed, click the Internet Explorer refresh icon to reload the page.
11. Verify that the Web page is not displayed and close the browser tab.
19
169
13. Click the green plus sign above the rules list to create a rule in Test Section.
If the icon is not active, you can select any rule in the Test Section rule list and click the green
plus sign.
15. Enter Allowed to Web Servers in the Rule Name text box and click OK.
b. Select Web-Tier from the Available Objects list and click the blue right arrow to move the
Web-Tier entry to the Selected Objects list on the right.

c. Click OK.
panel.
a. Enter HTTP in the search text box.
b. Select the generic HTTP and HTTPS services in the Available Objects list and click the
blue right arrow to move those services to the Selected Objects list.
c. Click OK.
18. Point to the Action cell and click the pencil sign that appears.
sv-01a.

24. Point to Web-Tier in the Destination cell and click the red X icon that appears to remove Web-
Tier from the Destination cell.

25. Point to the Destination cell and click IP.
26. In the pop-up configuration panel, add the IP address of the Web server.
a. Leave IPv4 selected.
170
b. Enter the IP Address of web-sv-01a in the Value text box.
This address is the IP address of the Web server on the Web-Tier logical switch network.
c. Click OK.
NAT_IP_address_of_web-sv-01a.
This address is the destination NAT address that you configured earlier for the web-sv-01a Web
server.
29. Click the Internet Explorer page refresh icon to reload the page.

32. Read the following summary.
In the previous lab, attempts to browse the destination NAT address were blocked by the
firewall rule defined on the perimeter gateway until the destination IP set was expanded to
include the destination NAT address.
Q1. Why does the Distributed Firewall rule allow browser connections to the Web
server through the destination NAT address, when the rule explicitly defines
web-sv-01as IP as the only valid destination?
1. Distributed Firewall rules work on true source and destination addresses and objects. Such
rules are not affected by transforms (such as destination NAT translations) performed by NSX
Edge devices.
Task 5: Review Distributed Firewall Log Entries

You review log entries that detail connections that have been allowed or blocked by firewall rules.
1. In the Internet Explorer window, select the web-sv-01a tab.
2. At the web-sv-01a command prompt, attempt to ping the following servers.
IP address of app-sv-01a.
IP address of db-sv-01a.
3. Press Ctrl+C to stop each ping command after lack of connectivity is confirmed.
4. Press Ctrl+Alt to release the pointer and click the vSphere Web Client - your_site_name tab.
19
5. Point to the vSphere Web Client Home icon and select Hosts and Clusters.
171
6. Select the web-sv-01a VM in the left navigation pane and identify the host where the VM is
running.
The host name can be seen in the Summary tab of the VM.
7. Minimize the Internet Explorer window and restore the MYTPUTTY application.
8. Double-click the ESXi host where the web-sv-01a VM resides in the MYTPUTTY application.
9. Open the dfwpktlogs.log file with the vi text editor by using vi dfwpktlogs.log.
The syntax to open the log file is vi /var/log/dfwpktlogs.log.

10. Search for the PASS string in the log file.
To search for the keyword PASS, you must use /PASS in the vi editor.
Log entries describing connections that were allowed because of the a firewall rule appear.
11. Search for the DROP string in the log file.
Log entries describing connections that were dropped because of a firewall rule appear.
12. Restore the Internet Explorer application.
Task 6: Restore a Saved Distributed Firewall Configuration

You restore the firewall configuration from a saved backup.
2. In the left navigation pane, select Firewall.
3. In the middle pane, click the Saved Configurations tab.
The configuration list contains several new entries that were autosaved by the system.
4. Click the Configuration tab.
5. Under General and Ethernet, click the Load saved configuration icon.
6. In the Load Saved Configuration dialog box, scroll down and select the oldest autosaved
configuration with todays date and click OK.

The oldest autosaved configuration was saved when Test Section was created, before new rules
are defined.
7. When prompted to confirm, read the message and click Yes.
172


19
173
174
20
Lab 20
Configuring an Identity-Aware Firewall
Objective: Configure an identity-aware firewall

2. Prepare the Infrastructure for an Identity-Aware Firewall
3. Add an Active Directory Domain to the NSX Manager Instance
4. Configure Identity-Aware Firewall Rules
5. Verify the Identity-Aware Firewall Configuration
Lab 20 Configuring an Identity-Aware Firewall
175

Your site name
student desktop.
bookmark.

4. In the Internet Explorer window, open the console tab of the Windows7 VM.
a. On the vSphere Web Client Home tab, click Inventories > Hosts and Clusters.
b. Expand the inventory tree and select Windows7.
c. Power on the virtual machine and wait for the operation to complete.
d. Select Open Console from the Actions drop-down menu.
You must not login to the VM now.

f. Point to the vSphere Web Client Home icon and click Networking & Security.
176
20
Task 2: Prepare the Infrastructure for an Identity-Aware Firewall

You deploy Guest Introspection and enable Activity Monitoring for the Compute cluster. These
features are prerequisites for configuring the identity-aware firewall.
Use the following information in the class configuration handout:
Data center
1. Click the Installation link in the left navigation pane.
2. Click the Service Deployments tab in the middle pane.
3. Click the green plus sign in the Network & Security Service Deployments pane.
4. Select the Guest Introspection check box in the Select Service & Schedule window and click
Next.
5. Ensure that your data center is selected in the Datacenter field.
6. Select the Compute check box and click Next.
7. Enter the following details in the Select storage and Management Network page
a. Datastore: Name of your data store
b. Network: Management
8. Click the Change link under IP Assignment.
9. Select Use IP Pool in the Select IP Pool assignment mode.
10. Click Controller-Pool.
11. Click OK.
12. Click Next.
You can configure Activity Monitoring for the Compute cluster while Guest Introspection is
deployed.
14. Click the Service Composer link in the left navigation pane.
15. Click the Security Groups tab in the middle pane.
16. Right-click the Activity Monitoring Data Collection group and select Edit Security Group.
17. Click Select objects to include in the Edit Security Group window.
18. Click the down arrow next to Object Type and select Cluster.
177
19. Select Compute in the Available Objects pane and click the right blue arrow to move the
Compute cluster to the Selected Objects pane.

20. Click Finish.
22. Verify that the deployment of Guest Introspection is complete and the installation status appears
as Succeeded.
Task 3: Add an Active Directory Domain to the NSX Manager Instance

You add an Active Directory domain to the NSX Manager instance for configuring an identityaware firewall.
NSX Manager IP address
1. Click the Management tab in the middle pane.
2. Click your NSX Manager IP address under the NSX Manager pane.
3. Click the Domains tab under the Manage tab.
4. Click the green plus sign to add a new AD domain.
5. Enter vclass.local as the name and vlcass as the NetBIOS name in the Add Domain
window and click Next.

6. Enter the details in the LDAP Options page.
Server: dc.vclass.local
Username: administrator
Password: VMware1!
7. Leave all other default settings and click Next.
8. Leave the default settings in the Security Event Log Access page and click Next.
10. Click the arrow next to Networking & Security on the top corner of the left navigation pane.
178
You configure two rules in the Default section of the distributed firewall. One rule allows SSH
connections to the win-sv-01a VM for domain group AD-SSH. This group includes the
administrator user accounts. The other rule blocks the SSH connection to the win-sv-01a VM for all
other users.
1. Click the Firewall link in the left navigation pane.
1. If necessary, use the horizontal scroll bar to uncover the icons on the far-right side of the
Default Section entry and click the green plus sign to create a rule.
2. Expand Default Section and find the new rule entry.
4. Enter Allowed SSH to Admins in the Rule Name text box and click OK.
panel.
a. Select Security Group from the Object Type drop-down menu.
b. Click the New Security Group link at the bottom left of the Specify Source window.
c. Enter AD-SSH in the Name text box of the Add Security Group window.
d. Click Select Objects to include on the left.
e. Click the down-arrow next to Object Type and select Directory Group.
f. Select AD-SSH in the Available Objects pane and click the blue right arrow to move the
group to the Selected Objects pane.

g. Click Finish.
h. Click OK on the Specify Source window.
a. Select Cluster from the Object Type drop-down menu.
b. Select the Compute cluster object and click the blue right arrow to move the cluster into
the Selected Objects list.

7. Click OK.
179
20
Task 4: Configure Identity-Aware Firewall Rules
panel.
a. Enter SSH in the Filter text box and press Enter.
b. Select SSH in the Available Objects pane and click the blue right arrow to move SSH to the
Selected Objects pane.

c. Click OK.
9. Click the green plus sign above the rules list to create a rule.
You must ensure that this rule appears below the rule that you created. You can use the Move
rule up or down buttons to arrange the rules appropriately.
If the icon is not active, you can select any rule in the Test Section rule list.
11. Enter Blocked SSH for Normal Users in the Rule Name text box and click OK.
12. Leave any as the value in the Source cell.
13. Point to the Destination cell and click the pencil sign to open the pop-up configuration panel.
a. Select Cluster from the Object Type drop-down menu.
b. Select the Compute cluster object and click the blue right arrow to move the cluster into
the Selected Objects list.

14. Click OK.
15. Point to the Services cell and click the pencil sign to open the pop-up configuration panel.
a. Enter SSH in the Filter text box and press Enter.
b. Select SSH in the Available Objects pane and click the blue right arrow to move SSH to the

c. Click OK.
16. Point to the Action cell and click the pencil sign to open the pop-up configuration.
a. Click the down arrow next to Action and select Block.
b. Click OK.
17. Click Publish Changes at the top of the middle pane.
180
You log in to the Windows7 VM by using two accounts. The administrator user account can SSH to
web-sv-01a VM, which is a part of the Compute cluster. However, the normal user account cannot
SSH to the web-sv-01a VM. This test confirms that the identity-aware firewall functions as
expected.
Admin user for Windows VM
Normal user for Windows VM
1. Click the Windows7 VM tab in Internet Explorer.
2. Click Send Ctrl+Alt+Delete at the top-right corner of the VMs remote console.
3. Click Switch User in the VMs console.
4. Click Other User.
5. Log in as the Admin user for Windows VM and enter the password VMware1!.
6. Double-click the putty application located in the putty folder in the C: drive.
7. Click Run in the Security Warning window.
8. Enter the IP address of web-sv-01a VM in the Host Name (or IP address) text box of the
PuTTY application.
A login prompt appears confirming that the domain administrator account can SSH to the websv-01a VM.
9. Close the PuTTY application.
10. Log out from the Windows7 VM.
11. Click Send Ctrl+Alt+Delete at the top-right corner of the VMs remote console.
12. Click Switch User in the VMs console.
13. Click Other User.
14. Log in as normal user for Windows VM and enter the password VMware1!.
15. Double-click the putty application located in the putty folder in the C: drive.
16. Click Run in the Security Warning window.
17. Enter the IP address of web-sv-01a VM in the Host Name (or IP address) text box of the
PuTTY application.
181
20
Task 5: Verify the Identity-Aware Firewall Configuration
18. Click OK in the Connection timed out window.
This message confirms that the normal user cannot SSH to web-sv-01a VM.
19. Close the PuTTY application.
20. Open Internet Explorer by clicking the Internet Explorer icon in the Windows taskbar.
21. Enter https://IP_address_of_web-sv-01a.
22. Verify that either the page opens or you receive warning about the Web sites certificate.
The normal user can access the Web services on web-sv-01a VM.

1. Close the Windows7 VMs tab in the Internet Explorer window.

182
21
Lab 21
Using VMware NSX Service Composer :

Objective: Define VMware NSX Service Composer
security groups and security policies
2. Create a Security Group
3. Create a Security Policy
4. Verify the Policy Functionality Before the Virus Is Found
5. Verify the Policy Functionality After the Virus Is Found
Lab 21 Using VMware NSX Service Composer
183

Your site name
student desktop.
bookmark.
password VMware1!.
4. On the vSphere Web Client Home icon, click the Networking & Security icon.
Task 2: Create a Security Group

You create a security group that includes Web servers in the Compute clusters.
1. In the left navigation pane, select Service Composer.
2. In the middle pane, click the Security Groups tab.
3. Click the New Security Group icon to open the New Security Group dialog box.
4. Enter Quarantine Group in the Name text box.
5. Click Next.
6. In the Criteria Details area, click the VM Name drop-down menu and leave Contains selected.
7. Enter virus in the text box.
8. Click Next.
9. On the Select Objects to Include page, click Next.
10. On the Select Objects to Exclude page, click the Object Type drop-down menu and select
Distributed Virtual Port Group.

184
11. In the Available Objects pane, select Management.

12. Click the right arrow icon to add the distributed port group to the Selected Objects pane.
13. Click Next.
21
14. Review the settings in the Ready to complete pane and click Finish.
Task 3: Create a Security Policy

You configure a security policy to isolate ports in the security group.
1. In the middle pane, click the Security Policies tab.
2. Click the Create Security Policy icon.
3. On the Name and description page, enter Isolate Compromised VMs in the name text
box.
5. On the Guest Introspection Services page, click Next.
6. On the Firewall Rules page, click the green plus icon.
7. In the New Firewall Rule dialog box, enter Block all Traffic in the Name text box.
8. Click Block for Action.
9. In the Source section, click the Change link.
10. In the Firewall Rule Select Source dialog box, select Any.
11. Click OK.
12. In the Destination section, click the Change link.
13. In the Firewall Rule Select Destination dialog box, leave the setting as Policys Security
Groups.
14. Leave all other settings at the default value and click OK.
15. Click Next
16. On the Network Introspection Services page, click Next.
17. Click Finish.
18. Click Actions and click the Apply Policy icon.
19. In the pop-up menu, select the Quarantine Group check box.
20. Click OK.
185
Task 4: Verify the Policy Functionality Before the Virus Is Found

You verify the security policy configuration before the virus is found.
1. At the student desktop command prompt, ping the web-sv-01a VM.
ping -t web-sv-01a
The pings should be received.
2. Go back to the VMware vSphere Web Client.
3. Ensure that Service Composer is selected in the left navigation pane.
4. Click the Canvas tab in the middle pane.
The Quarantine Group is represented as a box. A security policy is associated with Quarantine
Group. You can identify the name of the security policy by clicking on the icon on the top-right
corner of the box. The number of VMs added to the group is zero.
5. Point to the Home icon and select VMs and Templates.
6. Select the web-sv-01a VM from the left navigation pane.
7. Click the Monitor tab in the middle pane.
8. Click the Service Composer tab and verify that no security services are associated with the VM
by clicking Guest Introspection Services, Firewall Rules, and Network Introspection

Services.
Task 5: Verify the Policy Functionality After the Virus Is Found

You verify the security policy configuration after a virus is found in the web-sv-01a VM.
1. Ensure that web-sv-01a is selected in the left navigation pane.
2. Click the Actions icon and select Rename.
3. Enter virus at the end of the VMs name.
4. Click OK.
5. Maximize the command prompt and verify if the ping requests time out.
6. Go back to the vSphere Web Client and click the refresh icon next to the user name.
7. Ensure that VM web-sv-01avirus is selected on the left navigation menu.
8. Click Monitor and select Service Composer.
9. Select Firewall Rules in the middle pane and verify if the firewall policy is applied to the VM.
186
11. Click Service Composer in the left navigation pane.

12. Select the Canvas tab.
The Quarantine Group has one VM associated with it.

web-sv-01virus.

1. Point to the Home icon and select VM and Templates.
2. Select the web-sv-01avirus VM in the left navigation pane.
3. Click Actions and select Rename.
4. Delete virus from the VMs name.
5. Click OK.
6. Maximize the command prompt
The ping gets replies.

7. Enter Ctrl + C to stop the ping command.

187
21
13. Click the VM icon on top of the Quarantine Group box and verify that the name of the VM is
188
Lab 22
22
Configuring the Cross-vCenter NSX

Feature
Objective: Configure the cross-vCenter NSX feature and

leverage the universal objects like the universal logical
switch and the universal distributed firewall
2. Verify the Configuration of the NSX Manager Instances
3. Configure Primary and Secondary Roles for the NSX Manager Instances
4. Configure the Universal Segment ID Pool and the Universal Transport Zone
5. Create a Universal Logical Switch and Connect the Web Servers
6. Reconfigure the IP Address of the web-sv-02a Virtual Machine and Verify L2 Connectivity
Between the Virtual Machines

7. Configure the Universal Firewall Policy
This lab must be performed as a team.
Lab 22 Configuring the Cross-vCenter NSX Feature
189

Your site name
Your remote site
student desktop.
bookmark.
b. When prompted, log in as administrator@vsphere.local and enter the password
VMware1!.
tab.
f. Point to the vSphere Web Client Home icon and click Networking & Security.
4. In the Internet Explorer window, open another tab and log in to the remote vSphere Web Client.
bookmark.
b. When prompted, login as administrator@vsphere.localand enter the password
VMware1!.
tab.
a. On the vSphere Web Client - your_remote_site Home tab, click Inventories - VMs and
Templates.
b. Expand the inventory tree and select Discovered virtual machine - web-sv-02a.
190
c. Click Actions in the middle pane and select Open Console.

d. If prompted to login, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client - your_remote_site
tab.
f. Point to the remote vSphere Web Client Home icon and select Networking & Security.
6. Select the vSphere Web Client - your_site_name tab in the Internet Explorer application.
You verify the segment ID pools and the IDs of the VMware NSX Manager instances. The crossvCenter NSX feature does not work properly if the segment ID pools and IDs overlap.
IP address of nsxmgr-a
IP address of nsxmgr-b
3. Click the IP address of nsxmgr-a.
4. Click the Summary tab in the middle pane and record the ID value. __________
5. Click the arrow next to Networking & Security in the left navigation pane.
6. Click the IP address of nsxmgr-b.
7. Record the ID value in the Summary tab. __________
The ID values of the two NSX Managers must be different.

8. Click the arrow next to Networking & Security in the left navigation pane.
9. Click the Logical Network Preparation tab in the middle pane.
10. Click the Segment ID tab under Logical Network Preparation.
11. Select the IP address of nsxmgr-a from the NSX Manager drop-down menu.
12. Record the Segment ID pool value. __________
13. Select the IP address of nsxmgr-b from the NSX Manager drop-down menu.
14. Record the Segment ID pool value. __________
The Segment ID pool values must not overlap for the two NSX Manager instances.
191
22
Task 2: Verify the Configuration of the NSX Manager Instances
Task 3: Configure Primary and Secondary Roles for the NSX Manager
Instances
You promote one of the NSX Manager instances to the primary role. After the NSX Manager
instance is promoted, you register the other NSX Manager instance as secondary.
IP range of NSX Controller nodes to be deleted
2. Ensure that the IP address of nsxmgr-a is selected.
3. Click Actions and click Assign Primary Role.
4. Click Yes when the prompt appears.
nsxmgr-a is promoted to the Primary status. nsxmgr-b is standalone.

5. In the NSX Controller nodes section of the middle pane, select the VMware NSX Controller
node with an IP address in the range of nodes to be deleted.

6. Click the red X icon to delete the NSX Controller node.
7. Click Yes when the prompt appears.
8. Repeat steps 5 through 7 to delete the remaining two NSX Controller nodes in the IP range of
nodes to be deleted.
9. Select the IP address of nsxmgr-a in the NSX Managers section.
10. Click Actions and select Add Secondary NSX Manager.
11. Verify that the IP address of nsxmgr-b is populated against the NSX Manager field of the Add
Secondary NSX Manager window.

12. Enter the user name admin and enter VMware1! in the Password and Confirm password text
boxes.
13. Click OK.
14. Select Yes when prompted with nsxmgr-bs thumbprint.
15. Wait for a minute and refresh the vSphere Web Client.
The status of all the NSX Controller nodes should be green before proceeding to the next task.
nsxmgr-a and nsxmgr-b use the same set of NSX Controller nodes.
192
Task 4: Configure the Universal Segment ID Pool and the Universal

Transport Zone
You configure the universal segment ID pool and the universal transport zone for leveraging the
universal objects like the universal logical switches.
22
1. Click the Logical Network Preparation tab in the middle pane.

2. Ensure that the IP address of nsxmgr-a is selected next to NSX Manager in the middle pane.
3. Click the Segment ID tab.
4. Click Edit.
5. Enter 7000-7999 in the Universal Segment ID pool text box in the Edit Segments and
Multicast Address Allocation window.

6. Click OK.
7. Click the Transport Zones tab in the middle pane.
8. Click the green plus sign.
9. Select the Mark this object for Universal Synchronization check box.
10. Enter Universal Transport Zone in the Name text box.
11. Leave the replication mode as Unicast.
12. Select the Compute and Management and Edge clusters in the Selects clusters that will be
part of the Transport Zone section.

13. Click OK.
The universal transport zone is already replicated to the secondary NSX Manager.
15. Select Universal Transport Zone and click Actions.
16. Select Connect Clusters.
17. Select the Compute and Management and Edge check box.
18. Click OK.
193
Task 5: Create a Universal Logical Switch and Connect the Web

Servers
You create a universal logical switch to extend layer connectivity between workloads running on
hosts managed by different VMware vCenter Server systems.
1. Click the Logical Switches link in the left navigation pane.
2. Select the IP address of the primary NSX Manager from the NSX Manager drop-down menu.
3. Click the green plus sign to create a new logical switch.
4. Enter Universal-Web-Tier in the Name text box.
5. Click the Change link for Transport Zone and select Universal Transport Zone.
6. Click OK.
7. Click OK in the New Logical Switch window.
8. Select Universal-Web-Tier and click Actions.
9. Select Add VM.
10. Select web-sv-01a in the Available Objects pane and click the right arrow to move the object to

11. Click Next.
12. Select the check box next to web-sv-01as network adapter and click Next.
13. Click Finish.
15. Repeat steps 8 through 13 for the web-sv-02a virtual machine in the remote vCenter Server
inventory.
Task 6: Reconfigure the IP Address of the web-sv-02a Virtual Machine

and Verify L2 Connectivity Between the Virtual Machines
You reconfigure the IP address of the web-sv-02a VM to be on the same subnet as the web-sv-01a
VM.
Datastore
194
1. Click the web-sv-02a tab in the Internet Explorer application.

2. Enter the following command to change the IP address of the virtual machine.
ifconfig eth1 IP_address_of_web-sv-02a netmask 255.255.255.0

3. Enter the ping IP_address_of_web-sv-01a virtual machine command.
4. Verify that ping gets a response.
22
The two virtual machines are running on different hosts, on different subnets managed by
different vCenter Server systems. Using universal logical switches, you can achieve Layer 2
connectivity between the virtual machines.
5. Leave the ping command running on the web-sv-02a virtual machine.
6. Click the vSphere Web Client - your_site_name tab in the Internet Explorer window.
7. Point to Home and select Hosts and Clusters.
8. Select the web-sv-01a virtual machine located in Site-A-Datacenter.
9. Click Actions and click Rename.
10. Enter SiteA at the end of the virtual machines name.
11. Click OK.
12. Click Actions and select Migrate.
13. Select Change both compute resource and storage and click Next.
14. Expand Site-B-Datacenter and expand Compute.
15. Select one of the VMware ESXi hosts in the Compute cluster.
16. Click Next.
17. Select the destination datastore in the Select storage window and click Next.
18. Select the Discovered virtual machine folder and click Next.
19. Select the logical switch that includes universalwire in its name from the Destination
Network drop-down menu.

20. Click Next.
21. Click Next in the Select vMotion priority window.
22. Click Finish.
23. Click the web-sv-02a tab in the Internet Explorer application.
195
24. Verify that ping is still getting a response.

25. Click the vSphere Web Client - your_site_name tab in the Internet Explorer application.
26. Click the refresh icon to refresh the vSphere Web Client view.
27. Verify that web-sv-01aSiteA is moved to a host in Site-B-Datacenter.
NOTE
You performed live migration of a virtual machine from one vCenter Server system to another
without causing outage and without the need to change the IP address of the virtual machine.
Task 7: Configure the Universal Firewall Policy

You configure the universal firewall policy and confirm that the policy is replicated to the secondary
NSX Manager. The cross-vCenter NSX feature allows an administrator to configure security
policies once and those policies follow the virtual machines as they are moved from one part of the
infrastructure to another.
1. Click the Firewall link in the left navigation pane.
2. Select the primary NSX Manager from the NSX Manager drop-down menu.
3. Scroll towards the right by using the scroll bar at the bottom of the page and click the folder
icon to create a section.

4. Enter Universal Section as the section name.
5. Select the Mark this section for Universal Synchronization check box.
6. Click OK.
8. Scroll towards the right and click the green plus sign in the Universal Section row.
9. Expand Universal Section.
10. Point to the pencil icon in the Name column and click the pencil icon.
11. Enter web-sv-01a as the rule name and click OK.
12. Click the IP icon in the Destination column.
13. Enter the IP address of web-sv-01a virtual machine in the Value text box.
14. Click OK.
196
15. Click the pencil icon in the Service column.

16. Enter http in the filter text box and press Enter.
17. Select HTTP and HTTPS and move them to the Selected Objects pane.
18. Click OK.
22
The Universal Section and the rule in the Universal Section are already replicated to the
secondary NSX Manager.
197
198
Answer Key
Lab 2: Configuring and Deploying a VMware NSX Controller Cluster
Task 3: Verify That the First VMware NSX Controller Instance Is Operational . . . . . . . . . .10
1.
2.
3.
4.
5.
6.
Powered-on, based on the activated Play

icon.
2
2,048 MB
20 GB
Management
IP address assigned from the Controller-Pool
created in task 2.
7.
8.
9.
10.
11.
5
Yes
All 5 roles
4 or 5
7 ports: 443, 2878, 2888, 3888, 6632, 6633,
7777
Task 5: Verify That the Second VMware NSX Controller Instance Is Operational . . . . . . .13
1.
2.
3.
4.
5.

icon.
2
2048 MB
20 GB
Management
6.
7.
8.
9.

created earlier.
5
Yes
Zero, none of the roles. Answers vary.
Task 7: Verify That the Third VMware NSX Controller Instance Is Operational . . . . . . . . .16
1.
2.
3.
4.
5.

icon.
2
2048 MB
20 GB
Management
6.
7.
8.
9.

created earlier.
5
Yes
Zero, none of the roles. Answers vary.
Lab 4: Preparing for Virtual Networking

Task 3: Configure VXLAN on the ESXi Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
1.
One
Answer Key
2.
vds-Datacenter
199
Lab 5: Configuring Logical Switch Networks

Task 3: Verify That Logical Switch Port Groups Appear in vSphere . . . . . . . . . . . . . . . . . .33
1.
Yes, the ID follows the sid keyword in the port

group name.
Task 4: Migrate Virtual Machines to Logical Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

1.
Yes
2.
No
Task 5: Test Network Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

1.
2.
3.
4.
5.
No
Yes
Yes, the web-sv-02a virtual machine.
No
No
6.
7.
8.
East-West routing has not been established

between the logical switch networks.
No
As is the case with East-West routing, NorthSouth routing has not yet been established.
Task 6: Clean Up for the Next Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Lab 6: Configuring and Deploying an NSX Distributed Router

Task 3: Verify the Distributed Router Deployment and Configuration. . . . . . . . . . . . . . . . .45
1.
2.
Datastore selected during the deployment of

the logical router.
Can be either host that is assigned to
Management and Edge Cluster.
3.
4.
5.
6.
1
512 MB
500 MB
2.
Task 4: Test Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

1.
2.
3.
4.
Yes
Yes
Yes
Yes
5.
6.
7.
8.
Yes, the other node on the Web-Tier network

and the router interface.
No
No
North-South routing is yet to be established.
Lab 7: Deploying an NSX Edge Services Gateway and Configuring Static

Routing
Task 3: Verify the NSX Edge Gateway Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
1.
2.
3.
4.
5.
6.
7.
200
The datastore chosen during the deployment.

Can be any ESXi host in the Management and
Edge cluster.
1
512 MB
500 MB
10
2
Answer Key
Lab 8: Configuring and Testing Dynamic Routing on NSX Edge Appliances

Task 8: Troubleshoot Connectivity Between the Logical Switch Networks and the Management Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
1.
2.
3.
4.
Yes
Yes
No, only directly connected subnets must be
advertised.
Yes, Direct connected can be learned, which
is sufficient.
5.
6.
7.
No
No
No, Connected is the only selection. Static
routes should be added.
Lab 10: Configuring L2 Bridging

Task 4: Examine the Network Connectivity Between Web VMs and Resolve the Issue. . .84
1.
No, because web-sv-01a is connected to a

logical switch and web-sv-02a is connected to
a port group with VLAN ID 10. An L2 bridge is
required to establish connectivity between the
two Web VMs.
2.
Yes. The L2 bridge created in the previous

steps established layer 2 connectivity
between the two Web VMs.
Lab 11: Configuring and Testing Network Address Translation on an NSX

Edge Services Gateway
Task 2: Verify Nontranslated Packet Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
1.
No
Task 5: Use the Destination NAT Translation to Test Connectivity. . . . . . . . . . . . . . . . . . .92

1.
The nontranslated IP address of web-sv-01a.
2.
No, regardless of any TCP flag sequencing or

handshake condition that might be set, the IP
addresses do not match.
Lab 12: Configuring Load Balancing with NSX Edge Gateway

Task 7: Use the Packet Capture Capabilities of NSX Edge to Verify Round-Robin
Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
1.
2.
3.
NAT
Because the load balancer is operating in
nontransparent mode and proxying sessions
between itself and the Web servers on behalf
of the original client.
Transparent mode
Answer Key
201
Task 8: Examine NAT Rule Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

1.
2.
3.
No, the original and translated IP addresses

are both VIP1 IP address.
No
To force the traffic into the NAT logic of the
NSX Edge services gateway where a member
server can be selected and the actual
destination NAT can be performed. Traffic
received on the virtual server IP address must
undergo a destination NAT translation after
the destination server is selected from the
pool, based on the configured load-balancing
algorithm. Because server selection is
4.
5.
dynamic, the destination NAT rule triggers the

destination NAT operation where further logic
can be applied.
No, a virtual server cannot operate on a pool
of destination NAT-defined addresses. Such
functionality would require recursive
application of the NAT logic to each packet
that is received. The system is not designed to
accommodate that type of operation. Only one
NAT rule can be applied to any packet
received.
Uplink-Interface
Task 10: Reposition the Virtual Server and Examine NAT Rule Changes . . . . . . . . . . . .106
1.
2.
3.
4.
rule was applied on the receiving interface

because destination NAT rules must be
applied on the interface connected to the
network that contains the original IP address
to be translated, regardless of ingress or
egress.
Yes
No
No, the operations are the same.
The destination NAT translation occurs on the
outbound interface. In this case, vNic_2 facing
the network that the member servers are
attached to. The previous destination NAT
Lab 14: Configuring NSX Edge High Availability

Task 2: Configure NSX Edge High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
1.
2.
Two
Any of the ESXi hosts in the Management and
Edge Cluster.
3.
4.
Any of the ESXi hosts in the Management and

Edge Cluster, but on a different host than the
other node.
Yes, by default, high availability peer nodes
are maintained on different hosts.
Task 3: Examine the High Availability Service Status and Heartbeat . . . . . . . . . . . . . . . .122
1.
Perimeter Gateway-0 is active. This node

should be the same for all students at this
stage.
2.
3.
Yes, as denoted in the Peer Host list.

Yes, both services are shown as running.
Task 4: Force a Failover Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123

1.
2.

stage.
No, vshield-edge-#-0 is unreachable.
3.
4.
Yes, both services show as running.

Yes, from Perimeter Gateway-0 to Perimeter
Gateway-1.
Task 5: Restore the Failed Node. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124

1.
2.
3.
202

stage.
Yes
Yes, both services show as running.
4.
No, the failover node remains active and the

restored node assumes standby status.
Answer Key
Lab 15: Configuring Layer 2 VPN Tunnel

Task 10: Test Tunnel Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
1.
2.
The address of the web-sv-02a virtual

machine.
The MAC address of web-sv-02a because the
tunnel wraps Layer 2 traffic and when
3.
4.
decapsulated, the hardware address is

preserved.
Yes
Yes, tunnel decapsulation ensures original
source MAC/IP address.
Lab 17: Configuring and Testing SSL VPN-Plus

Task 8: Review the Client Configuration and Examine Traffic . . . . . . . . . . . . . . . . . . . . .155
1.
2.
IP address of the remote gateway:443

Web-Tier subnet/255.255.255.0
3.
An IP address from the range configured for

the IP pool
Lab 18: Using NSX Edge Firewall Rules to Control Network Traffic
Task 3: Determine How the Firewall Rule Interacts with Other NSX Edge Features . . . .163
1.
No
Lab 19: Using the VMware NSX Distributed Firewall Rules to Control Network Traffic
Task 4: Restrict Inbound Web Server Traffic to HTTP and HTTPS . . . . . . . . . . . . . . . . .169
1.
Distributed Firewall rules work on true source

and destination addresses and objects. Such
rules are not affected by transforms (such as
destination NAT translations) performed by
NSX Edge devices.
Answer Key
203
204
Answer Key

Edu en Nicm62 Lab Ie

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Edu en Nicm62 Lab Ie

Hochgeladen von

Copyright:

Verfügbare Formate

VMware NSX:

Install, Configure, Manage

VMware Education Services

Lab 1: Configuring NSX Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

VMware NSX: Install, Configure, Manage

VMware NSX: Install, Configure, Manage

Configuring NSX Manager

Objective: Verifying the NSX Manager appliance settings

Lab 1 Configuring NSX Manager

Task 1: Access Your Lab Environment

Task 2: Review the NSX Manager Configuration

certificate warning message.

Lab 1 Configuring NSX Manager

5. Verify that the following general settings are configured:

following values are configured as specified:

to this website (not recommended).

The initial authentication might take several minutes to complete.

Lab 1 Configuring NSX Manager

instructor and click Next.

Lab 1 Configuring NSX Manager

by the instructor and click Next.

the instructor and click Next.

Task 5: Clean Up for the Next Lab

Lab 1 Configuring NSX Manager

Lab 1 Configuring NSX Manager

Configuring and Deploying a VMware

Lab 2 Configuring and Deploying a VMware NSX Controller Cluster

Task 1: Prepare for the Lab

your_site_name bookmark in the Internet Explorer window.

enter the password VMware1!.

Task 2: Deploy the First VMware NSX Controller Instance

Lab 2 Configuring and Deploying a VMware NSX Controller Cluster

d. Select your datastore from the Datastore drop-down menu.

Enter Controller-Pool in the text box.

Enter the gateway.

Enter 24 in the text box.

Enter the VMware NSX Controller static IP pool range.

Confirm password text boxes.

Lab 2 Configuring and Deploying a VMware NSX Controller Cluster

Task 3: Verify That the First VMware NSX Controller Instance Is

Controller virtual machine.

6. Minimize the Internet Explorer window.

select SSH as the Protocol.

Lab 2 Configuring and Deploying a VMware NSX Controller Cluster

Your newly added controller appears on the left side.

g. Log in as admin and enter the password VMware1!VMware1!

show control-cluster roles

13. Run the following command to review a cluster connections report.

show control-cluster connections

Lab 2 Configuring and Deploying a VMware NSX Controller Cluster

15. Close the MTPuTTY window.

Task 4: Deploy the Second VMware NSX Controller Instance

Lab 2 Configuring and Deploying a VMware NSX Controller Cluster

5. Monitor the VMware NSX Controller deployment to completion.

Task 5: Verify That the Second VMware NSX Controller Instance Is

6. Minimize the Internet Explorer window.

Lab 2 Configuring and Deploying a VMware NSX Controller Cluster

select SSH as the Protocol.

show control-cluster roles

13. Run the following command to review a cluster connections report.

show control-cluster connections

Lab 2 Configuring and Deploying a VMware NSX Controller Cluster

14. Close the MTPuTTY window.

Task 6: Deploy the Third VMware NSX Controller Instance