
VMware NSX:

Install, Configure, Manage


Lab Manual
NSX 6.2

VMware Education Services


VMware, Inc.
www.vmware.com/education

VMware NSX:
Install, Configure, Manage
NSX 6.2
Part Number EDU-EN-NICM62-LAB
Lab Manual
Copyright/Trademark
Copyright 2015 VMware, Inc. All rights reserved. This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at http://www.vmware.com/go/
patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States
and/or other jurisdictions. All other marks and names mentioned herein may be trademarks
of their respective companies.
The training material is provided as is, and all express or implied conditions,
representations, and warranties, including any implied warranty of merchantability, fitness for
a particular purpose or noninfringement, are disclaimed, even if VMware, Inc., has been
advised of the possibility of such claims. This training material is designed to support an
instructor-led training course and is intended to be used for reference purposes in
conjunction with the instructor-led training course. The training material is not a standalone
training tool. Use of the training material for self-study without class attendance is not
recommended.
These materials and the computer programs to which it relates are the property of, and
embody trade secrets and confidential information proprietary to, VMware, Inc., and may not
be reproduced, copied, disclosed, transferred, adapted or modified without the express
written approval of VMware, Inc.
Technical review: Chris McCain, Rob Nendel
Technical editing: James Brook, Shalini Pallat
Production and publishing: Rhonda Jones, Saiesh Jaganath
The courseware for VMware instructor-led training relies on materials developed by the
VMware Technical Communications writers who produce the core technical documentation,
available at http://www.vmware.com/support/pubs.

www.vmware.com/education

Table of Contents

Lab 1: Configuring NSX Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


Lab 2: Configuring and Deploying a VMware NSX Controller Cluster. . . . . . . . . . . . . . . . . . . . . . . 7
Lab 3: Creating and Configuring a Distributed Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Lab 4: Preparing for Virtual Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Lab 5: Configuring Logical Switch Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Lab 6: Configuring and Deploying an NSX Distributed Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Lab 7: Deploying an NSX Edge Services Gateway and Configuring Static Routing . . . . . . . . . . . . 51
Lab 8: Configuring and Testing Dynamic Routing on NSX Edge Appliances . . . . . . . . . . . . . . . . . 61
Lab 9: Configuring Equal Cost Multipathing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Lab 10: Configuring L2 Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Lab 11: Configuring and Testing Network Address Translation on an NSX Edge Services Gateway . . . . . . . 87
Lab 12: Configuring Load Balancing with NSX Edge Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Lab 13: Advanced Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Lab 14: Configuring NSX Edge High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Lab 15: Configuring Layer 2 VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Lab 16: Configuring IPsec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Lab 17: Configuring and Testing SSL VPN-Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Lab 18: Using NSX Edge Firewall Rules to Control Network Traffic . . . . . . . . . . . . . . . . . . . . . . 159
Lab 19: Using the VMware NSX Distributed Firewall Rules to Control Network Traffic . . . . . . 165
Lab 20: Configuring an Identity-Aware Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Lab 21: Using VMware NSX Service Composer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Lab 22: Configuring the Cross-vCenter NSX Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199


Lab 1

Configuring NSX Manager

Objective: Verify the NSX Manager appliance settings and registration to a vCenter Server system
In this lab, you will perform the following tasks:
1. Access Your Lab Environment
2. Review the NSX Manager Configuration
3. Verify That the vSphere Web Client Plug-In for NSX Manager Is Installed
4. License vCenter Server, the ESXi Hosts, and NSX Manager
5. Clean Up for the Next Lab

Lab 1 Configuring NSX Manager

Task 1: Access Your Lab Environment


You use a VMware Horizon View desktop or Remote Desktop Connection to connect to your
lab environment.
1. Use the information that is provided by your instructor to log in to your lab environment.

Task 2: Review the NSX Manager Configuration


In your lab environment, the VMware NSX Manager appliance is predeployed and preconfigured.
NSX Manager is also registered to the VMware vCenter Server appliance. You review the NSX
Manager deployment configuration. The review sequence matches the steps for configuring NSX
Manager after initial deployment.
Use the following information from the class configuration handout:
Your site name
NSX Manager host name
NSX Manager IPv4 address
NSX Manager subnet mask
NSX Manager default gateway
NSX Manager primary DNS server
vCenter Server name
IP address of the RRAS server
1. Log in to the NSX Manager user interface.
a. On the student desktop, double-click the Internet Explorer shortcut.
b. In the Internet Explorer window, click the NSX Manager - your_site_name bookmark.
c. Click the Continue to this website (not recommended) link when prompted with a certificate warning message.
d. On the login page, log in as admin and enter the password VMware1!.
2. In the NSX Manager user interface, click View Summary.
a. View the NSX Manager appliance IP address, CPU, memory, and storage utilization.
b. Verify that the vPostgres, RabbitMQ, and NSX Management Service services are running.
3. Click the Manage tab on the top-left corner.
4. On the Manage tab, verify that Settings > General is selected in the left pane.


5. Verify that the following general settings are configured:

NTP Server setting is the RRAS server. This server runs all the infrastructure services for
the lab environment.
Syslog Server is the IP address of the RRAS server.
Locale is en-US.
6. In the left pane, select Network and verify the values.
7. In the left pane, select NSX Management Service under Components and verify that the following values are configured as specified:
Lookup Service: Not Configured
vCenter Server: Your vCenter Server name
vCenter Server User Name: administrator@vsphere.local
vCenter Server Status: Connected with a green dot icon

Task 3: Verify That the vSphere Web Client Plug-In for NSX Manager Is Installed
In your lab environment, the VMware vSphere Web Client Plug-in for NSX Manager is
preinstalled and ready for use. You verify that the vSphere Web Client is installed.
Use the following information from the class configuration handout:
Your vCenter Server administrator login account
NSX Manager IPv4 address
1. In the Internet Explorer window, click the vSphere Web Client bookmark and click Continue to this website (not recommended).
2. When prompted, log in with your vCenter Server administrator login account and enter the password VMware1!.
3. Wait for the initial authentication to complete.

The initial authentication might take several minutes to complete.


4. On the vSphere Web Client, point to the Home icon at the top and select Networking & Security.
5. In the navigation pane on the left, review the list of VMware NSX features and select NSX Managers.
6. In the middle pane, verify that your NSX Manager instance appears in the Objects list.

The IP address of the NSX Manager instance should match the NSX Manager IPv4 address.
If your NSX Manager instance does not appear in the Objects list, you must ask your instructor
for help.

Task 4: License vCenter Server, the ESXi Hosts, and NSX Manager
You license the vCenter Server system, the VMware ESXi hosts, and NSX Manager. Your
instructor provides the necessary licenses.
Use the following information from the class configuration handout:
Your ESXi hosts
1. Point to the Home icon at the top and click Administration.
2. In the left pane, click Licenses.
3. Assign a vCenter Server license key to the vCenter Server instance.
a. In the middle pane, click the Assets tab.
b. Click the vCenter Server Systems tab.
c. With your vCenter Server instance selected, click All Actions and select Assign License.
d. In the Assign License Key panel, click the plus sign to add the key.
e. In the License key text box, enter or paste the vCenter Server license key provided by the instructor and click Next.
f. Review the expiration date and license capacity.
g. Click Next.
h. Click Finish.
i. In the Assign License panel, select the license key that you added and click OK.
4. Assign a VMware vSphere Enterprise Edition 6 license key to each ESXi host.
a. In the center pane, click the Hosts tab.
b. Select the first ESXi host in the list.
c. Press Shift and select your ESXi hosts.
d. Click All Actions and select the Assign License Key link.

e. In the Assign License Key panel, click the plus sign to add the key.
f. In the License key text box, enter or paste the vSphere Enterprise 6 license key provided by the instructor and click Next.
g. Review the expiration date and license capacity.
h. Click Next.
i. Click Finish.
j. In the Assign License panel, select the license key that you added and click OK.
k. In the hosts list, press Shift and click to select your ESXi hosts.
l. Right-click the selected hosts and select Connect from the pop-up menu.

You can also connect each host individually from the vCenter > Hosts and Clusters
inventory panel.
5. Assign a VMware NSX for vSphere license.
a. In the middle pane, click the Solutions tab.
b. Select the NSX for vSphere solution.
c. Click All Actions and select Assign License.
d. In the Assign License Key panel, click the plus sign.
e. In the License key text box, enter or paste the NSX for vSphere license key provided by the instructor and click Next.
f. Review the expiration date and license capacity.
g. Click Next.
h. Click Finish.
i. In the Assign License panel, select the license key that you added and click OK.

Task 5: Clean Up for the Next Lab


You perform this action to prepare for the next lab.
1. Point to the Home icon at the top and select Networking & Security.


Lab 2

Configuring and Deploying a VMware NSX Controller Cluster

Objective: Deploy a three-node VMware NSX Controller cluster
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Deploy the First VMware NSX Controller Instance
3. Verify That the First VMware NSX Controller Instance Is Operational
4. Deploy the Second VMware NSX Controller Instance
5. Verify That the Second VMware NSX Controller Instance Is Operational
6. Deploy the Third VMware NSX Controller Instance
7. Verify That the Third VMware NSX Controller Instance Is Operational
8. Clean Up for the Next Lab

Lab 2 Configuring and Deploying a VMware NSX Controller Cluster

Task 1: Prepare for the Lab


You prepare for the lab if you have closed windows or logged out of the VMware vSphere Web
Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
2. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your_site_name bookmark in the Internet Explorer window.
3. When prompted, log in with your VMware vCenter Server administrator login account and enter the password VMware1!.
4. On the vSphere Web Client Home page, click Networking & Security.

Task 2: Deploy the First VMware NSX Controller Instance


You configure and deploy the first of three VMware NSX Controller instances.
Use the following information from the class configuration handout:
NSX Manager IPv4 address
Data center
Datastore
VMware NSX Controller pool gateway
VMware NSX Controller static IP pool range
1. In the left navigation pane, select Installation.
2. Click the Management tab.
3. In the middle pane, click the green plus sign in the NSX Controller nodes panel.
4. In the Add Controller dialog box, configure and deploy the first VMware NSX Controller instance.
a. Select the VMware NSX Manager IPv4 address from the NSX Manager drop-down menu.
b. Select your data center from the Datacenter drop-down menu.
c. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
d. Select your datastore from the Datastore drop-down menu.


e. Leave the host and folder selection blank.
f. Click the Connected To > Select link.
g. In the Select Network dialog box, select Distributed Portgroup from the Object Type drop-down menu.
h. Click Management and click OK.
i. Click Select in the IP Pool row.
j. Click the New IP Pool link at the bottom of the Select IP Pool dialog box.
k. In the Add Static IP Pool dialog box, add a new pool.

Option           Action
Name             Enter Controller-Pool in the text box.
Gateway          Enter the gateway.
Prefix Length    Enter 24 in the text box.
Primary DNS      Leave blank.
Secondary DNS    Leave blank.
DNS Suffix       Leave blank.
Static IP Pool   Enter the VMware NSX Controller static IP pool range.

l. Click OK.
m. Select Controller-Pool in the Select IP Pool dialog box and click OK.
n. In the Add Controller dialog box, enter VMware1!VMware1! in the Password and Confirm password text boxes.
o. Click OK.
5. Monitor the VMware NSX Controller deployment to completion.

If necessary, use the horizontal scroll bar to uncover the Status column.
Monitor the deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.
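The Gateway, Prefix Length and Static IP Pool fields entered in step k have to agree with each other, or the controllers come up unreachable. The Python check below is an added example and not part of the lab manual: it validates a pool written the way the dialog expects, using constructed RFC 5737 addresses rather than the class configuration handout values, and reports the usual mistakes (range outside the gateway's subnet, network or broadcast address in the range, gateway inside the pool, too few addresses for three controller nodes).

```python
"""Sanity-check a controller static IP pool before entering it in the
Add Static IP Pool dialog (Lab 2, Task 2, step k).

Added example, not part of the lab manual. The parameters mirror the
dialog's Gateway, Prefix Length and Static IP Pool fields; all sample
values are constructed RFC 5737 addresses, not the class handout values.
"""
import ipaddress

CONTROLLER_NODES = 3  # the lab deploys a three-node controller cluster


def validate_static_pool(gateway: str, prefix_length: int, pool_range: str,
                         required_hosts: int = CONTROLLER_NODES) -> list:
    """Return a list of problems with the pool definition; an empty list means it is usable.

    pool_range uses the dialog's 'first-last' notation, e.g. '192.0.2.10-192.0.2.12'.
    """
    problems = []
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return [f"gateway {gateway!r} is not a valid IPv4 address"]
    if not 1 <= prefix_length <= 30:
        return [f"prefix length {prefix_length} leaves no usable host addresses"]
    # strict=False lets a host address such as 192.0.2.1/24 define its network.
    network = ipaddress.IPv4Network(f"{gw}/{prefix_length}", strict=False)

    try:
        first_text, last_text = (part.strip() for part in pool_range.split("-"))
        first = ipaddress.IPv4Address(first_text)
        last = ipaddress.IPv4Address(last_text)
    except ValueError:
        return [f"pool range {pool_range!r} must be two IPv4 addresses written first-last"]

    if last < first:
        problems.append(f"pool range {pool_range!r} ends before it starts")
        first, last = last, first

    # Every pool address must be a host address inside the gateway's subnet.
    for label, addr in (("start", first), ("end", last)):
        if addr not in network:
            problems.append(f"pool {label} {addr} is outside {network}")
        elif addr in (network.network_address, network.broadcast_address):
            problems.append(f"pool {label} {addr} is the network or broadcast address")

    # The gateway must never be handed out to a controller node.
    if first <= gw <= last:
        problems.append(f"gateway {gw} lies inside the pool")

    size = int(last) - int(first) + 1
    if size < required_hosts:
        problems.append(f"pool holds {size} address(es) but {required_hosts} controller nodes need one each")
    return problems


if __name__ == "__main__":
    # Constructed values in the shape the dialog expects (prefix length 24, as in step k).
    for issue in validate_static_pool("192.0.2.1", 24, "192.0.2.10-192.0.2.12") or ["pool OK"]:
        print(issue)
```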


Task 3: Verify That the First VMware NSX Controller Instance Is Operational
You use the vSphere Web Client and the VMware NSX Controller command line to determine the
operational status of the VMware NSX Controller cluster after adding one node.
1. Point to the vSphere Web Client Home icon and click Hosts and Clusters.
2. Expand the Hosts and Clusters inventory tree to expand each cluster.
3. Click the vSphere Refresh icon next to the current logged in user name.
4. In the Management and Edge cluster inventory, select the newly deployed VMware NSX Controller virtual machine.
The virtual machine name starts with NSX_Controller_.
5. In the middle pane, review the Summary tab report.
Q1. What is the power status of the VMware NSX Controller instance?
1. Powered-on, based on the activated Play icon.
Q2. How many vCPUs does the VMware NSX Controller instance have?
2. 2
Q3. How much total memory does the VMware NSX Controller instance have?
3. 2,048 MB
Q4. How large is the VMware NSX Controller hard disk?
4. 20 GB
Q5. What port group is the VMware NSX Controller instance connected to?
5. Management
Q6. What is the IP address of the VMware NSX Controller instance?
6. IP address assigned from the Controller-Pool created in task 2.

6. Minimize the Internet Explorer window.


7. Use MTPuTTY to establish an SSH connection to the first VMware NSX Controller instance.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. Select Server on the top-left corner and click Add Server.
c. In the Properties window, enter the IP address from step 5 in the Server name text box and select SSH as the Protocol.

d. Click OK.

Your newly added controller appears on the left side.


e. Double-click on the VMware NSX Controller IP address.
f. If prompted to confirm a PuTTY security alert, click Yes.

g. Log in as admin and enter the password VMware1!VMware1!.


8. In the MTPuTTY window, run the following command to determine the cluster status for the first node.
show control-cluster status
9. Review the command output.
Q7. How many enabled and activated roles are listed?
7. 5
Q8. Can VMware NSX Controller be safely restarted?
8. Yes

10. Run the following command to determine the startup nodes in the cluster and review the command output.
show control-cluster startup-nodes
11. Run the following command to review a detailed cluster role report.

show control-cluster roles


12. Review the command output.
Q9. How many roles have been assigned with the first VMware NSX Controller instance as master?
9. All 5 roles

13. Run the following command to review a cluster connections report.

show control-cluster connections


14. Review the command output.
Q10. How many roles have components actively listening on a network port?
10. 4 or 5
Q11. How many unique ports are used for role-based communications?
11. 7 ports: 443, 2878, 2888, 3888, 6632, 6633, 7777


15. Close the MTPuTTY window.


16. Restore the Internet Explorer window.
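Steps 8 and 9 (and the same steps in Tasks 5 and 7) read the role count and the restart status out of `show control-cluster status` by eye. The Python below is an added example and not part of the lab manual: it parses a constructed transcript laid out like that command's output (the five role names are those an NSX 6.x controller reports; the manual itself gives only the count), answers Q7 and Q8 from it, and extends the same parse into a health check that also flags a lost cluster majority or a role that is no longer activated.

```python
"""Read a controller's `show control-cluster status` output (Lab 2, Task 3,
steps 8-9; repeated in Tasks 5 and 7) and answer the role-count and
safe-restart questions programmatically.

Added example, not part of the lab manual. SAMPLE_STATUS is a constructed
transcript laid out like the command's output; the cluster ID and the
timestamps are made up. The five role names are those an NSX 6.x
controller reports (the manual itself gives only the count, 5).
"""
import re

EXPECTED_ROLES = {"api_provider", "persistence_server", "switch_manager",
                  "logical_manager", "directory_server"}

SAMPLE_STATUS = """\
Type                Status                                       Since
--------------------------------------------------------------------------------
Join status:        Join complete                                05/04 02:36:03
Majority status:    Connected to cluster majority                05/19 23:57:23
Restart status:     This controller can be safely restarted      05/19 23:57:12
Cluster ID:         00000000-0000-4000-8000-000000000001
Node UUID:          00000000-0000-4000-8000-000000000001

Role                Configured status   Active status
--------------------------------------------------------------------------------
api_provider        enabled             activated
persistence_server  enabled             activated
switch_manager      enabled             activated
logical_manager     enabled             activated
directory_server    enabled             activated
"""

# Constructed degraded transcript: majority lost and one role no longer active.
DEGRADED_STATUS = (SAMPLE_STATUS
                   .replace("Connected to cluster majority",
                            "Disconnected from cluster majority")
                   .replace("switch_manager      enabled             activated",
                            "switch_manager      enabled             deactivated"))


def parse_control_cluster_status(text: str) -> dict:
    """Return {'join', 'majority', 'restart': status text, 'roles': {name: (configured, active)}}."""
    result = {"join": "", "majority": "", "restart": "", "roles": {}}
    in_role_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank line or rule of dashes
            continue
        if line.startswith("Role "):             # header row of the role table
            in_role_table = True
            continue
        fields = re.split(r"\s{2,}", line)       # columns are separated by 2+ spaces
        if in_role_table:
            if len(fields) == 3:
                result["roles"][fields[0]] = (fields[1], fields[2])
            continue
        match = re.match(r"(Join|Majority|Restart) status:", line)
        if match and len(fields) >= 2:
            result[match.group(1).lower()] = fields[1]
    return result


def lab_answers(text: str) -> tuple:
    """Q7 and Q8 of Task 3: (number of enabled+activated roles, can this node be safely restarted)."""
    status = parse_control_cluster_status(text)
    count = sum(1 for configured, active in status["roles"].values()
                if configured == "enabled" and active == "activated")
    restart = status["restart"]
    safe = "cannot" not in restart and "safely restarted" in restart
    return count, safe


def node_health(text: str, expected_roles=EXPECTED_ROLES) -> list:
    """Reasons this node should not be considered healthy; an empty list means all checks pass."""
    status = parse_control_cluster_status(text)
    problems = []
    if status["join"] != "Join complete":
        problems.append(f"join status: {status['join']!r}")
    if not status["majority"].startswith("Connected to cluster majority"):
        problems.append(f"majority status: {status['majority']!r}")
    if not lab_answers(text)[1]:
        problems.append(f"restart status: {status['restart']!r}")
    active = {name for name, (configured, act) in status["roles"].items()
              if configured == "enabled" and act == "activated"}
    missing = sorted(set(expected_roles) - active)
    if missing:
        problems.append("roles not enabled and activated: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    print("Q7/Q8 on the healthy sample:", lab_answers(SAMPLE_STATUS))
    print("problems on the degraded sample:", node_health(DEGRADED_STATUS))
```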

Task 4: Deploy the Second VMware NSX Controller Instance


You configure and deploy the second of three VMware NSX Controller instances.
Use the following information from the class configuration handout:
NSX Manager IPv4 address
Data center
Datastore
1. Point to the Home icon and select Networking & Security.
2. In the left navigation pane, select Installation.
3. In the middle pane, click the green plus sign in the NSX Controller nodes panel on the Management tab.
4. In the Add Controller dialog box, configure and deploy the second VMware NSX Controller instance.
a. Select your NSX Manager IPv4 address from the NSX Manager drop-down menu.
b. Select your data center from the Datacenter drop-down menu.
c. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
d. Select your datastore from the Datastore drop-down menu.
e. Leave the host and folder selection blank.
f. Click Connected To > Select.
g. In the Select Network dialog box, click Distributed Portgroup from the Object Type drop-down menu.
h. Click Management and click OK.
i. Click Select in the IP Pool row.
j. Select Controller-Pool and click OK.
NOTE

You do not need to configure the password. The password is configured for the first VMware
NSX Controller node. The password is common across all the VMware NSX Controller cluster
nodes.
k. Click OK.

5. Monitor the VMware NSX Controller deployment to completion.

If necessary, use the horizontal scroll bar to uncover the Status column.
Monitor the second node deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.

Task 5: Verify That the Second VMware NSX Controller Instance Is Operational
You use the vSphere Web Client and the VMware NSX Controller command line to determine the
operational status of the VMware NSX Controller cluster after adding two nodes.
1. Point to the Home icon and select Hosts and Clusters.
2. Expand the Hosts and Clusters inventory tree.
3. Click the vSphere Refresh icon.
4. In the Management and Edge cluster inventory, select the second VMware NSX Controller instance.
The VMware NSX Controller name starts with NSX_Controller_.
5. In the middle pane, review the Summary tab report.
Q1. What is the power status of the VMware NSX Controller instance?
1. Powered-on, based on the activated Play icon.
Q2. How many vCPUs does the VMware NSX Controller instance have?
2. 2
Q3. How much total memory does the VMware NSX Controller instance have?
3. 2048 MB
Q4. How large is the VMware NSX Controller hard disk?
4. 20 GB
Q5. What port group is the VMware NSX Controller instance connected to?
5. Management
Q6. What is the IP address of the VMware NSX Controller instance?
6. IP address assigned from the Controller-Pool created earlier.

6. Minimize the Internet Explorer window.


7. Use MTPuTTY to establish an SSH connection to the second VMware NSX Controller instance.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. Select Server in the top-left corner and click Add Server.
c. In the Properties window, enter the IP address from step 5 in the Server Name field and select SSH as the Protocol.


d. Click OK.
e. Double-click the VMware NSX Controller IP address that you added to open the PuTTY session.
f. If prompted to confirm a PuTTY security alert, click Yes.
g. Log in as admin and enter the password VMware1!VMware1!.
8. In the MTPuTTY window, run the following command to determine the cluster status for the second node.
show control-cluster status
9. Review the command output.
Q7. How many enabled and activated roles are listed?
7. 5
Q8. Can the VMware NSX Controller instance be safely restarted?
8. Yes

10. Run the following command to determine the startup nodes in the cluster and review the command output.
show control-cluster startup-nodes
11. Run the following command to review a detailed cluster role report.

show control-cluster roles


12. Review the command output.
Q9. How many roles have been assigned with the second VMware NSX Controller instance as master?
9. Zero, none of the roles. Answers vary.

13. Run the following command to review a cluster connections report.

show control-cluster connections

14. Close the MTPuTTY window.


15. Restore the Internet Explorer window.

Task 6: Deploy the Third VMware NSX Controller Instance

You configure and deploy the third VMware NSX Controller instance.
Use the following information from the class configuration handout:
NSX Manager IPv4 address
Data center
Datastore
1. Point to the Home icon and select Networking & Security.
2. In the left navigation pane, select Installation.
3. In the middle pane, click the green plus sign in the NSX Controller nodes panel on the Management tab.
4. In the Add Controller dialog box, configure and deploy the third VMware NSX Controller instance.
a. Select your NSX Manager IPv4 address from the NSX Manager drop-down menu.
b. Select your data center from the Datacenter drop-down menu.
c. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
d. Select your datastore from the Datastore drop-down menu.
e. Leave the host and folder selection blank.
f. Click Connected To > Select.
g. In the Select Network dialog box, select Distributed Port Group from the Object Type drop-down menu.
h. Click Management and click OK.
i. Click Select in the IP Pool row, select Controller-Pool, and click OK.
j. Click OK.
5. Monitor the VMware NSX Controller deployment to completion.

If necessary, use the horizontal scroll bar to uncover the Status column.
Monitor the third node deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.


Task 7: Verify That the Third VMware NSX Controller Instance Is Operational
You use the vSphere Web Client and the VMware NSX Controller command line to determine the
operational status of the VMware NSX Controller cluster after adding three nodes.
1. Point to the Home icon and select Hosts and Clusters.
2. Expand the Hosts and Clusters inventory tree.
3. Click the vSphere Refresh icon.
4. In the Management and Edge Cluster inventory, select the third VMware NSX Controller instance.
The VMware NSX Controller name starts with NSX_Controller_.
5. In the middle pane, review the Summary tab report.
Q1. What is the power status of the VMware NSX Controller instance?
1. Powered-on, based on the activated Play icon.
Q2. How many vCPUs does the VMware NSX Controller instance have?
2. 2
Q3. How much total memory does the VMware NSX Controller instance have?
3. 2048 MB
Q4. How large is the VMware NSX Controller hard disk?
4. 20 GB
Q5. What port group is the VMware NSX Controller instance connected to?
5. Management
Q6. What is the IP address of the VMware NSX Controller instance?
6. IP address assigned from the Controller-Pool created earlier.

6. Minimize the Internet Explorer window.


7. Use MTPuTTY to establish an SSH connection to the third VMware NSX Controller instance.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. Click Server and select Add Server.
c. In the properties dialog box, enter the IP address from step 5 in the Server Name text box and select SSH.


d. Click OK.
e. Double-click the VMware NSX Controller IP address.


f. If prompted to confirm a PuTTY security alert, click Yes.
g. Log in as admin and enter the password VMware1!VMware1!.
8. In the MTPuTTY window, run the following command to determine the cluster status for the third node.
show control-cluster status
9. Review the command output.
Q7. How many enabled and activated roles are listed?
7. 5
Q8. Can the VMware NSX Controller instance be safely restarted?
8. Yes

10. Run the following command to determine the startup nodes in the cluster, and review the command output.
show control-cluster startup-nodes
11. Run the following command to review a detailed cluster role report.

show control-cluster roles


12. Review the command output.
Q9. How many roles have been assigned with the third VMware NSX Controller instance as master?
9. Zero, none of the roles. Answers vary.

13. Run the following command to review a cluster connections report.

show control-cluster connections


14. Click X to close the MTPuTTY window.
15. Restore the Internet Explorer window.

Task 8: Clean Up for the Next Lab


You prepare for the next lab.
1. Point to the Home icon and select Networking.
CAUTION

You must select Networking and not Networking & Security to prepare for the next lab.

Lab 3

Creating and Configuring a Distributed Switch

Objective: Create and configure a distributed switch


In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Examine the Existing Distributed Switch Configuration
3. Create a Distributed Switch
4. Delete the New Distributed Switch
5. Clean Up for the Next Lab

Lab 3 Creating and Configuring a Distributed Switch

Task 1: Prepare for the Lab


You prepare for the lab if you have closed windows or logged out of the VMware vSphere Web
Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
2. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your_site_name bookmark in the Internet Explorer window.
3. When prompted, log in with your VMware vCenter Server administrator login account and enter the password VMware1!.
4. Point to the vSphere Web Client Home icon and click Networking.

Task 2: Examine the Existing Distributed Switch Configuration


You examine the existing distributed switch configuration.
Use the following information from the class configuration handout:
Your existing distributed switch
1. In the left navigation pane, expand the vCenter Server inventory to see the existing network configuration in your data center.
2. Select your existing distributed switch in the left navigation pane.
3. In the middle pane, click the Manage tab and click Settings.
4. Click the Topology link.
5. In the distributed switch topology diagram, verify the settings.
a. Expand Uplink1 and verify that the vmnic0 interface is attached to all the VMware ESXi hosts.
b. Expand Uplink2 and verify that vmnic1 is attached to the uplink.
c. Expand Uplink3 and verify that vmnic2 is attached to the uplinks.


6. In the middle pane on the left, click the Properties link and verify the settings.
Network I/O Control is enabled.
MTU size is 1600 bytes.
Discovery Protocol is enabled and set to Cisco Discovery Protocol.
7. Click each additional configuration link and verify the default settings.

Task 3: Create a Distributed Switch

You create a distributed switch.


Use the following information from the class configuration handout:
Data center
1. In the Networking inventory tree on the left, select your data center.
2. In the middle pane, click Actions and select Distributed Switch > New Distributed Switch.

In the New Distributed Switch dialog box, enter dvs-your_name in the Name text box and
click Next.
3. Under Select Version, leave Distributed switch: 6.0.0 selected and click Next.
4. Under Edit Settings, edit the distributed switch settings.
a. Change the number of uplinks to 2.
b. Leave Network I/O Control enabled.
c. Deselect the Create a default port group check box and click Next.
5. Under Ready to complete, review the configuration and click Finish.
6. Create a port group on the new distributed switch.
a. Select your new distributed switch in the Networking inventory tree, click Actions, and select Distributed Port Group > New Distributed Port Group.
b. In the New Distributed Port Group dialog box, enter dvpg1 in the Name text box and click Next.
c. On the Configure Settings page, view the default settings and click Next.
d. On the Ready to complete page, click Finish.

A new port group called dvpg1 appears in the Networking inventory tree under your new
distributed switch.


7. Add the ESXi host to the new distributed switch.


a. In the Networking inventory tree, select your new distributed switch, click Actions, and select Add and Manage Hosts.
b. In the Add and Manage Hosts dialog box, leave Add hosts selected and click Next.
c. Under Select Hosts, click the New hosts link, select all the ESXi hosts, and click OK.
d. Click Next.
e. Under Select network adapter tasks, deselect all the check boxes except Manage physical adapters and click Next.


f. Under Manage physical network adapters, click Next.
g. Click OK when the warning window appears.

You must not select any physical adapters because all adapters are attached to an existing
switch and you are creating the new switch for practice.
h. Under Analyze impact, click Next.
i. Under Ready to complete, click Finish.

Task 4: Delete the New Distributed Switch


You use the vSphere Web Client to delete the new distributed switch.
1. Select your new distributed switch from the Networking inventory pane and click Actions.
2. Select Add and Manage Hosts.
3. In the Add and Manage Hosts window, select Remove Hosts and click Next.
4. On the Select hosts page, click Attached Hosts and select all the hosts in the Select member hosts drop-down menu.


5. Click OK.
6. Click Next.
7. Click Finish on the Ready to complete page.
8. In the middle pane, click the Related Objects tab and click the Hosts tab.
9. Verify that the list is empty.
10. In the middle pane, click Actions and select Delete.
11. Click Yes when prompted with a warning message.
12. Verify that the distributed switch is removed from the Networking inventory pane.


Task 5: Clean Up for the Next Lab


You prepare for the next lab.
1. Point to the Home icon and select Networking & Security.


Lab 4

Preparing for Virtual Networking

Objective: Install the NSX for vSphere modules in ESXi hosts and configure the VXLAN IP pools and a transport zone
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Install NSX for vSphere Modules on the ESXi Hosts
3. Configure VXLAN on the ESXi Hosts
4. Configure the VXLAN ID Pool
5. Configure a Local Transport Zone
6. Clean Up for the Next Lab


Task 1: Prepare for the Lab


You prepare for the lab if you have closed windows or logged out of the VMware vSphere Web
Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
2. If you are logged out of the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account and enter the password VMware1!.

Task 2: Install NSX for vSphere Modules on the ESXi Hosts


You install the VMware NSX for vSphere modules on the VMware ESXi hosts that are
assigned to two different clusters.
1. On the vSphere Web Client Home page, click Networking & Security.
2. In the left navigation pane, select Installation.
3. In the middle pane, click the Host Preparation tab.
4. For each listed cluster, point to Not Installed in the Installation Status column, click the gear icon, and select Install.
5. Click Yes when prompted to confirm.
The following clusters are listed:
Management and Edge
Compute
6. Monitor the installation status of each cluster.

The installation status changes from Installing to a green check mark and the VXLAN column
contains an active Not Configured link.


Task 3: Configure VXLAN on the ESXi Hosts


For each cluster, you specify the distributed switch and IP pool to be used for VXLAN networking.
Use the following information from the class configuration handout:
VTEP gateway IP address
IP range for VTEPs
1. For the Compute cluster, click the Not Configured link provided in the VXLAN column to open the Configure VXLAN networking dialog box.
a. Verify that the Switch selection is vds-Datacenter.
b. Verify that the VLAN setting is 0.
c. Verify that the MTU setting is 1600.
d. For VMKNic IP Addressing, click Use IP Pool.
e. Select New IP Pool from the IP Pool drop-down menu.
f. In the Add Static IP Pool dialog box, configure an IP pool.

Option            Action
Name              Enter VTEP-Pool in the text box.
Gateway           Enter the VTEP Gateway IP address.
Prefix Length     Enter 24 in the text box.
Primary DNS       Leave blank.
Secondary DNS     Leave blank.
DNS Suffix        Leave blank.
Static IP Pool    Enter the IP range for VTEPs.

g. Click OK.
h. Leave VMKNic Teaming Policy as Fail Over and click OK.


2. Wait for the update to complete and determine if an error message appears in the VXLAN column for Compute Cluster A.
An error indicates a transitory condition that occurs early in the process of applying the VXLAN configuration to the cluster. The vSphere Web Client interface has not updated to display the actual status.
3. Click the vSphere Web Client Refresh icon on the left of the logged-in user name.
4. Verify that the Compute cluster VXLAN status is Configured with a green check mark.
5. For the Management and Edge cluster, click the Not Configured link provided in the VXLAN column to open the Configure VXLAN networking dialog box.
a. Verify that the Switch selection is vds-Datacenter.
b. Verify that the VLAN setting is 0.
c. Verify that the MTU setting is 1600.
d. For VMKNic IP Addressing, click Use IP Pool and select VTEP-Pool from the drop-down menu.
e. Leave VMKNic Teaming Policy as Fail Over and click OK.
6. Wait for the update to complete and click the vSphere Web Client Refresh icon.
7. Verify that the Management and Edge cluster VXLAN status is Configured with a green check mark.
If the VXLAN status is not Configured, wait and refresh again until the status changes.
8. Click the Logical Network Preparation tab and verify that VXLAN Transport is selected.
9. In the Clusters and Hosts list, expand each cluster.
10. For each host, confirm that the host has a vmk# interface.
Q1. What is the number of VTEPs on each host?
1. One
Q2. Which switch is connected to each host's VMKNic?
2. vds-Datacenter


Task 4: Configure the VXLAN ID Pool


You configure the ID range that is used to identify VXLAN networks.
Use the following information from the class configuration handout:
Segment ID range
1. On the Logical Network Preparation tab, click Segment ID.
2. Click Edit to open the Segment ID pool dialog box and configure settings.

Option                        Action
Segment ID Pool               Enter the segment ID range.
Enable multicast addressing   Leave the check box deselected.

3. Click OK.

Task 5: Configure a Local Transport Zone


A transport zone specifies the hosts and clusters that are associated with logical switches that are
created in the zone. Hosts in a transport zone are automatically added to the logical switches that
you create. This process is similar to manually adding hosts to the distributed switch.
1. On the Logical Network Preparation tab, click Transport Zones.
2. Click the green plus sign to open the New Transport Zone dialog box and configure a transport zone.

Option                   Action
Name                     Enter Local Transport Zone in the text box.
Control Plane Mode       Click the Unicast button.
Select clusters to add   Select the check box for each cluster.

3. Click OK.
4. Wait for the update to complete and verify that Local Transport Zone appears in the transport zones list with a Control Plane Mode of Unicast.


Task 6: Clean Up for the Next Lab


You perform this action to prepare for the next lab.
1. In the vSphere Web Client, remain in the Networking & Security view.


Lab 5

Configuring Logical Switch Networks

Objective: Create and test logical switches for the Web-Tier, App-Tier, and DB-Tier transport networks

In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Create Logical Switches
3. Verify That Logical Switch Port Groups Appear in vSphere
4. Migrate Virtual Machines to Logical Switches
5. Test Network Connectivity
6. Clean Up for the Next Lab


Task 1: Prepare for the Lab


You prepare for the lab if you have closed windows or logged out of the VMware vSphere Web
Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
2. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your_site_name bookmark in the Internet Explorer window.
3. When prompted, log in with your VMware vCenter Server administrator login account and enter the password VMware1!.
4. On the vSphere Web Client Home page, click Networking & Security.

Task 2: Create Logical Switches


You create logical switches for the Transit, Web-Tier, App-Tier, and DB-Tier networks.
1. In the left navigation pane, select Logical Switches.
2. In the center pane, click the green plus sign to open the New Logical Switch dialog box and configure the Transit-Network switch.
a. Enter Transit-Network in the Name text box.
b. For Transport Zone, click Change and select Local Transport Zone.
c. Click OK.
The replication mode changes to Unicast.
d. Click OK.
3. Wait for the update to complete and verify that Transit-Network appears with a status of Normal.
4. Click the green plus sign to open the New Logical Switch dialog box and configure the Web-Tier switch.
a. Enter Web-Tier in the Name text box.
b. For Transport Zone, click Change and select Local Transport Zone.
c. Click OK.
d. Click OK.

5. Wait for the update to complete and verify that Web-Tier appears with a status of Normal.
6. Click the green plus sign to create a logical switch.
7. In the New Logical Switch dialog box, configure the App-Tier switch.
a. Enter App-Tier in the Name text box.
b. For Transport Zone, click Change and select Local Transport Zone.
c. Click OK.
d. Click OK.
8. Wait for the update to complete and verify that App-Tier appears with a status of Normal.
9. Click the green plus sign to create a logical switch.
10. In the New Logical Switch dialog box, configure the DB-Tier switch.
a. Enter DB-Tier in the Name text box.
b. For Transport Zone, click Change and select Local Transport Zone.
c. Click OK.

d. Click OK.
11. Wait for the update to complete and verify that DB-Tier appears with a status of Normal.

Task 3: Verify That Logical Switch Port Groups Appear in vSphere


You verify that logical switch port groups appear in the VMware vSphere networking inventory.
1. Point to the vSphere Web Client Home icon and select Networking.

You must click the vSphere Networking icon. You must not click the VMware NSX
Networking and Security icon.
2. Expand the Networking inventory tree.
3. Click the vSphere Web Client Refresh icon.
4. Drag the pane divider to the right to expand the horizontal size of the inventory pane so that the port group names appear completely.
5. In the vds-Datacenter inventory, find port groups with names ending with the following:
Transit-Network
Web-Tier
App-Tier
DB-Tier
6. If the specified port groups do not appear in the vds-Datacenter inventory, refresh the vSphere Web Client and ensure that the port groups appear.


a. Wait for 1 minute.
b. Click the vSphere Web Client Refresh icon.
7. Review the networking inventory.
Q1. Can the ID number associated with a VXLAN logical switch be determined from
the port group name?
1. Yes, the ID follows the sid keyword in the port group name.
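As an added illustration that is not part of the lab manual, the following Python script reads the segment ID out of the port group names programmatically and checks each one against the Segment ID pool configured in Lab 4, Task 4. It assumes the naming pattern vxw-dvs-<dvs-id>-virtualwire-<n>-sid-<VNI>-<logical switch name>, which the lab does not spell out; the sample port group names and the 5000-5999 pool are constructed values, not the ones from your class configuration handout.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Assumed naming convention (not stated in the lab manual): the distributed
# port group that backs a logical switch is named
#   vxw-dvs-<dvs-id>-virtualwire-<wire>-sid-<VNI>-<logical switch name>
# The lab itself only states that the ID follows the "sid" keyword.
PORTGROUP_RE = re.compile(
    r"^vxw-dvs-(?P<dvs>\d+)-virtualwire-(?P<wire>\d+)-sid-(?P<sid>\d+)-(?P<name>.+)$"
)

# Constructed sample inventory: two VLAN port groups plus the four
# VXLAN-backed port groups created in Task 2 of this lab.
SAMPLE_PORTGROUPS = [
    "dvpg1",
    "Management",
    "vxw-dvs-21-virtualwire-1-sid-5000-Transit-Network",
    "vxw-dvs-21-virtualwire-2-sid-5001-Web-Tier",
    "vxw-dvs-21-virtualwire-3-sid-5002-App-Tier",
    "vxw-dvs-21-virtualwire-4-sid-5003-DB-Tier",
]
EXPECTED_SWITCHES = ["Transit-Network", "Web-Tier", "App-Tier", "DB-Tier"]


class LogicalSwitchPortGroup(NamedTuple):
    dvs_id: int
    wire: int
    sid: int   # VXLAN Network Identifier (VNI), i.e. the segment ID
    name: str  # logical switch name as typed in the New Logical Switch dialog


def parse_portgroup(pg_name: str) -> Optional[LogicalSwitchPortGroup]:
    """Return the parsed fields for a VXLAN-backed port group, else None."""
    m = PORTGROUP_RE.match(pg_name)
    if m is None:
        return None  # a plain VLAN port group such as dvpg1 or Management
    return LogicalSwitchPortGroup(int(m["dvs"]), int(m["wire"]), int(m["sid"]), m["name"])


def parse_segment_id_pool(pool: str) -> Tuple[int, int]:
    """Parse the 'low-high' range entered in the Segment ID pool dialog box."""
    low, high = (int(part.strip()) for part in pool.split("-", 1))
    if low > high:
        raise ValueError(f"invalid segment ID pool: {pool}")
    return low, high


def audit_portgroups(pg_names: List[str], pool: str,
                     expected_switches: List[str]) -> Dict[str, object]:
    """Map each logical switch to its VNI and flag IDs outside the pool
    or expected switches that have no backing port group yet."""
    low, high = parse_segment_id_pool(pool)
    vni_by_switch: Dict[str, int] = {}
    outside_pool: List[str] = []
    for pg_name in pg_names:
        parsed = parse_portgroup(pg_name)
        if parsed is None:
            continue
        vni_by_switch[parsed.name] = parsed.sid
        if not low <= parsed.sid <= high:
            outside_pool.append(pg_name)
    missing = [name for name in expected_switches if name not in vni_by_switch]
    return {"vni_by_switch": vni_by_switch, "outside_pool": outside_pool, "missing": missing}


if __name__ == "__main__":
    report = audit_portgroups(SAMPLE_PORTGROUPS, "5000-5999", EXPECTED_SWITCHES)
    for switch, vni in report["vni_by_switch"].items():
        print(f"{switch:16s} sid {vni}")
    print("outside pool:", report["outside_pool"])
    print("missing:", report["missing"])
```

Running the audit right after step 6 is a quick way to confirm that every logical switch you created has a backing port group and that its VNI falls inside the pool you entered in Lab 4; a missing entry usually means the vSphere Web Client has not refreshed yet.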

Task 4: Migrate Virtual Machines to Logical Switches


You use the vSphere Web Client plug-in for VMware NSX Manager to migrate virtual machines
to logical switches.
1. Point to the vSphere Web Client Home icon and select Networking & Security.
2. In the left navigation pane, select Logical Switches.
3. In the center pane, select the Web-Tier logical switch.
4. Click Actions and select Add VM.
5. In the Web-Tier - Add Virtual Machines dialog box, migrate web virtual machines to the Web-Tier logical switch.
a. In the Available Objects list, select web-sv-01a and web-sv-02a and click the right arrow.
b. Click Next.
c. In the Select vNICs list, select the Network Adapter 1 (VM Network) check box for web-sv-01a and web-sv-02a.


d. Click Next.
e. Click Finish.
6. In the Logical Switches list, double-click the Web-Tier entry to manage that object.
7. Click the Related Objects tab and click Virtual Machines.
Q1. Do the web-sv-01a and web-sv-02a virtual machines appear in the virtual
machines list?
1. Yes
Q2. Do any other virtual machines appear in the list?
2. No


8. At the top of the left inventory pane, click the Networking & Security back arrow.
9. In the Logical Switches list, select the App-Tier logical switch.
10. Click Actions and select Add VM.
11. In the Add Virtual Machines dialog box, migrate the app virtual machine to the App-Tier logical switch.
a. In the Available Objects list, select app-sv-01a.
b. Click the right arrow.
c. Click Next.
d. In the Select vNICs list, select the Network Adapter 1 (VM Network) check box for app-sv-01a.
e. Click Next.
f. Click Finish.
12. In the Logical Switches list, select the DB-Tier logical switch.
13. Click Actions and select Add VM.
14. In the Add Virtual Machines dialog box, migrate the DB virtual machine to the DB-Tier logical switch.
a. In the Available Objects list, select db-sv-01a.
b. Click the right arrow.
c. Click Next.
d. In the Select vNICs list, select the Network Adapter 1 (VM Network) check box for db-sv-01a.
e. Click Next.
f. Click Finish.

Task 5: Test Network Connectivity


You test connectivity between virtual machines, between a physical system and the virtual
machines, and between hosts using virtual switch monitoring tools.
1. Point to the vSphere Web Client Home icon and select VMs and Templates.
2. Expand the VMs and Templates inventory tree.

The following virtual machines are found in the Discovered virtual machine folder:
web-sv-01a
web-sv-02a
app-sv-01a
db-sv-01a
3. Power on each virtual machine.
a. Select the virtual machine in the inventory.
b. Select Power On from the Actions drop-down menu.
4. Record the IP address assigned to each of the virtual machines.
web-sv-01a IP address __________
web-sv-02a IP address __________
app-sv-01a IP address __________
db-sv-01a IP address __________
To view an IP address assignment, you can select the virtual machine in the inventory. The IP
address assignment appears at the top of the Summary tab report.
The IP address information is also provided in your lab topology handout on the Lab Networks
and IP Addressing page.
5. Test connectivity from the web-sv-01a virtual machine by using a console window.
a. In the VMs and Templates inventory tree, select the web-sv-01a virtual machine.
b. Select Open Console from the Actions drop-down menu.

It might take a minute for the console window to initialize. Point to the console window,
wait until the mouse pointer becomes a hand icon, click anywhere inside the console
window, and press Enter.
c. Log in as root and enter the password VMware1!.
d. At the command prompt, run the following command to query the ARP cache.

arp -an
Q1. Did the command return any entries?
1. No

e. At the command prompt, run the following command to ping the web-sv-02a virtual machine.
ping ip_address
ip_address is the web-sv-02a IP address recorded in step 4.


Q2. Did the ping command receive replies from the web-sv-02a virtual machine?
2. Yes

f. Press Ctrl+C to stop the ping command.


g. At the command prompt, run the following command to query the ARP cache.

arp -an
Q3. Did the command return any entries?
3. Yes, the web-sv-02a virtual machine.

h. At the command prompt, run the following command to ping the app-sv-01a virtual machine.
ping ip_address
ip_address is the app-sv-01a IP address recorded in step 4.
Q4. Did the ping command receive replies from the app-sv-01a virtual machine?
4. No

i. Press Ctrl+C to stop the ping command.


j. At the command prompt, run the following command to ping the db-sv-01a virtual machine.
ping ip_address
ip_address is the db-sv-01a IP address recorded in step 4.
Q5. Did the ping command receive replies from the db-sv-01a virtual machine?
5. No

k. Press Ctrl+C to stop the ping command.


l. Review the ping tests.
Q6. If any ping test failed, what might be the root cause?
6. East-West routing has not been established between the logical switch networks.

m. In the Internet Explorer window, press Ctrl+Alt to release the mouse cursor.
n. Leave the web-sv-01a console tab open for the remainder of the class.
o. In the Internet Explorer window, click the vSphere Web Client - your_site_name tab.
6. Use the Command Prompt window to test connectivity from the desktop.
a. Minimize the Internet Explorer window.


b. On the desktop, double-click the Command Prompt shortcut.


c. In the Command Prompt window, run the following command to ping the web-sv-01a virtual machine.
ping ip_address
ip_address is the web-sv-01a IP address recorded in step 4.
Q7. Did the ping command receive replies from the web-sv-01a virtual machine?
7. No
Q8. If no ICMP replies were received, why?
8. As is the case with East-West routing, North-South routing has not yet been established.

d. Leave the Command Prompt window open for the remainder of the class.
7. Test connectivity between the ESXi hosts' VTEPs.

You test connectivity between two ESXi hosts, but you can perform this test to validate VTEP
connectivity between all the hosts.
a. Restore the Internet Explorer window.
b. Point to the vSphere Web Client Home icon and select Networking & Security.
c. In the left navigation pane, select Installation.
d. In the center pane, select Logical Network Preparation and click VXLAN Transport.
e. Expand both clusters and make a note of the vmk2 IP address for esxi-your_site_name-04.vclass.local and esxi-your_site_name-05.vclass.local.


f. Minimize Internet Explorer and open MTPuTTY.
g. Double-click esxi-your_site_name-04.
A PuTTY session is opened to the ESXi host.
h. Enter the following command, where the last argument is the vmk2 IP address of esxi-your_site_name-05 that you recorded in step 7e.

vmkping ++netstack=vxlan -d -s 1572 -I vmk2 IP_address_of_esxi-your_site_name-05_vmk2_from_step_7e

The ping command should be successful. The VTEPs on the ESXi hosts can communicate with each other and the physical network is configured to support VXLAN frames. The -d option sets the Do Not Fragment bit, and the 1572-byte payload plus the 20-byte IP header and 8-byte ICMP header produce a 1600-byte packet, so the test only succeeds if the physical path carries the MTU you configured in Lab 4.
i. Click X to close the PuTTY session.
j. Minimize MTPuTTY.
k. Restore the Internet Explorer window on the student desktop.


Task 6: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. In the vSphere Web Client interface, stay in the Networking & Security view.
2. In Internet Explorer, leave the following tabs open:
vSphere Web Client
web-sv-01a
3. On the desktop, leave the Command Prompt and MTPuTTY windows open.


Lab 6

Configuring and Deploying an NSX Distributed Router

Objective: Configure East-West routing by deploying a distributed logical router
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Configure and Deploy a VMware NSX Distributed Logical Router
3. Verify the Distributed Router Deployment and Configuration
4. Test Connectivity
5. Use the VMware NSX Controller CLI Commands to Verify the Distributed Router Deployment
6. Clean Up for the Next Lab


Task 1: Prepare for the Lab


You prepare for the lab if you have closed windows or logged out of the VMware vSphere Web
Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your_site_name bookmark in the Internet Explorer window.
4. When prompted, log in with your VMware vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. Point to the vSphere Web Client Home icon and click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.

Task 2: Configure and Deploy a VMware NSX Distributed Logical Router

You configure and deploy a VMware NSX distributed logical router that is connected to each of the logical switches.
Use the following information from the class configuration handout:
Your site name
Data center
Datastore
IP address for Transit-Network LIF
IP address for Web-Tier Interface LIF
IP address for App-Tier Interface LIF
IP address for DB-Tier Interface LIF
1. Point to the vSphere Web Client Home icon and click Networking & Security.
2. In the left navigation pane, select NSX Edges.
3. In the center pane, click the green plus sign to open the New NSX Edge dialog box.
4. On the Name and description page, click Logical (Distributed) Router.
5. Enter Distributed Router - your_site_name in the Name text box and click Next.
6. On the CLI credentials page, enter VMware1!VMware1! in the password text box and the Confirm password text box.
7. Select the Enable SSH Access check box and click Next.
8. On the Configure Deployment page, verify that your data center is selected.
9. Under NSX Edge Appliances, click the green plus sign to open the Add NSX Edge Appliance dialog box.
a. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
b. Select your datastore from the Datastore drop-down menu.
c. Leave all other fields blank and click OK.
10. Click Next.
11. On the Configure interfaces page, click the Connected To > Select link under HA Interface Configuration.
12. In the Connect NSX Edge to a Network dialog box, click Distributed Portgroup.
13. Click Management and click OK.
14. Under Configure Interfaces of this NSX Edge, click the green plus sign to open the Add Interface dialog box and configure the first of the four interfaces.
a. Enter Transit-Network in the Name text box.
b. For Type, leave UpLink selected.
c. Click the Connected To > Select link.
d. Click Transit-Network and click OK.
e. Click the green plus sign under Configure Subnets.
f. Enter the IP address for Transit-Network LIF in the Primary IP Address text box.

g. Enter 27 in the Subnet prefix length text box.
h. Leave all other settings at the default value and click OK.
15. Under Configure Interfaces of this NSX Edge, click the green plus sign to open the Add Interface dialog box and configure the second of the four interfaces.


a. Enter Web-Tier in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click Web-Tier and click OK.
e. Click the green plus sign under Configure Subnets.
f. Enter the IP address for Web-Tier Interface LIF in the IP Address text box.
g. Enter 24 in the Subnet prefix length text box.
h. Leave all other settings at the default value and click OK.
16. Under Configure Interfaces of this NSX Edge, click the green plus sign to open the Add Interface dialog box and configure the third of the four interfaces.
a. Enter App-Tier in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click App-Tier and click OK.
e. Click the green plus sign under Configure Subnets.
f. Enter the IP address for App-Tier Interface LIF in the IP Address text box.
g. Enter 24 in the Subnet prefix length text box.
h. Leave all other settings at the default value and click OK.
17. Under Configure Interfaces of this NSX Edge, click the green plus sign to open the Add Interface dialog box and configure the fourth interface.


a. Enter DB-Tier in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click DB-Tier and click OK.
e. Click the green plus sign under Configure Subnets.
f. Enter the IP address for DB-Tier Interface LIF in the IP Address text box.
g. Enter 24 in the Subnet prefix length text box.
h. Leave all other settings at the default value and click OK.

18. Compare the interface configurations to the following table.

Name              IP Address      Subnet Prefix Length   Connected To
Transit-Network   From Handout    27                     Transit-Network
Web-Tier          From Handout    24                     Web-Tier
App-Tier          From Handout    24                     App-Tier
DB-Tier           From Handout    24                     DB-Tier

19. If an entry is not configured correctly, select the entry and click the pencil icon to edit the entry.
20. Click Next.
21. On the Default gateway settings page, deselect Configure Default Gateway and click Next.
22. On the Ready to complete page, review the configuration report and click Finish.
23. Above the edge list, monitor the deployment to completion.

The deployment is complete when 0 installations are active.

Task 3: Verify the Distributed Router Deployment and Configuration


You verify that the distributed router is configured correctly and is deployed successfully.

Use the following information from the class configuration handout:
Your site name
1. In the edge list, verify that the Distributed Router - your_site_name entry displays Logical Router as the type.


2. Double-click the Distributed Router entry to manage that object.
3. Click the Manage tab and verify that Settings is selected.
4. In the settings category panel, select Interfaces.
5. In the Interfaces list, verify that each interface shows a green check mark in the Status column.
6. In the settings category panel, select Configuration.
7. At the bottom of the center pane, find the Logical Router Appliances panel.
Q1. On which datastore is the logical router Edge Appliance deployed?
1. Datastore selected during the deployment of the logical router.
Q2. On which host is the logical router Edge Appliance running?
2. Can be either host that is assigned to Management and Edge Cluster.


8. Point to the vSphere Web Client Home icon and click Hosts and Clusters.
9. Expand the inventory tree so that all the inventory for each cluster appears.
10. In the inventory tree, find and select the Distributed Router - your_site_name virtual machine and review the Summary tab report.


11. Expand the VM Hardware section in the middle pane to view the hardware settings.

The Distributed Router item name starts with the text Distributed Router and appears in the
Management and Edge cluster.
Q3. How many vCPUs does the virtual machine have?
3. 1
Q4. How much memory does the virtual machine have?
4. 512 MB
Q5. How large is the hard disk?
5. 500 MB
Q6. How many network adapters are connected to port groups?
6. 2

Task 4: Test Connectivity


You test connectivity between virtual machines, between a physical system and the virtual
machines, and between hosts using virtual switch monitoring tools.
1. Point to the vSphere Web Client Home icon and click VMs and Templates.
2. Record the IP address assigned to each of the following virtual machines found in the Discovered virtual machine folder.
web-sv-01a IP address __________
web-sv-02a IP address __________
app-sv-01a IP address __________
db-sv-01a IP address __________
The IP address information can also be found in your lab topology handout on the Lab
Networks and IP Addressing page.
3. Test connectivity from the web-sv-01a virtual machine.
a. In the Internet Explorer window, click the web-sv-01a tab.


b. At the command prompt, run the following command to ping the web-sv-02a virtual machine.
ping ip_address
ip_address is the web-sv-02a IP address recorded in step 2.
Q1. Did the ping command receive replies from the web-sv-02a virtual machine?
1. Yes

c. Press Ctrl+C to stop the ping command.


d. At the command prompt, run the following command to ping the app-sv-01a virtual machine.
ping ip_address
ip_address is the app-sv-01a IP address recorded in step 2.
Q2. Did the ping command receive replies from the app-sv-01a virtual machine?
2. Yes

e. Press Ctrl+C to stop the ping command.


f. At the command prompt, run the following command to ping the db-sv-01a virtual machine.
ping ip_address
ip_address is the db-sv-01a IP address recorded in step 2.


Q3. Did the ping command receive replies from the db-sv-01a virtual machine?
3. Yes

g. Press Ctrl+C to stop the ping command.


h. Review the results of the ping tests.
Q4. Do these results differ from the ping tests you performed after creating the
logical switches before adding the distributed router?
4. Yes

i. At the command prompt, run the following command to query the ARP cache.

arp -an
Q5. Did the command return any entries?
5. Yes, the other node on the Web-Tier network and the router interface.

j. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.


4. Use a Command Prompt window to test connectivity from the student desktop system.
a. Minimize the Internet Explorer window.
b. In the Command Prompt window, run the following command to ping the web-sv-01a virtual machine.
ping ip_address
ip_address is the web-sv-01a IP address recorded in step 2.
Q6. Did the ping command receive replies from the web-sv-01a virtual machine?
6. No

c. In the Command Prompt window, run the following command to ping the web-sv-02a virtual machine.
ping ip_address
ip_address is the web-sv-02a IP address recorded in step 2.
Q7. Did the ping command receive replies from the web-sv-02a virtual machine?
7. No
Q8. If no ICMP replies were received during the preceding tests, why?
8. North-South routing is yet to be established.

d. Leave the Command Prompt window open.
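The ping results recorded in Lab 5, Task 5 and in this task differ for one reason: the distributed router adds a longest-prefix-match routing table with a connected route for each LIF, while still having no default route because Configure Default Gateway was deselected in Task 2. The Python model below is an added example, not part of the lab manual, that reproduces both ping matrices. All addresses are constructed placeholders rather than the values in your handout, and the Management segment stands in for the network the student desktop sits on.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network

# Constructed addressing for the lab topology (placeholders, not the values
# from the class configuration handout).
SEGMENTS: Dict[str, IPv4Network] = {
    "Transit-Network": IPv4Network("192.168.100.0/27"),
    "Web-Tier": IPv4Network("172.16.10.0/24"),
    "App-Tier": IPv4Network("172.16.20.0/24"),
    "DB-Tier": IPv4Network("172.16.30.0/24"),
    "Management": IPv4Network("192.168.110.0/24"),  # where the student desktop lives
}

VMS: Dict[str, str] = {  # constructed VM addresses
    "web-sv-01a": "172.16.10.11",
    "web-sv-02a": "172.16.10.12",
    "app-sv-01a": "172.16.20.11",
    "db-sv-01a": "172.16.30.11",
    "student-desktop": "192.168.110.10",
}


def segment_of(ip: str) -> Optional[str]:
    """Name of the logical switch (or VLAN segment) that carries this address."""
    addr = ipaddress.IPv4Address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


class DistributedRouter:
    """Minimal model of a DLR: one LIF per connected logical switch and a
    routing table that holds only the connected prefixes."""

    def __init__(self, name: str, lifs: Dict[str, str]) -> None:
        self.name = name
        self.lifs = lifs  # segment name -> LIF address
        # (prefix, egress segment). Connected routes only; no default route,
        # matching "deselect Configure Default Gateway" in Task 2.
        self.routes: List[Tuple[IPv4Network, str]] = [
            (SEGMENTS[seg], seg) for seg in lifs
        ]

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match; returns the egress segment or None when no route exists."""
        addr = ipaddress.IPv4Address(dst_ip)
        best: Optional[Tuple[IPv4Network, str]] = None
        for net, seg in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, seg)
        return best[1] if best else None


def _one_way(src_ip: str, dst_ip: str, routers: List[DistributedRouter]) -> bool:
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return False
    if src_seg == dst_seg:
        return True  # same logical switch: plain L2 forwarding over VXLAN
    # Otherwise some router needs a LIF on the source segment and a route
    # whose egress is the destination segment.
    return any(src_seg in r.lifs and r.lookup(dst_ip) == dst_seg for r in routers)


def ping_ok(src_ip: str, dst_ip: str, routers: List[DistributedRouter]) -> bool:
    """A ping succeeds only if the echo request and the echo reply both have a path."""
    return _one_way(src_ip, dst_ip, routers) and _one_way(dst_ip, src_ip, routers)


def build_distributed_router() -> DistributedRouter:
    """The DLR from Task 2: four LIFs, no default gateway (constructed LIF addresses)."""
    return DistributedRouter("Distributed Router", {
        "Transit-Network": "192.168.100.2",
        "Web-Tier": "172.16.10.1",
        "App-Tier": "172.16.20.1",
        "DB-Tier": "172.16.30.1",
    })


def lab_results(routers: List[DistributedRouter]) -> Dict[str, bool]:
    """Reproduce the ping matrix the lab asks you to record."""
    web1 = VMS["web-sv-01a"]
    return {
        "web-sv-01a -> web-sv-02a": ping_ok(web1, VMS["web-sv-02a"], routers),
        "web-sv-01a -> app-sv-01a": ping_ok(web1, VMS["app-sv-01a"], routers),
        "web-sv-01a -> db-sv-01a": ping_ok(web1, VMS["db-sv-01a"], routers),
        "student-desktop -> web-sv-01a": ping_ok(VMS["student-desktop"], web1, routers),
    }


if __name__ == "__main__":
    print("Lab 5 (logical switches only):", lab_results([]))
    print("Lab 6 (with distributed router):", lab_results([build_distributed_router()]))
```

With an empty router list the model gives the Lab 5 answers (only the two Web-Tier machines reach each other); with the distributed router it gives the answers in this task, and the desktop ping still fails twice over: the desktop's segment has no LIF, and the router has no route back toward it, which is exactly the North-South gap that Lab 7 addresses.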

Task 5: Use the VMware NSX Controller CLI Commands to Verify the Distributed Router Deployment
You log in to the VMware NSX Controller instance that owns the VNI slice and examine logical switch tables.
1. On the student desktop, double-click the MTPuTTY shortcut.
2. In the MTPuTTY window, connect to any of the VMware NSX Controller nodes by double-clicking the IP address of one of the VMware NSX Controller nodes added earlier.
a. If you are prompted to confirm a PuTTY security alert, click Yes.
b. Log in as admin and enter the password VMware1!VMware1!.
3. At the command prompt, run the following command to determine which VMware NSX Controller node owns the VNI slice.

show control-cluster logical-switches vni vni_id

vni_id is 5001 for StudentA and 6001 for StudentB.

4. If you are not connected to the VMware NSX Controller instance that owns the slice, configure the connection.
a. Record the IP address of the VMware NSX Controller instance that owns the slice.
__________
b. Double-click the IP address of the VMware NSX Controller node recorded in step a.
c. If you are prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
5. At the command prompt, run the following commands and review the command output.

show control-cluster logical-switches vtep-table vni_id
show control-cluster logical-switches mac-table vni_id
show control-cluster logical-switches arp-table vni_id

vni_id is 5001 for StudentA and 6001 for StudentB.
6. If the ARP table is empty, repeat task 4, step 3 to repopulate it.

Task 6: Clean Up for the Next Lab
You perform these actions to prepare for the next lab.
1. Restore the Internet Explorer window.

2. Point to the vSphere Web Client Home icon and click Networking & Security.
3. In the Internet Explorer window, leave the following tabs open.
vSphere Web Client
web-sv-01a
4. On the student desktop, leave the Command Prompt and MTPuTTY windows open.

Lab 7
Deploying an NSX Edge Services Gateway and Configuring Static Routing
Objective: Configure and deploy an NSX Edge services gateway to provide perimeter routing
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Configure and Deploy an NSX Edge Gateway
3. Verify the NSX Edge Gateway Deployment
4. Configure Static Routes on the NSX Edge Gateway
5. Configure Static Routes on the Distributed Router
6. Test Connectivity Between an External Network and a Logical Switch Network
7. Clean Up for the Next Lab

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, click the Command Prompt shortcut in the task bar.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your_site_name bookmark in the Internet Explorer window.
4. When prompted, log in with your vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. Point to the vSphere Web Client Home icon and click the VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.

Task 2: Configure and Deploy an NSX Edge Gateway
You configure and deploy a VMware NSX Edge services gateway to provide North-South routing
and other network services.
Use the following information from the class configuration handout:
Your site name
Data center
Datastore
IP address for the NSX Edge uplink
IP address of the NSX Edge internal interface
IP address of the NSX Edge default gateway
1. Point to the vSphere Web Client Home icon and click Networking & Security.
2. In the left navigation pane, select NSX Edges.
3. In the middle pane, click the green plus sign to open the New NSX Edge dialog box.
4. On the Name and description page, leave Edge Services Gateway selected.
5. Enter Perimeter Gateway - your_site_name in the Name text box and click Next.
6. On the CLI credentials page, enter VMware1!VMware1! in the Password and Confirm password text boxes.
7. Select the Enable SSH access check box and click Next.
8. On the Configure deployment page, verify that your data center is selected.
9. Verify that the Appliance Size selection is Compact.
10. Under NSX Edge Appliances, click the green plus sign to open the Add NSX Edge Appliance dialog box.
a. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
b. Select your datastore from the Datastore drop-down menu.
c. Leave all other fields at default value and click OK.
11. Click Next.
12. On the Configure Interfaces page, click the green plus sign to open the Add NSX Edge Interface dialog box and configure the first of the two interfaces.
a. Enter Uplink-Interface in the Name text box.
b. For Type, leave UpLink selected.
c. Click the Connected To > Select link.
d. Click Distributed Portgroup.
e. Click the Production button and click OK.
f. Click the green plus sign.
g. Enter the IP address for the NSX Edge uplink in the Primary IP Address text box.
h. Enter 24 in the Subnet prefix length text box.
i. Leave all other settings at default value and click OK.

13. Click the green plus sign to open the Add NSX Edge Interface dialog box and configure the second interface.
a. Enter Transit-Network in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click the Transit-Network button and click OK.
e. Click the green plus sign.
f. Enter the IP address of the NSX Edge internal interface in the Primary IP Address text box.
g. Enter 27 in the Subnet prefix length text box.
h. Leave all other fields at default value and click OK.
14. Compare the interface configurations to the following table.

Name               IP Address                                      Subnet Prefix Length   Connected To
Uplink-Interface   IP address for the NSX Edge uplink              24                     Production
Transit-Network    IP address of the NSX Edge internal interface   27                     Transit-Network

15. If any interface is not configured correctly, select that entry and click the pencil icon to edit the entry.
16. Click Next.
17. On the Default gateway settings page, select the Configure Default Gateway check box.
18. Verify that the vNIC selection is Uplink-Interface.
19. Enter the IP address of the NSX Edge default gateway in the Gateway IP text box.
20. Leave all other settings at default value and click Next.
21. On the Firewall and HA page, select the Configure Firewall default policy check box.
22. For the Default Traffic Policy, click Accept.

You must set the Default Traffic Policy to Accept before proceeding.
23. Leave all the other fields at the default values and click Next.
24. On the Ready to Complete page, review the configuration report and click Finish.
25. Above the edge list, monitor the deployment to completion.

The deployment is complete when 0 installations are active.

Task 3: Verify the NSX Edge Gateway Deployment
You verify the state of the deployed NSX Edge services gateway appliance by reviewing appliance
configuration reports.
Use the following information from the class configuration handout:
Your site name
1. In the edge list, verify that the Perimeter Gateway - your_site_name type is NSX Edge.
2. Double-click the Perimeter Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces and verify that each configured interface has a green check mark in the Status column.
5. In the settings category panel, select Configuration.
6. At the bottom of the middle pane, find the NSX Edge Appliances list.
Q1. On what datastore is the perimeter gateway appliance deployed?
1. The datastore chosen during the deployment.
Q2. On which host is the perimeter gateway appliance running?
2. Can be any ESXi host in the Management and Edge cluster.

7. Point to the vSphere Web Client Home icon and click Hosts and Clusters.
8. Expand the Hosts and Clusters inventory tree so that the inventory of each cluster is shown.
9. Click the vSphere Web Client Refresh icon.
10. Select the perimeter gateway appliance in the Management and Edge cluster inventory.

The appliance virtual machine name starts with Perimeter Gateway - your_site_name and is
followed by a number, for example, Perimeter Gateway - Your Site-0.
11. In the middle pane, review the Summary tab report.
12. Expand VM Hardware section to review the hardware settings.
Q3. How many vCPUs does the appliance have?
3. 1

Q4. How much total memory does the appliance have?
4. 512 MB
Q5. What is the size of the appliance hard disk?
5. 500 MB
Q6. How many network adapters does the appliance have?
6. 10
Q7. How many network adapters are connected to port groups?
7. 2

Task 4: Configure Static Routes on the NSX Edge Gateway
You configure a static route that specifies the transit network interface on the distributed router as
the next hop for traffic destined to the Web-Tier, App-Tier, or DB-Tier logical switch networks.
Use the following information from the class configuration handout:
Workload VM network
IP address of the distributed logical router uplink
1. Point to the vSphere Web Client Home icon and click Networking & Security.
2. In the left navigation pane, select NSX Edges.
3. In the edge list, double-click the Perimeter Gateway entry to manage that object.
4. In the middle pane, click Routing on the Manage tab.
5. In the routing category panel, select Static Routes.
6. Click the green plus sign to open the Add Static Route dialog box.
a. Select Transit-Network from the Interface drop-down menu.
b. Enter the workload VM network in the Network text box.
c. Enter the IP address of the distributed logical router uplink in the Next Hop text box.

This value is the Distributed Router interface on the Transit network.
d. Leave all other settings at default value and click OK.
7. Above the static routes list, click Publish Changes.
8. Wait for the update to complete and verify that the new route with a type of user appears in the list.

Task 5: Configure Static Routes on the Distributed Router
You configure a static route that specifies the transit network interface on the NSX Edge services
gateway as the next hop for traffic destined to the Management network.
Use the following information from the class configuration handout:
Student desktop network
IP address of the perimeter gateway internal interface
1. In the left navigation pane, click the Networking & Security back arrow.
2. In the edge list, double-click the Distributed Router entry to manage that object.
3. In the middle pane, click Routing on the Manage tab.
4. In the routing category panel, verify that Static Routes is selected.
5. Click the green plus sign to open the Add Static Route dialog box.
a. Select Transit-Network from the Interface drop-down menu.
b. Enter the student desktop network in the Network text box.
c. Enter the IP address of the perimeter gateway internal interface in the Next Hop text box.

This address is the address of the perimeter gateway interface on the Transit network.
d. Leave all other settings at default value and click OK.
6. Above the static routes list, click Publish Changes.
7. Wait for the update to complete and confirm that the new route with the type of user appears in the list.

Task 6: Test Connectivity Between an External Network and a Logical Switch Network
You use the static routes defined on the distributed router and the NSX Edge services gateway to test
bidirectional communication over the transit network.
Use the following information from the class configuration handout:
Student desktop IP address
IP address of web-sv-01a
IP address of web-sv-02a
IP address of app-sv-01a
IP address of db-sv-01a
1. In the Internet Explorer window, click the web-sv-01a tab.
2. At the web-sv-01a command prompt, run the following command to ping the student desktop system.
ping student_desktop_IP_address
3. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.

The ping test demonstrates the bidirectional connectivity between the logical switch network
and the Management network for traffic that is initiated on the Web-Tier network. If the ping
command does not receive the expected replies, you can ask your instructor for assistance.
4. In the Internet Explorer window, press Ctrl+Alt to release the mouse cursor, open a new browser tab, and browse the web-sv-01a IP address.
http://IP_address_of_web-sv-01a
5. After the web-sv-01a Web page is displayed, browse the web-sv-02a IP address.

http://IP_address_of_web-sv-02a
6. After the web-sv-02a Web page is displayed, close the Internet Explorer tab that is used to browse the Web servers.

The ping and HTTP tests that are conducted verify bidirectional connectivity between the
Management and Web-Tier networks for connections initiated in either direction.
7. Minimize the Internet Explorer window.
8. On the student desktop, run the following command in the Command Prompt window to verify that the static routes enable bidirectional connectivity between the Management network and the App-Tier logical switch network.
ping IP_address_of_app-sv-01a
9. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
10. Run the following command to verify that the static routes enable bidirectional connectivity between the Management network and the DB-Tier logical switch network.
ping IP_address_of_db-sv-01a
11. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
12. Leave the Command Prompt window open.
13. Restore the Internet Explorer window and click the vSphere Web Client tab.

Task 7: Clean Up for the Next Lab
You perform these actions to prepare for the next lab.
1. In the left navigation pane, click the Networking & Security back arrow.
2. In the Internet Explorer window, leave the following tabs open.
vSphere Web Client
web-sv-01a
3. On the student desktop, leave the Command Prompt and MTPuTTY windows open.

Lab 8
Configuring and Testing Dynamic Routing on NSX Edge Appliances
Objective: Configure OSPF to establish bidirectional connectivity between the Management network
and the Web-Tier, App-Tier, and DB-Tier logical switch networks
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Remove Static Routes from the Perimeter Gateway
3. Configure OSPF on the Perimeter Gateway
4. Redistribute the Perimeter Gateway Subnets
5. Remove Static Route on the Distributed Router
6. Configure OSPF on the Distributed Router

7. Redistribute Distributed Router Internal Subnets


8. Troubleshoot Connectivity Between the Logical Switch Networks and the Management

Network
9. Resolve the Connectivity Issue
10. Clean Up for the Next Lab

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop.
2. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your_site_name bookmark in the Internet Explorer window.
4. When prompted, log in with your vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. Point to the vSphere Web Client Home icon and click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root by using the password VMware1!.
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
6. Point to the vSphere Web Client Home icon and click Networking & Security.

Task 2: Remove Static Routes from the Perimeter Gateway
You remove the static routes that you configured in an earlier lab and use the Open Shortest Path
First (OSPF) routing protocol to configure dynamic routing.
Use the following information from the class configuration handout:
IP address of web-sv-01a
1. Minimize the Internet Explorer window.
2. On the student desktop, run the following command in the Command Prompt window to test bidirectional connectivity between the Management network and the Web-Tier logical switch network.
ping IP_address_of_web-sv-01a
3. Verify that ICMP echo replies are received.

If ICMP echo replies are not received, you might be performing this lab without first
configuring static routing when the VMware NSX Edge services gateway was deployed in an
earlier lab. You can ask your instructor for assistance if the expected replies are not observed.
4. Leave the Command Prompt window open.
5. Restore the Internet Explorer window.
6. In the left navigation pane, select NSX Edges.
7. In the edge list, double-click the Perimeter Gateway entry to manage that object.
8. In the middle pane, click the Manage tab and click Routing.
9. In the routing category panel, select Static Routes.
10. In the static routes list, select the static route created in the previous lab and click the red X icon to delete the entry.
11. Above the static routes list, click Publish Changes.
12. Minimize the Internet Explorer window.
13. On the student desktop, run the following command in the Command Prompt window to test bidirectional connectivity between the Management Network and the Web-Tier logical switch network.
ping IP_address_of_web-sv-01a
14. Verify that ICMP echo replies are not received.

A TTL expired in transit message appears.
15. Leave the Command Prompt window open.
16. Restore the Internet Explorer window.

Task 3: Configure OSPF on the Perimeter Gateway
You configure OSPF on the perimeter gateway so that the routes to the logical switch networks are
learned from the distributed router over the transit network.
1. In the routing categories list, select Global Configuration.
2. In the Dynamic Routing Configuration panel, click Edit to open the Edit Dynamic Routing Configuration dialog box.
a. Select Uplink-Interface - ip address from the Router ID drop-down menu.
b. Click OK.
c. On the top of the Global Configuration page, click Publish Changes.
3. In the routing category panel, select OSPF.
4. Click Edit for OSPF Configuration.
5. In the OSPF Configuration dialog box, select the Enable OSPF check box and click OK.
6. Click Publish Changes at the top of the OSPF page.
7. Above the Area Definitions list, click the green plus sign to open the New Area Definition dialog box.
a. Enter 829 in the Area ID text box.
b. Leave all other settings at the default value and click OK.
8. Under Area Interface Mapping, click the green plus sign at the bottom of the OSPF page to open the New Area to Interface Mapping dialog box.
a. Select Transit-Network from the drop-down menu.
b. Select 829 from the Area drop-down menu.
c. Leave all other fields at the default value and click OK.
9. At the top of the OSPF page, click Publish Changes.

Task 4: Redistribute the Perimeter Gateway Subnets
You configure which type of subnets are advertised by the perimeter gateway through OSPF.
1. In the routing category panel, select Route Redistribution.
2. Under the Route Redistribution table, click the green plus sign at the bottom of the page to open the New Redistribution criteria dialog box.
a. Under Allow learning from, select the Connected check box.

Subnets that are connected to the perimeter gateway can be learned.
b. Leave all other settings at the default value and click OK.
3. In the Route Redistribution Status panel, determine if a green check mark appears next to OSPF at the top of the page.
4. If a green check mark does not appear, change the redistribution setting.
a. On the right side of the Route Redistribution Status panel, click Edit.
b. In the Change redistribution settings dialog box, select the OSPF check box.
c. Click OK.
d. In the Route Redistribution Status panel, verify that a green check mark appears next to OSPF at the top of the page.
5. At the top of the page, click Publish Changes.

Task 5: Remove Static Route on the Distributed Router
You remove the static routes configured in an earlier lab in preparation to configure dynamic routing
by using the OSPF routing protocol.
1. At the top of the left navigation page, click the Networking & Security back arrow.
2. In the edge list, double-click the Distributed Router entry to manage that object.
3. In the middle pane, click the Manage tab and click Routing.
4. In the routing category panel, select Static Routes.
5. In the static routes list, select the static route created in the previous lab and click the red X to delete the entry.
6. Above the static routes list, click Publish Changes.

Task 6: Configure OSPF on the Distributed Router
You configure OSPF on the distributed router.
Use the following information from the class configuration handout:
Protocol IP address for the distributed logical router OSPF configuration
Forwarding IP address for distributed logical router OSPF configuration
1. In the routing category panel, select Global Configuration.
2. On the right side of the Dynamic Routing Configuration panel, click Edit.
3. In the Edit Dynamic Routing Configuration dialog box, select Transit-Interface - ip address from the Router ID drop-down menu.

This setting must be specified before OSPF can be configured.

4. Leave all other fields at the default value and click OK.

Do not select the Enable OSPF check box. For management purposes, OSPF can be enabled or
disabled in the Global Configuration page, after initially configuring it elsewhere. An error
message is displayed if OSPF is enabled in Global Configuration without first configuring the
OSPF parameters. This condition is unique to NSX Edge instances of type Distributed Router.
5. At the top of the Global Configuration page, click Publish Changes.
6. In the routing category panel, select OSPF.
7. On the right side of the OSPF Configuration panel, click Edit to open the OSPF Configuration dialog box.
a. Select the Enable OSPF check box.
b. Enter the Protocol IP address for the distributed logical router OSPF configuration in the Protocol Address text box.
c. Enter the Forwarding IP address for distributed logical router OSPF configuration in the Forwarding Address text box.
d. Click OK.
8. In the Area Definitions panel, click the green plus sign to open the New Area Definition dialog box.
a. Enter 829 in the Area ID text box.
b. Leave all other fields at the default value and click OK.
9. In the Area to Interface Mapping panel, click the green plus sign to open the New Area to Interface Mapping dialog box.
a. Verify that the Interface selection is Transit-Interface.
b. Select 829 from the Area drop-down menu.
c. Leave all other fields at default value and click OK.
10. At the top of the OSPF configuration page, click Publish Changes.
11. After the changes are published, verify that OSPF Configuration Status is Enabled.

Task 7: Redistribute Distributed Router Internal Subnets
You configure which type of subnets are advertised by the distributed router through OSPF.
1. In the routing category panel, select Route Redistribution.

2. In the Route Redistribution table, select the single entry that appears, click the pencil icon to open the Edit Redistribution criteria dialog box, and verify the following settings.
Prefix Name: Any
Learner Protocol: OSPF
Allow Learning From: Connected
Action: Permit
3. Click Cancel.

If the default route redistribution entry does not appear in the list or is not configured as
specified, you must create a new route redistribution by clicking the green plus sign and
configuring the criteria as specified in step 2.

Task 8: Troubleshoot Connectivity Between the Logical Switch Networks and the Management Network
You verify the OSPF configuration and troubleshoot connectivity between a logical switch network
that is connected to the distributed router and the Management network.
Use the following information from the class configuration handout:
IP address of web-sv-01a
Router ID for distributed logical router
Protocol IP address for the distributed logical router OSPF configuration
Forwarding IP address for distributed logical router OSPF configuration
Router ID for the perimeter gateway
1. Minimize the Internet Explorer window.
2. On the student desktop, run the following command in the Command Prompt window to test bidirectional connectivity between the Management Network and the Web-Tier logical switch network.
ping IP_address_of_web-sv-01a
3. Verify that ICMP echo replies are not received.
4. Leave the Command Prompt window open.
5. Restore the Internet Explorer window.

6. Verify the distributed router configuration.

If any option is incorrectly configured, you can correct the configuration.
a. In the routing category panel, select Global Configuration.
b. In the Dynamic Routing Configuration panel, verify that the following options are configured as shown.
Router ID: Router ID for distributed logical router
OSPF: Green check mark
c. In the routing category panel, select Static Routes.
d. In the static routes table, verify that no static routes are defined.
e. In the routing category panel, select OSPF.
f. In the OSPF Configuration panel, verify that the following options are set as specified.
Status: Enabled
Protocol Address: Protocol IP address for the distributed logical router OSPF
configuration
Forwarding Address: Forwarding IP address for distributed logical router OSPF
configuration
g. In the Area Definitions panel, verify that Area 829 is defined with Normal for Type and None for Authentication.
h. In the Area to Interface Mapping panel, verify that area 829 has been mapped to Transit-Interface.
i. In the routing category panel, select Route Redistribution.
j. In the Route Redistribution Status panel, verify that a green check mark appears next to OSPF.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.
Learner: OSPF
From: Connected
Prefix: Any
Action: Permit
7. In the left navigation pane, click the Networking & Security back arrow.
8. In the edge list, double-click the Perimeter Gateway entry to manage that object.
9. In the middle pane, click the Manage tab and click Routing.
10. Verify the perimeter gateway configuration.

If any option is incorrectly configured, you can correct the configuration.
a. In the routing category panel, select Global Configuration.
b. In the Dynamic Routing Configuration panel, verify that the following options are configured as shown.
Router ID: Router ID for the perimeter gateway
OSPF: Green check mark
c. In the routing category panel, select Static Routes.
d. In the static routes table, verify that no static routes are defined.
e. In the routing category panel, select OSPF.
f. At the top of the OSPF page, verify that the OSPF Status is Enabled.
g. In the Area Definitions panel, verify that Area 829 is defined with Normal for Type and None for Authentication.
h. In the Area to Interface Mapping panel, verify that area 829 is mapped to Transit-Interface.
i. In the routing category panel, select Route Redistribution.
j. In the Route Redistribution Status panel, verify that a green check mark appears next to OSPF.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.
Learner: OSPF
From: Connected
Prefix: Any
Action: Permit

Q1. Are the configuration settings for Distributed Router and perimeter gateway
exactly as specified in the preceding steps?
1. Yes

11. In the left navigation pane, click the Networking & Security back arrow.
12. In the edge list, double-click the Distributed Router entry.
13. In the middle pane, click the Manage tab and click Settings.

14. In the settings category panel, select Interfaces.

Q2. Are the logical switch networks, Web-Tier, App-Tier, and DB-Tier, connected to
Distributed Router interfaces?
2. Yes

15. On the Manage tab, click Routing.
16. In the routing category list, select Static Routes.
Q3. Is the absence of static routes on Distributed Router an issue (are there
subnets not directly connected that Distributed Router should advertise)?
3. No, only directly connected subnets must be advertised.

17. In the routing category panel, select Route Redistribution.

Q4. Is the configured Route Redistribution entry sufficiently configured so that
subnets known to the Distributed Router can be learned through OSPF?
4. Yes, Direct connected can be learned, which is sufficient.

18. In the left navigation pane, click the Networking & Security back arrow.
19. In the edge list, double-click the Perimeter Gateway entry to manage that object.
20. In the middle pane, click the Manage tab and click Settings.
21. In the settings category panel, select Interfaces.
Q5. Is the Management network attached to the perimeter gateway?
5. No

22. On the Manage tab, click Routing.
23. In the routing category panel, select Static Routes.
Q6. Is the Management network identified by a static route?
6. No

24. In the routing category panel, select Route Redistribution.

Q7. Is the current route redistribution configured to allow the learning of static
routes through OSPF?
7. No, Connected is the only selection. Static routes should be added.

Task 9: Resolve the Connectivity Issue
You configure the perimeter gateway with a static route to the Management network and configure
OSPF to advertise static routes.
Use the following information from the class configuration handout:
Student desktop/management network
Next hop IP address
IP address of web-sv-01a
IP address of app-sv-01a
IP address of db-sv-01a
1. In the routing category panel, select Static Routes.
2. Click the green plus sign to open the Add Static Route dialog box.
a. Select Uplink-Interface from the Interface drop-down menu.
b. Enter the student desktop/management network in the Network text box.
c. Enter the next hop IP address in the Next Hop text box.

This address is the address of the RAS router on the Production network.
d. Leave all other settings at default value and click OK.
3. Click Publish Changes.
4. In the routing category panel, select Route Redistribution.
5. In the Route Redistribution table, select the single entry that appears and click the pencil icon to open the Edit Redistribution criteria dialog box.
a. Under Allow learning from, select the Static Routes check box.
b. Click OK.
6. At the top of the Route Redistribution page, click Publish Changes.

The configuration change instructs the perimeter gateway to allow learning of both connected
subnets and static routes through OSPF. The distributed router receives a route to the
Management network from the perimeter gateway with a next hop of the perimeter gateway
interface on the transit network.
7. Minimize the Internet Explorer window.

8. On the student desktop, run the following command in the Command Prompt window to test bidirectional connectivity between the Management network and the Web-Tier logical switch network.
ping IP_address_of_web-sv-01a
9. Verify that ICMP echo replies are received.

If ICMP replies are not received, you must wait for 60 seconds and repeat step 8 until the ICMP
replies are received.
10. Run the following ping tests to verify connectivity between the Management network and the App-Tier and DB-Tier logical switch networks.


ping IP_address_of_app-sv-01a
ping IP_address_of_db-sv-01a
11. Leave the Command Prompt window open.
12. Restore the Internet Explorer window.

Task 10: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. In the left navigation pane, click the Networking & Security back arrow.
2. In the Internet Explorer window, leave the following tabs open.

vSphere Web Client


web-sv-01a
3. On the student desktop, leave the Command Prompt window open.


Lab 9

Configuring Equal Cost Multipathing

Objective: Configure ECMP to load balance traffic in the North-South direction
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Deploy an Additional NSX Edge Router
3. Configure Routing for Perimeter Gateway - ECMP Edge
4. Configure Static Route on Perimeter Gateway - ECMP Edge
5. Configure Route Redistribution for Perimeter Gateway - ECMP Edge
6. Verify the Relationship Between the Distributed Logical Router Routing Table and the Neighbor
7. Enable ECMP
8. Disable ECMP and Clean Up for the Next Lab

Lab 9 Configuring Equal Cost Multipathing

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, click the Command Prompt shortcut in the task bar.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your_site_name bookmark in the Internet Explorer window.


4. When prompted, log in with your vCenter Server administrator login account and enter the password VMware1!.

Task 2: Deploy an Additional NSX Edge Router


You configure and deploy an additional VMware NSX Edge services gateway to demonstrate the
Equal Cost Multipathing (ECMP) capability of the distributed logical router.
Use the following information from the class configuration handout:
Data center
Datastore
IP address for the Perimeter Gateway - ECMP Edge uplink
IP address for the Perimeter Gateway - ECMP Edge internal interface
IP address of the Edge default gateway
1. Point to the vSphere Web Client Home icon and click Networking & Security.
2. In the left navigation pane, select NSX Edges.
3. In the middle pane, click the green plus sign to open the New NSX Edge dialog box.
4. On the Name and description page, leave Edge Services Gateway selected.
5. Enter Perimeter Gateway - ECMP in the Name text box and click Next.


6. On the CLI credentials page, enter VMware1!VMware1! in the Password and Confirm password text boxes.


7. Select the Enable SSH access check box and click Next.
8. On the Configure deployment page, verify that your data center is selected.
9. Verify that the Appliance Size selection is Compact.
10. Under NSX Edge Appliances, click the green plus sign to open the Add NSX Edge Appliance dialog box.
a. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
b. Select your datastore from the Datastore drop-down menu.
c. Leave all other fields at default value and click OK.
11. Click Next.
12. On the Configure Interfaces page, click the green plus sign to open the Add NSX Edge Interface dialog box and configure the first of the two interfaces.
a. Enter Uplink-Interface in the Name text box.
b. For Type, leave UpLink selected.
c. Click the Connected To > Select link.
d. Click Distributed Portgroup.
e. Click Production and click OK.
f. Click the green plus sign.
g. Enter the IP address for the Perimeter Gateway - ECMP Edge uplink in the Primary IP Address text box.


h. Enter 24 in the Subnet prefix length text box.
i. Leave all other settings at default value and click OK.
13. Click the green plus sign to open the Add NSX Edge Interface dialog box and configure the second interface.
a. Enter Transit-Network in the Name text box.
b. For Type, click Internal.

c. Click the Connected To > Select link.


d. Click Transit-Network and click OK.
e. Click the green plus sign.


f. Enter the IP address for the Perimeter Gateway - ECMP Edge internal interface in the Primary IP Address text box.


g. Enter 27 in the Subnet prefix length text box.
h. Leave all other fields at default value and click OK.
14. Compare the interface configurations to the table.

Name              IP Address                                                           Subnet Prefix Length  Connected To
Uplink-Interface  IP address for the Perimeter Gateway - ECMP Edge uplink              24                    Production
Transit-Network   IP address for the Perimeter Gateway - ECMP Edge internal interface  27                    Transit-Network

15. If any interface is not configured correctly, select that entry and click the pencil icon to edit the entry.
16. Click Next.
17. On the Default gateway settings page, select the Configure Default Gateway check box.
18. Verify that the vNIC selection is Uplink-Interface.
19. Enter the IP address of the Edge default gateway in the Gateway IP text box.
20. Leave all other settings at default value and click Next.
21. On the Firewall and HA page, select the Configure Firewall default policy check box.
22. For the Default Traffic Policy, click Accept.

You must accept the default traffic policy before proceeding.


23. Leave all the other fields at the default values and click Next.
24. On the Ready to Complete page, review the configuration report and click Finish.
25. Above the edge list, monitor the deployment to completion.

The deployment is complete when 0 installations are active.


Task 3: Configure Routing for Perimeter Gateway - ECMP Edge


You configure OSPF routing and create a static route on the Perimeter Gateway - ECMP edge.
1. Double-click Perimeter Gateway - ECMP Edge in the middle pane.
2. Click Routing under the Manage tab.
3. In the routing categories list, select Global Configuration.
4. In the Dynamic Routing Configuration panel, click Edit to open the Edit Dynamic Routing Configuration dialog box.


a. Select Uplink-Interface - ip address from the Router ID drop-down menu.
b. Click OK.
c. At the top of the Global Configuration page, click Publish Changes.
5. In the routing category panel, select OSPF.
6. Click Edit for OSPF Configuration.
7. In the OSPF Configuration dialog box, select the Enable OSPF check box and click OK.
8. Click Publish Changes at the top of the OSPF page.
9. Above the Area Definitions list, click the green plus sign to open the New Area Definition dialog box.
a. Enter 829 in the Area ID text box.
b. Leave all other settings at the default value and click OK.
10. Under Area Interface Mapping, click the green plus sign at the bottom of the OSPF page to open the New Area to Interface Mapping dialog box.


a. Select Transit-Interface from the drop-down menu.
b. Select 829 from the Area drop-down menu.
c. Leave all other fields at the default value and click OK.
11. At the top of the OSPF page, click Publish Changes.

Task 4: Configure Static Route on Perimeter Gateway - ECMP Edge


You configure the Perimeter Gateway - ECMP edge with a static route to the Management network.
Use the following information from the class configuration handout:
Student desktop/management network
Next hop IP address


1. In the routing category panel, select Static Routes.


2. Click the green plus sign to open the Add Static Route dialog box.
a. Select Uplink-Interface from the Interface drop-down menu.
b. Enter the student desktop/management network in the Network text box.

This address is the management network address.


c. Enter the next hop IP address in the Next Hop text box.

This address is the address of the RAS router on the Production network.
d. Leave all other settings at default value and click OK.
3. Click Publish Changes.

Task 5: Configure Route Redistribution for Perimeter Gateway - ECMP Edge
You configure which type of subnets are advertised by Perimeter Gateway through OSPF.
1. In the routing category panel, select Route Redistribution.
2. Under the Route Redistribution table, click the green plus sign at the bottom of the page to open the New Redistribution criteria dialog box.


a. Under Allow learning from, select the Connected and Static routes check boxes.
b. Leave all other settings at the default value and click OK.
3. In the Route Redistribution Status panel, determine if a green check mark appears next to OSPF at the top of the page.


4. If a green check mark does not appear, change the redistribution setting.
a. On the right side of the Route Redistribution Status panel, click Edit.
b. In the Change redistribution settings dialog box, select the OSPF check box.
c. Click OK.
d. In the Route Redistribution Status panel, verify that a green check mark appears next to OSPF at the top of the page.


5. At the top of the page, click Publish Changes.


Task 6: Verify the Relationship Between the Distributed Logical Router Routing Table and the Neighbor
You verify the OSPF configuration and routing table on the distributed logical router.
Use the following information from the class configuration handout:
Your site name
1. Point to the vSphere Web Client Home icon and select Hosts and Clusters.
2. Expand the inventory and select the Distributed Router-your_site_name-0 VM.
3. Click Actions in the middle pane and select Open Console.
4. Log in to the Distributed Router VM with user name admin and password VMware1!VMware1!
5. Enter the show ip ospf neighbor command and verify that the logical router has formed adjacency with both the edge routers.


6. Enter the show ip route command to display the routing table.

The logical router adds only one edge router as the next hop to reach the management network.
ECMP is not enabled.

Task 7: Enable ECMP


You enable ECMP on the distributed logical router.
1. Click the vSphere Web Client - your_site_name tab in Internet Explorer.
2. Point to the vSphere Web Client Home icon and select Networking & Security.
3. Select NSX Edges in the Networking & Security navigation pane.
4. Double-click the Distributed Router instance in the middle pane.
5. Select Routing under the Manage tab.
6. Select Global Configuration.
7. Click Enable next to ECMP under Routing Configuration.
8. Click Publish Changes at the top of the Routing Configuration page.

9. Click the Distributed Router VM tab in Internet Explorer.

10. Enter the show ip route command to display the routing table.

An entry for each Edge router exists as the next hop towards the management network. The
distributed logical router can now use the two paths to distribute the load.
NOTE

You might need to wait for 30 seconds for the command to display the expected output.

Task 8: Disable ECMP and Clean Up for the Next Lab


You disable ECMP on the distributed logical router and prepare for the next lab.
1. Click the vSphere Web Client - your_site_name tab in Internet Explorer.
2. Click Disable next to ECMP under Routing Configuration.
3. Click Publish Changes at the top of the Routing Configuration page.
4. Click Networking and Security at the top corner in the left pane.
5. Select Perimeter Gateway - ECMP and click the red X to delete the additional Edge router.
6. Close the Distributed Router tab in Internet Explorer and leave the vSphere Web Client open.


Lab 10

Configuring L2 Bridging

Objective: Configure L2 bridging in the software


In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Create a Port Group on the Distributed Switch for L2 Bridging
3. Move web-sv-01a and web-sv-02a to the Host That Runs the Distributed Logical Router Control VM
4. Examine the Network Connectivity Between Web VMs and Resolve the Issue
5. Clean Up for the Next Lab

Lab 10 Configuring L2 Bridging

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
2. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
3. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
4. When prompted, log in with your vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a and web-sv-02a console tabs are not open, open the console tabs.


6. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
7. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
8. Select Open Console from the Actions drop-down menu.
9. If prompted to log in, log in as root and enter the password VMware1!.
10. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
11. Repeat steps 7 through 10 for web-sv-02a.
12. Point to the vSphere Web Client Home icon and click the Networking tab.

Task 2: Create a Port Group on the Distributed Switch for L2 Bridging


You create a port group that is used for setting up an L2 bridge.
1. In the left navigation pane, select vds-Datacenter.
2. In the middle pane, click Actions and select Distributed Port Group > New Distributed Port Group.
3. In the New Distributed Port Group window, enter L2PG in the Name text box and click Next.


4. On the Configure settings page, select VLAN from the VLAN type drop-down menu and enter 10 as the VLAN ID.


NOTE

In the lab environment, the physical network is not configured to support VLAN 10. You
use a dummy VLAN ID of 10 because setting up bridging requires the port group to be
configured with a VLAN ID.
5. Click Next.
6. Click Finish on the Ready to Complete page.
7. Point to the Home icon and click VMs and Templates.
8. Select the web-sv-02a VM from the left navigation pane and click Actions in the middle pane.
9. Click Edit Settings.
10. In the VM's Edit Settings dialog box, select the L2PG (vds-datacenter) port group from the Network Adapter 1 drop-down menu and click OK.

Task 3: Move web-sv-01a and web-sv-02a to the Host That Runs the
Distributed Logical Router Control VM
You move the web-sv-01a and web-sv-02a virtual machines to the VMware ESXi host running
the distributed logical router control VM. This task is not required in production environments. This
task is performed in the lab because the physical network is not configured to support VLAN 10.
1. Select the Distributed Router - your_site_name-0 VM from the left navigation pane.
2. Click the Summary tab in the middle pane and identify the ESXi host on which the Distributed Router-0 VM is running.
3. Select the web-sv-01a virtual machine in the left navigation pane.
4. Click Actions in the middle pane and select Migrate.
5. Select Change Compute resource only on the Select the migration type page.
6. Click Next.
7. Click the radio button next to the ESXi host where the Distributed Router - your_site_name-0 VM resides.
8. Click Next.
9. Click Next on the Select Network page.
10. Click Next on the Select vMotion priority page.


11. Click Finish.


12. Repeat steps 3 through 9 for web-sv-02a.
13. Point to the Home icon and select Networking & Security.

Task 4: Examine the Network Connectivity Between Web VMs and Resolve the Issue
You verify whether the Web VMs can communicate with each other and fix the issue if they cannot
communicate.
Use the following information from the class configuration handout:
IP address of web-sv-02a
1. Click the web-sv-01a VM tab in the Internet Explorer window.

You might need to reopen the VM's console.

2. In the web-sv-01a console, start a ping to the web-sv-02a VM.

ping IP_address_of_web-sv-02a
Q1. Does ping work?
1. No, because web-sv-01a is connected to a logical switch and web-sv-02a is connected to a
port group with VLAN ID 10. An L2 bridge is required to establish connectivity between the two
Web VMs.

3. Click the vSphere Web Client tab in the Internet Explorer window.


4. Select the NSX Edges link in the left navigation pane.
5. Double-click the Distributed Router instance in the middle pane.
6. Click Bridging in the Manage tab.
7. Click the green plus sign under bridging.
8. In the Add Bridge dialog box, enter L2Bridge in the Name row.
9. Click the Logical Switch icon in the Logical Switches row and select Web-Tier.
10. Click OK.
11. Click the network icon in the Distributed Port Group row and select L2PG.
12. Click OK.
13. Click OK.
14. Click Publish under the Manage tab.


15. Click the web-sv-01a VM tab in the Internet Explorer window.


16. Start a ping request to web-sv-02a.
Q2. Is the ping to web-sv-02a successful?
2. Yes. The L2 bridge created in the previous steps established layer 2 connectivity between the
two Web VMs.

Task 5: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. Click the vSphere Web Client tab in Internet Explorer.
2. Select the bridge instance and click the red X sign to delete the bridge instance.
3. Click Publish.
4. Point to the Home icon and select VMs and Templates.
5. Select the web-sv-02a VM in the left navigation pane and click Actions.
6. Click Edit Settings.
7. In the web-sv-02a Edit Settings dialog box, select the Web-Tier logical switch from the Network Adapter 1 drop-down menu.


8. Click OK.
9. Migrate the web-sv-01a and web-sv-02a virtual machines back to the Compute cluster.
10. Point to the Home icon and select Networking & Security.


Lab 11

Configuring and Testing Network Address Translation on an NSX Edge Services Gateway

Objective: Use destination NAT and source NAT rules to establish a one-to-one relationship between the IP address of a Web server on an internal subnet and an IP address in an externally accessible subnet
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Verify Nontranslated Packet Addressing
3. Configure an Additional IP Address on the Uplink Interface of the Perimeter Gateway
4. Configure a Destination NAT Rule
5. Use the Destination NAT Translation to Test Connectivity
6. Verify Nontranslated Packet Addressing Before Defining a Source NAT Rule
7. Configure a Source NAT Rule
8. Use the Source NAT Translation to Test Connectivity
9. Configure a Destination NAT Rule for web-sv-02a
10. Clean Up for the Next Lab
Lab 11 Configuring and Testing NAT on an NSX Edge Services Gateway

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client - your_site_name bookmark in the Internet Explorer window.


4. When prompted, log in with your vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the tab.
a. Point to the vSphere Web Client Home tab and click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
6. On the vSphere Web Client Home page, click Networking & Security.

Task 2: Verify Nontranslated Packet Addressing


You use the packet capture capabilities of VMware NSX Edge to verify source and destination
addressing of packets that are exchanged by the student desktop system and the web-sv-01a Web
server.
Use the following information from the class configuration handout:
IP address of the perimeter gateway
IP address of web-sv-01a
NAT IP address 1
Student desktop IP address

1. Minimize the Internet Explorer window.


2. On the student desktop, double-click the MTPuTTY shortcut.
3. In the MTPuTTY window, click Server and select Add server.

4. In the Properties pop-up window, enter the IP address of the perimeter gateway in the Server name text box.


5. Select SSH as the protocol.
6. Click OK.
7. Double-click the IP address that you added.
8. When prompted with a PuTTY Security Alert, click Yes.
9. Log in as admin and enter the password VMware1!VMware1!.
10. If you cannot log in because SSH access was not enabled during the deployment of the NSX Edge instance, or if the password was entered incorrectly, change the CLI credentials.
a. Restore the Internet Explorer window.
b. In the left navigation pane, select NSX Edges.
c. In the edge list, select the Perimeter Gateway - your_site_name entry and select Change CLI Credentials from the Actions drop-down menu.


d. In the Change CLI credentials dialog box, enter VMware1!VMware1! in the Password and Retype Password text boxes.


e. Verify that the Enable SSH Access check box is selected and click OK.
f. Restart this task by going back to step 1.
11. Run the following command to begin capturing HTTP traffic on the uplink interface.

All commands are case-sensitive.


debug packet display interface vNic_0 port_80
Include the port_80 filter as the last argument of the command. The last argument is the filter
expression. The filter expression must be expressed with underscore characters where spaces
might normally appear.
12. Leave the traffic capture running in the MTPuTTY window and restore the Internet Explorer window.
13. In the Internet Explorer window, open a new browser tab and go to http://IP_address_of_web-sv-01a to browse the web-sv-01a Web server.


14. After the Web page is displayed, go to http://NAT_IP_address_1 to verify that no response is received.
The NAT IP address 1 is the NAT address that you associate with the web-sv-01a virtual
machine.
15. After Internet Explorer reports that the page cannot be displayed, close the browser tab and minimize the Internet Explorer window.


16. In the MTPuTTY window, examine the packets that are captured to determine source and destination addressing format.


Packet addressing is always reported in the following format:
time protocol source-address : source-port > destination-address : destination-port
17. In the packet capture output, examine the addressing of each packet and verify that the following addresses are involved in the exchange.
Student desktop IP address
IP address of web-sv-01a
Q1. In the packet capture, do you observe any packets exchanged between the
student desktop system and the NAT IP address?
1. No

18. Leave the packet capture running in the MTPuTTY window.


19. Restore the Internet Explorer window.

Task 3: Configure an Additional IP Address on the Uplink Interface of the Perimeter Gateway
You configure a secondary IP address to the uplink interface of the NSX Edge Services Gateway.
This IP address is used for creating the NAT rule.
Use the following information from the class configuration handout:
NAT IP address 1
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Perimeter Gateway - your_site_name entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.


5. In the interfaces list, select the vNIC# 0 entry that is associated with Uplink-Interface and click the pencil icon.


6. In the Edit NSX Edge Interface dialog box, select the existing IP address and click the pencil icon.

7. Enter the NAT IP address 1 in the Secondary IP address text box.


8. Click OK to commit the interface changes.
9. In the interfaces list, verify that vNIC# 0 has two IP addresses configured.

Task 4: Configure a Destination NAT Rule


You create a destination NAT (DNAT) rule for translating the NAT IP address 1 to the IP address of
web-sv-01a. A DNAT rule can be assigned to any interface. You can assign destination NAT rules to
only the interface that receives the network traffic to be translated, such as the uplink interface.
Use the following information from the class configuration handout:
NAT IP address 1
IP address of web-sv-01a
1. Under the Manage tab, click NAT.
2. Above the NAT rules list, click the green plus sign and select Add DNAT Rule.
3. In the Add DNAT Rule dialog box, add the destination NAT rule.
a. Select Uplink-Interface from the Applied On drop-down menu.
b. Enter the NAT IP address 1 in the Original IP/Range text box.
c. Enter the IP address of web-sv-01a in the Translated IP/Range text box.

This address is the address of the web-sv-01a Web server virtual machine that is attached to
the Web-Tier logical switch network. The Web-Tier network is accessible from the
perimeter gateway through an OSPF-learned route that has a next hop of Application Edge
router on the transport network.
d. Select the Enabled check box.
e. Leave all other settings at the default value and click OK.
4. Above the NAT rules list, click Publish Changes.
5. Wait for the update to complete and verify that the new destination NAT rule appears in the list with a Rule Type of USER.


Task 5: Use the Destination NAT Translation to Test Connectivity


You verify whether the DNAT rule works as expected by using the packet display capability of the
NSX Edge Services Gateway command line.
Use the following information from the class configuration handout:
NAT IP address 1
Student desktop IP address
IP address of web-sv-01a
1. In the Internet Explorer window, open a new browser tab and go to http://NAT_IP_address_1 to browse the web-sv-01a Web server by using the destination NAT address.
2. After the Web page is displayed, keep the Web server tab open and minimize the Internet Explorer window.
3. In the MTPuTTY window, determine packet addressing and verify that the following two IP addresses are involved in the exchange.
Student desktop IP address
This address is the IP address of the ControlCenter.
NAT IP address 1
This address is the destination NAT original address. For packets sent to this address, the
destination was translated from NAT IP address 1 to web-sv-01a's IP address before being
forwarded by NSX Edge. For response packets sent from the Web server, the source
address was translated so that the packets appear as if originating from the destination NAT
address to maintain the integrity of the client-server connection.
4. Press Ctrl+C to stop the packet capture.
5. Run the following command to begin capturing packets on the Transit-Interface.

debug packet display interface vNic_1 port_80


6. Restore the Internet Explorer window and click the page refresh icon to reload the Web server page.
7. After the Web page is displayed, close the browser tab and minimize the Internet Explorer window.
8. In the MTPuTTY window, determine packet addressing and verify that the following two IP addresses are involved in the exchange.


Student desktop IP address


IP address of web-sv-01a
This address is the destination NAT translated address of the web-sv-01a Web server. The
packets captured on the transit network are forwarded from perimeter gateway to
distributed router with the destination address translated.

9. Press Ctrl+C to stop the packet capture and leave the MTPuTTY window open.
10. Review the tests performed so far in this lab.
Q1. If response traffic was not translated based on the destination NAT mapping,
what source address would the packets have when received by the student
desktop?
1. The nontranslated IP address of web-sv-01a.
Q2. For a TCP connection being established from student desktop to destination
NAT IP for web-sv-01a, would the student desktop associate response packets
from web-sv-01a with that connection?
2. No, regardless of any TCP flag sequencing or handshake condition that might be set, the IP
addresses do not match.

Task 6: Verify Nontranslated Packet Addressing Before Defining a Source NAT Rule
You verify the source and destination address of packets exchanged between the student desktop and
the web-sv-01a Web server virtual machine before applying a source NAT translation.
Use the following information from the class configuration handout:
Student desktop IP address
IP address of web-sv-01a
1. In the MTPuTTY window, run the following command to begin capturing ICMP packets on the uplink interface.
debug packet display interface vNic_0 icmp
2. Leave the packet capture running, restore the Internet Explorer window, and click the web-sv-01a console tab.


3. At the web-sv-01a command prompt, run the following command to ping the student desktop system.
ping student_desktop_IP_address
4. After at least one ICMP echo request and echo reply are reported, press Ctrl+C to stop the ping command.


5. Press Ctrl+Alt to release the mouse cursor and minimize the Internet Explorer window.
6. In the MTPuTTY window, determine the source and destination addressing and verify that the following two IP addresses are involved in the ICMP exchange.
Student desktop IP address
IP address of web-sv-01a
This address is the nontranslated IP address of the web-sv-01a Web server virtual machine.
The captured exchange shows that the web-sv-01a Web server IP address is unaffected by the
destination NAT rule when traffic is initiated from that address. The original web-sv-01a Web
server IP address is maintained as the packets leave perimeter gateway in transit to the student
desktop system.
7. Restore the Internet Explorer window and click the vSphere Web Client tab.

Task 7: Configure a Source NAT Rule


You create a source NAT (SNAT) rule to translate the IP address of web-sv-01a to NAT IP address 1
for outgoing connections. An SNAT rule can be assigned to any interface. You can assign SNAT
rules to the interface that connects to the translated network, but not to the interface that received the
original packet.
Use the following information from the class configuration handout:
IP address of web-sv-01a
NAT IP address 1
1. Above the NAT rules list, click the green plus sign and select Add SNAT Rule.
2. In the Add SNAT Rule dialog box, configure the original and the translated source IP address.
a. Select Uplink-Interface from the Applied On drop-down menu.
b. Enter the IP address of web-sv-01a in the Original Source IP/Range text box.
c. Enter the NAT IP address 1 in the Translated Source IP/Range text box.
This address is the translated source IP address.
d. Select the Enabled check box.
e. Leave all other fields at the default value and click OK.
3. Above the NAT rules list, click Publish Changes.

Task 8: Use the Source NAT Translation to Test Connectivity

Packets sent from the web-sv-01a Web server virtual machine appear as originating from the
perimeter gateway's external subnet.
Use the following information from the class configuration handout:
Student desktop IP address
NAT IP address 1
1. In the Internet Explorer window, select the web-sv-01a console tab.
2. At the web-sv-01a command prompt, run the following command to ping the student desktop
system.
ping student_desktop_IP_address
3. After at least one ICMP request and reply have been reported, press Ctrl+C to stop the ping
command.
4. Press Ctrl+Alt to release the mouse cursor and minimize the Internet Explorer window.
5. In the MTPuTTY window, determine source and destination addressing and verify that the
following two IP addresses are involved in the ICMP exchange.
Student desktop IP address
NAT IP address 1
This address is the translated IP address of the web-sv-01a Web server virtual machine.
6. Press Ctrl+C to stop the packet capture.
7. Restore the Internet Explorer window and click the vSphere Web Client tab.
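To make the rule behaviour observed in tasks 5, 6 and 8 concrete, the following Python model is added here (it is not VMware code) and replays the DNAT rule from task 4 and the SNAT rule from task 7 against the packets those captures show. The addresses, the interface name vNic_0 standing for Uplink-Interface, and the matching semantics (a rule applies only on its interface, DNAT to received packets, SNAT to sent packets, one rule per packet) are assumptions drawn from the lab text.

```python
# Added model (not VMware code) of the address rewrites produced by the NAT
# rules of this lab. Assumed semantics, taken from the lab text: a rule matches
# only on the interface it is applied on, a DNAT rule rewrites the destination
# of packets received on that interface, an SNAT rule rewrites the source of
# packets sent from it, and at most one rule is applied to any packet.
# All addresses are constructed placeholders for the handout values.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

STUDENT_DESKTOP = "192.168.110.10"  # placeholder: Student desktop IP address
WEB_SV_01A = "172.16.10.11"         # placeholder: IP address of web-sv-01a
NAT_IP_1 = "192.168.100.51"         # placeholder: NAT IP address 1
UPLINK = "vNic_0"                   # Uplink-Interface of the perimeter gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    interface: str  # interface the packet crosses
    direction: str  # "in": received on the interface, "out": sent from it


@dataclass(frozen=True)
class NatRule:
    rule_type: str   # "DNAT" or "SNAT"
    applied_on: str  # the "Applied On" interface
    original: str    # Original IP/Range
    translated: str  # Translated IP/Range
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or pkt.interface != self.applied_on:
            return False
        if self.rule_type == "DNAT":
            return pkt.direction == "in" and pkt.dst == self.original
        return pkt.direction == "out" and pkt.src == self.original

    def apply(self, pkt: Packet) -> Packet:
        if self.rule_type == "DNAT":
            return replace(pkt, dst=self.translated)
        return replace(pkt, src=self.translated)


def translate(rules: List[NatRule], pkt: Packet) -> Tuple[Packet, Optional[NatRule]]:
    """Apply the first matching rule only: a packet never passes two rules."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.apply(pkt), rule
    return pkt, None


DNAT_WEB01 = NatRule("DNAT", UPLINK, NAT_IP_1, WEB_SV_01A)  # task 4
SNAT_WEB01 = NatRule("SNAT", UPLINK, WEB_SV_01A, NAT_IP_1)  # task 7


def inbound_http_request() -> Packet:
    """Student desktop browsing to http://NAT_IP_address_1, received on the uplink."""
    return Packet(STUDENT_DESKTOP, NAT_IP_1, UPLINK, "in")


def outbound_ping() -> Packet:
    """web-sv-01a pinging the student desktop, leaving through the uplink."""
    return Packet(WEB_SV_01A, STUDENT_DESKTOP, UPLINK, "out")


def with_dnat_only(pkt: Packet) -> Packet:
    """Rule set after task 4 (tasks 5 and 6 observe this state)."""
    return translate([DNAT_WEB01], pkt)[0]


def with_dnat_and_snat(pkt: Packet) -> Packet:
    """Rule set after task 7 (task 8 observes this state)."""
    return translate([DNAT_WEB01, SNAT_WEB01], pkt)[0]


if __name__ == "__main__":
    # Task 5: a request to NAT IP 1 is delivered to web-sv-01a.
    print(with_dnat_only(inbound_http_request()))
    # Task 6: the DNAT rule leaves traffic that web-sv-01a originates untouched.
    print(with_dnat_only(outbound_ping()))
    # Task 8: with the SNAT rule, the same ping leaves the uplink as NAT IP 1.
    print(with_dnat_and_snat(outbound_ping()))
```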

Task 9: Configure a Destination NAT Rule for web-sv-02a


For upcoming labs, the internal IP address of both Web server virtual machines must be translated.
You configure a destination NAT rule for the web-sv-02a Web server virtual machine.
Use the following information from the class configuration handout:
NAT IP address 2
IP address of web-sv-02a
1. Perform task 3 to add another IP address to the uplink interface of the perimeter gateway.
a. Assign the NAT IP address 2.
You must use a comma to specify the second secondary IP address on the interface.
2. Perform task 4 to create a destination NAT rule on the perimeter gateway.
a. Use the following parameters.
Applied On: Uplink-Interface
Original IP/Range: NAT IP address 2
Translated IP/Range: IP address of web-sv-02a
Enabled: Select the check box.
Leave all other fields at the default value (undefined).
3. Test your configuration.
a. In the MTPuTTY window, run the following command to begin capturing HTTP traffic on
the uplink interface.
debug packet display interface vNic_0 port_80
b. In Internet Explorer, open a new browser tab and go to http://NAT_IP_address_2.
c. After the Web page opens, close the new browser tab.
d. In the MTPuTTY window, verify that the following two addresses are involved in the
HTTP exchange.
Student desktop IP address
NAT IP address 2
e. Press Ctrl+C to stop the packet capture.
NOTE
If the test does not produce the expected results, review your configuration carefully,
ensure that the destination NAT rule is enabled and is applied on the Uplink-Interface, and
try the test again. If the test continues to fail, you can ask your instructor for assistance.
Both destination NAT rules must be defined and working for upcoming labs.

Task 10: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. On the student desktop, leave the MTPuTTY window and the Command Prompt window open.
2. In the Internet Explorer window, click the vSphere Web Client tab.
3. At the top of the left navigation pane, click the Networking & Security back arrow.
4. In the Internet Explorer window, leave the following tabs open.
vSphere Web Client
web-sv-01a

Lab 12
Configuring Load Balancing with NSX Edge Gateway

Objective: Configure a round-robin load balancer to distribute traffic between two Web servers and
verify the round-robin operation by using traffic capture tools
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Verify the Lack of Connectivity
3. Add an IP Address to the Uplink Interface
4. Enable the Load Balancer Service and Configure an Application Profile
5. Create a Server Pool
6. Create a Virtual Server
7. Use the Packet Capture Capabilities of NSX Edge to Verify Round-Robin Load Balancing
8. Examine NAT Rule Changes
9. Migrate the Web-Tier Logical Switch to the Perimeter Gateway
10. Reposition the Virtual Server and Examine NAT Rule Changes
11. Use a Packet Capture to Verify Round-Robin Operation
12. Clean Up for the Next Lab

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the MTPuTTY window is not open on the student desktop, open the MTPuTTY window.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. In the MTPuTTY window, double-click the IP Address of the Perimeter Gateway saved
session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the
student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. On the vSphere Web Client Home tab, click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. On the vSphere Web Client Home tab, click Networking & Security.

Task 2: Verify the Lack of Connectivity

You open a Web browser and browse to the IP address to be assigned to the load balancer virtual
server.
Use the following information from the class configuration handout:
VIP 1 IP address
1. In the Internet Explorer window, open a new browser tab and go to https://VIP_1_IP_address.
2. Verify that the page does not open.
Internet Explorer shows a Server not found message.
3. Close the new browser tab and click the vSphere Web Client tab.

Task 3: Add an IP Address to the Uplink Interface

To use an IP address for network address translation (NAT) rules or a load balancer virtual server
that is not the default IP address assigned to a VMware NSX Edge interface, the IP address must
be explicitly added to the interface. The IP address must be explicitly configured so that the NSX
Edge appliance can receive incoming packets on that interface from the upstream device.
Use the following information from the class configuration handout:
NAT IP address 1
NAT IP address 2
VIP 1 IP address
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Perimeter Gateway - your_site_name entry to manage that
object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the vNIC# 0 interface and click the pencil icon.
6. In the Edit NSX Edge Interface dialog box, select the IP address entry in the Configure
Subnets section and click the pencil icon.
7. Enter the VIP 1 IP address in the Secondary IP address text box.
You must use a comma to separate the IP addresses.
8. Click OK to commit the interface changes.

9. In the interfaces list, find the vNIC #0 entry, click the Show All link in the IP address column,
and verify that the following addresses appear in the list.
Primary address of the interface
NAT address for web-sv-01a: NAT IP address 1
NAT address for web-sv-02a: NAT IP address 2
New address for the load balancer virtual server: VIP 1 IP address
10. Click OK to close the Assigned IP Addresses dialog box.

Task 4: Enable the Load Balancer Service and Configure an Application Profile

You enable the load balancer service and configure an application profile for HTTPS with SSL
passthrough.
1. Under the Manage tab, click Load Balancer.
2. In the load balancer category panel, select Global Configuration.
3. Click Edit on the right side of the global configuration page.
4. In the Edit load balancer global configuration page, select the Enable Load balancer check
box, leave all the other fields at the default value, and click OK.
5. In the load balancer category panel, select Application Profiles.
6. Above the top panel, click the green plus sign to open the New Profile dialog box.
a. Enter App-Profile in the Name text box.
b. Select HTTPS for Type.
c. Select the Enable SSL Passthrough check box.
d. Leave all the other fields at the default value and click OK.

Task 5: Create a Server Pool


You create a round-robin server pool that contains the two Web server virtual machines as members
providing HTTPS.
Use the following information from the class configuration handout:
IP address of web-sv-01a
IP address of web-sv-02a

1. In the load balancer category panel, select Pools.
2. Above the top panel, click the green plus sign to open the New Pool dialog box.
a. Enter Server-Pool in the Name text box.
b. Verify that the Algorithm selection is ROUND-ROBIN.
c. Verify that the Monitors selection is NONE.
d. Below Members, click the green plus sign to open the New Member dialog box and add the
first server.
Name: Enter Web-sv-01a in the text box.
IP Address: Enter the IP address of web-sv-01a in the text box.
Port: Enter 443 in the text box.
All other settings: Leave at the default value.
e. Click OK to close the New Member dialog box.
f. Under Members, click the green plus sign to open the New Member dialog box and add a
second server.
Name: Enter Web-sv-02a in the text box.
IP Address: Enter the IP address of web-sv-02a in the text box.
Port: Enter 443 in the text box.
All other settings: Leave at the default value.
g. Click OK to close the New Member dialog box.
h. Click OK to close the New Pool dialog box.

Task 6: Create a Virtual Server

The virtual server is positioned in a two-arm configuration on the external network that is attached
to the uplink interface of the perimeter gateway.
Use the following information from the class configuration handout:
VIP 1 IP address
1. In the load balancer category panel, select Virtual Servers.
2. Above the top panel, click the green plus sign to open the New Virtual Server dialog box.
a. Verify that the Enabled check box is selected.
b. Verify that the Application Profile selection is App-Profile.
c. Enter VIP in the Name text box.
d. Enter the VIP 1 IP address in the IP Address text box.
e. Select HTTPS from the Protocol drop-down menu.
f. Verify that the Port setting has changed to 443.
g. Select Server-Pool from the Default Pool drop-down menu.
h. Leave all other settings at default value and click OK.

Task 7: Use the Packet Capture Capabilities of NSX Edge to Verify Round-Robin Load Balancing

You monitor the HTTPS traffic that traverses the transit network to verify round-robin distribution
as the perimeter gateway assigns sessions to servers in the pool.
Use the following information from the class configuration handout:
VIP 1 IP address
1. Minimize the Internet Explorer window.
2. In the MTPuTTY window, run the following command to begin capturing SSL packets on the
transit interface.
debug packet display interface vNic_1 port_443
3. Leave the packet capture running and restore the Internet Explorer window.
4. In the Internet Explorer window, open a new browser tab and go to https://VIP_1_IP_address.
5. If Internet Explorer reports a certificate warning, click the Continue to this website (not
recommended) link.

6. Minimize the Internet Explorer window.
7. In the MTPuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP addresses.
The IP address of the Transit network interface of the perimeter gateway edge.
The IP address of one of the Web servers on the Web-Tier logical switch network.
8. Consider the packet exchange you examined.
Q1. Which extra operation is the perimeter gateway performing on packets that
leave the Transit network interface, on the way to the Web server virtual
machines?
1. NAT
Q2. Why is the perimeter gateway performing this extra operation instead of
maintaining the original source address of the student desktop system?
2. Because the load balancer is operating in nontransparent mode and proxying sessions
between itself and the Web servers on behalf of the original client.
Q3. What setting would you enable on the load balancer so that the original source
addresses are maintained?
3. Transparent mode

9. Leave the packet capture running.
10. Restore the Internet Explorer window and click the vSphere Web Client tab.
11. In the load balancer category panel, select Pools.
12. In the pool list, select pool-1 and click the pencil icon.
13. In the Edit Pool dialog box, select the Transparent check box at the bottom and click OK.
14. Open another tab in the Internet Explorer window and enter https://VIP_1_IP_address.
15. Minimize the Internet Explorer window.
16. In the MTPuTTY window, examine the captured packets to determine the source and
destination addressing, and verify that the exchange is between a combination of the following
IP addresses.
The address of the student desktop system. With transparent mode enabled, the original
source address has been maintained in packets forwarded to the Web server. Sessions are
still proxied by the perimeter gateway by using a different source port than the source port
that is used by the original client.
The address of one of the Web servers on the Web-Tier logical switch network.

17. On the student desktop, double-click the Firefox shortcut.
18. In Firefox, go to https://VIP_1_IP_address.
19. When Firefox reports a problem with the Web site security certificate, click the I understand
the Risks link.
20. Click Add Exception and click Confirm Security Exception.
21. Wait for the Web page to be displayed, which might take a few moments, and minimize the
Firefox window.
22. In the MTPuTTY window, examine the captured packets to determine the source and
destination addressing, and verify that the exchange is between a combination of the following
IP addresses.
The IP address of the student desktop system.
The IP address of one of the Web servers on the Web logical switch network. The address
that appears in the most recent capture should be the Web server that is not seen in the
previous capture.
23. Press Ctrl+C to stop the packet capture.
24. Restore the Internet Explorer window and click the vSphere Web Client tab.

Task 8: Examine NAT Rule Changes

An NSX Edge instance automatically defines NAT rules for various features to facilitate the
operation of those features.
1. Under the Manage tab, click NAT.
2. In the NAT rules list, find the destination NAT rule that has VIP 1 IP address in the Original IP
Address column and a blank Rule Type.
All other rules have a Rule Type of USER.
The blank rule type is an autogenerated destination NAT rule that the system created as part of
the virtual server configuration.
3. Examine the destination NAT rule.
4. Expand and examine the Original IP Address and Translated IP Address fields.
Q1. Is the original IP address being translated in any way by this rule?
1. No, the original and translated IP addresses are both the VIP 1 IP address.
Q2. Is the port range being translated in any way by this rule?
2. No

Q3. If this rule performs no apparent translation, why did the system define it?
3. To force the traffic into the NAT logic of the NSX Edge services gateway where a member
server can be selected and the actual destination NAT can be performed. Traffic received on the
virtual server IP address must undergo a destination NAT translation after the destination server
is selected from the pool, based on the configured load-balancing algorithm. Because server
selection is dynamic, the destination NAT rule triggers the destination NAT operation where
further logic can be applied.

Q4. Given that a virtual server uses a destination NAT rule to trigger member server
selection, do you think that a virtual server can operate normally using a pool
of member servers with IP addresses that are also defined by destination NAT
rules?
4. No, a virtual server cannot operate on a pool of destination NAT-defined addresses. Such
functionality would require recursive application of the NAT logic to each packet that is received.
The system is not designed to accommodate that type of operation. Only one NAT rule can be
applied to any packet received.
Q5. Which interface is the destination NAT rule applied on?
5. Uplink-Interface

Task 9: Migrate the Web-Tier Logical Switch to the Perimeter Gateway

You migrate the Web-Tier logical switch so that the network is connected directly to the perimeter
gateway. The load balancer virtual server is moved to the directly connected Web-Tier network to
show side-by-side operation of the load balancer.
Use the following information from the class configuration handout:
Web-Tier-Temp interface IP address
1. At the top of the left navigation pane, click the Networking & Security back arrow.
2. In the edge list, double-click the Distributed Router - your_site_name entry to manage that
object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the Web-Interface entry and click the disconnect icon.
6. Wait for the update to complete and verify that a disconnect icon appears in the Web-Interface
Status column.
7. At the top of the left navigation pane, click the Networking & Security back arrow.
8. In the edge list, double-click the Perimeter Gateway - your_site_name entry to manage that
object.
9. In the middle pane, click the Manage tab and click Settings.
10. In the settings category panel, select Interfaces.
11. Select the vNIC# 2 interface and click the pencil icon to open the Edit NSX Edge Interface
dialog box.
a. Enter Web-Tier-Temp in the Name text box.
b. Verify that the Type selection is Internal.
c. Click the Connected To > Select link.
d. Click Web-Tier and click OK.
e. Above the IP Address table, click the green plus sign to open the Add Subnet dialog box.
f. Enter the Web-Tier-Temp interface IP address in the Primary IP address text box.
The new interface that you are configuring on the perimeter gateway replaces the
distributed router interface that you disconnected in step 5 by using the same IP address.
g. Enter 24 in the Subnet Prefix Length text box.
h. Click OK to commit the interface changes.

Task 10: Reposition the Virtual Server and Examine NAT Rule Changes
The virtual server is repositioned to be on the same subnet as the pool members, in a one-armed
configuration.
Use the following information from the class configuration handout:
VIP 2 IP address
1. Under the Manage tab, click Load Balancer.
2. In the load balancer category panel, select Virtual Servers.
3. In the virtual servers list, select the single virtual server that is defined and click the pencil icon.
4. In the Edit Virtual Server dialog box, change the IP Address field to the VIP 2 IP address and
click OK.
For this example, the primary IP address of an interface is used for the virtual server.
5. Under the Manage tab, click NAT.
6. In the NAT rules list, find the destination NAT rule that has VIP 2 IP address in the Original IP
Address column.
Q1. Has the system autoremoved the destination NAT rule for the old virtual server
IP address of original VIP 1 IP address?
1. Yes
Q2. Is the new rule translating the original IP address or port in any way?
2. No

Q3. Based on the virtual server destination NAT rules that you have examined so
far, is there any difference in the actual operation performed by NSX Edge on
traffic to be sent to a member server?
3. No, the operations are the same.

7. Examine each of the new destination NAT rule columns carefully, thinking back to the previous
destination NAT rule that you examined when the virtual server was positioned on the
Uplink-Interface network.
Q4. Other than a primary interface IP address being used as the virtual server IP
address in this example, what is the primary difference between the two
positions in terms of traffic flow and sequence of operations on the edge when
traffic is received, transformed, and subsequently sent to a member server?
4. The destination NAT translation occurs on the outbound interface. In this case, vNic_2 facing
the network that the member servers are attached to. The previous destination NAT rule was
applied on the receiving interface because destination NAT rules must be applied on the interface
connected to the network that contains the original IP address to be translated, regardless of
ingress or egress.

Task 11: Use a Packet Capture to Verify Round-Robin Operation

You use the same techniques learned so far to verify proxy mode operation.
Use the following information from the class configuration handout:
VIP 2 IP address
Student desktop IP address
1. Minimize the Internet Explorer window.
2. In the MTPuTTY window, run the following command to begin capturing SSL packets on the
Web-Tier-Temp interface.
debug packet display interface vNic_2 port_443
3. Leave the packet capture running and restore the Internet Explorer window.
4. In the Internet Explorer window, open another tab and go to https://VIP_2_IP_address.
While you performed the interim tasks in this activity, after the Web-Tier logical switch was
migrated, the OSPF routing table updated automatically, so both the perimeter gateway and the
distributed router are aware of the new network location.
5. When Internet Explorer reports a problem with the Web site's certificate, click the Continue to
this website (not recommended) link.
6. After the Web page is displayed, close the browser tab used to browse the Web page and
minimize the Internet Explorer window.
7. In the MTPuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP addresses.
The IP address of the student desktop.
The address of one of the Web servers on the Web logical switch network.
8. Leave the packet capture running.
9. Restore the Firefox window and go to https://VIP_2_IP_address.
10. When Firefox reports a problem with the Web site security certificate, click the I understand
the Risks link.
11. Click Add Exception and click Confirm Security Exception.
12. Wait for the Web page to be displayed, which might take a few moments, and close the Firefox
window.
13. In the MTPuTTY window, examine the captured packets and verify that the exchange is
between a combination of the following IP addresses.
Student desktop IP address
At this point, the load balancer is still set to transparent mode, so the source that you
should be looking for is the student desktop where the request originates.
IP address of one of the Web servers
The address that appears in the capture should be the Web server not seen in the previous
capture.
14. Press Ctrl+C to stop the packet capture.
15. Restore the Internet Explorer window and, if not already active, click the vSphere Web Client
tab.
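The by-eye checks in tasks 7 and 11 (which address pairs appear, whether the client address survives in transparent mode, and whether successive sessions alternate between the two Web servers) can be scripted over saved capture output; the following Python helper is added here and is not VMware code. It assumes the debug packet display lines are in tcpdump style, and the capture lines, client, transit and pool addresses it embeds are constructed placeholders for the handout values.

```python
# Added helper (not VMware code): checks, on saved output of the NSX Edge
# "debug packet display" capture, what Lab 12 tasks 7 and 11 ask you to verify
# by eye. The capture format is assumed to be tcpdump style; adjust LINE_RE if
# your saved output differs. All addresses and lines below are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"IP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?:"
    r"(?: Flags \[([^\]]*)\])?"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str  # tcpdump TCP flags such as "S", "S.", "."; "" for ICMP


def parse_capture(text: str) -> List[Pkt]:
    """Parse tcpdump-style lines; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        pkts.append(Pkt(src, int(sport) if sport else None,
                        dst, int(dport) if dport else None, flags or ""))
    return pkts


def endpoints(pkts: List[Pkt]) -> Set[str]:
    """Every IP address seen as source or destination."""
    return {p.src for p in pkts} | {p.dst for p in pkts}


def is_exchange_between(pkts: List[Pkt], a: str, b: str) -> bool:
    """True when only a and b appear and packets flow in both directions."""
    if not pkts or endpoints(pkts) != {a, b}:
        return False
    directions = {(p.src, p.dst) for p in pkts}
    return (a, b) in directions and (b, a) in directions


def session_servers(pkts: List[Pkt]) -> List[Tuple[str, str]]:
    """(source, server) of each new TCP session, taken from bare SYNs in order."""
    return [(p.src, p.dst) for p in pkts if p.flags == "S"]


def verify_round_robin(pkts: List[Pkt], pool: Set[str]) -> Tuple[bool, List[str]]:
    """True when every new session went to a pool member, consecutive sessions went
    to different members, and (once there are enough sessions) all members were used.
    The member sequence is returned as well so the reader can see the rotation."""
    servers = [dst for _, dst in session_servers(pkts)]
    if not servers or not set(servers) <= pool:
        return False, servers
    alternates = all(x != y for x, y in zip(servers, servers[1:]))
    covers = len(servers) < len(pool) or set(servers) == pool
    return alternates and covers, servers


def source_mode(pkts: List[Pkt], client_ip: str, transit_ip: str) -> str:
    """'transparent' if new sessions reach the pool with the client's address,
    'proxy' if they carry the edge's transit interface address (task 7, Q2 and Q3)."""
    sources = {src for src, _ in session_servers(pkts)}
    if sources == {client_ip}:
        return "transparent"
    if sources == {transit_ip}:
        return "proxy"
    return "mixed or unknown"


# Constructed sample: two HTTPS sessions seen on the Web-Tier-Temp interface with
# transparent mode enabled. Addresses are placeholders for the handout values.
STUDENT = "192.168.110.10"
TRANSIT = "192.168.10.1"
POOL = {"172.16.10.11", "172.16.10.12"}
SAMPLE_CAPTURE = """\
10:01:02.000100 IP 192.168.110.10.51000 > 172.16.10.11.443: Flags [S], seq 10, win 8192, length 0
10:01:02.000300 IP 172.16.10.11.443 > 192.168.110.10.51000: Flags [S.], seq 20, ack 11, win 29200, length 0
10:01:02.000500 IP 192.168.110.10.51000 > 172.16.10.11.443: Flags [.], ack 21, win 8192, length 0
10:01:41.000100 IP 192.168.110.10.51001 > 172.16.10.12.443: Flags [S], seq 30, win 8192, length 0
10:01:41.000300 IP 172.16.10.12.443 > 192.168.110.10.51001: Flags [S.], seq 40, ack 31, win 29200, length 0
10:01:41.000500 IP 192.168.110.10.51001 > 172.16.10.12.443: Flags [.], ack 41, win 8192, length 0
"""

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    ok, order = verify_round_robin(pkts, POOL)
    print("round-robin:", ok, order)
    print("source mode:", source_mode(pkts, STUDENT, TRANSIT))
```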

Task 12: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. On the student desktop, leave the MTPuTTY window and the Command Prompt window open.
2. In the vSphere Web Client, click the Networking & Security back arrow.
3. In the Internet Explorer window, leave the following tabs open.
vSphere Web Client
web-sv-01a

Lab 13
Advanced Load Balancing

Objective: Configure a load balancer to provide SSL security for a Web site
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Generate a Certificate
3. Modify the Existing Load Balancer
4. Capture Network Traffic at the Perimeter Gateway
5. Migrate the Web-Tier Logical Switch Back to the Distributed Router
6. Clean Up for the Next Lab

This lab requires that you complete the previous lab (Configuring Load Balancing with NSX Edge
Gateway). If you did not perform the previous lab, ask your instructor for guidance.

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop.
2. If the MTPuTTY window is not open on the student desktop, open the MTPuTTY window.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. In the MTPuTTY window, double-click the IP Address of Edge Services GW.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin using the VMware1!VMware1! password.
3. If the Internet Explorer window has been closed, double-click the Internet Explorer icon on
the student desktop.
4. If you are not logged in to the vSphere Web Client, open the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name
bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the
password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console
tab.
a. Point to the vSphere Web Client Home icon and click the VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root using the VMware1! password.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. On the vSphere Web Client Home tab, click the Networking & Security icon.

Task 2: Generate a Certificate

You generate a certificate request and instruct the VMware NSX Edge instance to create a self-signed
certificate from that request.
Use the following information from the class configuration handout:
VIP 2 IP address
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Perimeter Gateway - your_site_name entry to manage that
object.
3. Click the Manage tab and click Settings.
4. In the settings category panel, select Certificates.
5. Select Generate CSR from the Actions drop-down menu to open the Generate CSR dialog
box.
a. Enter the VIP 2 IP address in the Common Name text box.
b. Enter ABC Medical in the Organization Name text box.
c. Enter NSBU in the Organization Unit text box.
d. Enter Palo Alto in the Locality text box.
e. Enter CA in the State text box.
f. Select United States (US) in the Country field.
g. Verify that RSA is the selected Message Algorithm.
h. Verify that 2048 is the selected Key Size.
i. Leave all other settings at default value and click OK.
6. In the certificate list, select the newly generated signing request and select Self Sign Certificate
from the Actions drop-down menu.
7. When prompted, enter 365 in the Number of days text box and click OK.

Task 3: Modify the Existing Load Balancer

You update the application profile to include the self-signed certificate, and update the server pool to
use HTTP instead of HTTPS. For this lab, the Web server is treated as not having its own certificate.
The self-signed certificate is used instead for communication between clients and the virtual
server. Communication between the virtual server and the member servers uses HTTP.
Use the following information from the class configuration handout:
VIP 2 IP address
1. On the Manage tab, click the Load Balancer button.
2. In the load balancer category panel, select Application Profiles.
3. Select the single application profile that is listed and click the pencil icon.
4. In the Edit Profile dialog box, select the service certificate.
a. Deselect the Enable SSL Passthrough check box.
b. At the bottom of the dialog box, click Configure Service Certificate and leave the VIP 2
IP address selected in the certificate list.
c. Leave all other settings at the default value and click OK.
5. In the load balancer category panel, select Pools.
6. Select the single pool that appears and click the pencil icon.
7. In the Edit Pool dialog box, update each member server that is listed.
a. Select the member server and click the pencil icon.
b. In the Edit Member dialog box, change both the Port and the Monitor Port to 80 and
click OK.
You must ensure that both member servers are updated.
8. Click OK to close the Edit Pool dialog box.

Task 4: Capture Network Traffic at the Perimeter Gateway


You examine two different packet captures. A packet capture on the uplink interface is examined to
verify the SSL communication between clients and the virtual server. A packet capture on the transit
network is examined to verify round-robin operation.
Use the following information from the class configuration handout:
VIP 2 IP address
1. Minimize the Internet Explorer window.
2. In the MTPuTTY window, begin capturing SSL traffic on the uplink interface by running the following command.
debug packet display interface vNic_0 port_443
3. Leave the packet capture running and position the window so that you remember that it contains the uplink capture.



4. Double-click the perimeter gateway IP address in the MTPuTTY application.
Another PuTTY session to the perimeter gateway is started.
5. Log in as admin and enter the VMware1!VMware1! password.
6. In the new PuTTY window, begin capturing HTTP traffic on the web-tier-temp interface by running the following command.
debug packet display interface vNic_2 port_80
The two packet captures show the load balancer virtual server receiving SSL traffic and
connecting to a pool member server using HTTP.
7. On the student desktop, open a new tab in the Internet Explorer application.
You must ensure that you use Internet Explorer for the following tests.
8. In the Internet Explorer window, go to https://VIP_2_IP_address.


9. When Internet Explorer reports a problem with the Web site's security certificate, click the Continue to this website (not recommended) link.
The Web site security message might appear after a minute. After you click the continue link, the Web page might be displayed after a minute.
10. Minimize the Internet Explorer window.
11. Select the MTPuTTY window that contains the uplink interface capture.
12. In the MTPuTTY window, examine the captured packets and verify that the exchange is between a combination of the following IP addresses.
The IP address of the student desktop system.
The virtual IP (vIP) address of the load balancer in the one-arm configuration (VIP 2 IP Address).
13. Press Ctrl+C to stop the traffic capture.
14. Select the PuTTY window that contains the transit interface capture.
15. In the PuTTY window, examine the captured packets and verify that the exchange is between a combination of the following IP addresses.
The IP address of the student system that is maintained in transparent mode.
The IP address of one of the Web servers on the Web-Tier logical switch.
16. Restore the Internet Explorer window.
17. Close the Internet Explorer tab.
18. Keep the original MTPuTTY window open.
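The checks in steps 12 and 15 can be automated once each capture is saved to a text file. The following Python script is an added example, not part of the lab manual or of the NSX product. It parses constructed tcpdump-style lines (the line format is assumed to match what debug packet display prints), confirms that the uplink capture holds only client-to-VIP traffic on TCP/443, that the transit capture holds only client-to-pool-member traffic on TCP/80 (the client address is preserved because the one-arm load balancer runs in transparent mode), and that successive new connections alternate between the two pool members, which is what round-robin looks like on the wire. The addresses are placeholders for the student desktop, VIP 2, and the two Web servers.

```python
import re

# Constructed placeholder addresses standing in for the class handout values
# (student desktop, VIP 2 IP address, the two Web-Tier pool members).
STUDENT_DESKTOP = "192.168.110.10"
VIP_2 = "192.168.100.6"
POOL_MEMBERS = {"172.16.10.11", "172.16.10.12"}

# Constructed sample captures in the tcpdump-style line format that the NSX Edge
# "debug packet display" command prints (format assumed for this example).
UPLINK_CAPTURE = """\
10:01:01.000001 IP 192.168.110.10.51000 > 192.168.100.6.443: Flags [S], seq 1, length 0
10:01:01.000200 IP 192.168.100.6.443 > 192.168.110.10.51000: Flags [S.], seq 1, ack 2, length 0
10:01:01.000400 IP 192.168.110.10.51000 > 192.168.100.6.443: Flags [P.], seq 2:200, ack 2, length 198
10:01:01.000800 IP 192.168.100.6.443 > 192.168.110.10.51000: Flags [P.], seq 2:1400, ack 200, length 1398
"""

TRANSIT_CAPTURE = """\
10:01:01.001000 IP 192.168.110.10.52000 > 172.16.10.11.80: Flags [S], seq 1, length 0
10:01:01.001200 IP 172.16.10.11.80 > 192.168.110.10.52000: Flags [S.], seq 1, ack 2, length 0
10:01:02.001000 IP 192.168.110.10.52001 > 172.16.10.12.80: Flags [S], seq 1, length 0
10:01:02.001200 IP 172.16.10.12.80 > 192.168.110.10.52001: Flags [S.], seq 1, ack 2, length 0
10:01:03.001000 IP 192.168.110.10.52002 > 172.16.10.11.80: Flags [S], seq 1, length 0
10:01:03.001200 IP 172.16.10.11.80 > 192.168.110.10.52002: Flags [S.], seq 1, ack 2, length 0
"""

# "IP <src>.<sport> > <dst>.<dport>:"; the greedy \S+ backtracks to the last dot,
# which separates the port from the dotted-quad address.
PACKET_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_packets(capture):
    """Return a list of (src_ip, src_port, dst_ip, dst_port) tuples."""
    packets = []
    for line in capture.splitlines():
        m = PACKET_RE.search(line)
        if m:
            packets.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return packets


def verify_ssl_leg(capture, client_ip, vip):
    """True if every uplink packet is between the client and the VIP and the
    VIP side of each packet is TCP/443 (no cleartext HTTP on the uplink)."""
    packets = parse_packets(capture)
    if not packets:
        return False
    for src, sport, dst, dport in packets:
        if {src, dst} != {client_ip, vip}:
            return False
        if (dport if dst == vip else sport) != 443:
            return False
    return True


def verify_http_leg(capture, client_ip, members):
    """True if every transit packet is between the client and a pool member on
    TCP/80. In transparent mode the load balancer keeps the client's source
    address, so the members see the student desktop IP rather than the VIP."""
    packets = parse_packets(capture)
    if not packets:
        return False
    for src, sport, dst, dport in packets:
        if src == client_ip and dst in members:
            member_port = dport
        elif dst == client_ip and src in members:
            member_port = sport
        else:
            return False
        if member_port != 80:
            return False
    return True


def connection_order(capture, members):
    """Pool member chosen for each new connection, taken from the initial SYN
    (tcpdump prints it as 'Flags [S],'; the SYN-ACK shows 'Flags [S.],')."""
    order = []
    for line in capture.splitlines():
        m = PACKET_RE.search(line)
        if m and "Flags [S]," in line and m.group(3) in members:
            order.append(m.group(3))
    return order


def is_round_robin(order):
    """True when no two consecutive new connections land on the same member."""
    return len(order) > 1 and all(a != b for a, b in zip(order, order[1:]))


if __name__ == "__main__":
    print("uplink leg is client<->VIP on 443:", verify_ssl_leg(UPLINK_CAPTURE, STUDENT_DESKTOP, VIP_2))
    print("transit leg is client<->member on 80:", verify_http_leg(TRANSIT_CAPTURE, STUDENT_DESKTOP, POOL_MEMBERS))
    order = connection_order(TRANSIT_CAPTURE, POOL_MEMBERS)
    print("member order:", order, "round-robin:", is_round_robin(order))
```

Running the transit capture through verify_ssl_leg returns False, which is the expected result: the member-facing leg is cleartext HTTP, so the Web-Tier-Temp transit network sits inside the trust boundary that the TLS termination on the VIP establishes. Both checks together document that TLS ends at the virtual server and that nothing encrypted is expected behind it.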

Task 5: Migrate the Web-Tier Logical Switch Back to the Distributed Router
You must restore the lab environment to its original state by migrating the Web-Tier logical switch
back to the distributed router. Later labs fail if the configuration is not restored.
1. In the load balancer category panel, select Virtual Servers.
2. Select the single virtual server that is listed and click the pencil icon to open the Edit Virtual Server dialog box.
a. Change the IP address field to VIP 1 IP address.
The virtual server IP address must be moved back to the uplink network because the Web-Tier logical switch is migrated back to the distributed router.
b. Click OK.
3. Under the Manage tab, click Settings.
4. In the settings category panel, select Interfaces.
5. In the interface list, select the Web-Tier-Temp interface and click the disconnect icon.
6. Wait for the update to complete and verify that a disconnect icon appears in the Web-Tier-Temp Status column.
7. Select the Web-Tier-Temp interface, click the red X to delete the interface and click OK when prompted to confirm.
You must ensure that you delete the correct interface.
8. Wait for the update to complete and verify that vNIC# 2 has been reset.
9. At the top of the left navigation pane, click the Networking & Security left arrow button.
10. In the edge list, double-click the Distributed Router entry to manage that object.
11. In the settings category panel, select Interfaces.
12. In the interface list, select the Web-Interface interface entry and click the green check mark icon to reattach the logical switch.
13. Wait for the update to complete and verify that a green check mark icon appears in the Web-Interface Status column.

Task 6: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. On the student desktop, leave the MTPuTTY window and the Command Prompt window open.
2. In the vSphere Web Client, click the Networking & Security back arrow.

3. In the Internet Explorer window, leave the following tabs open.
vSphere Web Client
web-sv-01a


Lab 14
Configuring NSX Edge High Availability

Objective: Configure high availability and use the NSX Edge command line to determine the current high availability status and view heartbeat traffic
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Configure NSX Edge High Availability
3. Examine the High Availability Service Status and Heartbeat
4. Force a Failover Condition
5. Restore the Failed Node
6. Clean Up for the Next Lab


Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the MTPuTTY window is not open on the student desktop, open the MTPuTTY window.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. In the MTPuTTY window, double-click Perimeter Gateway IP Address.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. On the vSphere Web Client Home tab, click the VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. On the vSphere Web Client Home tab, click the Networking & Security icon.


Task 2: Configure NSX Edge High Availability


You configure the perimeter gateway for high availability.
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Perimeter Gateway - your_site_name entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the Settings category list, select Configuration.
5. On the Configuration page, in the HA Configuration panel, determine the current high availability status of the edge.
The status is Disabled.
6. In the HA Configuration panel, click the Change link to configure and enable high availability.
7. In the Change HA configuration dialog box, configure the settings.
a. Click Enable.
b. In the two text boxes for configuring Management IPs, enter the following IP addresses in Classless Inter-Domain Routing (CIDR) format.
192.168.222.1/30
192.168.222.2/30
c. Leave all the remaining settings at the default value and click OK.
8. Wait for the high availability configuration update to finish and verify that the HA status in the HA Configuration panel is Enabled.
9. Point to the vSphere Web Client Home icon and click Hosts and Clusters.
10. Expand the Hosts and Clusters inventory tree so that the Management and Edge Cluster inventory is shown.
11. In the Management and Edge Cluster inventory, find all virtual machines with names starting with Perimeter Gateway.
12. Select each perimeter gateway virtual machine and review the Summary tab.
Q1. How many instances of the perimeter gateway did you find?
1. Two
Q2. Which host is Perimeter Gateway-0 running on?
2. Any of the ESXi hosts in the Management and Edge Cluster.
Q3. Which host is Perimeter Gateway-1 running on?
3. Any of the ESXi hosts in the Management and Edge Cluster, but on a different host than the other node.
Q4. Are the NSX Edge instances running on different hosts?
4. Yes, by default, high availability peer nodes are maintained on different hosts.

13. Remain in the Hosts and Clusters inventory.

Task 3: Examine the High Availability Service Status and Heartbeat


You use command-line tools to query the high availability service status and examine the heartbeat
network traffic.
1. Minimize the Internet Explorer window.
2. In the MTPuTTY window, run the following command to show the status of the high availability service.
show service highavailability
3. Examine the command output.

This command uses the generic vshield-edge name for the VMware NSX Edge instances.
Refer to the trailing -0 or -1 to associate what the command is showing with the perimeter
gateway nodes. The active node name is shown as the value of highavailability Unit Name.
Q1. Which of the perimeter gateway nodes is active?
1. Perimeter Gateway-0 is active. This node should be the same for all students at this stage.
Q2. Are both peer nodes in good health?
2. Yes, as denoted in the Peer Host list.
Q3. Are the file synchronization and connection synchronization services
necessary for failover running?
3. Yes, both services are shown as running.
NOTE
Based on the sequence of actions taken so far, the active node should be the vshield-edge-2-0 (Perimeter Gateway-0) node. Remember which node was listed as active; you will cause a failover in the next task.


4. At the command prompt, run the following command to display high availability heartbeat packets captured on the transit network interface.
debug packet display interface vNic_1 net_192.168.222.0_mask_255.255.255.252
This command displays high availability heartbeat packets that are captured on the transit network interface.
5. Examine the exchange and verify that the two high availability nodes are actively communicating status to each other.
You should see packets exchanged between the following IP addresses.
192.168.222.1
192.168.222.2
6. Keep the traffic capture running and restore the Internet Explorer window.

Task 4: Force a Failover Condition

You power off the high availability active node to force a failover to the standby node.
1. In the Hosts and Clusters inventory tree, select Perimeter Gateway-0, or whichever of the two perimeter gateway nodes was listed as active in the preceding task.
2. Select Shut Down Guest OS from the Actions drop-down menu and click Yes when prompted to confirm.
3. Monitor the appliance shutdown until the task shows as complete in the recent tasks pane and a running indicator icon no longer appears on the virtual machine in the cluster inventory.
4. Minimize the Internet Explorer window.
5. Click OK to dismiss the MTPuTTY alert and close the MTPuTTY window.
The SSH session to the perimeter gateway is terminated because the virtual machine is shut down.
6. In the MTPuTTY application, double-click the Perimeter Gateway IP Address.
7. Log in as admin and enter the password VMware1!VMware1!.
8. Run the following command to show the status of the high availability service.
show service highavailability

9. Examine the command output.

The active node name is shown as the value of highavailability Unit Name.
Q1. Which of the perimeter gateway nodes is active?
1. Perimeter Gateway-1 is active. This node should be the same for all students at this stage.
Q2. Are both peer nodes in good health?
2. No, vshield-edge-#-0 is unreachable.
Q3. Are services necessary for failover running, specifically file synchronization
and connection synchronization?
3. Yes, both services show as running.
Q4. Has a failover occurred?
4. Yes, from Perimeter Gateway-0 to Perimeter Gateway-1.

10. At the command prompt, run the following command to display high availability heartbeat packets captured on the transit network interface.
debug packet display interface vNic_1 net_192.168.222.0_mask_255.255.255.252
This command displays high availability heartbeat packets captured on the transit network interface.
11. Examine the packet exchange and verify that only the active node is communicating heartbeat information and is receiving no replies from the peer node.
12. Keep the traffic capture running and restore the Internet Explorer window.
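The judgement you make by eye in step 5 of Task 3 (both nodes exchanging heartbeats) and in step 11 above (only the surviving node still sending) can be expressed as a small liveness check. The following Python script is an added example and is not part of the lab or of NSX. It assumes tcpdump-style capture lines like those debug packet display prints, uses a placeholder UDP port and packet length for the heartbeat (the real heartbeat protocol details are not on the page), and treats a node as silent once its last packet is older than an assumed 15-second declare-dead window; adjust that constant to the Declare Dead Time set in your HA configuration. The 192.168.222.1 and 192.168.222.2 addresses are the management IPs configured in Task 2.

```python
import re
from datetime import datetime, timedelta

# The two HA management IPs configured in Task 2 (from the lab).
NODE_0 = "192.168.222.1"
NODE_1 = "192.168.222.2"

# Assumed threshold: a node whose last heartbeat is older than this, relative to
# the newest packet in the capture, is reported silent. Placeholder value; set it
# to the Declare Dead Time configured on the edge.
DECLARE_DEAD = timedelta(seconds=15)

# Constructed sample captures in the tcpdump-style format of "debug packet display".
# UDP port 694 and the packet length are placeholders, not the real heartbeat format.
HEALTHY_CAPTURE = """\
12:00:00.000000 IP 192.168.222.1.694 > 192.168.222.2.694: UDP, length 88
12:00:00.100000 IP 192.168.222.2.694 > 192.168.222.1.694: UDP, length 88
12:00:01.000000 IP 192.168.222.1.694 > 192.168.222.2.694: UDP, length 88
12:00:01.100000 IP 192.168.222.2.694 > 192.168.222.1.694: UDP, length 88
"""

# After Perimeter Gateway-0 is shut down: only node 1 keeps sending heartbeats.
FAILOVER_CAPTURE = """\
12:05:00.000000 IP 192.168.222.1.694 > 192.168.222.2.694: UDP, length 88
12:05:00.100000 IP 192.168.222.2.694 > 192.168.222.1.694: UDP, length 88
12:05:05.000000 IP 192.168.222.2.694 > 192.168.222.1.694: UDP, length 88
12:05:10.000000 IP 192.168.222.2.694 > 192.168.222.1.694: UDP, length 88
12:05:20.000000 IP 192.168.222.2.694 > 192.168.222.1.694: UDP, length 88
"""

# "<hh:mm:ss.usec> IP <src>.<port> > <dst>.<port>:" (greedy \S+ backtracks to the
# last dot so the port is split off the dotted-quad address).
HEARTBEAT_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.\d+ > (\S+)\.\d+:")


def last_heartbeat(capture):
    """Map each sender address to the timestamp of its last packet in the capture."""
    seen = {}
    for line in capture.splitlines():
        m = HEARTBEAT_RE.match(line)
        if m:
            seen[m.group(2)] = datetime.strptime(m.group(1), "%H:%M:%S.%f")
    return seen


def assess_pair(capture, node_a, node_b, dead_after=DECLARE_DEAD):
    """Return (state, silent_nodes).

    state is 'both-alive' when each node sent a heartbeat within dead_after of
    the newest packet, 'peer-silent' when at least one did not, and
    'no-heartbeat' when the capture contains no heartbeat lines at all."""
    seen = last_heartbeat(capture)
    if not seen:
        return "no-heartbeat", [node_a, node_b]
    newest = max(seen.values())
    silent = [n for n in (node_a, node_b)
              if n not in seen or newest - seen[n] > dead_after]
    if not silent:
        return "both-alive", []
    return "peer-silent", silent


if __name__ == "__main__":
    print("Task 3 capture:", assess_pair(HEALTHY_CAPTURE, NODE_0, NODE_1))
    print("Task 4 capture:", assess_pair(FAILOVER_CAPTURE, NODE_0, NODE_1))
```

Two points the check makes visible. First, a node that stopped sending less than the threshold ago is still reported alive, which mirrors how the HA service itself waits out the declare-dead interval before acting; passing a longer window to assess_pair for the failover capture turns the verdict back to both-alive. Second, the capture alone cannot tell active from standby, since both nodes send heartbeats while healthy; the show service highavailability output from step 9 remains the authority on which unit is active.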

Task 5: Restore the Failed Node


You power on the stopped node to restore the high availability pair and use command-line tools to
examine changes in the high availability service configuration.
1. In the Hosts and Clusters inventory, verify that the shut-down high availability node is still selected and select Power On from the Actions menu.
2. Minimize the Internet Explorer window.
3. In the MTPuTTY window, monitor the packet capture until you observe both nodes communicating heartbeat information again.
4. Press Ctrl+C to stop the packet capture.


5. Run the following command to show the status of the high availability service.
show service highavailability
6. Examine the command output.
The active node name is shown as the value of highavailability Unit Name.
Q1. Which of the perimeter gateway nodes is active?
1. Perimeter Gateway-1 is active. This node should be the same for all students at this stage.
Q2. Are both peer nodes in good health?
2. Yes
Q3. Are services necessary for failover running, specifically file synchronization and connection synchronization?
3. Yes, both services show as running.
Q4. Has a failback occurred?
4. No, the failover node remains active and the restored node assumes standby status.

Task 6: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. Leave the MTPuTTY window open.
2. Leave the Command Prompt window open.
3. Restore the Internet Explorer window, point to the vSphere Web Client Home icon, and select Networking.
4. In the Internet Explorer window, leave the following tabs open.
vSphere Web Client
web-sv-01a


Lab 15
Configuring Layer 2 VPN Tunnel

Objective: Configure a Layer 2 VPN tunnel between two NSX Edge services gateway appliances
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Create a Port Group on the Distributed Switch for the Sink Port
3. Create a Trunk Interface for the Perimeter Gateway
4. Configure the Perimeter Gateway as an L2VPN Server
5. Prepare the Remote Site for Setting Up an L2VPN Tunnel
6. Create an NSX Edge Gateway at the Remote Site
7. Create a Logical Switch and Attach the Switch to the Remote Gateway
8. Configure the Remote Gateway as an L2VPN Client
9. Update the web-sv-02a Web Server at the Remote Site
10. Test Tunnel Connectivity
11. Clean Up for the Next Lab


Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the MTPuTTY window is not open on the student desktop, open the MTPuTTY window.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. In the MTPuTTY window, double-click the Perimeter Gateway - your_site_name IP address.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - Your Site Name bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. On the vSphere Web Client Home tab, click VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Point to the vSphere Web Client Home icon and click Networking.


Task 2: Create a Port Group on the Distributed Switch for the Sink Port
You create a port group on the distributed switch for the sink interface used by the L2VPN feature.
1. Expand the inventory tree and select vds-datacenter.
2. In the middle pane, click Actions and select Distributed Port Group > New Distributed Port

Group.
3. Enter L2VPN-Trunk in the Name text box in the New Distributed Port Group window.
4. Click Next.
5. Leave the default settings on the Configure Settings page and click Next.
6. Click Finish on the Ready to complete page.

Task 3: Create a Trunk Interface for the Perimeter Gateway


You create a trunk interface on the perimeter gateway for the L2VPN feature. You must remove the Web-Tier logical switch from the distributed logical router so that you can connect the Web-Tier logical switch as a subinterface on the perimeter gateway.
Use the following information from the class configuration handout:
IP address of Subint-to-Web-Tier for the L2VPN client edge
1. Point to the Home icon of the vSphere Web Client and select Networking & Security.
2. Click NSX Edges in the left navigation pane.


3. Double-click the Distributed Router - your_site_name.
4. Click Settings under the Manage tab.
5. Click Interfaces link under Settings.
6. Select the Web-Tier interface and click the red X at the top.
7. Click OK in the Delete Configuration window.
8. Click the back arrow next to Networking & Security in the left navigation pane.
9. Double-click Perimeter Gateway - your_site_name in the middle pane.
10. Click the Settings tab under the Manage tab.
11. Click Interfaces under the Settings tab.
12. In the interfaces list, select the vnic2 row and click the pencil icon at the top.
13. Enter L2VPN Trunk in the Name text box in the Edit NSX Edge Interface window.
14. Select Trunk from the Type drop-down menu.

15. For Connected To, click the Select link.


16. Click the Distributed Portgroup tab in the Connect NSX Edge to a Network window.
17. Select L2VPN-Trunk and click OK.
18. Click the plus sign under the Sub Interfaces section.
19. Enter Subint-to-Web-Tier in the Name text box in the Add Sub Interface window.
20. Enter 10 in the Tunnel Id text box.
21. Leave Network selected for Backing Type.
22. Click the Select link for Network and select the Web-Tier logical switch.
23. Click OK.
24. Click the plus sign in the Configure Subnets section.
25. Enter the IP address of Subint-to-Web-Tier for the L2VPN client edge in the Primary IP Address text box.
26. Enter 24 in the Subnet Prefix Length text box.
27. Click OK.
28. Click OK.

Task 4: Configure the Perimeter Gateway as an L2VPN Server


You configure the L2VPN server service on the perimeter gateway.
1. Verify that the Perimeter Gateway - your_site_name is selected in the left navigation pane.
2. Click the VPN tab under the Manage tab.
3. Select L2VPN in the middle pane.
4. Click the Enable button for L2VPN Service Status.

You must not click Publish Changes yet.


5. Click Server for L2VPN mode.
6. Click Change for Global Configuration Details.
a. Leave Listener IP as your perimeter gateway's primary IP.
b. Leave Listener Port as 443.
c. Select AES128-SHA for Encryption Algorithm.
d. Leave Use System Generated Certificate selected under the Certificate Details section.
7. Click OK.

8. Click the green plus sign in the Site Configuration Details section.
9. Select the Enable Peer Site check box.
10. Enter L2VPN-your_site_name in the Name text box.
11. Enter vpnuser as the user ID.
12. Enter VMware1! as the password and confirm the password.
13. Click Select Sub Interfaces for Stretched Interfaces.
14. Select Subint-to-Web-Tier in the Available Objects section.
15. Click the blue right arrow.
16. Click OK.
17. Click OK in the Add Peer Site window.
18. Click Publish Changes at the top.
19. Verify that the L2VPN service status is Enabled.

Task 5: Prepare the Remote Site for Setting Up an L2VPN Tunnel


You create a port group on the distributed switch at the remote site for setting up L2VPN connectivity.
Use the following information from the class configuration handout:
Your remote site
Remote site vCenter Server administrator login account
1. Open a tab in the Internet Explorer application and click the vSphere Web Client - your_remote_site shortcut.
You are logged in to the remote site Web client with your cached credentials. To log in to the remote site with the remote site account, do one of the following:
Click the user, log out, and log in again with the remote site vCenter Server administrator login account.
Use a different browser.
2. Log in with the remote site vCenter Server administrator login account and enter the password VMware1!.
3. Click the Networking icon on the Home page.
4. Expand the inventory in the left navigation pane and select vds-datacenter.


5. Click Actions in the middle pane and select Distributed Port Group > New Distributed Port Group.
6. Enter L2VPN-RemoteSiteTrunk in the Name text box in the New Distributed Port Group window.
7. Click Next.
8. Leave the default setting in the Configure Settings page and click Next.
9. Click Finish.

Task 6: Create an NSX Edge Gateway at the Remote Site


You add a VMware NSX Edge gateway at the remote site for setting up L2VPN connectivity between the local and remote sites.
Use the following information from the class configuration handout:
Datastore to use at remote site
L2VPN client edge Uplink-Interface IP
L2VPN client edge gateway IP
1. Point to the vSphere Web Client Home icon and select Networking & Security.
2. Select NSX Edges in the left navigation pane.
3. Click the green plus sign in the middle pane to create an NSX Edge instance.
4. Enter Remote Gateway in the Name text box and leave all the other default settings.
5. Click Next.
6. Enter VMware1!VMware1! as the password and confirm the password.
7. Select the Enable SSH Access check box.
8. Click Next.
9. Click the green plus sign in the NSX Edge Appliance section.
10. Select Management and Edge from the Cluster/Resource Pool drop-down menu.
11. Click the datastore to use at remote site for Datastore.
12. Click OK.
13. Click Next on the Configure deployment page.
14. Click the green plus sign in the Configure interfaces window.
15. Enter Uplink-Interface in the Name text box.


16. Leave Uplink selected for Type.


17. Click the Select link for Connected To.
18. Click the Distributed Portgroup tab and select Production.
19. Click OK.
20. Click the green plus sign in the Configure subnets section.
21. Enter the L2VPN client edge Uplink-Interface IP in the Primary IP Address text box.
22. Enter 24 in the Subnet prefix length text box.
23. Click OK in the Add NSX Edge Interface window.
24. Click Next in the Configure Interfaces window.
25. Enter the L2VPN client edge gateway IP in the Gateway IP text box on the Default gateway settings page.
26. Leave all other settings at default and click Next.
27. Select the Configure Firewall default policy check box on the Firewall and HA page.
28. Click Accept for Default Traffic Policy.
29. Leave all settings at default and click Next.
30. Click Finish on the Ready to complete page.


31. Monitor the progress until the NSX Edge deployment is complete.

Task 7: Create a Logical Switch and Attach the Switch to the Remote Gateway
You create a logical switch and attach it to the new remote gateway.
Use the following information from the class configuration handout:
IP address of Subint-to-Web-Tier for the L2VPN client edge
1. Click Logical Switches in the left navigation pane.
2. Click the green plus sign in the middle pane.
3. Enter L2VPN in the Name text box in the New Logical Switch window.
4. Click the Change link for Transport Zone.
5. Select Local Transport Zone and click OK.
6. Leave all settings at default and click OK.
7. Select NSX Edges in the left navigation pane.

8. Double-click Remote Gateway in the middle pane.


9. Click the Settings tab under the Manage tab.
10. Click the Interfaces link on the Settings tab.
11. Click vnic1 in the list of interfaces and click the pencil icon at the top.
12. Enter L2VPN Trunk - Client in the Name text box in the Edit NSX Edge interface window.
13. Select Trunk from the Type drop-down menu.
14. Click the Select link for Connected To.
15. Click the Distributed Portgroup tab in the Connect NSX Edge to a Network window.
16. Select L2VPN-RemoteSiteTrunk and click OK.
17. Click the green plus sign in the Sub Interfaces section.
18. Enter Subint-to-Web-Tier in the Name text box in the Add Sub Interface window.
19. Enter 10 in the Tunnel Id text box.
20. Leave Network selected for Backing Type.
21. Click the Select link for Network, select L2VPN, and click OK.
22. Click the green plus sign in the Configure Subnets section.
23. Enter the IP address of Subint-to-Web-Tier for the L2VPN client edge in the Primary IP Address text box.
24. Enter 24 in the Subnet Prefix Length text box.
24. Enter 24 in the Subnet Prefix Length text box.
25. Click OK in the Add Sub Interface window.
26. Click OK in the Edit NSX Edge Interface window.

Task 8: Configure the Remote Gateway as an L2VPN Client


You configure the remote gateway as an L2VPN client.
Use the following information from the class configuration handout:
L2VPN server listener IP
1. Confirm that Remote Gateway is selected in the left navigation pane.
2. Under the Manage tab, click VPN.
3. In the VPN category list, select L2VPN.
4. On the L2VPN configuration page, click Client next to L2VPN Mode.

5. Click Change to open the Client Settings dialog box.


a. Enter the L2VPN server listener IP in the Server Address text box.
b. Verify that the listener port is 443.
c. Select AES128-SHA from the Encryption Algorithm list.
d. Click the Select Sub Interfaces link, click the Subint-to-Web-Tier object, and click the blue right arrow.


e. Click OK.
f. In the User Details section, enter vpnuser in the User Id text box.
g. Enter VMware1! in the Password text box.
h. Enter VMware1! in the Re-Type Password text box.
i. Click OK.
6. Click Enable.
7. Click Publish Changes.
8. Wait for the update to complete and verify that the L2VPN service status appears as Enabled.
9. At the bottom of the L2VPN configuration page, click Fetch Status and expand the Tunnel Status section.
10. Verify that the tunnel Status is Up.
a. If the tunnel status is Down, wait a minute and click Fetch Status.
b. If the tunnel remains down, review the lab and verify that you made all configuration changes correctly.

Task 9: Update the web-sv-02a Web Server at the Remote Site


You change the networking configuration on web-sv-02a located in the remote site inventory.
Use the following information from the class configuration handout:
web-sv-02a IP address at the remote site
web-sv-02a default gateway at the remote site
Your remote site


1. Point to the Home icon of the vSphere Web Client and click the VMs and Templates icon.
2. In the inventory pane, select Discovered virtual machine > web-sv-02a and select Open Console from the Actions drop-down menu.
3. Click Continue to this website (not recommended) if prompted with a certificate-related warning.
It might take a minute for the console window to initialize.
4. Point to the console window, wait until the pointer becomes a hand icon, click anywhere in the console window, and press Enter.


5. If prompted to log in, log in as root and enter the VMware1! password.
6. At the web-sv-02a command prompt, run the following command to change the IP address of the web-sv-02a virtual machine.
ifconfig eth1 web-sv-02a_IP_address_at_the_remote_site netmask 255.255.255.0
7. Run the following command to change the default gateway used by the virtual machine.
route add default gw web-sv-02a_default_gateway_at_the_remote_site eth1
8. Run the following command to verify that the IP address is assigned.
ifconfig
9. Click the vSphere Web Client - your_remote_site tab in the Internet Explorer window.

Task 10: Test Tunnel Connectivity


You perform connectivity tests to determine the functional state of the L2VPN tunnel.
1. In the inventory pane, select Discovered virtual machine > web-sv-02a.
2. Click Actions in the middle pane and select the Edit Settings link.
3. Select the L2VPN logical switch from the Network Adapter 1 drop-down menu.
CAUTION

You must select the L2VPN logical switch and not the port group. If you do not see the L2VPN
logical switch in the drop-down menu, click Show more networks, expand the Name column,
and select the L2VPN logical switch.
4. Click OK twice.
5. In the Internet Explorer window, select the tab for the web-sv-02a VM.


6. At the web-sv-02a command prompt, run the following command to view the network interface configuration.
ifconfig
7. Record the eth0 hardware (HWaddr) address. __________
8. At the command prompt, ping the web-sv-01a VM on the Web-Tier logical switch of your VMware vCenter Server.
ping web-sv-01a_IP_address
Internet Control Message Protocol (ICMP) echo replies are received.
a. Leave the ping command running.
b. If ICMP echo replies are not received, press Ctrl+C to stop the ping command, wait for one minute, and repeat step 8.


9. Press Ctrl+Alt to release the pointer.
10. In the Internet Explorer window, select the web-sv-01a console tab.
11. Consider the following configuration.

A Layer 2 tunnel connects two NSX Edge gateways and extends the Web-Tier logical switch
network. You have initiated a continuous ping from the Web server on the branch gateway side
of the tunnel to the Web server on the perimeter gateway side of the tunnel.

Q1. If you capture traffic on the web-sv-01a virtual machine, on the perimeter gateway side of the tunnel, what is the source IP address that the incoming ping packets would have?
1. The address of the web-sv-02a virtual machine.
Q2. What is the source hardware (MAC) address that the frames would have?
2. The MAC address of web-sv-02a because the tunnel wraps Layer 2 traffic and when
decapsulated, the hardware address is preserved.

12. At the web-sv-01a command prompt, examine the Address Resolution Protocol (ARP) table.

arp -a
13. In the ARP table output, find the hardware address and the IP address of the web-sv-02a virtual machine.
Q3. Is the hardware address the same that you recorded in step 7?
3. Yes


Q4. Is this what you expected to see? If not, why?
4. Yes, tunnel decapsulation ensures original source MAC/IP address.

The hardware address for web-sv-02a is preserved when the tunnel traffic is decapsulated by the
perimeter gateway. Because this is a Layer 2 tunnel, response frames sent to that MAC address
are intercepted for encapsulation back to the sending node. This tunnel differs from an IPsec
tunnel, for example, where you might see the source IP with the hardware address of the
gateway interface that faces the destination.
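The comparison in steps 7 and 13, and the distinction explained above, can be scripted. The following Python is an added example, not part of the lab manual: it parses ifconfig and arp -a output in the Linux net-tools format the lab's web servers print, and reports whether web-sv-01a resolved web-sv-02a to the VM's own hardware address (Layer 2 extension) or to a gateway address (routed path). All MAC and IP values are constructed.

```python
import re
from typing import Dict

# Constructed sample output in the Linux net-tools format used by the lab's web servers.
# The MAC and IP values are made up for this example.
WEB_SV_02A_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:b2:c3
          inet addr:172.16.10.12  Bcast:172.16.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# arp -a on web-sv-01a while the ping from web-sv-02a runs over the Layer 2 VPN tunnel:
# the entry carries web-sv-02a's own hardware address (constructed).
ARP_L2VPN = """\
web-sv-02a (172.16.10.12) at 00:50:56:a1:b2:c3 [ether] on eth0
? (172.16.10.1) at 00:50:56:00:00:01 [ether] on eth0
"""

# The contrast the lab text draws for a routed (for example IPsec) path: the peer IP resolves
# to the hardware address of the gateway interface facing web-sv-01a (constructed).
ARP_ROUTED = """\
web-sv-02a (172.16.10.12) at 00:50:56:00:00:01 [ether] on eth0
? (172.16.10.1) at 00:50:56:00:00:01 [ether] on eth0
"""

HWADDR_RE = re.compile(r"^(\S+)\s+Link encap:\S+\s+HWaddr\s+([0-9a-f:]{17})", re.I | re.M)
ARP_RE = re.compile(r"^\S+ \(([\d.]+)\) at ([0-9a-f:]{17}) \[ether\] on (\S+)", re.I | re.M)


def interface_macs(ifconfig_output: str) -> Dict[str, str]:
    """Map interface name -> MAC from ifconfig output (what step 7 has you record)."""
    return {name: mac.lower() for name, mac in HWADDR_RE.findall(ifconfig_output)}


def arp_table(arp_output: str) -> Dict[str, str]:
    """Map IP -> MAC from arp -a output (what step 12 has you examine)."""
    return {ip: mac.lower() for ip, mac, _iface in ARP_RE.findall(arp_output)}


def classify_path(arp_output: str, peer_ip: str, peer_mac: str) -> str:
    """Answer Q3/Q4 by comparing the ARP entry for the peer with its recorded MAC.

    'layer2-extended': the peer's own MAC appears, as over the L2VPN tunnel.
    'routed':          the peer IP resolves to some other MAC (a gateway answered).
    'no-entry':        the peer is not in the table (off-subnet peer, or no traffic yet).
    """
    entry = arp_table(arp_output).get(peer_ip)
    if entry is None:
        return "no-entry"
    return "layer2-extended" if entry == peer_mac.lower() else "routed"


def run_lab_check() -> Dict[str, str]:
    """Reproduce the lab's comparison for both scenarios."""
    peer_mac = interface_macs(WEB_SV_02A_IFCONFIG)["eth0"]
    return {
        "l2vpn": classify_path(ARP_L2VPN, "172.16.10.12", peer_mac),
        "routed": classify_path(ARP_ROUTED, "172.16.10.12", peer_mac),
    }


if __name__ == "__main__":
    for scenario, verdict in run_lab_check().items():
        print(f"{scenario}: {verdict}")
```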

Task 11: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. Leave the MTPuTTY window open.
2. Leave the Command Prompt window open.
3. Restore the Internet Explorer window.
4. In the web-sv-02a console tab, press Ctrl+C to stop the ping command.
5. Press Ctrl+Alt to release the pointer and click the vSphere Web Client - your_site_name tab.
6. In the Internet Explorer window, leave the following tabs open for the next lab.
   vSphere Web Client - your_site_name
   vSphere Web Client - your_remote_site
   Console to web-sv-01a
   Console to web-sv-02a

Lab 16
Configuring IPsec Tunnels

Objective: Configure, test, and troubleshoot an IPsec tunnel designed to connect the HQ and Branch sites
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Prepare the Perimeter Gateway for IPsec Tunneling
3. Configure Perimeter Gateway as an IPsec Tunnel Endpoint
4. Prepare the Remote Gateway for IPsec Tunneling
5. Update the web-sv-02a Web Server in the Remote Site vCenter Server Inventory
6. Configure Remote Gateway as an IPsec Tunnel Endpoint
7. Test VPN Tunnel Connectivity
8. Disable IPSec on the Perimeter Gateway and Enable OSPF
9. Clean Up for the Next Lab

Task 1: Prepare for the Lab

You perform these actions to prepare for the lab if you have closed windows or logged out of the VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your remote site
Your vCenter Server administrator login account
Remote site vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the MTPuTTY window is not open on the student desktop, open the MTPuTTY window.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. In the MTPuTTY window, double-click the Perimeter Gateway -your_site_name entry.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
4. If you are not logged in to the local vSphere Web Client, log in to the local vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. If you are not logged in to the remote site vSphere Web Client, log in to the remote site vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_remote_site bookmark.
b. When prompted, log in with your remote site VMware vCenter Server administrator login account and enter the password VMware1!.
   You might be logged in with cached credentials. You must log in with the remote site vCenter Server administrator account.
7. In the remote site vCenter Server inventory window, if the web-sv-02a console tab is not open, open the console tab.
a. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-02a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.

Task 2: Prepare the Perimeter Gateway for IPsec Tunneling


You perform the necessary configuration changes to enable IPsec tunneling on the perimeter
gateway.
Use the following information from the class configuration handout:
Workload VM network
IP address of the distributed router uplink interface
1. Click the vSphere Web Client - your_site_name tab in Internet Explorer.
2. Point to the Web Client Home icon and click Networking & Security.
3. In the left navigation pane, select NSX Edges.
4. In the edge list, double-click the Perimeter Gateway - your_site_name entry to manage that object.
5. In the middle pane, click the Manage tab and click VPN.
6. In the VPN category panel, select L2VPN.
7. In the L2VPN status panel, click Delete Configuration and click Yes when prompted to confirm.
8. Wait for the update to complete and verify that the L2VPN configuration has been reset and the service status is Disabled.
   It might take up to a minute for the update to complete.
9. Under the Manage tab, click Routing.
10. In the routing category panel, select OSPF.
11. In the OSPF Configuration panel, click Edit.
12. In the Edit Configuration dialog box, deselect the Enable OSPF check box and click OK.

The perimeter gateway is configured as an IPsec tunnel endpoint exposing the Web-Tier network. The networks that are exposed by an IPsec tunnel endpoint must either be direct-attached subnets or subnets reachable through static routing. You cannot expose subnets that are only reachable through a dynamic routing update from OSPF or one of the other supported routing protocols.
13. Click Publish Changes and wait for the update to complete.
14. In the routing category panel, select Static Routes.
15. Click the green plus sign to open the Add Static Route dialog box.
a. Select Transit-Interface from the Interface drop-down menu.
b. Enter the workload VM network in the Network text box.
c. Enter the IP address of the distributed router uplink interface in the Next Hop text box.

This address is the interface address of the distributed router on the Transit network.
d. Click OK.
16. Click Publish Changes and wait for the update to complete.

Task 3: Configure Perimeter Gateway as an IPsec Tunnel Endpoint


You configure the perimeter gateway as an IPsec virtual private network (VPN) tunnel endpoint that
provides tunnel-based access to the Web-Tier network.
Use the following information from the class configuration handout:
IP address of the perimeter gateway
Local subnet
IP address of the remote gateway
Remote subnet

1. Under the Manage tab, click VPN.
2. In the VPN category panel, select IPSec VPN.
3. Above the tunnel endpoint list, click the green plus symbol icon to open the Add IPSec VPN dialog box.
a. Verify that the Enabled check box is selected.
b. Enter Local-Remote in the Name text box.
c. Enter Local in the Local Id text box.
d. Enter the IP address of the perimeter gateway in the Local Endpoint text box.

This address is the same address that identified the perimeter gateway as an L2VPN server
in the previous lab.
e. Enter the local subnet in the Local Subnets text box.

Spaces are not allowed in the local subnets specification. You must enter the specification
exactly as shown.
f. Enter Remote in the Peer Id text box.
g. Enter the IP address of the remote gateway in the Peer Endpoint text box.
h. Enter the remote subnet in the Peer Subnets text box.
i. Leave AES selected for Encryption Algorithm.
j. Leave PSK selected.
k. Enter VMware1! in the Pre-Shared key text box.
l. Select the Display shared key check box and verify that the shared key is exactly VMware1!.
m. Leave all remaining settings at the default value and click OK.
4. In the top status panel, click Enable.
5. Click Publish Changes and wait for the update to complete.
6. In the status panel, verify that the IPSec VPN Service Status is Enabled.

Task 4: Prepare the Remote Gateway for IPsec Tunneling


You configure the remote gateway to enable IPsec VPN tunneling.
Use the following information from the class configuration handout:
IP address of the Web-Tier subinterface on the remote gateway
1. In the Internet Explorer application, select the vSphere Web Client - your_remote_site tab.
2. Point to the vSphere Web Client Home icon and click Networking & Security.
3. Select NSX Edges in the left navigation pane.
4. In the edge list, double-click the Remote Gateway entry to manage that object.
5. In the middle pane, click the Manage tab and click VPN.
6. In the VPN category panel, select L2VPN.
7. In the L2VPN status panel, click Delete Configuration.
8. Click Yes when prompted to confirm.
9. Wait for the update to complete and verify that the L2VPN configuration has been reset and the service status is Disabled.
   It might take up to a minute for the update to complete.
10. Under the Manage tab, click Settings.
11. In the settings category panel, select Interfaces.
12. In the interface list, select the L2VPN Trunk - Client interface and click the pencil icon.
13. In the Edit NSX Edge Interface dialog box, select the entry in the Sub Interfaces list and click the pencil icon.
14. In the Edit Sub Interface dialog box, select the entry in Configure Subnets and click the pencil icon.
15. Change the primary IP address to the IP address of the Web-Tier subinterface on the remote gateway.
16. Click OK to close the Edit Sub Interface dialog box.
17. Click OK to commit the interface changes.

Task 5: Update the web-sv-02a Web Server in the Remote Site vCenter Server Inventory
You change the networking configuration on web-sv-02a to match the branch topology.
Use the following information from the class configuration handout:
IP address of web-sv-02a
Default gateway for web-sv-02a
1. In the Internet Explorer window, click the web-sv-02a console tab.
2. At the web-sv-02a command prompt, run the following command to change the IP address of the web-sv-02a virtual machine.
ifconfig eth1 IP_address_of_web-sv-02a netmask 255.255.255.0

3. Run the following command to change the default gateway used by the virtual machine.
route add default gw default_gateway_for_web-sv-02a eth1
4. Run the following command to verify that the IP address has been assigned correctly.
ifconfig
5. Run the following command to verify that the default gateway has been configured correctly.
route

Task 6: Configure Remote Gateway as an IPsec Tunnel Endpoint


You configure the remote gateway as an IPsec VPN tunnel endpoint that provides tunnel-based access to the remote Web-Tier network.
Use the following information from the class configuration handout:
IP address of the remote gateway
Remote subnet
IP address of the perimeter gateway
Local subnet
1. In the Internet Explorer window, press Ctrl+Alt to release the pointer.
2. Click the vSphere Web Client - your_remote_site tab for the remote site.
3. In the middle pane, click VPN under the Manage tab.
4. In the VPN category panel, select IPSec VPN.
5. Above the tunnel endpoint list, click the green plus symbol icon to open the New IPSec VPN dialog box.
a. Select the Enabled check box.
b. Enter Local-Remote in the Name text box.
c. Enter Remote in the Local Id text box.
d. Enter the IP address of the remote gateway in the Local Endpoint text box.
e. Enter the remote subnet in the Local Subnets text box.
f. Enter Local in the Peer Id text box.
g. Enter the IP address of the perimeter gateway in the Peer Endpoint text box.
h. Enter the local subnet without spaces in the Peer Subnets text box.
i. Leave AES selected as the Encryption Algorithm.
j. Leave PSK selected.
k. Enter VMware1! in the Pre-Shared key text box.
l. Select the Display shared key check box and verify that the shared key is exactly VMware1!.
m. Leave all remaining settings at the default value and click OK.
6. Click Enable.
7. Click Publish Changes and wait for the update to complete.
8. In the status panel, verify that the IPSec VPN Service Status is Enabled.

Task 7: Test VPN Tunnel Connectivity


You use ping tests to determine connectivity status of the IPsec VPN tunnel.
Use the following information from the class configuration handout:
IP address of web-sv-01a
1. Wait for one minute for the VPN tunnels to be established and click the Show IPSec Statistics link.
2. In the IPSec VPN Statistics pop-up panel, verify that the single VPN connection that is listed in the top table has a green check mark in the Channel State column.
3. Select the single connection listed in the top table.
4. Verify that a single tunnel is listed in the bottom table with a green check mark in the Tunnel State column.
5. Close the IPSec VPN Statistics pop-up panel.
   The VPN connection between the two VMware NSX Edge gateway appliances is established and a tunnel is open.
6. In the Internet Explorer window, click the web-sv-02a console tab.
7. At the web-sv-02a command prompt, start a ping to the IP address of the web-sv-01a VM.
   The ping should be successful, confirming connectivity between the two sites over the IPSec VPN.

Task 8: Disable IPSec on the Perimeter Gateway and Enable OSPF


You disable IPSec on the perimeter gateway. You also enable OSPF on the perimeter gateway to
establish routing.
1. In the Internet Explorer application, select the vSphere Web Client - your_site_name tab.
2. Select NSX Edges in the left navigation pane.

3. Double-click Perimeter Gateway - your_site_name to open the configuration of your perimeter gateway.
4. Select the VPN tab under the Manage tab.
5. Select IPSec VPN in the middle pane.
6. Click Disable next to IPSec VPN Service Status.
7. Click Publish Changes and wait for the screen to update.
8. Click the Routing tab under the Manage tab.
9. Select OSPF in the middle pane.
10. Click Edit for OSPF Configuration.
11. Select the Enable OSPF check box in the OSPF Configuration pop-up window.
12. Click OK.
13. Click Publish Changes.

Task 9: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. Leave the MTPuTTY window open.
2. Leave the Command Prompt window open.
3. In the Internet Explorer window, close the web-sv-02a console tab.
4. Click the vSphere Web Client tab for the remote site.
5. At the top of the left navigation pane, click the Networking & Security left arrow.
6. In the Internet Explorer window, leave the following tabs open for the next lab.

   vSphere Web Client - your_site_name
   vSphere Web Client - your_remote_site
   Console to web-sv-01a

Lab 17
Configuring and Testing SSL VPN-Plus

Objective: Configure an SSL VPN-Plus portal page and a direct-access client package
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Configure SSL VPN-Plus Server Settings
3. Configure a Local Authentication Server and a Local User
4. Enable SSL VPN-Plus and Test Portal Access
5. Configure an IP Pool and Private Networks
6. Create and Test an Installation Package
7. Test Network Access by Using the SSL VPN-Plus Client Application
8. Review the Client Configuration and Examine Traffic
9. Clean Up for the Next Lab

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your remote site
Your vCenter Server administrator login account
Remote site vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the MTPuTTY window is not open on the student desktop, open the MTPuTTY window.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. In the MTPuTTY window, double-click the Perimeter Gateway -your_site_name entry.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. On the vSphere Web Client Home tab, click Inventories > VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer.
f. Click the vSphere Web Client tab.
g. Click the vSphere Web Client Home icon.
6. If you are not logged in to the remote site vSphere Web Client, log in to the remote site vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_remote_site bookmark.
b. When prompted, log in with the remote site vCenter Server administrator login account and enter the password VMware1!.
7. On the vSphere Web Client Home tab, click Inventories > Networking & Security.

Task 2: Configure SSL VPN-Plus Server Settings


You configure SSL VPN-Plus to enable the remote gateway at your remote site to act as a VPN server.
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Remote Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click SSL VPN-Plus.
4. In the SSL VPN-Plus category panel, select Server Settings and click Change.
5. In the Change Server Settings dialog box, configure the server settings.
a. For IPv4 Address, leave the Primary address selected.
b. For IPv6 Address, leave None selected.
c. Leave the port specification of 443.
d. Select AES256-SHA from the Cipher List.
e. For Server Certificate, leave the Use Default Certificate check box selected.
f. Click OK.

Task 3: Configure a Local Authentication Server and a Local User


You configure the remote gateway to provide local authentication services.
1. In the SSL VPN-Plus category panel, select Authentication.
2. In the middle pane, click the green plus sign icon to open the Add Authentication Server dialog box.
a. Select LOCAL from the Authentication Server Type drop-down menu.
b. Deselect the Enable password policy check box.
c. Deselect the Enable account lockout policy check box.
d. Leave all other settings at the default value and click OK.
3. In the SSL VPN-Plus category panel, select Users.
4. In the middle pane, click the green plus sign to open the Add User dialog box.
a. Enter vpn-user in the User ID text box.
b. Enter VMware1! in the Password text box and the Re-type Password text box.
c. Select the Password never expires check box.
d. Leave all other settings at the default value and click OK.

Task 4: Enable SSL VPN-Plus and Test Portal Access


You enable SSL VPN-Plus and test portal access using a browser.
Use the following information from the class configuration handout:
IP address of the remote gateway
1. In the SSL VPN-Plus category panel, select Dashboard.
2. In the Status panel, click Enable and click Yes when prompted to confirm.
3. Wait for the update to complete and verify that the service status is Enabled.
4. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_remote_gateway.
5. When prompted with the website certificate warning, click the Continue to this website (not recommended) link.
6. In the VMware SSL VPN-Plus portal page, log in as vpn-user and enter the password VMware1!.
7. On the user portal page, verify that one tab labeled Tools is shown with a Change Password link available.
8. Click the Logout link in the black status bar on the upper-right corner of the page and click OK when prompted to confirm.
9. In the Internet Explorer window, close the portal tab and click the vSphere Web Client - your_remote_site tab.

Task 5: Configure an IP Pool and Private Networks

You configure an IP pool and private networks in preparation for direct-network connectivity by an SSL VPN-Plus client.
Use the following information from the class configuration handout:
Remote site web-sv-02a VM network
1. In the SSL VPN-Plus category panel, select IP Pool.
2. On the IP Pool configuration page, click the green plus sign to open the Add IP Pool dialog box.
a. Enter 192.168.170.2 in the first IP Range text box.
b. Enter 192.168.170.254 in the second IP Range text box.
c. Enter 255.255.255.0 in the Netmask text box.
d. Enter 192.168.170.1 in the Gateway text box.
e. Leave all other settings at the default value and click OK.
3. In the SSL VPN-Plus category panel, select Private Networks.
4. On the Private Networks configuration page, click the green plus sign to open the Add Private Networking dialog box.
a. Enter the remote site web-sv-02a VM network in the Network text box.
b. Leave all other settings at the default value and click OK.

Task 6: Create and Test an Installation Package


You create and configure an installation package.
Use the following information from the class configuration handout:
IP address of the remote gateway
1. In the SSL VPN-Plus category panel, select Installation Package.
2. On the Installation Package configuration page, click the green plus sign to open the Add Installation Package dialog box.
a. Enter Test Package in the Profile Name text box.
b. In the Gateway table, enter the IP address of the remote gateway in the Gateway column text box, leave the port at 443, and click OK to confirm the entry.
c. In the Installation Parameters for Windows list, select the following check boxes.
   Allow remember password
   Enable silent mode installation
   Create desktop icon
d. Click OK.
3. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_remote_gateway.
4. When prompted to log in, log in as vpn-user and enter the password VMware1!.
5. In the SSL VPN-Plus portal, click the Test Package link on the Full Access tab.
   A new browser window opens.
6. In the new Internet Explorer browser window, click the Please click here to start the installation link.
7. When prompted, click Run.
   The SSL VPN-Plus test package is installed on the student desktop.
8. Close the new Internet Explorer window that opened when you started the installation.
9. In the SSL VPN-Plus portal, click the Logout link in the black status bar on the upper-right corner of the page and click OK when prompted to confirm.
10. Close the portal tab.

Task 7: Test Network Access by Using the SSL VPN-Plus Client Application

You use the SSL VPN-Plus client application to test direct access to networks available through the SSL VPN-Plus tunnel.
Use the following information from the class configuration handout:
IP address of web-sv-02a
1. Minimize the Internet Explorer window.
2. In the Command Prompt window, run the following command to try to ping the web-sv-02a VM located in the remote site vCenter Server inventory.
ping IP_address_of_web-sv-02a
   The ping command does not receive Internet Control Message Protocol (ICMP) echo replies.
3. Leave the Command Prompt window open.

4. On the student desktop, find a new shortcut titled VMware Tray.

The VMware Tray shortcut was added when the SSL VPN-Plus test package was installed from
the portal page.
5. Double-click the VMware Tray shortcut to start the SSL VPN-Plus Client application and click Login.
6. When prompted, log in as vpn-user and enter the password VMware1!.
7. Click OK when prompted to confirm that the connection has been established.
8. In the Command Prompt window, run the following command to ping the web-sv-02a server.

ping IP_address_of_web-sv-02a
The ping command receives ICMP echo replies.

Task 8: Review the Client Configuration and Examine Traffic


You review the SSL VPN-Plus client configuration and verify tunnel connectivity using traffic
capture tools.
Use the following information from the class configuration handout:
IP address of the remote gateway
IP address of web-sv-02a
1. On the student desktop, double-click the VMware Tray shortcut again.

When the SSL VPN-Plus client is running, double-clicking the program icon opens the statistics
window. The statistics window can also be opened from the client application icon that is
running in the system tray.
2. In the SSL VPN-Plus Client - Statistics window, click the Advanced tab.
Q1. What is the gateway address and port for the network configuration?
1. IP address of the remote gateway:443
Q2. Which local subnets are exposed to the tunnel client?
2. Web-Tier subnet/255.255.255.0
Q3. Which IP address is assigned to the encapsulated packets that traverse the tunnel?
3. An IP address from the range configured for the IP pool

3. On the student desktop, double-click the MTPuTTY shortcut.
4. Click Server > Add Server.
5. Enter the IP address of the remote gateway in the Server Name text box and select SSH as the protocol.
6. Click OK.
7. In the MTPuTTY window, double-click the IP address of the remote gateway in the left pane.
8. When prompted, click Yes to confirm the PuTTY security alert.
9. Log in as admin and enter the password VMware1!VMware1!.
10. Run the following command to begin capturing ICMP packets on the internal network.
debug packet display interface vNic_1 icmp
Q4. If you capture packets on the NSX Edge side of the SSL VPN-Plus tunnel, on an interface connected to the destination subnet, what source IP address do ping packets have?
4. The IP address assigned to the SSL VPN-Plus client out of the IP pool specified in the tunnel profile.

11. Leave the packet capture running and switch to the Command Prompt window.
12. Run the following command to ping the web-sv-02a server.
ping IP_address_of_web-sv-02a
13. Switch to the MTPuTTY window and verify that an ICMP exchange has occurred between the following IP addresses.
   This address is the IP address assigned to the SSL VPN-Plus Client application running on the student desktop system.
   This address is the IP address of the web-sv-02a server.
14. Press Ctrl+C to stop the packet capture.
15. Close the MTPuTTY window for the Remote Gateway.
16. Minimize the MTPuTTY window.
17. On the student desktop, double-click the VMware Tray icon.
18. Click Logout on the General tab and click Yes when prompted to confirm.

Task 9: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. Leave the MTPuTTY window open.
2. Leave the Command Prompt window open.

3. Restore the Internet Explorer window.
4. Close the vSphere Web Client - your_remote_site and web-sv-02a tabs in the Internet Explorer window.
5. Click the vSphere Web Client - your_site_name tab in the Internet Explorer window.
6. Verify that you are in the Networking & Security inventory view.
7. In the Internet Explorer window, leave the following tabs open for the next lab.
   vSphere Web Client
   Console to web-sv-01a

Lab 18
Using NSX Edge Firewall Rules to Control Network Traffic

Objective: Define NSX Edge firewall rules to restrict traffic to one or more Web servers
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Restrict Inbound Web Server Traffic to HTTP and HTTPS
3. Determine How the Firewall Rule Interacts with Other NSX Edge Features
4. Clean Up for the Next Lab

Task 1: Prepare for the Lab

You perform these actions to prepare for the lab if you have closed windows or logged out of the VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
IP address of the perimeter gateway
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the MTPuTTY window is not open on the student desktop, open the MTPuTTY window.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. In the MTPuTTY window, double-click the IP address of the perimeter gateway.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. On the vSphere Web Client Home tab, click Inventories > VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. Point to the vSphere Web Client Home icon and click Networking & Security.

Task 2: Restrict Inbound Web Server Traffic to HTTP and HTTPS


You configure a new firewall rule to restrict traffic destined for a Web server to HTTP and HTTPS.
Use the following information from the class configuration handout:
IP address of web-sv-01a
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Perimeter Gateway - your_site_name entry to manage that object.
3. In the middle pane, click the Manage tab and click Firewall.
4. In the firewall rules list, find the rule named Default Rule.
5. If necessary, use the horizontal scroll bar to uncover the Action column.
6. Point to the Action cell until a plus sign icon appears.
7. Click the plus sign icon.
8. Select Deny from Action drop-down menu.
9. Click Log and click OK.
10. Above the rule list, click Publish and wait for the update to complete.
11. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_web-sv-01a.
12. Verify that the Web page cannot be displayed and close the browser tab.
13. If not active, click the vSphere Web Client - your_site_name tab.
14. On the Firewall configuration page, click the green plus sign to create a row in the rules table.

The new row is highlighted.

15. Point to the Name cell and click the plus sign.
16. Enter Allowed to Web Servers in the Rule Name text box and click OK.

17. Point to the Destination cell, click the plus sign, and configure settings in the Specify Destination pop-up configuration panel.


a. Select IP Sets from the Object Type drop-down menu.
b. Click the New IP Set link at the bottom of the pop-up panel to open the Add IP Addresses dialog box, and configure the following options.

Option          Action
Name            Enter Local Web Servers in the text box.
Description     Leave blank.
IP Addresses    Enter the IP address of web-sv-01a in the text box.

c. Click OK to close the Add IP Addresses dialog box.


d. Click OK to close the Specify Destination window.
18. Point to the Service cell, click the plus sign, and configure the service in the pop-up configuration panel.
a. Enter HTTP in the search text box.
b. Select generic HTTP and HTTPS services in the Available Objects pane.
c. Click the right arrow to move HTTP and HTTPS to the Selected Objects pane.
d. Click OK to close the pop-up configuration panel.
19. Verify that the Action for the new rule is Accept.
20. Click Publish and wait for the update to complete.
21. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_web-sv-01a.
22. Verify that the Web page is displayed or that you are prompted with a certificate-related warning, and close the browser tab.


23. If not active, click the vSphere Web Client - your_site_name tab.

Task 3: Determine How the Firewall Rule Interacts with Other NSX Edge Features
You determine how a firewall rule interacts with an existing destination NAT rule.
Use the following information from the class configuration handout:
Load balancer VIP IP address
IP address of web-sv-01a
DNAT IP address of web-sv-01a
1. In the Internet Explorer window, open a new browser tab and go to https://load_balancer_VIP_IP_address.
2. Verify that the Web page is not displayed and close the browser tab.
3. If not active, click the vSphere Web Client tab.
Q1. Because the virtual server for load balancing HTTP traffic was configured with the web-sv-01a Web server as a member server, will the rule that you just created allow HTTP connections to the virtual server IP address?
1. No

4. In the Internet Explorer window, open a new browser tab and go to https://DNAT_IP_of_web-sv-01a.
This address is the destination NAT address for the web-sv-01a Web server.
5. Verify that the Web page cannot be displayed and close the browser tab.
6. If not active, click the vSphere Web Client - your_site_name tab.
7. In the middle pane, click Grouping Objects under the Manage tab.
8. In the category panel, select IP Sets.
9. In the IP Set list, select the Local Web Servers entry.
10. Click the pencil icon to open the Edit IP Addresses dialog box.
a. In the IP Addresses text box, enter the IP address of web-sv-01a and the DNAT IP address of web-sv-01a, separated by a comma.


b. Click OK.
11. In the Internet Explorer window, open a new browser tab and go to https://DNAT_IP_of_web-sv-01a.
12. Verify that the Web page is displayed or that you are prompted with a certificate warning, and close the browser tab.
13. If not active, click the vSphere Web Client - your_site_name tab.
14. In the middle pane, click Firewall under the Manage tab.
15. In the rule list, select the Allowed to Web Servers rule.
16. Click the red X icon to delete the rule and click OK when prompted to confirm.
17. Point to the Default Rule Action cell.
18. Click the plus sign.
19. Select Accept from the Action drop-down menu.
20. Click OK.
21. Click Publish and wait for the update to complete.

Task 4: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. Leave the MTPuTTY window open.
2. Leave the Command Prompt window open.
3. At the top of the left navigation pane, click the Networking & Security left arrow button.
4. In the Internet Explorer window, leave the following tabs open for the next lab.

vSphere Web Client - your_site_name


Console to web-sv-01a

Lab 19

Using the VMware NSX Distributed Firewall Rules to Control Network Traffic

Objective: Define the VMware NSX Distributed Firewall rules to restrict traffic to one or more Web servers and between application tiers

In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Create a Distributed Firewall Section
3. Configure Cross-Tier Rules
4. Restrict Inbound Web Server Traffic to HTTP and HTTPS
5. Review Distributed Firewall Log Entries
6. Restore a Saved Distributed Firewall Configuration
7. Clean Up for the Next Lab

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
IP address of the perimeter gateway
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop.
2. If the MTPuTTY window is not open on the student desktop, open the MTPuTTY window.
a. On the student desktop, double-click the MTPuTTY shortcut.
b. In the MTPuTTY window, double-click the IP address of the perimeter gateway.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin using the VMware1!VMware1! password.
3. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
4. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account, using the VMware1! password.


5. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root using the VMware1! password.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. Point to the vSphere Web Client Home icon and click the Networking & Security icon.

Task 2: Create a Distributed Firewall Section


You create a section that contains your custom firewall rules.
1. In the left navigation pane, select Firewall.
2. In the middle pane, verify that General is selected on the Configuration tab.
3. In the section list, find the Default Section Layer3 entry.
4. If necessary, use the horizontal scroll bar to uncover the icons that appear on the far right of the default section.
5. Click the folder icon.
6. In the pop-up configuration panel, create a section.
a. Enter Test Section in the Section name text box.
b. Leave Add section above selected.
c. Click OK.
7. Click Publish Changes and wait for the update to complete.

Task 3: Configure Cross-Tier Rules


You configure rules to allow basic connectivity between the Web-Tier, App-Tier, and DB-Tier
networks.
1. If necessary, use the horizontal scroll bar to uncover the icons on the far-right side of the Test Section entry and click the green plus sign to create a rule.
2. Expand Test Section and find the new rule entry.
3. Point to the Name cell and click the pencil sign.
4. Enter Allowed Web To App in the Rule Name text box and click OK.
5. Point to the Source cell and click the pencil sign to open the Specify Source configuration panel.
a. Select Logical Switch from the Object Type pane.
b. Select Web-Tier in the Available Objects pane and click the blue right arrow to move the switch into the Selected Objects list.


c. Click OK.
6. Point to the Destination cell and click the pencil sign to open the Specify Destination configuration panel.
a. Select Logical Switch from the Object Type drop-down menu.
b. Select App-Tier in the Available Objects list and click the blue right arrow to move the switch into the Selected Objects list.
7. Click OK.
8. Point to the Services cell and click the pencil sign to open the Specify Service configuration panel.
a. Click the New Service link that appears in the lower-left corner of the pop-up panel.
b. Enter the following details in the Add Service dialog box.

Option                  Action
Name                    Enter Tomcat-8443 in the text box.
Description             Leave blank.
Protocol                Leave TCP selected.
Destination ports       Enter 8443 in the text box.
Enable inheritance...   Leave at the default value (deselected).

c. Click OK twice to close the Add Service dialog box.


9. Click Publish Changes and wait for the update to complete.
10. Click the green plus sign above the rules list to create a rule.

If the icon is not active, select any rule in the Test Section rule list.
11. Point to the Name cell and click the pencil sign.
12. Enter Allowed App To DB in the Rule Name text box and click OK.
13. Point to the Source cell and click the pencil sign to open the Specify Source configuration panel.
a. Select Logical Switch from the Object Type drop-down menu.
b. Select App-Tier from the Available Objects list and click the blue right arrow to move the switch into the Selected Objects list.


c. Click OK.
14. Point to the Destination cell and click the pencil sign to open the Specify Destination configuration panel.
a. Select Logical Switch from the Object Type drop-down menu.
b. Select DB-Tier from the Available Objects list and click the blue right arrow to move the switch into the Selected Objects list.
15. Click OK.


16. Point to the Services cell and click the pencil sign to open the pop-up configuration panel.
a. Enter SQL in the search text box.
b. In the Available services list, scroll down to find the generic MySQL service.
c. Select the MySQL service and click the blue right arrow to move the service to the Selected Objects list.


d. Click OK.
17. Click Publish Changes and wait for the update to complete.

Task 4: Restrict Inbound Web Server Traffic to HTTP and HTTPS


You configure a firewall rule that restricts network traffic that is destined for a Web server to HTTP
and HTTPS.
Use the following information from the class configuration handout:
IP address of web-sv-01a
NAT IP address of web-sv-01a
1. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_web-sv-01a.
2. Verify that the Web page is displayed or that you are prompted with an untrusted connection message, and close the browser tab.


3. Click the vSphere Web Client - your_site_name tab.
4. In the firewall section list, expand the Default Section Layer3 entry.
5. Point to the Default Rule Action cell and click the pencil sign.
6. Select Block from the Action drop-down menu.
7. Click Log and click OK.
8. Click Publish Changes and wait for the update to complete.
9. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_web-sv-01a.
10. If the Web page is displayed, click the Internet Explorer refresh icon to reload the page.
11. Verify that the Web page is not displayed and close the browser tab.
12. Click the vSphere Web Client - your_site_name tab.

13. Click the green plus sign above the rules list to create a rule in Test Section.

If the icon is not active, you can select any rule in the Test Section rule list and click the green
plus sign.
14. Point to the Name cell and click the pencil sign.
15. Enter Allowed to Web Servers in the Rule Name text box and click OK.
16. Point to the Destination cell and click the pencil sign to open the Specify Destination configuration panel.
a. Select Logical Switch from the Object Type drop-down menu.
b. Select Web-Tier from the Available Objects list and click the blue right arrow to move the Web-Tier entry to the Selected Objects list on the right.


c. Click OK.
17. Point to the Services cell and click the pencil sign to open the Specify Service configuration panel.
a. Enter HTTP in the search text box.
b. Select the generic HTTP and HTTPS services in the Available Objects list and click the blue right arrow to move those services to the Selected Objects list.
c. Click OK.
18. Point to the Action cell and click the pencil sign that appears.
19. Click Log and click OK.
20. Click Publish Changes and wait for the update to complete.
21. In the Internet Explorer window, open a new browser tab and go to https://IP_address_of_web-sv-01a.
22. Verify that the Web page is displayed or that you are prompted with an untrusted connection message, and close the browser tab.


23. Click the vSphere Web Client - your_site_name tab.
24. Point to Web-Tier in the Destination cell and click the red X icon that appears to remove Web-Tier from the Destination cell.


25. Point to the Destination cell and click IP.
26. In the pop-up configuration panel, add the IP address of the Web server.
a. Leave IPv4 selected.

b. Enter the IP Address of web-sv-01a in the Value text box.

This address is the IP address of the Web server on the Web-Tier logical switch network.
c. Click OK.
27. Click Publish Changes and wait for the update to complete.
28. In the Internet Explorer window, open a new browser tab and go to https://NAT_IP_address_of_web-sv-01a.
This address is the destination NAT address that you configured earlier for the web-sv-01a Web
server.
29. Click the Internet Explorer page refresh icon to reload the page.
30. Verify that the Web page is displayed or that you are prompted with an untrusted connection message, and close the browser tab.


31. Click the vSphere Web Client - your_site_name tab.
32. Read the following summary.

In the previous lab, attempts to browse the destination NAT address were blocked by the
firewall rule defined on the perimeter gateway until the destination IP set was expanded to
include the destination NAT address.
Q1. Why does the Distributed Firewall rule allow browser connections to the Web server through the destination NAT address, when the rule explicitly defines web-sv-01a's IP as the only valid destination?
1. Distributed Firewall rules work on true source and destination addresses and objects. Such rules are not affected by transforms (such as destination NAT translations) performed by NSX Edge devices.
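
The summary and Q1 answer above, together with Lab 18 Task 3, reduced to a rule-evaluation model. This is an added example, not code from the lab manual or from NSX: all addresses are constructed placeholders, and the Edge and Distributed Firewall matching behaviour is modelled only as the two labs observe it, not as NSX implements it.

```python
"""Toy model of the firewall behaviour observed in Lab 18 Task 3 and Lab 19 Task 4.

Added example; not code from the lab manual and not how NSX is implemented.
The Edge rule did not match the DNAT address until it was added to the IP set,
so the Edge is modelled as matching on the address the client connected to.
The DFW sits at the vNIC of web-sv-01a and sees the packet after the Edge has
rewritten the destination, so it is modelled as matching on the true address.
All addresses are constructed placeholders, not values from the handout.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, FrozenSet, List, Optional

# Constructed lab-style addresses (assumptions, not from the class handout).
WEB_SV_01A = IPv4Address("172.16.10.11")    # web-sv-01a on the Web-Tier logical switch
WEB_DNAT_IP = IPv4Address("192.168.100.3")  # destination NAT address on the perimeter gateway
LB_VIP = IPv4Address("192.168.100.4")       # load balancer virtual server (VIP) address
HTTP, HTTPS, SSH = 80, 443, 22


@dataclass(frozen=True)
class Packet:
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # Accept/Deny on the Edge, Allow/Block on the DFW
    dst_ips: Optional[FrozenSet[IPv4Address]] = None  # None means any destination
    dports: Optional[FrozenSet[int]] = None           # None means any service

    def matches(self, pkt: Packet) -> bool:
        if self.dst_ips is not None and pkt.dst not in self.dst_ips:
            return False
        return self.dports is None or pkt.dport in self.dports


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """Rule tables are evaluated top down and the first matching rule wins;
    the last entry is the Default Rule, which matches everything."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    raise ValueError("rule table must end with a default rule")


def apply_dnat(pkt: Packet, dnat_table: Dict[IPv4Address, IPv4Address]) -> Packet:
    """Rewrite the destination when a DNAT entry exists, otherwise pass through."""
    return Packet(dnat_table.get(pkt.dst, pkt.dst), pkt.dport)


def dfw_verdict(rules: List[Rule], pkt: Packet,
                dnat_table: Dict[IPv4Address, IPv4Address]) -> str:
    """DFW as observed in Lab 19 Task 4: the packet reaches the vNIC after
    translation, so the rule only ever sees the true destination."""
    return first_match(rules, apply_dnat(pkt, dnat_table))


def edge_rules(ip_set: FrozenSet[IPv4Address]) -> List[Rule]:
    """Lab 18 Task 2 rule set: 'Allowed to Web Servers' above a Deny default."""
    return [
        Rule("Allowed to Web Servers", "Accept", ip_set, frozenset({HTTP, HTTPS})),
        Rule("Default Rule", "Deny"),
    ]


# Lab 19 Task 4 steps 25-27: destination is the Web server's own IP address.
DFW_RULES = [
    Rule("Allowed to Web Servers", "Allow", frozenset({WEB_SV_01A}), frozenset({HTTP, HTTPS})),
    Rule("Default Rule", "Block"),
]
DNAT_TABLE = {WEB_DNAT_IP: WEB_SV_01A}


def lab_results() -> Dict[str, str]:
    """Replay the browser checks from both labs as firewall verdicts.
    The Edge (Lab 18 Task 3) is matched directly on the address the client
    connected to: VIP, DNAT address or real server."""
    before = edge_rules(frozenset({WEB_SV_01A}))              # Task 2 IP set
    after = edge_rules(frozenset({WEB_SV_01A, WEB_DNAT_IP}))  # Task 3 step 10 IP set
    return {
        "edge: https to web-sv-01a": first_match(before, Packet(WEB_SV_01A, HTTPS)),
        "edge: https to LB VIP (Q1)": first_match(before, Packet(LB_VIP, HTTPS)),
        "edge: https to DNAT IP, original IP set": first_match(before, Packet(WEB_DNAT_IP, HTTPS)),
        "edge: https to DNAT IP, expanded IP set": first_match(after, Packet(WEB_DNAT_IP, HTTPS)),
        "dfw: https to DNAT IP": dfw_verdict(DFW_RULES, Packet(WEB_DNAT_IP, HTTPS), DNAT_TABLE),
        "dfw: ssh to web-sv-01a": dfw_verdict(DFW_RULES, Packet(WEB_SV_01A, SSH), DNAT_TABLE),
    }


if __name__ == "__main__":
    for check, verdict in lab_results().items():
        print(f"{check:42s} -> {verdict}")
```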

Task 5: Review Distributed Firewall Log Entries


You review log entries that detail connections that have been allowed or blocked by firewall rules.
1. In the Internet Explorer window, select the web-sv-01a tab.
2. At the web-sv-01a command prompt, attempt to ping the following servers.

IP address of app-sv-01a.
IP address of db-sv-01a.
3. Press Ctrl+C to stop each ping command after lack of connectivity is confirmed.
4. Press Ctrl+Alt to release the pointer and click the vSphere Web Client - your_site_name tab.

5. Point to the vSphere Web Client Home icon and select Hosts and Clusters.
6. Select the web-sv-01a VM in the left navigation pane and identify the host where the VM is running.
The host name can be seen in the Summary tab of the VM.
7. Minimize the Internet Explorer window and restore the MTPuTTY application.
8. In the MTPuTTY application, double-click the ESXi host where the web-sv-01a VM resides.
9. Open the dfwpktlogs.log file in the vi text editor.

The command to open the log file is vi /var/log/dfwpktlogs.log.


10. Search for the PASS string in the log file.

To search for the keyword PASS, you must use /PASS in the vi editor.
Log entries describing connections that were allowed because of a firewall rule appear.
11. Search for the DROP string in the log file.

Log entries describing connections that were dropped because of a firewall rule appear.
12. Restore the Internet Explorer application.
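
Added here as an example (not a VMware tool and not from the lab manual): a small parser that does over constructed sample records what steps 9 to 11 do by hand in vi, counting PASS and DROP entries per rule and listing the dropped flows. The record layout and the rule ids in the sample are assumptions modelled on the shape of NSX 6.x dfwpktlogs.log lines.

```python
"""Summarise the PASS and DROP records in an ESXi dfwpktlogs.log capture.

Added example; not part of the lab manual and not a VMware tool. The sample
lines are constructed and only modelled on the shape of NSX 6.x
/var/log/dfwpktlogs.log records (timestamp, level, filter id, INET, "match",
PASS|DROP, rule id, direction, length, protocol, src[/port]->dst[/port]).
Treat that layout as an assumption and adjust LINE_RE to your own capture.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample records; addresses are placeholders, not handout values.
# The rule ids are also constructed: 1001 plays the Default Rule (Block + Log),
# 1012 the "Allowed Web To App" rule and 1014 the "Allowed to Web Servers" rule.
SAMPLE_LOG = """\
2015-09-14T10:21:03.117Z INF 1ecda2a8 INET match PASS domain-c7/1012 OUT 60 TCP 172.16.10.11/44120->172.16.20.11/8443 S
2015-09-14T10:21:03.120Z INF 1ecda2a8 INET match PASS domain-c7/1012 OUT 60 TCP 172.16.10.11/44121->172.16.20.11/8443 S
2015-09-14T10:21:05.421Z INF 1ecda2a8 INET match DROP domain-c7/1001 OUT 84 ICMP 172.16.10.11->172.16.20.11
2015-09-14T10:21:06.422Z INF 1ecda2a8 INET match DROP domain-c7/1001 OUT 84 ICMP 172.16.10.11->172.16.30.11
2015-09-14T10:21:09.003Z INF 1ecda2a8 INET match PASS domain-c7/1014 IN 60 TCP 192.168.110.10/51022->172.16.10.11/443 S
2015-09-14T10:21:12.778Z INF 1ecda2a8 INET match DROP domain-c7/1001 IN 60 TCP 192.168.110.10/51030->172.16.10.11/22 S
2015-09-14T10:21:13.000Z INF 1ecda2a8 INET TERM domain-c7/1014 IN TCP RST 192.168.110.10/51022->172.16.10.11/443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<filter>\S+) INET6? match (?P<action>PASS|DROP) "
    r"(?P<rule>\S+) (?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>\S+) "
    r"(?P<src>[0-9A-Fa-f.:]+)(?:/(?P<sport>\d+))?->(?P<dst>[0-9A-Fa-f.:]+)(?:/(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class Entry:
    timestamp: str
    action: str       # PASS or DROP
    rule_id: str      # for example domain-c7/1001
    direction: str    # IN or OUT, relative to the VM's vNIC
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_dfwpktlogs(text: str) -> List[Entry]:
    """Return one Entry per 'match PASS|DROP' record.

    Records of other kinds (for example session TERM lines) are skipped, which
    mirrors searching the file for /PASS and /DROP in vi as Task 5 does."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        entries.append(Entry(
            m.group("ts"), m.group("action"), m.group("rule"), m.group("dir"),
            m.group("proto"), m.group("src"),
            int(m.group("sport")) if m.group("sport") else None,
            m.group("dst"),
            int(m.group("dport")) if m.group("dport") else None,
        ))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, Counter]:
    """Counts by verdict, by (verdict, rule) and by (verdict, protocol, port):
    enough to tell which rule dropped what and whether a rule is ever hit."""
    return {
        "action": Counter(e.action for e in entries),
        "rule": Counter((e.action, e.rule_id) for e in entries),
        "service": Counter((e.action, e.proto, e.dport) for e in entries),
    }


def dropped_flows(entries: List[Entry]) -> List[Tuple[str, str, str, Optional[int]]]:
    """Distinct (src, dst, proto, dport) tuples that hit a DROP rule; the
    list to review when a legitimate service is unexpectedly blocked."""
    return sorted({(e.src, e.dst, e.proto, e.dport) for e in entries
                   if e.action == "DROP"}, key=lambda t: (t[0], t[1], t[2], t[3] or 0))
```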

Task 6: Restore a Saved Distributed Firewall Configuration


You restore the firewall configuration from a saved backup.
1. Point to the vSphere Web Client Home icon and click Networking & Security.
2. In the left navigation pane, select Firewall.
3. In the middle pane, click the Saved Configurations tab.

The configuration list contains several new entries that were autosaved by the system.
4. Click the Configuration tab.
5. Under General and Ethernet, click the Load saved configuration icon.
6. In the Load Saved Configuration dialog box, scroll down and select the oldest autosaved configuration with today's date and click OK.

The oldest autosaved configuration was saved when Test Section was created, before any new rules were defined.
7. When prompted to confirm, read the message and click Yes.
8. Click Publish Changes and wait for the update to complete.

Task 7: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. Leave the MTPuTTY window open.
2. Leave the Command Prompt window open.
3. In the Internet Explorer window, leave the following tabs open for the next lab.

vSphere Web Client - your_site_name


Console to web-sv-01a


Lab 20

Configuring an Identity-Aware Firewall

Objective: Configure an identity-aware firewall


In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Prepare the Infrastructure for an Identity-Aware Firewall
3. Add an Active Directory Domain to the NSX Manager Instance
4. Configure Identity-Aware Firewall Rules
5. Verify the Identity-Aware Firewall Configuration
6. Clean Up for the Next Lab

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
IP address of the perimeter gateway
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
3. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
b. When prompted, log in with your VMware vCenter Server administrator login account and enter the password VMware1!.


4. In the Internet Explorer window, open the console tab of the Windows7 VM.
a. On the vSphere Web Client Home tab, click Inventories > Hosts and Clusters.
b. Expand the inventory tree and select Windows7.
c. Power on the virtual machine and wait for the operation to complete.
d. Select Open Console from the Actions drop-down menu.

You must not log in to the VM at this point.


e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Point to the vSphere Web Client Home icon and click Networking & Security.

Task 2: Prepare the Infrastructure for an Identity-Aware Firewall


You deploy Guest Introspection and enable Activity Monitoring for the Compute cluster. These
features are prerequisites for configuring the identity-aware firewall.
Use the following information from the class configuration handout:
Data center
1. Click the Installation link in the left navigation pane.
2. Click the Service Deployments tab in the middle pane.
3. Click the green plus sign in the Network & Security Service Deployments pane.
4. Select the Guest Introspection check box in the Select Service & Schedule window and click Next.
5. Ensure that your data center is selected in the Datacenter field.
6. Select the Compute check box and click Next.
7. Enter the following details on the Select storage and Management Network page.
a. Datastore: Name of your data store
b. Network: Management
8. Click the Change link under IP Assignment.
9. Select Use IP Pool in the Select IP Pool assignment mode.
10. Click Controller-Pool.
11. Click OK.
12. Click Next.
13. Click Finish on the Ready to complete page.

You can configure Activity Monitoring for the Compute cluster while Guest Introspection is
deployed.
14. Click the Service Composer link in the left navigation pane.
15. Click the Security Groups tab in the middle pane.
16. Right-click the Activity Monitoring Data Collection group and select Edit Security Group.
17. Click Select objects to include in the Edit Security Group window.
18. Click the down arrow next to Object Type and select Cluster.

19. Select Compute in the Available Objects pane and click the right blue arrow to move the Compute cluster to the Selected Objects pane.


20. Click Finish.
21. Click the Installation link in the left navigation pane.
22. Verify that the deployment of Guest Introspection is complete and the installation status appears as Succeeded.

Task 3: Add an Active Directory Domain to the NSX Manager Instance


You add an Active Directory domain to the NSX Manager instance for configuring an identity-aware firewall.
Use the following information from the class configuration handout:
NSX Manager IP address
1. Click the Management tab in the middle pane.
2. Click your NSX Manager IP address under the NSX Manager pane.
3. Click the Domains tab under the Manage tab.
4. Click the green plus sign to add a new AD domain.
5. Enter vclass.local as the name and vclass as the NetBIOS name in the Add Domain window and click Next.


6. Enter the following details on the LDAP Options page.

Server: dc.vclass.local
Username: administrator
Password: VMware1!
7. Leave all other default settings and click Next.
8. Leave the default settings in the Security Event Log Access page and click Next.
9. Click Finish on the Ready to complete page.
10. Click the arrow next to Networking & Security on the top corner of the left navigation pane.

Task 4: Configure Identity-Aware Firewall Rules


You configure two rules in the Default section of the distributed firewall. One rule allows SSH connections to the win-sv-01a VM for the domain group AD-SSH. This group includes the administrator user accounts. The other rule blocks SSH connections to the win-sv-01a VM for all other users.
1. Click the Firewall link in the left navigation pane. If necessary, use the horizontal scroll bar to uncover the icons on the far-right side of the Default Section entry and click the green plus sign to create a rule.
2. Expand Default Section and find the new rule entry.
3. Point to the Name cell and click the pencil sign.
4. Enter Allowed SSH to Admins in the Rule Name text box and click OK.
5. Point to the Source cell and click the pencil sign to open the Specify Source configuration panel.
a. Select Security Group from the Object Type drop-down menu.
b. Click the New Security Group link at the bottom left of the Specify Source window.
c. Enter AD-SSH in the Name text box of the Add Security Group window.
d. Click Select Objects to include on the left.
e. Click the down-arrow next to Object Type and select Directory Group.
f. Select AD-SSH in the Available Objects pane and click the blue right arrow to move the group to the Selected Objects pane.
g. Click Finish.
h. Click OK on the Specify Source window.
6. Point to the Destination cell and click the pencil sign to open the Specify Destination configuration panel.
a. Select Cluster from the Object Type drop-down menu.
b. Select the Compute cluster object and click the blue right arrow to move the cluster into the Selected Objects list.
7. Click OK.
8. Point to the Services cell and click the pencil sign to open the Specify Service configuration panel.
a. Enter SSH in the Filter text box and press Enter.
b. Select SSH in the Available Objects pane and click the blue right arrow to move SSH to the

Selected Objects pane.


c. Click OK.
9. Click the green plus sign above the rules list to create a rule.

You must ensure that this rule appears below the rule that you created. You can use the Move
rule up or down buttons to arrange the rules appropriately.
If the icon is not active, you can select any rule in the Test Section rule list.
10. Point to the Name cell and click the pencil sign.
11. Enter Blocked SSH for Normal Users in the Rule Name text box and click OK.
12. Leave any as the value in the Source cell.
13. Point to the Destination cell and click the pencil sign to open the pop-up configuration panel.
a. Select Cluster from the Object Type drop-down menu.
b. Select the Compute cluster object and click the blue right arrow to move the cluster into the Selected Objects list.


14. Click OK.
15. Point to the Services cell and click the pencil sign to open the pop-up configuration panel.
a. Enter SSH in the Filter text box and press Enter.
b. Select SSH in the Available Objects pane and click the blue right arrow to move SSH to the Selected Objects pane.


c. Click OK.
16. Point to the Action cell and click the pencil sign to open the pop-up configuration.
a. Click the down arrow next to Action and select Block.
b. Click OK.
17. Click Publish Changes at the top of the middle pane.

Task 5: Verify the Identity-Aware Firewall Configuration


You log in to the Windows7 VM by using two accounts. The administrator user account can SSH to the web-sv-01a VM, which is a part of the Compute cluster. However, the normal user account cannot SSH to the web-sv-01a VM. This test confirms that the identity-aware firewall functions as expected.
Use the following information from the class configuration handout:
Admin user for Windows VM
IP address of web-sv-01a
Normal user for Windows VM
1. Click the Windows7 VM tab in Internet Explorer.
2. Click Send Ctrl+Alt+Delete at the top-right corner of the VM's remote console.
3. Click Switch User in the VM's console.
4. Click Other User.
5. Log in as the Admin user for Windows VM and enter the password VMware1!.
6. Double-click the putty application located in the putty folder in the C: drive.
7. Click Run in the Security Warning window.
8. Enter the IP address of the web-sv-01a VM in the Host Name (or IP address) text box of the PuTTY application.
A login prompt appears, confirming that the domain administrator account can SSH to the web-sv-01a VM.
9. Close the PuTTY application.
10. Log out from the Windows7 VM.
11. Click Send Ctrl+Alt+Delete at the top-right corner of the VM's remote console.
12. Click Switch User in the VM's console.
13. Click Other User.
14. Log in as the normal user for Windows VM and enter the password VMware1!.
15. Double-click the putty application located in the putty folder in the C: drive.
16. Click Run in the Security Warning window.
17. Enter the IP address of the web-sv-01a VM in the Host Name (or IP address) text box of the PuTTY application.

18. Click OK in the Connection timed out window.

This message confirms that the normal user cannot SSH to web-sv-01a VM.
19. Close the PuTTY application.
20. Open Internet Explorer by clicking the Internet Explorer icon in the Windows taskbar.
21. Enter https://IP_address_of_web-sv-01a.
22. Verify that either the page opens or you receive a warning about the Web site's certificate.

The normal user can access the Web services on web-sv-01a VM.

Task 6: Clean Up for the Next Lab


You perform these actions to prepare for the next lab.
1. Close the Windows7 VM's tab in the Internet Explorer window.
2. In the Internet Explorer window, leave the following tabs open for the next lab.

vSphere Web Client - your_site_name


Console to web-sv-01a

Lab 21

Using VMware NSX Service Composer

Objective: Define VMware NSX Service Composer security groups and security policies

In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Create a Security Group
3. Create a Security Policy
4. Verify the Policy Functionality Before the Virus Is Found
5. Verify the Policy Functionality After the Virus Is Found
6. Clean Up for the Next Lab

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your vCenter Server administrator login account
1. If a Command Prompt window is not open on the student desktop, open the window.
a. On the student desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop.
2. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
3. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
b. When prompted, log in with your vCenter Server administrator login account and enter the password VMware1!.
4. Point to the vSphere Web Client Home icon and click the Networking & Security icon.

Task 2: Create a Security Group


You create a security group that includes Web servers in the Compute clusters.
1. In the left navigation pane, select Service Composer.
2. In the middle pane, click the Security Groups tab.
3. Click the New Security Group icon to open the New Security Group dialog box.
4. Enter Quarantine Group in the Name text box.
5. Click Next.
6. In the Criteria Details area, click the VM Name drop-down menu and leave Contains selected.
7. Enter virus in the text box.
8. Click Next.
9. On the Select Objects to Include page, click Next.
10. On the Select Objects to Exclude page, click the Object Type drop-down menu and select Distributed Virtual Port Group.
11. In the Available Objects pane, select Management.


12. Click the right arrow icon to add the distributed port group to the Selected Objects pane.
13. Click Next.

21

14. Review the settings in the Ready to complete pane and click Finish.

Task 3: Create a Security Policy


You configure a security policy to isolate ports in the security group.
1. In the middle pane, click the Security Policies tab.
2. Click the Create Security Policy icon.
3. On the Name and description page, enter Isolate Compromised VMs in the name text box.
4. Leave all other settings at default value and click Next.
5. On the Guest Introspection Services page, click Next.
6. On the Firewall Rules page, click the green plus icon.
7. In the New Firewall Rule dialog box, enter Block all Traffic in the Name text box.
8. Click Block for Action.
9. In the Source section, click the Change link.
10. In the Firewall Rule Select Source dialog box, select Any.
11. Click OK.
12. In the Destination section, click the Change link.
13. In the Firewall Rule Select Destination dialog box, leave the setting as Policy's Security Groups.
14. Leave all other settings at the default value and click OK.
15. Click Next.
16. On the Network Introspection Services page, click Next.
17. Click Finish.
18. Click Actions and click the Apply Policy icon.
19. In the pop-up menu, select the Quarantine Group check box.
20. Click OK.


Task 4: Verify the Policy Functionality Before the Virus Is Found


You verify the security policy configuration before the virus is found.
1. At the student desktop command prompt, ping the web-sv-01a VM.

ping -t web-sv-01a
The pings should be received.
2. Go back to the VMware vSphere Web Client.
3. Ensure that Service Composer is selected in the left navigation pane.
4. Click the Canvas tab in the middle pane.

The Quarantine Group is represented as a box. A security policy is associated with Quarantine Group. You can identify the name of the security policy by clicking the icon in the top-right corner of the box. The number of VMs added to the group is zero.
5. Point to the Home icon and select VMs and Templates.
6. Select the web-sv-01a VM from the left navigation pane.
7. Click the Monitor tab in the middle pane.
8. Click the Service Composer tab and verify that no security services are associated with the VM by clicking Guest Introspection Services, Firewall Rules, and Network Introspection Services.

Task 5: Verify the Policy Functionality After the Virus Is Found


You verify the security policy configuration after a virus is found in the web-sv-01a VM.
1. Ensure that web-sv-01a is selected in the left navigation pane.
2. Click the Actions icon and select Rename.
3. Enter virus at the end of the VM's name.
4. Click OK.
5. Maximize the Command Prompt window and verify that the ping requests time out.
6. Go back to the vSphere Web Client and click the refresh icon next to the user name.
7. Ensure that the VM web-sv-01avirus is selected in the left navigation pane.
8. Click Monitor and select Service Composer.
9. Select Firewall Rules in the middle pane and verify that the firewall policy is applied to the VM.
10. Point to the Home icon and select Networking & Security.
11. Click Service Composer in the left navigation pane.
12. Select the Canvas tab.

The Quarantine Group has one VM associated with it.

13. Click the VM icon on top of the Quarantine Group box and verify that the name of the VM is web-sv-01avirus.

Task 6: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. Point to the Home icon and select VMs and Templates.
2. Select the web-sv-01avirus VM in the left navigation pane.
3. Click Actions and select Rename.
4. Delete virus from the VM's name.
5. Click OK.
6. Maximize the Command Prompt window.

The ping gets replies.

7. Press Ctrl+C to stop the ping command.
8. Leave the Command Prompt window open.
9. In the Internet Explorer window, leave the following tabs open for the next lab:
vSphere Web Client - your_site_name
Console to web-sv-01a
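The quarantine workflow of Tasks 2, 3 and 5 (dynamic group membership on the VM name, a Management port group exclusion, and a Block rule whose destination is the policy's security groups) can be checked offline with the following model. It is an added example, not code from the lab or from NSX; it does not call NSX Manager, and every VM other than web-sv-01a, the port group names and the case-insensitive matching of the Contains criterion are assumptions.

```python
"""Model of the Lab 21 quarantine workflow (Tasks 2, 3 and 5).

Constructed example: it does not talk to NSX Manager. It reproduces the
membership and rule logic of the lab so the expected outcome of each step
can be checked; VM and port group names other than web-sv-01a are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class VM:
    name: str
    port_group: str  # distributed port group the vNIC is attached to


@dataclass
class SecurityGroup:
    """Task 2: dynamic criteria plus static include and exclude lists."""
    name: str
    criteria: List[Callable[[VM], bool]] = field(default_factory=list)
    include_vms: Set[str] = field(default_factory=set)
    exclude_port_groups: Set[str] = field(default_factory=set)

    def members(self, inventory: List[VM]) -> List[VM]:
        result = []
        for vm in inventory:
            # Excluded objects win: a VM on the Management port group never
            # lands in the group even if its name matches the criteria.
            if vm.port_group in self.exclude_port_groups:
                continue
            if vm.name in self.include_vms or any(c(vm) for c in self.criteria):
                result.append(vm)
        return result


def vm_name_contains(fragment: str) -> Callable[[VM], bool]:
    """The 'VM Name' / 'Contains' criterion; matched case-insensitively here (assumption)."""
    frag = fragment.lower()
    return lambda vm: frag in vm.name.lower()


@dataclass
class FirewallRule:
    name: str
    action: str        # "Block" or "Allow"
    source: str        # "Any" is the only source this model evaluates
    destination: str   # "Any" or "PolicySecurityGroups"


@dataclass
class SecurityPolicy:
    """Task 3: the rules apply to the groups the policy is mapped to."""
    name: str
    rules: List[FirewallRule]
    applied_to: List[SecurityGroup]

    def action_for(self, dst: VM, inventory: List[VM]) -> str:
        for rule in self.rules:
            if rule.destination == "PolicySecurityGroups":
                in_scope = any(dst in g.members(inventory) for g in self.applied_to)
            else:
                in_scope = rule.destination == "Any"
            if rule.source == "Any" and in_scope:
                return rule.action
        return "Allow"  # default rule of the lab topology


def build_lab21() -> Tuple[SecurityGroup, SecurityPolicy]:
    group = SecurityGroup("Quarantine Group",
                          criteria=[vm_name_contains("virus")],
                          exclude_port_groups={"Management"})
    policy = SecurityPolicy("Isolate Compromised VMs",
                            [FirewallRule("Block all Traffic", "Block", "Any", "PolicySecurityGroups")],
                            applied_to=[group])
    return group, policy


def run_scenario() -> Tuple[bool, bool, List[str]]:
    """Return (ping allowed before rename, ping allowed after rename, group members)."""
    web = VM("web-sv-01a", "Web-Tier")               # target of the lab's ping -t
    scanner = VM("av-virus-scanner", "Management")   # constructed: name matches, but excluded
    inventory = [web, scanner]
    group, policy = build_lab21()
    before = policy.action_for(web, inventory) == "Allow"
    web.name = "web-sv-01avirus"                     # Task 5 step 3: rename the VM
    after = policy.action_for(web, inventory) == "Allow"
    return before, after, [vm.name for vm in group.members(inventory)]


if __name__ == "__main__":
    print(run_scenario())  # (True, False, ['web-sv-01avirus'])
```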

Lab 22
Configuring the Cross-vCenter NSX Feature

Objective: Configure the cross-vCenter NSX feature and leverage the universal objects like the universal logical switch and the universal distributed firewall
In this lab, you will perform the following tasks:
1. Prepare for the Lab
2. Verify the Configuration of the NSX Manager Instances
3. Configure Primary and Secondary Roles for the NSX Manager Instances
4. Configure the Universal Segment ID Pool and the Universal Transport Zone
5. Create a Universal Logical Switch and Connect the Web Servers
6. Reconfigure the IP Address of the web-sv-02a Virtual Machine and Verify L2 Connectivity Between the Virtual Machines
7. Configure the Universal Firewall Policy

This lab must be performed as a team.

Task 1: Prepare for the Lab


You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere Web Client interface.
Use the following information from the class configuration handout:
Your site name
Your remote site
1. If the Internet Explorer window is closed, double-click the Internet Explorer icon on the student desktop.
2. If you are not logged in to the vSphere Web Client, log in to the vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_site_name bookmark.
b. When prompted, log in as administrator@vsphere.local and enter the password VMware1!.
3. In the Internet Explorer window, if the web-sv-01a console tab is not open, open the console tab.
a. On the vSphere Web Client Home tab, click Inventories > VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Point to the vSphere Web Client Home icon and click Networking & Security.
4. In the Internet Explorer window, open another tab and log in to the remote vSphere Web Client.
a. In the Internet Explorer window, click the vSphere Web Client - your_remote_site bookmark.
b. When prompted, log in as administrator@vsphere.local and enter the password VMware1!.
5. In the Internet Explorer window, if the web-sv-02a console tab is not open, open the console tab.
a. On the vSphere Web Client - your_remote_site Home tab, click Inventories > VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-02a.
c. Click Actions in the middle pane and select Open Console.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client - your_remote_site tab.
f. Point to the remote vSphere Web Client Home icon and select Networking & Security.
6. Select the vSphere Web Client - your_site_name tab in the Internet Explorer application.

Task 2: Verify the Configuration of the NSX Manager Instances

You verify the segment ID pools and the IDs of the VMware NSX Manager instances. The cross-vCenter NSX feature does not work properly if the segment ID pools and IDs overlap.
Use the following information from the class configuration handout:
IP address of nsxmgr-a
IP address of nsxmgr-b
1. Click the Installation link in the left navigation pane.
2. Click the Management tab in the middle pane.
3. Click the IP address of nsxmgr-a.
4. Click the Summary tab in the middle pane and record the ID value. __________
5. Click the arrow next to Networking & Security in the left navigation pane.
6. Click the IP address of nsxmgr-b.
7. Record the ID value in the Summary tab. __________

The ID values of the two NSX Managers must be different.

8. Click the arrow next to Networking & Security in the left navigation pane.
9. Click the Logical Network Preparation tab in the middle pane.
10. Click the Segment ID tab under Logical Network Preparation.
11. Select the IP address of nsxmgr-a from the NSX Manager drop-down menu.
12. Record the Segment ID pool value. __________
13. Select the IP address of nsxmgr-b from the NSX Manager drop-down menu.
14. Record the Segment ID pool value. __________

The Segment ID pool values must not overlap for the two NSX Manager instances.

Task 3: Configure Primary and Secondary Roles for the NSX Manager Instances
You promote one of the NSX Manager instances to the primary role. After the NSX Manager
instance is promoted, you register the other NSX Manager instance as secondary.
Use the following information from the class configuration handout:
IP address of nsxmgr-a
IP address of nsxmgr-b
IP range of NSX Controller nodes to be deleted
1. Click the Management tab in the middle pane.
2. Ensure that the IP address of nsxmgr-a is selected.
3. Click Actions and click Assign Primary Role.
4. Click Yes when the prompt appears.

nsxmgr-a is promoted to the Primary status. nsxmgr-b is standalone.


5. In the NSX Controller nodes section of the middle pane, select the VMware NSX Controller node with an IP address in the range of nodes to be deleted.
6. Click the red X icon to delete the NSX Controller node.
7. Click Yes when the prompt appears.
8. Repeat steps 5 through 7 to delete the remaining two NSX Controller nodes in the IP range of nodes to be deleted.
9. Select the IP address of nsxmgr-a in the NSX Managers section.
10. Click Actions and select Add Secondary NSX Manager.
11. Verify that the IP address of nsxmgr-b is populated in the NSX Manager field of the Add Secondary NSX Manager window.
12. Enter the user name admin and enter VMware1! in the Password and Confirm password text boxes.
13. Click OK.
14. Select Yes when prompted with nsxmgr-b's thumbprint.
15. Wait for a minute and refresh the vSphere Web Client.

The status of all the NSX Controller nodes should be green before proceeding to the next task. nsxmgr-a and nsxmgr-b use the same set of NSX Controller nodes.

Task 4: Configure the Universal Segment ID Pool and the Universal Transport Zone

You configure the universal segment ID pool and the universal transport zone for leveraging the universal objects like the universal logical switches.
Use the following information from the class configuration handout:
IP address of nsxmgr-a
IP address of nsxmgr-b
1. Click the Logical Network Preparation tab in the middle pane.
2. Ensure that the IP address of nsxmgr-a is selected next to NSX Manager in the middle pane.
3. Click the Segment ID tab.
4. Click Edit.
5. Enter 7000-7999 in the Universal Segment ID pool text box in the Edit Segments and Multicast Address Allocation window.
6. Click OK.
7. Click the Transport Zones tab in the middle pane.
8. Click the green plus sign.
9. Select the Mark this object for Universal Synchronization check box.
10. Enter Universal Transport Zone in the Name text box.
11. Leave the replication mode as Unicast.
12. Select the Compute and Management and Edge clusters in the Select clusters that will be part of the Transport Zone section.
13. Click OK.
14. Select the IP address of nsxmgr-b from the NSX Manager drop-down menu.

The universal transport zone is already replicated to the secondary NSX Manager.
15. Select Universal Transport Zone and click Actions.
16. Select Connect Clusters.
17. Select the Compute and Management and Edge check boxes.
18. Click OK.
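Task 2 records the NSX Manager IDs and local segment ID pools, and Task 4 adds the universal pool 7000-7999; none of these may collide or the cross-vCenter feature misbehaves. The following check, an added example that is not part of the lab or of NSX, takes the values recorded from the Summary and Segment ID tabs and reports any collision; the manager IDs and local pools in it are placeholders, only 7000-7999 comes from the lab.

```python
"""Consistency check for NSX Manager IDs and segment ID pools (Lab 22, Tasks 2 and 4).

Constructed example, not NSX's own code: the inputs are the values you record
from the Summary and Segment ID tabs. Pool values other than the lab's
universal pool 7000-7999 are placeholders.
"""
from typing import Dict, List, Optional, Tuple

SEGMENT_ID_MIN = 5000       # lowest segment ID NSX for vSphere accepts
SEGMENT_ID_MAX = 16777215   # ceiling of the 24-bit VXLAN Network Identifier

Pool = Tuple[int, int]


def parse_pool(text: str) -> Pool:
    """Parse a 'low-high' pool string as entered in the Segment ID tab."""
    low_s, sep, high_s = text.strip().partition("-")
    if not sep:
        raise ValueError(f"pool must be written as low-high: {text!r}")
    low, high = int(low_s), int(high_s)
    if low > high:
        raise ValueError(f"pool low end exceeds high end: {text!r}")
    if low < SEGMENT_ID_MIN or high > SEGMENT_ID_MAX:
        raise ValueError(f"pool outside {SEGMENT_ID_MIN}-{SEGMENT_ID_MAX}: {text!r}")
    return low, high


def pools_overlap(a: Pool, b: Pool) -> bool:
    """Closed ranges overlap unless one lies entirely before the other."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_managers(managers: Dict[str, Dict[str, str]],
                   universal_pool: Optional[str] = None) -> List[str]:
    """Return the list of problems; an empty list means the prerequisites hold.

    managers maps a manager name to {"id": <Summary tab ID>, "pool": <local pool>}.
    """
    problems: List[str] = []

    # Task 2 steps 4 and 7: the ID values of the two NSX Managers must differ.
    seen_ids: Dict[str, str] = {}
    for name, info in managers.items():
        if info["id"] in seen_ids:
            problems.append(f"{name} and {seen_ids[info['id']]} share NSX Manager ID {info['id']}")
        else:
            seen_ids[info["id"]] = name

    # Task 2 steps 12 and 14: local pools must not overlap each other, and
    # Task 4 step 5: the universal pool must not overlap any local pool either.
    pools = [(name, parse_pool(info["pool"])) for name, info in managers.items()]
    if universal_pool is not None:
        pools.append(("universal", parse_pool(universal_pool)))
    for i, (name_a, pool_a) in enumerate(pools):
        for name_b, pool_b in pools[i + 1:]:
            if pools_overlap(pool_a, pool_b):
                problems.append(f"segment ID pools of {name_a} {pool_a} and {name_b} {pool_b} overlap")
    return problems


if __name__ == "__main__":
    # Placeholder IDs and local pools; only 7000-7999 comes from the lab.
    recorded = {"nsxmgr-a": {"id": "1", "pool": "5000-5999"},
                "nsxmgr-b": {"id": "2", "pool": "6000-6999"}}
    print(check_managers(recorded, "7000-7999"))  # []
```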

Task 5: Create a Universal Logical Switch and Connect the Web Servers

You create a universal logical switch to extend Layer 2 connectivity between workloads running on hosts managed by different VMware vCenter Server systems.
1. Click the Logical Switches link in the left navigation pane.
2. Select the IP address of the primary NSX Manager from the NSX Manager drop-down menu.
3. Click the green plus sign to create a new logical switch.
4. Enter Universal-Web-Tier in the Name text box.
5. Click the Change link for Transport Zone and select Universal Transport Zone.
6. Click OK.
7. Click OK in the New Logical Switch window.
8. Select Universal-Web-Tier and click Actions.
9. Select Add VM.
10. Select web-sv-01a in the Available Objects pane and click the right arrow to move the object to the Selected Objects pane.
11. Click Next.
12. Select the check box next to web-sv-01a's network adapter and click Next.
13. Click Finish.
14. Select the IP address of nsxmgr-b from the NSX Manager drop-down menu.
15. Repeat steps 8 through 13 for the web-sv-02a virtual machine in the remote vCenter Server inventory.

Task 6: Reconfigure the IP Address of the web-sv-02a Virtual Machine and Verify L2 Connectivity Between the Virtual Machines

You reconfigure the IP address of the web-sv-02a VM to be on the same subnet as the web-sv-01a VM.
Use the following information from the class configuration handout:
IP address of web-sv-02a
Datastore
1. Click the web-sv-02a tab in the Internet Explorer application.
2. Enter the following command to change the IP address of the virtual machine.

ifconfig eth1 IP_address_of_web-sv-02a netmask 255.255.255.0

3. Enter the ping IP_address_of_web-sv-01a command to ping the web-sv-01a virtual machine.
4. Verify that ping gets a response.

The two virtual machines are running on different hosts, on different subnets managed by different vCenter Server systems. Using universal logical switches, you can achieve Layer 2 connectivity between the virtual machines.
5. Leave the ping command running on the web-sv-02a virtual machine.
6. Click the vSphere Web Client - your_site_name tab in the Internet Explorer window.
7. Point to Home and select Hosts and Clusters.
8. Select the web-sv-01a virtual machine located in Site-A-Datacenter.
9. Click Actions and click Rename.
10. Enter SiteA at the end of the virtual machine's name.
11. Click OK.
12. Click Actions and select Migrate.
13. Select Change both compute resource and storage and click Next.
14. Expand Site-B-Datacenter and expand Compute.
15. Select one of the VMware ESXi hosts in the Compute cluster.
16. Click Next.
17. Select the destination datastore in the Select storage window and click Next.
18. Select the Discovered virtual machine folder and click Next.
19. Select the logical switch that includes universalwire in its name from the Destination Network drop-down menu.


20. Click Next.
21. Click Next in the Select vMotion priority window.
22. Click Finish.
23. Click the web-sv-02a tab in the Internet Explorer application.

24. Verify that ping is still getting a response.
25. Click the vSphere Web Client - your_site_name tab in the Internet Explorer application.
26. Click the refresh icon to refresh the vSphere Web Client view.
27. Verify that web-sv-01aSiteA is moved to a host in Site-B-Datacenter.
NOTE

You performed a live migration of a virtual machine from one vCenter Server system to another without causing an outage and without the need to change the IP address of the virtual machine.
28. Point to the Home icon and select Networking & Security.

Task 7: Configure the Universal Firewall Policy


You configure the universal firewall policy and confirm that the policy is replicated to the secondary
NSX Manager. The cross-vCenter NSX feature allows an administrator to configure security
policies once and those policies follow the virtual machines as they are moved from one part of the
infrastructure to another.
1. Click the Firewall link in the left navigation pane.
2. Select the primary NSX Manager from the NSX Manager drop-down menu.
3. Scroll towards the right by using the scroll bar at the bottom of the page and click the folder icon to create a section.


4. Enter Universal Section as the section name.
5. Select the Mark this section for Universal Synchronization check box.
6. Click OK.
7. Click Publish Changes.
8. Scroll towards the right and click the green plus sign in the Universal Section row.
9. Expand Universal Section.
10. Point to the pencil icon in the Name column and click the pencil icon.
11. Enter web-sv-01a as the rule name and click OK.
12. Click the IP icon in the Destination column.
13. Enter the IP address of web-sv-01a virtual machine in the Value text box.
14. Click OK.

15. Click the pencil icon in the Service column.
16. Enter http in the filter text box and press Enter.
17. Select HTTP and HTTPS and move them to the Selected Objects pane.
18. Click OK.
19. Click Publish Changes.
20. Select the IP address of nsxmgr-b from the NSX Manager drop-down menu.

The Universal Section and the rule in the Universal Section are already replicated to the secondary NSX Manager.

Answer Key

Lab 2: Configuring and Deploying a VMware NSX Controller Cluster

Task 3: Verify That the First VMware NSX Controller Instance Is Operational (page 10)
1. Powered-on, based on the activated Play icon.
2. 2
3. 2,048 MB
4. 20 GB
5. Management
6. IP address assigned from the Controller-Pool created in task 2.
7. 5
8. Yes
9. All 5 roles
10. 4 or 5
11. 7 ports: 443, 2878, 2888, 3888, 6632, 6633, 7777

Task 5: Verify That the Second VMware NSX Controller Instance Is Operational (page 13)
1. Powered-on, based on the activated Play icon.
2. 2
3. 2048 MB
4. 20 GB
5. Management
6. IP address assigned from the Controller-Pool created earlier.
7. 5
8. Yes
9. Zero, none of the roles. Answers vary.

Task 7: Verify That the Third VMware NSX Controller Instance Is Operational (page 16)
1. Powered-on, based on the activated Play icon.
2. 2
3. 2048 MB
4. 20 GB
5. Management
6. IP address assigned from the Controller-Pool created earlier.
7. 5
8. Yes
9. Zero, none of the roles. Answers vary.

Lab 4: Preparing for Virtual Networking

Task 3: Configure VXLAN on the ESXi Hosts (page 27)
1. One
2. vds-Datacenter

Lab 5: Configuring Logical Switch Networks

Task 3: Verify That Logical Switch Port Groups Appear in vSphere (page 33)
1. Yes, the ID follows the sid keyword in the port group name.

Task 4: Migrate Virtual Machines to Logical Switches (page 34)
1. Yes
2. No

Task 5: Test Network Connectivity (page 35)
1. No
2. Yes
3. Yes, the web-sv-02a virtual machine.
4. No
5. No
6. East-West routing has not been established between the logical switch networks.
7. No
8. As is the case with East-West routing, North-South routing has not yet been established.

Task 6: Clean Up for the Next Lab (page 39)

Lab 6: Configuring and Deploying an NSX Distributed Router

Task 3: Verify the Distributed Router Deployment and Configuration (page 45)
1. Datastore selected during the deployment of the logical router.
2. Can be either host that is assigned to Management and Edge Cluster.
3. 1
4. 512 MB
5. 500 MB
6. 2.

Task 4: Test Connectivity (page 46)
1. Yes
2. Yes
3. Yes
4. Yes
5. Yes, the other node on the Web-Tier network and the router interface.
6. No
7. No
8. North-South routing is yet to be established.

Lab 7: Deploying an NSX Edge Services Gateway and Configuring Static Routing

Task 3: Verify the NSX Edge Gateway Deployment (page 55)
1. The datastore chosen during the deployment.
2. Can be any ESXi host in the Management and Edge cluster.
3. 1
4. 512 MB
5. 500 MB
6. 10
7. 2

Lab 8: Configuring and Testing Dynamic Routing on NSX Edge Appliances

Task 8: Troubleshoot Connectivity Between the Logical Switch Networks and the Management Network (page 67)
1. Yes
2. Yes
3. No, only directly connected subnets must be advertised.
4. Yes, Direct connected can be learned, which is sufficient.
5. No
6. No
7. No, Connected is the only selection. Static routes should be added.

Lab 10: Configuring L2 Bridging

Task 4: Examine the Network Connectivity Between Web VMs and Resolve the Issue (page 84)
1. No, because web-sv-01a is connected to a logical switch and web-sv-02a is connected to a port group with VLAN ID 10. An L2 bridge is required to establish connectivity between the two Web VMs.
2. Yes. The L2 bridge created in the previous steps established layer 2 connectivity between the two Web VMs.

Lab 11: Configuring and Testing Network Address Translation on an NSX Edge Services Gateway

Task 2: Verify Nontranslated Packet Addressing (page 88)
1. No

Task 5: Use the Destination NAT Translation to Test Connectivity (page 92)
1. The nontranslated IP address of web-sv-01a.
2. No, regardless of any TCP flag sequencing or handshake condition that might be set, the IP addresses do not match.

Lab 12: Configuring Load Balancing with NSX Edge Gateway

Task 7: Use the Packet Capture Capabilities of NSX Edge to Verify Round-Robin Load Balancing (page 102)
1. NAT
2. Because the load balancer is operating in nontransparent mode and proxying sessions between itself and the Web servers on behalf of the original client.
3. Transparent mode

Task 8: Examine NAT Rule Changes (page 104)
1. No, the original and translated IP addresses are both VIP1 IP address.
2. No
3. To force the traffic into the NAT logic of the NSX Edge services gateway where a member server can be selected and the actual destination NAT can be performed. Traffic received on the virtual server IP address must undergo a destination NAT translation after the destination server is selected from the pool, based on the configured load-balancing algorithm. Because server selection is dynamic, the destination NAT rule triggers the destination NAT operation where further logic can be applied.
4. No, a virtual server cannot operate on a pool of destination NAT-defined addresses. Such functionality would require recursive application of the NAT logic to each packet that is received. The system is not designed to accommodate that type of operation. Only one NAT rule can be applied to any packet received.
5. Uplink-Interface

Task 10: Reposition the Virtual Server and Examine NAT Rule Changes (page 106)
1. Yes
2. No
3. No, the operations are the same.
4. The destination NAT translation occurs on the outbound interface. In this case, vNic_2 facing the network that the member servers are attached to. The previous destination NAT rule was applied on the receiving interface because destination NAT rules must be applied on the interface connected to the network that contains the original IP address to be translated, regardless of ingress or egress.

Lab 14: Configuring NSX Edge High Availability

Task 2: Configure NSX Edge High Availability (page 121)
1. Two
2. Any of the ESXi hosts in the Management and Edge Cluster.
3. Any of the ESXi hosts in the Management and Edge Cluster, but on a different host than the other node.
4. Yes, by default, high availability peer nodes are maintained on different hosts.

Task 3: Examine the High Availability Service Status and Heartbeat (page 122)
1. Perimeter Gateway-0 is active. This node should be the same for all students at this stage.
2. Yes, as denoted in the Peer Host list.
3. Yes, both services are shown as running.

Task 4: Force a Failover Condition (page 123)
1. Perimeter Gateway-1 is active. This node should be the same for all students at this stage.
2. No, vshield-edge-#-0 is unreachable.
3. Yes, both services show as running.
4. Yes, from Perimeter Gateway-0 to Perimeter Gateway-1.

Task 5: Restore the Failed Node (page 124)
1. Perimeter Gateway-1 is active. This node should be the same for all students at this stage.
2. Yes
3. Yes, both services show as running.
4. No, the failover node remains active and the restored node assumes standby status.

Lab 15: Configuring Layer 2 VPN Tunnel

Task 10: Test Tunnel Connectivity (page 136)
1. The address of the web-sv-02a virtual machine.
2. The MAC address of web-sv-02a because the tunnel wraps Layer 2 traffic and when decapsulated, the hardware address is preserved.
3. Yes
4. Yes, tunnel decapsulation ensures original source MAC/IP address.

Lab 17: Configuring and Testing SSL VPN-Plus

Task 8: Review the Client Configuration and Examine Traffic (page 155)
1. IP address of the remote gateway:443
2. Web-Tier subnet/255.255.255.0
3. An IP address from the range configured for the IP pool

Lab 18: Using NSX Edge Firewall Rules to Control Network Traffic

Task 3: Determine How the Firewall Rule Interacts with Other NSX Edge Features (page 163)
1. No

Lab 19: Using the VMware NSX Distributed Firewall Rules to Control Network Traffic

Task 4: Restrict Inbound Web Server Traffic to HTTP and HTTPS (page 169)
1. Distributed Firewall rules work on true source and destination addresses and objects. Such rules are not affected by transforms (such as destination NAT translations) performed by NSX Edge devices.