VCP-NV Blueprint v1.0 Geoff Wilmington @vWilmo
VCP-NV Study Guide

All demonstrations are done using the vSphere Web Client wherever the task can be performed there. The C# client is only used where there are no other alternatives. The Web Client is where NSX is managed, time to get over it.

Section 1 – Define VMware NSX Technology and Architecture

Objective 1.1 – Describe the Benefits of a VMware NSX Implementation
- Identify challenges within a physical network infrastructure
  o Vendor-specific
  o Rigid
  o Complex
  o Slow to provision / manual provisioning
  o Limited by physical equipment and topology
- Explain common VMware NSX terms
  o Logical Switching
    - Capable of reproducing both Layer 2 and Layer 3 switching functions virtually, fully decoupled from the underlying physical hardware
  o NSX Gateway
    - Layer 2 gateway for connectivity to physical workloads and legacy VLANs
  o Logical Routing
    - Routing provided to logical switches, and dynamic routing between virtual networks
  o Logical Firewall
    - Distributed firewall that runs in the kernel at line rate, is virtualization- and identity-aware, and has activity monitoring
  o Logical Load Balancer
    - Fully featured load balancer with SSL termination
  o Logical VPN
    - Site-to-Site and Remote Access software VPN
  o NSX API
    - RESTful API for cloud management platform integration
- Describe and differentiate functions and services performed by VMware NSX
  o NSX is completely decoupled from the physical hardware. The physical hardware only provides the packet-forwarding environment that the software-defined networks use. The virtual networks NSX provides can be reconfigured on the fly and repurposed, which allows network services to move with the virtual machine workload or be added and removed at will.
  o NSX allows the reproduction of an entire networking environment from Layer 2 through Layer 7 entirely in software. NSX also allows load balancers, VPN, routers and firewalls to be integrated when logical network services are deployed, without any difference to the other workload configurations.
  o NSX has a RESTful API. This allows workflows to be created that can deploy large- or small-scale networks in a matter of seconds rather than the days, weeks or months typical of a physical deployment. It also means that no underlying physical infrastructure changes are necessary to deploy a new network configuration.
  o NSX has Service Composer, which allows network services to be consumed through policies. Policies can be assigned to one machine or to groups of machines. Any new virtual machine that is added to a group inherits that group’s policy automatically. This makes it quick to provision workloads with similar network service needs against a single policy.
  o NSX can extend its capabilities through third-party integrated services. These include third-party firewalls, load balancers and application delivery services through vendor partnerships.
- Describe common use cases for VMware NSX
  o Data Center Automation
    - Sped-up network provisioning
    - Simplified service insertion, both physical and virtual
    - Streamlined DMZ changes
  o Self-Service Enterprise IT
    - Rapid app deployment that includes automated network and service provisioning for private clouds and test/dev
    - Isolated test/dev/prod that can exist on the same physical infrastructure
  o Multi-tenant clouds
    - Automated network provisioning for tenants that is fully customizable and completely isolated
    - Maximizes hardware sharing across tenants
Objective 1.2 – Describe VMware NSX Architecture
- Identify the components in a VMware NSX stack
  o Consumption
    - Cloud Management Platforms
  o Management Plane
    - NSX Manager
      o Centralized network management
      o Housed in a virtual appliance
      o Provides an aggregated system view of network components
      o Maps 1:1 with a vCenter
      o Maps 1:many with NSX Edge, vShield Endpoint, and NSX Data Security
  o Control Plane
    - NSX Controller
      o Distributed state management system
      o Controls virtual networks and overlay transport tunnels
      o Central control point for all logical switches
      o Maintains information about
        - All virtual machines
        - Hosts
        - Logical Switches
        - VXLANs
      o Supports three modes
        - Multicast
          o Requires PIM/IGMP on the physical network equipment for the VXLAN control plane. Really only used when upgrading from older legacy environments
        - Unicast
          o Replicates Broadcast, Unknown Unicast, and Multicast (BUM) traffic on the local host and requires nothing from the physical network to do so
        - Hybrid
          o Some of the BUM traffic is offloaded for performance reasons to the first-hop switch. Requires IGMP snooping but not PIM on the first-hop switch
      o Removes the need for PIM and IGMP multicast protocols on physical network hardware
    - NSX Edge
      o Provides edge security and gateway services to isolate virtualized networks
      o Can be installed as
        - Logical distributed router
          o Provides East-West routing in tenant IP space and data path isolation. Provides same-host inter-VLAN routing without traversing a traditional router interface
        - Services gateway
          o Provides common services such as DHCP, VPN, NAT, dynamic routing and load balancing to connect isolated and stub networks to uplink networks
          o Typically deployed for
            - DMZ
            - VPN
            - Extranets
            - Multi-tenant cloud environments
      o Provides the following services
        - Dynamic Routing
        - Firewall
        - Network Address Translation (NAT)
        - Dynamic Host Configuration Protocol (DHCP)
        - Site-to-Site Virtual Private Network (VPN)
        - L2 VPN
        - SSL VPN-Plus
        - Load Balancing
        - High Availability
        - Multi-interface Edge
  o Data Plane
    - NSX vSwitch
      o Operates in the hypervisor
      o Software abstraction layer between servers and the physical network
      o Allows virtual workloads to exist on any physical datacenter network infrastructure
      o Host-level kernel modules
        - Port Security
        - VXLAN
        - Distributed firewall (DFW)
        - Distributed Routing (DR)
      o Supports VXLAN, STT, and GRE
      o Overlay network which provides
        - Flexible Layer 2 over existing IP networks without physical redesign
        - East-West and North-South communications
        - Isolation between tenants
        - Independence from the underlying network: VMs and workloads appear to be on the same physical Layer 2 network
      o Scales massively with the hypervisor
      o Features
        - Port Mirroring
        - NetFlow/IPFIX
        - Config backup and restore
        - Network Health Check
        - QoS
        - LACP
        - Toolkit for
          o Traffic Management
          o Monitoring
          o Troubleshooting
- Identify common physical network topologies
  o Production networks vary greatly from environment to environment. There are several types of networking topologies, such as leaf/spine, Layer 2 fabric, and multi-tier. The most common in datacenters being adapted for network virtualization is the multi-tier topology.
  o Multi-tier
    - A layered network approach consisting of core, distribution, and access tiers
    - Common layouts for Multi-Tier
      o Core
        - Consists of highly redundant, usually expensive and very fast switching/routing hardware. Provides the fast switching for the datacenter
      o Distribution
        - Consists of smarter routers that typically handle QoS, routing and filtering, and/or WAN connectivity for the environment
      o Access
        - The layer in which users or servers connect into the network. Usually composed of port-dense, ‘cheaper’ switches that may or may not leverage Layer 3 capabilities
  o Leaf-Spine
    - Leaf switches
      o Typically located Top-of-Rack, within a cabinet
      o Minimally configured on the server side
      o Can be configured with LACP or LBT on the server side to ensure reliability in case of link failure
      o Server-side connections have VLANs with SVIs
      o Spine-side connection is a point-to-point Layer 3 link running a dynamic routing protocol like BGP, OSPF, or IS-IS. Prefixes are advertised to determine equal-cost multi-pathing
    - Spine switches
      o Only connect to leaf switches
      o All ports are routed ports providing a point-to-point link to each leaf switch
      o Spine-to-spine links are not typically required
      o Run routing protocols to provide a view of the entire environment and route traffic accordingly
    - Common layouts for leaf-spine
      o Edge Racks
        - Provide connectivity from the datacenter to edge networks
        - Connect to VLANs in the physical network
        - Host centralized physical services
      o Infrastructure Racks
        - Provide the management resources for the environment
          o vCloud Director
          o vCenter
          o NSX Manager
          o NSX Controllers
          o Cloud Management Platforms
        - Could be where storage is provided from as well
      o Compute Racks
        - Provide the compute resources for tenant/datacenter environments
        - Interoperate with the existing network
        - Repeatable design
        - VLANs do not extend past the rack
        - VLANs are not needed for VMs within the rack; this is handled by VXLAN
- Describe a basic NSX topology
  o This was the best picture I could find to describe a basic NSX topology
  o Consists of
    - Physical Servers
    - Network switches
    - Multi-hypervisor
    - Virtual Data Plane
      o NSX Switch
        - vSphere Distributed Switches
        - Open vSwitch
      o Edge Services Router
    - Control Plane
      o NSX Controller Cluster
    - Management Plane
      o NSX Manager
      o NSX API
      o Partner Extensibility
      o Operations
    - Cloud
      o Cloud Management Platforms
- Differentiate functional services delivered by a VMware NSX stack
  o Logical Layer 2
    - Enables the extension of a Layer 2 IP subnet anywhere within the NSX fabric irrespective of the underlying physical infrastructure
  o Distributed Layer 3 Routing
    - Routing can be done in the hypervisor and doesn’t require a physical router. When used in conjunction with NSX Edge, it allows the virtual network to extend to and interoperate with the physical network via routing protocols like OSPF, BGP, and IS-IS
  o Distributed Firewall
    - Security is enforced in the kernel at the vNIC level. This removes the physical bottlenecks that would be created by sending traffic to a physical appliance. Also, since it is done in the kernel, security is enforced at line rate
  o Logical Load-balancing
    - SSL termination for Layer 4 – 7 services
  o SSL VPN Services
    - Used to enable Layer 2 VPN services
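The three controller modes listed under Objective 1.2 (multicast, unicast, hybrid) differ in who replicates a broadcast/unknown-unicast/multicast (BUM) frame and therefore in what the physical network must support. The following Python model is an added example, not code from this guide or from VMware: it computes, for a constructed set of VTEPs spread over three rack subnets, what the source VTEP puts on the wire in each mode and which remote VTEPs must replicate again. Picking the first VTEP in a remote subnet as the proxy (UTEP/MTEP) is a simplification standing in for the controller's own choice.

```python
"""Added example, not code from the guide or VMware: a model of how the three controller
modes under Objective 1.2 replicate one BUM frame, so the difference in what the physical
network must support becomes concrete.  VTEP names and addresses are constructed; the
choice of the first VTEP in a remote subnet as proxy stands in for the controller's choice."""
from collections import defaultdict
from ipaddress import ip_interface

# Constructed transport network: VTEPs in three rack subnets (one transport VLAN each).
VTEPS = {
    "vtep-a1": "10.10.1.11/24", "vtep-a2": "10.10.1.12/24",
    "vtep-b1": "10.10.2.11/24", "vtep-b2": "10.10.2.12/24", "vtep-b3": "10.10.2.13/24",
    "vtep-c1": "10.10.3.11/24",
}


def group_by_subnet(vteps):
    """Subnet -> VTEP names.  The subnet is what the first-hop switch sees as one L2 domain."""
    groups = defaultdict(list)
    for name, cidr in vteps.items():
        groups[ip_interface(cidr).network].append(name)
    return groups


def replicate(source, mode, vteps=VTEPS):
    """What the source VTEP puts on the wire for one BUM frame on a logical switch spanning
    all VTEPs.  Returns (wire, proxies): wire is a list of ('mcast'|'ucast', destination),
    proxies are the remote VTEPs (UTEP/MTEP) that must replicate again inside their subnet."""
    groups = group_by_subnet(vteps)
    local_net = ip_interface(vteps[source]).network
    wire, proxies = [], []
    if mode == "multicast":
        # one frame to the segment's multicast group; PIM routes it between subnets, IGMP inside
        wire.append(("mcast", "segment-group"))
    elif mode == "unicast":
        # head-end replication to every VTEP in the local subnet...
        wire += [("ucast", n) for n in groups[local_net] if n != source]
        # ...plus one copy per remote subnet, to a UTEP that fans out locally (unicast again)
        for net, members in groups.items():
            if net != local_net:
                wire.append(("ucast", members[0]))
                proxies.append(members[0])
    elif mode == "hybrid":
        # local subnet: L2 multicast, so the first hop only needs IGMP snooping
        wire.append(("mcast", "segment-group-local"))
        # remote subnets: unicast to one MTEP each, which re-multicasts in its own subnet
        for net, members in groups.items():
            if net != local_net:
                wire.append(("ucast", members[0]))
                proxies.append(members[0])
    else:
        raise ValueError(f"unknown mode {mode}")
    return wire, proxies


def underlay_requirements(mode):
    """Multicast protocols the physical network must run for each mode (from the guide's text)."""
    return {"multicast": {"PIM", "IGMP"}, "hybrid": {"IGMP snooping"}, "unicast": set()}[mode]


if __name__ == "__main__":
    for mode in ("multicast", "unicast", "hybrid"):
        wire, proxies = replicate("vtep-b1", mode)
        print(mode, len(wire), "frame(s) from source; proxies:", proxies,
              "; underlay needs:", underlay_requirements(mode))
```

Running it for vtep-b1 shows the trade-off the guide describes: multicast mode costs the source one frame but needs PIM and IGMP in the underlay, unicast mode needs nothing from the underlay but the source sends one copy per local VTEP plus one per remote subnet, and hybrid mode sits between the two.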
Objective 1.3 – Differentiate VMware Network and Security Technologies
- Identify upgrade requirements for ESXi hosts
  o Hardware
    - Always refer to the VMware HCL when upgrading to check whether the hardware you’re using is still on the HCL or has fallen off. New versions deprecate many older hardware types
- Identify steps required to upgrade a vSphere implementation
  o In a typical vSphere implementation that consists of only core vSphere technologies, the traditional upgrade path is as follows
    - vCenter Server
      o Check the VMware Product Interoperability Matrix first
      o Back up the vCenter database
      o Back up SSL certs
      o Run the Host Upgrade Checker and resolve issues
      o Upgrade components using Simple Install or Custom Install depending on needs
        - vCenter Server
        - vSphere Web Client
        - ESXi Dump Collector
        - Syslog Collector
        - Auto Deploy
        - Authentication Proxy
        - Enable IPv6 Support (if necessary)
        - Linked Mode
      o Re-apply Licensing
    - vSphere Update Manager
      o Back up the VUM database
      o Upgrade VUM
      o Update the VUM plug-in
    - vSphere Hosts
      o Back up the host configuration
      o Migrate all VMs off the host
      o Upgrade to the new version of ESXi
      o Apply any custom VIBs if necessary
      o Re-license if necessary
      o Repeat on remaining hosts
    - Upgrade VM hardware and Tools
      o Take VM snapshots that will remove themselves after a period of time, if necessary
      o Upgrade Hardware and Tools
      o Check functionality
- Describe core vSphere networking technologies
  o vSphere Standard Switch
    - Behaves similarly to a physical switch
    - Sends traffic from one VM to another
    - Can be connected to physical switches via uplink adapters
    - Does not, however, have the advanced functionality of a physical switch
  o Standard Port Group
    - Used to create port configuration options
      o Bandwidth limits
      o VLAN tagging
    - Defines how the virtual switch and the physical switch are connected
    - Typically one or more port groups are associated with a vSphere standard switch
  o vSphere Distributed Switch
    - A switch that is capable of spanning multiple hosts in a datacenter
    - Centralized provisioning, administration and monitoring for virtual networks
    - Configured at the vCenter level
    - Helps to maintain consistency across multiple hosts for VMs
  o Host Proxy Switch
    - Hidden on each host
    - Associated with the Distributed Switch
    - Replicates the network configuration set on the distributed switch
  o Distributed Port
    - Connects a port to a host VMkernel or VM network adapter
  o Distributed Port Group
    - Associated with the Distributed Switch
    - Sets configuration options for the member ports connected
    - Defines how a connection is made from the Distributed Switch to the network
  o NIC Teaming
    - Multiple network connections associated to a single switch
    - Provides failover or load-sharing capabilities depending on configuration
  o VLAN
    - Standard 802.1Q
    - Allows a network to be segmented to further isolate traffic, as if the segments were physically connected using different connections
  o VMkernel TCP/IP Networking Layer
    - Provides connectivity to hosts
    - Handles infrastructure traffic duties
      o IP Storage
      o vMotion
      o Management
      o Fault Tolerance
      o Virtual SAN
  o IP Storage
    - Block- or file-based network storage
    - Uses IP for connectivity
      o iSCSI
      o NFS
  o TCP Segmentation Offload
    - Allows the TCP/IP stack to emit large (up to 64KB) frames even when the MTU is smaller
    - The network adapter separates the larger frame into smaller MTU-sized frames and adjusts the TCP/IP headers
- Describe vCloud Networking and Security technologies
  o Firewall Services
    - Stateful inspection firewall
    - Can be placed at the
      o Perimeter
        - vCloud Networking and Security Edge
      o vNIC
        - vCloud Networking and Security App
          o Uses vCenter objects to create policy upon
          o Provides multiple vNICs for network segmentation
  o NAT
    - Maps network to port addresses
    - DMZ capabilities
    - No need to manually change IP addressing
    - Common application layer gateway protocol enablement
  o VPN
    - Standard IPsec VPN
    - Supports standard IKE and AES encryption engines
  o SSL
    - Implemented at the Edge Gateway
    - Resembles a JumpBox or Bastion host implementation for remote troubleshooting
    - Approach enables a smaller attack surface
    - Good for audits and security administration
  o Load Balancer
    - Provides load balancing capabilities
    - Increases availability
    - Supports server LB algorithms
      o Round-robin
      o Cookie-based
      o Session-based
  o Edge High Availability
    - Provided through a pair of Edge devices
    - Active/Standby
    - Continuously synchronized
    - Fails over after 10 seconds of session loss to resume traffic
  o Data Security
    - Security for Windows-based servers
    - Scans CIFS shares
    - Uses template-based scanning
    - Used to identify improperly secured and access-controlled files
  o VXLAN
    - UDP based
    - Used to extend a Layer 2 subnet across disparate Layer 3 segments
    - Not held to the 4096 VLAN limit
    - Capable of 16 million segments
    - Does not require any additional physical hardware
    - vCNS Edge performs the VXLAN-to-VLAN translations
    - Enterprise Plus Edition required to provide troubleshooting and traffic stats
  o vCloud Ecosystem Framework
    - Standard APIs that allow third-party tool integration
- Describe and differentiate VMware NSX for vSphere and VMware NSX for third-party hypervisors
  o Physical hardware/networking components
    - Network hardware
      o vSphere NSX
        - Same/No differences
      o Third-Party
        - Same/No differences
    - Physical Servers
      o vSphere NSX
        - Same/No differences
      o Third-Party
        - Same/No differences
  o NSX Components
    - Data Plane
      o vSphere
        - vSphere Distributed Switch
      o Third-Party
        - Open vSwitch
    - Control Plane
      o vSphere
        - Virtual Distributed Switch enables multicast-free VXLAN
        - Control plane programming of the Virtual Distributed Router
      o Third-Party
        - Controller programs the vSwitch forwarding plane
    - Management Plane
      o vSphere
        - Can be accessed via the NSX Manager interface or through the vSphere Web Client UI
      o Third-Party
        - Only accessible through the NSX Manager interface
    - Cloud Management Platform
      o vSphere
        - VMware vCloud Automation Center
        - vCloud Director
        - OpenStack Neutron Plug-in for NSX
      o Third-Party
        - OpenStack Neutron Plug-in for NSX
        - CloudStack
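The VXLAN bullets under Objective 1.3 (UDP based, a 24-bit segment ID giving 16 million segments instead of 4096 VLANs) are easier to remember once the header has been built by hand. The following Python is an added example, not code from this guide or from VMware: it encapsulates a constructed inner Ethernet frame into a UDP/VXLAN datagram and decapsulates it again with the validation a VTEP has to do before it trusts the VNI. The outer IP and Ethernet headers are omitted; the MAC addresses and inner frame are constructed sample data.

```python
"""Added example, not code from the guide or from VMware: the VXLAN framing the guide
describes (UDP based, 24-bit segment ID for 16 million segments) as a small encapsulate/
decapsulate pair with the validation a VTEP must do.  MAC addresses and the inner frame are
constructed sample data."""
import struct
import zlib

VXLAN_PORT = 4789                 # IANA-assigned UDP port for VXLAN
FLAG_VNI_VALID = 0x08             # 'I' bit: the VNI field is valid
MAX_VNI = (1 << 24) - 1           # 16,777,215 segments versus 4094 usable 802.1Q VLANs


def vxlan_header(vni):
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} outside 24-bit range")
    return struct.pack("!B3sI", FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)


def entropy_source_port(inner_frame):
    """Outer UDP source port derived from the inner MAC header, so a leaf/spine underlay
    can ECMP different inner flows across different spines (RFC 7348, section 5)."""
    return 49152 + (zlib.crc32(inner_frame[:14]) % 16384)


def encapsulate(vni, inner_frame):
    """UDP header + VXLAN header + untouched inner Ethernet frame (outer IP/Ethernet omitted)."""
    payload = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_PORT, 8 + len(payload), 0)
    return udp + payload


def decapsulate(datagram):
    """Validate and strip the UDP+VXLAN headers; returns (vni, inner_frame).
    A VTEP must reject frames with bad reserved bits or without the I flag rather than
    guessing, otherwise a malformed packet could be delivered to the wrong segment."""
    if len(datagram) < 16 + 14:
        raise ValueError("truncated VXLAN datagram")
    _, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != VXLAN_PORT:
        raise ValueError("not addressed to the VXLAN port")
    if length != len(datagram):
        raise ValueError("UDP length does not match datagram")
    flags, reserved, vni_field = struct.unpack("!B3sI", datagram[8:16])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    if reserved != b"\x00\x00\x00" or vni_field & 0xFF:
        raise ValueError("reserved bits must be zero")
    return vni_field >> 8, datagram[16:]


def inner_ethernet(frame):
    """Destination MAC, source MAC and EtherType of the inner frame, which the receiving
    VTEP uses to deliver the frame to the right VM port on the logical switch."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst.hex(":"), src.hex(":"), ethertype


def is_well_formed(datagram):
    """True if a VTEP would accept the datagram, False if any check in decapsulate fails."""
    try:
        decapsulate(datagram)
        return True
    except ValueError:
        return False


# Constructed inner frame: VM-to-VM IPv4 (EtherType 0x0800) with a dummy 20-byte payload.
SAMPLE_FRAME = (bytes.fromhex("005056000001") + bytes.fromhex("005056000002")
                + b"\x08\x00" + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    dg = encapsulate(5001, SAMPLE_FRAME)
    print(len(dg), "bytes on the wire for a", len(SAMPLE_FRAME), "byte inner frame")
    print(decapsulate(dg)[0], inner_ethernet(SAMPLE_FRAME))
```

The source-port derivation is the detail worth noticing for the leaf/spine sections later in this guide: because the outer UDP source port varies per inner flow, routed ECMP links between leaf and spine can spread VXLAN traffic without inspecting the inner headers.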
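The TCP Segmentation Offload bullets under Objective 1.3 describe the stack handing the NIC one frame of up to 64KB and the NIC splitting it into MTU-sized frames with adjusted headers. The following Python is an added example, not code from this guide or from VMware: it performs that split in software so the header adjustments (fresh IP id and total length, recomputed IP checksum, advancing TCP sequence number, PSH only on the last segment) are visible. Addresses and ports are constructed.

```python
"""Added example, not code from the guide or VMware: what a TSO-capable NIC does with the
oversized frame the TCP/IP stack hands it, as the guide describes (one large send, split
into MTU-sized segments with adjusted TCP/IP headers).  Addresses and ports are constructed."""
import struct

TCP_PSH, TCP_ACK = 0x08, 0x10


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; verifies to 0 over a header whose checksum is filled in."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ident, payload_len):
    """20-byte IPv4 header (no options), DF set, protocol 6 = TCP, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_tcp(sport, dport, seq, ack, flags):
    """20-byte TCP header; the TCP checksum is left 0 because the NIC computes that as well."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def tso_segment(src, dst, sport, dport, seq, ack, data, mtu=1500, ident=1):
    """Split one send of up to 64KB into packets that fit the MTU.  Each packet gets a fresh IP
    id, correct total length and checksum, and a TCP sequence number advanced by the bytes
    already carried; PSH is set only on the final segment."""
    if len(data) > 65535:
        raise ValueError("TSO send exceeds 64KB")
    mss = mtu - 40                      # MTU minus IPv4 and TCP headers without options
    packets = []
    for offset in range(0, len(data), mss):
        chunk = data[offset:offset + mss]
        last = offset + len(chunk) == len(data)
        tcp = build_tcp(sport, dport, seq + offset, ack, TCP_ACK | (TCP_PSH if last else 0))
        ip = build_ipv4(src, dst, ident, len(tcp) + len(chunk))
        ident = (ident + 1) & 0xFFFF
        packets.append(ip + tcp + chunk)
    return packets


def parse_segment(packet):
    """(ip_total_length, tcp_seq, tcp_flags, payload) of one emitted packet."""
    total_len = struct.unpack("!H", packet[2:4])[0]
    seq = struct.unpack("!I", packet[24:28])[0]
    return total_len, seq, packet[33], packet[40:]


def reassemble(packets):
    """Reverse of tso_segment (what the receiving stack effectively does); also checks each IP header."""
    ordered = sorted(packets, key=lambda p: parse_segment(p)[1])
    if any(ipv4_checksum(p[:20]) != 0 for p in ordered):
        raise ValueError("bad IP checksum")
    return b"".join(parse_segment(p)[3] for p in ordered)


if __name__ == "__main__":
    pkts = tso_segment(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 40000, 443, 1000, 1, b"x" * 4000)
    for p in pkts:
        print(parse_segment(p)[:3])
```

A 4000-byte send at the default 1500-byte MTU produces three packets of 1500, 1500 and 1120 bytes whose sequence numbers advance by 1460 each; that is exactly what a packet capture taken on the physical side of a TSO-enabled vmnic shows, while a capture on the VM side shows the single large frame.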
Objective 1.4 – Contrast Physical and Virtual Network Technologies
- Differentiate logical and physical topologies
  o Logical network topologies
    - Easier to scale methodically using software methods and automated scripting of new networks
    - Rely on compute hardware to provide the CPU and RAM resources that drive network connectivity, routing and switching, as well as the other edge services that make the topology functional
  o Physical network topologies
    - Scaling requires more equipment
    - Require routers/Layer 3 switches to provide inter-VLAN communication
    - Typically configured in a tiered approach where each piece of equipment performs a specific duty
- Differentiate logical and physical components (i.e. switches, routers, etc.)
  o Logical
    - Switches
      o Rely on physical compute resources to provide the switching power required for the networking topology
      o Can be added, edited, and/or removed very quickly
      o Can be configured with new networks quickly
    - Routers
      o Rely on physical compute resources to provide the switching power required for the networking topology
      o Can be added, edited, and/or removed very quickly
      o Can be configured to route traffic regardless of the underlying infrastructure, in ways that infrastructure was not designed for, with no changes to it
      o Can be peered with physical routers as needed, like any other router, through Layer 3 routing protocols
      o East-West routing decisions happen within the hypervisor
    - Cabling
      o Connections are established through VTEPs and broken down by logical switches at the Layer 2 and Layer 3 network boundaries
      o Physical cabling is no longer required; all new and existing networks are carried over VXLAN segment IDs that ride an underlying transport VLAN on the physical switch
  o Physical
    - Switches
      o Generally high cost and very fast
      o Scaling requires either more switches combined into a stack configuration or adding more blades with more ports to a chassis
      o ASIC driven
    - Routers
      o Generally high cost and very fast
      o Interfaces are typically high bandwidth and very costly
      o Typically deployed redundantly and rely on software load balancing and/or first-hop gateway protocols to ensure high availability of network access
      o Can be peered with logical routers as needed through Layer 3 routing protocols
    - Cabling
      o Copper cabling is typically used at the access layer, although fiber optics can be used for access layer connectivity to physical servers
- Differentiate logical and physical services (i.e. firewall, NAT, etc.)
  o Logical
    - Firewall
      o Kernel- and vNIC-level application
      o Highly scalable by being applied within the kernel
      o Low overhead
      o Line rate performance
      o Can be used to enforce East-West as well as North-South policies
    - NAT
      o Can be configured in an HA type of configuration that survives host failure using vSphere HA and provides as little downtime as possible for end users
      o Can easily be re-deployed if the appliance is broken
    - Load Balancer
      o Can be configured in an HA type of configuration
      o Different types of load balancers, depending on need, can be inserted into NSX to provide a diversity of services and vendor options simply in software
      o Workloads are distributed across servers
    - VXLAN
      o Requires a VLAN on a physical switch to provide the transport network; however, no additional configuration is required
      o The number of logical switches that can be created can be expanded and contracted easily
    - SSL VPN
      o Can be configured in an HA type of configuration that survives host failure using vSphere HA and provides as little downtime as possible for end users
      o Can easily be re-deployed if the appliance is broken
  o Physical
    - Firewall
      o Typically a hardware appliance, and very fast depending on traffic workloads
      o Next-generation firewalls provide L4-L7 packet inspection and policy enforcement as well as unified threat management
      o Typically used to enforce North-South traffic policies
      o Configured in HA to ensure reliability and availability of protection services
      o Limited by hardware
    - NAT
      o Typically performed at the firewall level
      o Can be performed by a router
    - Load Balancer
      o Typically hardware appliances that are configured in an HA format
      o Capable of scaling to large numbers of connections but constrained to the resources inherent in the hardware
    - SSL VPN
      o Typically handled at the firewall level, possibly in an HA pair configuration
      o Limited by hardware resources and hardware network constraints
- Differentiate between physical and logical security constructs
  o The key point is that logical security constructs free the administrator from having to manage separate physical devices separately.
  o With service integration into NSX, you can manage the entire set of security groupings, endpoint services and data security from one policy that can be applied to any number of virtual machines in exactly the same way.
  o Typically, in a physical approach, one would have to go into each device and set up each service independently, often from a different vendor. This results in human error and security policies and services being applied incorrectly.
  o Being logical, you now also have the ability to apply security services to users and applications as well as virtual machines.
Objective 1.5 – Explain VMware NSX Integration with Third-Party Products and Services
- Describe integration with third-party hypervisors
  o The NSX Multi-hypervisor version is required to work with KVM
  o Uses Open vSwitch instead of the vSphere Distributed Switch
- Describe integration with third-party cloud automation
  o NSX supports third-party cloud management platforms such as OpenStack
  o NSX’s REST API allows integration, management and automation
- Describe integration with third-party services
  o Network services
    - There’s no mention of F5 in the blueprint or in the documents that the blueprint references; however, from a network services standpoint, F5 does offer integration for L3-L7 services
    - F5 BIG-IP/BIG-IQ
      o Provides more granular control over load-balancing aspects
      o Used in conjunction with BIG-IQ to manage all load balancers within the datacenter
  o Security services
    - Palo Alto Networks
      o Extends the East-West security of traffic with NSX
      o Provides uniformity of firewall interfaces if also using Palo Alto hardware firewalls
      o Provides anti-malware, Intrusion Prevention Systems, URL filtering, and file and content blocking
      o Can be used in conjunction with Panorama to globally manage security policies and provide reporting
      o Integrates with NSX security policies and containers with regard to virtual machines, users, and applications, which can be updated dynamically
      o Scales linearly just like the distributed kernel-based NSX firewall: any new host gets a Palo Alto VM firewall appliance
- Describe integration with third-party hardware
  o Network Interface Cards
    - NSX integration with third-party NICs is contingent upon how those NICs are presented to the vSphere host. With regard to UCS, they are virtual NICs and are not capable of LACP bonding. Take this into consideration when designing.
  o Terminating overlay networks
    - With regard to Cisco UCS, UCS Adapter vNICs cannot establish LACP to the Fabric Interconnects. If you use one VTEP vmknic per vSphere host, choose a teaming policy of Fail Over. This will restrict VXLAN-encapsulated traffic to one vNIC
- Manually register a third-party service with NSX
  o Register
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Service Definitions’
    - Select the ‘+’
    - Input a ‘Name’
    - Input a ‘Version’ as necessary
    - Select a ‘Service Manager’
    - Input a ‘Description’ as necessary
    - Select a ‘Deployment Mechanism’
    - Select the ‘+’ under Attributes as necessary
      o Input a ‘Key’
      o Input a ‘Name’ as necessary
      o Input a ‘Value’ as necessary
    - Select a ‘Service Categories’ as necessary
    - The ‘Configure Service Manager’ tab comes up if you selected ‘Create New Service Manager’ in the ‘General Properties’ tab
      o Input a ‘Name’
      o Input a ‘Description’ as necessary
      o Input an ‘Administration URL’ as necessary
      o Input a ‘Base API URL’ as necessary
      o Input a ‘Name’ under ‘Credentials’ as necessary
      o Input a ‘Password’ under ‘Credentials’ as necessary
      o Input a ‘Retype Password’ under ‘Credentials’ as necessary
      o Input a ‘Thumbprint’ under ‘Credentials’ as necessary
      o Input a ‘Vendor ID’ under ‘Vendor Details’ as necessary
      o Input a ‘Vendor Name’ under ‘Vendor Details’ as necessary
    - Select the ‘+’ under ‘Add service configurations’ as necessary
      o Input a ‘Configuration ID’
      o Input a ‘Name’
      o Input a ‘Description’ as necessary
      o Select the ‘+’ under Attributes as necessary
        - Input a ‘Key’
        - Input a ‘Name’ as necessary
        - Input a ‘Value’ as necessary
    - Select the ‘+’ under ‘Add profile configurations’ as necessary
      o Input a ‘Configuration ID’
      o Input a ‘Name’
      o Input a ‘Description’ as necessary
      o Select the ‘+’ under Attributes as necessary
        - Input a ‘Key’
        - Input a ‘Name’ as necessary
        - Input a ‘Value’ as necessary
    - Select a ‘Transports’
    - Confirm
- Install a third-party service with NSX
  o Install
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installations’
    - Select ‘Service Deployments’
    - Select the ‘+’
    - Select a ‘Select services’ from the list
    - Select a ‘Specify Schedule’ as necessary
      o Deploy now
      o Schedule the deployment
    - Select a ‘Datacenter’
    - Select a ‘Cluster’ from the list
    - Select a ‘Datastore’
    - Select a ‘Network’
    - Select an ‘IP assignment’
    - Confirm
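Objective 1.5 states that NSX's REST API is what third-party cloud platforms use for integration and automation. The following Python is an added example, not code from this guide or from VMware, of driving that API directly from the standard library: it lists transport zones and creates a logical switch in one of them. The endpoint paths and XML element names (/api/2.0/vdn/scopes, /api/2.0/vdn/scopes/{scopeId}/virtualwires, virtualWireCreateSpec, the UNICAST_MODE/HYBRID_MODE/MULTICAST_MODE values) are given from memory of the NSX for vSphere 6.x API and should be confirmed against the NSX API guide for your version; the manager address, credentials and sample response are constructed.

```python
"""Added example (not from the guide or VMware): driving the NSX for vSphere REST API the
guide mentions, here to list transport zones and create a logical switch.  Endpoint paths
and XML element names follow the NSX-v 6.x API as recalled (/api/2.0/vdn/scopes and
/api/2.0/vdn/scopes/{scopeId}/virtualwires); confirm them against your NSX API guide.
Manager address, credentials and the sample response are constructed."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

CONTROL_PLANE_MODES = {"UNICAST_MODE", "HYBRID_MODE", "MULTICAST_MODE"}


def logical_switch_spec(name, control_plane_mode="UNICAST_MODE", tenant="", description=""):
    """Build the <virtualWireCreateSpec> body for a new logical switch.  The control plane
    mode maps to the multicast/unicast/hybrid replication modes from Objective 1.2."""
    if control_plane_mode not in CONTROL_PLANE_MODES:
        raise ValueError(f"unknown control plane mode: {control_plane_mode}")
    root = ET.Element("virtualWireCreateSpec")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "tenantId").text = tenant
    ET.SubElement(root, "controlPlaneMode").text = control_plane_mode
    return ET.tostring(root, encoding="unicode")


def parse_transport_zones(xml_text):
    """Map transport zone name -> objectId from a GET /scopes response."""
    root = ET.fromstring(xml_text)
    return {z.findtext("name"): z.findtext("objectId") for z in root.iter("vdnScope")}


def nsx_request(manager, path, user, password, method="GET", body=None, cafile=None):
    """One authenticated call to NSX Manager.  TLS verification stays on: pass the CA (or the
    manager's exported certificate) as cafile instead of disabling checks, because whoever
    can impersonate the manager can reprogram every logical network."""
    url = f"https://{manager}/api/2.0/vdn{path}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=body.encode() if body else None, method=method,
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/xml", "Accept": "application/xml"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()


def create_logical_switch(manager, user, password, zone_name, switch_name, cafile=None):
    """List transport zones, pick one by name, POST a virtualwire spec into it.
    NSX-v returns the new virtualwire id as the response body (assumption, verify)."""
    _, zones_xml = nsx_request(manager, "/scopes", user, password, cafile=cafile)
    scope_id = parse_transport_zones(zones_xml)[zone_name]
    spec = logical_switch_spec(switch_name)
    status, body = nsx_request(manager, f"/scopes/{scope_id}/virtualwires", user, password,
                               method="POST", body=spec, cafile=cafile)
    return status, body.strip()


# Constructed sample of what GET /api/2.0/vdn/scopes returns (trimmed to the fields used).
SAMPLE_SCOPES = """<vdnScopes>
  <vdnScope><objectId>vdnscope-1</objectId><name>TZ-Global</name>
    <controlPlaneMode>UNICAST_MODE</controlPlaneMode></vdnScope>
  <vdnScope><objectId>vdnscope-2</objectId><name>TZ-DMZ</name>
    <controlPlaneMode>HYBRID_MODE</controlPlaneMode></vdnScope>
</vdnScopes>"""

if __name__ == "__main__":
    print(parse_transport_zones(SAMPLE_SCOPES))
    print(logical_switch_spec("web-tier", "HYBRID_MODE", tenant="tenant-a"))
```

The same pattern (list the container object, then POST a spec into it) is what a cloud management platform plug-in does on every tenant network request, which is why the manager's API credentials and certificate deserve the same handling as a vCenter administrator account.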
Objective 1.6 – Explain VMware NSX Integration with vCloud Automation Center (vCAC)
- Describe integration with vCAC
  o Network Profiles
    - Network Interface Configuration
    - NSX Edge Services Router Configuration
  o Security Groups
  o Reservation Configuration
    - External Network Profile
    - Transport Zone
    - Routed Gateway
- Explain NSX deployment capabilities built into vCAC
  o Using Network Profiles, vCAC can deploy NSX capabilities such as
    - Logical switches
    - Logical routers
    - Load Balancers
    - Network services
      o NAT
      o IPAM
      o DHCP
- List NSX components that can be pre-created using vCAC
  o Logical switches
  o Logical routers
  o Transport Zone
- Describe Network Profiles available in vCAC
  o Routed
    - Gives you the ability to provide IP addressing to a tier or N-Tier application
  o NAT
    - Gives you the ability to provide a 1:1 or 1:Many NAT profile. Makes a great profile for deploying overlapping IP space
  o Private
    - No external connectivity. An isolated network
- Explain NSX preparation tasks that must be completed prior to attaching a network profile to a blueprint
  o NSX Manager must be registered as a vCenter endpoint in vCAC first
  o A data collection must be run to gather in resources
  o A Network Profile needs to be built
    - Configure a Network Profile
      o Routed
      o NAT
      o Private
    - An IP range must be selected or generated
- Explain vCAC preparation tasks that must be completed prior to deploying a machine with on-demand network services
  o NSX Manager must be registered as a vCenter endpoint in vCAC first
  o A data collection must be run to gather in resources
  o A Network Profile needs to be built
    - Configure a Network Profile
      o Routed
      o NAT
      o Private
    - An IP range must be selected or generated
  o A machine blueprint must be created
    - Single
    - Multi-Machine
  o Network profile associated
  o Publish blueprint for deployment
Section 2 – Plan and Configure vSphere Networking
Objective 2.1 – Define Benefits of Running VMware NSX on Physical Network Fabrics
Identify physical network topologies (Layer 2 Fabric, Multi-Tier, Leaf/Spine, etc.) o Layer 2 Fabric This is typically a large layer 2 broadcast domain that allows mobility within workloads due to not having to change IP addressing. The traffic is all contained within the same broadcast domain and all endpoints can talk to all endpoints. o Multi-Tier Core Consists of highly redundant, usually expensive and very fast pieces of switching/routing hardware. Provides the fast switching for the datacenter Distribution Consists of smarter routers that typically handle QoS, routing and filtering, and/or WAN connectivity for the environment Access The layer in which users or servers connect into the network. Usually composed of highly dense per-port connection ‘cheaper’ switches and may or may not leverage layer 3 capabilities. o
Leaf/Spine Typically composed of a spine/aggregation layer where all network ports are layer 3 routed point-to-point links to the Leaf switches. Loss of a spine switch results in the Layer 3 routing protocol, OSPF, BGP, IS-IS, re-routing traffic around the affected node so as not to interrupt services. Links can be and are typically over-subscribed. Identify physical network trends o Didn’t find anything in any of the documents on this specifically so I’m going to assume they’re referring to what physical networks look like in most datacenters. o Most of the architectures you’d probably encounter are Cisco-style architectures. o Multi-tier Collapsed core The most common being the Access, Distribution, and Core configurations. Some organizations collapse their Core layer into their Distribution layer. In smaller organizations this may make more sense from a cost perspective as the typical Distribution and Core layers are comprised of very expensive pieces of hardware 3 Layer Comprised of an access layer for end user and server connectivity, a distribution layer for security, QoS, and routing services, and a high-
VCP-NV Blueprint v1.0 Geoff Wilmington @vWilmo speed switching Core layer for incredibly fast switching where traffic doesn’t really need to leave that switch. Typically found in larger organizations that need massive amounts of ports at the access layer and high speed switching at the core. Scales out decently.
o
Leaf/Spine Not necessarily a Cisco-style approach although Cisco is adopting this style of architecture. Spine/Aggregation o Typically comprised of high bandwidth switches/routers that run nothing but layer 3 protocols to create the network o Has a connection to every leaf in the topology but doesn’t necessarily have connectivity to another spine. o Scales out easily, however cost may be a factor due to port and connector costs being high as the ports are usually 10Gb/40Gb. They need to be this large to satisfy the bandwidth requirements that could come from a leaf node Leaf o The number of leaf ports is equal to the number of spine switches. Every leaf is connected to every spine o Typically layer 2 on one side, and layer three on the other. Point-to-point layer 3 links connect the leaf to the spine Explain the purpose of a Spine node o Only connect to leaf switches o All ports are routed ports providing a point-to-point link to each leaf switch o Spine-to-spine links not typically required o Run routing protocols to provide a view of entire environment and route traffic accordingly Explain the purpose of a Leaf node o Located typically Top-of-Rack and within a cabinet o Minimally configured on the server side o Can be configured with LACP or LBT on the server side to ensure reliability in case of link failure o Server side connections have VLANs with SVIs o Spine side connection is point-to-point Layer 3 connection running a dynamic routing protocol like BGP, OSPF, or IS-IS. Prefixes are advertised to determine equal-cost multipathing Identify virtual network topologies (Enterprise, Service Provider Multi-Tenant, Multi-Tenant Scalable) o Enterprise Could be setup as a collapsed or separate cluster scenario depending on size of environment
        Typically flat networks depending on size, but could span multiple VLANs depending on VM needs
        Most likely would only span one VDS
        Would follow a Leaf/Spine or multi-tiered network device approach from a hardware standpoint
        Would have an Edge Services router connected to a physical router via Layer 3
        North-South and East-West decisions happen at the hypervisor layer
    o Service Provider Multi-Tenant
        This type of configuration has separate tenant infrastructures where all necessary services are contained within the tenant. This includes security, routing and virtual infrastructures.
        Connections outside the tenant would be some type of Layer 2 or Layer 3 communication into the service provider backbone.
        East-West traffic is handled in the hypervisor in a distributed fashion
        North-South traffic is handled by the NSX Edge Services router
    o Multi-Tenant Scalable
        Same configuration from a tenant perspective as the Service Provider Multi-Tenant configuration
        Simply add another tenant connected to an NSX Edge Services router, which is connected to the external network
Explain benefits of Multi-Instance TCP/IP stack
    o I assume this is in reference to being able to run the same or different instances of TCP/IP completely independent of each other
    o This provides the ability to run multiple instances of the same virtual machine with the same IP addressing without the two knowing about each other. Provides the ability to test or run applications with a common configuration multiple times.
    o This allows an organization with limited IP space to overlap IP addressing and create the same environment multiple times
Describe challenges in a Layer 2 Fabric topology
    o Broadcast domain size can get very large.
    o MAC address tables and forwarding tables can get extremely large, much larger than hardware switches can provide. Most Cisco switches support up to 8000 unique MACs in their CAM tables
Describe challenges in a Multi-Tier topology
    o Scales decently. Easy to add access layer ports, but could result in higher costs due to more distribution or core layer needs
    o Access layer switches could be oversubscribed through port ASIC sharing and not provide non-blocking full bandwidth to each port
Describe challenges in a Leaf/Spine topology
    o The biggest visible challenge is cabling. All spine nodes need connections to all leaf nodes. This results in a cost challenge depending on port type, i.e. 10GbE, SFP, OM3 fiber, etc.
    o Oversubscription could present a challenge if not properly designed for. Depending on the number of servers and hosts below the ToR leaf switches, there could be a demand that exceeds the uplinks to the spine layer.
Differentiate physical/virtual QoS implementation
    o Physical QoS
        Provides Layer 2 and Layer 3 classifications
        Has to classify traffic at the switch level
    o Virtual QoS
        Allows tenant-based traffic classification
        The hypervisor sets the traffic classification and represents the trust boundary
        When virtual QoS is used, the physical network trusts the QoS headers in the VXLAN encapsulation and prioritizes accordingly
Differentiate single/multiple vSphere Distributed Switch (vDS) Distributed Logical Router implementations
    o Single
        A single VDS deployment is constrained to one VLAN that provides the VXLAN transport zone
    o Multiple
        A multiple VDS deployment would peer via Layer 3 to extend the VXLAN transport zone across racks
Differentiate NSX Edge High Availability (HA)/Scale-out NSX Edge HA implementations
    o HA NSX Edge
        Active/standby configuration
        A first hop redundancy protocol is used for the default gateway
        On Edge failure, the standby Edge assumes the IP address and a GARP is sent
    o Scale-out NSX Edge
        Layer 3 peered by routing protocols to physical routers, which all peer with a distributed virtual router. Provides multiple paths out of the distributed router to the core network
Differentiate Collapsed/Separate vSphere Cluster topologies
    o Collapsed topology
        I assume they’re referring to running all management components in the same cluster as you would normal workload servers
        Resources that could otherwise be used for workloads have to be shared with the management components.
    o Separate topology
        I assume they’re referring to separating management duty servers into their own cluster and keeping normal workload servers in their own
        Management servers have their own resources to pull from that do not detract from the normal workload servers’ cluster. All normal workload servers would consume the compute cluster resources.
Differentiate Layer 3 and Converged cluster infrastructures
    o Layer 3
        This follows the compute, infrastructure, and edge rack scenario
        Allows maximum scalability with the addition of a rack
        All racks are Layer 3 connected, with the NSX Edge devices peering via Layer 3 routing protocols
    o Converged
        I assume this means keeping all the management components in the same cluster with the rest of the workloads.
        Scales poorly
        Flat Layer 2 connectivity as a VLAN
Objective 2.2 – Describe Physical Infrastructure Requirements for a VMware NSX Implementation
Identify management and edge cluster requirements
    o Management/Infrastructure cluster
        Houses vCenter, NSX Manager, NSX Controllers, CMP, and any other IP storage related components
        Should be able to scale and offer high availability of services
        No tenant-specific addressing
    o Edge cluster
        Bridges the overlay network world with the physical network world
        NSX Edge is placed here to maintain separation
        Highly available
Describe minimum/optimal physical infrastructure requirements for a VMware NSX implementation
    o Minimum
        Existing networks are just fine for deployments. Support for multi-tier and leaf/spine networks
        MTU would need to be increased to 1600, or fragmentation would occur
        A separate management cluster that’s not
    o Optimal
        Leaf/Spine configuration with separate compute, infrastructure, and edge resource racks
        Leaf – ToR switching with ECMP connectivity to the Spine layer, high-bandwidth interconnects to all Spine nodes
        Spine – fully Layer 3 routed, high-bandwidth interconnects to all Leaf nodes
        Compute racks
            o Repeatable design
            o No VLANs for virtual machines
            o VLANs do not extend past the compute racks
        Infrastructure racks
            o Houses all the management components
            o Houses IP storage
        Edge racks
            o Hosts centralized services
            o Provides the bridge between the physical and virtual worlds
Describe how traffic types are handled in a physical infrastructure
    o All traffic types are given their own physical VLAN to provide the Layer 2 boundary for the network
    o A vSphere host typically sources 3 or more traffic types: management, tenant, IP storage and vMotion. These traffic types are usually separated into physical VLANs, with Layer 3 SVIs on the leaf nodes in their respective racks acting as the gateways for their Layer 2 networks
Determine use cases for available virtual architectures
Describe ESXi host vmnic requirements
    o MTU set to 1550 or higher, preferably 1600
    o Connected to a trunk port on a switch to allow multiple VLANs to span its connection
Differentiate virtual to physical switch connection methods
    o Virtual
        Virtual switch connections can be established regardless of the underlying infrastructure. Can scale to many ports without needing to change anything on the physical layer
    o Physical
        Physical switch connections are limited to the physical ports within a piece of hardware
        Any new connection requires running a new cable
        Scale depends on equipment and architecture
Describe VMkernel networking recommendations
    o vmknic IP configuration per traffic type in the respective VLAN or subnet
    o Static route configuration per subnet, to handle proper traffic routing to the respective gateways
Section 3 – Configure and Manage vSphere Networking
Objective 3.1 – Configure and Manage vSphere Standard Switches (vSS)
Identify vSS capabilities
    o Provides network connectivity to hosts and virtual machines
    o VLAN tagging
    o Security
        MAC Address Changes
        Promiscuous Mode
        Forged Transmits
    o Traffic Shaping
    o Failover and Load Balancing
    o Total virtual network switch ports per host is 4096
    o Maximum active ports per host is 1016
    o Port groups per standard switch is 512
    o vSS port groups per host is 1000
Add/Configure/Remove vmnics on a vSS
    o Add vmnic
        Open the vSphere Web Client
        Select ‘vCenter’
        Select ‘Hosts and Clusters’
        Select a host
        Select ‘Manage’
        Select ‘Networking’
        Select ‘Virtual Switches’
        Select a vSwitch from the list
        Select the network card icon
        Select the ‘+’ icon
        Select a vmnic from the list
        Select OK
        Verify from the display that the vmnic was added
    o Configure vmnic
        Open the vSphere Web Client
        Select ‘vCenter’
        Select ‘Hosts and Clusters’
        Select a host
        Select ‘Manage’
        Select ‘Networking’
        Select ‘Physical adapters’
        Select a vmnic from the list
        Select the ‘pencil’ icon to edit
        Make the change
        Select OK
    o Remove vmnic
        Open the vSphere Web Client
        Select ‘vCenter’
        Select ‘Hosts and Clusters’
        Select a host
        Select ‘Manage’
        Select ‘Networking’
        Select ‘Virtual Switches’
        Select a vSwitch from the list
        Select the network card icon
        Select a vmnic from the list
        Select the ‘X’ icon to remove the vmnic
        Select OK
        Verify from the display that the vmnic was removed
Configure VMkernel ports for network services
    o Configure
        Open the vSphere Web Client
        Select ‘vCenter’
        Select ‘Hosts and Clusters’
        Select a host
        Select ‘Manage’
        Select ‘Networking’
        Select ‘VMkernel adapters’
        Select the ‘Add host networking’ icon
        Select ‘VMkernel Network Adapter’ and click Next
        Choose either a new vSS or an existing one from the menu and click Next
        Label the network, select the VLAN ID if necessary, set the IP settings and TCP/IP stack, select any services that are necessary and click Next
        Input the IP address information for the interface and click Next
        Confirm
Add/Edit/Remove port groups on a vSS
    o Add
        Open the vSphere Web Client
        Select ‘vCenter’
        Select ‘Hosts and Clusters’
        Select a host
        Select ‘Manage’
        Select ‘Networking’
        Select ‘Virtual Switches’
        Select the ‘Add host networking’ icon
        Select ‘Virtual Machine Port Group for a Standard Switch’
        Choose either a new vSS or an existing one from the menu and click Next
        Label the network, select the VLAN ID if necessary and click Next
        Confirm
    o Edit
        Open the vSphere Web Client
        Select ‘vCenter’
        Select ‘Hosts and Clusters’
        Select a host
        Select ‘Manage’
        Select ‘Networking’
        Select ‘Virtual Switches’
        In the diagram below that shows the port groups, click on the name of the port group. This brings up the ‘pencil’ icon to edit
        Edit any of the settings
            Properties
            Security
            Traffic Shaping
            Teaming and Failover
        Confirm
    o Remove
        Open the vSphere Web Client
        Select ‘vCenter’
        Select ‘Hosts and Clusters’
        Select a host
        Select ‘Manage’
        Select ‘Networking’
        Select ‘Virtual Switches’
        In the diagram below that shows the port groups, click on the name of the port group. This brings up the ‘X’ icon to remove
        Confirm
Determine use cases for a vSphere Standard Switch
    o Licensing concerns; available in all versions of vSphere
    o Advanced features like NIOC are not needed in the environment
        If there are no advanced features that would require the vDS, using the vSS is a better choice
    o vSphere Standard Switches are easy to configure and manage for small environments, especially when used in conjunction with Host Profiles to ensure consistency of configuration across hosts.
Objective 3.2 – Configure and Manage vSphere Distributed Switches (vDS)
Identify vDS capabilities
    o Centralized management and monitoring of the networking of all hosts that it is associated with
    o Provides unified configuration across all hosts to ensure configuration uniformity
    o Associated at the Datacenter level
    o A hidden host proxy switch houses the settings on each host for the vDS
    o Capable of 60000 ports per distributed switch
    o Capable of 128 distributed switches per vCenter
    o Capable of 16 distributed switches per host
    o Distributed switches can span up to 1000 hosts
    o Total virtual network switch ports per host 4096
    o Maximum active ports per host 1016
Create/Delete a vDS
    o Create
        Open the vSphere Web Client
        Select ‘vCenter’
        Select ‘Hosts and Clusters’
        Right Click on the Datacenter object and select ‘New Distributed Switch’
        Name the switch and click Next
        Select the appropriate version based on the version of vSphere running on the hosts in the cluster. Functions that are available in each version are listed
        Select the number of uplinks that each host will provide to the switch, enable Network I/O Control if necessary, create a default port group if you’d like (I avoid) and name the new port group. Click Next.
        Confirm
    o Delete
        To delete, first ensure that no hosts are connected to the switch!
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and go down to ‘All vCenter Actions’
        Select the ‘Remove from Inventory’ option
        Confirm
Add/Remove ESXi hosts from a vDS
    o Add
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Add and Manage Hosts’
        From this screen you can simply add hosts, or add hosts and manage host networking at the same time
        Select ‘Add hosts’ and click Next
        Select the ‘New Hosts’ button
        Check the boxes of the hosts you want to add and click OK
        Confirm and click Next
        Only select ‘Manage physical adapters’ for now and click Next
        Select the vmnics on each host that you want to add as uplinks and click ‘Assign uplink’
        Assign which uplink that vmnic will be, or click on ‘Auto Assign’, and click OK when finished
        Repeat for any other hosts you’re adding and click Next when finished
        Verify any impacts and click Next
        Confirm
    o Remove
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Add and Manage Hosts’
        Select the ‘Remove hosts’ option and click Next
        Click on the ‘Attached Hosts’ button
        Check the box of the host you want to remove and click OK
        Confirm and click Next
        Confirm again
Edit general vSphere vDS settings
    Open the vSphere Web Client
    Select ‘Networking’
    Select the datacenter where the switch resides
    Select the switch
    Select the ‘Manage’ button
    Select the ‘Settings’ button to open the general settings
    Topology
        o Shows the uplinks, VMkernel adapters and VMs connected and how they are connected to the dvSwitch.
        o Modifications can be made to nearly every point of the dvSwitch from this view
    Properties
        o General properties of the dvSwitch
        o Name, MTU, number and names of uplinks, discovery protocols and NIOC
    LACP
        o Allows LACP LAG configurations on the dvSwitch for connections to multiple switches
        o Change LAG names, port count, mode and load-balancing techniques
    Private VLAN
        o Allows the ability to add private VLANs that are configured on the physical switches
    NetFlow
        o Enables NetFlow connections; edit the collector details and sampling rates
    Port mirroring
        o Enables configuration of mirroring of port traffic to an external source
        o SPAN, RSPAN, ERSPAN and mirroring to another distributed port
    Health check
        o When enabled, monitors VLAN, MTU and Network Adapter Teaming issues at a 1 minute interval
Add/Configure/Remove dvPortgroups
    o Add
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click and select ‘New Distributed Port Group’
        Name the port group and click Next
        Configure port binding
        Configure port allocation – elastic is a good default
        Configure the number of ports
        Select a network resource pool if necessary
        Select a VLAN
        Configure advanced default policies if necessary
        Click Next when ready
        Confirm
    o Configure
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Select the port group you’d like to configure
        Right Click on the port group you’d like to change
        Select ‘Edit Settings’
        Change settings
        Confirm
    o Remove
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Select the port group you’d like to remove
        Right Click the port group and go down to ‘All vCenter Actions’
        Select the ‘Remove from Inventory’ option
        Confirm
Configure dvPort settings
    o Configure
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Select the port group containing the port you’d like to modify
        Select the ‘Ports’ button
        Select a port from the list and click the ‘pencil’ button that shows up
        Change settings
        Confirm
Add/Remove uplink adapters to dvUplink groups
    o Add
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Add and Manage Hosts’
        Select ‘Manage host networking’
        Select the ‘Attached hosts’ button
        Check the box(es) of the hosts you’d like to add an adapter to and click OK
        Select ‘Manage physical adapters’
        Select a vmnic and then select ‘Assign uplink’
        Select the uplink number to assign the vmnic to and click OK
        Verify impact
        Confirm
    o Remove
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Add and Manage Hosts’
        Select ‘Manage host networking’
        Select the ‘Attached hosts’ button
        Check the box(es) of the hosts you’d like to remove an adapter from and click OK
        Select the vmnic and then select ‘Unassign adapter’
        Confirm the message
        Verify impact
        Confirm
Create/Configure/Remove virtual adapters
    o Create
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Add and Manage Hosts’
        Select ‘Manage host networking’
        Select the ‘Attached hosts’ button
        Check the box(es) of the hosts you’d like to add an adapter to and click OK
        Select ‘Manage VMkernel adapters’
        Select ‘New Adapter’
        Choose a distributed port group
        Select the IP stack
        Enable any services necessary
            vMotion
            Fault Tolerance
            Management
            Virtual SAN
        Input IP settings or select DHCP
        Confirm
    o Configure
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Add and Manage Hosts’
        Select ‘Manage host networking’
        Select the ‘Attached hosts’ button
        Check the box(es) of the hosts you’d like to configure an adapter on and click OK
        Select ‘Manage VMkernel adapters’
        Select the vmk and select ‘Edit adapter’
        Make changes
        Confirm
        Verify impact
        Confirm
    o Remove
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Add and Manage Hosts’
        Select ‘Manage host networking’
        Select the ‘Attached hosts’ button
        Check the box(es) of the hosts you’d like to remove an adapter from and click OK
        Select ‘Manage VMkernel adapters’
        Select the vmk and select ‘Remove’
        Verify impact
        Confirm
Migrate virtual adapters to/from a vSS
    o Migrate to
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Add and Manage Hosts’
        Select ‘Manage host networking’
        Select the ‘Attached hosts’ button
        Select ‘Manage VMkernel adapters’
        Select the vmk you want to migrate and select ‘Assign port group’
        Select the port group
        Confirm
        Verify impact
        Confirm
    o Migrate from
        Open the vSphere Web Client
        Select ‘Hosts and Clusters’
        Select the datacenter where the switch resides
        Select the host that has the vmk to migrate
        Select the ‘Manage’ tab
        Select ‘Virtual Switches’
        Select the vSwitch you want to move to
        Select the fourth icon from the left, ‘Migrate a VMkernel network adapter to the selected switch’
        Select the vmk to migrate
        Name the vmk and select the VLAN ID if necessary
        Verify impact
        Confirm
Migrate virtual machines to/from a vDS
    o Migrate to
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Add and Manage Hosts’
        Select ‘Manage host networking’
        Select the ‘Attached hosts’ button
        Select ‘Migrate virtual machine networking’
        Select the VM(s) you want to move
        Select ‘Assign port group’
        Select a port group
        Confirm
    o Migrate from
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Migrate VM to Another Network’
        Select the source network, the dvportgroup
        Select the destination network, the vSwitch VM network
        Select the VM(s) you want to move
        Confirm
Monitor dvPort state
    o Monitor
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Expand and select the dvportgroup containing the port you want to monitor
        Select ‘Ports’
        Select the port to monitor
        Select the leftmost icon to start monitoring
        Confirm you see the ‘Time Statistics Updated’ and other columns in the pane updating
        Stop when complete
        Review
Determine use cases for a vDS
    o The biggest use case for the vDS is managing the network connectivity of a large number of hosts. The vDS allows standardization of networking configurations throughout a datacenter.
    o The vDS has advanced features not available on the vSS, such as Network I/O Control and port monitoring capabilities.
Objective 3.3 – Configure and Manage vSS and vDS Policies
Identify common vSS and vDS policies
    o Common to both vSS and vDS
        Security
            Promiscuous Mode
            MAC address changes
            Forged transmits
        Traffic Shaping
        VLAN
        Teaming and Failover
Configure dvPortgroup blocking policies
    o Configure
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Expand and select the dvportgroup containing the port you want to block
        Select ‘Ports’
        Select the port to block
        Select the ‘pencil’ button
        Select ‘Miscellaneous’
        Check the ‘Override’ box to block the port
        Confirm
Configure load balancing and failover policies
    o Configure load balancing
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Expand and select the dvportgroup you want to configure
        Right Click and select ‘Edit Settings’
        Select ‘Teaming and failover’
        Configure load balancing
            Route based on IP hash (requires EtherChannel on the physical switch side)
                o Choose an uplink based on a hash of the source and destination IP addresses of each packet. For non-IP packets, whatever is at those offsets is used to compute the hash
            Route based on source MAC hash
                o Choose an uplink based on a hash of the source Ethernet MAC address
            Route based on originating virtual port
                o Choose an uplink based on the virtual port where the traffic entered the switch
            Use explicit failover order
                o Always use the highest-order active link from the list
            Route based on physical NIC load (vDS only)
                o Choose an uplink based on the load of the physical NICs
    o Configure failover policies
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Expand and select the dvportgroup you want to configure
        Right Click and select ‘Edit Settings’
        Select ‘Teaming and failover’
            Link Status Only
                o Depends entirely on the link status of the network connection. Doesn’t take into account any misconfiguration on the switches themselves unless that misconfiguration results in the link status being down. Detects cable pulls or power failures.
            Beacon Probing (don’t use with IP-hash load balancing)
                o Sends and listens to beacons on all NICs in addition to link status. Detects the types of failures that link status alone can’t detect.
            Notify switches (don’t use with Microsoft NLB in unicast mode)
                o Whenever there is a failover event, a notification is sent to the switch to update its address tables
            Failback
                o If set to Yes, the physical adapter that failed, if higher in the order, will be returned to active duty immediately
                o If set to No, the physical adapter will not switch back to active duty until the second physical adapter
            Failover order (don’t configure standby with IP-hash load balancing)
Configure VLAN settings
    o Configure
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Expand and select the dvportgroup you want to configure
        Right Click and select ‘Edit Settings’
        Select ‘VLAN’
            None
                o No VLAN tagging applied
            VLAN
                o One VLAN can be applied
                o Virtual Switch Tagging: 1-4095
                o Virtual Guest Tagging: 4095
            VLAN Trunking
                o Multiple VLANs can be applied, comma separated
            Private VLAN
                o Associates traffic with a private VLAN
Configure traffic shaping policies
    o Configure
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Expand and select the dvportgroup you want to configure
        Right Click and select ‘Edit Settings’
        Select ‘Traffic shaping’
            Ingress/Egress traffic shaping
                o Average Bandwidth
                    Sets the number of bits per second allowed to travel across a port, averaged over a period of time
                o Peak Bandwidth
                    Can’t be smaller than average. The combined total of the average bandwidth and the burst bonus
                o Burst Size
                    Maximum size of burst traffic allowed
Enable TCP Segmentation Offload (TSO) support for a virtual machine
    o Configure
        The VM’s network adapter must be VMXNET 2 (Enhanced) or VMXNET 3
        If the VM does not have this, copy the MAC address from the old network adapter, create a new one using this adapter type and replace the MAC address with the old one.
        Supported for Windows 2000 and higher versions
        TSO requires enablement in three places
            o VMkernel
                Typically enabled by default
            o VM
                Open the vSphere Web Client
                Select ‘VMs and Templates’
                Select the VM (VM must be offline!)
                Right Click and select ‘Edit Settings’
                Select ‘VM Options’
                Select the ‘Advanced’ section
                Select ‘Edit Configuration’
                Add the line ethernetX.features = “0x2”, where ‘X’ is the number of the vNIC of the VM.
                Confirm
            o Guest OS
                Nothing required unless you’re running Windows 2000
Enable Jumbo Frame support on appropriate components
    o Comments
        Jumbo Frames must be enabled end-to-end. This means on all pieces of networking from the host to the switch to the storage devices
        Involves increasing the MTU from 1500, with 9000 being the maximum
    o Enable vSS
        Open the vSphere Web Client
        Select ‘Hosts and Clusters’
        Select a host
        Select ‘Networking’
        Select ‘Virtual switches’
        Select a vSS
        Select the ‘pencil’ to edit settings
        Select ‘Properties’
        Increase MTU to 9000
        Confirm
    o Enable vDS
        Open the vSphere Web Client
        Select ‘Networking’
        Select the datacenter where the switch resides
        Select the switch
        Right Click the switch and select ‘Edit Settings’
        Select ‘Advanced’
        Increase MTU to 9000
        Confirm
    o Enable VMkernel
        Has to be enabled at the host level for each VMkernel adapter
        Open the vSphere Web Client
        Select ‘Hosts and Clusters’
        Select a host
        Select ‘Networking’
        Select ‘VMkernel adapters’
        Select a vmk from the list
        Select the ‘pencil’ icon
        Select ‘NIC settings’
        Increase MTU to 9000
        Confirm
    o Enable VM
        Just as with TCP Segmentation Offload, the only requirement from the VM perspective is a network adapter that is VMXNET 2 (Enhanced) or VMXNET 3.
Determine appropriate VLAN configuration for a vSphere implementation
    o Avoid using VLAN 1, as it is the default VLAN and is a security risk
    o I tend to configure VLANs for all traffic types. This spreads out the broadcast domains for each traffic type. Enables easier troubleshooting and better security. The physical adapters that come into each host are trunked for all necessary VLANs to traverse the links. Each VMkernel is configured with the appropriate VLAN for each traffic type and IP addressing.
        IP Storage
        Management
        vMotion
        Fault Tolerance
        Virtual SAN
        Virtual Machine Network(s)
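The VLAN trunking field described above takes a comma-separated list of VLAN IDs and hyphenated ranges, and the recommendation is to keep VLAN 1 off the host uplinks and to trunk only the VLANs each traffic type needs. The following Python is an added example (not part of this guide or of VMware’s software) that parses that trunk specification and reviews it against a per-traffic-type VLAN plan. The plan values, the function names and the review policy are this example’s own; the 802.1Q limits (IDs 0-4094 usable in a range, 4095 reserved by vSphere for Virtual Guest Tagging) are standard.

```python
"""Parse and review a vSphere port group VLAN trunk specification.

Added example for this study guide, not VMware code.  The input grammar
(comma-separated VLAN IDs and hyphenated ranges, e.g. "10,20-30,100") is the
format the 'VLAN trunking' setting accepts; the review policy (flag VLAN 1,
compare against the per-traffic-type VLAN plan) is this example's own.
"""
import re
from typing import Dict, List, Set, Tuple

VLAN_MIN, VLAN_MAX = 0, 4094   # IDs a trunk range may contain; 0 means untagged frames
VGT_ID = 4095                  # vSphere uses 4095 in 'VLAN' mode for Virtual Guest Tagging, never in a trunk range
DEFAULT_VLAN = 1               # the switch default/native VLAN the guide says to avoid

# Constructed sample plan: one VLAN per traffic type, as the guide recommends.
PLAN: Dict[str, int] = {
    "Management": 10, "vMotion": 20, "IP Storage": 30,
    "Fault Tolerance": 40, "Virtual SAN": 50, "VM Network": 100,
}

_ENTRY = re.compile(r"^(\d{1,4})(?:-(\d{1,4}))?$")


def parse_vlan_spec(spec: str) -> List[Tuple[int, int]]:
    """Turn "10, 20-30,25-35,100" into sorted, merged (low, high) ranges."""
    ranges: List[Tuple[int, int]] = []
    for raw in spec.split(","):
        entry = raw.replace(" ", "")
        if not entry:
            continue                      # tolerate a trailing or doubled comma
        match = _ENTRY.match(entry)
        if not match:
            raise ValueError(f"invalid VLAN entry {raw!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"range {raw!r} is reversed")
        if high == VGT_ID:
            raise ValueError("4095 selects Virtual Guest Tagging; it is not a trunk range value")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN IDs must be within {VLAN_MIN}-{VLAN_MAX}: {raw!r}")
        ranges.append((low, high))
    return _merge(ranges)


def _merge(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Collapse overlapping or adjacent ranges so the review counts each VLAN once."""
    merged: List[Tuple[int, int]] = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def expand(ranges: List[Tuple[int, int]]) -> Set[int]:
    """Every individual VLAN ID the ranges allow."""
    return {v for low, high in ranges for v in range(low, high + 1)}


def rejects(spec: str) -> bool:
    """True if the parser refuses the specification (used by the examples)."""
    try:
        parse_vlan_spec(spec)
    except ValueError:
        return True
    return False


def review_trunk(spec: str, planned: Set[int]) -> Dict[str, object]:
    """Compare the VLANs a trunk allows with the VLANs the design calls for."""
    allowed = expand(parse_vlan_spec(spec))
    findings: List[str] = []
    if DEFAULT_VLAN in allowed:
        findings.append("VLAN 1 is allowed: it is the default VLAN and should not carry host traffic")
    if 0 in allowed:
        findings.append("VLAN 0 (untagged frames) is allowed on the trunk")
    unexpected = sorted(allowed - planned)
    missing = sorted(planned - allowed)
    if unexpected:
        findings.append(f"{len(unexpected)} VLAN(s) allowed that no traffic type uses: {unexpected[:10]}")
    if missing:
        findings.append(f"planned VLAN(s) not on the trunk: {missing}")
    return {"allowed": sorted(allowed), "unexpected": unexpected,
            "missing": missing, "findings": findings}


if __name__ == "__main__":
    for spec in ("10,20,30,40,50,100", "1-4094", "10-50, 100", "4095"):
        if rejects(spec):
            print(f"{spec!r}: rejected by parser")
            continue
        report = review_trunk(spec, set(PLAN.values()))
        print(f"{spec!r}: {len(report['allowed'])} VLAN(s) allowed")
        for finding in report["findings"]:
            print("   -", finding)
```

Running the block shows the contrast the guide is after: the tight specification matches the plan with no findings, while the catch-all "1-4094" trunk passes VLAN 1 and thousands of VLANs no traffic type uses, so a misplaced vmknic or VM port group would get Layer 2 reach it was never meant to have.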
Section 4 – Install and Upgrade VMware NSX
Objective 4.1 – Configure Environment for Network Virtualization
Configure the physical infrastructure (MTU, Dynamic Routing for edge, etc.)
    o Configure MTU
        The MTU of the physical network needs to be 1550 (standard VXLAN size) or higher. Recommended 1600 MTU.
    o Dynamic Routing for Edge
Prepare a new vSphere infrastructure
    o Configure Quality of Service (QoS)
    o Configure Link Aggregation Control Protocol (LACP)
Configure an existing vSphere infrastructure
    o Upgrade VMware Tools
        Do not upgrade or uninstall the VMware Tools that come with NSX components
        vShield Endpoint and NSX Data Security require that virtual machines have hardware version 7 or 8 and VMware Tools version 8.6, which comes with ESXi 5.0 Patch 3.
Explain how IP address assignments work in VMware NSX
    o IP Address Groups
        Used for source and destination firewall rules
    o IP Pools
        Typically used in configuring SSL VPNs
    o vNIC-to-IP Address assignment
        Used when configuring SpoofGuard
Identify minimum permissions required to deploy NSX in a vSphere environment
    o There’s no cut-and-dried place in the documentation that specifically states these are the minimum permissions; however, there are some suggestions you can discern
        Add and power on virtual machines
        Access to the datastore where VMs will be copied to and stored
        User role – NSX Administrator
            NSX Operations only
                o Allows installing virtual machines
                o Configure port groups
                o Only vCenter users can be assigned this role
            If you want to be able to deploy security you’ll need full Enterprise Administrator
        User scope
            No restriction
            Only vCenter users can be put into scope
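The MTU figures this guide repeats (1550 minimum, 1600 recommended, here and under Objective 2.2) fall out of the VXLAN encapsulation overhead. The Python below is an added example, not part of this guide or of VMware’s software, that works the arithmetic through and checks a proposed underlay MTU against it; the header sizes are the standard protocol values, and the function names and the check itself are this example’s own.

```python
"""VXLAN MTU arithmetic behind the 1550/1600 numbers in this guide.

Added example for this study guide, not VMware code.  Header sizes are the
standard ones (Ethernet 14, 802.1Q tag 4, IPv4 20, IPv6 40, UDP 8, VXLAN 8);
the check against a given underlay MTU is this example's own.
"""
from typing import Dict

INNER_ETHERNET = 14   # the VM's own Ethernet header rides inside the VXLAN payload
DOT1Q_TAG = 4         # present only if the VM emits tagged frames (Virtual Guest Tagging)
VXLAN_HEADER = 8      # VXLAN header carrying the 24-bit VNI (segment ID)
UDP_HEADER = 8        # outer UDP header (VXLAN uses destination port 4789)
IPV4_HEADER = 20      # outer IPv4 header without options
IPV6_HEADER = 40      # outer IPv6 header without extension headers


def vxlan_overhead(outer_ipv6: bool = False, inner_tagged: bool = False) -> int:
    """Bytes VXLAN adds on top of the VM's IP MTU.

    The outer Ethernet header is deliberately not counted: a link's MTU is the
    size of the IP packet it carries, and the outer frame header sits outside it.
    """
    outer_ip = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    tag = DOT1Q_TAG if inner_tagged else 0
    return INNER_ETHERNET + tag + VXLAN_HEADER + UDP_HEADER + outer_ip


def required_underlay_mtu(inner_mtu: int = 1500, outer_ipv6: bool = False,
                          inner_tagged: bool = False) -> int:
    """Smallest physical (underlay) MTU that carries inner_mtu-byte VM packets whole."""
    return inner_mtu + vxlan_overhead(outer_ipv6, inner_tagged)


def max_inner_mtu(underlay_mtu: int, outer_ipv6: bool = False,
                  inner_tagged: bool = False) -> int:
    """Largest VM MTU a given underlay MTU can carry without fragmentation."""
    return underlay_mtu - vxlan_overhead(outer_ipv6, inner_tagged)


def check_underlay(underlay_mtu: int, inner_mtu: int = 1500, outer_ipv6: bool = False,
                   inner_tagged: bool = False) -> Dict[str, object]:
    """Report whether the underlay MTU is sufficient and how much headroom remains."""
    need = required_underlay_mtu(inner_mtu, outer_ipv6, inner_tagged)
    return {"required": need, "configured": underlay_mtu,
            "ok": underlay_mtu >= need, "headroom": underlay_mtu - need}


if __name__ == "__main__":
    cases = [("IPv4 underlay", {}),
             ("IPv4 underlay, tagged guest frames", {"inner_tagged": True}),
             ("IPv6 underlay", {"outer_ipv6": True})]
    for label, kw in cases:
        print(f"{label}: VM MTU 1500 needs underlay MTU {required_underlay_mtu(**kw)}")
    for mtu in (1500, 1550, 1600, 9000):
        r = check_underlay(mtu)
        state = "ok" if r["ok"] else "fragmentation or drops"
        print(f"underlay MTU {mtu}: {state} (headroom {r['headroom']} bytes)")
    print("jumbo-frame VMs (MTU 9000) need underlay MTU", required_underlay_mtu(9000))
    print("largest VM MTU behind a 9000-byte underlay:", max_inner_mtu(9000))
```

The 1550 figure is exactly 1500 + 50 over an IPv4 underlay; 1600 leaves 50 bytes of headroom, enough for a guest that sends its own 802.1Q tags (1554) and for an IPv6 underlay (1570). The same arithmetic shows why a jumbo-frame design needs care: if the vDS carrying the VTEP vmknic sits at its 9000-byte maximum, VM MTU has to stay at 8950 or below, or the physical switches must accept frames larger than 9000.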
Objective 4.2 – Deploy VMware NSX Components
Install NSX Manager
    o Prerequisites
        Resilient management cluster
            HA/DRS
            vMotion
        TCP 443 to/from and among vCenter, ESXi hosts and NSX Data Security
        TCP 443 from REST client to NSX Manager
        TCP 80 and 443 for the NSX Manager user interface and vSphere SDK
        Obtain the OVA file for deployment
    o Installation
        Open the vSphere Web Client
        Select ‘Hosts and Clusters’
        Select a host
        Right Click the host
        Select ‘Deploy OVF Template’
        Browse to the file either via URL or local file
        Accept the EULA
        Name the NSX Manager if necessary and select the install location
        Select storage
        Set up the network to manage the NSX Manager machine
        Configure IPv4 only, IPv6 only, or dual stack configuration
        Input the root user password and confirm by re-typing
        Input the CLI user password and confirm by re-typing
        Input the CLI privilege mode password and confirm by re-typing
        Select ‘Network Properties’
        Input Hostname
        Input IPv4 IP address and gateway
        Input IPv6 address, prefix, and gateway (if necessary)
        Select ‘DNS’
        Input DNS server IP addresses and domain search list
        Select ‘Services Configuration’
        Input NTP server information
        Enable SSH if necessary (do eeet)
        Confirm
        Power on the machine after deployment
        Verify you can log into the appliance by browsing to https://
        Accept the certificate
        Input username ‘admin’ with password of ‘default’
Register NSX Manager with vCenter Server
    o Prerequisites
        vCenter account with admin access to sync NSX Manager and vCenter Server
        Ensure that the vCenter password doesn’t have non-ASCII characters
        Using SSO for NSX Manager requires vCenter 5.5 or later with SSO installed on the vCenter Server
    o Register
        Log into the NSX Manager
        Select ‘Manage vCenter Registration’
        Select ‘Configure’
        Input the IP address of vCenter, username and password
        Input the IP address and port number of the NSX Management Service
        Confirm connected
Install NSX License
    o Obtain
        Trial licenses are valid for 60 days and function immediately
        Other licenses are downloaded from the license portal
    o Install
        Open the vSphere Web Client
        Select ‘Administration’
        Select ‘Licenses’ under the ‘Licensing’ tab
        Select ‘Solutions’
        Select the ‘NSX for vSphere’ solution
        Select ‘Assign License Key’
        Use the drop-down and select ‘Assign a new license key’
        Input the license key and an optional label
        Select ‘Decode’
        If functional, click OK
Prepare ESXi hosts
    o Prerequisites
        Hosts must be attached beforehand to the dvSwitch that NSX will use
    o Three VIBs are installed on all hosts to be prepared
        VXLAN
        Distributed Firewall
        Logical Routing
    o Do not make any changes to any services or components while going through the installation process
    o Prepare
        Open the vSphere Web Client
        Select ‘Networking & Security’
        Select ‘Installation’
        Select ‘Host Preparation’
        Observe the ‘Installation Status’ column
        If the status is ‘Not Ready’, select ‘Resolve’ (a reboot may occur)
        Once the column lists ‘Install’, select ‘Install’ to begin the process
Deploy NSX Controllers
    o Controllers should be deployed in sets of either 3 or 5. Always an odd number, to establish quorum between them, for scale and redundancy
    o Deploy
        Open the vSphere Web Client
        Select ‘Networking & Security’
        Select ‘Installation’
        Select ‘Management’
        In the ‘NSX Controller nodes’ section select the ‘+’ button
        Select the appropriate NSX Manager
        Select the datacenter
        Select the cluster/resource pool
        Select the datastore where the controller will be placed
        Select the host on which the controller will be deployed
        Connect the controller to the appropriate dvSwitch port group
        Select the appropriate IP pool
        Click OK
Assign Segment ID pool and Multicast addresses
    o Segment IDs separate traffic for each NSX Manager
    o Multicast addresses are used if no NSX Controllers are deployed, to help spread traffic across the multicast range specified
    o Multicast is also needed for hybrid configurations or when using vSphere 5.1 hosts
    o Assign
        Open the vSphere Web Client
        Select ‘Networking & Security’
        Select ‘Installation’
        Select ‘Logical Network Preparation’
        Select the appropriate NSX Manager from the drop-down
        Select ‘Segment ID’
        Select ‘Edit’
        Input the appropriate number of Segment IDs (number of logical switches)
        Enable or disable Multicast
        If enabled, put in a multicast range
VCP-NV Blueprint v1.0 Geoff Wilmington @vWilmo
Click OK Configure VXLAN Transport o Prerequisites All hosts must be part of a dvSwitch Hosts must have gone through the ‘Host Preparation’ first o Configure Open the vSphere Web Client Select ‘Networking & Security’ Select ‘Installation’ Select ‘Host Preparation’ Find the Cluster that you want to configure ‘VXLAN’ In the ‘VXLAN’ column, click ‘Configure’ Select the appropriate switch Input the VLAN ID Ensure MTU is at least 1550, 1600 recommended Select ‘VMKnic IP Addressing’, if IP pool select appropriate IP pool Select ‘VMKnic Teaming Policy Select ‘VTEP’ ID number (modifying the default number that comes up is not recommended) Install NSX Edge o NSX Edge Services Gateway Open the vSphere Web Client Select ‘Networking & Security’ Select ‘NSX Edges’ Click on the ‘+’ Select ‘Edge Services Gateway’ Select ‘Enable High Availability’ as necessary Input a display name Input a DNS hostname Input a description Input a tenant name as necessary Input CLI username and craziest password requirements ever Select ‘Enable SSH access’ as necessary Select the ‘Datacenter’ Select an ‘Appliance Size’ Compact Large Quad Large X-Large Select ‘Enable auto rule generation’ which is defaulted to enabled only if you need to manually create traffic flow rules Select the ‘+’ o Logical Distributed Router Open the vSphere Web Client Select ‘Networking & Security’
VCP-NV Blueprint v1.0 Geoff Wilmington @vWilmo
Select ‘NSX Edges’ Select the ‘+’ Select ‘Logical (Distributed) Router Select ‘Enable High Availability’ if necessary Input a name for the router Input a DNS hostname Input a description Input a tenant name as necessary Input CLI username and craziest password requirements ever Select ‘Enable SSH access’ if necessary Select the ‘Datacenter’ Select the ‘+’ Select the ‘Cluster/Resource Pool’ Select the ‘Datastore’ Select the ‘Host’ as necessary Select the ‘Folder’ as necessary Select the ‘Select’ link for ‘Connected To’ of the management interface Select ‘Logical Switch’ or ‘Distributed Portgroup’ as necessary Select the appropriate network Select the ‘+’ Select the ‘+’ again to add an IP subnet and prefix Input IP address and prefix length Select the ‘+’ under ‘Configure interfaces of this NSX Edge’ Input a name Select whether interface is ‘Internal’ or ‘Uplink’ Select the ‘Select’ link for ‘Connected To’ Select ‘Logical Switch’ or Distributed Portgroup’ as necessary Select the appropriate network Select the ‘+’ under ‘Configure Subnets’ Select the ‘+’ again to add an IP subnet and prefix Input IP address and prefix length If ‘Enable High Availability’ was originally selected configure parameters Input ‘Declare Dead Time Input Management IPs Confirm Install vShield Endpoint o Prerequisites Supported vCenter and ESXi on each host in cluster Hosts must be prepared and network virtualization vibs installed NSX Manager 5.5 must be running o Install Open the vSphere Web Client Select ‘Networking & Security’ Select ‘Installation’ Select ‘Service Deployments’ Select the ‘+’
VCP-NV Blueprint v1.0 Geoff Wilmington @vWilmo
Select ‘VMware Endpoint’ Select ‘Deploy Now’ (default) or set a deployment schedule using ‘Schedule the deployment’ Select the ‘Datacenter’ Select the cluster Select the ‘Datastore’ Select the ‘Network’ Select the ‘IP assignment’ Confirm Install Data Security o Prerequisites vShield Endpoint installed If you want to assign an IP address, pre-create an IP pool o Install Open the vSphere Web Client Select ‘Networking & Security’ Select ‘Installation’ Select ‘Service Deployments’ Select the ‘+’ Select ‘VMware Data Security’ Select ‘Deploy Now’ (default) or set a deployment schedule using ‘Schedule the deployment’ Select the ‘Datacenter’ Select the cluster Select the ‘Datastore’ Select the ‘Network’ – network needs to be able to communicate with NSX Manager port group Select the ‘IP assignment’ Confirm Create an IP pool o Prerequisites An empty network and IP range to assign o Create Open the vSphere Web Client Select ‘Networking & Security’ Select ‘NSX Managers’ Select the appropriate NSX Manager from the list Select ‘Manage’ Select ‘Grouping Objects’ Select ‘IP Pools’ Select the ‘+’ Input a ‘Name’ Input the ‘Gateway’ Input a ‘Prefix Length’ Input Primary and Secondary DNS as necessary Input a ‘DNS Suffix’
VCP-NV Blueprint v1.0 Geoff Wilmington @vWilmo Input a ‘Static IP Pool’ if you want to set a small range or set of IP addresses Confrim
Objective 4.3 – Upgrade Existing vCNS/NSX Implementation
Verify upgrade prerequisites have been met
  o vShield Manager 5.5 is the only version that can be upgraded to NSX Manager. Prior versions need to be upgraded to at least 5.5 first.
  o vCenter Server is at least 5.5
  o vShield Data Security has been uninstalled
  o vShield Edge instances prior to 5.5 have been upgraded to 5.5
  o Don’t uninstall a deployed instance of vShield Manager!
Upgrade vCNS 5.5 to NSX 6.x
  o Download the upgrade bundle for vShield Manager and place it somewhere vShield Manager can access the bundle
  o Open the vSphere Client
  o Select Home
  o Select ‘vShield’
  o Log into vShield Manager
  o Select ‘Settings and Reports’
  o Select ‘Updates’
  o Select ‘Upload Upgrade Bundle’
  o Browse to the file
  o Select ‘Upload’
  o Select ‘Install’ once complete
  o Select ‘Confirm Install’
  o Wait for the upgrade to complete
  o Confirm by browsing to the vShield Manager IP address
  o Verify the upgrade
  o Shut down the NSX Manager VM and increase memory to 12GB and vCPU to 4
Upgrade vCNS Virtual Wires to NSX Logical Switches
  o Prerequisites
    - vShield Manager has been upgraded to NSX Manager
    - Recommended to do upgrades during a maintenance window
  o Upgrade
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Host Preparation’
    - Look for ‘legacy’ in the ‘Installation Status’ column
    - Select ‘Install’ or ‘Upgrade’ for each status not showing only ‘Uninstall’
    - Installation takes place. Ensure that the green check mark shows up afterwards in the ‘Installation Status’ column
Upgrade to NSX Components
  o Upgrade to NSX Firewall
    - Prerequisites
      o vShield Manager has been upgraded to NSX Manager
      o Virtual wires have been upgraded to logical switches. Non-VXLAN requires network virtualization VIBs installed
    - Upgrade
      o Open the vSphere Web Client
      o Select ‘Networking & Security’
      o Select ‘Installation’
      o Select ‘Host Preparation’
      o Select ‘Upgrade’ on the pop-up window that appears
      o Installation takes place. Ensure that the green check mark shows up afterwards in the ‘Firewall’ column
  o Upgrade to NSX Edge
    - Prerequisites
      o vShield Manager has been upgraded to NSX Manager
      o Virtual wires have been upgraded to logical switches
      o Check NSX Edge requirements for the X-Large version
    - Upgrade
      o Open the vSphere Web Client
      o Select ‘Networking & Security’
      o Select ‘NSX Edges’
      o Select an Edge device from the list
      o Select ‘Actions’
      o Select ‘Upgrade Version’
      o Installation takes place. Ensure that the ‘Version’ column changes to ‘6.0.0’ and that the ‘Status’ column changes to ‘Deployed’
  o Upgrade vShield Endpoint from 5.5 to 6.x
    - Prerequisites
      o dvSwitch is created and attached to all hosts in the cluster
      o Shared datastore between all hosts
      o vShield Manager has been upgraded to NSX Manager
      o Virtual wires have been upgraded to logical switches
    - Upgrade
      o Open the vSphere Web Client
      o Select ‘Networking & Security’
      o Select ‘Installation’
      o Select ‘Services Deployments’
      o Select ‘VMware Endpoint’ from the list
      o Check the ‘Installation Status’ column for ‘Upgrade Available’
      o Select ‘Upgrade Available’
      o Select ‘Datastore’
      o Select ‘Network’
      o Confirm
      o Installation takes place. Ensure ‘Installation Status’ says ‘Succeeded’
  o Upgrade to NSX Data Security
    - Prerequisites
      o None
    - Upgrade
      o There is no direct upgrade for Data Security
      o Uninstall Data Security
      o Upgrade NSX Manager
      o Redeploy Data Security. If Data Security is not uninstalled, the upgrade must be done via a REST call
Upgrade NSX Manager from 6.0 to 6.x
  o Upgrade
    - Download the upgrade bundle for NSX Manager and place it somewhere NSX Manager can access the bundle
    - Browse to the NSX Manager web interface
    - Log in
    - Select ‘Upgrade’ from the home screen
    - Select the ‘Upgrade’ option under ‘Upgrade NSX Management Service’
    - Browse to the upgrade file location
    - Select Continue
    - Select ‘Enable SSO’ if necessary
    - Select ‘Upgrade’
    - Installation takes place. Wait for the browser page to refresh. Log in and verify the upgrade
Update vSphere Clusters after NSX upgrade
  o Prerequisites
    - NSX Manager must be upgraded to 6.0.x first
    - Upgrade will require a reboot
  o Upgrade
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Host Preparation’
    - Look for ‘Update’ in the ‘Installation Status’ column for each cluster
    - Hosts will be placed into maintenance mode, VMs evacuated, and then hosts rebooted. If manual vMotion is necessary, you’ll have to intervene.
    - Look for a ‘Not Ready’ status in the ‘Installation Status’ column. You can select the red arrow icon to show any errors that will need to be resolved. Select ‘Resolve’ once errors are taken care of.
    - Installation takes place. Wait for the hosts to reboot and look for the new version in the ‘Installation Status’ column
Objective 4.4 – Expand Transport Zone to Include New Cluster(s)
Explain the function of a Transport Zone
  o Transport Zones define the span of a logical switch across clusters in a datacenter
  o A Transport Zone is the physical network backing the logical network
  o The span can be increased or contracted by adding or removing clusters from the Transport Zone
  o Supports three modes
    - Multicast
      o Requires PIM/IGMP on the physical network equipment for the VXLAN control plane. Really only used when upgrading from older legacy environments
    - Unicast
      o Replicates Broadcast, Unknown Unicast, and Multicast (BUM) traffic on the local host and requires no physical network configuration to do so
    - Hybrid
      o Some of the BUM traffic is offloaded for performance reasons to the first-hop switch. Requires IGMP snooping but not PIM on the first-hop switch
Add a Transport Zone
  o Add
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Logical Network Preparation’
    - Select the ‘+’
    - Input a ‘Name’
    - Input a ‘Description’
    - Select the ‘Control Plane Mode’
    - ‘Select the clusters to add’
Expand/Contract a Transport Zone
  o Expand
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Logical Network Preparation’
    - Select a Transport Zone from the list
    - Select ‘Actions’
    - Select ‘Add Clusters’
    - ‘Select cluster to add’
    - Select a cluster
  o Contract
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Logical Network Preparation’
    - Select a Transport Zone from the list
    - Select ‘Actions’
    - Select ‘Remove Clusters’
    - ‘Select cluster to add’
    - Deselect the cluster
Edit a Transport Zone
  o Edit
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Logical Network Preparation’
    - Select a Transport Zone from the list
    - Select ‘Actions’
    - Select ‘Edit Settings’
    - Make edits
Change the Control Plane mode for a Transport Zone
  o Edit
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Logical Network Preparation’
    - Select a Transport Zone from the list
    - Select ‘Actions’
    - Select ‘Edit Settings’
    - Change the Mode
Section 5 – Configure VMware NSX Virtual Networks
Objective 5.1 – Create and Administer Logical Switches
Configure IP address assignments
  o Configure
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Managers’
    - Select the NSX Manager for which you want to configure IP address assignments
    - Select ‘Grouping Objects’
    - Select ‘IP Pools’
    - Select the ‘+’
    - Input a ‘Name’
    - Input a ‘Gateway’
    - Input a ‘Prefix Length’
    - Input a Primary/Secondary DNS and Suffix as necessary
    - Input a ‘Static IP Pool’ of addresses to use
    - Confirm
Add/Remove a logical switch
  o Add
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Logical Switches’
    - Select the ‘+’
    - Input a ‘Name’
    - Input a ‘Description’ as necessary
    - Select a ‘Transport Zone’
    - Select the ‘Control Plane Mode’
  o Remove
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Logical Switches’
    - Select the Logical Switch from the list to remove
    - Select ‘Actions’
    - Select ‘Remove’
    - Confirm
Modify control plane mode
  o Modify
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Logical Switches’
    - Select the Logical Switch from the list to modify
    - Select the ‘pencil’
    - Modify
Connect a logical switch to an NSX Edge gateway
  o Connect
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Logical Switches’
    - Select the Logical Switch from the list to connect
    - Select ‘Actions’
    - Select ‘Add NSX Edge’
    - Select the NSX Edge from the list
    - Logical Router
      o Input a ‘Name’
      o Select a ‘Type’
      o Select ‘Connectivity Status’
      o Configure Subnets
      o Confirm
    - Edge Services Gateway
      o Select a vnic
      o Input a vnic ‘Name’
      o Select a ‘Type’
      o Select ‘Connectivity Status’
      o Configure Subnets
      o Input ‘MAC Addresses’ if necessary
      o Input MTU
      o Confirm
Deploy services to a logical switch
  o Prerequisites
    - One or more 3rd party appliances need to be installed first
  o Deploy
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Logical Switches’
    - Select the Logical Switch from the list to deploy to
    - Select ‘Actions’
    - Select ‘Add Service Profile’
    - Select the ‘Service’
    - Select the ‘Filter’
    - Confirm
Connect/Disconnect virtual machines
  o Connect
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Logical Switches’
    - Select the Logical Switch from the list to connect a VM to
    - Select ‘Actions’
    - Select ‘Add Virtual Machine’
    - Select ‘Virtual Machine(s)’ from the list
    - Select ‘vnic’ for each machine
    - Confirm
  o Disconnect
    - Open the vSphere Web Client
    - Select ‘VMs and Templates’
    - Select the VM from the list to disconnect
    - Select ‘Manage’
    - Select ‘Settings’
    - Select ‘Edit’
    - Select a new vnic network to attach to
    - Confirm
Test logical switch connectivity
  o Test
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Logical Switches’
    - Select the Logical Switch you want to test (double-click it)
    - Select ‘Monitor’
    - Select ‘Ping’
    - Use ‘Browse’ to set the source and destination host
    - Select ‘Start Test’
    - Results show up at the bottom. Verify green check marks
Determine distributed virtual switch type and version for a given NSX implementation
  o vDS must be at version 5.5
  o vDS vendor types must be consistent throughout the NSX implementation to avoid any inconsistencies
Objective 5.2 – Configure VXLAN
Identify where to install and configure VXLAN
  o Install
    - VXLAN is installed on each host in the cluster as a VIB during ‘Host Preparation’
  o Configure
    - VXLAN is configured on a per-cluster basis
    - Each cluster is mapped to a vDS and then participates in the logical network
Identify physical network requirements
  o Physical requirement is an MTU of 1600 (1550 at least), but traffic can be fragmented
  o A normal VLAN on the physical switch for VXLAN transport traffic to traverse
  o DHCP on the VXLAN transport VLAN for dynamic assignment of VMKnics, if used
  o 5-tuple hash distribution for LACP
  o If using hybrid transport, IGMP snooping on the first-hop switch
Prepare a cluster for VXLAN
  o Configure all control plane components
    - Physical network MTU
    - Physical network transport VLAN, DHCP if necessary
    - LACP
    - IGMP snooping, depending on transport type
  o Run ‘Host Preparation’ to deploy the VXLAN VIB to the hosts in the cluster
Determine the appropriate teaming policy for a given implementation
  o This chart is straight from the ‘NSX Installation and Upgrade Guide’

    Teaming Mode             Multiple VTEPs Created   vDS Version
    Source port              Yes                      5.5
    LACPv2                   No                       5.5
    LBT                      Yes                      5.5
    Source MAC (MAC Hash)    Yes                      5.5
    Failover                 No                       5.1 and later
    Etherchannel *           No                       5.1 and later
    LACPv1                   No                       5.1

    * ensure the blade chassis supports Etherchannel before enabling

Add/Edit/Expand/Contract transport zones
  o Add
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Logical Network Preparation’
    - Select ‘Transport Zones’
    - Select the ‘+’
    - Input a ‘Name’
    - Input a ‘Description’ as necessary
    - Select ‘Control Plane Mode’
    - Select ‘Select clusters to add’
  o Edit
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Logical Network Preparation’
    - Select ‘Transport Zones’
    - Select the Transport Zone you wish to edit
    - Right-click and select ‘Edit Settings’
    - Make edits
  o Expand
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Logical Network Preparation’
    - Select ‘Transport Zones’
    - Select the Transport Zone you wish to expand
    - Right-click and select ‘Edit Settings’
    - Add a cluster to the Transport Zone
  o Contract
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘Installation’
    - Select ‘Logical Network Preparation’
    - Select ‘Transport Zones’
    - Select the Transport Zone you wish to contract
    - Right-click and select ‘Edit Settings’
    - Remove a cluster from the Transport Zone
Prepare VXLAN Tunnel End Points (VTEPs) on clusters
  o Prepare
    - VTEPs are prepared depending on the number of uplinks and the teaming policy in place
    - You’ll need IP addressing through either an IP Pool or a DHCP server
Objective 5.3 – Configure and Manage Layer 2 Bridging
Identify High Availability requirements for Layer 2 Bridging
  o The VLAN must be configured on the host that has the secondary NSX Edge VM
Add a Layer 2 Bridge to an NSX Edge device
  o Add
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select an NSX Edge of type ‘Logical Router’
    - Double-click the device to open a new section
    - Select ‘Manage’
    - Select ‘Bridging’
    - Select the ‘+’
    - Input a ‘Name’
    - Select the ‘Logical Switch’
    - Select the ‘Distributed Virtual Port Group’
Determine when Layer 2 Bridging would be required for a given NSX implementation
  o Layer 2 bridges are necessary to migrate workloads from virtual to physical devices with no IP address impact
Determine when multiple Layer 2 Bridges are required for a given NSX implementation
  o Multiple Layer 2 Bridges are required if there are HA requirements for the bridge
  o Multiple Layer 2 Bridges could be required for allowing different tenant networks onto different physical networks
  o Multiple Layer 2 Bridge instances can be used to map to multiple VLANs, as there is a 1:1 relation of bridge instance to VLAN
Objective 5.4 – Configure and Manage Logical Routers
Describe and differentiate router interfaces
  o Management Interface
    - Out-of-band access to the router, typically dedicated and not on a network where normal traffic flows exist
    - Only accepts traffic on this interface destined to the router itself
    - Used to provide access to the router if the normal network connectivity is down
  o Network Interface
    - Receives and transmits traffic flows between network interfaces on the device
Determine controller and logical switch requirements for logical router deployment
  o Controller requirements
    - At least three controller nodes
  o Logical Switch requirements
    - At least one logical switch
Add a logical router
  o Add
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select the ‘+’
    - Select ‘Install Type’ of ‘Logical (Distributed) Router’
    - Select ‘Enable High Availability’ as necessary
    - Input a ‘Name’
    - Input a ‘Hostname’ as necessary
    - Input a ‘Description’ as necessary
    - Input a ‘Tenant’ as necessary
    - Input a CLI ‘User Name’
    - Input a CLI ‘Password’, otherwise known as the most complex password ever
    - Select ‘Enable SSH access’ as necessary
Configure distributed routing
  o Configure
    - Follow all steps from ‘Add a logical router’ first
    - Select ‘Datacenter’
    - Select the ‘+’
    - Select ‘Cluster/Resource Pool’
    - Select ‘Datastore’
    - Select ‘Host’ if necessary
    - Select ‘Folder’ if necessary
    - The rest of the additions are covered in the topics below
Configure a management interface
  o Configure
    - Follow all steps from ‘Configure distributed routing’ first
    - Select the ‘Select’ link under ‘Connected To’
    - Select the ‘Logical Switch’ or ‘Distributed Port Group’
    - Select the ‘+’ under ‘Management Interface Configuration’
    - Select the ‘+’ again
    - Input an IP address
    - Input a Prefix length
    - Select the ‘+’ under ‘Configure interfaces of this NSX Edge’
    - Input a ‘Name’
    - Select the ‘Type’
    - Select the ‘Select’ link
    - Select the ‘Logical Switch’ or ‘Distributed Port Group’
    - Select the ‘Connectivity Status’
    - Select the ‘+’
    - Select the ‘+’ again
    - Input an IP address
    - Input a Prefix length
    - The rest of the additions are covered in the topics below
Configure High Availability for a logical router
  o Configure
    - If ‘Enable High Availability’ was selected, perform the steps below
    - Follow all steps from ‘Configure a management interface’ first
    - Input a ‘Declare Dead Time’ in seconds
    - Input ‘Management IPs’
Configure edge routing
  o Configure
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select the NSX Edge Services Gateway in the list
    - Select ‘Manage’
    - Select ‘Routing’
    - Select ‘Edit’ under ‘Default Gateway’
    - Select the ‘vNIC’
    - Input a ‘Gateway IP’
    - Input a ‘MTU’
    - Input a ‘Description’ as necessary
    - Select ‘Edit’ under ‘Dynamic Routing Configuration’
    - Select a ‘Router ID’ or use ‘Add Custom ID’ to add one
    - Enable the routing protocol
    - Enable logging
Configure routing protocols
  o Static
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select the NSX Edge Services Gateway in the list
    - Select ‘Manage’
    - Select ‘Routing’
    - Select ‘Static Routes’
    - Select the ‘+’
    - Input a ‘Description’ as necessary
    - Select the ‘Interface’
    - Input a ‘Network’ in CIDR format – example: 10.10.10.0/24
    - Input the ‘Next Hop’ IP address as necessary
    - Input the ‘MTU’ as necessary
    - Repeat the process for however many static routes you require
    - Select ‘Publish Changes’ to complete
  o OSPF
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select the NSX Edge Services Gateway in the list
    - Select ‘Manage’
    - Select ‘Routing’
    - Select ‘OSPF’
    - Select ‘Enable’
    - Select the ‘+’ under ‘Area Definitions’
    - Input an ‘Area ID’ in the form of a decimal number or IP address
    - Select ‘Type’ (typically NSSA)
    - Select ‘Authentication’
      o None
      o Password
        - Enter the password in the ‘Value’ field
      o MD5
        - Enter the MD5 hash in the ‘Value’ field
    - Select the ‘+’ under ‘Area to Interface Mapping’
    - Select a ‘vNIC’
    - Select an ‘Area’
    - Modify ‘Advanced’ as necessary
      o Input a ‘Hello Interval’
        - Interval at which ‘Hello’ packets are sent out the interface
      o Input a ‘Dead Interval’
        - Interval within which at least one ‘Hello’ packet must be received before the neighbor router is considered dead
      o Input a ‘Priority’
        - Priority is used to determine the designated router
      o Input a ‘Cost’
        - Cost is inversely proportional to the bandwidth of the link. The lower the cost, the better the bandwidth of the connection
    - Select ‘Publish Changes’ to complete
  o BGP
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select the NSX Edge Services Gateway in the list
    - Select ‘Manage’
    - Select ‘Routing’
    - Select ‘Edit’
    - Select ‘Enable BGP’
    - Input a ‘Local AS’
    - Select the ‘+’ in the ‘Neighbours’ section
    - Input the ‘IP Address’ of the neighbor
    - Input the ‘Remote AS’ that the neighbor is in
    - Input a ‘Weight’ as necessary
    - Input a ‘Keep Alive Timer’ as necessary
    - Input a ‘Hold Down Timer’ as necessary
    - Input a ‘Password’ as necessary
      o MD5 must be configured on both neighbors with the same password as above or no connection will be made
    - Select the ‘+’ under ‘BGP Filters’
    - Select a ‘Direction’
    - Select an ‘Action’
    - Input a ‘Network’ in CIDR format – example: 10.10.10.0/24
    - Input an ‘IP Prefix GE’ as necessary
    - Input an ‘IP Prefix LE’ as necessary
    - Select ‘Publish Changes’ to complete
  o IS-IS
    - Listed as ‘Experimental’ from a support standpoint
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select the NSX Edge Services Gateway in the list
    - Select ‘Manage’
    - Select ‘Routing’
    - Select ‘IS-IS’
    - Select ‘Edit’ under ‘IS-IS Configuration’
    - Select ‘Enable IS-IS’
    - Input a ‘System ID’
    - Select an ‘IS Type’
      o Level 1 – intra-area routing information is shared with other Level 1 routers
      o Level 2 – inter-area routing information is shared with other Level 2 routers
      o Level 1-2 – inter-area and intra-area routing information is shared between both levels; these routers are used to connect the two areas together
    - Input a ‘Domain Password’
      o Used to check Level 2 link state packets
    - Input an ‘Area Password’
      o Used to check Level 1 link state packets
    - Select ‘Edit’ under ‘Areas’
    - Input an IP address for ‘Area1’
    - Input an IP address for ‘Area2’ as necessary
    - Input an IP address for ‘Area3’ as necessary
    - Select the ‘+’ under ‘Interface Mapping’
    - Select an ‘Interface’
    - Select a ‘Circuit Type’
    - Modify the Advanced area as necessary
      o Input a ‘Hello Interval’
        - Interval at which ‘Hello’ packets are sent out the interface
      o Input a ‘Hello Multiplier’
        - Multiplier of the hello interval after which, if no ‘hello’ packets have been received, the connection is declared dead
      o Input a ‘LSP Interval’
        - Interval at which LSP packets are transmitted
      o Input a ‘Metric’
        - Value for determining the cost of a link
      o Input a ‘Priority’
        - Value for determining the priority of the interface. The higher priority becomes the designated router
      o Input a ‘Mesh Group’
        - A value that represents the number of the Mesh Group to which the router belongs
      o Input a ‘Password’
        - A value that allows the routers to begin conversing
Configure default gateway
  o Configure
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select the NSX Edge Services Gateway in the list
    - Select ‘Manage’
    - Select ‘Routing’
    - Select ‘Global Configuration’
    - Select ‘Edit’ under ‘Default Gateway’
    - Select the ‘vNIC’
    - Input a ‘Gateway IP’
    - Input a ‘MTU’
    - Input a ‘Description’ as necessary
    - Select ‘Publish Changes’ to complete
Add/Delete a static route
  o Add
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select the NSX Edge Services Gateway in the list
    - Select ‘Manage’
    - Select ‘Routing’
    - Select ‘Static Routes’
    - Select the ‘+’
    - Input a ‘Description’ as necessary
    - Select the ‘Interface’
    - Input a ‘Network’ in CIDR format – example: 10.10.10.10/24
    - Input the ‘Next Hop’ IP address as necessary
    - Input the ‘MTU’ as necessary
    - Repeat the process for however many static routes you require
    - Select ‘Publish Changes’ to complete
  o Remove
    - Open the vSphere Web Client
    - Select ‘Networking & Security’
    - Select ‘NSX Edges’
    - Select the NSX Edge Services Gateway in the list
    - Select ‘Manage’
    - Select ‘Routing’
    - Select ‘Static Routes’
    - Select the Static Route from the list you want to remove
    - Select the ‘X’
    - Select ‘Publish Changes’
Determine if cross-protocol route sharing is needed for a given NSX implementation
  o Cross-protocol route sharing is done when routers that are not running the same routing protocols need to exchange routes with each other
  o Called Route Redistribution
Section 6 – Configure and Manage NSX Network Services
Objective 6.1 – Configure and Manage Logical Load Balancing
Identify general ESXi host troubleshooting guidelines o This is a pretty broad topic and really vague but as in regards to NSX I would check the following: Ensure hardware being used is on the VMware HCL Ensure uplink assignments and network adapters are configured the same way on each host in the cluster Use the CLI to check that the VIBs installed properly during host preparation esxcli software vib list VIB names o esx-dvfilter-switch-security o esx-vsip o esx-vxlan Configure global load balancing configuration o Configure Open the vSphere Web Client Select ‘Networking & Security’ Select ‘NSX Edges’ Select the ‘NSX Edge’ Services Gateway in the list Select ‘Manage’ Select ‘Load Balancer’ Select ‘Edit’ Enable services Select ‘Enable Load balancer’ o Allows NSX Edge load balancer to distribute traffic to internal servers for load balancing Select ‘Enable Service Insertion’ o Allows 3rd party integration Select ‘Acceleration Enabled’ o Uses the fasters L4 LB engine rather than the L7 LB engine Select ‘Logging’ o Select ‘Log Level’ o Collects traffic logs Create a service monitor o Create Open the vSphere Web Client Select ‘Networking & Security’ Select ‘NSX Edges’ Select the ‘NSX Edge’ Services Gateway in the list Select ‘Manage’ Select ‘Load Balancer’
VCP-NV Blueprint v1.0 Geoff Wilmington @vWilmo
Select ‘Service Monitoring’ Select the ‘+’ Input a ‘Name’ Input an ‘Interval’ to check for ping Input a ‘Timeout’ for maximum time in which the service has to respond Input a ‘Max Retries’ for maximum number of times that a ping has to fail before service is declared dead Input a ‘Type’ for the way the health check is sent to the server HTTP HTTPS TCP Input an ‘Expect’ value HTTP – the value that will be returned in HTTP response line HTTPS – the value that will be returned in HTTP response line Select a ‘Method’ GET POST OPTIONS Input a ‘URL’ if using HTTP(S) Input a ‘Send’ value as necessary Input a ‘Receive’ value as necessary Input an ‘Extension’ as an advanced option for monitoring parameters Add/Edit/Delete a server pool o Add Open the vSphere Web Client Select ‘Networking & Security’ Select ‘NSX Edges’ Select the ‘NSX Edge’ Services Gateway in the list Select ‘Manage’ Select ‘Load Balancer’ Select ‘Pools’ Select the ‘+’ Input a ‘Name’ for the pool Input a ‘Description’ as necessary Select a ‘Algorithm’ for load balancing ROUND-ROBIN o Used to select a server based on weight and is the smoothest and fairest policy to ensure server processing time is equally distributed IP-HASH o Server is selected based on source/destination IP address hash of each packet LEASTCONN o Connections are distributed to the server with the least amount of connections URI
o
VCP-NV Blueprint v1.0 Geoff Wilmington @vWilmo o Used to hash the left part of the URI and divided by the weight of the running servers. This means that the requests will always hit the same server each time as long as that server doesn’t go down Select the ‘+’ under ‘Members’ Input a ‘Name’ as necessary Input the member ‘IP Address’ Input the ‘Port’ for traffic Input the ‘Monitoring Port’ as necessary for receiving monitoring pings Input the ‘Weight’ as a proportion of the amount of traffic the member will handle as necessary Input the ‘Max Connections’ as necessary for the maximum number of connections allowed Input the ‘Min Connections’ as necessary for the minimum number of connections allowed Select ‘Enabled’
Edit
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Load Balancer’ > ‘Pools’
    Select the ‘Pool ID’ you want to edit
    Select the ‘pencil’
    Make edits
    Confirm
  o Delete
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Load Balancer’ > ‘Pools’
    Select the ‘Pool ID’ you want to remove
    Select the ‘X’
    Confirm
Add/Edit/Delete an application profile
  o Add
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Load Balancer’ > ‘Application Profiles’
    Select the ‘+’
    Input a ‘Name’
    Select ‘Type’. The remaining fields depend on the type chosen:
      TCP
        Select ‘Persistence’ as necessary
          None
          Source IP: sessions are tracked by source IP address. If the load balancer has seen the address before, the connection is returned to the same pool member
          MSRDP: maintains persistent sessions between Windows clients and servers running Microsoft Remote Desktop Protocol
      HTTP
        Input an ‘HTTP Redirect URL’ as necessary, for example to redirect plain HTTP requests to the HTTPS site
        Select ‘Persistence’ as necessary
          None
          Cookie: the load balancer records the chosen member in a cookie when the client connects for the first time. Subsequent requests carrying that cookie return the client to the same member
            Input a ‘Cookie Name’
            Select ‘Mode’
              Insert: the load balancer adds its own cookie
              Prefix: the load balancer prefixes its member identifier onto the application’s existing cookie of that name
              App Session: the load balancer sets no cookie; it learns the application’s own session cookie and maps it to the member that issued it
          Source IP: as above
        Select ‘Insert X-Forwarded-For HTTP header’ as necessary. The header carries the connecting client’s IP address so a web server behind the load balancer can identify it; without it the server only sees the load balancer’s address. Clients can send an X-Forwarded-For header of their own, so the back end must trust only the entry the load balancer appended, and only on requests that arrive from the load balancer
      HTTPS
        Select ‘Enable SSL Passthrough’ as necessary. The Edge then does not terminate TLS and cannot read the HTTP stream, so cookie persistence and header insertion are unavailable; persistence has to work at the connection level (Source IP)
        Input an ‘HTTP Redirect URL’ as necessary
        Select ‘Persistence’ as necessary
          None
          Cookie: as above
            Input a ‘Cookie Name’
          Source IP: as above
        Select ‘Insert X-Forwarded-For HTTP header’ as necessary
        Select ‘Enable Pool Side SSL’ as necessary. Traffic from the Edge to the pool members is re-encrypted instead of being forwarded in clear text
        Select ‘Pool Certificates’ from the list
        Select ‘Virtual Server Certificates’ from the list
        Select ‘Cipher’
        Select ‘Client Authentication’
          Ignore
          Required: the client must present a certificate issued by the selected CA before the connection is accepted
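The two HTTP profile settings above with the most security weight are X-Forwarded-For insertion and cookie persistence. The following is an added example, not code from the study guide or from VMware; it models what the Edge does on the load-balancer side and what a back end should do with the result. The `~` separator used in Prefix mode and the `HttpOnly` attribute are this model's choices, not documented NSX behaviour. Sample addresses are constructed.

```python
"""Model of X-Forwarded-For insertion and cookie persistence as an NSX Edge
HTTP application profile performs them, plus the back-end checks that make
the inserted values safe to use. Added example; not VMware code."""
from dataclasses import dataclass, field


@dataclass
class Request:
    peer_ip: str                              # TCP peer address as seen by this hop
    headers: dict = field(default_factory=dict)


def lb_insert_xff(req: Request) -> Request:
    """Load-balancer side: append the connecting peer to X-Forwarded-For,
    as 'Insert X-Forwarded-For HTTP header' does. Anything already in the
    header came from the client and is untrusted."""
    prior = req.headers.get("X-Forwarded-For")
    req.headers["X-Forwarded-For"] = f"{prior}, {req.peer_ip}" if prior else req.peer_ip
    return req


def client_ip_from_xff(req: Request, trusted_proxies: set) -> str:
    """Back-end side: walk the header right-to-left, skipping trusted proxy
    addresses; the first other entry is the client. If the TCP peer is not a
    trusted proxy the header was not written by our load balancer, so ignore it."""
    if req.peer_ip not in trusted_proxies:
        return req.peer_ip
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return req.peer_ip


def naive_client_ip(req: Request) -> str:
    """The common mistake: use the leftmost entry, which the client controls."""
    return req.headers.get("X-Forwarded-For", req.peer_ip).split(",")[0].strip()


def parse_cookies(cookie_header: str) -> dict:
    out = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def lb_set_persistence_cookie(resp_headers: dict, member_id: str, cookie_name: str, mode: str) -> dict:
    """Insert: the LB adds its own cookie naming the member it chose.
    Prefix: the LB prefixes the member id onto the application's cookie of
    that name (separator '~' is this model's assumption)."""
    out = dict(resp_headers)
    if mode == "insert":
        out["Set-Cookie"] = f"{cookie_name}={member_id}; Path=/; HttpOnly"
    elif mode == "prefix":
        name, _, rest = out.get("Set-Cookie", "").partition("=")
        if name.strip() != cookie_name:
            raise ValueError(f"prefix mode needs the application to set cookie {cookie_name!r}")
        out["Set-Cookie"] = f"{cookie_name}={member_id}~{rest}"
    else:
        raise ValueError(f"unknown persistence mode {mode!r}")
    return out


def lb_member_from_cookie(cookie_header: str, cookie_name: str, mode: str, members: set):
    """Return the member a request sticks to, or None to balance afresh. The
    value is client-supplied, so honour it only if it names a real pool member."""
    value = parse_cookies(cookie_header).get(cookie_name)
    if value is None:
        return None
    member = value if mode == "insert" else value.split("~", 1)[0]
    return member if member in members else None


if __name__ == "__main__":
    LB_IP = "10.10.10.5"                                        # constructed
    req = lb_insert_xff(Request("198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}))
    at_backend = Request(LB_IP, req.headers)
    print("trusted parse:", client_ip_from_xff(at_backend, {LB_IP}))   # 198.51.100.7
    print("naive parse:  ", naive_client_ip(at_backend))               # 10.0.0.1 (spoofed)
```

The spoof case is the one to remember: a client sends `X-Forwarded-For: 10.0.0.1`, the Edge appends the real address, and a back end that reads the leftmost entry logs or whitelists an address the attacker chose. Persistence cookies get the same treatment; a tampered member name is discarded rather than used to steer traffic.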
  o Edit
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Load Balancer’ > ‘Application Profiles’
    Select the application profile in the list you want to edit
    Select the ‘pencil’
    Make edits
    Confirm
  o Delete
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Load Balancer’ > ‘Application Profiles’
    Select the application profile in the list you want to delete
    Select the ‘X’
    Confirm
Add/Edit/Delete virtual servers
  o Add
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Load Balancer’ > ‘Virtual Servers’
    Select the ‘+’
    Input a ‘Name’
    Input a ‘Description’ as necessary
    Input the ‘IP Address’ the load balancer listens on. It must already be configured as a primary or secondary address on one of the Edge’s interfaces
    Select the ‘Protocol’
      HTTP
      HTTPS
      TCP
    Input a ‘Port’
    Select a ‘Default Pool’ as necessary
    Select an ‘Application Profile’
    Select the ‘+’ to add an ‘Application Rule’ as necessary
    Input a ‘Connection Limit’ as necessary: the maximum number of concurrent connections to this virtual server
    Input a ‘Connection Rate Limit’ as necessary: the maximum number of new connections per second. Together the two limits keep a connection flood against one virtual server from exhausting the Edge
    Confirm
  o Edit
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Load Balancer’ > ‘Virtual Servers’
    Select the virtual server in the list you want to edit
    Select the ‘pencil’
    Make edits
    Confirm
  o Delete
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Load Balancer’ > ‘Virtual Servers’
    Select the virtual server in the list you want to delete
    Select the ‘X’
    Confirm
Configure global server load balancing
  o Configure
    I’m not really sure how this is much different from the first item in the objective. You follow the same steps to configure global server load balancing:
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Load Balancer’
    Select ‘Edit’
    Enable services
      Select ‘Enable Load balancer’: allows the NSX Edge load balancer to distribute traffic to internal servers
      Select ‘Enable Service Insertion’: allows a 3rd party load balancer to be integrated
      Select ‘Acceleration Enabled’: uses the faster L4 load-balancing engine rather than the L7 engine. Virtual servers whose profile needs L7 features (cookie persistence, header insertion, HTTPS termination) are still handled by the L7 engine
      Select ‘Logging’: collects traffic logs
        Select ‘Log Level’
Determine appropriate NSX Edge instance size based on load balancing requirements
  o The X-Large NSX Edge is best for environments with a large number of concurrent load balancer connections
Objective 6.2 – Configure and Manage Logical Virtual Private Networks (VPN)
Configure IPSec VPN
  o Add/Edit/Disable IPSec VPN Service
    Add
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘VPN’ > ‘IPSec VPN’
      Select the ‘+’
      Select ‘Enabled’
      Input a ‘Name’ as necessary
      Input the ‘Local ID’: the IP address or FQDN by which this NSX Edge identifies itself to the peer
      Input the ‘Local Endpoint’: the IP address of the Edge interface the tunnel terminates on
        If the VPN is IP to IP, the ‘Local Endpoint’ and ‘Local ID’ can be the same
      Input the ‘Local Subnets’ that will be shared, in CIDR notation. Example: 10.10.10.0/24
      Input a ‘Peer ID’
        Certificate authentication: the Peer ID must equal the common name (CN) of the peer’s certificate
        PSK: can be any string
        VMware recommendation: use the peer’s public IP address or FQDN as the Peer ID
      Input a ‘Peer Endpoint’
        If left blank, NSX Edge does not initiate; it waits for the peer to connect, and any source address may attempt the negotiation
      Input the ‘Peer Subnets’
        Use a comma to separate subnets
      Select ‘Encryption Algorithm’
        AES
        AES256
        3DES
        AES-GCM
        Encryption must match on the peer side as well
        3DES is a legacy 64-bit block cipher; prefer AES256 or AES-GCM unless the peer cannot do better
      Select ‘Authentication’
        PSK
        Certificate: configured at the global level
      Input a ‘Pre-Shared Key’
        Must match the peer side for the connection to establish. Use a long random string: with PSK authentication this key is the only secret that proves the peer’s identity
      Select ‘Diffie-Hellman Group’
        DH2
        DH5
        The group must match on the peer side as well
        DH2 is 1024-bit MODP; prefer DH5 (1536-bit) or higher where the peer supports it
      Select ‘Enable Perfect Forward Secrecy (PFS)’: each IPsec SA gets its own Diffie-Hellman exchange, so compromise of the IKE keys does not expose previously captured tunnel traffic
      Select ‘Publish Changes’ to complete
    Edit
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘VPN’ > ‘IPSec VPN’
      Select the VPN connection you wish to edit
      Select the ‘pencil’
      Make edits
      Select ‘Publish Changes’ to complete
    Disable
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘VPN’ > ‘IPSec VPN’
      Select the VPN connection you wish to delete
      Select the ‘X’
      Confirm
      Select ‘Publish Changes’ to complete
      To disable a site without removing it, edit the site and clear ‘Enabled’ instead
  o Configure IPSec VPN parameters
    Configure
      Configuring the VPN parameters is no different from adding a VPN connection as above. I’m adding in how to configure the Global IPSec VPN parameters, as that is not mentioned in the blueprint but is something I feel is worthwhile knowledge.
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘VPN’ > ‘IPSec VPN’
      Select the ‘Change’ link under ‘Global Configuration Status’
      Input a ‘Pre-Shared Key’. It is used for every site whose ‘Peer Endpoint’ is left as any, so it authenticates whichever address shows up; treat it with the same care as a per-site key
      Select ‘Display shared key’ to see the key in plaintext
      Select ‘Enable Certificate Authentication’
      Select an appropriate certificate from any of the lists
        Service Certificates
        CA Certificates
        CRL
      Select ‘Publish Changes’ to complete
  o Enable logging
    Enable
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘VPN’ > ‘IPSec VPN’
      Select the ‘>’ next to ‘Logging Policy’
      Select ‘Enable Logging’
      Select the ‘Log Level’
      Select ‘Publish Changes’ to complete
Configure Layer 2 VPN
  o Enable Layer 2 VPN
    Enable
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘VPN’ > ‘L2 VPN’
      Select ‘Enable’
      You will get a notification stating you need to configure ‘Server’ and ‘Client’
  o Add Layer 2 VPN Client/Server
    Add Client
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘VPN’ > ‘L2 VPN’
      Select ‘Client’
      Select ‘Change’
      Select the ‘>’ next to ‘Client Details’
      Input a ‘Server Address’: the address of the L2 VPN server this client connects to. The client and server roles must be on different NSX Edges, but they can sit on the same subnet
      Input a ‘Listener Port’ if necessary; 443 is the default and most often used
      Select an ‘Internal Interface’
      Input a ‘Description’ as necessary
      Select the ‘>’ next to ‘User Details’
      Input a ‘User ID’
      Input a ‘Password’
      Input the password again in ‘Re-type Password’
      Select the ‘>’ next to ‘Proxy Settings’
      Select ‘Enable Secure Proxy’ as necessary
        Input the ‘Address’ of the proxy
        Input the ‘Port’ of the proxy
        Input a ‘User Name’ as necessary
        Input a ‘Password’ as necessary
      Select ‘Validate Server Certificate’ as necessary
        Select a certificate from the list
        Leaving ‘Validate Server Certificate’ unchecked disables validation: the client will bring up the tunnel to anything that answers on the server address, so an attacker who can intercept the path can terminate the stretched Layer 2 network on their own host. Leave it enabled outside a lab
      Select ‘Publish Changes’ to complete
    Add Server
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘VPN’ > ‘L2 VPN’
      Select ‘Server’
      Select ‘Change’
      Select the ‘>’ next to ‘Server Details’
      Input a ‘Listener IP’ on the external interface of the NSX Edge
      Input a ‘Listener Port’ if necessary; 443 is the default and most often used
      Select an ‘Encryption Algorithm’
        RC4-MD5
        AES128-SHA
        AES256-SHA
        DES-CBC3-SHA
        RC4-MD5 and DES-CBC3-SHA are legacy suites; choose AES128-SHA or AES256-SHA
      Select ‘Internal Interface’
      Select the ‘>’ next to ‘User Details’
      Input a ‘User ID’
      Input a ‘Password’
      Input the password again in ‘Re-type Password’
      Select a ‘Server Certificate’ from the list
        If none, select ‘Use System Generated Certificate’. That certificate is self-signed, so clients have nothing to validate it against; use a CA-issued certificate when the client is set to validate
      Select ‘Publish Changes’ to complete
  o View Layer 2 VPN Statistics
    View
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘VPN’ > ‘L2 VPN’
      Select ‘Fetch Status’
      View statistics
Configure Network Access/Web Access SSL VPN-Plus
  o Edit Client Configurations
    Edit
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Client Configuration’
      Select ‘Change’
      Select ‘Tunneling mode’
        Full: the NSX Edge Gateway becomes the client’s default gateway and all traffic, including local Internet traffic and VPN traffic, flows through the NSX Edge Gateway
          Select ‘Exclude local subnets’ as necessary
          Input a ‘Default gateway’ as necessary
        Split: only traffic destined for the VPN network, or for networks behind the VPN, flows over the VPN. All other traffic uses the normal default gateway of the network on the client side
      Select ‘Enable auto reconnect’ as necessary
      Select ‘Client upgrade notification’ as necessary
  o Edit General Settings
    Edit
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘General Settings’
      Select ‘Change’
      Select ‘Prevent multiple logon using same username’ as necessary: allows a given user to be logged on only once
      Select ‘Enable compression’ as necessary: TCP data compression for improved transfer speeds. Compressing data before encrypting it can leak information about the plaintext through ciphertext length (the CRIME/BREACH class of attacks), so leave it off unless bandwidth demands it
      Select ‘Enable logging’ as necessary: maintains a log of all traffic passing through the SSL VPN
      Select ‘Force virtual keyboard’ as necessary: remote users can only enter their web or client login through the virtual keyboard
      Select ‘Randomize keys of virtual keyboard’ as necessary: randomizes the key layout of the virtual keyboard
      Select ‘Enable forced timeout’ as necessary
        Input a ‘Forced timeout’ in minutes: disconnects the user after that period, regardless of activity
      Input a ‘Session idle timeout’ value as necessary
        Default: 10 minutes
        Disconnects users after that period of inactivity on the VPN connection
      Input a ‘User notification’ as necessary
        Default: nothing
        Message displayed to the user on a successful connection
      Select ‘Enable public URL access’ as necessary: remote users are allowed to reach any site, not only those the administrator configured on the web portal. This makes the Edge an open web proxy for authenticated users; leave it off unless that is intended
  o Edit Web Portal Designs
    Edit
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Portal Customization’
      Select ‘Change’ under ‘Web Portal Design’
      Input a ‘Portal Title’
      Input a ‘Company Name’
      Select a ‘Logo’
      Change ‘Colors’ as necessary
        Title Background
        Menu bar Background
        Logo Background
        Body Background
        List Row
        List Alternate Row
        Title Text
      Select ‘Change’ under ‘Full Access Client Design’
      Select a ‘Banner’ as necessary
      Select ‘Icons’ as necessary
        Connected
        Connected with error
        Disconnected
        Desktop
      Select ‘Set to default’ if you want to revert all changes
  o Add/Edit/Delete IP Pools
    Add
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘IP Pool’
      Select the ‘+’
      Input an ‘IP Range’ and ‘To’
      Input a ‘Netmask’
      Input a ‘Gateway’
      Input a ‘Description’ as necessary
      Select ‘Status’
        Enabled
        Disabled
      Input a ‘Primary DNS’ as necessary
      Input a ‘Secondary DNS’ as necessary
      Input a ‘DNS Suffix’ as necessary
      Input a ‘WINS Server’ as necessary
    Edit
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘IP Pool’
      Select the ‘IP Pool’ you want to edit
      Select the ‘pencil’
      Make edits
    Delete
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘IP Pool’
      Select the ‘IP Pool’ you want to delete
      Select the ‘X’
      Confirm
  o Enable/Disable IP Pools
    Enable
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘IP Pool’
      Select the ‘IP Pool’ you want to enable
      Select the ‘checkmark’
    Disable
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘IP Pool’
      Select the ‘IP Pool’ you want to disable
      Select the ‘crossout’
  o Add/Edit/Delete Private Networks
    Add
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Private Networks’
      Select the ‘+’
      Input a ‘Network’
      Input a ‘Netmask’
      Input a ‘Description’ as necessary
      Select ‘Send Traffic’
        Over Tunnel: traffic for this network is sent through the SSL VPN
        Bypass Tunnel: the client reaches this network directly over its local connection, so it is neither encrypted nor inspected by the Edge
      Select ‘Enable TCP Optimization’ as necessary: avoids the TCP-over-TCP overhead for the listed ports; applies only to traffic sent over the tunnel
      Input ‘Ports’ as necessary
      Select ‘Status’
        Enabled
        Disabled
    Edit
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Private Networks’
      Select the ‘Private Network’ you want to edit
      Select the ‘pencil’
      Make edits
    Delete
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Private Networks’
      Select the ‘Private Network’ you want to delete
      Select the ‘X’
      Confirm
  o Enable/Disable Private Networks
    Enable
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Private Networks’
      Select the ‘Private Network’ you want to enable
      Select the ‘checkmark’
    Disable
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Private Networks’
      Select the ‘Private Network’ you want to disable
      Select the ‘crossout’
  o Add/Edit/Delete Installation Packages
    Add
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Installation Packages’
      Select the ‘+’
      Input a ‘Profile Name’
      Input a ‘Gateway’: the address the client will connect to
        Add another gateway as necessary using the ‘+’
      Select ‘Create installation package for’
        Windows (default)
        Linux
        Mac
      Input a ‘Description’ as necessary
      Select a ‘Status’
        Enabled
        Disabled
      Select ‘Installation Parameters for Windows’ as necessary
        Start client on logon
        Allow remember password (the credential is then stored on the endpoint)
        Enable silent mode installation
        Hide SSL client network adapter
        Hide client system tray icon
        Create desktop icon (default)
        Enable silent mode operation
        Server security certificate validation (leave this on; without it the client will connect to any gateway presenting any certificate)
    Edit
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Installation Packages’
      Select the ‘Installation Package’ you want to edit
      Select the ‘pencil’
      Make edits
    Delete
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Installation Packages’
      Select the ‘Installation Package’ you want to delete
      Select the ‘X’
      Confirm
  o Add/Edit/Delete Users
    Add
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Users’
      Select the ‘+’
      Input a ‘User ID’
      Input a ‘Password’ and enter it again
      Input a ‘First Name’ as necessary
      Input a ‘Last Name’ as necessary
      Input a ‘Description’ as necessary
      Select ‘Password never expires’ as necessary (may not be a best practice)
      Select ‘Allow change password’ as necessary
        Select ‘Change password on next login’ as necessary
      Select ‘Status’
        Enabled
        Disabled
    Edit
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Users’
      Select the ‘User’ in the list you want to edit
      Select the ‘pencil’
      Make edits
    Delete
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Users’
      Select the ‘User’ in the list you want to delete
      Select the ‘X’
      Confirm
  o Add/Edit/Delete Login/Logoff script
    Add
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Login/Logoff Script’
      Select the ‘+’
      Browse to the ‘Script’. It runs on every connecting client with that user’s privileges, so only upload scripts you control and review
      Select ‘Type’
        Login
        Logoff
        Both
      Input a ‘Description’ as necessary
      Select ‘Status’
        Enabled
        Disabled
    Edit
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Login/Logoff Script’
      Select the ‘Login/Logoff Script’ you want to edit
      Select the ‘pencil’
      Make edits
    Delete
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Login/Logoff Script’
      Select the ‘Login/Logoff Script’ you want to delete
      Select the ‘X’
      Confirm
  o Enable/Disable Login/Logoff script
    Enable
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Login/Logoff Script’
      Select the ‘Login/Logoff Script’ you want to enable
      Select the ‘checkmark’
    Disable
      Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘SSL VPN-PLUS’ > ‘Login/Logoff Script’
      Select the ‘Login/Logoff Script’ you want to disable
      Select the ‘crossout’
Determine appropriate VPN service type for a given NSX implementation
  o SSL VPN-Plus: typically used to give remote users access to the corporate network and its private applications
  o IPSec VPN: typically used for site-to-site connectivity between an NSX Edge and remote sites
  o L2 VPN: typically used to extend the datacenter across geographical boundaries so that virtual machines keep their network connectivity when moved
Determine appropriate NSX Edge instance size based on VPN requirements
  o The Large NSX Edge supports more concurrent SSL VPN-Plus users
  o If more than one type of Edge service is being provided, for example load balancing as well as SSL VPN, an NSX Edge larger than ‘Large’ may be necessary to accommodate the load on the appliance
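Most of the choices in this objective are security choices: the IPSec cipher and Diffie-Hellman group, whether PFS is on, how strong the pre-shared key is and whether the peer endpoint is pinned, the L2 VPN cipher suite and server-certificate validation, and the SSL VPN-Plus session controls. The following is an added example, not code from the study guide or from VMware: a lint that takes those settings as a plain dictionary (field names follow the Web Client labels) and reports the weak ones. The thresholds and the sample configuration are this example's own, not NSX defaults.

```python
"""Lint for NSX Edge VPN settings as described in the text: IPSec site
parameters, L2 VPN server/client settings and SSL VPN-Plus general settings.
Added example; policy thresholds are this example's choices."""
import math
from collections import Counter

WEAK_IPSEC_ENCRYPTION = {"3DES"}
WEAK_DH_GROUPS = {"DH2"}                               # 1024-bit MODP
WEAK_L2VPN_CIPHERS = {"RC4-MD5", "DES-CBC3-SHA"}
MIN_PSK_LENGTH = 20
MIN_PSK_ENTROPY_BITS = 80


def psk_entropy_bits(psk: str) -> float:
    """Shannon estimate from the key's own character frequencies. It is an
    upper bound: a dictionary phrase scores higher here than it deserves."""
    if not psk:
        return 0.0
    n = len(psk)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(psk).values())
    return per_char * n


def lint_ipsec_site(site: dict) -> list:
    f = []
    if site.get("encryption") in WEAK_IPSEC_ENCRYPTION:
        f.append("3DES is a legacy cipher; use AES256 or AES-GCM")
    if site.get("dh_group") in WEAK_DH_GROUPS:
        f.append("DH2 is 1024-bit; use DH5 or higher if the peer supports it")
    if not site.get("pfs"):
        f.append("Perfect Forward Secrecy is off")
    if site.get("authentication") == "PSK":
        psk = site.get("psk", "")
        if len(psk) < MIN_PSK_LENGTH or psk_entropy_bits(psk) < MIN_PSK_ENTROPY_BITS:
            f.append("pre-shared key is short or low-entropy; use a long random key or certificates")
    if not site.get("peer_endpoint"):
        f.append("peer endpoint is blank (any): any address may attempt to negotiate with this key")
    return [f"ipsec {site.get('name', '?')}: {x}" for x in f]


def lint_l2vpn(server: dict, client: dict) -> list:
    f = []
    cipher = server.get("encryption")
    if cipher in WEAK_L2VPN_CIPHERS:
        f.append(f"server: {cipher} is weak; use AES128-SHA or AES256-SHA")
    if server.get("use_system_generated_certificate"):
        f.append("server: system-generated certificate is self-signed; clients cannot check it against a CA")
    if not client.get("validate_server_certificate"):
        f.append("client: 'Validate Server Certificate' is off; the client will trust any server")
    return [f"l2vpn {x}" for x in f]


def lint_sslvpn_general(s: dict) -> list:
    f = []
    if not s.get("prevent_multiple_logon"):
        f.append("'Prevent multiple logon using same username' is off")
    if not s.get("forced_timeout_minutes"):
        f.append("no forced timeout; sessions can live indefinitely")
    if s.get("session_idle_timeout_minutes", 10) > 30:
        f.append("idle timeout above 30 minutes")
    if not s.get("logging"):
        f.append("logging is off")
    return [f"sslvpn: {x}" for x in f]


def lint_edge_vpn(config: dict) -> list:
    findings = []
    for site in config.get("ipsec_sites", []):
        findings += lint_ipsec_site(site)
    if "l2vpn" in config:
        findings += lint_l2vpn(config["l2vpn"].get("server", {}), config["l2vpn"].get("client", {}))
    if "sslvpn" in config:
        findings += lint_sslvpn_general(config["sslvpn"])
    return findings


# Constructed configuration for the demonstration; not exported from a real Edge.
SAMPLE_CONFIG = {
    "ipsec_sites": [
        {"name": "branch-a", "encryption": "3DES", "dh_group": "DH2", "pfs": False,
         "authentication": "PSK", "psk": "password1", "peer_endpoint": ""},
        {"name": "branch-b", "encryption": "AES-GCM", "dh_group": "DH5", "pfs": True,
         "authentication": "Certificate", "peer_endpoint": "203.0.113.10"},
    ],
    "l2vpn": {"server": {"encryption": "RC4-MD5", "use_system_generated_certificate": True},
              "client": {"validate_server_certificate": False}},
    "sslvpn": {"prevent_multiple_logon": False, "forced_timeout_minutes": 0,
               "session_idle_timeout_minutes": 10, "logging": True},
}

if __name__ == "__main__":
    for line in lint_edge_vpn(SAMPLE_CONFIG):
        print(line)
```

Run it against an exported configuration before publishing changes; `branch-a` in the sample trips every IPSec check, `branch-b` none. The entropy estimate deliberately errs on the generous side, so a key that fails it is weak without question.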
Objective 6.3 – Configure and Manage DHCP/DNS/NAT
Add/Edit a DHCP IP pool
  o Add
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘DHCP’ > ‘Pools’
    Select the ‘+’
    Select ‘Auto Configure DNS’ as necessary
    Select ‘Lease never expires’ as necessary
    Input a ‘Start IP’
    Input an ‘End IP’
    Input a ‘Domain Name’ as necessary
    Input a ‘Primary Name Server’ as necessary
    Input a ‘Secondary Name Server’ as necessary
    Input a ‘Default Gateway’ as necessary
    Input a ‘Lease Time’ as necessary
      Default: 86400 seconds
  o Edit
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘DHCP’ > ‘Pools’
    Select the ‘Pool’ you want to edit
    Select the ‘pencil’
    Make edits
Enable a DHCP IP pool
  o Enable
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘DHCP’
    Select ‘Enable’
    Select ‘Enable logging’ as necessary
    Select a ‘Log level’ as necessary
    Select ‘Publish Changes’
Add/Edit DHCP static binding
  o Add
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘DHCP’ > ‘Bindings’
    Select the ‘+’
    Select ‘Auto Configure DNS’ as necessary
    Select ‘Lease never expires’ as necessary
    Select an ‘Interface’
    Select a ‘VM Name’
    Select a ‘VM vNIC Index’
    Input a ‘Host Name’
    Input an ‘IP Address’
    Input a ‘Domain Name’ as necessary
    Input a ‘Primary Name Server’ as necessary
    Input a ‘Secondary Name Server’ as necessary
    Input a ‘Default Gateway’ as necessary
    Input a ‘Lease Time’ as necessary
      Default: 86400 seconds
    Select ‘Publish Changes’
  o Edit
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘DHCP’ > ‘Bindings’
    Select the ‘Binding’ you want to edit
    Select the ‘pencil’
    Make edits
    Select ‘Publish Changes’
Configure DNS services
  o Configure
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Settings’ > ‘Configuration’
    Select ‘Change’ under ‘DNS Configurations’
    Select ‘Enable DNS Service’
    Input a ‘DNS Server 1’
    Input a ‘DNS Server 2’ as necessary
    Input a ‘Cache Size’
      Default: 16
    Select ‘Enable logging’ as necessary
    Select ‘Log level’
Add Source NAT (SNAT) rule
  o Add
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘NAT’
    Select the ‘+’
    Select ‘Add SNAT Rule’
    Select an ‘Applied On’ interface: the interface the traffic leaves through, normally the uplink
    Input an ‘Original Source IP/Range’
    Input a ‘Translated Source IP/Range’
    Input a ‘Description’ as necessary
    Select ‘Enabled’ as necessary
    Select ‘Enable logging’ as necessary
    Select ‘Publish Changes’
Add Destination NAT (DNAT) rule
  o Add
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘NAT’
    Select the ‘+’
    Select ‘Add DNAT Rule’
    Select an ‘Applied On’ interface: the interface the traffic arrives on
    Input an ‘Original IP/Range’
    Select a ‘Protocol’ as necessary
    Input an ‘Original Port/Range’ or select ‘any’
    Input a ‘Translated IP/Range’
    Input a ‘Translated Port/Range’ or select ‘any’
    Input a ‘Description’ as necessary
    Select ‘Enabled’ as necessary
    Select ‘Enable logging’ as necessary
    Select ‘Publish Changes’
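To see what the SNAT and DNAT fields above actually do to a packet, here is an added example (not code from the study guide or from VMware) that models the two rule types with the same fields the Web Client asks for. First-match evaluation, the requirement that a rule's 'Applied On' interface equals the interface the packet uses, and position-for-position mapping of port ranges are this model's assumptions about Edge behaviour; the addresses and rules are constructed.

```python
"""Model of NSX Edge SNAT/DNAT rules and their effect on a packet.
Added example; rule fields mirror the Web Client labels, the evaluation
semantics are this model's assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def ip_in(value: str, spec: str) -> bool:
    """spec is 'any', a single address, or a CIDR such as 10.10.10.0/24."""
    return spec == "any" or ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)


def port_range(spec) -> tuple:
    """'any' -> (1, 65535); '80' -> (80, 80); '8000-8009' -> (8000, 8009)."""
    if spec == "any":
        return (1, 65535)
    lo, _, hi = str(spec).partition("-")
    return (int(lo), int(hi or lo))


@dataclass
class DnatRule:
    applied_on: str          # interface the traffic arrives on
    original_ip: str
    protocol: str            # 'tcp', 'udp' or 'any'
    original_port: str
    translated_ip: str
    translated_port: str
    enabled: bool = True


@dataclass
class SnatRule:
    applied_on: str          # interface the traffic leaves through
    original_source: str
    translated_source: str
    enabled: bool = True


def apply_dnat(pkt: Packet, rules: list) -> Packet:
    """Rewrite the destination on the first enabled rule whose interface,
    protocol, original IP and original port all match. A port range maps
    position-for-position (8000-8009 -> 80-89 sends 8003 to 83)."""
    for r in rules:
        if not r.enabled or r.applied_on != pkt.in_iface:
            continue
        if r.protocol != "any" and r.protocol != pkt.proto:
            continue
        lo, hi = port_range(r.original_port)
        if not (ip_in(pkt.dst, r.original_ip) and lo <= pkt.dport <= hi):
            continue
        tlo, thi = port_range(r.translated_port)
        new_port = pkt.dport if r.translated_port == "any" else tlo + (pkt.dport - lo)
        if new_port > thi:
            raise ValueError("translated port range is shorter than the original range")
        return Packet(pkt.in_iface, pkt.proto, pkt.src, pkt.sport, r.translated_ip, new_port)
    return pkt


def apply_snat(pkt: Packet, rules: list, out_iface: str) -> Packet:
    """Rewrite the source on the first enabled rule for the egress interface
    whose original range contains the packet's source."""
    for r in rules:
        if r.enabled and r.applied_on == out_iface and ip_in(pkt.src, r.original_source):
            return Packet(pkt.in_iface, pkt.proto, r.translated_source, pkt.sport, pkt.dst, pkt.dport)
    return pkt


# Constructed rules: publish a web server and a range of test ports, hide the
# internal subnet behind the uplink address, keep a disabled SSH rule around.
DNAT_RULES = [
    DnatRule("uplink", "203.0.113.10", "tcp", "443", "10.10.10.20", "443"),
    DnatRule("uplink", "203.0.113.10", "tcp", "8000-8009", "10.10.10.30", "80-89"),
    DnatRule("uplink", "203.0.113.11", "tcp", "22", "10.10.10.40", "22", enabled=False),
]
SNAT_RULES = [SnatRule("uplink", "10.10.10.0/24", "203.0.113.10")]

if __name__ == "__main__":
    inbound = Packet("uplink", "tcp", "198.51.100.7", 51000, "203.0.113.10", 8003)
    print(apply_dnat(inbound, DNAT_RULES))          # dst 10.10.10.30:83
    reply = Packet("internal", "tcp", "10.10.10.30", 83, "198.51.100.7", 51000)
    print(apply_snat(reply, SNAT_RULES, "uplink"))  # src 203.0.113.10
```

The disabled rule is the check worth keeping: a DNAT rule that exists but is not enabled, or that is applied on the wrong interface, leaves the packet untouched, which is the usual reason a freshly published service "does not answer".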
Objective 6.4 – Configure and Manage Edge Services High Availability
Describe NSX Edge High Availability
  o The NSX Edge appliance is paired with a second appliance in an active/standby configuration
  o The NSX Edge configuration is replicated from the active to the standby appliance
  o All NSX Edge services run on the active appliance
  o The active and standby appliances exchange heartbeats over an internal interface, which also carries service state updates
  o The ‘Declare Dead Time’ is 15 seconds by default: if the standby misses heartbeats for that long it declares the active appliance dead and takes over
  o NSX creates a DRS anti-affinity rule so that the active and standby appliances are not placed on the same host
Explain Edge High Availability best practices
  o Place the active and standby appliances on different datastores and in separate resource pools
    If the same datastore is used, it must be shared across all hosts
    If the datastore is local, both appliances will be placed on the same host (bad practice in my opinion)
  o Configure syslog services to debug system events
  o If you manually vMotion the active and standby appliances onto the same host, be sure to move them apart when done
  o Link-local addressing is assigned to the NSX Edge HA pair by default, but setting known management IP addresses is beneficial for documentation and reduces complexity
Describe service availability during an Edge High Availability failover
  o Service is briefly interrupted while VPN and Load Balancer TCP sessions are re-established
  o If the failed VM is unrecoverable, the old one must be deleted and a new one created
  o If the failed VM is recovered, it assumes the configuration of the active appliance and stays in standby mode
Differentiate NSX Edge High Availability and vSphere High Availability
  o NSX Edge High Availability
    HA is established through an active/standby pair of appliances
    The heartbeat runs over an internal network and carries service synchronization
    Without vSphere HA the pair survives only one failure; if the first failure is not resolved, a second one leaves the Edge and every service it hosts unavailable
    The heartbeat timeout on the appliances defaults to 15 seconds
  o vSphere High Availability
    The NSX Edge is treated like any other VM and is restarted on another host after a host failure
    Responsible for restarting all VMs on a host, according to their priority values
    Uses both datastore and network heartbeating to guard against false positives
Configure NSX Edge High Availability
  o Configure heartbeat settings
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Settings’
    Select ‘Change’ under ‘HA Configuration’
    Select ‘HA Status’
      Enabled
      Disabled
    Select a ‘vNIC’ as necessary: the internal interface the heartbeat runs on
    Select a ‘Declare Dead Time’ as necessary
      Default: 15 seconds
  o Configure management IP addresses
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Settings’
    Select ‘Change’ under ‘HA Configuration’
    Select ‘HA Status’
      Enabled
      Disabled
    Input the ‘Management IPs’ as necessary
      Link-local addressing is used unless otherwise stated
Modify an existing Edge High Availability deployment
  o Modify
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Settings’
    Select ‘Change’ under ‘HA Configuration’
    Make edits
Determine resource pool requirements for a given Edge High Availability configuration
  o The two appliances should be in separate resource pools if possible
Section 7 – Configure and Administer Network Security
Objective 7.1 – Configure and Administer Logical Firewall Services
Add/Edit/Delete an Edge Firewall rule
  o Add
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Firewall’
    Rules can be added in several ways
      Add above or below an existing rule
        Select the ‘+’ icon in the ‘No.’ column of the rule you want to add above or below
        Select a position
          Add Above
          Add Below
      Add a rule by copying an existing rule
        Select the ‘+’ icon in the ‘No.’ column of the rule you want to copy
        Select ‘Copy’
        Select the ‘+’ icon in the ‘No.’ column of the rule you want to place the new rule above or below
        Select a position
          Paste Above
          Paste Below
      Add a rule anywhere in the firewall table
        Select the ‘+’ and a new rule is added above the ‘Default Rule’ in the list
    Select the ‘+’ in the ‘Name’ column
    Input a ‘Rule Name’ as necessary
    Source can be set in two ways
      Select the ‘+’
        Any
        Specific: Cluster, Distributed Port Group, Datacenter, IP Sets, Network, Resource Pool, Security Group, Logical Switch, Virtual App, Virtual Machine, vNIC Group
      Select the ‘IP’ icon
        Input a ‘Source IP Address’
    Destination can be set in two ways
      Select the ‘+’
        Any
        Specific: Cluster, Distributed Port Group, Datacenter, IP Sets, Network, Resource Pool, Security Group, Logical Switch, Virtual App, Virtual Machine, vNIC Group
      Select the ‘IP’ icon
        Input a ‘Destination IP Address’
    Service can be set in two ways
      Select the ‘+’
        Choose an existing Service/Service Group or select ‘New’ and create a new one
      Select the ‘Service’ icon
        Select a ‘Protocol’
        Select ‘Advanced options’ as necessary
          Input ‘Source ports’
    Action
      Select ‘Action’
        Accept
        Deny
      Select ‘Log’ as necessary
        Log
        Do not log
      Input ‘Comments’ as necessary
      Select the ‘>’ under ‘Advanced Options’
        Select ‘Match on’ as necessary
          Original (default): the rule is matched against addresses before NAT is applied
          Translated: the rule is matched against addresses after NAT. A rule for a server published through DNAT must name the internal address when this is selected and the public address when it is not
        Select ‘Enable Rule Direction’ as necessary
          Incoming
          Outgoing
    Select ‘Publish Changes’
  o Edit
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Firewall’
    Select the rule you want to edit
    Make edits
    Select ‘Publish Changes’
  o Delete
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Firewall’
    Select the rule you want to delete
    Select the ‘X’
    Confirm
    Select ‘Publish Changes’
Configure Source/Destination/Service/Action rule components
  o Configure Source
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Firewall’
    Select the rule you want to configure the ‘Source’ on
    Source can be set in two ways
      Select the ‘+’
        Any
        Specific: Cluster, Distributed Port Group, Datacenter, IP Sets, Network, Resource Pool, Security Group, Logical Switch, Virtual App, Virtual Machine, vNIC Group
      Select the ‘IP’ icon
        Input a ‘Source IP Address’
    Select ‘Publish Changes’
  o Configure Destination
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Firewall’
    Select the rule you want to configure the ‘Destination’ on
    Destination can be set in two ways
      Select the ‘+’
        Any
        Specific: Cluster, Distributed Port Group, Datacenter, IP Sets, Network, Resource Pool, Security Group, Logical Switch, Virtual App, Virtual Machine, vNIC Group
      Select the ‘IP’ icon
        Input a ‘Destination IP Address’
    Select ‘Publish Changes’
  o Configure Service
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Firewall’
    Select the rule you want to configure the ‘Service’ on
    Service can be set in two ways
      Select the ‘+’
        Choose an existing Service/Service Group or select ‘New’ and create a new one
      Select the ‘Service’ icon
        Select a ‘Protocol’
        Select ‘Advanced options’ as necessary
          Input ‘Source ports’
    Select ‘Publish Changes’
  o Configure Action
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Firewall’
    Select the rule you want to configure the ‘Action’ on
    Select ‘Action’
      Accept
      Deny
    Select ‘Log’ as necessary
      Log
      Do not log
    Input ‘Comments’ as necessary
    Select the ‘>’ under ‘Advanced Options’
      Select ‘Match on’ as necessary
        Original: addresses before NAT
        Translated: addresses after NAT
      Select ‘Enable Rule Direction’ as necessary
        Incoming
        Outgoing
    Select ‘Publish Changes’
Change the order of an Edge Firewall rule. This seems to be the same exact item as the one on priority. I can’t find anything in the Admin document that suggests something different; it even refers to changing priority as changing the order. Rules are evaluated top down and the first match wins, so moving a rule is what changes its priority.
  o Change
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Firewall’
    Select the rule you want to change the order of
    Select the ‘Move Rule Up’ or ‘Move Rule Down’ icon
    Select ‘Publish Changes’
Change the priority of an Edge Firewall rule
  o Change
    Path: vSphere Web Client > ‘Networking & Security’ > ‘NSX Edges’ > select the NSX Edge Services Gateway in the list > ‘Manage’ > ‘Firewall’
    Select the rule you want to change the priority of
    Select the ‘Move Rule Up’ or ‘Move Rule Down’ icon
    Select ‘Publish Changes’
Objective 7.2 – Configure Distributed Firewall Services
Differentiate between Layer 2 and Layer 3 rules
  o Layer 2 rules
    Processed before Layer 3 rules
    Can only filter based on vCenter objects like port groups and vNICs
  o Layer 3 rules
    Processed after Layer 2 rules
    Can filter on IP as well as any Layer 2 objects
Differentiate between entity-based and identity-based rules
  o Entity-based rules
  o Identity-based rules
    These rules are based on user identities
Identify firewall rule entities
  o Datacenter
  o Cluster
  o Network
  o Virtual App
  o Resource Pool
  o Virtual Machine
  o vNIC
  o Logical switch
  o IPSet
  o Security group
Explain rule processing order
  o Rules are processed in the order in which they exist in the firewall table
  o They can be moved around as necessary
  o The default catch-all rule exists at the bottom of the list and cannot be removed
Explain rule segregation
  o Rules can be separated to allow finer granularity
  o Can be done at Layer 3 or Layer 2
Add/Delete a Distributed Firewall rule
  o Add
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Rules can be added several different ways
      Add above or below an existing rule
        o Select the ‘+’ icon from the ‘No.’ column on the rule you want to add above or below
        o Select a position
          Add Above
          Add Below
      Add a rule by copying an existing rule
        o Select the ‘+’ icon from the ‘No.’ column on the rule you want to copy
        o Select ‘Copy’
        o Select the ‘+’ icon from the ‘No.’ column on the rule you want to place this new rule above or below
        o Select a position
          Paste Above
          Paste Below
      Add a rule anywhere in the firewall table
        o Select the ‘+’ and a new rule will be added above the ‘Default Rule’ in the list
    Select the ‘+’ in the ‘Name’ column
    Input a ‘Rule Name’ as necessary
    Source can be set two ways
      Select the ‘View’
        o Any
        o Specific
          Cluster
          Distributed Port Group
          Datacenter
          IP Sets
          Network
          Resource Pool
          Security Group
          Logical Switch
          Virtual App
          Virtual Machine
          vNIC Group
      Select the items from ‘Available’
      Select the ‘>’ to move items over
      Select the ‘>’ under ‘Advanced Options’
        o Negate Source as necessary
      Select the ‘IP’
        o Input a ‘Source IP Address’
    Destination can be set two ways
      Select the ‘+’
        o Any
        o Specific
          Cluster
          Distributed Port Group
          Datacenter
          IP Sets
          Network
          Resource Pool
          Security Group
          Logical Switch
          Virtual App
          Virtual Machine
          vNIC Group
      Select the items from ‘Available’
      Select the ‘>’ to move items over
      Select the ‘>’ under ‘Advanced Options’
        o Negate Source as necessary
      Select the ‘IP’
        o Input a ‘Destination IP Address’
    Service can be set two ways
      Select the ‘+’
        o Choose an existing Service/Service Group or select ‘New’ and create a new one
      Select the ‘Service’ icon
        o Select a ‘Protocol’
        o Select ‘Advanced options’ as necessary
          Input ‘Source ports’
    Actions can be taken two ways
      Select ‘Action’
        o Accept
        o Deny
      Select ‘Log’ as necessary
        o Log
        o Do not log
      Input ‘Comments’ as necessary
    Select ‘Publish Changes’
  o Delete
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the rule you want to delete
    Select the ‘X’
    Select ‘Publish Changes’
Configure Source/Destination/Service/Action rule components
  o Configure Source
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the rule you want to configure the ‘Source’ on
    Source can be set two ways
      Select the ‘+’
        o Any
        o Specific
          Cluster
          Distributed Port Group
          Datacenter
          IP Sets
          Network
          Resource Pool
          Security Group
          Logical Switch
          Virtual App
          Virtual Machine
          vNIC Group
      Select the ‘IP’
        o Input a ‘Source IP Address’
    Select ‘Publish Changes’
  o Configure Destination
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the rule you want to configure the ‘Destination’ on
    Destination can be set two ways
      Select the ‘+’
        o Any
        o Specific
          Cluster
          Distributed Port Group
          Datacenter
          IP Sets
          Network
          Resource Pool
          Security Group
          Logical Switch
          Virtual App
          Virtual Machine
          vNIC Group
      Select the ‘IP’
        o Input a ‘Destination IP Address’
    Select ‘Publish Changes’
  o Configure Service
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the rule you want to configure the ‘Service’ on
    Service can be set two ways
      Select the ‘+’
        o Choose an existing Service/Service Group or select ‘New’ and create a new one
      Select the ‘Service’ icon
        o Select a ‘Protocol’
        o Select ‘Advanced options’ as necessary
          Input ‘Source ports’
    Select ‘Publish Changes’
  o Configure Action
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the rule you want to configure the ‘Action’ on
    Actions can be taken two ways
      Select ‘Action’
        o Accept
        o Deny
      Select ‘Log’ as necessary
        o Log
        o Do not log
      Input ‘Comments’ as necessary
      Select the ‘>’ under ‘Advanced Options’
        Select ‘Match on’ as necessary
          o Translated
          o Original
        Select ‘Enable Rule Direction’ as necessary
          o Incoming
          o Outgoing
    Select ‘Publish Changes’
Change the order of a Distributed Firewall rule
  o Change
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the rule you want to change the order on
    Select the ‘Move Rule Up’ or ‘Move Rule Down’ icon
    Select ‘Publish Changes’
Add/Merge/Delete a Distributed Firewall rule section
  o Add
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the rule you want to add a section on
    Select the ‘+’ in the ‘No.’ column
    Select ‘Add Section’
    Input a ‘Section Name’
    Select ‘Publish Changes’
  o Merge
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the section you want to merge a section with
    Right-click the ‘Section’ and select ‘Merge section’
    Select ‘Merge with above section’ or ‘Merge with below section’ as necessary
    Select ‘Publish Changes’
  o Delete
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the ‘Section’ you want to delete – the section must not have any rules in it
    Right-click the ‘Section’ and select ‘Delete section’
    Select ‘Publish Changes’
Determine publishing requirements for rules in a given NSX implementation
  o Firewall rules are only enforced on clusters on which you have enabled the firewall
  o Firewall rules can be saved and published later if necessary
    NSX can save up to 100 configurations. After the limit is exceeded, only configurations marked ‘Preserve Configuration’ are preserved. Others will be deleted to make room for the preserved ones.
Import/Export Distributed Firewall Configuration
  o Import
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Saved Configurations’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the ‘Import Configuration’ icon
    Select ‘Browse’ and find the XML file
  o Export
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2
    Select the ‘Export Configuration’ icon
    Select ‘Download’
    Save the XML
Load Distributed Firewall configuration
  o Load
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select ‘Configuration’
    Select either ‘General’ for Layer 3 or ‘Ethernet’ for Layer 2 – you have to load each separately
    Select the ‘Load Saved Configuration’ icon
    Select a ‘Configuration’
    Confirm
Determine need for excluding virtual machines from distributed firewall protection
  o vCenter living on the same cluster that the firewall is in use on
  o Any partner service machines that vCenter needs should be excluded
  o NSX Manager and service virtual machines are excluded
Configure and manage SpoofGuard
  o Create a SpoofGuard policy
    Create
      Open the vSphere Web Client
      Select ‘Networking & Security’
      Select ‘SpoofGuard’
      Select the ‘+’
      Input a ‘Policy Name’
      Select ‘SpoofGuard’
        o Enabled
        o Disabled
      Select an ‘Operation Mode’
        o Automatically trust IP assignments on their first use
        o Manually inspect and approve all IP assignments before use
      Select ‘Allow local address’ as necessary
      Select the ‘+’
      Select an item to ‘View’
        o Distributed Virtual Port Group
        o Network
        o Logical Switch
      Select a ‘Network’
  o Approve IP addresses – this process is done if ‘Manually inspect and approve all IP assignment before use’ is selected during creation of a SpoofGuard Policy
    Approve
      Open the vSphere Web Client
      Select ‘Networking & Security’
      Select ‘SpoofGuard’
      Select the ‘SpoofGuard’ policy from the list
      Select one of the items from the ‘View’ list
        o Active Virtual NICs
        o Active Virtual NICs Since Last Published
        o Virtual NICs IP Required Approval
        o Virtual NICs with Duplicate IP
        o Inactive Virtual NICs
        o Unpublished Virtual NICs IP
      Approval can be done two ways
        o Single IP Address
          Select the single IP address
          Select ‘Approve’
        o Multiple IP Addresses
          Select the vNIC
          Select ‘Approve Detected IP(s)’
  o Edit/Clear IP addresses
    Edit
      Open the vSphere Web Client
      Select ‘Networking & Security’
      Select ‘SpoofGuard’
      Select the ‘SpoofGuard’ policy from the list
      Select one of the items from the ‘View’ list
        o Active Virtual NICs
        o Active Virtual NICs Since Last Published
        o Virtual NICs IP Required Approval
        o Virtual NICs with Duplicate IP
        o Inactive Virtual NICs
        o Unpublished Virtual NICs IP
      Select the ‘Virtual NIC’
      Select the ‘pencil’
      Select the ‘+’
      Select an ‘IP Address’ type
        o IPv4
        o IPv6
      Input a ‘Value’
    Clear
      Open the vSphere Web Client
      Select ‘Networking & Security’
      Select ‘SpoofGuard’
      Select the ‘SpoofGuard’ policy from the list
      Select one of the items from the ‘View’ list
        o Active Virtual NICs
        o Active Virtual NICs Since Last Published
        o Virtual NICs IP Required Approval
        o Virtual NICs with Duplicate IP
        o Inactive Virtual NICs
        o Unpublished Virtual NICs IP
      Select the ‘Virtual NIC’
      Under the ‘Approved IP’ column select ‘Clear’
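The rule processing order and the export/load steps in this objective are easier to reason about with a model you can run. The following is an added example, not code from the study guide or from VMware: it parses a constructed, deliberately simplified XML document (the element names are a hand-made stand-in for an exported configuration, not the real export schema), evaluates a packet against the rules top to bottom with first-match semantics, models ‘Move Rule Up’, and audits the table for the things a reviewer looks for first: the default catch-all not being last, a rule that allows any/any/any, and deny rules that are not logged.

```python
"""Distributed Firewall rule-order model over a simplified, constructed export.

Added example. The XML below is hand-written and simplified; it is not a real
NSX 'Export Configuration' file, and the element names are an assumption made
for illustration only.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: two layer-3 sections, rules listed in table order,
# the default catch-all rule last (its action is 'allow', as shipped).
SAMPLE_EXPORT = """<firewallConfiguration><layer3Sections>
 <section name="Web tier">
  <rule id="1001" disabled="false" logged="true"><name>Allow HTTPS to web</name>
   <sources>any</sources><destinations>10.10.20.0/24</destinations>
   <services>tcp/443</services><action>allow</action></rule>
  <rule id="1002" disabled="false" logged="false"><name>Block RDP</name>
   <sources>any</sources><destinations>any</destinations>
   <services>tcp/3389</services><action>deny</action></rule>
 </section>
 <section name="Default Section Layer3">
  <rule id="1003" disabled="false" logged="false"><name>Default Rule</name>
   <sources>any</sources><destinations>any</destinations>
   <services>any</services><action>allow</action></rule>
 </section>
</layer3Sections></firewallConfiguration>"""


@dataclass
class Rule:
    rule_id: str
    name: str
    section: str
    sources: str        # 'any' or a CIDR (simplification of the real object model)
    destinations: str
    services: str       # 'any' or 'proto/port'
    action: str         # 'allow' or 'deny'
    logged: bool
    disabled: bool


def parse_rules(xml_text):
    """Return rules in table order; order is what the firewall evaluates."""
    root = ET.fromstring(xml_text)
    rules = []
    for section in root.iter("section"):
        for r in section.findall("rule"):
            rules.append(Rule(
                rule_id=r.get("id"), name=r.findtext("name"), section=section.get("name"),
                sources=r.findtext("sources"), destinations=r.findtext("destinations"),
                services=r.findtext("services"), action=r.findtext("action"),
                logged=r.get("logged") == "true", disabled=r.get("disabled") == "true"))
    return rules


def _match_addr(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _match_service(spec, proto, port):
    if spec == "any":
        return True
    sproto, _, sport = spec.partition("/")
    return sproto == proto and int(sport) == port


def first_match(rules, src, dst, proto, port):
    """First-match: walk the table top to bottom, the first enabled rule that
    matches source, destination and service decides; later rules are shadowed."""
    for r in rules:
        if r.disabled:
            continue
        if (_match_addr(r.sources, src) and _match_addr(r.destinations, dst)
                and _match_service(r.services, proto, port)):
            return r
    return None


def move_rule(rules, rule_id, up=True):
    """Model of 'Move Rule Up' / 'Move Rule Down'; returns a new ordered list."""
    rules = list(rules)
    i = next(k for k, r in enumerate(rules) if r.rule_id == rule_id)
    j = i - 1 if up else i + 1
    if 0 <= j < len(rules):
        rules[i], rules[j] = rules[j], rules[i]
    return rules


def audit(rules):
    """Findings a reviewer raises on a rule table before publishing it."""
    findings = []
    if not rules or rules[-1].name != "Default Rule":
        findings.append("default rule is not last")
    for r in rules:
        if r.action == "allow" and (r.sources, r.destinations, r.services) == ("any", "any", "any"):
            findings.append(f"rule {r.rule_id} allows any/any/any")
        if r.action == "deny" and not r.logged:
            findings.append(f"rule {r.rule_id} denies without logging")
    return findings


if __name__ == "__main__":
    table = parse_rules(SAMPLE_EXPORT)
    print(first_match(table, "192.0.2.5", "10.10.20.8", "tcp", 3389).name)   # Block RDP
    print(audit(move_rule(table, "1003", up=True)))   # moving the default up shadows rule 1002
```

The audit shows why the shipped default rule matters: while it is ‘allow’ and last, any traffic not explicitly matched above it is permitted, and moving it up silently shadows every deny beneath it.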
Objective 7.3 – Configure and Manage Service Composer
Identify assets that can be used with a Security Group
  o vCenter containers
    Clusters
    Port Groups
    Datacenters
  o Security Tags
  o IPSet
  o MACSet
  o Security Groups
  o Directory Groups (if connected to Active Directory)
  o Regular Expressions
Identify services contained in a Security Policy – table taken from page 117 of the NSX Administration Guide. Easier and simpler

Service                        | Description                                                                                                      | Applies to
Firewall rules                 | Rules that define the traffic to be allowed to, from, or within the security group                               | vNIC
Endpoint service               | Data Security or third party solution provider services such as anti-virus or vulnerability management services  | Virtual machines
Network introspection services | Services that monitor your network such as IPS                                                                   | Virtual machines
Identify common Service Composer use cases
  o Repeatable protection processes. Service Composer allows the creation of security services that can be applied consistently on each deployment
  o End-to-end protection of a
  o Allows multiple services to be applied to virtual machines with precedence
Differentiate Security Groups and Security Policies
  o Security Groups
    A static or dynamic grouping of virtual machines based on security tags and other criteria
  o Security Policies
    Are applied to Security Groups
    Consist of
      Endpoint
      Firewall
      Network introspection services
Create/Edit a Security Group in Service Composer
  o Create
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Groups’
    Select the ‘+’
    Input a ‘Name’
    Input a ‘Description’ as necessary
    Select the ‘+’ to ‘Define Dynamic Membership’
      This adds dynamic criteria that objects must meet to be part of the security group
      You can have multiple criteria and multiple criteria within one criteria (Inception)
      You do not have to perform this step
    Select ‘Filter’
      Select the objects to include in the security group
        Security Group – group within a group
        Cluster
        Logical Switch
        Network
        Virtual App
        Datacenter
        IP Sets
        Directory Group
        MAC Sets
        Security Tag
        vNIC
        Virtual Machine
        Resource Pool
        Distributed Port Group
    Select ‘Filter’
      Select the objects you want to exclude regardless of whether they meet the criteria or not
    Review
    Complete
  o Edit
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Groups’
    Select the ‘Name’ of the Security Group you want to edit
    Select the ‘pencil’
    Make edits
    Complete
Create/Edit/Delete a Security Policy
  o Create
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Policy’
    Select the ‘+’
    Input a ‘Name’ as necessary
    Input a ‘Description’ as necessary
    Select ‘Inherit security policy’ as necessary
      Select a ‘Parent policy’ to inherit the settings into this policy
    Select the ‘>’ under ‘Advanced options’
      Input a ‘Weight’
        Higher weights have higher precedence
        Value given is + 1000
          o Adjust accordingly
    Select the ‘+’ to add ‘Endpoint Services’ as necessary
      Input a ‘Name’
      Input a ‘Description’ as necessary
      Select an ‘Action’
        Apply
        Block
      Select a ‘Service Type’
        Anti Virus
        Vulnerability Management
        Data Security
      Select a ‘Service Name’
        Tied to the ‘Service Type’ selected above
        3rd party driven
      Select a ‘Service Configuration’
        Tied to the ‘Service Type’ selected above
        3rd party driven
      Select a ‘State’
        Enabled
        Disabled
      Select an ‘Enforce’ value
        Yes
        No
    Select the ‘+’ to add a ‘Firewall Rule’
      Input a ‘Name’
      Input a ‘Description/Comments’ as necessary
      Select an ‘Action’
        Allow
        Block
      Select a ‘Source’
        Default – Policy’s Security Groups
        Select ‘Change’ to modify
          o Policy’s Security Group
            Dynamically includes all Security Groups where this policy is applied
          o Any
          o Select Security Groups
            Select a ‘Security Group(s)’ from the list
      Select a ‘Destination’
        Default – Any
        Select ‘Change’ to modify
          o Policy’s Security Group
            Dynamically includes all Security Groups where this policy is applied
          o Any
          o Select Security Groups
            Select a ‘Security Group(s)’ from the list
      Select a ‘Service’
        Default – Any
        Select ‘Change’ to modify
          o Any
          o Select services and service groups
            Select a service or service group(s) from the list
      Select a ‘State’
        Enabled - default
        Disabled
      Select a ‘Log’ setting
        Log
        Do not log – default
    Select the ‘+’ to add a ‘Network Introspection Service’ – 3rd party
      Input a ‘Name’
      Input a ‘Description’ as necessary
      Select an ‘Action’
        Redirect to service
        Do not redirect
      Select a ‘Service Name’
      Select a ‘Profile’
      Select a ‘Source’
        Default – Policy’s Security Groups
        Select ‘Change’ to modify
          o Policy’s Security Group
            Dynamically includes all Security Groups where this policy is applied
          o Any
          o Select Security Groups
            Select a ‘Security Group(s)’ from the list
      Select a ‘Destination’
        Default – Any
        Select ‘Change’ to modify
          o Policy’s Security Group
            Dynamically includes all Security Groups where this policy is applied
          o Any
          o Select Security Groups
            Select a ‘Security Group(s)’ from the list
      Select a ‘Protocol’
        Any – default
        Specified
          o TCP
            Input a ‘Destination Port’
          o UDP
            Input a ‘Destination Port’
      Select the ‘>’ under ‘Advanced Options’
        Input a ‘Source Port’
      Select a ‘State’
        Enabled
        Disabled
      Select a ‘Log’ setting
        Log
        Do not log
    Confirm
  o Edit
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Policy’
    Select the ‘Name’ of the Security Policy you want to edit
    Select the ‘pencil’
    Make edits
    Complete
  o Delete
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Policy’
    Select the ‘Name’ of the Security Policy you want to delete
    Select ‘Actions’
    Select ‘X Delete’
    Confirm
Map a Security Policy to a Security Group
  o Map
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Policy’
    Select the ‘Name’ of the Security Policy you want to map
    Select the ‘Apply Security Policy’ icon
    Select a ‘Security Group(s)’
Add/Edit/Delete a Security Tag
  o Add
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Security Tags’
    Select the ‘+’ for a ‘New Security Tag’
    Input a ‘Name’
    Input a ‘Description’
  o Edit
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Security Tags’
    Select the ‘Name’ of the security tag you want to edit
    Select the ‘pencil’
    Make edits
  o Delete
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Security Tags’
    Select the ‘Name’ of the security tag you want to delete
    Select the ‘X’
    Confirm
Assign and view a Security Tag
  o Assign
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Security Tags’
    Select the ‘Name’ of the security tag you want to assign
    Select the ‘Assign Security Tag’ icon
    Select the virtual machine(s) you want to assign the tag to
  o View
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Security Tags’
    Select the ‘Name’ of the security tag you want to view
    Select the number in the ‘VM Count’ column
      This shows all VMs assigned that specific tag
Section 8 – Perform Operations Tasks in a VMware NSX Environment
Objective 8.1 – Configure Roles, Permissions, and Scopes
Identify default roles
  o Enterprise Administrator
    NSX operations and security
  o NSX Administrator
    NSX operations only, such as installing virtual appliances and configuring port groups
  o Security Administrator
    NSX security only, such as defining data security policies, creating port groups and creating reports for NSX modules
  o Auditor
    Read only
Explain Single Sign-On (SSO) integration
  o Improves user authentication security for vCenter users
  o Allows NSX to authenticate users from other identity sources such as AD, NIS and LDAP
  o Supports authentication using authenticated SAML tokens from a trusted source via REST API calls
  o Can also acquire authentication SAML tokens from other VMware solutions
Assign a role to a vCenter Server user
  o Assign
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Users’
    Select the ‘+’
    Select an ‘Identify User’ option
      Specify a vCenter user
      Specify a vCenter group
    Select a role under ‘Select Roles’
      Auditor
      Security Administrator
      NSX Administrator
      Enterprise Administrator
    Select a ‘Limit Scope’ option
      No restriction, user may access NSX global configuration
      Limit access to the port group, datacenter, or NSX Edge listed below
    Finish
Assign objects to a user
  o The assumption here is that they are talking about adding permissions to specific objects in vCenter after adding NSX permissions.
  o Assign
    Open the vSphere Web Client
    Select ‘vCenter’
    Select ‘Datacenters’ under ‘Inventory Lists’
    Select a ‘Datacenter’ from the list
    Right-click and select ‘All vCenter Actions’ and then ‘Add Permission…’
    Select ‘Add’
      Select a ‘Domain’
      Select a User or Group from the listings
      Select ‘Add’
      Confirm
    Select an ‘Assigned Role’ from the list
    Select ‘Propagate to children’
    Confirm
Configure SSO
  o Prerequisites
    SSO service must be installed on the vCenter Server
    NTP must be used and time synced between SSO and the NSX Manager
  o Configure
    Log into the NSX Manager appliance
    Select ‘Manage Appliance Settings’
    Select ‘NSX Management Service’
    Select ‘Edit’ under ‘Lookup Service’
    Input a ‘Lookup Service IP’ or DNS name
    Input a ‘Lookup Service Port’
      7444 – Default
    Input an ‘Administrator User name’
    Input a ‘Password’ for the ‘Administrator User Name’
    Confirm ‘Status’ is ‘Connected’
Enable/Disable a user account
  o Enable
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Users’
    Select the ‘User’ you want to enable
    Select the ‘checkmark’
  o Disable
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Users’
    Select the ‘User’ you want to disable
    Select the ‘crossout’
Edit/Delete a user account
  o Edit
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Users’
    Select the ‘User’ you want to edit
    Select the ‘pencil’
    Make edits
  o Delete
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Managers’
    Select the appropriate NSX Manager from the list
    Select ‘Manage’
    Select ‘Users’
    Select the ‘User’ you want to delete
    Select the ‘X’
    Confirm
Objective 8.2 – Describe NSX Automation
Identify API-only functionality
  o APIs can only perform the following functions
    GET – performs a read operation to return properties of the object
    PUT – performs a write or modify operation on the object
    POST – performs a create operation of an object
    DELETE – performs a deletion operation on the object
Explain how REST APIs work
  o Uses HTTP requests to create, modify, or delete objects through the API
  o Typically communicated in XML format
Describe how to use the NSX API in a supported browser
  o Firefox
    Install the RESTClient add-on
    Within the Firefox browser, select ‘Tools’
    Select ‘REST Client’
    Select ‘Login’
    Enter NSX credentials
    Select a ‘Method’
      GET
      POST
      PUT
      DELETE
    Input a ‘URL’ of the REST API
    Accept any SSL (or lack thereof) messages
    Select ‘Send’
    Response will appear in the bottom window
  o Chrome
    Install the Simple REST client add-on
    Within the Chrome browser, select the REST client
    Accept any SSL (or lack thereof) messages
    Input a ‘URL’ of the REST API
    Select a ‘Method’
      GET
      POST
      PUT
      DELETE
    Input an authorization line
    Select ‘Send’
    Response will appear in the window
Identify port requirements for the NSX API
  o The NSX API only requires access to TCP 443 for REST API requests
Describe common use cases for VMware NSX API
  o There’s no specific definition of ‘common use cases’, however they can be easily extrapolated from the API guide
  o Common use cases
    Create/modify/delete NSX objects and services via automated methods
    Create repeatable tasks for automation of the NSX environment
Explain how to access the VMware NSX API
  o The REST API for NSX has several programming options
    Access method
      Firefox
        o Requires the RESTClient add-on installed
      Chrome
        o Requires the ‘Simple REST client’ add-on installed
      cURL
        o Requires ‘curl’ be installed (shocker)
    NSX credentials
    Method
      GET
      POST
      PUT
      DELETE
Modify an existing API workflow
  o Not really sure how to do this without an existing workflow
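The same four verbs, the TCP 443 requirement and the XML responses described above can be exercised from a script instead of a browser add-on. The following is an added example and not code from the study guide or from VMware: it builds an authenticated HTTPS request with only the Python standard library, verifies the manager's certificate instead of clicking through SSL warnings, and parses a reply. The hostname `nsxmgr.example.test`, the credentials, the CA bundle path and the `/api/4.0/edges` path are assumptions used for illustration, and the XML reply is a constructed, simplified sample, so the parsing runs offline.

```python
"""Stand-library NSX Manager REST helper. Added example; hostnames, paths,
credentials and the sample reply below are assumptions/constructed values."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# The only verbs the NSX REST API supports (see the list above).
NSX_METHODS = {"GET", "PUT", "POST", "DELETE"}


def basic_auth_header(user, password):
    """HTTP Basic credentials; only ever sent inside a verified TLS session."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def build_request(manager, path, method="GET", user="admin",
                  password="PLACEHOLDER", body=None):
    """Assemble the request the browser add-ons assemble for you.
    `manager` and `path` are assumptions supplied by the caller."""
    if method not in NSX_METHODS:
        raise ValueError(f"unsupported method {method}")
    headers = basic_auth_header(user, password)
    headers["Accept"] = "application/xml"      # NSX answers in XML
    data = None
    if body is not None:
        headers["Content-Type"] = "application/xml"
        data = body.encode()
    # The API is reached over HTTPS on TCP 443 of the manager, nothing else.
    url = f"https://{manager}:443{path}"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def tls_context(ca_bundle=None):
    """Verify the manager certificate (hostname + chain) rather than accepting
    any SSL warning; point `ca_bundle` at the CA that signed the manager cert."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send(request, ctx, timeout=30):
    """Perform the call; returns (HTTP status, response body as text)."""
    with urllib.request.urlopen(request, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


# Constructed, simplified sample of an edge listing reply (not real NSX output).
SAMPLE_REPLY = """<pagedEdgeList><edgePage>
  <edgeSummary><objectId>edge-1</objectId><name>esg-dmz</name><state>deployed</state></edgeSummary>
  <edgeSummary><objectId>edge-2</objectId><name>dlr-core</name><state>deployed</state></edgeSummary>
</edgePage></pagedEdgeList>"""


def parse_edge_summaries(xml_text):
    """Return (objectId, name) pairs from an XML reply."""
    root = ET.fromstring(xml_text)
    return [(e.findtext("objectId"), e.findtext("name")) for e in root.iter("edgeSummary")]


if __name__ == "__main__":
    req = build_request("nsxmgr.example.test", "/api/4.0/edges")
    print(req.get_method(), req.full_url)
    # Live call (assumed CA bundle path):
    # status, body = send(req, tls_context("/etc/ssl/certs/nsx-ca.pem"))
    # print(parse_edge_summaries(body))
    print(parse_edge_summaries(SAMPLE_REPLY))
```

The same `build_request` serves POST and PUT by passing an XML `body`; whichever verb is used, keep the credentials out of the script and the certificate check on, since the Basic header carries the administrator password on every call.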
Objective 8.3 – Monitor a VMware NSX Implementation
Identify available monitoring methods (UI, CLI, API, etc.)
  o NSX vSphere UI
    Activity Monitoring
      VM Activity
      Inbound Activity
      Outbound Activity
      Inter Container Interaction
      Outbound AD Group Activity
    Flow Monitoring
      Dashboard
        o Top Flows
        o Top Destinations
        o Top Sources
      Details by Service
        o Allowed Flows
        o Blocked Flows
      Live Flow
        o By vNIC
  o NSX CLI
  o NSX API
  o vCOPS plugin for NSX
    Metrics for
      Control Plane
      Transport Layer
      Alerts
      Network traffic
        o VM
    Alerting
  o vSphere Web Client
Monitor infrastructure components
  o All of these types of components can be managed via the vSphere Web Client and through vCenter performance and health checks
    Control Cluster Health
      Open the vSphere Web Client
      Select ‘vCenter’
      Select ‘Clusters’
      Select the Control Cluster
      Select ‘Monitor’
      View health and performance metrics from these tabs
        o Issues
        o Performance
        o Tasks
        o Events
        o Utilization
    Manager Health – you can see the VM appliance health of the NSX Manager from the vSphere client by simply looking at the same stats you would for the cluster or hypervisor as documented above and below this section. However, you can also see many more items via the NSX Manager UI. It also shows service status
      Log into the NSX Manager
      Select ‘View Summary’
    Hypervisor Health
      Open the vSphere Web Client
      Select ‘vCenter’
      Select ‘Hosts’
      Select any ‘Host’
      Select ‘Monitor’
      View health and performance metrics from these tabs
        o Issues
        o Performance
        o Tasks
        o Events
        o Utilization
Perform Inbound/Outbound activity monitoring
  o Inbound
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Activity Monitoring’
    Select an ‘Outbound from’ group
      All observed AD groups – default – select to change
      Select a ‘Type’
        o AD Group
        o Security Group
        o Desktop Pool
    Select a ‘Where destination virtual machine’ operator
      Includes
      Excludes
    Select a ‘Where destination virtual machine’ value
      All observed destination virtual machines – default
        o Select to change
        o Select a virtual machine(s) from the list
    Select an ‘And where destination application’ operator
      Includes
      Excludes
    Select an ‘And where destination application’ value
      All observed destination applications – default
        o Select to change
        o Select an application(s) from the list
    Select a ‘During period’
    Select ‘Search’
  o Outbound
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Activity Monitoring’
    Select an ‘Outbound from’ group
      All observed AD groups – default – select to change
      Select a ‘Type’
        o AD Group
        o Security Group
        o Desktop Pool
    Select a ‘Where application’ operator
      Includes
      Excludes
    Select a ‘Where application’ value
      All observed outbound applications – default
        o Select to change
        o Select an application(s) from the list
    Select an ‘And where destination’ operator
      Includes
      Excludes
    Select an ‘And where destination’ value
      All observed destinations – default
        o Select to change
        o Select a virtual machine(s) from the list
    Select a ‘During period’
    Select ‘Search’
Enable data collection for single/multiple virtual machines
  o Single virtual machine
    Open the vSphere Web Client
    Select ‘vCenter’
    Select ‘Virtual Machines’
    Select the virtual machine to do data collection on
    Select ‘Manage’
    Select ‘Settings’
    Select ‘NSX Activity Monitoring’
    Select ‘Edit’
    Confirm
  o Multiple virtual machines – requires being added to the Activity Monitoring Data Collection security group. Any machine placed into that security group will have data collected
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Groups’
    Select the ‘Activity Monitoring Data Collection’ group
    Select the ‘pencil’
    Leave ‘Name’
    Input a ‘Description’ as necessary
    Select the ‘+’ to ‘Define Dynamic Membership’
      This adds dynamic criteria that objects must meet to be part of the security group
      You can have multiple criteria and multiple criteria within one criteria (Inception)
      You do not have to perform this step
    Select ‘Filter’
      Select the virtual machines to include in the security group
    Select ‘Filter’
      Select the virtual machines you want to exclude regardless of whether they meet the criteria or not
    Review
    Complete
Perform virtual machine activity monitoring
  o Virtual machine activity monitoring
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Activity Monitoring’
    Select ‘VM Activity’
    Select a ‘Where source’ operator
      Includes
      Excludes
    Select a ‘Where source’ value
      All observed virtual machines – default
        o Select to change
        o Select a virtual machine(s) from the list
    Select a ‘Where destination’ operator
      Includes
      Excludes
    Select a ‘Where destination’ value
      All observed virtual machines – default
        o Select to change
        o Select a virtual machine(s) from the list
    Select a ‘During period’
    Select ‘Search’
Monitor activity between inventory containers (security groups, AD groups)
  o Monitor
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Activity Monitoring’
    Select ‘Inter Container Interaction’
    Select an ‘Outbound from’ value
      All observed AD groups – default
        o Select to change
        o Select a virtual machine(s) from the list
    Select a ‘Where the destination’ operator
      Is
      Is not
    Select a ‘Where the destination’ value
      All observed desktop pools – default
        o Select to change
        o Select a ‘Type’
          Desktop Pool
          Security group
        o Select item(s) from the list
    Select a ‘During period’
    Select ‘Search’
Analyze network and security metrics in vCOPS
  o Network
    Log into vCOps
    Select the ‘NSX Topology’ dashboard
    Select a ‘Resource’ from the widget
    View the ‘Metrics’ widget to get metrics
  o Security
    Not really sure where in vCOps this piece would fall under
Monitor logical networks and services
  o Identify available statistics/counters
    Flow monitoring
    CLI
      NSX Edge
      NSX Controllers
      ESXi
  o Network/service health
    Network health check for vSphere Distributed Switch
    NSX Manager UI
    CLI
      NSX Edge
      NSX Controllers
      ESXi
  o Configure and collect data from the network
    Pktcap-uw
    RSPAN/ERSPAN
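The Flow Monitoring dashboard views listed under Objective 8.3 (Top Flows, Top Destinations, Top Sources, Details by Service with allowed and blocked flows) are aggregations over observed flow records, and the same records carry the rule ID that the UI lets you click through to the firewall rule. The following is an added example, not code from the study guide or from NSX: it computes those summaries over a small set of constructed flow records and then uses the rule IDs to find rules that no flow ever hit, which is the question an auditor asks of a rule table. The record layout is an assumption made for the example.

```python
"""Flow Monitoring style summaries over constructed flow records.

Added example. SAMPLE_FLOWS is hand-made; the tuple layout
(src, dst, proto, port, action, rule_id, bytes) is an assumption for
illustration and is not the NSX flow record format."""
from collections import Counter, defaultdict

SAMPLE_FLOWS = [
    ("10.1.1.10", "10.2.2.20", "tcp", 443,  "allow", 1001, 5000),
    ("10.1.1.11", "10.2.2.20", "tcp", 443,  "allow", 1001, 7000),
    ("10.1.1.10", "10.2.2.21", "tcp", 3389, "block", 1002, 200),
    ("10.1.1.12", "10.2.2.20", "tcp", 22,   "allow", 1003, 900),
    ("10.1.1.10", "10.2.2.21", "tcp", 3389, "block", 1002, 200),
]


def _service(flow):
    """Service key in the form the Details by Service view groups on."""
    return f"{flow[2]}/{flow[3]}"


def top_sources(flows, n=3):
    """Top Sources: source addresses ranked by bytes transferred."""
    c = Counter()
    for f in flows:
        c[f[0]] += f[6]
    return c.most_common(n)


def top_destinations(flows, n=3):
    """Top Destinations: destination addresses ranked by bytes."""
    c = Counter()
    for f in flows:
        c[f[1]] += f[6]
    return c.most_common(n)


def top_flows(flows, n=3):
    """Top Flows: (src, dst, service) tuples ranked by bytes."""
    c = Counter()
    for f in flows:
        c[(f[0], f[1], _service(f))] += f[6]
    return c.most_common(n)


def details_by_service(flows):
    """Details by Service: flow counts per service, split into allowed and blocked."""
    out = {"allowed": Counter(), "blocked": Counter()}
    for f in flows:
        bucket = "allowed" if f[4] == "allow" else "blocked"
        out[bucket][_service(f)] += 1
    return {k: dict(v) for k, v in out.items()}


def flows_by_rule(flows):
    """The RuleID lookup used when auditing a rule: which flows did each rule decide?"""
    by_rule = defaultdict(list)
    for f in flows:
        by_rule[f[5]].append(f)
    return dict(by_rule)


def rules_never_hit(flows, rule_ids):
    """Rules present in the table but matched by no observed flow in the period;
    candidates for review before the table grows further."""
    hit = {f[5] for f in flows}
    return [r for r in rule_ids if r not in hit]


if __name__ == "__main__":
    print(top_sources(SAMPLE_FLOWS))
    print(details_by_service(SAMPLE_FLOWS))
    print(rules_never_hit(SAMPLE_FLOWS, [1001, 1002, 1003, 1004]))
```

A rule that is never hit is not automatically safe to delete (the period may simply not have contained the traffic), but it is the first list to take to the application owner when the table is reviewed.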
Objective 8.4 – Perform Auditing and Compliance
Identify applicable logs for auditing
  o Management Plane logs
    NSX Manager
  o Data Plane logs
    vCenter Server
  o NSX Ticket Log
  o NSX Edge logs
  o Distributed Firewall logs
Identify permissions for auditing
  o Auditor role
    The auditor role has permissions to view configured policies and violation reports
Identify common data security regulations supported by NSX Data Security
  o PCI – Payment Card Industry
  o PHI – Protected Health Information
  o PII – Personally Identifiable Information
Identify common file formats supported by NSX Data Security – I’m not going to list them all as there’s probably 100+ of them
  o Microsoft Office file types such as DOC, DOCX, XLS, XLSX, PPT, PPTX, PST, etc.
  o Compression tools such as ZIP, TAR, GZ, 7Z, etc.
  o Mail formats such as MSG, EML, PST, MBX, etc.
  o Text and Markup such as TXT, XML, HTM, HTML, etc.
Describe and differentiate information available in audit logs
  o NSX Manager
    Infrastructure changes
    User and object changes
  o NSX Edge
    Edge services
  o Distributed Firewall
    Rule violations
Use flow monitoring to audit firewall rules
  o Add Firewall rule to Flow Monitoring
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Flow Monitoring’
    Select ‘Details By Service’
    Select ‘Allowed Flows’
    Select a flow from the list. This adds more data at the bottom
    Select a ‘RuleID’ to show the firewall rule that’s being used and bring up information about that rule
Audit deleted users
  o Open the vSphere Web Client
  o Select ‘NSX Home’
  o Select ‘Manage’
  o Select ‘Edit’
  o Input a ‘Ticket ID’
  o Audit log will show ‘Access Control’ under the ‘Module’ column and an ‘Operation’ of ‘Delete’ when a user is deleted. This will also show the ‘User’ that performed the deletion in the ‘User’ column
Audit infrastructure changes
  o Open the vSphere Web Client
  o Select ‘NSX Home’
  o Select ‘Manage’
  o Select ‘Edit’
  o Input a ‘Ticket ID’
  o Audit log will show the ‘Module’ which has the item, and the ‘Operation’ that took place by the ‘User’
View NSX Manager audit logs and change data
  o Requires NSX Ticket Logging to be enabled beforehand
  o Open the vSphere Web Client
  o Select ‘NSX Home’
  o Select ‘Manage’
  o View audit logs and change data
Configure NSX Data Security
  o Configure
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Data Security’
    Select ‘Manage’
    Select ‘Edit’ under ‘Regulations and standards to detect’
    Select the ‘All’ link under ‘Select Regulations’
    Select the ‘Regulations violated’ from the list you want to scan for
    If necessary, ‘Set Data Pattern’ for the regulation you’re scanning for
      Uses a Regular Expression to define the data to be scanned
    Select ‘Publish Changes’ to complete
Create a Data Security policy
  o Prerequisites
    Ensure that NSX Data Security is configured
  o Create
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Security Policies’
    Select the ‘+’
    Input a ‘Name’ as necessary
    Input a ‘Description’ as necessary
    Select ‘Inherit security policy’ as necessary
      Select a ‘Parent policy’ to inherit the settings into this policy
    Select the ‘>’ under ‘Advanced options’
    Input a ‘Weight’
      Higher weights have higher precedence
      Value given is + 1000
        o Adjust accordingly
    Select the ‘+’ to add ‘Endpoint Services’ as necessary
      Input a ‘Name’
      Input a ‘Description’ as necessary
      Select a ‘Action’
        Apply
        Block
      Select a ‘Service Type’
        Data Security
      Select a ‘Service Name’
        VMware Data Security
      Select a ‘State’
        Enabled
        Disabled
      Select a ‘Enforce’
        Yes
        No
    Select the ‘+’ to add a ‘Firewall Rule’
      Input a ‘Name’
      Input a ‘Description/Comments’ as necessary
      Select a ‘Action’
        Allow
        Block
      Select a ‘Source’
        Default – Policy’s Security Groups
        Select ‘Change’ to modify
          o Policy’s Security Group
            Dynamically includes all Security Groups where this policy is applied
          o Any
          o Select Security Groups
            Select a ‘Security Group(s)’ from the list
      Select a ‘Destination’
        Default – Any
        Select ‘Change’ to modify
          o Policy’s Security Group
            Dynamically includes all Security Groups where this policy is applied
          o Any
          o Select Security Groups
            Select a ‘Security Group(s)’ from the list
      Select a ‘Service’
        Default – Any
        Select ‘Change’ to modify
          o Any
          o Select services and service groups
            Select a service or service group(s) from the list
      Select a ‘State’
        Enabled - default
        Disabled
      Select a ‘Log’
        Log
        Do not log – default
    Select the ‘+’ to add a ‘Network Introspection Service’ – 3rd party
      Input a ‘Name’
      Input a ‘Description’ as necessary
      Select a ‘Action’
        Redirect to service
        Do not redirect
      Select a ‘Service Name’
      Select a ‘Profile’
      Select a ‘Source’
        Default – Policy’s Security Groups
        Select ‘Change’ to modify
          o Policy’s Security Group
            Dynamically includes all Security Groups where this policy is applied
          o Any
          o Select Security Groups
            Select a ‘Security Group(s)’ from the list
      Select a ‘Destination’
        Default – Any
        Select ‘Change’ to modify
          o Policy’s Security Group
            Dynamically includes all Security Groups where this policy is applied
          o Any
          o Select Security Groups
            Select a ‘Security Group(s)’ from the list
      Select a ‘Protocol’
        Any – default
        Specified
          o TCP
            Input a ‘Destination Port’
          o UDP
            Input a ‘Destination Port’
      Select the ‘>’ under ‘Advanced Options’
        Input a ‘Source Port’
      Select a ‘State’
        Enabled
        Disabled
      Select a ‘Log’
        Log
        Do not log
    Confirm
Run a Data Security scan
  o Run
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Data Security’
    Select ‘Manage’
    Select ‘Start’
View and download compliance reports
  o View
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Data Security’
    Select ‘Monitor’
    Select ‘Reports’
    Select ‘View Report’
      Violation counts
      Violating files
  o Download
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Data Security’
    Select ‘Monitor’
    Select ‘Dashboard’
    Select ‘Download Complete Report’ for the scan listed under ‘Scan History’ you want to download
      Select ‘Initiate Download’ for ‘List of violations’ as necessary
      Select ‘Initiate Download’ for ‘List of scanned VMs’ as necessary
      Select ‘Initiate Download’ for ‘Scan policy’ as necessary
Create a regular expression
  o Regular expressions can be as simple as cat – returns anything containing ‘cat’, no matter where ‘cat’ appears in the scanned text
  o Regular expressions can be more complicated, such as \bcat\b – returns only matches that are the whole word ‘cat’ and disregards things like ‘cats’ or ‘catapult’
  o Regular expressions can be as complex as \b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b - returns any valid email address as a match
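The audit objectives above describe two views of the NSX Manager audit log: user deletions (Module ‘Access Control’, Operation ‘Delete’, with the acting ‘User’) and infrastructure changes (Module, Operation, User). The script below pulls both views out of an audit export. It is an added example, not code from the guide or from NSX, and it assumes a CSV layout with Timestamp, User, Module, Operation and Object columns; that layout and every record in it are constructed for the demonstration.

```python
"""Pull the two audit views this objective describes (user deletions and
infrastructure changes) out of an NSX Manager style audit export. Added example:
the CSV layout with Timestamp, User, Module, Operation and Object columns is an
assumption made for the demonstration, not the NSX Manager export format."""
import csv
import io
from collections import Counter

# Constructed sample records; not real NSX Manager output.
SAMPLE_AUDIT_CSV = """\
Timestamp,User,Module,Operation,Object
2014-10-01T09:00:00Z,admin,Access Control,Create,user:alice
2014-10-01T09:05:00Z,admin,Logical Switch,Create,ls-web-tier
2014-10-01T10:15:00Z,bob,Access Control,Delete,user:alice
2014-10-01T10:20:00Z,bob,Distributed Firewall,Update,section:default
2014-10-01T11:00:00Z,admin,NSX Edge,Delete,edge-2
"""

def parse_audit_csv(text):
    """One dict per audit record, keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def deleted_users(records):
    """User deletions: Module 'Access Control' with Operation 'Delete'. Returns (who, what, when)."""
    return [(r["User"], r["Object"], r["Timestamp"]) for r in records
            if r["Module"] == "Access Control" and r["Operation"] == "Delete"]

def infrastructure_changes(records, module=None):
    """Changes outside Access Control, optionally narrowed to one module: (module, operation, user, object)."""
    return [(r["Module"], r["Operation"], r["User"], r["Object"]) for r in records
            if r["Module"] != "Access Control" and (module is None or r["Module"] == module)]

def operations_by_user(records):
    """How many audited operations each user performed; a quick sanity check during a review."""
    return Counter(r["User"] for r in records)
```

Because NSX Ticket Logging stamps a ticket ID on each change, the same filters can be keyed on that column when the export carries it, which is the quickest way to reconcile the audit log against a change request.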
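The three regular expressions above are the data-pattern styles a Data Security scan uses. The added example below (not from the guide or from NSX) runs them over a constructed document so the difference between cat and \bcat\b is visible, and goes one step further than the page: it adds a constructed card-number pattern of the kind a PCI data pattern might use and pairs it with a Luhn check, because a digits-only regex also flags invoice numbers and other 16-digit IDs. The card pattern, the Luhn helper and the sample text are all assumptions made here.

```python
"""Apply the three regular-expression styles from this objective (plain token, whole
word, e-mail) to constructed text, and show why a data pattern for card numbers should
pair the regex with a Luhn check. Added example; not part of the guide or of NSX."""
import re

# The three patterns quoted in the guide, plus a constructed card-number pattern (four
# groups of four digits with optional space or dash separators) for a PCI data pattern.
PATTERNS = {
    "cat": r"cat",
    "cat (whole word)": r"\bcat\b",
    "email": r"\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b",
    "card": r"\b(?:\d{4}[ -]?){3}\d{4}\b",
}

# Constructed sample document; no real addresses or card numbers.
SAMPLE_TEXT = """The cat chased cats past the catapult.
Contact alice@example.com or bob.smith@mail.example.org; not-an-email@localhost is skipped.
Card on file: 4111 1111 1111 1111 (test number); invoice 1234 5678 9012 3456 is just an ID."""

def find_matches(pattern_name, text=SAMPLE_TEXT):
    """All non-overlapping matches of a named pattern in the text."""
    return re.findall(PATTERNS[pattern_name], text)

def luhn_valid(candidate):
    """Luhn checksum over the digits of candidate: True for strings that could be a card number."""
    digits = [int(d) for d in candidate if d.isdigit()]
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:           # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0

def card_numbers(text=SAMPLE_TEXT):
    """Regex candidates that also pass Luhn; the regex alone would flag the invoice ID too."""
    return [m for m in find_matches("card", text) if luhn_valid(m)]
```

The word-boundary pattern is the one to reach for in a regulation's data pattern: the plain token matches three times in the first sentence, the anchored form once, and the card filter drops the invoice line that the regex by itself reports as a violation.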
Objective 8.5 – Administer Logging
Identify content contained in technical support bundles
  o NSX Manager
    Core dump information
    Version
    Network statistics
    Processes
    File system
    Event log
    Flow records
    Audit logs
  o NSX Edge
    Core dump information
    Version
    Network statistics
    Processes
    File system
    Event log
    Flow records
    Audit logs
Identify where to locate component/service specific log information
  o NSX Manager
    If syslog is configured, all NSX Manager log information is sent to the syslog server
    If syslog is not configured, you can find the Audit logs and System Events in the Monitor tab of the NSX Manager
  o NSX Edge
    If syslog is configured, all NSX Edge log information is sent to the syslog server
    If syslog is not configured, you can find the System Events in the Monitor tab of the NSX Edge device
Explain usage of CLI for logging
  o NSX Manager virtual appliance
    ‘show log follow’
    Events shown
      o Power On
      o Power Off
      o Interface Down
      o Interface Up
Configure Syslog(s)
  o Configure NSX Manager
    Log into NSX Manager
    Select ‘Manage Appliance Settings’
    Select ‘General’
    Select ‘Edit’ under ‘Syslog Server’
    Input a ‘Syslog Server’
    Input a ‘Port’
    Select a ‘Protocol’
      TCP
      UDP
  o Configure NSX Edge
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘Settings’
    Select ‘Configuration’
    Select ‘Change’ under ‘Syslog servers’
    Input a ‘Syslog Server 1’
    Input a ‘Syslog Server 2’ as necessary
    Select a ‘Protocol’
      TCP
      UDP
Configure logging for Dynamic Routing information
  o Configure
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘Global Configuration’
    Select ‘Edit’ under ‘Dynamic Routing Configuration’
    Select ‘Enable Logging’
    Select ‘Log Level’
    Select ‘Publish Changes’
Log Distributed Firewall rule processing information
  o Configure
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Firewall’
    Select a rule from the list and select the ‘+’ in the ‘Action’ column
    Select ‘Log’
      Log
      Do not log
    Select ‘Publish Changes’
Log Edge Firewall rule processing information
  o Configure
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘Firewall’
    Select a rule from the list and select the ‘+’ in the ‘Action’ column
    Select ‘Log’
      Log
      Do not log
    Select ‘Publish Changes’
Log address translation information
  o Configure
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘NAT’
    Select a rule from the list and select the ‘pencil’
    Select ‘Enable Logging’
    Select ‘Publish Changes’
Log VPN traffic
  o Configure IPSec VPN logging
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘VPN’
    Select the ‘>’ under ‘Logging Policy’
    Select ‘Enable Logging’
    Select a ‘Log Level’
    Select ‘Publish Changes’
  o Configure SSL VPN-Plus logging
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘SSL VPN-Plus’
    Select ‘General Settings’
    Select ‘Change’
    Select ‘Enable Logging’
    Select ‘Publish Changes’
Configure basic/advanced Load Balancer logging
  o Configure basic
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘Load Balancer’
    Select ‘Global Configurations’
    Select ‘Edit’
    Select ‘Logging’
    Select a ‘Log Level’
    Select ‘Publish Changes’
  o Configure advanced
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘Load Balancer’
    Select ‘Application Rules’
    Add the following application rules as necessary
      # log the name of the virtual server
        o capture request header Host len 32
      # log the amount of data uploaded during a POST
        o capture request header Content-Length len 10
      # log the beginning of the referrer
        o capture request header Referer len 20
      # server name (useful for outgoing proxies only)
        o capture response header Server len 20
      # logging the content-length is useful with "option logasap"
        o capture response header Content-Length len 10
      # log the expected cache behaviour on the response
        o capture response header Cache-Control len 8
      # the Via header will report the next proxy's name
        o capture response header Via len 20
      # log the URL location during a redirection
        o capture response header Location len 20
    Select ‘Publish Changes’
Log DHCP assignments
  o Configure
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘DHCP’
    Select ‘Pools’
    Select ‘Enable Logging’
    Select a ‘Log level’
    Select ‘Publish Changes’
Log DNS resolutions
  o Configure
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Manage’
    Select ‘Settings’
    Select ‘Configuration’
    Select ‘Change’ under ‘DNS Configuration’
    Select ‘Enable Logging’
    Select ‘Log level’
    Select ‘Publish Changes’
Log security policy session information
  o Configure
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Policies’
    Select a security policy from the list and select the ‘pencil’
    Select ‘Firewall Rules’ as necessary
      Select a rule
      Select the ‘pencil’
      Select ‘Log’
        Log
        Do not log
    Select ‘Network Introspection Services’
      Select an item
      Select the ‘pencil’
      Select ‘Log’
        Log
        Do not log
    Confirm
Download NSX Edge tech support logs
  o Download
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Actions’
    Select ‘Download Tech Support Logs’
    Select the link that is generated
Generate NSX Manager tech support logs
  o Generate
    Log into the NSX Manager
    Select ‘Download Tech Support Log’
    Select ‘Download’
Objective 8.6 – Backup and Recover Configurations
Identify remote backup destinations
  o NSX Manager backup
    SFTP
    FTP
Explain how to backup and recover various components
  o NSX Manager
    Backup
      Log into the NSX Manager
      Select ‘Backup & Restore’
      Select ‘Change’ under ‘FTP Server Settings’
      Input a ‘IP/Host name’
      Select a ‘Transport Protocol’
        o FTP
        o SFTP
      Input a ‘Username’
      Input a ‘Password’
      Input a ‘Backup Directory’
      Input a ‘Filename Prefix’
      Input a ‘Pass Phrase’
      Select ‘Change’ under ‘Scheduling’
      Select a ‘Backup Frequency’
        o Weekly
        o Daily
        o Hourly
      Select a ‘Day of week’
      Select a ‘Hour of day’
      Select a ‘Minute’
      Select ‘Change’ under ‘Exclude’
      Select ‘Audit Logs’ as necessary
      Select ‘System Events’ as necessary
      Select ‘Flow Records’ as necessary
    Recover
      Log into the NSX Manager
      Select ‘Backup & Restore’
      Select ‘Restore’ under ‘Backup History’
      Confirm
  o NSX Edge
    NSX Edge can be re-deployed as necessary if it fails to work and will not respond to a force sync
    Backup
      None available
    Restore
      Done using re-deploy
      Open the vSphere Web Client
      Select ‘Networking & Security’
      Select ‘NSX Edges’
      Select the ‘NSX Edge’ Services Gateway in the list
      Select ‘Actions’
      Select ‘Redeploy’
      Confirm
Schedule backups
  o I’m only aware of being able to schedule the backups of NSX Manager at this time
  o NSX Manager schedule
    Log into the NSX Manager
    Select ‘Backup & Restore’
    Select ‘Change’ under ‘FTP Server Settings’
    Input a ‘IP/Host name’
    Select a ‘Transport Protocol’
      FTP
      SFTP
    Input a ‘Username’
    Input a ‘Password’
    Input a ‘Backup Directory’
    Input a ‘Filename Prefix’
    Input a ‘Pass Phrase’
    Select ‘Change’ under ‘Scheduling’
    Select a ‘Backup Frequency’
      Weekly
      Daily
      Hourly
    Select a ‘Day of week’
    Select a ‘Hour of day’
    Select a ‘Minute’
    Select ‘Change’ under ‘Exclude’
    Select ‘Audit Logs’ as necessary
    Select ‘System Events’ as necessary
    Select ‘Flow Records’ as necessary
Export/Restore vSphere Distributed Switch configuration
  o Export
    Open the vSphere Web Client
    Select ‘Networking’
    Select the VDS you want to export the configuration on
    Right-click the VDS and select ‘All vCenter Actions’
    Select ‘Export Configuration’
    Select ‘Configurations to export’
      Distributed switch and all port groups
      Distributed switch only
    Input a ‘Description’ as necessary
    Confirm saving of file
    Select a location to save
  o Restore
    Open the vSphere Web Client
    Select ‘Networking’
    Select the VDS you want to restore the configuration on
    Right-click the VDS and select ‘All vCenter Actions’
    Select ‘Restore Configuration’
    Select the file from a location
    Select ‘Restore distributed switch and all port groups’ as necessary, or select ‘Restore distributed switch only’
    Verify
Import/Export Service Composer profiles
  o Import
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Policies’
    Select ‘Import Configuration’ icon
    Browse to ‘.blueprint’ file
    Input a ‘Suffix’ as necessary
    Verify
  o Export
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Service Composer’
    Select ‘Security Policies’
    Select ‘Actions’
    Select ‘Export Configuration’
    Input a ‘Name’
    Input a ‘Description’ as necessary
    Input a ‘Prefix’
    Select the ‘Security Policies’ to export
    Confirm
    Select location of ‘.blueprint’ file
Perform NSX Manager backup and restore operations
  o Backup
    Log into the NSX Manager
    Select ‘Backup & Restore’
    Select ‘Change’ under ‘FTP Server Settings’
    Input a ‘IP/Host name’
    Select a ‘Transport Protocol’
      FTP
      SFTP
    Input a ‘Username’
    Input a ‘Password’
    Input a ‘Backup Directory’
    Input a ‘Filename Prefix’
    Input a ‘Pass Phrase’
    Select ‘Change’ under ‘Scheduling’
    Select a ‘Backup Frequency’
      Weekly
      Daily
      Hourly
    Select a ‘Day of week’
    Select a ‘Hour of day’
    Select a ‘Minute’
    Select ‘Change’ under ‘Exclude’
    Select ‘Audit Logs’ as necessary
    Select ‘System Events’ as necessary
    Select ‘Flow Records’ as necessary
  o Restore
    Log into the NSX Manager
    Select ‘Backup & Restore’
    Select ‘Restore’ under ‘Backup History’
    Confirm
Section 9 – Troubleshoot a VMware Network Virtualization Implementation
Objective 9.1 – Identify Tools Available for Troubleshooting
Identify filters available for packet capture
  o --srcmac
    Capture or trace packets that have a specific source MAC address. Use colons to separate the octets in it.
  o --dstmac
    Capture or trace packets that have a specific destination MAC address. Use colons to separate the octets in it.
  o --mac
    Capture or trace packets that have a specific source or destination MAC address. Use colons to separate the octets in it.
  o --ethtype <0xEthertype>
    Capture or trace packets at Layer 2 according to the next level protocol that consumes the packet payload
    Ethertype corresponds to the EtherType field in Ethernet frames. It represents the type of next level protocol that consumes the payload of the frame
    For example, to monitor traffic for the Link Layer Discovery Protocol (LLDP), type --ethtype 0x88CC
  o --vlan
    Capture or trace packets that belong to a VLAN
  o --srcip
    Capture or trace packets that have a specific source IPv4 address or subnet
  o --dstip
    Capture or trace packets that have a specific destination IPv4 address or subnet
  o --ip
    Capture or trace packets that have a specific source or destination IPv4 address or subnet
  o --proto <0xIP_protocol_number>
    Capture or trace packets at Layer 3 according to the next level protocol that consumes the payload
    For example, to monitor traffic for the UDP protocol, type --proto 0x11
  o --srcport
    Capture or trace packets according to their source TCP port
  o --dstport
    Capture or trace packets according to their destination TCP port
  o --tcpport
    Capture or trace packets according to their source or destination TCP port
  o --vxlan
    Capture or trace packets that belong to a VXLAN
Capture and trace uplink, vmknic, and physical NIC packets
  o Uplink
    These can be captured using the pktcap-uw utility within ESXi
      pktcap-uw --uplink vmnic0
  o Vmknic
    These can be captured using the pktcap-uw utility within ESXi
      pktcap-uw --vmk vmk0
  o Physical NIC
    I’m assuming that they’re referring to changing the direction in which packets are captured on the uplink.
Identify and track NSX infrastructure changes
  o Identify and track
    Open the vSphere Web Client
    Select ‘NSX Home’
    Select ‘Manage’
    Select ‘Edit’
    Input a ‘Ticket ID’
    Audit log will show the ‘Module’ which has the item, and the ‘Operation’ that took place by the ‘User’
Output packet data for use by a protocol analyzer
  o When running any of the pktcap commands, add the following to save the capture as a pcap file that can be opened with Wireshark
    -o ./save.pcap
Capture and analyze traffic flows
  o Capture
    Determine which filter you need to use to monitor the traffic you want to see
    Launch SSH client and log into ESXi host
    Run command
      pktcap-uw -o ./save.pcap
    Terminate capture when you feel you have monitored a sufficient amount of traffic
    Copy file to location where Wireshark is installed
    Load file and analyze
Mirror network traffic for analysis
  o There are several types of mirroring available in the VDS
    Distributed Port Mirroring
    Remote Mirroring Source
    Remote Mirroring Destination
    Encapsulated Remote Mirroring (L3) Source
    Distributed Port Mirroring (legacy)
    NetFlow
  o I’m going to walk through mirroring to an analysis VM on the same VDS
  o Mirror
    Open the vSphere Web Client
    Select ‘Networking’
    Select the VDS you want to mirror a port from
    Select ‘Manage’
    Select ‘Port mirroring’
    Select the ‘+’
    Select ‘Distributed Port Mirroring’
    Input a session ‘Name’
    Select ‘Status’
      Enabled
    Select ‘Normal I/O on destination ports’ as necessary
      Disallowed
      Allowed
    Select ‘Mirror packet length’ as necessary
      Input a packet length
    Select a ‘Sampling rate’
    Input a ‘Description’ as necessary
    Select the ‘+’ of ‘Select distributed ports to add to this port mirroring session’ or select the ‘+’ of ‘Add distribution ports as a source for this port mirroring session’
    Select a ‘Port ID’
    Select the ‘+’ of ‘Select distributed ports to add to this port mirroring session’ or select the ‘+’ of ‘Add distribution ports as a destination for this port mirroring session’
    Select the destination ‘Port ID’ of the analysis VM
    Complete
Perform a network health check
  o Perform
    Open the vSphere Web Client
    Select ‘Networking’
    Select the vSphere Distributed Switch you want to run the health check on
    Select ‘Manage’
    Select ‘Health Check’
    Select ‘Edit’
    Select ‘VLAN and MTU’
      Enabled
    Select ‘Teaming and failover’
      Enabled
    Select ‘Monitor’
    Verify ‘Overall health’ is ‘Normal’
Configure vSphere Distributed Switch alarms
  o Configure
    Open the vSphere Web Client
    Select ‘Networking’
    Select the vSphere Distributed Switch you want to enable alarms on
    Select ‘Manage’
    Select ‘Alarm Definitions’
    Select the ‘+’
    Input a ‘Alarm name’
    Input a ‘Description’ as necessary
    Select ‘Enable this alarm’
    Select the ‘+’ under ‘Trigger if ANY of the following events occur’
      Select a ‘Event’ from the list
      Select a ‘Status’
    Select the ‘+’ under ‘The following conditions must be satisfied for the trigger to fire’
      Select a ‘Argument’
      Select a ‘Operator’
      Select a ‘Value’
    Select the ‘+’ under ‘Specify the actions to take when the alarm state changes’
      Select a ‘Action’
      Select a ‘Repeat actions every x minutes’
    Repeat process for however many alarms you wish to set
Objective 9.2 – Troubleshoot Common NSX Installation/Configuration Issues
Identify ports required for NSX communication
  o TCP 443
    Downloading OVA on ESX host for deployment
    REST APIs
    NSX Manager interface
  o TCP 80
    Initiate vSphere SDK connection
    Messaging between NSX Manager and NSX host modules
  o TCP 1234
    Communication between ESX host and NSX Controller Clusters
  o 56711
    RabbitMQ
  o TCP 22
    CLI console access
    Closed by default
Troubleshoot lookup service configuration
  o Verify that NSX Manager and Lookup service appliances are in time sync. Use NTP if not already
  o Check DNS settings for name resolution
Troubleshoot vCenter Server link
  o Confirm administrative privileges
  o Check DNS
Troubleshoot licensing issues
  o Verify license is installed correctly, default trial is 60 days
  o Verify that trial license isn’t expired
  o Verify that the license has enough capacity
Troubleshoot permissions issues
  o Verify that the user or group is granted permission to the objects in vCenter as well as NSX Manager
  o Verify that the user or group has been assigned the correct role
Troubleshoot host preparation issues
  o Click Resolve to automatically resolve any host preparation issues encountered by NSX
  o Rebooting the host if unable to resolve may be necessary
  o Errors are verbose enough that they will point you in the direction on how to resolve
Troubleshoot IP pool issues
  o Verify that the IP range isn’t spanning a known occupied range
Objective 9.3 – Troubleshoot Common NSX Component Issues
Differentiate NSX Edge logging and troubleshooting commands
  o NSX Edge Log
    Launch SSH client and log into a NSX Edge
    Run command
      show log
  o NSX Edge troubleshooting commands
    Typically to troubleshoot you would use commands such as the following
      show ip route
      ping
      show arp
      show ip
Verify NSX Controller cluster status and roles
  o UI – you can only see the cluster status from the UI that I can find
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Installation’
    Select ‘Management’
    Under ‘NSX Controller nodes’ look in the ‘Status’ column for ‘Normal’
  o CLI
    Launch SSH client and log into a NSX Controller
    Run command for cluster status
      show control-cluster status
    Run command for cluster roles
      show control-cluster roles
Verify NSX Controller node connectivity
  o Check Controller status
    Launch SSH client and log into a NSX Controller
    Run command
      show control-cluster status
  o Check Controller connections
Check NSX Controller API service
  o Launch SSH client and log into a NSX Controller
  o Run command
    show control-cluster connections
  o Verify that ‘api_provider’ is ‘listening’
Validate VXLAN and Logical Router mapping tables
  o VXLAN mapping
    Launch SSH client and log into the ESXi host
    Run command
      esxcli network vswitch dvs vmware vxlan network list --vds-name
  o Logical router mapping
    Launch SSH client and log into a NSX Controller
    Run command
      You need to get the LR-id first, before you can see its routing table
      show control-cluster logical-routers instance all
      show control-cluster logical-routers routes
List Logical Router instances and statistics
  o Instances
    Launch SSH client and log into a NSX Controller
    Run command
      show control-cluster logical-routers instance all
  o Statistics
    Launch SSH client and log into a NSX Controller
    Run command
      show control-cluster logical-router stats
Verify Logical Router interface and route mapping tables
  o Logical Router Interfaces
    Launch SSH client and log into a NSX controller
    Run command
      show control-cluster logical-routers interface-summary
  o Route mapping tables
    Launch SSH client and log into a NSX controller
    Run command
      show control-cluster logical-routers routes
Verify active controller connections
  o Launch SSH client and log into a NSX Controller
  o Run command
    show control-cluster connections
View Bridge instances and learned MAC addresses
  o Bridge instances – ESXi host
    Launch SSH client and log into the ESXi host
    Run command
      net-vdr --bridge -l
  o Bridge instances – logical router
    Launch SSH client and log into a NSX controller
    Run command
      show control-cluster logical-routers instance all
        o Gets the LR-Id you need for the next command
      show control-cluster logical-routers bridges all
  o Learned MAC addresses
    Launch SSH client and log into the ESXi host
    Run command
      net-vdr -b --mac default+edge-1
Display Logical Router instances
  o Launch SSH client and log into a NSX Controller
  o Run command
    show control-cluster logical-routers instance all
Verify NSX Manager services status
  o Verify
    Log into the NSX Manager
    Select ‘View Summary’
View Logical Interfaces and routing tables
  o Logical Interfaces
    Launch SSH client and log into a NSX controller
    Run command
      show control-cluster logical-routers interface-summary
  o Routing tables
    Launch SSH client and log into a NSX controller
    Run command
      show control-cluster logical-routers routes
Analyze NSX Edge statistics
  o Analyze
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘NSX Edges’
    Select the ‘NSX Edge’ Services Gateway in the list
    Select ‘Monitor’
    Select ‘Statistics’
Objective 9.4 – Troubleshoot Common Connectivity Issues
Review netcap logs for control plane connectivity issues
  o I assume they’re referring to the netcpa logs on the ESXi hosts
  o Launch SSH client and log into the ESXi host
  o Run command
    cat /var/log/netcpa.log
Verify VXLAN, VTEP, MAC, and ARP mapping tables
  o VXLAN
  o VTEP
    Launch SSH client and log into a NSX Controller
    Run command
      show control-cluster logical-switches vtep-table
  o MAC
    Launch SSH client and log into a NSX Controller
    Run command
      show control-cluster logical-switches mac-table
  o ARP
    Launch SSH client and log into a NSX Controller
    Run command
      show control-cluster logical-switches arp-table
List VNI configuration
  o List
    You need to know the number of the VNI you want to see the configuration of
    Launch SSH client and log into a NSX Controller
    Run command
      show control-cluster logical-switches vni
View VXLAN connection tables and statistics
  o VXLAN connection tables
    Launch SSH client and log into a NSX Controller
    Run command
      show control-cluster logical-switches connection-table
Perform VTEP connectivity tests
  o UI
    Open the vSphere Web Client
    Select ‘Networking & Security’
    Select ‘Logical Switches’
    Select a ‘Logical Switch’ from the list and double-click
    Select ‘Monitor’
    Select ‘Ping’
    Select ‘Browse’ under ‘Source host’
      Select a host
    Select ‘Browse’ under ‘Destination host’
      Select a host
    Select a ‘Size of test packet’
      VXLAN Standard
      Minimum
    Select ‘Start Test’
    Verify results are successful
  o CLI
    Launch SSH client and log into the ESXi host
    Run command
      ping ++netstack=vxlan -d -s 1600 -I
        Tests for MTU misconfiguration and whether the packets are being fragmented
      ping ++netstack=vxlan -I
        Tests for MTU misconfiguration and, if successful, means the packets are being fragmented
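The controller tables in this objective (vtep-table, mac-table) and the pktcap-uw filters in Objective 9.1 both operate on the same thing: the VXLAN encapsulation around each frame. The script below builds a handful of VXLAN frames, decodes the outer VTEP addresses, the VNI and the inner addresses, and derives from them the per-VNI VTEP and MAC views a controller presents; it also states the MTU arithmetic behind the ping -d -s 1600 test. It is an added example written for this guide, not NSX code and not the author's; every MAC, IP and VNI is constructed, and the filter helper only imitates the spirit of the --vxlan/--srcmac/--dstip options rather than the utility itself.

```python
"""Decode VXLAN frames and derive the per-VNI VTEP and MAC tables that
'show control-cluster logical-switches vtep-table' and 'mac-table' present on a
controller. Added example: not NSX code and not from the study guide; every
address and frame below is constructed."""
import ipaddress
import struct

VXLAN_UDP_PORTS = {4789, 8472}     # IANA port and the older NSX for vSphere default
ETHERTYPE_IPV4, IPPROTO_ICMP, IPPROTO_UDP = 0x0800, 1, 17
# Bytes encapsulation adds to the inner IP MTU (inner Ethernet 14 + VXLAN 8 + UDP 8 +
# outer IPv4 20), so a 1500-byte inner MTU needs a 1550-byte underlay IP MTU.
VXLAN_OVERHEAD = 14 + 8 + 8 + 20
OUTER_SRC_MAC, OUTER_DST_MAC = "00:50:56:aa:00:01", "00:50:56:aa:00:02"  # constructed

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ethernet_header(src_mac, dst_mac, ethertype):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)

def ipv4_header(src, dst, proto, payload_len):
    # version/IHL, DSCP, total length, id, DF flag, TTL, protocol, checksum (zero: these
    # frames are never transmitted), source, destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def vxlan_frame(vtep_src, vtep_dst, vni, in_src_mac, in_dst_mac, in_src_ip, in_dst_ip,
                payload=b"", udp_port=8472):
    """One VXLAN-encapsulated ICMP frame sent from vtep_src to vtep_dst."""
    inner = (ethernet_header(in_src_mac, in_dst_mac, ETHERTYPE_IPV4)
             + ipv4_header(in_src_ip, in_dst_ip, IPPROTO_ICMP, len(payload)) + payload)
    vxlan = struct.pack("!B3sI", 0x08, b"\x00" * 3, vni << 8)   # I flag set, 24-bit VNI
    udp = struct.pack("!HHHH", 50000, udp_port, 8 + len(vxlan) + len(inner), 0)
    outer_ip = ipv4_header(vtep_src, vtep_dst, IPPROTO_UDP, len(udp) + len(vxlan) + len(inner))
    return ethernet_header(OUTER_SRC_MAC, OUTER_DST_MAC, ETHERTYPE_IPV4) + outer_ip + udp + vxlan + inner

def decode_vxlan(frame):
    """VTEPs, VNI and inner addresses of a VXLAN frame, or None if the frame is not VXLAN."""
    if len(frame) < 84 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    udp = 14 + (frame[14] & 0x0F) * 4              # outer IPv4 header length from IHL
    if frame[23] != IPPROTO_UDP or struct.unpack("!H", frame[udp + 2:udp + 4])[0] not in VXLAN_UDP_PORTS:
        return None
    vx = udp + 8
    if not frame[vx] & 0x08:                       # VNI is only valid when the I flag is set
        return None
    inner, inner_ip = vx + 8, vx + 22              # inner Ethernet header, then inner IPv4 (assumed)
    return {"vtep_src": str(ipaddress.IPv4Address(frame[26:30])),
            "vtep_dst": str(ipaddress.IPv4Address(frame[30:34])),
            "vni": struct.unpack("!I", frame[vx + 4:vx + 8])[0] >> 8,
            "inner_dst_mac": mac_str(frame[inner:inner + 6]),
            "inner_src_mac": mac_str(frame[inner + 6:inner + 12]),
            "inner_src_ip": str(ipaddress.IPv4Address(frame[inner_ip + 12:inner_ip + 16])),
            "inner_dst_ip": str(ipaddress.IPv4Address(frame[inner_ip + 16:inner_ip + 20]))}

def analyze(frames):
    """Decode every frame of a capture and drop the non-VXLAN ones."""
    return [entry for entry in map(decode_vxlan, frames) if entry]

def filter_entries(entries, **criteria):
    """Keep entries matching every criterion, in the spirit of pktcap-uw --vxlan/--srcmac/--dstip."""
    return [e for e in entries if all(e.get(k) == v for k, v in criteria.items())]

def vtep_table(entries):
    """VNI -> set of VTEP IPs seen on it."""
    table = {}
    for e in entries:
        table.setdefault(e["vni"], set()).update((e["vtep_src"], e["vtep_dst"]))
    return table

def mac_table(entries):
    """VNI -> {inner source MAC: VTEP that encapsulated it}."""
    table = {}
    for e in entries:
        table.setdefault(e["vni"], {})[e["inner_src_mac"]] = e["vtep_src"]
    return table

def required_underlay_mtu(inner_ip_mtu=1500):
    """Smallest underlay IP MTU that carries inner_ip_mtu without fragmentation."""
    return inner_ip_mtu + VXLAN_OVERHEAD

def sample_capture():
    """Constructed capture: two frames on VNI 5000, one on VNI 5001 and one plain ICMP frame."""
    a, b, c = "00:50:56:01:00:0a", "00:50:56:01:00:0b", "00:50:56:01:00:0c"
    return [
        vxlan_frame("192.168.1.10", "192.168.1.11", 5000, a, b, "10.0.0.10", "10.0.0.11", b"ping"),
        vxlan_frame("192.168.1.11", "192.168.1.10", 5000, b, a, "10.0.0.11", "10.0.0.10", b"pong"),
        vxlan_frame("192.168.1.10", "192.168.1.12", 5001, a, c, "10.0.1.10", "10.0.1.12"),
        ethernet_header(OUTER_SRC_MAC, OUTER_DST_MAC, ETHERTYPE_IPV4)
        + ipv4_header("192.168.1.10", "192.168.1.11", IPPROTO_ICMP, 8) + b"\x08" + b"\x00" * 7,
    ]
```

When a VM on a logical switch cannot reach its neighbour, comparing the MAC table built from a host capture against the controller's mac-table shows whether the host ever encapsulated the frame and, if so, toward which VTEP; the required_underlay_mtu figure of 1550 for a 1500-byte inner MTU is why the guide's ping test sends 1600-byte don't-fragment packets across the VXLAN netstack.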
Objective 9.5 – Troubleshoot Common vSphere Networking Issues
Verify network configuration
  o Verify that default gateways are correct
    vmkping
  o Verify that load balancing settings are correct
    Make sure vmnic isn’t in standby or in unused position
  o Ensure VLAN tag is correct if using tagging
Verify a given virtual machine is configured with the correct network resources
  o Verify that the vNIC is connected
  o Verify that the vNIC is connected to the correct port group
  o Ensure that VMware Tools are installed to get the proper driver for the network adapter
Troubleshoot virtual switch and port group configuration issues
  o Verify spelling of port group is similar across all hosts
  o Verify security settings are similar across all hosts
Troubleshoot physical network adapter configuration issues
  o Verify that MTU is set correctly
    vmkping -s
  o Verify that network connection is actually plugged in and working
    UI
      Host networking, check that vmnic has status of ‘Connected’
    CLI
      esxcli network nic list
  o Verify that network adapter and physical switch port speed and duplex match
  o Ensure that if VLAN tagging is used, that the physical switch port is set to Trunk
Identify the root cause of a network issue based on troubleshooting information
  o This is a tricky objective to talk about. Usually once you understand the root cause, resolving the issue is pretty straightforward.
  o If you notice a cable connection is showing ‘Not Connected’ or crossed out, you take a look at the cabling. If the cable is broken or bad you replace it.
  o If you notice that vMotion is not working and you check port group naming and see the names are slightly off, you change the name to match.
  o This is really just common sense stuff