NSX

VMwareNSX

Recently, VMware released its latest version of NSX, 6.3.3. With it came a number of bug fixes and some new features. One of the main new features to come along has to do with the NSX controllers. Starting with 6.3.3, the OS for the NSX controllers will be powered by Photon OS. Because a new OS is used, that means that your current NSX controllers will not be upgraded, but rather they will be deleted and recreated as part of the install process. There are also some other new features, that I will not dive too deep into, but just list:

Guest Introspection supports Windows Server 2016

New NSX API to retrieve a list of all unresolved alarms on NSX Manager

Crypto Module Changes Affecting FIPS Compliance

  • NSS and OpenSwan: The NSX Edge IPsec VPN uses the Mozilla NSS crypto module. Due to critical security issues, NSX 6.3.3 moved to a newer version of NSS that has not been FIPS certified. VMware affirms that the module works correctly, but it is no longer formally validated.
  • NSS and Password Entry: The NSX Edge password hashing use the Mozilla NSS crypto module. Due to critical security issues, NSX 6.3.3 moved to a newer version of NSS that has not been FIPS certified. VMware affirms that the module works correctly, but it is no longer formally validated.
  • Controller and Clustering VPN: The NSX Controller uses IPsec VPN to connect Controller clusters. The IPsec VPN uses the VMware Linux kernel crypto module (Photon 1 environment), which is in the process of being CMVP validated.

 

Upgrade Process

In this blog post, I will take your through the steps to upgrade your current NSX environment to 6.3.3

First check compatibility with your current NSX environment. That can easily be done here.

The NSX components have to be upgraded in a certain order:

  1. NSX Manager
  2. NSX Controller Cluster
  3. VIBs on the host clusters
  4. NSX edges
  5. Guest Introspection (If enabled)

To begin our upgrade process, navigate to your NSX Manager and log in as the admin.

nsx01

Read Full Article

591812795EM002_The_2015_Mis

About a year and a half ago, I really became interested in VMware NSX. What made NSX so interesting to me was that it touched two aspects of technology that I really have a passion for…virtualization and networking. I remember when I was first introduced to NSX. I thought to myself….”its a neat concept….but I can’t see having my network in software”. But the more I began to explore use cases for NSX, and realizing that 95% of the data center that I worked in was virtualized, it really made more sense. This lead me to dive even deeper into learning NSX. At the time, I didn’t have a homelab so I made good use of the VMware HOLs to play with NSX to further my learning. Using the VMware HOLs, I was able to get some good time at the “steering wheel” working with NSX and it helped me in my studies for my VCP6-NV. I was able to achieve that goal last year at VMworld US. Working more with NSX has made me want to share my thoughts, “how-tos”, and opinions about it and ultimately give back to the vCommunity. That “giving back” has in turn helped me to deepen my knowledge on NSX and other VMware products. That is why I am pleasantly surprised and honored to be awarded with vExpert NSX status for 2017.  Read Full Article

VMwareNSX

A NSX edge can be used to relay name resolution requests from clients to external DNS servers. As the NSX relay these requests, it caches the response from the DNS server. In this blog post, I will show you how to configure the DNS servers on the NSX edge.

First, navigate the Networking & Security.

dns01 Read Full Article

VMwareNSX

NSX Edge provides network address translation (NAT) service to assign a public address to a computer within a private network. The NSX edge supports using source NAT (SNAT) and destination NAT (DNAT). SNAT is used for translating a internal IP address to a public external address. Since external IP addresses have no knowledge of internal IP addresses, NAT is needed for communication. DNAT allows access from outside/external networks to internal private networks. NAT is important for providing access to services within your private network and for providing the ability to access services that are external to your network. For ex: In order for a machine on your private network to be able to access the internet, NAT is need. In this blog post, I’ll show you how to configure source NAT (SNAT) on a NSX edge device to do just that.

In our example, we will have a VM (VM01) with a IP address of 10.1.2.20 that is attached to a NSX logical switch (Tenant A). In order for this VM to access the internet, we will translate it’s IP to an IP that is internet accessible. Right now, as you can see, we cannot access the outside world. We test this by pinging Google’s public DNS (8.8.8.8).

nat

Let’s get started with changing this and making the VM accessible to the internet. Read Full Article

VMwareNSX

One of the services that the NSX Edge (ESG) provides is IP address pooling and one-to-one static IP address allocation and external DNS services. NSX Edge listens to the internal interface for DHCP requests and uses the internal interface IP as the default gateway for clients. In this post, I’ll show you how to configure DCHP on the NSX Edge to provide IP addresses to clients on a logical switch.

First, navigate to Networking & Security > NSX Edges and select you ESG. Then navigate to Manage > DHCP > Pools. Under Pools, click the green “+”.

dhcp01 Read Full Article

VMwareNSX

In this blog post we will be deploying the NSX manager appliance. This is the first step in beginning to deploy NSX in your VMware environment. First things first, after downloading the NSX OVA file, right click on the cluster you want to deploy the appliance in and click Deploy OVF Template. Browse to and select the NSX OVA file and click Next.

man01

Read Full Article

VMwareNSX

The NSX service composer is one of my favorite features of NSX. I’ve never really considered myself to be lazy when it comes to doing something the right way…but I’ve never been one to overwork myself to do that. Dad always said “Work smarter, not harder”. The service composer is a combination of both. It’s a way to create multiple rules in your virtual infrastructure for items that are alike or that need to have the same type of services allowed or denied. For you Cisco guys, this is a familiar concept. Think objects and object groups on a ASA. For example, say I have a group of 6 web servers that I want to block ICMP traffic. Well that would normally mean that I would have to create 6 individual rules, one for each web server, to block this. With the service composer, however, I can create one rule. With the use of security groups and security policies, service composer makes life easy…and that doesn’t mean that you’re lazy 🙂

In this blog post, I will show you how to use the service composer to create a security policy and apply it to multiple servers.

First navigate to Networking & Security > Service Composer

sc2 Read Full Article