In this blog post I will cover section 5 objective 5.2 of the VCAP6-NV Deploy exam.

Objective 5.2 – Monitor a VMware NSX Implementation

Skills and Abilities

• Configure logging for NSX components according to a deployment plan
• Monitor health of networking services
• Monitor health and status of infrastructure components:

  • vSphere
  • NSX Manager
  • Control Cluster

• Enable data collection for single/multiple virtual machines


Configure logging for NSX components according to a deployment plan

To configure logging for our ESXi host, navigate to the host and click Configure > Advanced System Settings. You can click Edit and search for syslog. Edit the settings for Syslog.global.logHost and enter in your syslog server’s FQDN or IP and port number.

log01 Read Full Article

In this blog post I will cover section 5 objective 5.1 of the VCAP6-NV Deploy exam.

Objective 5.1 – Backup and Restore Network Configurations

Skills and Abilities

  • Schedule/Backup/Restore NSX Manager data
  • Export/Restore vSphere Distributed Switch configuration
  • Export/Import Service Composer profiles
  • Save/Export/Import/Load Distributed Firewall configurations


Schedule/Backup/Restore NSX Manager data

Having backups of your NSX environment is highly recommended in case you ever need to restore your config back to a working state in the event of a failure. A NSX backup will contain all of the NSX configuration, including controllers, logical switches, logical routers, firewall rules and other things that were configured within NSX. It is also good to have the vCenter database and distributed switch configs backed up so that you have a complete recovery point.

To begin setting up the backup, log in to the NSX Manager.


Read Full Article

In this blog post I will cover section 4 objective 4.2 of the VCAP6-NV Deploy exam.

Objective 4.2 – Configure and Manage Service Composer

Skills and Abilities

  • Create/configure Service Composer according to a deployment plan:
    • Configure Security Groups
    • Configure Security Policies
    • Configure Activity Monitoring for a Security Policy
  • Create/edit/delete Security Tags
  • Configure Network Introspection
  • Configure Guest Introspection

Read Full Article


Configure Security Groups

Security Groups are a way to define objects that you want to group together to protect. They can be statically defined or defined dynamically. Security Groups can be defined using some of the following objects:

  • Clusters, port groups, resource pools
  • Security tags, IP Sets, MAC Sets, other security groups
  • Active Directory groups – If the NSX Manager is registered with Active Directory
  • VMs, vNICs, Logical Switch

Grouping objects together can make the application of firewall rules that much easier and cut down on the amount of rules that need to be generated in NSX

To create a security group, navigate to Networking & Security > Service Composer > Security Groups. Click the “New Security Group” icon.

sg01 Read Full Article


Identity based firewall allows you to make distributed firewall rules based off Active Directory users and groups. A few things need to be in place for this to work. You must have a cluster that is prepared for NSX. You must setup AD synchronization so that NSX can see the users and groups and you must have Guest Introspection and/or AD Event Log Scraper in place. Guest Introspection must be deployed on the clusters where IDFW VMs are running. When network events are created, a guest agent installed on the VM (VMware Tools full installation) forward the information through guest introspection on to the NSX manager. With Active Directory event log scraper, you must point the NSX manager to a AD domain controller. The NSX manager then pulls the events from the AD security event log and filter through the firewall rules accordingly. IDFW monitors where AD users log in, maps the login to a IP address, and that is used by the DFW to apply rules. Read Full Article

In this blog post I will cover section 4 objective 4.1 of the VCAP6-NV Deploy exam.

Objective 4.1 – Configure and Manage Logical Firewall Services

  • Configure Edge and Distributed Firewall rules according to a deployment plan:
    • Create/configure Firewall rule sections for specific departments
    • Create/configure Identity-based firewall (IDFW) for specific users/groups
  • Configure SpoofGuard policies to enhance security
  • Filter firewall rules to narrow a scope

Read Full Article

In this blog post I will cover section 3 objective 3.3 of the VCAP6-NV Deploy exam.

Objective 3.3 – Configure and Manage Additional VMware NSX Edge Services

  • Configure DHCP services according to a deployment plan:
    • Create/edit a DHCP IP Pool
    • Create/edit DHCP Static Binding
    • Configure DHCP relay
  • Configure DNS services
  • Configure NAT services to provide access to services running on privately addressed virtual machines

Read Full Article

Oh my, how fast a year has flown by and my how much has changed! Last year, in February, I came to the realization that if I really wanted to increase my knowledge and advance my career, then I needed to invest in a homelab. So, I made an investment and purchased a SuperMicro 5028D-TN4T system bundle from WiredZone. It has been a year since I did my initial review of this system and since then I have made good use out of it and decided to come back with my thoughts. Read Full Article

In this blog post I will cover section 3 objective 3.2 of the VCAP6-NV Deploy exam.

Objective 3.2 – Configure and Manage Logical Virtual Private Networks (VPNs)

  • Configure IPSec VPN service to enable site to site communication
  • Configure SSL VPN service to allow remote users to access private networks
  • Configure L2 VPN service to stretch multiple logical networks across geographical sites

Read Full Article


Using NSX Edge, you can create a L2 VPN that can stretch multiple logical networks, whether VLAN or VXLAN, across geographical sites. With L2 VPN, a VM can remain on the same subnet when moved between sites and their IP addresses do not have to change. To configure a L2 VPN, you configure a L2 VPN server (destination Edge) and an L2 VPN client (source Edge). Then you enable L2 VPN services on both. But before we can create the L2 VPN, we must create a trunk port on our NSX edge. Read Full Article