Networking

VMwareNSX
In this blog post I will cover section 5 objective 5.1 of the VCAP6-NV Deploy exam.

Objective 5.1 – Backup and Restore Network Configurations

Skills and Abilities

  • Schedule/Backup/Restore NSX Manager data
  • Export/Restore vSphere Distributed Switch configuration
  • Export/Import Service Composer profiles
  • Save/Export/Import/Load Distributed Firewall configurations

 

Schedule/Backup/Restore NSX Manager data

Having backups of your NSX environment is highly recommended in case you ever need to restore your config back to a working state in the event of a failure. A NSX backup will contain all of the NSX configuration, including controllers, logical switches, logical routers, firewall rules and other things that were configured within NSX. It is also good to have the vCenter database and distributed switch configs backed up so that you have a complete recovery point.

To begin setting up the backup, log in to the NSX Manager.

backup01

Read Full Article

VMwareNSX
In this blog post I will cover section 4 objective 4.2 of the VCAP6-NV Deploy exam.

Objective 4.2 – Configure and Manage Service Composer

Skills and Abilities

  • Create/configure Service Composer according to a deployment plan:
    • Configure Security Groups
    • Configure Security Policies
    • Configure Activity Monitoring for a Security Policy
  • Create/edit/delete Security Tags
  • Configure Network Introspection
  • Configure Guest Introspection

Read Full Article

VMwareNSX

Configure Security Groups

Security Groups are a way to define objects that you want to group together to protect. They can be statically defined or defined dynamically. Security Groups can be defined using some of the following objects:

  • Clusters, port groups, resource pools
  • Security tags, IP Sets, MAC Sets, other security groups
  • Active Directory groups – If the NSX Manager is registered with Active Directory
  • VMs, vNICs, Logical Switch

Grouping objects together can make the application of firewall rules that much easier and cut down on the amount of rules that need to be generated in NSX

To create a security group, navigate to Networking & Security > Service Composer > Security Groups. Click the “New Security Group” icon.

sg01 Read Full Article

VMwareNSX

Identity based firewall allows you to make distributed firewall rules based off Active Directory users and groups. A few things need to be in place for this to work. You must have a cluster that is prepared for NSX. You must setup AD synchronization so that NSX can see the users and groups and you must have Guest Introspection and/or AD Event Log Scraper in place. Guest Introspection must be deployed on the clusters where IDFW VMs are running. When network events are created, a guest agent installed on the VM (VMware Tools full installation) forward the information through guest introspection on to the NSX manager. With Active Directory event log scraper, you must point the NSX manager to a AD domain controller. The NSX manager then pulls the events from the AD security event log and filter through the firewall rules accordingly. IDFW monitors where AD users log in, maps the login to a IP address, and that is used by the DFW to apply rules. Read Full Article

VMwareNSX
In this blog post I will cover section 4 objective 4.1 of the VCAP6-NV Deploy exam.

Objective 4.1 – Configure and Manage Logical Firewall Services

  • Configure Edge and Distributed Firewall rules according to a deployment plan:
    • Create/configure Firewall rule sections for specific departments
    • Create/configure Identity-based firewall (IDFW) for specific users/groups
  • Configure SpoofGuard policies to enhance security
  • Filter firewall rules to narrow a scope

Read Full Article

VMwareNSX
In this blog post I will cover section 3 objective 3.3 of the VCAP6-NV Deploy exam.

Objective 3.3 – Configure and Manage Additional VMware NSX Edge Services

  • Configure DHCP services according to a deployment plan:
    • Create/edit a DHCP IP Pool
    • Create/edit DHCP Static Binding
    • Configure DHCP relay
  • Configure DNS services
  • Configure NAT services to provide access to services running on privately addressed virtual machines

Read Full Article

VMwareNSX
In this blog post I will cover section 3 objective 3.2 of the VCAP6-NV Deploy exam.

Objective 3.2 – Configure and Manage Logical Virtual Private Networks (VPNs)

  • Configure IPSec VPN service to enable site to site communication
  • Configure SSL VPN service to allow remote users to access private networks
  • Configure L2 VPN service to stretch multiple logical networks across geographical sites

Read Full Article

VMwareNSX

Using NSX Edge, you can create a L2 VPN that can stretch multiple logical networks, whether VLAN or VXLAN, across geographical sites. With L2 VPN, a VM can remain on the same subnet when moved between sites and their IP addresses do not have to change. To configure a L2 VPN, you configure a L2 VPN server (destination Edge) and an L2 VPN client (source Edge). Then you enable L2 VPN services on both. But before we can create the L2 VPN, we must create a trunk port on our NSX edge. Read Full Article

VMwareNSX

With SSL VPN-Plus, you can connect to private networks behind a NSX edge gateway. A user can then access applications and servers on the private network. Since this is a SSL VPN, a user can access the private networks by use of a web browser or a client that is installed on the local machine. Below is a diagram taken from the NSX Admin Guide of the clients connect to the private network and also the support operating systems for the SSL VPN client:

 

ssl01 Read Full Article

VMwareNSX

NSX edge supports site to site IPSec VPN to remote sites. You can configure multiple internal networks to connect to through the VPN tunnel. Subnets and internal networks behind the NSX edge must not have overlapping addresses. The size of the edge device determines the number of tunnels that are supported. The number of tunnels needed can be found out by using a simple equation of : “local subnets x peer subnets = number of tunnels needed”. Below is a chart taken from the NSX Administrator’s Guide outlining the number of IPSec tunnels that a edge device can handle depending on the size and also the supported algorithms.

Read Full Article