NSX

VMwareNSX

Configure Security Groups

Security Groups are a way to define objects that you want to group together to protect. They can be statically defined or defined dynamically. Security Groups can be defined using some of the following objects:

  • Clusters, port groups, resource pools
  • Security tags, IP Sets, MAC Sets, other security groups
  • Active Directory groups – If the NSX Manager is registered with Active Directory
  • VMs, vNICs, Logical Switch

Grouping objects together can make the application of firewall rules that much easier and cut down on the amount of rules that need to be generated in NSX

To create a security group, navigate to Networking & Security > Service Composer > Security Groups. Click the “New Security Group” icon.

sg01 Read Full Article

VMwareNSX

Identity based firewall allows you to make distributed firewall rules based off Active Directory users and groups. A few things need to be in place for this to work. You must have a cluster that is prepared for NSX. You must setup AD synchronization so that NSX can see the users and groups and you must have Guest Introspection and/or AD Event Log Scraper in place. Guest Introspection must be deployed on the clusters where IDFW VMs are running. When network events are created, a guest agent installed on the VM (VMware Tools full installation) forward the information through guest introspection on to the NSX manager. With Active Directory event log scraper, you must point the NSX manager to a AD domain controller. The NSX manager then pulls the events from the AD security event log and filter through the firewall rules accordingly. IDFW monitors where AD users log in, maps the login to a IP address, and that is used by the DFW to apply rules. Read Full Article

VMwareNSX
In this blog post I will cover section 4 object 4.1 of the VCAP6-NV Deploy exam.

Objective 4.1 – Configure and Manage Logical Firewall Services

  • Configure Edge and Distributed Firewall rules according to a deployment plan:
    • Create/configure Firewall rule sections for specific departments
    • Create/configure Identity-based firewall (IDFW) for specific users/groups
  • Configure SpoofGuard policies to enhance security
  • Filter firewall rules to narrow a scope

Read Full Article

VMwareNSX
In this blog post I will cover section 3 object 3.3 of the VCAP6-NV Deploy exam.

Objective 3.3 – Configure and Manage Additional VMware NSX Edge Services

  • Configure DHCP services according to a deployment plan:
    • Create/edit a DHCP IP Pool
    • Create/edit DHCP Static Binding
    • Configure DHCP relay
  • Configure DNS services
  • Configure NAT services to provide access to services running on privately addressed virtual machines

Read Full Article

Oh my, how fast a year has flown by and my how much has changed! Last year, in February, I came to the realization that if I really wanted to increase my knowledge and advance my career, then I needed to invest in a homelab. So, I made an investment and purchased a SuperMicro 5028D-TN4T system bundle from WiredZone. It has been a year since I did my initial review of this system and since then I have made good use out of it and decided to come back with my thoughts. Read Full Article

VMwareNSX
In this blog post I will cover section 3 object 3.2 of the VCAP6-NV Deploy exam.

Objective 3.2 – Configure and Manage Logical Virtual Private Networks (VPNs)

  • Configure IPSec VPN service to enable site to site communication
  • Configure SSL VPN service to allow remote users to access private networks
  • Configure L2 VPN service to stretch multiple logical networks across geographical sites

Read Full Article

VMwareNSX

Using NSX Edge, you can create a L2 VPN that can stretch multiple logical networks, whether VLAN or VXLAN, across geographical sites. With L2 VPN, a VM can remain on the same subnet when moved between sites and their IP addresses do not have to change. To configure a L2 VPN, you configure a L2 VPN server (destination Edge) and an L2 VPN client (source Edge). Then you enable L2 VPN services on both. But before we can create the L2 VPN, we must create a trunk port on our NSX edge. Read Full Article