NSX

VMwareNSX

NSX Edge supports site-to-site IPsec VPN to remote sites. You can configure multiple internal networks to connect through the VPN tunnel. Subnets and internal networks behind the NSX Edge must not have overlapping addresses. The size of the edge device determines the number of tunnels that are supported. The number of tunnels needed can be found with a simple equation: “local subnets x peer subnets = number of tunnels needed”. Below is a chart taken from the NSX Administrator’s Guide outlining the number of IPsec tunnels that an edge device can handle depending on its size, and also the supported algorithms.

In this blog post I will cover section 3 objective 3.1 of the VCAP6-NV Deploy exam.

Objective 3.1 – Configure and Manage Logical Load Balancing

  • Configure the appropriate Load Balancer model for a given application topology
  • Configure SSL off-loading
  • Configure a service monitor to define health check parameters for a specific type of network traffic
  • Optimize a server pool to manage and share backend servers
  • Configure an application profile and rules
  • Configure virtual servers

In this blog post I will cover section 2 objective 2.3 of the VCAP6-NV Deploy exam.

Objective 2.3 – Configure and Manage Routing

  • Deploy the appropriate NSX Edge (ESG/LDR) device according to a deployment plan
  • Configure centralized and distributed routing
  • Configure default gateway parameters
  • Configure static routes
  • Select and configure appropriate dynamic routing protocol according to a deployment plan:
    • OSPF
    • BGP
    • IS-IS
  • Configure route redistribution to support a multi-protocol environment


In this blog post, I will cover section 1 objective 1.2 of the VCAP6-NV Deploy exam.

Objective 1.2 – Prepare Host Clusters for Network Virtualization

  • Prepare vSphere Distributed Switching for NSX
  • Prepare a cluster for NSX
    • Add/Remove Hosts from cluster
  • Configure the appropriate teaming policy for a given implementation
  • Configure VXLAN Transport parameters according to a deployment plan


In this blog post, I will cover section 1 objective 1.1 of the VCAP6-NV Deploy exam.

Objective 1.1 – Deploy VMware NSX Infrastructure components

  • Deploy the NSX Manager virtual appliance
  • Integrate the NSX Manager with vCenter Server
    • Configure Single Sign On
    • Specify a Syslog Server
  • Implement and Configure NSX Controllers
  • Exclude virtual machines from firewall protection according to a deployment plan

Well….here goes nothing! I’ve decided that the next certification that I will pursue will be the VCAP6-NV Deploy. (I sure hope I don’t regret this! 😳) With all the hype surrounding NSX and SDDC, what better time than now to really focus on the software defined network. More and more companies are starting to adopt NSX to harden their security, help them get into network automation with products like vRealize Automation, or even to help protect and migrate workloads to public cloud. So to stay relevant….I better jump on the bandwagon sooner than later.


Recently, VMware released its latest version of NSX, 6.3.3. With it came a number of bug fixes and some new features. One of the main new features has to do with the NSX controllers. Starting with 6.3.3, the OS for the NSX controllers will be powered by Photon OS. Because a new OS is used, your current NSX controllers will not be upgraded, but rather deleted and recreated as part of the install process. There are also some other new features that I will not dive too deep into, but just list:

Guest Introspection supports Windows Server 2016

New NSX API to retrieve a list of all unresolved alarms on NSX Manager

Crypto Module Changes Affecting FIPS Compliance

  • NSS and OpenSwan: The NSX Edge IPsec VPN uses the Mozilla NSS crypto module. Due to critical security issues, NSX 6.3.3 moved to a newer version of NSS that has not been FIPS certified. VMware affirms that the module works correctly, but it is no longer formally validated.
  • NSS and Password Entry: The NSX Edge password hashing uses the Mozilla NSS crypto module. Due to critical security issues, NSX 6.3.3 moved to a newer version of NSS that has not been FIPS certified. VMware affirms that the module works correctly, but it is no longer formally validated.
  • Controller and Clustering VPN: The NSX Controller uses IPsec VPN to connect Controller clusters. The IPsec VPN uses the VMware Linux kernel crypto module (Photon 1 environment), which is in the process of being CMVP validated.

Upgrade Process

In this blog post, I will take you through the steps to upgrade your current NSX environment to 6.3.3.

First check compatibility with your current NSX environment. That can easily be done here.

The NSX components have to be upgraded in a certain order:

  1. NSX Manager
  2. NSX Controller Cluster
  3. VIBs on the host clusters
  4. NSX edges
  5. Guest Introspection (If enabled)

To begin our upgrade process, navigate to your NSX Manager and log in as the admin.
