This book begins with a brief introduction to VMware's NSX for vSphere Network Virtualization solutions and how to deploy and configure NSX components and features such as Logical Switching, Logical Routing, layer 2 bridging and the Edge Services Gateway. Moving on to security, the book shows you how to enable micro-segmentation through NSX Distributed Firewall and Identity Firewall and how to do service insertion via network and guest introspection. After covering all the feature configurations for single-site deployment, the focus then shifts to multi-site setups using Cross-vCenter NSX.
Next, the book covers management, backing up and restoring, upgrading, and monitoring using built-in NSX features such as Flow Monitoring, Traceflow, Application Rule Manager, and Endpoint Monitoring. Towards the end, you will explore how to leverage VMware NSX REST API using various tools from Python to VMware vRealize Orchestrator.
Page count: 391
Year of publication: 2018
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Namrata Patil
Content Development Editor: Deepti Thore
Technical Editor: Sayali Thanekar
Copy Editor: Safis Editing
Project Coordinator: Shweta H Birwatkar
Proofreader: Safis Editing
Indexer: Aishwarya Gangawane
Graphics: Jisha Chirayil
Production Coordinator: Aparna Bhagat
First published: March 2018
Production reference: 1270318
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78217-425-7
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
At the time of writing, I am right in the middle of nowhere in the western United States. Yet—through the magic of a communications network spanning the globe—I could pay for my breakfast without any form of cash and get a confirmation in a bit under thirty seconds from my bank over 13,000 kilometers away. Meanwhile, people in the VMware vExpert community were communicating with me, and I asked a digital personal assistant living in my cellphone for the most direct route back to the hotel.
Even though we sometimes take this for granted a bit too much, it is undeniable that over the last 50 years, digital telecommunication networks have revolutionized the way we work, live, and communicate, from the humble beginnings of ARPANET all the way to the most recent revolutionary development of software-defined networking, which is where the book that you are currently holding comes in.
This book will help you understand the concepts of VMware NSX for vSphere, provide you with the technical details behind the product, and give you a great overview of all the different components, including external products such as vRealize Log Insight, and the variety of API integrations available. For beginning and advanced readers equally, there's something to be found that should make this book worthwhile for you, as either a reference guide, a study book, or as a general introduction into VMware NSX for vSphere.
For me personally, I like the fact that this book is interspersed with command-line snippets that will make your life easier when working with the product. It adds serious value to each individual recipe by showing you alternate ways to configure something, troubleshoot issues, or validate your configuration, and teaches you how the product works beyond the standard GUI-based configuration.
By reading this book, I've actually learned that I have been wrong about a technical fact since I started working with NSX in late 2013, so I'm more than certain that there's something left to be learned, regardless of your skill level and your technical knowledge.
Sjors Robroek, VCDX-NV #237 and Senior Consultant at VMware
Bayu Wibowo is a seasoned network virtualization consultant in the APJ arena. With over 10 years of industry experience, he has rapidly earned a reputation and awards for his community involvement as a Cisco Champion, VMware vExpert NSX, and VMTN Community Warrior. Working as a network virtualization consultant for Datacom, he now plays an integral part in the implementation of multiple innovative technologies, including VMware NSX, Open Networking, and many more. Follow him on Twitter @bayupw.
Tony Sangha is a senior consulting architect at VMware Professional Services with over 12 years of experience in networking and security roles, who has worked for a systems integrator across various industry verticals. He guides customers across Australia and New Zealand to design and implement a Software Defined Datacenter using VMware technologies and specializes in VMware NSX. He has presented at multiple VMUG and vForum events across ANZ and is an active community contributor via his blog and open source projects on GitHub. You can follow him on Twitter at @tsangha.
Dmitri Kalintsev has had a long career in provider networking—from system administration and operations to engineering and architecture. He then switched gears to building VMware-based public cloud infrastructure, followed by a transition to the vendor world. For the last few years, Dmitri has worked in solution architecture, product management, and product engineering roles concerned with a range of software networking products. He can be found on Twitter as @dkalintsev.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
VMware NSX Cookbook
Packt Upsell
Why subscribe?
PacktPub.com
Foreword
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Sections
Getting ready
How to do it...
How it works...
There's more...
See also
Get in touch
Reviews
Getting Started with VMware NSX for vSphere
Introduction
Choosing the right VMware NSX for vSphere edition
Getting ready
How to do it...
There's more...
VMware NSX editions
Evaluating VMware NSX
Support and Subscription (SnS)
VMware vRealize Log Insight for NSX
VMware NSX Monitoring Tools
See also
Selecting ESXi hosts and network adapters
VXLAN Offload
Receive Side Scaling
Downloading NSX for vSphere
Getting ready
How to do it...
Checking the Product Interoperability Matrix
Downloading media via the VMware downloads website
Downloading media via the VMware Software Manager
See also
Deploying the NSX Manager virtual appliance
Getting ready
How to do it...
Replacing the NSX Manager certificate
Certificate Signing Request
How to do it...
PKCS#12 certificate
How to do it...
Registering vCenter server with NSX Manager
Getting ready
How to do it...
Registering the NSX Manager with the vCenter server
Registering the NSX Manager with the PSC
How it works...
There's more...
Applying the NSX license
Getting ready
How to do it...
Deploying the NSX Controller Cluster
Getting ready
How to do it...
Configuring an NSX IP pool
NSX Controller Cluster deployment
DRS Anti-Affinity Rules
Configuring DRS Anti-Affinity Rules via PowerCLI
There's more...
Separate vCenter environment
Controller password parameters
Preparing a vSphere cluster for NSX
Getting ready
How to do it...
How it works...
Enabling NSX in a brownfield environment
Validating NSX VIB installation
Distributed Firewall communication
Controller communication
Getting ready
How to do it...
Manually checking VIB installation
Checking NSX component communication
Configuring VMware NSX Logical Switch Networks
Introduction
VMware NSX Logical Switch and VXLAN
VMware NSX Transport Zone
VMware NSX Replication Modes
VMware NSX Controller Disconnected Operation Mode
Configuring VXLAN Networking
Getting ready
IP address for VTEP VMkernel
Using DHCP for an IP pool
VDS teaming options for NSX
Single VTEP with LACP
Multi-VTEP with Route Based on Originating Port ID
How to do it...
Configuring VXLAN Networking
Validating VXLAN and VTEP configuration
How it works...
Testing VXLAN VTEP VMkernel
There's more...
See also
Configuring a VXLAN Segment ID
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a NSX Transport Zone
Getting ready
How to do it...
How it works...
There's more...
Creating a NSX Logical Switch
Getting ready
How to do it...
How it works...
See also
Connecting a Virtual Machine to an NSX Logical Switch
Getting ready
How to do it...
How it works...
See also
Testing an NSX Logical Switch
Getting ready
How to do it...
Ping
Broadcast
How it works...
There's more...
See also
Enabling the Controller Disconnected Operation Mode on a Transport Zone
Getting ready
How to do it...
How it works...
Configuring VMware NSX Logical Routing
Introduction
Configuring the Distributed Logical Router
Getting ready
How to do it...
How it works...
There's more...
DLR CVM hardware requirements
HA interface
Configuring the Distributed Logical Router for dynamic routing
Getting ready
How to do it...
How it works...
There's more...
Route redistribution
Forwarding versus protocol address
Graceful restart
Deploying and configuring the NSX ESG in HA mode
Getting ready
How to do it...
How it works...
There's more...
Understanding and configuring the NSX ESG for routing
Getting ready
How to do it...
How it works...
There's more...
Configuring VMware NSX Layer 2 Bridging
Introduction
Software-Based Gateway Layer 2 Bridging
Bridging and Routing
Hardware VTEP Gateway
Configuring Software-Based Gateway Layer 2 Bridging
Getting ready
How to do it...
Configuring bridging
Verifying Bridging Configuration
How it works...
There's more...
Selecting a hardware VTEP gateway
Getting ready
How to do it...
There's more...
See also
Integrating Hardware VTEP Gateway with VMware NSX
Getting ready
How to do it...
Configuring the Replication Cluster
Connecting a Hardware VTEP Gateway to an NSX Controller
Adding a Hardware VTEP Gateway to NSX
How it works...
See also
Extending VMware NSX Logical Switch to Hardware VTEP Gateway
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring VMware NSX Edge Services Gateway
Introduction
Configuring a DNS relay
Getting ready
How to do it...
There's more...
Configuring a DHCP server
Getting ready
How to do it...
There's more...
Configuring an Edge Firewall
Getting ready
How to do it...
There's more...
Configuring Network Address Translation
Getting ready
How to do it...
Configuring an SNAT rule
Configure a DNAT rule
How it works...
There's more...
Configuring Load Balancing
Getting ready
How to do it...
Deploying an NSX Edge Load Balancer
Configuring an NSX Edge Load Balancer
Verifying the NSX edge load balancer configuration
How it works...
There's more...
Configuring IPSEC VPN
Getting ready
How to do it...
How it works...
Configuring SSL VPN
Getting ready
How to do it...
How it works...
There's more...
Configuring High Availability
Getting ready
How to do it...
How it works...
Configuring VMware NSX Distributed Firewall (DFW) and SpoofGuard
Introduction
DFW Topology and Policy
See also
Verifying NSX DFW component status
Getting ready
How to do it...
Verifying Firewall Installation Status
Verifying vShield Stateful Firewall (vsfwd) Status and Connection
How it works...
See also
Configuring IP Discovery for Virtual Machines
Getting ready
How to do it...
How it works...
Verifying the Learnt IP address
Working with SpoofGuard
Getting ready
How to do it...
How it works...
There's more...
Excluding Virtual Machines from DFW Protection
Getting ready
How to do it...
How it works...
There's more...
Configuring DFW Session Timeout
Getting ready
How to do it...
How it works...
Creating Security Policy Rules from the Firewall Table Menu
Getting ready
How to do it...
Creating Firewall Sections
Creating Firewall Rules
How it works...
DFW Rule ID and Logs
DFW Saved Configurations
See also
Creating Security Policy Rules from the Service Composer menu
Getting ready
How to do it...
Creating a Security Group using Static Inclusion
Creating a Security Group using Dynamic Membership
Creating a Security Group using Security Tag as the Dynamic Membership Criteria
Creating a Security Policy
How it works...
Verifying DFW rules
Getting ready
How to do it...
Using NSX Manager central CLI
Using ESXi Host CLI
Leveraging the DFW Applied To field
Getting ready
How to do it...
Changing Firewall Default Applied To settings from the Firewall Table Menu
Changing Service Composer Firewall Default Applied To Settings
There's more...
See also
Deploying Network or Guest Introspection Services
Getting ready
How to do it...
Registering Service Definition
Deploying the Service VM
Installing VMware Tools for Guest Introspection
How it works...
Blocking Non-IP Layer 2 Traffic
There's more...
See also
Configuring the Identity Firewall
Getting ready
How to do it...
Registering a Microsoft Active Directory Domain with NSX Manager
Creating Security Rules using Active Directory Objects
How it works...
There's more...
Configuring Cross-vCenter NSX
Introduction
Configuring Primary and Secondary NSX Manager(s)
Getting ready
How to do it...
How it works...
There's more...
Enhanced Linked Mode
NSX Manager roles
Universal Synchronization Service Management and Troubleshooting
Creating a Universal Transport Zone and adding a vSphere cluster to the Universal Transport Zone
Getting ready
How to do it...
How it works...
Creating a Universal Logical Switch
Getting ready
How to do it...
How it works...
Creating a Universal Logical Router
Getting ready
How to do it...
How it works...
There's more...
See also
Deployment models
Local Egress
Adding a VM to a Universal Logical Switch
Getting ready
How to do it...
How it works...
Understanding and configuring the Universal Distributed Firewall
Getting ready
How to do it...
Creating Universal IPSets
Adding a web-tier-to-web-tier Universal Firewall Rule and Universal Section
Adding a web-tier-to-app-tier Universal Firewall Rule
Adding a app-tier-to-db-tier Universal Firewall Rule
How it works...
There's more...
Backing up and Restoring VMware NSX Components
Introduction
Backing up NSX Manager
Getting ready
How to do it...
How it works...
There's more...
See also
Restoring NSX Manager
Getting ready
How to do it...
Restoring NSX Controller Nodes
Getting ready
How to do it...
There's more...
See also
Restoring a Logical Switch Backing Port Group
Getting ready
How to do it...
How it works...
Restoring NSX Edge
Getting ready
How to do it...
How it works...
There's more...
Exporting NSX DFW Rules configuration from the Firewall Menu
Getting ready
How to do it...
There's more...
Restoring NSX DFW Rules configuration from the Firewall Menu
Getting ready
How to do it...
How it works...
Exporting NSX Security Policy from the Service Composer Menu
Getting ready
How to do it...
Restoring NSX Security Policy from the Service Composer Menu
Getting ready
How to do it...
Managing User Accounts in VMware NSX
Introduction
NSX Manager virtual appliance user account
Creating a service user account for vCenter server registration
Getting ready
How to do it...
Creating a user account
Adding an SSO user account as an SSO administrator
Registering NSX Manager registration with the vCenter server
How it works...
There's more...
Granting access to NSX
Getting ready
How to do it...
Assigning a vCenter role to a user account
Assigning an NSX role to a user account
How it works...
Creating and Managing CLI user accounts in NSX manager
Getting ready
How to do it...
Entering configuration mode in the NSX Manager CLI
Creating a CLI user account in the NSX Manager CLI
Granting REST API access to a CLI user account
Changing the enable password and CLI user account password
Verifying and saving configuration in the NSX Manager CLI
Clearing a VTY session
How it works...
There's more...
See also
Upgrading VMware NSX
Introduction
Preparing for VMware NSX upgrade
Getting ready
How to do it...
Checking the VMware Product Interoperability Matrices
Checking the VMware NSX upgrade path
Checking for Third-Party Integrations Compatibility
Reviewing VMware NSX for vSphere Release Notes and Upgrade Documents
Reviewing deprecated and discontinued features
Downloading VMware NSX upgrade bundles
There's more...
Verifying VMware NSX working state
Getting ready
How to do it...
Verifying NSX Manager virtual appliance working state
Verifying NSX components working state
Verifying vSphere components
There's more...
Upgrading VMware NSX Manager
Getting ready
How to do it...
There's more...
Upgrading NSX controller node
Getting ready
How to do it...
How it works...
Upgrading VMware NSX Host Clusters
Getting ready
How to do it...
How it works...
There's more...
Upgrading VMware NSX Edge
Getting ready
How to do it...
How it works...
Upgrading Network and Security Service Deployments
Getting ready
How to do it...
There's more...
Managing and Monitoring VMware NSX Platform
Introduction
NSX Logs
NSX Manager
vCenter Server
ESXi host
NSX Edge Gateway VM
Monitoring tools
Flow Monitoring
Application Rule Manager
Endpoint Monitoring
vRealize Log Insight for NSX
vRealize Network Insight
Monitoring NSX using NSX Dashboard
Getting ready
How to do it...
How it works...
There's more...
Configuring the NSX Components Syslog
Getting ready
How to do it...
Configuring the NSX Manager syslog
Configuring the NSX Controller Node Syslog
Configuring the NSX Edge Log
How it works...
There's more...
Configuring and viewing the NSX Distributed Firewall Log
Getting ready
How to do it...
Configuring the NSX DFW logs
Viewing the NSX DFW log from the ESXi host console
How it works...
Configuring vRealize Log Insight for NSX
Getting ready
How to do it...
Installing VMware NSX for the vSphere Content Pack
Navigating the NSX Content Pack Dashboards
Filtering DFW rules from the interactive analytics menu
How it works...
Enabling NSX Flow Monitoring
Getting ready
How to do it...
Enabling Flow Monitoring collection
Enabling and exporting Flow Monitoring collection
How it works...
Using Application Rule Manager
Getting ready
How to do it...
How it works...
There's more...
Using NSX Endpoint Monitoring
Getting ready
How to do it...
Verifying the prerequisites for endpoint monitoring
Starting endpoint monitoring data collection
How it works...
Leveraging the VMware NSX REST API for Management and Automation
Introduction
vCenter-Managed Object Reference ID (MoRef ID)
Using the REST API with the Postman REST client
Getting ready
How to do it...
Requesting the HTTP GET REST API via Postman
Requesting the HTTP POST REST API via Postman
How it works...
Using the REST API with cURL
Getting ready
How to do it...
Requesting the HTTP GET REST API via cURL
Requesting the HTTP POST REST API via cURL
How it works...
Generating a cURL script from Postman
There's more...
Using the REST API with PowerShell
Getting ready
How to do it...
Requesting the HTTP GET REST API via PowerShell
Requesting the HTTP POST REST API via PowerShell
How it works...
There's more...
Using the REST API with Python
Getting ready
How to do it...
Requesting the HTTP GET REST API via Python
Requesting the HTTP POST REST API via Python
How it works...
There's more...
Using the vRealize Orchestrator plugin for NSX
Getting ready
How to do it...
Checking the VMware Product Interoperability Matrices
Downloading the vRO plugin for NSX
Installing the vRO plugin for NSX
Running an NSX-vRO workflow
How it works...
There's more...
See also
Other Books You May Enjoy
Leave a review - let other readers know what you think
VMware NSX is a network virtualization solution that provides network and security services embedded into the VMware ESXi™ hypervisor. NSX for vSphere implements routing, switching, load balancing, and firewalling through software constructs that scale as you scale out your compute infrastructure. NSX also provides the ability to integrate with third-party vendors to deliver rich guest and network introspection services via software constructs. By decoupling from the physical hardware, NSX allows greater security, workload mobility, and automation, which form the foundational tenets of an NSX deployment.
At the time of writing this book, there are three VMware NSX offerings available, which are as follows:
VMware NSX for vSphere
VMware NSX-T
VMware NSX Cloud (https://cloud.vmware.com/nsx-cloud)
This book will cover VMware NSX for vSphere and has been written using version 6.3, but has also incorporated new features from 6.4 in the relevant sections of the book.
The recipes covered throughout this book provide the foundational knowledge required to get started with NSX, but also cover the required content in depth, so that you can make informed design decisions for your VMware NSX implementation.
This book aims to be useful for both new and seasoned VMware NSX for vSphere administrators. It is intended to be used by those that have never deployed NSX and by those that have it deployed already but are looking to leverage new or advanced functionality.
NSX-v runs on vSphere and connects to your existing network. Therefore, intermediate networking and virtualization knowledge is assumed and is essential to understand the correct deployment of NSX in your environment.
Chapter 1, Getting Started with VMware NSX for vSphere, explains how to choose the right VMware NSX for vSphere Edition, select compatible software and hardware, and deploy the foundational components of NSX.
Chapter 2, Configuring VMware NSX Logical Switch Networks, covers how to set up logical switch networks based on Virtual Extensible LAN (VXLAN) and how to connect virtual machines to the newly created logical switches.
Chapter 3, Configuring VMware NSX Logical Routing, introduces the Distributed Logical Router for East-West routing in your datacenter and the Edge Services Gateway for North-South routing to your virtual networks.
Chapter 4, Configuring VMware NSX Layer 2 Bridging, covers how layer 2 bridging works and its configuration for both software and hardware.
Chapter 5, Configuring VMware NSX Edge Services Gateway, covers the Edge Services Gateway, the Swiss Army knife of NSX that provides all the rich network services. The topics covered in this chapter include DNS Relay, DHCP Server, firewall, load balancing, and virtual private networks.
Chapter 6, Configuring VMware NSX Distributed Firewall (DFW) and SpoofGuard, covers how to configure the NSX Distributed Firewall. The topics include configuration of Security Policy, Grouping Constructs, Firewall Rules, and advanced Guest and Network Introspection services.
Chapter 7, Configuring Cross-vCenter NSX, covers how to extend your NSX deployment across vCenter boundaries and how to deliver distributed services across geographically dispersed sites.
Chapter 8, Backing up and Restoring VMware NSX Components, covers recipes to perform backup and restore of NSX components for disaster recovery and day-to-day operations.
Chapter 9, Managing User Accounts in VMware NSX, explains how to manage and create user accounts in NSX Manager and the vSphere Web Client based on roles for accessing VMware NSX.
Chapter 10, Upgrading VMware NSX, gives you an understanding of how to plan and perform a VMware NSX for vSphere upgrade.
Chapter 11, Managing and Monitoring VMware NSX Platform, focuses on monitoring NSX using built-in dashboards, working with logs, and using the flow monitoring tools available natively within NSX. This chapter also covers how to use Application Rule Manager and Endpoint Monitoring.
Chapter 12, Leveraging the VMware NSX REST API for Management and Automation, introduces you to working with the NSX REST API and demonstrates how to use a plethora of tools for accessing the NSX REST API, such as Postman, cURL, PowerShell, Python, and vRealize Orchestrator.
The book was written using vSphere version 6.5 and NSX-v version 6.3. vSphere 5.5 and later can be used, but you should independently validate that all software components are compatible with the version of NSX you are deploying via the VMware Product Interoperability Matrices (https://www.vmware.com/resources/compatibility/sim/interop_matrix.php), and all hardware should be checked via the VMware Hardware Compatibility Guide (HCL) (http://www.vmware.com/go/hcl).
To install VMware NSX for vSphere you will need to obtain the appropriate software; unfortunately, without a valid contract you will need to contact the VMware sales team (http://www.vmware.com/company/contact_sales.html) to obtain it.
All recipes require a supported guest operating system, web browser, and Adobe Flash Player to access the vSphere Web Client. The minimum supported requirements are vSphere version-dependent; for example, the requirements for vSphere 6.5 are documented at the following URL: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.install.doc/GUID-F6D456D7-C559-439D-8F34-4FCF533B7B42.html. Additionally, you will need an SSH client to access ESXi hosts and/or NSX components.
Two of the recipes in Chapter 4, Configuring VMware NSX Layer 2 Bridging, are based on hardware VTEP bridging, which requires compatible hardware. Unless you have a compatible piece of hardware, you may not be able to test these recipes. In this case, you can visit an online interactive simulation provided by VMware Hands-on Labs to walk through the configuration steps in detail: http://docs.hol.vmware.com/hol-isim/HOL-2017/hol-1703-arista.htm.
The NSX Identity Firewall in Chapter 6, Configuring VMware NSX Distributed Firewall (DFW) and SpoofGuard, and Endpoint Monitoring in Chapter 11, Managing and Monitoring VMware NSX Platform, require a compatible desktop operating system. The specific list of compatible operating systems is covered in the respective chapters and, at the time of writing this book, was limited to Microsoft Windows operating systems only.
Chapter 7, Configuring Cross-vCenter NSX, is a multi-vCenter setup that requires additional compute infrastructure and virtual components for complete configuration. This includes a minimum of two vCenter servers, two NSX managers, and the relevant infrastructure components for each.
Chapter 8, Backing up and Restoring VMware NSX Components, covers backup and restore of NSX components and requires deployment of either a File Transfer Protocol (FTP) or SSH File Transfer Protocol (SFTP) server.
VMware vRealize Log Insight (vRLI) is covered in Chapter 11, Managing and Monitoring VMware NSX Platform; deployment and configuration of vRLI is not within the scope of this book. However, VMware NSX customers are entitled to VMware vRealize Log Insight; see VMware KB 2145800, vRealize Log Insight for NSX FAQ: https://kb.vmware.com/s/article/2145800.
Chapter 12, Leveraging the VMware NSX REST API for Management and Automation, covers the NSX REST API and requires the following software installed on your administrative machine for testing:
Postman: https://www.getpostman.com/
Windows PowerShell or PowerShell Core: https://microsoft.com/powershell
Python 2.7 or Python 3: https://www.python.org/downloads/
vRealize Orchestrator: https://www.vmware.com/products/vrealize-orchestrator.html
NSX-vRO plugin
If you do not have an environment to work with NSX, you can still test-drive NSX on the VMware Hands-on Lab (HOL): https://www.vmware.com/products/nsx/nsx-hol.html.
You can download the example code files for this book from your account at www.packtpub.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
Log in or register at www.packtpub.com.
Select the SUPPORT tab.
Click on Code Downloads & Errata.
Enter the name of the book in the Search box and follow the onscreen instructions.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/VMware-NSX-Cookbook. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/VMwareNSXCookbook_ColorImages.pdf.
In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There's more..., and See also).
To give clear instructions on how to complete a recipe, use these sections as follows:
Getting ready: This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.
How to do it...: This section contains the steps required to follow the recipe.
How it works...: This section usually consists of a detailed explanation of what happened in the previous section.
There's more...: This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.
See also: This section provides helpful links to other useful information for the recipe.
Feedback from our readers is always welcome.
General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
In this chapter, we will explore how to install and configure NSX for vSphere. We will be covering the following recipes:
Choosing the right VMware NSX for vSphere edition
Selecting ESXi hosts and network adapters
Downloading NSX for vSphere
Deploying the NSX Manager virtual appliance
Replacing the NSX Manager certificate
Registering vCenter server with NSX Manager
Applying the NSX licenses
Deploying the NSX Controller Cluster
Preparing a vSphere cluster for NSX
Validating NSX VIB installation
Checking NSX component communication
This book aims to be useful for both new and seasoned VMware NSX for vSphere administrators. It is intended to be used by those that have never deployed NSX and by those that have it deployed already but are looking to leverage newer or advanced functionality. Intermediate networking and virtualization knowledge is assumed and is essential to understanding deployment of NSX into your environment.
Before we begin serving the main recipes of our cookbook, we will first provide an overview of what VMware NSX for vSphere is and what functionality it provides over traditional networking models.
VMware NSX for vSphere is a core component of the VMware Software-Defined Data Center (SDDC); it is the component that enables network virtualization. Network virtualization provides a layer of abstraction over the physical network using a VXLAN network overlay. With NSX, network operations are now independent of the physical hardware, and functions such as logical firewalls, load balancers, logical routers, logical switches, and virtual private networks can be provisioned, modified, or torn down as part of an automated workflow.
VMware NSX has four licensing editions: standard, advanced, enterprise, and remote office/branch offices (ROBO). Each licensing tier provides distinctive functionality, available per CPU socket on a perpetual basis at the vSphere cluster level.
The standard and advanced editions are also available in packs of 100 users to align with virtual desktop deployments (vSphere for Desktop). The enterprise edition is also available on a per-VM term basis. You can upgrade from standard to advanced/enterprise and from advanced to enterprise.
Like vSphere licensing, VMware NSX is licensed per CPU socket. If you have a separate Management vSphere Cluster that is used for Infrastructure VMs and are not planning to protect it with the NSX Distributed Firewall or place NSX Edge Service Gateways onto it, you are not required to license the CPUs on that Management vSphere Cluster. The Compute vSphere cluster and Edge vSphere cluster need to be licensed.
From your vSphere inventory you will need to do the following:
Determine how many CPU sockets you need
Determine the NSX features required
If you are planning to integrate third-party partner solutions with NSX (http://www.vmware.com/products/nsx/technology-partners.html), check whether a specific NSX feature is required
Choose the NSX edition based on the features required
The following sub-sections will detail the different tiers of NSX licensing and the features available in each. From there, how to evaluate and purchase VMware NSX will also be detailed.
The four tiers of licenses are as follows:
Standard edition
Advanced edition
Enterprise edition
ROBO
The features available in each edition are as follows (columns: Standard, Advanced, Enterprise, ROBO; a ● marks an edition that includes the feature):
Product feature | Standard | Advanced | Enterprise | ROBO
Distributed Switching: ● ● ● ●
Distributed Routing: ● ●
NSX Edge Firewall: ● ● ● ●
Network Address Translation (NAT): ● ● ● ●
SW L2 Bridging to physical environment: ● ● ●
Dynamic routing with ECMP (Active-Active): ● ● ● ●
API-driven: ● ● ● ●
Integration with vRealize and OpenStack: ● ● ● ●
Automation of security policies with vRealize: ● ● ●
NSX Edge Load Balancing: ● ● ●
Distributed Firewalling: ● ● ●
Integration with Active Directory: ● ● ●
Service Insertion (third-party integration): ● ● ●
Cross vCenter NSX: ●
Multisite NSX optimizations: ●
VPN (IPSec and SSL): ● ●
Remote gateway: ●
Integration with HW VTEPs: ●
There are two ways to evaluate VMware products:
Deploy NSX in your environment and use an evaluation license for a limited time
Use VMware Hands-on Labs (http://labs.hol.vmware.com/) to experience VMware NSX in a virtual lab environment:
VMware NSX Hands-on Lab Intro (http://www.vmware.com/go/try-nsx-en)
VMware NSX Hands-on Lab Advanced (http://www.vmware.com/go/try-nsx-adv-hol)
There are support and subscription plan options that you can purchase in addition to the product:
Basic support: 12 hours a day technical support during business hours
Production support: 24 hours (Severity 1), seven days a week support
The production support plan is recommended for production and critical environments. If you need higher-level support above production grade, additional support options such as Business Critical Support (BCS) or Mission Critical Support (MCS) can be purchased on top of production support. For more information on VMware support offerings, see https://www.vmware.com/support/services.html.
VMware vRealize Log Insight is a log management engine that collects logs from a number of different sources and provides rich dashboards and search functionality.
Log Insight is available for NSX at no additional charge: you are entitled to one Log Insight CPU license per NSX CPU license, and support and subscription are included with the NSX purchase. It is a fully functioning version of Log Insight, but limited to vSphere and NSX data sources and content packs only. If you need more data sources and content packs, additional Log Insight licenses are required.
There are several tools for monitoring VMware NSX. Some of these tools are built directly into the NSX platform, and others are separate feature-rich VMware products. These tools are as follows:
VMware NSX built-in tools
vRealize Network Insight
For more information about the VMware NSX Neutron plugin license editions for VMware integrated OpenStack, see VMware KB 2145269 (https://kb.vmware.com/kb/2145269).
Similar to the requirements of a VMware vSphere solution, choosing the correct hardware is still an important part of any NSX deployment; therefore, you need to follow the same process that you did for vSphere to ensure the hardware you are deploying is on the VMware Compatibility Guide (http://www.vmware.com/resources/compatibility/search.php).
The compatibility guide does not only list the supported servers: you also need to check that your network interface card (listed under I/O devices) is supported, and that features such as VXLAN Offload and Receive Side Scaling are supported on it.
VXLAN Offload is akin to TCP segmentation offload (TSO). TSO, however, is designed for TCP packet headers, whereas VXLAN encapsulates the original (source) packet from a virtual machine into a User Datagram Protocol (UDP) packet with its own header, known as the VXLAN header. Placing this additional header onto a packet invalidates the traditional offloading mechanisms in place and therefore increases the load on the CPU, as additional CPU cycles are needed to encapsulate and decapsulate every VXLAN packet; VXLAN Offload lets the NIC take over that work. VXLAN is covered in greater detail in Chapter 2, Configuring VMware NSX Logical Switch Networks.
Receive Side Scaling (RSS) is a technique the Network Interface Card (NIC) employs to ensure that data processing for a particular connection is balanced across multiple CPU cores. Without RSS, all connections would be handled by a single CPU core, which can adversely affect network performance.
In this recipe, we will download the installation media for NSX for vSphere. The installation media comes in the form of an open virtual application (OVA) that is distributed through the VMware downloads site (https://my.vmware.com/web/vmware/downloads).
To download NSX for vSphere, the following prerequisites must be satisfied:
Valid VMware software entitlements that enable you to download the installation media
Access to the VMware downloads website
Access to VMware Software Manager; download and install VMware Software Manager first (https://www.vmware.com/go/download-software-manager-en)
The VMware product interoperability matrix has been consulted so you know which version is compatible with your environment
The following sections will explain how to check that your infrastructure supports the version of NSX you are implementing and how to obtain the download media.
In this section, we will check to make sure the version of NSX we are deploying is compatible with the other VMware solutions in our environment.
Navigate your web browser to the VMware product interoperability matrix webpage (http://www.vmware.com/go/interop)
Select your vSphere solution as the first solution
Add VMware NSX for vSphere as your second solution
Add any other solutions that are specific to your environment
Ensure all solution versions are compatible with one another before proceeding to download the NSX installation media
The following screenshot shows the official VMware product interoperability matrices that should be referenced before downloading NSX for vSphere:
In this section, we will download the installation media from the VMware downloads website as follows:
From your web browser, navigate to the VMware downloads website (https://my.vmware.com/web/vmware/downloads).
Scroll down to the Networking & Security menu item and click on Download Product
Click on Go to Downloads against your licensed tier for VMware NSX for vSphere 6.3.1, or whichever version is compatible with your environment
Click on Download Now
In this section, we will download the VMware NSX installation media using the VMware Software Manager, in contrast to a manual download via the downloads website:
Open the VMware Download Service application:
Click on the VMware vSphere software suite
Select VMware vSphere 6.5
Select the licensing tier of your vSphere environment
On the VMware NSX for vSphere menu pane, select the download button:
To make sure that your vSphere and NSX versions are supported by VMware, check the VMware life cycle product matrix (http://www.vmware.com/go/lifecycle). This matrix also lists products that are no longer supported.
Deploying the NSX Manager virtual appliance is the first step to enabling network virtualization in your vSphere environment. In this recipe, you will go through the steps to enable your environment for NSX.
The following diagram depicts the logical process of enabling your environment for network virtualization, and the first four steps will be covered in this chapter:
Before deploying NSX Manager, the following prerequisites need to be satisfied:
A static IP address and portgroup for NSX Manager
Firewall ports open between NSX Manager, the vCenter server, and the ESXi VMkernel 0 interface on each host (refer to the Appendix for a complete list of ports)
Forward and reverse DNS entries for NSX Manager
An NTP server is accessible; a minimum of four is recommended for accurate time
A shared datastore for the appliance to be deployed onto
The minimum requirements for NSX Manager are satisfied
Fill in the following table before deployment (replacing the prefilled data to reflect your environment):
Component | Value
NSX appliance name | nsxmgr-01a
NSX Manager hostname | nsxmgr-01a
vSphere cluster | RegionA01
Datastore | vsanDatastore
vSphere network (Portgroup) | VM Network
IPv4 address | 192.168.1.111
Subnet mask | 255.255.255.0
Default gateway | 192.168.1.254
Domain name | corp.local
DNS server(s) | 192.168.1.100
NTP server(s) | 192.168.1.100 (use four in production)
Enable SSH | yes
CLI password | VMware1!
CLI privilege password | VMware1!
The following steps will detail how to deploy the NSX Manager appliance:
Log into the vSphere Web Client
Select Hosts and Clusters, right-click on the target cluster and select Deploy OVF Template
Select Local File and locate the NSX Manager OVA downloaded earlier; click on Next
Type in the Name of the virtual appliance and click on Next
Select the vSphere cluster and resource where you want to deploy NSX Manager and select Next
Review the details, Accept the license agreements and click on Next
Select the shared datastore onto which you want the virtual appliance to be deployed
Select the VLAN-backed portgroup as defined earlier and click on Next
Fill in the template details as listed in the preceding table and click on Next
Ensure all details are correct and click on Finish:
When you first deploy the NSX Manager, it creates a self-signed certificate. Using a self-signed certificate is generally not a recommended security practice. It is recommended to deploy a signed certificate from your internal certificate authority. NSX Manager supports two ways of deploying a signed certificate, which are as follows:
Certificate signing request to a Certificate Authority (CA)
Importing a PKCS#12 certificate archive (bundle) onto the NSX Manager, which includes the private and public key for NSX Manager and the certificate chain of any subordinate CAs in your environment
In the following recipes, we will explore how you can create a certificate signing request on NSX Manager and how to import a PKCS#12 certificate bundle onto the NSX Manager.
A Certificate Signing Request (CSR) is the first part of a three-step process; this process involves the following steps:
The NSX Manager creates a CSR
The CSR is sent as a request to the certificate authority, which then signs the certificate and sends back a signed certificate
The signed certificate is imported into the NSX Manager
The procedure to complete a certificate signing request is as follows:
Log into NSX Manager via your web browser
Click on Manage Appliance Settings
Click on SSL Certificates
Click on Generate CSR and follow the prompts as per the following screenshot:
Click on OK and select Download CSR
Send the CSR file to your security administrator and get the certificate signed
With the returned certificate, click on Import so you can import the correct certificate into the NSX Manager
Reboot the NSX Manager to complete the process of importing a signed certificate into the NSX Manager
Importing a PKCS#12 archive into the NSX Manager is used when the certificate signing was not completed using the CSR method outlined in the previous recipe. The PKCS#12 format is typically used in scripted installations of NSX Manager and other components. If the CSR was not generated by the NSX Manager itself, the PKCS#12 archive must be imported into NSX Manager, because the private key belonging to the certificate does not yet exist on the appliance.
The PKCS#12 archive generally consists of the following:
A signed server certificate
A private key for the signed certificate
Root and intermediate certificate authority public keys
The PKCS#12 is also password-protected, so it's important to have the password before attempting to import the PKCS#12 archive into NSX Manager.
In some cases, the received signed certificate may not be in the PKCS#12 format. In this event, you must convert the certificates into the PKCS#12 format for import into the NSX Manager. This can be achieved using OpenSSL (https://www.openssl.org/), and the command to achieve this is as follows (server.key is the private key, server.crt the signed server certificate, and CACert.crt the CA chain):
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CACert.crt
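The script below is an added example and not from the book. It wraps the conversion above and adds the checks worth running before the upload-and-reboot cycle: that the private key matches the certificate, that the certificate chains to the CA file, that the archive opens with its export password and carries the whole chain, and the SHA-256 fingerprint you will later compare against the Trust Certificate dialog. The throwaway CA, the subject nsxmgr-01a.corp.local, the file names and the export password are all constructed so that it runs stand-alone; in practice server.key, server.crt and CACert.crt come from your internal CA.

```shell
#!/bin/sh
# Added example (not from the book): build and sanity-check a PKCS#12 bundle
# for NSX Manager before uploading it. All names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Constructed CA and server certificate so the example runs stand-alone.
# In practice server.key/server.crt/CACert.crt are issued by your own CA.
make_constructed_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout ca.key -out CACert.crt \
        -subj "/CN=Constructed Internal CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr \
        -subj "/CN=nsxmgr-01a.corp.local" >/dev/null 2>&1
    openssl x509 -req -days 1 -in server.csr \
        -CA CACert.crt -CAkey ca.key -CAcreateserial \
        -out server.crt >/dev/null 2>&1
}

# The conversion the book shows, with an explicit export password ($1).
build_bundle() {
    openssl pkcs12 -export -out server.p12 \
        -inkey server.key -in server.crt -certfile CACert.crt \
        -passout pass:"$1"
}

# Compare the DER public key derived from the private key with the one in
# the certificate; a mismatch here is rejected by NSX Manager on import.
key_matches_cert() {
    [ "$(openssl pkey -in server.key -pubout -outform DER | openssl sha256)" = \
      "$(openssl x509 -in server.crt -pubkey -noout \
           | openssl pkey -pubin -pubout -outform DER | openssl sha256)" ]
}

# The server certificate must validate against the CA file being bundled.
cert_chains_to_ca() {
    openssl verify -CAfile CACert.crt server.crt >/dev/null 2>&1
}

# -nokeys lists certificates only; exits non-zero on a wrong password.
bundle_opens_with_password() {
    openssl pkcs12 -in server.p12 -nokeys -passin pass:"$1" >/dev/null 2>&1
}

# Number of certificates inside the archive (server + CA chain).
bundle_cert_count() {
    openssl pkcs12 -in server.p12 -nokeys -passin pass:"$1" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# SHA-256 fingerprint to compare against the Trust Certificate dialog.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

make_constructed_material
build_bundle 'Constructed-Export-Password'
key_matches_cert && echo "private key matches server.crt"
cert_chains_to_ca && echo "server.crt chains to CACert.crt"
bundle_opens_with_password 'Constructed-Export-Password' && echo "bundle password OK"
echo "bundle holds $(bundle_cert_count 'Constructed-Export-Password') certificate(s)"
echo "server.crt SHA-256 fingerprint: $(cert_fingerprint server.crt)"
```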
The procedure to import the PKCS#12 archive is as follows:
Log into the NSX Manager via your web browser
Click on Manage Appliance Settings
Click on SSL Certificates
Click on Upload PKCS#12 Keystore and browse to the file
Enter the password for the archive and click on Import
Reboot the NSX Manager to complete the process of importing the signed certificate
Once the NSX Manager appliance has been deployed and is accessible via https://nsxmgr-01a.corp.local, the next step is to register the NSX Manager as a solution against your vCenter deployment. NSX Manager and a vCenter server have a 1:1 relationship, and it's important to ensure that no other NSX Manager has previously been registered.
The following are things you need to consider before pairing the NSX Manager with the vCenter server:
Solution interoperability has been verified
The vCenter server and vSphere environment are in a healthy state
The Platform Services Controller (PSC) Fully Qualified Domain Name (FQDN) can be resolved
The vCenter server FQDN can be resolved
vCenter and PSC time settings are verified
A service account with the administrator role in vCenter has been created for the NSX Manager to use for registration; for further information refer to Chapter 9, Managing User Accounts in VMware NSX
TCP port 443 connectivity is required from the NSX Manager to the Platform Services Controller and the vCenter server
The following section describes the steps to integrate NSX Manager with the vCenter server and the platform services controller, which are the first steps in enabling your environment for NSX.
The following are the steps to pair the NSX Manager with the vCenter server:
Log into the NSX Manager web administration page: https://nsxmgr-01a.corp.local
Navigate to Manage | NSX Management Services, and on the Lookup Service URL click on Edit
Type the Lookup Server Host as the PSC FQDN, or the vCenter Server FQDN if using an embedded PSC
For SSO Administrator User Name, use the service account credentials defined earlier
Click on OK to complete
When presented with the Trust Certificate dialog box, verify the SSL certificate thumbprint and click on Yes:
In this section, we will register the NSX Manager with the Platform Services Controller for Single Sign-On services:
Navigate back to the NSX Management Services web page on the NSX Manager web administration page: https://nsxmgr-01a.corp.local
On the vCenter Server menu, click on Edit:
Type the vCenter Server FQDN
Type the service account credentials for the vCenter service account and click on OK:
When presented with the Trust Certificate dialog box, verify the SSL certificate thumbprint and click on Yes
The NSX Manager registers the com.vmware extension. This extension is installed on the vSphere web server as a plugin. When the plugin is installed onto the vSphere web server, any users that were logged in during integration will need to log out of the vSphere Web Client before they can start to consume the Networking & Security interface.
In the event that registration with the Platform Services Controller fails, check the following common issues first:
NTP Synchronization (time) for NSX Manager, platform services controller, and vCenter server is correct and aligned
DNS resolution for all components
Firewall ports are open if the NSX Manager and the PSC/vCenter server are separated in different security zones
As described in the Choosing the right VMware NSX for vSphere edition recipe, this section will describe the process of applying the license you have procured to utilize the features of NSX.
Things to verify before applying the NSX for vSphere license:
Correct license procured for installation of NSX
NSX has been integrated as a solution with your vSphere deployment
Perform the following steps to apply the NSX license to your installation:
Log into the vSphere Web Client and click on Administration
Click on Licenses under the Licensing section on the sidebar
Select the Licenses tab and click on the plus sign:
Enter your license key and click on Next
Create a descriptive name for your license and click on Finish
Next, select the Solutions tab and select the NSX installation:
Navigate to Actions | Assign License
Select the license you added earlier and click on OK
The NSX Controller cluster is an integral part of any NSX for vSphere deployment; the NSX Controller cluster is responsible for:
Managing the vSphere hypervisor routing and switching modules
Managing the ARP table, MAC table, and VXLAN Network Identifier (VNI) information of the entire NSX for vSphere deployment
Distributed Logical Router: interfaces, Layer 2 bridging tables, and routes
The following are things to consider before deploying the NSX controller cluster:
The controller cluster must be deployed with exactly three controller nodes.
Each controller node should reside on a separate ESXi host; DRS anti-affinity rules should be used to enforce this rule. It is generally recommended to deploy controllers on a vSphere cluster with a minimum of four ESXi hosts.
Sufficient resources (vCPU, memory, and storage) on the vSphere cluster.
NSX controller nodes should be deployed onto shared storage that is highly available.
Each NSX controller requires an IPv4 address; these addresses are allocated via the NSX IP pool construct.
NSX controllers require connectivity to NSX Manager and vSphere management VMKernel IP addresses.
NSX controller should reside on a VLAN-backed PortGroup.
The NSX Controller IP Pool requires the following details prior to configuration. You can change the values to suit your environment:
Component | Value
Name | IP-Pool-NSX-Controllers
Gateway | 192.168.1.254
Prefix Length | 24
Primary DNS | 192.168.1.110
Secondary DNS |
DNS Suffix | corp.local
Static IP Pool |
