rutgerblom.com

NSX-T Recoverability – Part 1

September 15, 2019
Like everything else in life, stuff can break in your NSX-T environment too. When that happens it’s important to understand how to get things back on track again.

In the following blog articles I’m going through a couple of NSX-T failure scenarios and look at how to recover from them. As usual I’m doing this mainly to learn something myself. By writing about it in a blog article others might learn something as well.

Quick note

Before starting I just want to state the obvious: If you ever experience an issue in your NSX-T production environment, the first and only thing you should do is open a VMware support request. Highly skilled experts who are dealing with all kind of NSX-T issues on a daily basis will help you in the best possible way with your specific issue.

Management plane failure & recovery

As you might know the NSX architecture consists of three main components: The management plane, the control plane, and the data plane. As of NSX-T version 2.4 the management plane and the control plane are living in the same virtual appliance, but from a functional point of view they are still as decoupled as before.

One of the advantages with this architecture is that failure of one plane will not (immediately) affect the functioning of another. For example, a management plane failure won’t cause immediate issues at the data plane.

Of course, NSX-T without a properly functioning management plane gets pretty annoying after a while and restoring it to normal operations will probably be a high priority in most environments. Let’s have a closer look at that.

The lab environment

The following is a very simple and high level overview of my lab environment:

This is by no means a VMware validated or supported design. Just my lab environment.

A compute cluster with two ESXi transport nodes on the left, an edge cluster with two edge VMs on the right, and a management cluster containing vCenter and the collapsed NSX-T management/controller cluster in the middle. Today our focus is the management cluster.

Current state of the management plane

The NSX-T management cluster is currently in a healthy and stable state. We see three manager nodes connected and synced. Life is good.

Backup is configured and seems to be working fine too:

In other words, we’re ready for some mayhem!

One manager/controller node down

One of the management/controller nodes is gone. Somebody accidentally deleted the virtual appliance. It happens (in my lab).

The “get cluster status” NSX manager CLI command output clearly shows that the group status is degraded and that one of the nodes is down:

Even though the management cluster is now running in a degraded state, the majority of the cluster is still up and running (we have quorum) and NSX-T management operations aren’t affected at this point.

It’s not an optimal situation and we do want to return to a stable three node management cluster as soon as possible.

One manager/controller node down recovery

To recover from a one node failure we simply need to deploy a new manager/controller appliance that will replace the missing one.

We’ll first remove the orphaned node from the management cluster using the “detach node <node-id>” NSX manager CLI command:

The management cluster now returns to a stable state:

This is just a cosmetic improvement of course. We still need to deploy a new manager/controller appliance and join it to the cluster to get back to a production-grade management cluster.

Joining the new appliance to the cluster with the “join” command:

And after 10 minutes or so we once again have a stable three node management cluster. Easy!

Two manager/controller nodes down

Is a two nodes down scenario all that different from the previous one? The answer is yes.

With two nodes missing, the cluster loses quorum and can’t operate as a cluster anymore. The management plane goes into read-only mode. It’s not a disaster, but not a good situation either.

You’ll notice things like not being able to connect to the cluster’s VIP anymore and when logging in to the surviving node’s UI directly you are greeted with something like this:

We need to fix this, but how?

Two manager/controller nodes down recovery

We first need to deactivate the cluster. We do this by running the “deactivate cluster” manager CLI command on the surviving node:

This leaves us with a single, but operational manager/controller node. We should now be able to login to the manager UI on the VIP address again.

Checking under System > Overview we see a single operational node:

From here we can just deploy two new manager/controller nodes, join them with the surviving node to form a cluster, and get back to this:

Three manager/controller nodes down

Now we lost all three of the manager/controller nodes. We are running NSX-T without a management plane (and central control plane for that matter). Don’t panic! Packets are still flowing as the the data plane is not affected by the management plane outage remember?

But of course, it’s now just a matter of time before things will get really problematic. We need to do something.

Three manager/controller nodes down recovery

Without any surviving nodes the only option we have is to perform a restore from an NSX-T backup.

The first step here is to deploy a new manager/controller appliance. Once deployed we need to configure and perform a restore.

Navigate to System > Backup & Restore > Restore. Click on Edit to enter the details of your SFTP server containing the NSX-T backups:

After clicking on Save you should be presented with a list of the available backups:

Pick the backup you want to restore from and click Restore. Read the warning message. It tells you what to expect during the restore process:

Pretty soon after starting the restore you are disconnected from the UI. After 10 minutes or so we should be able to log in again. When navigating to System > Backup & Restore > Restore, the following message is displayed:

Okay, this makes sense. We’ll deploy two more appliances, form a cluster, and then resume the restore process. Once we’ve done that we should see the following confirmation under System > Backup & Restore > Restore:

Don’t mind the timestamps in the screenshot above. That was just me taking a break 😉 The whole recovery process, deployment of manager nodes included, actually took less than an hour. Not too bad.

Summary

Recoverability of the NSX-T management plane is rather good I would say. We went through a couple of failure/recovery scenarios:
- Loss of one manager/controller node:
  1. clean up orphaned node
  2. deploy new node
- Loss of two manager/controller nodes:
  1. deactivate cluster
  2. deploy two new nodes
- Loss of three manager/controller nodes:
  1. deploy new node
  2. restore from NSX-T backup
  3. deploy two more nodes
  4. finish restore operation
In my very simple lab environment it was never any problem to get the management plane back up and running again. Thanks to NSX’s architecture the actual networking (data plane functions) was not affected at any point during the management plane outages.

In theory size and complexity of an NSX-T environment shouldn’t matter much for management plane recovery procedures. As I said before, open a VMware support case if anything ever breaks in your NSX-T environment. It’s the smartest thing to do.
VMware Advanced Design NSX-T Data Center 2.4 Exam Review

September 1, 2019
On August 30th 2019 I passed the brand new VMware Advanced Design NSX-T Data Center 2.4 exam.

Let me tell you a little more about this exam and how I prepared for it.

About the exam

As far as I know 3V0-41.19 is the first ever design exam within the network virtualization certification track. A deploy exam based on NSX for vSphere has been around for a while (which I reviewed a while back). As the name implies the design exam is based entirely on NSX-T 2.4.

Let’s look at a couple of things from the all important exam guide:
- 50 questions
- 105 minutes (plus additional time for non-native English speakers)
- Passing score 300
So on average you have a couple of minutes for each question.
In my experience most of the questions took less than a minute to answer so that left me with some more time for the trickier ones.
- 1 year of experience designing NSX-T Data Center solutions
- 2 or more years designing physical and virtual data centers/networks
The above aren’t strict requirements of course. I can imagine that candidates having this experience will have an easier time preparing for the exam and are also more likely to pass it.
Experience with (VMware) design and the fact that I had worked extensively with NSX-T for the last 8 months certainly helped me.

Preparing for the exam

How do you prepare for an exam like this? The following are my personal recommendations partly based on my own experience.

Know your NSX-T [V2.4]

You might think this exam is all about high-level architecture and designs, but you would be wrong.

You will need a very good technical understanding of the NSX-T solutions. Preferably your are on VCP-NV 2019 (NSX-T 2.4) level before going for this exam. Read the previous post to learn a little more about what it takes to get to that level.

Know your NSX-T design [V2.4]

Naturally. You should also have good knowledge about the different NSX-T designs and design decisions within areas like:
- Physical infrastructure design
- Compute host cluster design
- Edge design
- Logical networking design
The Architecture and Design for VMware NSX-T Workload Domains document (part of VMware Validated Design 5.1) is a really good read and covers a lot of the designs and design decisions.

Then there is another piece of documentation that I recommend you study: The VMware NSX-T Reference Design Guide. Outdated as it is (based on NSX-T 2.0) it still is a great resource if you want to learn about NSX-T design.

Identify requirements, risks, constraints, and assumptions

You might have seen these before. As a VMware architect working on a design, you are expected to be able to categorize the information collected during interviews and workshops with project stakeholders as either being a requirement, a risk, a constraint, or an assumption.

It’s not all that hard really, but you really need to understand this. When I was studying this for the VCAP-DCV Design exam I found this site to have a pretty good explanation of it all.

Attend the VMware NSX-T Data Center: Design [V2.4] course

This is the recommended course as preparation for the exam. Full disclosure, I did not attend this course (yet) so I can’t say much about it, but it’s supposed to be really good.

Watch the VMworld sessions about NSX-T design

Every year William Lam puts together a nice list with links to all the recorded VMworld sessions. As a matter of fact he just did this for the VMworld 2019 US recordings.

At a minimum you should watch the following sessions:
- CNET1072BU – NSX-T Design for Small to Mid-Sized Data Centers
- CNET1334BU – NSX-T Design for Multi-Site Networking and Disaster Recovery
There are many other recorded sessions on NSX-T that you might want to check out as well.

Summary

I really enjoyed this exam. The scenarios in the questions were realistic and easy to relate to. Some of the questions were challenging while others were pretty easy.

I felt pretty well prepared ahead of the exam. And it turned out well for me so there’s really no reason it shouldn’t for you.

Good luck!
VMware Professional NSX-T Data Center 2.4 Exam Review

August 31, 2019
I recently passed the Professional NSX-T Data Center 2.4 (2V0-41.19) exam and in this short post I would like to share my experience with the exam and some recommendations for preparing for the exam.

About the exam

As with all VMware exams there is an excellent exam guide available. That guide should be the first thing you study. It contains all the information you need to plan your preparation.

Some things from the current exam guide (it’s subject to change):
- 70 questions
- 100 minutes (plus additional time for non-native English speakers)
- Passing score 300
70 questions to be answered within 100 minutes. With good preparation this is fair. Time was not an issue for me during this exam. I did receive extra time being a non-native English speaker, but 100 minutes would’ve been enough.
- 6 months experience installing, configuring, managing, and troubleshooting NSX-T 2.4 solutions
- 6 months hands-on experience with Linux and KVM
- 1 year of experience working in IT and with VMware vSphere and its command line
This candidate profile looks reasonable to me. I recommend that you have a good look at NSX-T on Linux and KVM. VMware is serious about running NSX-T on these platforms.

Preparing for the exam

Everyone has their own preferred way of preparing for an exam. Also, different exams require different ways of preparing. The following is what helped me pass 2V0-41.19.

Working with NSX-T

I was lucky enough to be part of several PSO engagements that involved NSX-T. Actually, my last project was a complete NSX-T implementation where I participated from the design phase all the way to the day 2 operations.

Thanks to this kind of real-life exposure to NSX-T I developed a pretty solid understanding of the product and its components which in turn was very beneficial in preparing for an exam like this.

Studying the NSX-T 2.4 documentation

Over and over again. Which I was kind of forced to do for my work anyway.

The official NSX-T documentation contained much (but not all) of the theory I needed to master. I knew it more or less by heart ahead of the exam.

Playing with NSX-T

This exam tests once’s theoretical knowledge on pretty much all of the solutions within NSX-T. For me building, breaking and trying out things in an NSX-T lab environment was a great way to learn the product.

So if you have the possibility to install an NSX-T lab environment I strongly recommend you do that.

If setting up your own NSX-T lab is not an option you can always have a look at one of the VMware NSX-T hands-on labs. Especially HOL-1926-01-NET is a good one to play around with.

Attending the VMware NSX-T Data Center: Install, Configure, Manage [v2.4] course

This course is the recommended course for the exam. It’s also one of the four courses you can choose from in case you want to become certified (VCP-NV 2019) on passing this exam.

This course is one of the better VMware courses I’ve attended. I also want to give a lot of credit to teacher Adrian Vizoso. A subject matter expert with the ability to explain relatively complex matter in an easy to understand way.

The course goes through a lot of theory, but also contains plenty of labs. So you will gain hands on experience with the different NSX-T solutions.

Perhaps I wasn’t exactly new to NSX-T at the time I attended this course, but about half of the attendees were. By the end of the course they had developed a good basic understanding of the platform and definitely felt better prepared for the exam.

Summary

The Professional NSX-T Data Center 2.4 exam is by no means an easy exam. Even though I felt well prepared it was actually a bit harder than I expected.

That being said, with good preparation and hands-on experience you should be able to pass this exam without too much trouble.

I wish you good luck with the studies and the exam itself!

NSX-T Data Path Visibility – Part 3

July 19, 2019

Hi and welcome back. We’re looking into the NSX-T data path and investigating different points at which we can capture network traffic.

You may remember from part one that virtual machine “app01” (172.16.2.50) is trying to ping another virtual machine called “web01” (172.16.1.53), but it’s receiving “request timeout”. We’re trying to find out where in the data path we’re having an issue.

So far we have seen the ICMP packets at the following points:

We captured traffic pre (1) and post (2) distributed firewall. Next, we ran captures before (3) and after (4) traffic got routed by the distributed logical router. In part two we first observed the ICMP packets going through the N-VDS uplink (5) and then again at the vmnic (6). Here we had to dig a bit deeper as the packets got Geneve encapsulated.

Reference points

In this final part of the series we look at the remainder of the data path for the ICMP packets. More precisely we will cover these points today:

Reference point 1 – vmnic

After the encapsulated packets traveled the overlay transport VLAN, they arrive at the destination ESXi host’s physical NIC. What do we see at this point? Let’s see:

nsxcli -c start capture interface vmnic2 direction input file vmnic2_in.pcap

Opening the pcap file in Wireshark reveals the following:

So, this confirms that the ICMP packets survived their journey over the physical network and have indeed arrived at ESXi02’s physical NIC.

Reference point 2 – Post N-VDS Uplink

At this point the ICMP packets should have been decapsulated by the receiving TEP. To see the packets right after decapsulation, we need to use the pktcap-uw command which supports the “stage” parameter when capturing traffic at the uplink level. This is something nsxcli does not support yet.

As pktcap-uw doesn’t interpret packet contents, we will capture traffic to a pcap file:

pktcap-uw --uplink vmnic2 --dir 0 --stage post --srcip 172.16.2.50 -o /tmp/post_uplink.pcap

To read the contents of the pcap file we can use Wireshark, but in this case we’ll do a quick read using the tcpdump-uw command:

tcpdump-uw -r /tmp/post_uplink.pcap

And there we see the ICMP packets right after being decapsulated.

Reference point 3 – Pre DVfilter

After decapsulation the packets are heading towards the destination virtual machine (web01). Remember they were already routed to the destination NSX-T segment on the source ESXi host. Distributed routing FTW!

Before the packets get access to web01’s guest OS, they once again need to go through a distributed firewall filter. This time the one that is applied to web01’s vNIC slot 2.

First we need to get hold of the filter’s name:

summarize-dvfilter | less -p web01

Next we capture traffic pre this filter:

nsxcli -c start capture dvfilter nic-2780521-eth0-vmware-sfw.2 stage pre expression srcip 172.16.2.50

And we’re seeing the ICMP packets!

Reference point 2 – Post DVfilter

Now let’s see if we can see the packets after it being processed by the distributed firewall rules:

nsxcli -c start capture dvfilter nic-2780521-eth0-vmware-sfw.2 stage post expression srcip 172.16.2.50

Nothing coming through! Some DFW rule must still be dropping the ICMP packets.

Let’s have a look in NSX Manager:

Another DFW rule dropping ICMP traffic destined for web01! How could we have missed that! 😉

After changing the rule’s action to “allow” the capture immediately starts showing output:

And the app01 virtual machine starts receiving its replies:

What we should’ve done instead

The whole ICMP timeout issue was kind of hypothetical of course. If we ever need to troubleshoot VM-to-VM communication in NSX-T the first tool that comes to mind is Traceflow in NSX Manager. Using Traceflow the ICMP issue in our scenario would have been solved in a second. Let’s have a look.

In NSX Manager navigate to Advanced Network & Security > Tools > Traceflow:

We pick the source (app01) and destination (web01) virtual machine we click “Trace“:

In a matter of seconds the trace result shows us exactly where in the data path we’re having an issue.

Summary

It’s been quite a journey. Let’s summarize:

We looked at 10 points in the NSX-T data path. At each of these points we captured traffic. The following table is an overview of the command used at each point:

Point	Capture Command
1	nsxcli -c start capture dvfilter nic-2103285-eth0-vmware-sfw.2 stage pre expression dstip 172.16.1.53
2	nsxcli -c start capture dvfilter nic-2103285-eth0-vmware-sfw.2 stage post expression dstip 172.16.1.53
3	nsxcli -c start capture interface vdrPort direction output expression dstip 172.16.1.53
4	nsxcli -c start capture interface vdrPort direction input expression dstip 172.16.1.53
5	nsxcli -c start capture interface uplink1 direction output expression dstip 172.16.1.53
6	nsxcli -c start capture interface vmnic2 direction output file vmnic2_out.pcap
7	nsxcli -c start capture interface vmnic2 direction input file vmnic2_in.pcap
8	pktcap-uw –uplink vmnic2 –dir 0 –stage post –srcip 172.16.2.50 -o /tmp/post_uplink.pcap
9	nsxcli -c start capture dvfilter nic-2780521-eth0-vmware-sfw.2 stage pre expression srcip 172.16.2.50
10	nsxcli -c start capture dvfilter nic-2780521-eth0-vmware-sfw.2 stage post expression srcip 172.16.2.50

There are other tools available to gain visibility into the NSX-T data path. We talked briefly about the Traceflow tool in NSX Manager. The Port Mirror module in NSX Manager is another very powerful tool. And then of course we have VMware’s flagship product for analyzing, optimizing and troubleshooting network traffic vRealize Network insight.

I still believe it’s important to also have a good understanding of the NSX-T data path on the level we discussed in these articles. It makes troubleshooting and working with higher level tools easier.

NSX-T Data Path Visibility – Part 2

July 14, 2019
Welcome back! We’re looking at how to gain visibility at different points in the NSX-T data path.

You may remember from part one that virtual machine “app01” (172.16.2.50) is trying to ping another virtual machine called “web01” (172.16.1.53), but it’s receiving “request timeout”. We’re trying to find out where in the data path we’re having an issue.

So far we captured packets at several points in the NSX-T data path:

We looked at traffic pre (1) and post (2) distributed firewall. Here we actually found a small issue with a missing DFW rule. Then we ran captures before (3) and after (4) traffic got routed by the distributed logical router.

Reference points

The NSX-T control plane provided information about the location of the destination IP address. Traffic is now heading towards the physical network.

The points we’ll have a closer look at today are the N-VDS uplink and the vmnic as shown in the diagram below:

Reference point 1 – N-VDS Uplink

To see the relevant traffic at the N-VDS uplink, we run the following command:
```
nsxcli -c start capture interface uplink1 direction output expression dstip 172.16.1.53
```
As you can see the ICMP echo requests are arriving at the uplink. No issues here it seems so we’ll move on to the next point.

Reference point 2 – vmnic

So this should be easy. We’re starting a new capture by running:
```
nsxcli -c start capture interface vmnic2 direction output expression dstip 172.16.1.53
```
Nothing? No output? Traffic seems to have vanished between the N-VDS uplinks and the physical NICs.

Let’s see if there’s traffic on vmnic2 at all:
```
nsxcli -c start capture interface vmnic2 direction output
```
There’s plenty of traffic. So where are the ICMP packets?

Welcome to Geneve

As in Generic Network Virtualization Encapsulation that is. The protocol providing network overlay capability in NSX-T.

The Geneve protocol’s job is to set up a tunnelling mechanism between NSX-T transport nodes. Each transport node has one or more tunnel endpoints (TEPs) that encapsulate and decapsulate layer 2 frames that are originating from or destined to NSX-T logical networks.

This encapsulation/decapsulation process is running close to the physical NICs. Some server grade NICs even have capabilities to offload the TEPs.
See the VMware Compatibility Guide for supported NICs that offer Geneve offload capabilities:

So that’s all great and cool, but now the ICMP packets went down a Geneve tunnel and we lost visibility!

Nope.

Wireshark to the rescue

The good thing with Geneve is that it’s open to third party tools, like Wireshark, that can decode the encapsulated packets. Let’s have a look at that.

First we need to capture vmnic2’s outbound traffic once more, but this time we’re saving the output to a pcap formatted file:
```
nsxcli -c start capture interface vmnic2 direction output file vmnic2_out.pcap
```
After 30 seconds or so we terminate the capture. The pcap file can be found under /tmp on the ESXi host. Using a tool like WinSCP (Windows) or Cyberduck (MacOS) or just native scp (Linux/MacOS) we can easily copy the file to a machine with Wireshark installed.

Let’s open this file in Wireshark and have a look:

Yes, a bunch of packets, but we want to find the ICMP packets. Could it be as easy as typing “ip.dst == 172.16.1.53” as the display filter?

Yes, it is that easy! Wireshark decoded the Geneve packets and we can query on the attributes of the encapsulated packets.

A closer look at the one of these captured frames:

Wireshark makes it quite easy to understand the Geneve frame’s structure. Below the Geneve header we have the entire encapsulated ICMP packet originating from the NSX-T logical network (segment “App”). Pretty nice!

We could also use the tcpdump-uw command on the ESXi host to look at the contents of a pcap file, but I prefer to use Wireshark with its excellent Geneve decoder for a more user friendly experience.

Conclusion

For a moment I thought we had lost visibility into the NSX-T data path. It turned out that the ICMP packets were being encapsulated. The encapsulation does mean some additional steps for detailed visibility, but all in all it’s a pretty quick process.

In the next part we’ll continue the journey down the NSX-T data path as traffic arrives at the destination ESXi host. Hopefully I’ll find out why the virtual machine isn’t receiving ICMP replies in the process.
NSX-T Data Path Visibility – Part 1

July 6, 2019
Having good insight into the different components of a network communication path is key when managing networks. This goes for physical networks and for software defined networks.

Today I’m having a closer look at the NSX-T data path and more specifically how to capture network traffic at different reference points in the NSX-T data path.

The environment

A semi logical overview of my lab environment:

A simple setup. Two ESXi hosts participating in logical NSX-T networking. Two segments each with a virtual machine connected. The two segments are linked to the same distributed logical router which is a Tier-1 gateway in my environment.

The reference points

The beauty of the NSX-T data path is that you can tap into it from many different points. Thanks to this this it’s quite easy to get a holistic picture of a traffic flow. This is invaluable in about any network troubleshooting scenario.

Below a simplified diagram of the reference points in the part of the NSX-T data path that we’ll have a closer look at in this article:

This might look a bit intimidating at first, but it is not too bad actually. All these reference points can be looked into from one and the same ESXi host and by using the same command. Let’s have a look.

Reference point 1 – Pre DVfilter

Perhaps we want to capture a virtual machine’s network traffic before it’s being processed by NSX distributed firewall rules.

For this we first need to find the name of the filter in vNic slot 2. It’s at slot 2 the applied NSX DFW rules are living.

On the ESXi host where the virtual machine of interest is running, type the following command:
```
summarize-dvfilter | less -p virtual_machine_name 
```
For example:
```
summarize-dvfilter | less -p app01
```
Now that I know the filter name (nic-2103285-eth0-vmware-sfw.2) I can start capturing packets before they enter the filter.

For example:
```
nsxcli -c start capture dvfilter nic-2103285-eth0-vmware-sfw.2 stage pre expression dstip 172.16.1.53
```
Here the “stage pre” parameter instructs the “nsxcli start capture” command to capture packets before they enter the filter. The output of the command looks like this in my case:

The output shows that virtual machine app01 (172.16.2.50) is trying to ping virtual machine web01 (172.16.1.53) . I’m only seeing echo requests though and no echo replies. Something is not working. Time to look on the other side of the filter!

Reference point 2 – Post DVfilter

So, I run the same command but change “stage pre” to “stage post” to capture packets after they’ve gone through the filter:
```
nsxcli -c start capture dvfilter nic-2103285-eth0-vmware-sfw.2 stage post expression dstip 172.16.1.53
```
After waiting 20 seconds or so I still don’t see any echo requests coming through. In other words the filter in slot 2 (DFW) is dropping the ICMP echo requests. No wonder that I don’t see any echo replies!

I quickly create a DFW rule that allows outbound ICMP to 172.16.1.53. All good now, right?

Wrong! It wasn’t that easy. It seldom is.

Alright, but let’s look at traffic after the filter once more:
```
nsxcli -c start capture dvfilter nic-2103285-eth0-vmware-sfw.2 stage post expression dstip 172.16.1.53
```
This time the echo requests are coming through at least. But no, still no echo replies. The problem must be further down the data path.

Reference point 3 – vdrPort output

The next component down the NSX-T data path that we can tap into is the vdrPort. The vdrPort is the component that funnels traffic to and from the distributed logical router on an ESXi host:

So let’s continue to investigate the “mystery” with my ICMP traffic. To capture traffic as it enters the the vdrPort I run the following command:
```
nsxcli -c start capture interface vdrPort direction output expression dstip 172.16.1.53
```
The “direction output” parameter might seem a bit counter intuitive here, but understand that the flow direction is with regard to the underlying N-VDS and not the T1 downlink interface (LIF). A quick diagram hopefully explains it:

The capture ouput clearly shows that the ICMP packets arrive at the vdrPort so that seems fine:

Reference point 4 – vdrPort input

How about after the DLR kernel module has spent some quality time with the packets?

It’s as simple as changing “output” to “input” in the nsxcli command:
```
nsxcli -c start capture interface vdrPort direction input expression dstip 172.16.1.53
```
The ICMP packets got routed to the Segment Web. If you look closely you’ll note that the source MAC address has changed. So everything is working as expected here.

Summary

In this part we captured traffic at four different reference points on the NSX-T data path. We followed virtual machine traffic from when it just left the guest OS all the way to where it got routed by the Tier-1 Gateway onto the next NSX-T segment.

In the next part we will continue our journey on the NSX-T data path as the packets hit the physical network. Stay tuned!
NSX DFW Quick Tip: Tag and Trace

June 20, 2019

Anybody working with NSX micro-segmentation knows the importance of monitoring application traffic and the associated distributed firewall rules.

Today I just want to share a simple and quick way to increase visibility in the NSX distributed firewall logs.

For this short article I’m using NSX-T 2.4.1 and vRealize Log Insight 4.8. vRealize Log Insight has been configured as the syslog target within NSX-T and on the ESXi hosts.

Step 1 – Enable DFW rule logging

It all starts by enabling logging for the distributed firewall rules of interest. This can be done in a number of different ways, but today I’ll stick to the NSX Manager UI.

Select Security > Distributed Firewall and select the firewall rule(s) of interest. Click the three dots in the bar on the top and select Enable > Enable rule logs:

Step 2 – Tag the rule

Click the little gear icon all the way on the right side of the rule:

Now add a tag with a name that makes sense to you. In my example I will add the infra-dns tag to the rule. Click Apply:

Step 3 – Happy tracing!

You’ll have to wait until traffic hits your tagged firewall rule, but once it does, log in to vRealize Log Insight and select the Interactive Analytics tab. Here you type your firewall rule’s tag in the search bar and hit search:

Voilà! Log entries for the firewall rule.

Conclusion

Placing tags on firewall rules makes it just a little easier to find and follow up on log entries for these rule. Yes, we do have the firewall rule ID too, but that’s a number and not very human readable.
Getting Started with the NSX-T API and Postman

June 16, 2019
Wether you like it or not, the API plays a significant role when installing, configuring, and managing an NSX-T environment. Sooner or later you will be facing tasks that either require you to use the API or simply are much faster to complete using the API.

Luckily, with the right tools and some preparation, getting started with API-based management isn’t all that hard.

In this article I will show you how I set up REST API Client Postman for interaction with the NSX-T API.

Step 1 – Download and install Postman

A pretty obvious first step. We need to download and install Postman. Get it from https://www.getpostman.com/.

Step 2 – Create a Postman environment

After we’ve installed Postman, we should create a Postman environment for our NSX-T environment.

An environment in Postman is a place where you create and store variables with their values. These can then be used within API requests. Using environment variables is a real time saver.

To create an environment in Postman choose File > New and select Environment.

Give the environment a name and add the following variables:

Variable Value
baseUrl your-nsx-manager-fqdn
nsx-manager-user your-nsx-manager-user
nsx-manager-password your-nsx-manager-password

In Postman:

Step 3 – Download the NSX-T OpenAPI specifications

Both the Manager API and the Policy API are described in the OpenAPI format. You can download their specifications using a GET request.

The Manager API specification can be fetched at:
```
https://{{baseUrl}}/api/v1/spec/openapi/nsx_api.json
```
The Policy API specification is at:
```
https://{{baseUrl}}/policy/api/v1/spec/openapi/nsx_policy_api.json
```
We immediately make use of the “baseUrl” environment variable. Don’t forget to select the environment (in the top right corner) so that Postman knows where to fetch it’s value.

We also need to authenticate when connecting to the NSX-T API. This is configured under “Authorization“. Select “Basic Auth” from the “Type” list.
Instead of entering the NSX-T credentials in the Username and Password fields, you type a “{” and select the “nsx-manager-user” variable from the list that pops up:

Tick the “Show Password” box and then repeat this “trick”, but now select the “nsx-manager-password” variable instead:

Click the Send button to fetch the OpenAPI specifications.

Step 4 – Import the NSX-T OpenAPI specifications

The specifications are downloaded and available in the body of the GET requests:

Copy the contents of the request body by clicking on the two overlapping squares icon in the right corner and wait until it says “Copied to clipboard“:

Next, click the “Import” button in the upper left corner of the Postman application window and select “Paste Raw Text“. Paste the contents of the request body into the text box and then click the “Import” button:

In the dialog that pops up make sure that you only select “Generate a Postman Collection” and click “Next“:

After a couple of seconds you should see a new collection in Postman. For the Manager API the collection is called “NSX-T Manager API” and for the Policy API the collection is called “NSX-T Data Center Policy API“:

Step 5 – Configure Authorization

We also want all of the API requests in the collections to perform basic auth using the “nsx-manager-user” and “nsx-manager-password” variables that we defined in the Postman environment. This is configured at the collection level.

For each collection right-click and select “Edit“:

Click the “Autorization” tab and select “Basic Auth” from the “Type” list. Enter “{{nsx-manager-user}}” for “Username” and “{{nsx-manager-password}}” for “Password“. Click the “Update” button to save the changes:

The requests within the collections will now use these “parent” authorization settings.

Conclusion

It takes some minutes, but now that everything has been set up it will be less of a hassle to get started.

Who knows, next time when you need to configure or deploy something in NSX-T you might be doing it using one of the NSX-T API requests in Postman. 😉
Add NSX-T Tags To Virtual Machines with PowerShell

June 9, 2019
NSX tags on virtual machines often play a fundamental role in a NSX micro-segmentation security framework. Tags are used as the criteria for security group membership which in turn are used as source or destination in distributed firewall policy rules.

Tagging virtual machines in NSX-T can be done in a number of ways. We essentially have two interfaces to work with; the API and the UI.

VM tagging via the API

The API documentation explains how we can send a request to /api/v1/fabric/virtual-machines?action=update_tags.
A POST request with the following request body will assign the tag “scope: os” and “tag: linux” to a particular virtual machine (identified by the external_id).
```
{     
    "external_id": "50306b16-8840-5912-b0fd-eca1f1b317bb",     
    "tags": [         
        {"scope": "os", "tag": "linux"}  
    ] 
}
```
Using Postman the request looks like this:

Similarly, we can fetch the currently assigned NSX-T tags by sending a GET request to /api/v1/fabric/virtual-machines. Use the display_name and included_fields parameters to narrow down the result:

It’s important to understand that when tagging virtual machines through the API directly, existing virtual machine tags are replaced with the ones specified in the request body.

VM tagging in the UI

Tagging virtual machines in the NSX Manager UI is very straight forward. Under Inventory > Virtual Machines you click the three vertically aligned dots in front of a virtual machine and choose Edit:

You can now start adding tags which consist of an optional value for Scope and a mandatory value for Tag. Click Save when done.

Tip: If you want to list virtual machines with a certain tag you can make use of the natural language search capability in NSX Manager. For example you can write something like this in the global search bar: virtual machine where tags tag = ‘linux’

The Challenge

All good and well, but as you probably noticed assigning NSX-T tags in one of these ways is done on a per virtual machine basis.

This is problematic in an enterprise environment with thousands of virtual machines where large scale tagging operations are a requirement. Imagine a micro-segmentation project where large groups of virtual machines need to be zoned and isolated based on tags (OS tags, tier tags, business group tags, etc). You can’t start doing this per VM and still expect to meet your project’s deadline.

And then tagging via the REST API directly using a tool like Postman has the additional problem that it replaces existing tags so extra care needs to be taken to ensure the desired result.

The Solution

So, it’s pretty obvious that large scale tagging of virtual machines in NSX-T isn’t supposed to be done using the methods mentioned above.

Instead you could let some automation/orchestration tool take care of it. Terraform’s NSX-T provider can do it without too much hassle by using the nsxt_vm_tags resource. There are probably others.

Then you can always code something yourself. Maybe use one of the NSX-T SDKs Python or JAVA for example. There’s also a Go library for NSX-T and some Go scripts for bulk tagging of virtual machines.

In short, if you have some developer skills you will probably have little trouble putting together something that does virtual machine tagging for you in a satisfying way.

Me

I’m not a developer and I also don’t feel like introducing a new automation/orchestration solution just to be able to bulk tag virtual machines for an NSX-T micro-segmentation project (although I really like Terraform).

Bound by these self-inflicted constraints I’m left with scrambling together bits and pieces and try to make the best out of it.

A PowerShell script

This is more or less the reason behind the little PowerShell script nsxt_add_vm_tag.ps1 seeing the light of day. Combining PowerCLI and the NSX-T REST API to get the task done:

Note: You need PowerShell Core with the VMware PowerCLI Core module for this script to work.

Script walkthrough

After gathering the values for some variables including the $newtag and optionally $newscope, the script starts with some PowerCLI to query vCenter for the virtual machines that should be added to the scope:
```
Connect-VIServer -Server $vcenter -Credential $vccred
$vms = Get-Cluster $vccluster | Get-VM | ForEach-Object { $_ | Get-View }
```
Criteria can of course be added to Get-VM to narrow the result to VM names, VM folders, VMs with certain vSphere tags, and so on.

Next we enter a ForEach loop where the magic is performed. The InstanceUuid is extracted for each virtual machine. This is used by NSX-T where it’s called external_id:
```
foreach ($vm in $vms) {
    $vmid = $vm.Config.InstanceUuid
```
The whole goal here is to add tags, not replace existing ones. The part below gets hold of the currently assigned tags. Some regex matching is used to polish the data so it contains just the relevant parts:
```
$geturl = "https://$nsxmanager/api/v1/fabric/virtual-machines?external_id=$vmid&included_fields=tags"
$getrequest = Invoke-RestMethod -Uri $geturl -Authentication Basic -Credential $nsxcred -Method Get -ContentType "application/json" -SkipCertificateCheck
$getresult = $getrequest.results | ConvertTo-Json -Compress
$currenttags = [regex]::match($getresult,'\[([^\)]+)\]').Groups[1].Value
```
We prepare the JSON::
```
$JSON = @"
    {"external_id":"$vmid","tags":  [{"scope":"$newscope","tag":"$newtag"},$currenttags]}
"@
```
And finally we POST the new tag plus the already assigned tags to the API:
```
Invoke-RestMethod -Uri $posturl -Authentication Basic -Credential $nsxcred -Method Post -Body $JSON -ContentType "application/json" -SkipCertificateCheck
```
The script in action

Some screens where you see how it works:

And the result in NSX Manager shows that the new tag is added while the existing tag is still there:

Conclusion

Beautiful, right? No, but it seems to accomplish the simple task of adding NSX-T tags to a large number of virtual machines in one sweep.

I’ve uploaded this script to Github so you can easily access it. I’m sure it can be improved in many ways and I encourage you to do so!

A final word. There might me different and better approaches to achieve the same result. If you know of one I would be very interested to learn more about it so please let me know 🙂
Setting Up NSX-T Backup

June 1, 2019
One of the first things to configure after deploying the NSX Manager nodes is backup. No NSX-T implementation should ever get configured let alone go live without a working backup (and restore) in place.

Let’s have a look at how to set this up.

Backup target

NSX-T uses SFTP (TCP port 22) to transfer backup files to a backup target running an SFTP server. A Linux machine fits quite nice for this purpose simply because the (nearly) builtin SSH service makes it very easy to set up.

In this article I’m using Ubuntu 18.04, but you can basically use any Linux distribution that you prefer. I won’t go through the Ubuntu OS installation steps in this article. In short, you perform a standard Ubuntu server installation and add/enable the OpenSSH server.

Configuration

Once the Ubuntu server is up and running we need to spend some minutes on configuring it as a proper NSX-T backup target.

We want to use a dedicated service account for the NSX-T backup and restore operations. This account shouldn’t be able to do more than log in via SFTP and write NSX-T backup files to a directory.

To achieve the SFTP restriction we install a package called Restricted SSH (rssh). On Ubuntu that package is installed the ordinary way:
```
sudo apt install rssh
```
We then need to make one change in /etc/rssh.conf:
```
sudo nano /etc/rssh.conf
```
Accounts using the rssh shell should be allowed to login via SFTP and SFTP only. So we need to uncomment allowsftp. Save the file when done.

Next we create the service account itself:
```
sudo useradd -s /usr/bin/rssh nsx-backup
```
The “-s” parameter specifies that the account will use rssh as its shell.

Set a (strong) password for the service account:
```
sudo passwd nsx-backup
```
To verify that the rssh restriction is working for the service account you can try to login with SSH:
```
ssh nsx-backup@backup.demo.local
```
As you can see SSH access is not allowed (restricted by rssh).

The last thing we need to configure is a directory where the NSX-T backups will be stored. I also modify the permissions so that the service account can write to the directory:
```
sudo mkdir /backup
sudo chmod -R 757 /backup
```
Now that all the necessary configuration on the backup target is in place we can tighten security by allowing only the NSX Manager nodes and maybe a jump host to access the server on port 22. For example:
```
sudo ufw allow from 10.2.129.12 to any port 22
sudo ufw allow from 10.2.129.13 to any port 22
sudo ufw allow from 10.2.129.14 to any port 22
sudo ufw allow from 10.2.129.15 to any port 22
sudo ufw enable
```
Alternatively (or additionally) you could use the NSX-T DFW to restrict access.

NSX-T backup configuration

The NSX-T backup can be configured in the NSX Manager UI or via the API. Let’s have a look at both.

Configuration using the UI

Log in to NSX Manager:

Navigate to System > Backup & Restore:

Click Edit in the upper right of the page and fill out the details for the backup target:

Click the Schedule tab:

Enable Automatic Backup and adjust the interval according to your requirements. Optionally you can enable Detect NSX configuration change which triggers a full backup each time a configuration change is detected by NSX Manager.

After hitting the Save button a backup process is fired off immediately which gives us the opportunity to verify that everything is working. Hopefully node and cluster backups are successful:

While we’re here we should also configure the backup target details under the Restore tab so that this is in place when we need it:

After filling out the details of the backup target and hitting the Save button, the list with available backups is updated and available backups are shown:

Configuration via the API

The same configuration can be done via the NSX-T API.

SHA256 fingerprint

First we need to fetch the SHA256 fingerprint of the SFTP backup target. Use the following JSON code:
```
{
     "server":"backup.demo.local",
     "port":22
  }
```
Send this code as the body of a POST request to the API at:
```
https://nsxmanager.demo.local/api/v1/cluster/backups?action=retrieve_ssh_fingerprint
```
The NSX-T API responds with the SHA256 fingerprint of the SFTP server:

Backup configuration

Specify the backup configuration in JSON. The JSON equivalent of the settings we used earlier in the UI looks like this:
```
{
    "backup_enabled" : true,
    "backup_schedule":{
       "resource_type": "IntervalBackupSchedule",
       "seconds_between_backups":3600
    },
    "remote_file_server":{
       "server":"backup.demo.local",
       "port":22,
       "protocol":{
          "protocol_name":"sftp",
          "ssh_fingerprint":"SHA256:2xe5wxwvEW37ar2Y6nXUJ3KDUWsmzx/dH8nAj0LPNVs",
          "authentication_scheme":{
             "scheme_name":"PASSWORD",
             "username":"nsx-backup",
             "password":"VMware1!"
          }
       },
       "directory_path":"/backup"
    },
    "passphrase":"VMware1!VMware1!",
    "inventory_summary_interval":300
 }
```
Send it as the body of a PUT request to the NSX-T API at:
```
https://nsxmanager.demo.local/api/v1/cluster/backups/config
```
Restore configuration

The restore settings in JSON format:
```
{
    "remote_file_server":{
       "server":"backup.demo.local",
       "port":22,
       "protocol":{
          "protocol_name":"sftp",
          "ssh_fingerprint":"SHA256:2xe5wxwvEW37ar2Y6nXUJ3KDUWsmzx/dH8nAj0LPNVs",
          "authentication_scheme":{
             "scheme_name":"PASSWORD",
             "username":"nsx-backup",
             "password":"VMware1!"
          }
       },
       "directory_path":"/backup"
    },
    "passphrase":"VMware1!VMware1!"
 }
```
Send this code as the body of a PUT request to the API at:
```
https://nsxmanager.demo.local/api/v1/cluster/restore/config
```
Listing the available backups

To retrieve a list of available backups you send a GET request to:
```
https://nsxmanager.demo.local/api/v1/cluster/restore/backuptimestamps
```
NSX-T follows the API-First approach and the entire platform including everything concerning backup and restore can be managed through the API. Check out the NSX-T API documentation for more details.

Retention

Unfortunately, there is no builtin backup retention in NSX-T like we have in the vCenter VAMI. What we have is a Python cleanup script that we can run on the backup target to clean up old backups.

30 days retention example

To set up a 30 day retention period for NSX-T backups follow these steps:

1 – Copy the Python script from an NSX Manager node to the backup server. Using SCP for example:
```
sudo scp root@nsxmanager.lab.local:/var/vmware/nsx/file-store/nsx_backup_cleaner.py /sbin/ 
```
2 – Create a wrapper shell script under /etc/cron.daily. This wrapper script runs the “nsx_backup_cleaner.py” with the desired parameters:
```
sudo nano /etc/cron.daily/nsx_backup_cleaner.sh
```
3 – Copy the following lines into the script:
```
#!/bin/sh
/sbin/nsx_backup_cleaner.py -d /backup -k 30
```
4 – Save the script and make it executable:
```
sudo chmod +x /etc/cron.daily/nsx_backup_cleaner.sh
```
The script will run once a day, iterate through the NSX-T backups and delete the ones that are older than 30 days.

Conclusion

A working NSX-T backup is a critical component of every NSX-T platform. Luckily setting this up is a straight forward process.

There is always room for improvement. Support for some more file transfer protocols and builtin retention management would be nice. We might see something happening around this in future releases of NSX-T.