For Role Based Access Control (RBAC) in NSX-T we need to configure integration with VMware Identity Manager.
There’s an excellent VMware blog post that explains in detail how to set up vIDM and how to configure the integration in NSX Manager.
The problem
When setting this up myself I ran into a small problem that stopped me from completing the configuration.
When I tried to add the vIDM configuration in NSX Manager I received an error:
“Invalid VMware Identity Manager thumbprint specified.”. That’s very strange as that is the correct thumbprint. I checked it once more from the vIDM CLI:
It definitely is the same thumbprint. What’s going on here?
Troubleshooting
Then it hit me that I had replaced the vIDM’s default self-signed SSL certificate with a CA-signed certificate signed as per the vIDM documentation. Could it be that the “vidm.rainpole.local_cert.pem” file was not replaced during that process and in fact still is the default self-signed certificate? I had a closer look at that PEM file:
Ouch! This is indeed the default self-signed certificate. No wonder NSX Manager doesn’t like the thumbprint. It doesn’t correspond to the active vIDM appliance SSL certificate.
The solution
To get the actual certificate fingerprint I ran the following command from my jump host:
And there it was! I pasted the fingerprint into the NSX Manager’s vIDM configuration, hit Save and the thumbprint was accepted:
Lesson learned
Do not log in to the vIDM appliance CLI to get the SSL certificate thumbprint. Instead let openssl connect to the vIDM web server to fetch the thumbprint of the active SSL certificate and you know you’re good.
Back in February VMware announced version 2.4 of NSX-T calling it a “landmark release in the history of NSX”. The new and enhanced features introduced in version 2.4 are indeed impressive:
Converged NSX Manager appliance – bringing together management, policy, and central control services in one appliance with 3-node clustering support. Thus we now have high availability and a scale-out architecture for the management plane.
Simplified user interface – making configuration and administration of the NSX platform much intuitive.
A declarative policy model – specify your network and security requirements in a JSON file and send it to the API which will then deploy and configure all the necessary components to achieve the required outcome.
Advanced security features – L7 application context-based firewalling, identity-based firewalling, FQDN/URL whitelisting, guest introspection, and E-W service insertion.
Higher levels of scale, better performance – Bigger, better, faster.
With a “what’s new” list like this I have no other option than to upgrade my only weeks old 2.3 installation. Let’s see how that works out.
The lab environment
Just a quick recap of my lab environment in the form of some diagrams.
On a high level the environment looks like this.
Zooming in on an ESXi transport node that is hosting an Edge VM:
And finally the routing topology as I’ve configured it:
Most of the components are running in a nested environment.
The upgrade
VMware released an excellent upgrade guide which is a must-read if you’re about to upgrade to version 2.4. The upgrade checklist especially is a great resource for getting through the process and I highly recommend to follow it at all times.
Upgrade bundle
I start by downloading the 2.4 upgrade bundle which a 7,3 GB MUB package you fetch from VMware.com.
Once downloaded I log in to my NSX Manager and navigate to System > Utilities > Upgrade. On the landing page I see the different components and their current version. I click on the “Proceed to Upgrade” button:
Under “1. Bundle And Status” I upload the MUB package:
The uploading and subsequently unpacking of the bundle will take some time.
System upgrade
Once done I click on “Begin Upgrade”. I accept the license agreement (what else?) and start the system upgrade:
The upgrade coordinator gives me a clear overview and the option to run pre-checks to see if the different components are ready for an upgrade to version 2.4:
Running pre-checks is not mandatory, but highly recommended so I’ll do that:
In my lab environment I received one non-critical issue on NSX Manager:
Well, this is a lab environment so I’m good here and will continue with the system upgrade.
The upgrade coordinator starts with the (ESXi) hosts. Here we have some options:
We can upgrade in serial or in parallel and decide for which conditions we want to pause the process. Under “Host Groups” I see that the coordinator has created a group containing the hosts in scope. Under Actions > Change Upgrade Mode I can decide which mode I want to use:
This is a lab environment so I’ll do an in-place upgrade. Notice the warning though and understand that “Maintenance” mode is a better fit for a production environment. I’m pretty happy with the defaults and click “Start” to fire off the upgrade of my hosts.
Once the hosts have been upgraded we should see a confirmation that everything went successful:
Clicking on “Next” brings me to “3. Edges” where I see more or less the same options as for the hosts.
The upgrade coordinator has placed my two Edge VMs in a group. The defaults look fine to me so I’m clicking “Start” to get the Edge VM upgrade process underway.
Clicking on the group you can see the installation progress per node:
Once this is completed I click “Next” to proceed to “4. Controller Nodes”:
This is probably the quickest part in the upgrade process.
One of the architectural changes in NSX-T 2.4 is the convergence of manager, policy, and central controller services into one appliance. In other words we won’t be working with dedicated controller nodes anymore after the management plane upgrade. The existing controller nodes can simply be deleted after the upgrade.
Clicking “Next” brings me to the “5. Management Nodes”:
The “Plan” here is to allow transport node connections after a single node cluster is formed. This is a lab and I’m happy with just one cluster node at this point. I can always add more nodes later on if I want to.
Not much else to look at here so I’m starting the upgrade of the management plane by clicking the “Start” button.
I’m not planning on doing any CRUD (create, update, delete) operations on managed objects during the upgrade so I click on “Start” (again):
And the upgrade of the management plane is underway:
The node restarts as part of the upgrade so you will loose connection to the web interface at some point. Once the upgrade is completed you can log in again and will land on the new “NSX-T Overview” page:
Verification
Let’s just verify that the upgrade completed successfully by going to System > Upgrade:
Things are looking good. It seems the upgrade was indeed successful.
Another pretty important thing is verifying that the components are up and running. For this I’ll check the new dashboard under Home > Dashboards > System:
Green circles usually mean things are good (I should set up automatic backup though).
New user interface
The user interface got a pretty big overhaul in version 2.4 and it takes some time before you find your way around.
Different parts of the UI are handled by different underlying managers:
As you can see the UI is basically divided in two parts where one part is handled by Policy Manager and the other part by NSX Manager.
This has some immediate practical consequences. In version 2.3 my logical switches and logical routers were created by NSX Manager. For that reason they are found under “Advanced Networking & Security”:
Moving forward the Policy Manager/Simplified UI should be used (as much as possible) to create and manage NSX-T objects.
Simplified UI
So let’s have a very brief look at the Simplified UI.
Under “Networking” I see some new NSX-T terminology:
Logical switches are called “Segments” and logical routers are now called “Gateways”. Nothing too shocking, but good to know.
A look under “Security” shows that things are categorized in “East West Security” and “North South Security” which makes sense:
Have a closer look at the distributed firewall shows some new stuff as well.
First of all we can now choose a default connectivity strategy:
It’s set to “none” as I upgraded from version 2.3. For new deployments the default is “Blacklist” (AnyAllow as the catchall rule).
Next we see that there are now predefined categories that we can use when building a security policy model for the East-West firewall:
Conclusion
Upgrading my lab environment from version 2.3 to version 2.4 was a painless process. Good documentation and the upgrade coordinator made it a fairly straight forward process.
The NSX-T 2.4 upgrade is bigger than the minor version adjustment implies. We have some architectural changes, an almost completely new UI and some new terminology. There are many other things as well that I haven’t touched upon in this post, but will explore in more detail in upcoming posts.
All in all I would definitely say that version 2.4 is a landmark release in the history of NSX-T. With this release NSX-T also reaches feature parity with NSX-v and that should make it the SDN platform of choice moving forward.
Welcome to the final part of this series. We’ve come a long way. After configuring North-South dynamic routing between the Tier-0 logical router and the “physical” (pfSense) router in part 5, it’s now time to add a Tier-1 logical router and some logical switches.
Tier-1 logical router
The purpose of Tier-1 routers is to facilitate for true multi-tenancy in the NSX platform. Tenants have their own T1 routers that connect to an administrator’s T0 router. Changes in the physical network do not necessarily affect tenants Tier-1 routers.
Multi-tenancy with T1 routers
A Tier-1 logical router needs to be connected to a Tier-0 logical router to get the northbound physical router access. The connection between T1 and T0 is established over a special routerlink. This link is assigned a /31 subnet within the 100.64.0.0/10 reserved address space (RFC6598).
Deploying the Tier-1 logical router
In NSX Manager I navigate to Networking > Routing. Click on the “+ Add” button and choose “Tier-1 Router”:
A couple of things need to be specified here. I’m calling my T1 “tier-1-01” and pick the “tier-0-01” Tier-0 router I created in part 5. I also need to pick an Edge cluster, Failover Mode, Edge cluster members (Edge transport nodes), and a preferred member.
Clicking “Add” deploys the Tier-1 router.
When clicking on the new Tier-1 router and having a look under Configuration > Router Ports I can see the special router port used for the routerlink to the Tier-0 router:
Logical networks created in NSX should be advertised to the Tier-0 and ultimately the physical router. For this to happen I need to configure Routing > Route Advertisement:
Here I choose to advertise everything that is available.
And that’s it for the basic configuration of my Tier-1 router. The logical router topology looks like this at this point:
Creating Tier-1 downlink ports
Downlink ports are Tier-1 router ports connecting to logical switches. They serve as a default gateways for the virtual machines that are in the same subnet.
I will create three downlink ports for now. I will deploy the classic three tiered network segments: web, app, and db.
On the Tier-1 router I once again navigate to Configuration > Router Ports. Adding the first router port called “rp-web”:
As you see I configured IP address 10.204.244.1/24 for this interface. It’s basically here I decide that the web IP subnet is 10.204.244.0/24.
You may have noticed that I also created a new logical switch called “ls-web” in the process. Its configured like this:
The logical is switch is part of the “overlay01” transport zone. No surprise here.
I repeat these steps to create the “rp-app”, and “rp-db” router ports and their associated logical switches
Downlink router portsLogical switches
The topology with the logical switches attached to the Tier-1 router:
Looking on the Tier-1 router under Routing > Route Advertisement I can see that my three subnets are being advertised:
Verifying routing
Let’s see if the distributed router on the Tier-0 has these networks in its forwarding table. I log in to one of the Edge VMs CLI and change to the Tier-0 DR context:
get logical-router
Listing the logical routers
The Tier-0 DR is living in VRF 6.
vrf 6 get forwarding
There are, among others, the three IP subnets associated with my newly created router ports. I see that the routerlink subnet 10.64.160.0/31 is used to get to the logical networks which seems to make sense.
Let’s also having a look at the Tier-0 SR context
vrf 3 get forwarding
Beautiful! My new networks ended up all the way there too. As you can see the Tier-0 SR uses the intra tier transit link as the gateway to get to these networks. This is also as expected.
The million dollar question is: Are my new logical networks known on the physical network? Let’s check the forwarding table at my pfSense:
Absolutely. I’m seeing my three IP subnets in pfSense’s forwarding table. I can even ping the Tier-1 “rp-web” router port from the pfSense:
So this is where the NSX admin takes a step back and the VI admin comes in and starts deploying VMs on the new logical networks. 😉
Connecting a virtual machine
Speaking of which, how do I connect a VM to an NSX-T port group? It turns out to be really easy. NSX-T logical networks show up as N-VDS port groups in vCenter:
And therefore connecting a VM to an NSX-T logical network is done the usual way:
Conclusion
That’s it! This was a very basic NSX-T deployment in 6 parts. I hope you enjoyed it. There is much more to look at and configure in NSX-T, but the main platform is in place.
From here it will be about enabling features and possibly scaling out a bit. I expect to return to this lab environment in coming blog posts.
One thing that happened while I was writing the series was the NSX-T 2.4 release. There are a bunch of new features and improvements in version 2.4 and my next blog post might very well be about upgrading this environment to 2.4. Stay tuned!
Things are working out pretty well so far so I’ll simply stick to this plan and go on with setting up NSX routing.
Tier-0 logical router
The Tier-0 logical router acts as a gateway service between the logical and physical network. A Tier-0 logical router has downlink ports to Tier-1 logical routers and uplink ports that connect to the external network. Tier-0 logical routers support things like BGP dynamic routing and ECMP.
Deploying the Tier-0 logical router
No reason to wait. In NSX Manager I navigate to Networking > Routing:
Here I’m clicking on the “+Add” button and choose “Tier-0 Router”:
I’m calling the Tier-0 router “tier-0-01” and select the Edge cluster I created in part four. I’m leaving the high-availability mode at the default “Active-Active” meaning that traffic is load balanced across all members of the Edge cluster.
Creating Tier-0 router ports
With the Tier-0 router deployed I will now create four router ports (of which two will be used at this point). I click the “tier-0-01” logical router and navigate to Configuration > Router Ports:
Clicking the “+Add” button brings up the following form:
I will use these are settings for the four router ports in my lab:
Setting
Router Port #1
Router Port #2
Router Port #3
Router Port #4
Name
rp-uplink01-tn-edge-01
rp-uplink02-tn-edge-01
rp-uplink01-tn-edge-02
rp-uplink02-tn-edge-02
Type
Uplink
Uplink
Uplink
Uplink
MTU
1500
1500
1500
1500
Transport Node
tn-edge-01
tn-edge-01
tn-edge-02
tn-edge-02
URPF Mode
Strict
Strict
Strict
Strict
Logical Switch
ls-uplink01
ls-uplink02
ls-uplink01
ls-uplink02
Logical Switch Port Name
sp-uplink01-tn-edge-01
sp-uplink02-tn-edge-01
sp-uplink01-tn-edge-02
sp-uplink02-tn-edge-02
IP Address/mask
172.27.11.2/24
172.27.12.2/24
172.27.11.3/24
172.27.12.3/24
The four router ports once they are created:
As you can see each Edge transport node has two uplink router ports.
Configuring Tier-0 dynamic routing
In my lab I will use BGP dynamic routing between Tier-0 and pfSense. On the Tier-0 router navigate to Routing > BGP:
First I enable BGP and ECMP and set the local AS to 65000:
Next I’m going to add the BGP neighbor by clicking the”+Add” button under “Neighbors”:
The neighbor address is 172.27.11.1 and the remote AS is 65001 as configured on the pfSense. I also modify the values for “keep alive” and “hold down” to 4 and 12 seconds respectively.
Under “Local Address” I will only select the two router ports in VLAN 2711 for now:
Note that the IP addresses of the Tier-0 uplink router ports have already been added as BGP neighbors in the pfSense configuration.
Finally, under “Address Families” I add and enable “IPV4_UNICAST”:
The BGP neighbor has now been configured:
The last thing I want to enable on the Tier-0 router is route redistribution. I click on Routing > Route Redistribution:
I create a new criteria called “redist-all” and select all sources:
This ensures that the Tier-0 will redistribute routes from all available sources.
Verifying Tier-0 dynamic routing
Let’s start by checking if the BGP neighbor connection status looks healthy. I select the “tier-0-01” router and click on Actions > Generate BGP Summary:
This generates a list with the current neighbor connection status:
To verify that routes are received from the pfSense router, I log in to one of the Edge VMs and run the following commands:
get logical-routers
Listing the logical router instances on the Edge VM. It’s VRF 3 (service router) I’m interested in. Changing to VRF 3’s context:
vrf 3
And now I run:
get route
This command lists the routes in the VRF 3 context. I can see a number of routes coming from the pfSense router via BGP (b).
To test actual traffic flow I ping an IP addresses located in the physical network from within the VRF 3 context:
It looks like North-South traffic flow is operational!
Diagram
Let’s finish with a diagram of the routing topology I built so far:
Availability? Not really, but this is a lab environment. I do not recommend using this setup in a production environment. I will deploy another pfSense router and create additional BGP peerings to make my lab look more like a production deployment, but that’s for another time. 😉
Conclusion
In this part I deployed the Tier-0 logical router and configured North-South dynamic routing. After some basic verification and testing things seem to be working. This piece of NSX infrastructure is critical when it comes to logical networks being able to communicate with the physical network and vice versa.
In the next part I will continue setting up routing by deploying a Tier-1 logical router and some logical L2 networks.
Welcome back! I’m still busy installing NSX-T in my lab. I prepared the vSphere distributed switch, configured the NSX transport zones, and created the transit logical switches in part three. I will now continue with setting up the NSX transport nodes.
Hypervisor transport nodes
I’ll start with turning my ESXi hosts into NSX transport nodes. In part one I added my vCenter system to NSX Manager where it is called a “Compute Manager”. This connection between NSX Manager and vCenter comes in handy when deploying and configuring certain components of the NSX solution. This is definitely the case when preparing ESXi hosts.
In NSX Manager I navigate to Fabric > Nodes:
Under the first tab “Hosts” I change the “Managed by” to my compute manager (my vCenter):
Once the compute manager is selected it shows the vSphere cluster and, when expanded, the ESXi hosts:
There are two ways I can go about installing NSX on my ESXi hosts. Either I install the VIBS on individual hosts, or I configure the installation on the cluster level. In my lab I’m going for the latter and click the “Configure Cluster” button.
Here I enable automatic installation of NSX which will automatically install the NSX VIBS to all ESXi hosts in the cluster. Managing installation on the cluster level allows for automatic creation of transport nodes as well. I’m a huge fan of automating so I enable this one too:
Some input is required here:
Transport Zone – my ESXi transport nodes participate in overlay networking so here I pick the “overlay01” transport zone.
Uplink Profile – A template for the ESXi hosts uplinks. I create a new uplink profile that matches my lab environment called “Overlay-Uplink-Profile”. I change the teaming policy to “Load balance source” and type “uplink-1,uplink2” under “Active Uplinks”. Finally I change the “Transport VLAN” to “1614”.
IP Assignment – Transport nodes doing overlay networking use tunnel endpoints (TEPs) where L2 frames are encapsulated and transported over L3 to other TEPs. TEPs need an IP address and it is here one configures how IP addresses should be assigned to the TEPs. I create an IP Pool called “tep-pool” with a range of “172.16.14.50 – 172.16.14.70” and CIDR “172.16.14.0/24” which is the IP subnet assigned to the transport VLAN (1614) in my lab environment.
Physical NICs – Here I specify the ESXi host’s physical NICs that will be used for NSX networking. In my environment the ESXi hosts have dedicated NICS for NSX networking. These are “vmnic2” which I map to “uplink-1” and “vmnic3” which I map to “uplink-2”.
Below a screen when all information is entered:
Once I click the “Add” button the NSX installation kicks off immediately:
After a minute or so things are looking pretty good:
Under the “Transport Nodes” tab I see that the three ESXi hosts have been successfully configured as transport nodes:
Edge transport nodes
With the ESXi hosts prepared I’m moving on with the Edge. As the name implies the NSX Edge is where NSX meets the physical network. In my lab I’m going to deploy two Edge VMs.
I start by adding the following DNS records to DNS:
edge-01 – 172.16.11.58
edge-02 – 172.16.11.59
Next, in NSX Manager I navigate to Fabric > Nodes and click on the “Edges” tab:
Here I click in the “+Add Edge VM” button. I fill out name and FQDN and choose to deploy a small Edge VM:
After clicking “Next” I need to specify some information about the vSphere environment where this Edge VM will be hosted. After I choose my compute manager I can pick the objects for cluster, resource pool, and datastore from the drop-down lists:
On the next page configure the network settings for the Edge VM:
First I specify the IP address, gateway, and port group for the Edge VM’s management interface. Then I configure the three so called “datapath” interfaces. These are the Edge VM’s interfaces that will be part of the data plane. I’m assigning interface #1 to the “pg-transport” port group, interface #2 to the “pg-uplink01” port group, and interface #3 to the “pg-uplink02” port group.
When I click “Finish” NSX Manager starts deploying the Edge VM right away.
Having a look in vCenter shows me the new Edge virtual machine:
After a couple of minutes the Edge VM deployment is completed and has the following status:
The manager connectivity is up and running which is good. I still need to configure this Edge VM as a transport node before it can participate in actual NSX networking.
Before doing that I will deploy the second Edge VM. I basically repeat the steps above assigning IP address 172.16.11.59/24 to the management interface instead. Here are the two Edge VMs listed:
Now let’s configure them as transport nodes.
I select edge-01, click the “Actions” button, and choose “Configure as Transport Node”:
On the “General” screen I type a name for this transport node (tn-edge-01) and select the transport zones the Edge VM will be part of: overlay01, uplink01, and uplink02:
On the “N-VDS” tab I need to create an N-VDS for each of the selected transport zones.
I click on the “+ Add N-VDS” button and star configuring the first N-VDS “overlay01”:
I’m using the “nsx-default-edge-vm-uplink-hostswitch-profile” and the “tep-pool” IP pool to assign an IP address to the TEPs. Datapath virtual NIC “fp-eth0” is mapped to “uplink-1”.
I click the “+ Add N-VDS” once more to create the second N-VDS called “uplink01”:
I choose “uplink01” as the switch name and map “fp-eth1” to “uplink-1” .
I click the “+ Add N-VDS” a third time to add the last N-VDS called “uplink02”:
I choose “uplink02” as the switch name and map “fp-eth2” to “uplink-1” .
With the three N-VDS’s configured I click the “Save” button and the Edge VM is configured as a transport node. I repeat the above steps to configure the second edge “edge-02” as transport node “tn-edge-02”.
Both Edge VMs are now configured as transport nodes. Looking under Fabric > Nodes > Edges I can see that a connection with the controller cluster has been established and that each Edge vm has a transport node associated:
Looking under Fabric > Nodes > Transport Nodes I see five transport nodes. Three ESXi hosts and two Edge VMs:
There is one last thing I need to do and that is create an Edge Cluster. This is done under Fabric > Nodes > Edge Clusters.
I’m clicking the “+Add” button to start creating the Edge Cluster:
I add both of the edge transport nodes to “edge-cluster”. I click the “Add” button to finish the cluster creation. Edge cluster in place!
Conclusion
That was quite a bit of work, but now all the transport nodes are configured and everything should be in place to start doing some serious NSX networking. We’ll have a look at that in the next part. Until then, take care!
Welcome back! I’m in the middle of installing NSX-T in my vSphere lab environment. In part one I installed NSX Manager, in part two I deployed the NSX Controller Cluster. Now it’s time start working on what it’s all about: The data plane.
High-level overview
Setting up a complete NSX-T data plane involves installing and configuring several components. We have East-West distributed routing, North-South centralized routing, and security. Then there are the additional services like load balancing, NAT, DHCP and partner integrations.
The order in which you set things up depends primarily on what you’re trying to achieve. I noticed that different documents and guides also use different approaches.
So, I put together bits and pieces from different sources and came up with the following high-level plan for my NSX-T data plane deployment:
Prepare the vSphere distributed switch
Configure transport zones
Create logical switches
Prepare & configure ESXi hosts
Deploy & configure Edge VMs
Configure routing
In this article I will prepare the distributed switch, add the transport zones, and create the logical switches for the uplinks. Just to keep things digistible 🙂
Preparing the vSphere Distributed Switch
The NSX Edge VMs, that will be deployed later on, connect to four different VLANs: management, transport (carrying logical networks), and two uplink VLANs. I already have a distributed port group that maps to the management VLAN, so I need to create the ones for transport and the uplinks.
In vCenter, navigate to Networking, right-click the distributed switch and select Distributed Port Group > New Distributed Port Group. I’m calling this port group “pg-transport”.
On the next page I set “VLAN type” to “VLAN” and “VLAN ID” to “1614”. Click “Next” and finish the port group creation.
I repeat this process for the two port groups for the uplinks (VLAN 2711 and 2712). Once done it looks like this:
And the ESXi host’s network configuration now looks something like this:
Here I have the VDS with its 5 port groups as well as a pair of unused NICs which I will use for NSX networking later on.
Configuring NSX transport zones
Transport zones in NSX are containers that define the reach of the transport nodes. I briefly mentioned transports nodes in part two. Transport nodes are the hypervisor hosts and NSX Edges that participate in an NSX overlay. For hypervisor hosts, this means that its VMs can communicate over NSX logical switches. For NSX Edges, this means it will have logical router uplinks and downlinks.
My lab environment will start out with three transport zones: uplink01, uplink02, and overlay01.
Log in to NSX Manager. In the menu at the left select Fabric > Transport Zones.
I start by creating a transport zone called “uplink01”. This is a VLAN transport zone that will be used by the NSX Edge later on:
I’m repeating this process to create the “uplink02” VLAN transport zone.
The third transport zone is an Overlay transport zone. It will be used by the host transport nodes and the NSX Edge:
The three transport zones listed:
Creating logical switches
Next I’ll create two logical switches. These two will facilitate the transit between NSX and the pfSense router. In NSX Manager choose Networking > Switching.
The first logical switch, “ls-uplink01”, I add to transport zone “uplink01” and configured with VLAN 2711 :
I repeat this process to create a second logical switch called “ls-uplink02”. I add it to transport zone “uplink02” and configure it with VLAN Id 2712.
Conclusion
Taking small steps, but getting there. I created the necessary port groups on the vSphere distributed switch which are needed for the Edge VMs. I then went on to create the transport zones as well as two logical switches from NSX Manager.
In the next part I will continue with setting up the transport nodes; The ESXi hosts and the NSX Edge.
Welcome back! I’m in the process of installing NSX-T in my lab environment. So far I have deployed NSX Manager which is the central management plane component of the NSX-T platform. Today I will continue the installation and add a NSX-T controller to the lab environment.
Control plane
The control plane in NSX is responsible for maintaining runtime state based on configuration from the management plane, providing topology information reported by the data plane, and pushing stateless configuration to the data plane.
With NSX the control plane is split in two parts, the central control plane (CCP) which runs on the controller cluster nodes, and the local control plane (LCP) which runs on the transport nodes. A transport node is basically a server participating in NSX-T networking.
Now that I’m mentioning these planes, here’s a good diagram showing the interaction between them
Deploying the controller cluster
In a production NSX-T environment the controller cluster must have three members (controller nodes). The controller nodes are placed on three separate hypervisor hosts to avoid a single point of failure. In a lab environment like this a single controller node in the CCP is acceptable.
First I’m adding a new DNS record for the controller node. This is not required, but a good practice imho.
Name
IP address
nsxcontroller-01
172.16.11.57
An NSX-T controller node can be deployed in several ways. I added my vCenter system as a compute manager in part one, so perhaps the most convenient way is to deploy the controller node from the NSX Manager GUI. Other options include using the OVA package or the NSX Manager API.
I decided to deploy the controller node using the NSX Manager API. For this I need to prepare a small piece of JSON code that will be the body in the API call:
This code instructs the NSX Manager API to deploy one NSX-T controller node with a small form factor. Most things in the code above are pretty self-explanatory. I fetched the values for “management_network_id”, “compute_id”, and “storage_id” from the vCenter managed object browser (https://vcenter.rainpole.local/mob). The “vc_id” is found in NSX Manager under “Fabric” > “Compute Managers” under the “ID” column:
Learning by doing is my preferred method of getting to know a product or technology I haven’t worked with before.
Take NSX-T for example. On the surface NSX-T seems to be just another flavour of network virtualisation technology by VMware. But having a closer look I quickly realised NSX-T is quite a different beast compared to NSX-V.
So, in order to learn more about the product I’m going to install NSX-T in a lab environment. In the coming blog posts you can follow along as I’m setting this up.
In this first part I’ll quickly introduce my lab environment and then continue with the deployment of the management plane main component: NSX Manager.
Lab environment
My small NSX-T lab will use the following components:
pfSense router with OpenBGPD package
Windows Server 2016 (AD/DNS)
NetApp NFS storage
vCenter 6.7
ESXi 6.7
NSX-T 2.3
The blog post series is about setting up NSX-T so I deployed some things in advance. A pfSense router, vCenter, three ESXi hosts in a cluster, and a Windows AD/DNS server have been installed and configured.
Here is a simple diagram of the environment the way it looks right now.
The ESXi hosts are equipped with four NICs. Two of them are used by vSphere and the other two are unassigned and will be used by NSX-T networking.
I configured some VLANs on the pfSense router which are trunked down to the ESXi hosts. The pfSense router has the OpenBGPD package installed so that I can do some dynamic routing later on.
I left out the details of the non-nested infrastructure. The three ESXi hosts are nested (running as VMs). vCenter, the Windows server, and pfSense are running outside of the nested environment.
Networking
I configured the following networks:
VLAN ID
VLAN Function
CIDR
Gateway
1611
Management
172.16.11.0/24
172.16.11.253
1612
vMotion
172.16.12.0/24
172.16.12.253
1614
Transport
172.16.14.0/24
172.16.12.253
2711
Uplink01
172.27.11.0/24
172.27.11.1
2712
Uplink02
172.27.12.0/24
172.27.12.1
Yes, /24 subnets all the way. This is a lab environment so I don’t really have to worry about wasting IP addresses. In a production environment I would most likely be using smaller subnets.
DNS and hostnames
I’m using the “rainpole.local” DNS domain name for this lab and created the following DNS records in advance:
Name
IP address
dc01-0
172.16.11.10
esxi01
172.16.11.51
esxi02
172.16.11.52
esxi03
172.16.11.53
vcenter
172.16.11.50
ntp
172.16.11.10
nsxmanager
172.16.11.56
More DNS records will probably be added during the deployment.
Installing NSX Manager
The first thing I need to do is install NSX Manager. For vSphere the NSX Manager installation is done by deploying an OVA package.
The OVA deployment is a straight forward process. I choose a small deployment configuration as this is for lab purposes:
I pick the management network (VLAN 1611) as the destination network for “Network 1” and IPv4 as the protocol:
I need to fill in the required details on the “Customize template” page. I have selected”nsx-manager” as the “Rolename”.
Once the virtual appliance is deployed it needs to be started. It will take some minutes to boot and get things up and running. Once ready I can log in to the NSX Manager web interface at https://nsxmanager.rainpole.local using the previously configured admin account:
The first time I log in I need to accept the license agreement and answer the question about the CEIP program. I then end up at the “NSX Overview” page:
One thing I notice immediately is how elegant NSX Manager interface is. I really like the layout of the HTML5 interface with a menu on the left side that pops out when moving the mouse cursor over it.
I took some time to look around in the web interface just to familiarise myself. After all I’ll be spending quite some time in the web interface during the NSX-T deployment.
The dashboard shows status and health overview of of the platform and its components. It’s pretty empty right now as you see 🙂
Adding a compute manager
Although there is no relationship between NSX Manager and vCenter like there is in NSX-V, it is possible to add vCenter systems as a so called compute managers. This is not required but having this link in place makes deploying NSX-T components on vSphere more convenient.
In the menu on the left I choose “Fabric” > “Compute Manager” and click “+Add”. I fill out the details of my vCenter system and then click on the “Add” button:
After a short registration process vCenter is added to NSX Manager:
Housekeeping
Under “System” I find some items that are of interest at this point:
Two things I would probably want to have a look at straight after deploying NSX Manager in a production environment are certificates and backup.
It is under “Trust” certificates are managed. Default self-signed certificates often need to be replaced with ones that are signed by a trusted CA. This is done over here, partly. An API call is actually needed to activate a newly imported certificate.
Backup can be configured entirely in the GUI. This is done under “Utilities” > “Backup”. Here we configure scheduling/interval and backup destination:
It is here I learn that there are three types of backup:
Cluster backup – includes the desired state of the virtual network
Node backup – includes the NSX Manager appliance configuration
Inventory backup – includes the set of ESX and KVM hosts and edges
Time synchronisation is important and a NTP server can be configured during the NSX Manager deployment. If I want to change the NTP configuration after deployment I need to use the NSX Manager CLI or API. Using the CLI the following command will configure “ntp.rainpole.local” as a time source:
set ntp-server ntp.rainpole.local
Likewise, if I need to (re-)configure DNS this is done via the NSX Manager CLI or API. Configuring the Windows AD/DNS server in my lab as the DNS server is done with this CLI command:
set name-servers 172.16.11.10
Conclusion
Installing and configuring NSX Manager in my lab environment was an easy process. The web interface looks really good with a nice layout. I’m a bit surprised to see that some, what I consider, basic configuration can’t be done in the GUI (NTP, DNS, logging), but I’m sure this will be added to the GUI in future releases of NSX Manager.
In the next part I’ll continue my NSX-T deployment journey and set up the control plane.
Welcome back! In part two we deployed the data plane for the East-West traffic in our cross-vCenter NSX environment. In this part we continue with the setting up the components for the North-South traffic.
Current state
A quick look at the current state of our cross-vCenter NSX lab environment.
The management plane and the control plane are operational and configured for cross-vCenter NSX. We have deployed the data plane components for East-West traffic; two universal logical switches and a universal distributed logical router.
NSX Edge
The NSX edge is responsible for the central on-ramp/off-ramp routing between the NSX logical networks (VXLANs) and the physical network. It’s a central function and is deployed as virtual appliances (edge services gateways) by NSX Manager.
Local egress
There are some design considerations surrounding the NSX edge. In a cross-vCenter NSX environment spanning multiple physical sites one consideration is of particular interest: should each site use a local edge for North-South egress (local egress), or should one site act as the central edge for the other sites?
You might remember from part two that we deployed the universal distributed router with local egress enabled. So what we’ll do, is set up our fictional sites “DC-SE” and “DC-US” with active/active egress. This is actually a less common/popular type of cross-vCenter NSX deployment as it introduces asynchronous traffic flows (traffic egresses one site and ingresses at another site) which need to be dealt with somehow.
Deployment
When local egress is a requirement we need to deploy some additional components. We need a UDLR control VM at each site. Each site will also use a separate transit universal logical switch.
So, let’s create the transit logical switches first and come back to the control VMs a little later.
Log in at the DC-SE’s vCenter and navigate to Networking and Security > Logical Switches. Click the “+ Add” button. Type a name for the logical switch. In my case I’ll call it “ULS Transit SE”. This logical switch will use the universal transport zone “UTZ” that we created in part one. Click “Add“. Repeat these steps to add the second transit universal logical switch. I’m calling this one “ULS Transit US”.
With the transit switches created we continue with the deployment of the ESG appliances. For this lab we’ll deploy just one ESG per site. At DC-SE navigate to Networking and Security > NSX Edges. Click the “+Add” button and choose “Edge Services Gateway”.
Give the ESG a name. In my lab it’s called “esg-se”.
Configure a user name and password. Enable SSH.
Configure the appliance VM deployment. A compact sized appliance will do for this lab.
Next we configure two interfaces on the ESG: one uplink and one internal. Starting with the uplink interface that we connect to a VLAN-backed distributed port group (VLAN 70 at my DC-SE site). This one connects the ESG with the pfSense router. I’m assigning IP address 10.0.70.2/24 to this interface (the pfSense router’s interface is configured with 10.0.70.1/24).
The internal interface connects the ESG with the “ULS Transit SE” logical switch. It is the link between the ESG and the UDLR. I’m assigning 192.168.100.1/29 to this interface.
We also configure a default gateway on “esg-se” which points to the next-hop router on the “physical” network. In my case this is 10.0.70.1 (pfSense router).
Review the configuration and click “Finish” to deploy the ESG appliance.
At the DC-US’s vCenter we basically repeat these steps for the ESG deployment over there. The unique settings for the ESG at DC-US in my lab are:
Name
esg-us
Uplink interface IP (VLAN 700)
10.1.70.2/24
Internal interface connected to
ULS Transit US
Internal interface IP
192.168.101.1/29
Default gateway
10.1.70.1
Universal Distributed Logical Router
We need to revisit the UDLR to deploy the additional UDLR control VM at DC-US as well as configure connectivity between the UDLR and the new transit logical switches.
Log in at vCenter in DC-US and navigate to Networking and Security > NSX Edges and click on the universal distributed router. Select Configure > Appliance Settings. Click on “Add Edge Appliance VM“.
Configure the placement parameters and deploy the VM.
Once the control VM has been deployed we head over to vCenter at DC-SE and navigate to Networking and Security > NSX Edges and open up the universal distributed router. Select Configure > Interfaces and add a new uplink interface that connects to the “ULS Transit SE” logical switch. I configure this interface with IP address 192.168.100.2/29.
Add a second uplink interface to the UDLR and connect it to the “ULS Transit US” logical switch. I configure this one with IP address 192.168.101.2/29.
With the UDLR uplinks configured we’ll do a quick connectivity test. Open an SSH session to the ESGs and ping the IP address of the UDLR uplink interface connected to that ESG.
North-South routing
Now that we have a working L2 connection between the ESGs and the UDLR, we can focus on setting up the North-South routing in our cross-vCenter NSX environment.
In my lab I’ve configured an iBGP peering between the UDLR control VMs and their respective ESG appliance. I also configured an eBGP peering between the ESGs and the pfSense routers at each site. I won’t go through setting up dynamic routing with BGP, but here’s a summary of the configuration that I used in my lab:
Property
DC-SE
DC-US
pfSense Local AS
65502
65502
ESG default gateway IP
10.0.70.1
10.1.70.1
ESG Local AS
65510
65110
ESG BGP neighbors
10.0.70.1, 192.168.100.3
10.1.70.1, 192.168.101.3
ESG redistribution
connected
connected
UDLR default gateway
192.168.100.1
192.168.101.1
UDLR Local AS
65510
65510
UDLR protocol address
192.168.100.3
192.168.101.3
UDLR BGP neighbors
192.168.100.1
192.168.101.1
UDLR redistribution
connected
connected
Setting up dynamic routing in cross-vCenter NSX with local egress can be quite a job. Even in a small lab like this we need to configure routing parameters at 6 places: pfSense x 2, ESG x 2, UDLR control VM x 2.
The big picture
Now that we have configured North-South routing let’s have another look at the environment from above.
Let’s do a simple test with traceroute and see if local egress works. From AppServer-SE (192.168.0.20) we are egressing via “esg-se”:
From AppServer-US (192.168.0.22) we are egressing via “esg-us”:
A simple test, but local egress seems to work!
Conclusion
This concludes the blogpost series on cross-vCenter NSX. During these three posts we went through the process of setting up cross-vCenter NSX with local egress. We deployed and configured the different components and had a look at the data plane functions: universal East-West routing, universal distributed firewall and finally North-South routing in a cross-vCenter NSX environment.
All in all setting this up is a pretty straight forward process. Especially in a lab where we have control over the entire environment. 😉
Welcome back! In part one we prepared the management and control plane for cross-vCenter NSX. In this part we’re going to deploy the data plane for the East-West traffic in a cross-vCenter NSX environment.
Universal logical switch
We start by deploying logical switching between our two fictional sites “DC-SE” and “DC-US”. To accomplish this we create a “stretched” logical switch. In cross-vCenter NSX terminology this is called a universal logical switch.
With cross-vCenter NSX, the vCenter system paired with the primary NSX Manager is the point of administration for NSX universal constructs. In my environment the vCenter at DC-SE is paired with the primary NSX Manager.
Log in at the DC-SE’s vCenter and navigate to Networking and Security > Logical Switches. Click the “+ Add” button. Type a name for the logical switch,. In my lab I’ll call it “ULS App”. This logical switch will use the universal transport zone “UTZ” that was created in part one. Click “Add“.
By picking a universal transport zone for a logical switch, the logical switch itself becomes universal and will be synced to secondary NSX Managers.
Testing connectivity
We now have a logical switch that exists on both of the sites. The VXLAN tunneling protocol and the VTEPs are responsible for carrying the frames over layer 3 between the sites. If we now connect virtual machines on both sites to the same universal logical switch, we should have layer 2 connectivity between them.
Let’s test this by deploying a virtual machine at each site and connect them to the “ULS App” universal logical switch. I like Photon OS for lab purposes so I’m going to deploy two of these using the OVA.
Deploy the first virtual machine in DC-SE.
I’ll call it “AppServer-SE”.
And connect it to the “ULS App” logical switch.
Repeat this process over at DC-US. In my lab that virtual machine is called “AppServer-US”.
The first time we boot Photon OS deployed via the OVA, we need to change the root password. The default password is “changeme”.
I also want to set a hostname to avoid any confusion later on. Reboot the virtual machines after this.
At this point let’s have a look what the universal controller cluster knows about this logical segment. Start an SSH session to one of the NSX Managers and run the following command (replace “25000” with the VNI of your universal logical switch):
show logical-switch controller master vni 25000 mac
This looks good. The control plane has picked up the MAC addresses of both virtual machines. We can also see that the VTEPs of ESXi hosts on both sites are involved.
Do we have ARP entries?
show logical-switch controller master vni 25000 arp
Empty as expected. Let’s configure an IP address on the virtual machines.
AppServer-SE:
ifconfig eth0 192.168.0.10 netmask 255.255.255.0
AppServer-US:
ifconfig eth0 192.168.0.11 netmask 255.255.255.0
On both virtual machines we need to create iptables rules to allow ICMP:
iptables -A OUTPUT -p icmp -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT
And let’s see if the virtual machines can ping each other:
It works! Do we have ARP entries at the control plane now?
show logical-switch controller master vni 25000 arp
There they are!
So, we have verified L2 connectivity between the virtual machines which are located at different sites. Multi-site VXLAN in action!
Step 2 – Universal distributed logical router
East-West routing in a cross-vCenter NSX scenario is accomplished by deploying a universal distributed logical router. So let’s do that.
Log in at the DC-SE vCenter system and navigate to Networking and Security > NSX Edges. Click the “+Add” button and choose “Universal Distributed Logical Router”.
Give it a name like “UDLR-01”. Make sure you enable “Local Egress” which we’ll talk about in part three. Also tick the “Deploy Control VMs” box.
Set a password and enable SSH.
Configure the control VM deployment and choose a connection for the HA interface.
At this point we’ll just add one internal interface to the UDLR and attach it to the “ULS-App” logical switch that we created earlier. In my environment I call the interface “App-Tier” and assign it IP address 192.168.0.1 with a 24 prefix.
Disable “Configure Default Gateway” and complete the deployment wizard.
Once the UDLR is deployed we can test connectivity from one of the virtual machines by running a ping to the “App-Tier” interface IP address.
That should work as expected. Let’s add another universal logical switch to the environment so we can test some basic routing.
Once again in the vCenter system paired with the primary NSX Manager, navigate to Networking and Security > Logical Switches. Click the “+ Add” button. Type a name for the universal logical switch. I call it “ULS DB” in my environment. Once again choose “UTZ” as the transport zone. Click “Add“
Once created select the new “ULS DB” switch and click on Actions > Connect Edge. Select the “UDLR-01” edge.
Give the interface a name. I call it “DB-Tier” and select “Internal” as the interface type. Make sure the connectivity status is set to “Connected“. Assign IP address 192.168.1.1 with a 24 prefix and click “Add“.
Deploy a new virtual machine at one of the sites and connect it to the “ULS DB” logical switch.
Once the virtual machine is deployed, set a hostname. Mine is called “DBServer-SE” and reboot. Next configure it with IP address 192.168.1.10/24. Add a rule to iptables to allow ICMP. You should now be able to ping the DB-Tier UDLR-01 interface (192.168.1.1):
Can we reach any of the virtual machines connected to the App Tier at this point? Yes, but as none of the virtual machines have a default gateway configured it won’t work. Let’s quickly fix this:
For the App server virtual machines:
route add default gw 192.168.0.1 eth0
For the DBServer virtual machine:
route add default gw 192.168.1.1 eth0
And now routing between the two segments should work:
We can also use the NSX traceflow utility to visualize the path of the ICMP packets. From any of the vCenter systems navigate to Networking and Security > Tools > Traceflow. Do a trace from the DBServer-SE to AppServer-US for example:
Step 3 – Universal distributed firewall
Now that we have cross-vCenter routing and switching working it’s time to look at security.
Just as with universal distributed logical routing and universal logical switching, we use universal objects for security when we want to propagate them cross-vCenter. It is worth noting that not all NSX security features are available for cross-vCenter NSX. The things that are not supported are:
Exclude list
SpoofGuard
Flow monitoring for aggregate flows
Network service insertion
Edge Firewall
Service Composer
Universal security groups can contain the following:
Universal IP Sets
Universal MAC Sets
Universal Security Groups
Universal Security Tags
Dynamic criteria
As you see with cross-vCenter NSX security we’re not able to use vCenter constructs when defining security policies. Remember there’s a 1:1 relationship between NSX Manager and vCenter. One NSX Manager has no clue about the vCenter objects of a vCenter system paired with another NSX Manager.
Let’s create a universal firewall rule for our newly deployed virtual machines. Log in at the DC-SE vCenter system and navigate to Networking and Security > Security > Firewall > General. We start by creating a new universal firewall section. Click on “Add Section“. Call it “Universal Rules” and make sure you enable “Universal Synchronization“.
Once we have a universal firewall section we can start creating universal firewall rules in it. Click on “Add Rule” so a new empty rule shows up in the universal section.
Click on “Enter rule name” and write “Allow MariaDB”. Edit the source field and in the “Specify Source” click on “Create new IP Set“. Name the IP set “App-Tier” and add the 192.168.0.0/24 CIDR.
Select “App-Tier as the source for our “Allow MariaDB” rule:
Repeat this same procedure to specify the destination in the firewall rule. Call the IP set “DB-Tier” and specify the 192.168.1.0/24 CIDR.
Next we need to specify the service in this rule. Search for and add the “MySQL” service. Click “Save“.
The universal firewall rule should look like this now.
Click “Publish” to save and activate the changes.
Now let’s see if we can hit on the rule. We won’t actually install any MariaDB/MySQL server. Instead we’ll run a simple netcat listener on DBServer-SE and do a netcat connect from AppServer-US as a quick proof of concept.
First we need to allow traffic on TCP port 3306 through the iptables firewall on DBServer-SE:
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
Next start a netcat listener on TCP port 3306:
nc -l -p 3306
Over at the AppServer-US we can try to connect to port 3306:
nc -zv 192.168.0.20 3306
With no “block” rule in our distributed firewall anywhere this is the expected result (of course). But let’s have a look at the stats for our MySQL firewall rule. This can be looked up in a couple of places: vCenter GUI, central CLI, syslog or on the ESXi host. Today I’ll look this up on the ESXi host. Log in to the ESXi host where AppServer-US is running.
We first need the name of the filter at IOChain slot 2 of the AppServer-U vNic:
summarize-dvfilter | grep AppServer-U -A5
In my environment the filter’s name is “nic-2110503-eth0-vmware-sfw.2”
We use the “vsipioctl” command to see statistics for the rules in this filter:
The ID for the MySQL firewall rule in my environment is “2147483648”. As we can see, the simple netcat connectivity test resulted in exactly 1 hit on the MySQL firewall rule we created earlier.
The ID of a firewall rule can be found at several places as well. The DFW GUI in vCenter is one of them.
Wrapping up
In this part we deployed the data plane components for facilitating East-West traffic in a cross-vCenter NSX environment: universal logical switching and universal distributed logical routing. We touched upon universal distributed firewalling as well.
In part three we will look at the components and configuration involved with the North-South traffic in a cross-vCenter NSX environment: The Edge tier.
rutgerblom.com 