Sunday, 31 March 2019
Tuesday, 26 March 2019
NSX-T 2.2 Distributed Firewall (DFW)
The firewall is one of the security features of NSX-T. The NSX-T Distributed Firewall is applied at the vNIC level of the VM, which means the rules stay with the VM regardless of vMotion.
DFW Components
Firewall Rules are enforced as follows:
- Rules are processed in top-to-bottom ordering.
- Each packet is checked against the top rule in the rule table before moving down to the subsequent rules in the table.
- The first rule in the table that matches the traffic parameters is enforced.
How to Configure Firewall Rules
1. Login to NSX Manager UI
2. Firewall > Configuration > Select the Existing Section > Click on Add Section Above
3. Configure the section details
Note:-
There is no toggling between stateful and stateless once the section is defined.
4. Add a rule in the Section
Select Section > Click on the 3-dot icon > Add Rule
5. Configure the Rule Details. In my example I am dropping all types of traffic destined for the Web Server Logical Switch VMs > Publish
6. Now verify the rule functionality. Check ping to any Web Server VM, or anything else.
To know more about Firewall Rules, click here.
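The top-to-bottom, first-match processing described above, modelled in Python as an added example (this is not VMware's code or the DFW engine; the rule fields, the constructed web-server subnet 10.10.10.0/24 and the sample packet are assumptions). It shows why "Add Section Above" changes the outcome for the same packet, and adds the check a reviewer of a rule table wants: a lint that reports rules that can never fire because an earlier, broader rule already matches all of their traffic.

```python
"""First-match model of the NSX-T DFW rule table (added illustration; not
VMware code).  The table is walked top to bottom and the first rule whose
parameters match the packet is enforced, so the position of a section
('Add Section Above' vs. below) decides the outcome."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                    # "ALLOW" or "DROP"
    src: str = "any"               # CIDR or "any"
    dst: str = "any"               # CIDR or "any"
    protocol: str = "any"          # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None    # None = any destination port

    def matches(self, pkt: dict) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net)
        return (in_net(pkt["src"], self.src)
                and in_net(pkt["dst"], self.dst)
                and self.protocol in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


@dataclass
class Section:
    name: str
    stateful: bool                 # fixed once the section is created
    rules: List[Rule] = field(default_factory=list)


def evaluate(table: List[Section], pkt: dict, default: str = "ALLOW") -> Tuple[str, str]:
    """Return (action, 'section/rule') of the first matching rule, top to bottom."""
    for section in table:
        for rule in section.rules:
            if rule.matches(pkt):
                return rule.action, f"{section.name}/{rule.name}"
    return default, "default"


def add_section_above(table: List[Section], existing: str, new: Section) -> List[Section]:
    """The UI's 'Add Section Above': insert the new section before an existing one."""
    idx = next(i for i, s in enumerate(table) if s.name == existing)
    table.insert(idx, new)
    return table


def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by the earlier rule a."""
    def net_covers(an: str, bn: str) -> bool:
        if an == "any":
            return True
        if bn == "any":
            return False
        return ip_network(bn).subnet_of(ip_network(an))
    return (net_covers(a.src, b.src) and net_covers(a.dst, b.dst)
            and a.protocol in ("any", b.protocol)
            and a.dport in (None, b.dport))


def shadowed_rules(table: List[Section]) -> List[str]:
    """Rules that can never fire because an earlier rule already matches all their traffic."""
    seen: List[Rule] = []
    shadowed: List[str] = []
    for section in table:
        for rule in section.rules:
            if any(_covers(earlier, rule) for earlier in seen):
                shadowed.append(f"{section.name}/{rule.name}")
            seen.append(rule)
    return shadowed


def demo():
    web_net = "10.10.10.0/24"   # constructed: subnet of the Web Server logical switch
    table = [Section("Default Layer3 Section", stateful=True, rules=[
        Rule("allow-web-http", "ALLOW", dst=web_net, protocol="tcp", dport=80),
        Rule("default-allow", "ALLOW"),
    ])]
    ping = {"src": "10.10.20.5", "dst": "10.10.10.11", "proto": "icmp"}   # constructed packet
    before = evaluate(table, ping)
    # The post's step 2: a new section placed ABOVE the existing one.
    add_section_above(table, "Default Layer3 Section",
                      Section("Block-Web", stateful=True,
                              rules=[Rule("drop-to-web", "DROP", dst=web_net)]))
    after = evaluate(table, ping)
    return before, after, shadowed_rules(table)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the ping allowed by the default rule before the insert and dropped by `Block-Web/drop-to-web` after it; the lint also reports that `allow-web-http` is now shadowed by the drop-all section above it, which is exactly the kind of rule that silently stops working when someone adds a section above rather than below.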
NSX-T 2.2 Understanding Traceflow
Use Traceflow to inspect the path of a packet as it travels from one logical port on the logical network to another logical port on the same network. Traceflow traces the transport node-level path of a packet injected at a logical port. The trace packet traverses the logical switch overlay, but is not visible to interfaces attached to the logical switch; in other words, no packet is actually delivered to the test packet's intended recipients. This is one of the troubleshooting tools for checking where a packet is being dropped.
Traceflow Traffic Types (image credit: VMware Docs)
How to Use Traceflow
1. Login to NSX Manager UI
2. Tools > Traceflow > Unicast > Configure Source and Target > Trace
3. Once the trace is completed, you can view the results. In this example I was tracing the connectivity between two VMs, where one is on ESXi and the other is on KVM.
Monday, 25 March 2019
NSX-T 2.2 Logical Load Balancer
The NSX-T logical load balancer offers:-
- a high-availability service for applications, and
- distribution of the network traffic load among multiple servers.
You can map a virtual IP address to a set of pool servers for load balancing. The load balancer accepts TCP, UDP, HTTP, or HTTPS requests on the virtual IP address and decides which pool server to use.
Depending on your environment needs, you can scale the load balancer performance by increasing the existing virtual servers and pool members to handle heavy network traffic load.
Note:
- The logical load balancer is supported only on the Tier-1 logical router.
- One load balancer can be attached only to a Tier-1 logical router.
In-Line (image source: VMware Docs)
One-Arm (image source: VMware Docs)
NSX-T Load Balancer Features
- Layer 4 - TCP and UDP
- Layer 7 - HTTP and HTTPS with load balancer rules support
- Server pools - static and dynamic with NSGroup
- Persistence - Source-IP and Cookie persistence mode
- Health check monitors - Active monitor, which includes HTTP, HTTPS, TCP, UDP, and ICMP, and passive monitor
- SNAT - Transparent, Automap, and IP List
- HTTP upgrade
1. LB per NSX Edge
2. Max. Number of Virtual Servers and Pool Members Per LB
Configuring Load Balancer
In this scenario we have two web servers behind the Load Balancer. These two servers are going to be part of one server pool, and I have another sorry server pool with a web server to display a sorry message.
1. Create Server Pool
A server pool consists of one or more servers that are configured and running the same application. A single pool can be associated with both Layer 4 and Layer 7 virtual servers.
Prerequisites
- If you use dynamic pool members, an NSGroup must be configured.
- Depending on the monitoring you use, verify that active or passive health monitors are configured.
Choose one of the Load Balancing Algorithms (source: VMware Docs)
Configure the SNAT Translation > Next
Add Pool Members > Next
Membership Type can be
- Static
- Dynamic
Select Active Health Monitor > Finish
2. Create Virtual Servers
Load Balancing > Virtual Servers > Virtual Servers > Add > Next
Configure VIP and Port Number > Next
Select the Server Pool created in the previous step > Next
Click on Finish
3. Create Load Balancer
Load Balancing > Load Balancers > Load Balancer > Ok
Attach Load Balancer to a Virtual Server
Select Load Balancer > Actions > Attach to a Virtual Server
Attach Load Balancer to Tier-1 Logical Router
4. Configure Route Advertisement for LB VIP Routes on Tier-1 Router
5. Configure Route Redistribution for LB VIP Routes on Tier-0 Router
Now test the connectivity of these servers by using the LB VIP (192.168.100.7).
If you want a Sorry Server configuration, create a Server Pool for the Sorry Servers and bind it in the Virtual Server configuration.
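The virtual server, server pool, active health monitor and sorry-server pool described in this walkthrough, modelled in Python as an added example (not VMware's load balancer code; the algorithm names, the member addresses 10.10.10.11, 10.10.10.12 and 10.10.10.50, and the health results are constructed assumptions; only the VIP 192.168.100.7 comes from the post). The point it shows that the steps alone do not: the health monitor removes failed members from rotation, and the request only reaches the sorry pool when no member of the primary pool is healthy.

```python
"""Model of a virtual server with a primary pool, an active health monitor
and a sorry-server pool (added illustration; not VMware code).  Requests to
the VIP are sent to a healthy member of the primary pool; when no member
is healthy they fall through to the sorry pool."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Member:
    ip: str
    port: int = 80
    healthy: bool = True      # outcome of the active health monitor (constructed)
    connections: int = 0      # open connections, used by least-connection


@dataclass
class Pool:
    name: str
    algorithm: str = "ROUND_ROBIN"   # or "LEAST_CONNECTION" (names assumed here)
    members: List[Member] = field(default_factory=list)
    rr_index: int = field(default=0, repr=False)

    def pick(self) -> Optional[Member]:
        up = [m for m in self.members if m.healthy]   # monitor removes failed members
        if not up:
            return None
        if self.algorithm == "LEAST_CONNECTION":
            return min(up, key=lambda m: m.connections)
        member = up[self.rr_index % len(up)]
        self.rr_index += 1
        return member


@dataclass
class VirtualServer:
    vip: str
    port: int
    pool: Pool
    sorry_pool: Optional[Pool] = None

    def route(self) -> str:
        """Return 'pool:ip:port' of the member chosen for one new request."""
        for pool in (self.pool, self.sorry_pool):
            if pool is None:
                continue
            member = pool.pick()
            if member is not None:
                member.connections += 1
                return f"{pool.name}:{member.ip}:{member.port}"
        return "no member available"


def demo() -> List[str]:
    web = Pool("web-pool", "ROUND_ROBIN", [Member("10.10.10.11"), Member("10.10.10.12")])
    sorry = Pool("sorry-pool", "ROUND_ROBIN", [Member("10.10.10.50")])
    vs = VirtualServer("192.168.100.7", 80, web, sorry)   # VIP from the post; members constructed
    out = [vs.route() for _ in range(3)]          # alternates between the two web servers
    web.members[0].healthy = False                # monitor marks .11 down
    out.append(vs.route())                        # only .12 remains in rotation
    web.members[1].healthy = False                # whole pool down -> sorry server
    out.append(vs.route())
    sorry.members[0].healthy = False              # nothing left to answer
    out.append(vs.route())
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

When testing against the VIP, this is the behaviour to confirm: stop the web service on one member and check that the monitor takes it out of rotation before clients notice; stop both and check that the sorry page, not a connection error, is what clients see.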
NSX-T 2.2 NAT (Network Address Translation)
NAT is not a new concept in networking. In this post I will discuss the different types of NAT available on the Tier-0 and Tier-1 routers and how to configure NAT.
Source NAT (SNAT) - Tier 1
It changes the source address in the IP header of a packet. It can also change the source port in the TCP/UDP headers. The typical usage is to change a private address/port into a public address/port for packets leaving your network. You can create a rule to either enable or disable source NAT.
Prerequisites for SNAT
- The tier-0 router must have an uplink connected to a VLAN-based logical switch.
- The tier-0 router must have routing (static or BGP) and route redistribution configured on its uplink to the physical architecture.
- The tier-1 routers must each have an uplink to a tier-0 router configured. It must be backed by an edge cluster.
- The tier-1 routers must have downlink ports and route advertisement configured.
- The VMs must be attached to the correct logical switches.
Destination NAT (DNAT) - Tier 1
Destination NAT changes the destination address in the IP header of a packet. It can also change the destination port in the TCP/UDP headers. The typical usage is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside your network. You can create a rule to either enable or disable destination NAT.
Prerequisites for DNAT
- The tier-0 router must have an uplink connected to a VLAN-based logical switch.
- The tier-0 router must have routing (static or BGP) and route redistribution configured on its uplink to the physical architecture.
- The tier-1 routers must each have an uplink to a tier-0 router configured. It must be backed by an edge cluster.
- The tier-1 routers must have downlink ports and route advertisement configured.
- The VMs must be attached to the correct logical switches.
Reflexive NAT - Tier 0
When a tier-0 logical router is running in Active-Active ECMP mode, you cannot configure stateful NAT, because asymmetrical paths might cause issues. For Active-Active ECMP routers, you can use reflexive NAT (sometimes called stateless NAT).
For reflexive NAT, you can configure a single source address to be translated, or a range of addresses. If you configure a range of source addresses, you must also configure a range of translated addresses. The size of the two ranges must be the same. The address translation is deterministic, meaning that the first address in the source address range is translated to the first address in the translated address range, the second address in the source range is translated to the second address in the translated range, and so on.
Prerequisites for Reflexive NAT
- The tier-0 router must have an uplink connected to a VLAN-based logical switch.
- The tier-0 router must have routing (static or BGP) and route redistribution configured on its uplink to the physical architecture.
- The tier-1 routers must each have an uplink to a tier-0 router configured. It must be backed by an edge cluster.
- The tier-1 routers must have downlink ports and route advertisement configured.
- The VMs must be attached to the correct logical switches.
How to Configure NAT
1. Login to NSX Manager UI
2. Create a Tier-1 Logical Router and connect it with the Tier-0 Logical Router
Routing > Routers > Add > Tier-1
3. Configure the Logical Router details
4. Create a Logical Switch
Switching > Switches > Add
5. Create a Router Port in the Tier-1 Logical Router to connect it to the Logical Switch
Routing > Routers > Select Tier-1 Logical Router > Configuration > Ports > Add
6. Add an SNAT rule in the Tier-1 Logical Router
Routing > Routers > Select Tier-1 Logical Router > Services > NAT > Add NAT Rule
7. Likewise, add a DNAT rule too
8. Configure Route Advertisement in the Tier-1 Logical Router
Routing > Routers > Select Tier-1 Logical Router > Routing > Route Advertisement > Edit > Configure it > Save
9. Configure Route Redistribution in the Tier-0 Logical Router
Routing > Routers > Select Tier-0 Logical Router > Routing > Route Redistribution > Select the Desired Sources > Save
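The three NAT types covered in this post (SNAT and DNAT as configured on the Tier-1 router in the steps above, and the deterministic range mapping of reflexive NAT on an Active-Active Tier-0), modelled in Python as an added example. This is not VMware's NAT implementation: the rule fields, first-match processing, and the addresses (10.10.10.0/24, 10.10.30.0/28 and the documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) are constructed assumptions, and the model ignores connection tracking and source-port allocation. What it adds to the text is the check that the two reflexive ranges are the same size, which is the configuration error the page warns about.

```python
"""Model of NSX-T NAT rule processing (added illustration; not VMware code):
SNAT rewrites the source of packets leaving the network, DNAT rewrites the
destination of packets entering it, and reflexive (stateless) NAT maps a
source range onto an equally sized translated range deterministically."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    kind: str                               # "SNAT", "DNAT" or "REFLEXIVE"
    match: str                              # address/CIDR matched on src (SNAT, REFLEXIVE) or dst (DNAT)
    translated: str                         # single address, or a CIDR of equal size for REFLEXIVE
    translated_port: Optional[int] = None   # DNAT: rewrite the destination port as well
    enabled: bool = True                    # a rule can be created enabled or disabled

    def __post_init__(self) -> None:
        if self.kind == "REFLEXIVE":
            m, t = ip_network(self.match), ip_network(self.translated)
            if m.num_addresses != t.num_addresses:
                raise ValueError("reflexive NAT: source and translated ranges must be the same size")


def apply_nat(rules: List[NatRule], pkt: dict, direction: str) -> dict:
    """direction 'out': packet leaving the network (SNAT / REFLEXIVE apply);
    'in': packet arriving from outside (DNAT applies).  First matching rule wins."""
    pkt = dict(pkt)
    for r in rules:
        if not r.enabled:
            continue
        if direction == "out" and r.kind in ("SNAT", "REFLEXIVE") \
                and ip_address(pkt["src"]) in ip_network(r.match):
            if r.kind == "SNAT":
                pkt["src"] = str(ip_network(r.translated)[0])
            else:
                # deterministic: the n-th source address maps to the n-th translated address
                offset = int(ip_address(pkt["src"])) - int(ip_network(r.match).network_address)
                pkt["src"] = str(ip_network(r.translated).network_address + offset)
            return pkt
        if direction == "in" and r.kind == "DNAT" \
                and ip_address(pkt["dst"]) in ip_network(r.match):
            pkt["dst"] = str(ip_network(r.translated)[0])
            if r.translated_port is not None:
                pkt["dport"] = r.translated_port
            return pkt
    return pkt   # no rule matched: packet forwarded untranslated


def reflexive_size_mismatch() -> bool:
    """A /28 source range cannot be mapped onto a /29; the rule must be rejected."""
    try:
        NatRule("REFLEXIVE", "10.10.30.0/28", "198.51.100.0/29")
    except ValueError:
        return True
    return False


def demo():
    rules = [                                                    # constructed rule set
        NatRule("SNAT", "10.10.10.0/24", "203.0.113.10"),        # web subnet -> one public address
        NatRule("DNAT", "203.0.113.20", "10.10.10.11", translated_port=80),
        NatRule("REFLEXIVE", "10.10.30.0/28", "198.51.100.16/28"),
    ]
    outbound = apply_nat(rules, {"src": "10.10.10.11", "dst": "192.0.2.1",
                                 "proto": "tcp", "sport": 40000, "dport": 443}, "out")
    inbound = apply_nat(rules, {"src": "192.0.2.1", "dst": "203.0.113.20",
                                "proto": "tcp", "sport": 51000, "dport": 8080}, "in")
    reflexive = apply_nat(rules, {"src": "10.10.30.5", "dst": "192.0.2.1",
                                  "proto": "udp", "sport": 5000, "dport": 53}, "out")
    return outbound, inbound, reflexive


if __name__ == "__main__":
    for p in demo():
        print(p)
    print("mismatched reflexive ranges rejected:", reflexive_size_mismatch())
```

The reflexive case is the one worth reading twice: 10.10.30.5 is the sixth address of its /28, so it always becomes 198.51.100.21, the sixth address of the translated /28, on whichever Edge node of the Active-Active pair forwards it. That is what makes the translation safe across asymmetric ECMP paths, and why the two ranges must be the same size.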
Sunday, 24 March 2019
NSX-T 2.2 Centralized Port in Tier-1 Router
In an NSX-T Tier-1 Router, you can configure a Centralized Port. This port can be used to connect your VMs to the physical network without a Tier-0 Router.
How to Create Centralized Port in Tier-1 Router
1. Login to NSX Manager UI
2. Routing > Routers > Select Tier-1 Router > Configuration > Ports > Add > Add Centralized Port
3. Attach your VM to the Logical Switch where the Centralized Port is connected, and ping another machine in the physical network to check communication.
NSX-T 2.2 - Configuring ECMP in Tier-0 Logical Router
Equal cost multi-path (ECMP) routing increases the north-south communication bandwidth by adding an uplink to the tier-0 logical router and configuring it for each Edge node in an NSX Edge cluster. The ECMP routing paths are used to load balance traffic and provide fault tolerance for failed paths.
ECMP paths are automatically created from the VMs attached to logical switches to the Edge nodes on which the tier-0 logical router is instantiated. A maximum of eight ECMP paths are supported.
Note:- ECMP cannot be enabled when BGP is enabled. You Must DISABLE BGP First to Enable ECMP.
How to Enable ECMP
1. Login to NSX Manager UI
2. Routing > Routers > Select Tier-0 Router > Routing > BGP > Edit > Disable BGP First (If Enabled) > Save it > Click on Edit again > Toggle Status to Enabled > Toggle ECMP to Enabled > Save it.
NSX-T 2.2 NIOC Profile on an N-VDS Switch
Those who come from a vSphere background are aware of NIOC (Network I/O Control). With this feature in vSphere we can guarantee minimum bandwidth to system traffic running on NSX-T hosts by enabling and configuring network resource management on an NSX-T distributed switch. Network I/O Control version 3 for NSX-T supports resource management of system traffic related to virtual machines and to infrastructure services, such as vSphere Fault Tolerance. System traffic is strictly associated with a vSphere ESXi host.
Note:-You can reserve no more than 75 percent of the bandwidth of a physical network adapter
How to Create New NIOC Profile in NSX-T
1. Login to NSX Manager UI
2. Fabric > Profiles > NIOC Profiles > Add > Configure Profile as per use case > Click on Add