Sunday 31 March 2019

Entries in VTEP Table, MAC Table and ARP Table - NSX-T

NSX-T keeps several forwarding tables on every transport node. This post looks at the entries held in the VTEP table, the MAC table and the ARP table.


NSX-T Interoperability Matrices with All VMware Solutions

Tuesday 26 March 2019

NSX-T 2.2 Distributed Firewall (DFW)

The firewall is one of the NSX-T security features. The NSX-T Distributed Firewall (DFW) is enforced at the vNIC of each VM, so the rules travel with the VM and stay in force when it is vMotioned to another host.

DFW Components

Firewall rules are enforced as follows:
  1. Rules are processed in top-to-bottom order.
  2. Each packet is checked against the top rule in the rule table before moving down to the subsequent rules.
  3. The first rule that matches the traffic parameters is enforced; rules below it are not evaluated for that packet, so a broad rule placed above a narrower one silently overrides it.
How to Configure Distributed Firewall Rules
1. Login to NSX Manager UI


2. Firewall > Configuration > Select the Existing Section > Click on Add Section Above


3. Configure the section details
Note:-
A section is created as either stateful or stateless, and there is no toggling between the two once it is defined; to change it you must create a new section.

4. Add rule in Section
Select the Section > Click the three-dot icon > Add Rule


5. Configure the rule details. In my example I am dropping all types of traffic destined for the Web Server Logical Switch VMs > Publish


6. Now verify the rule functionality: ping any Web Server VM, or send any other traffic to it, and confirm that it is dropped.
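The ordering rule above is the part that bites in practice: a rule that can never fire because an earlier, broader rule already matches everything it would match is a silent misconfiguration, and the UI will not warn you. The block below is an added example, not the page's or VMware's code. It models a DFW rule table with CIDR sources and destinations and (protocol, port) services, evaluates a packet first-match top to bottom, and reports rules that an earlier rule has made unreachable. The 172.16.10.0/24 subnet standing in for the Web Server logical switch, and the client addresses, are assumptions.

```python
"""First-match evaluation of a DFW rule table, plus a check for rules that an
earlier rule makes unreachable.  Added example, not the page's or VMware's code:
the rule fields are a simplified model of a DFW rule, and the 172.16.10.0/24
subnet standing in for the Web Server logical switch is an assumption."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Service = Tuple[str, Optional[int]]          # ("tcp", 443); ("icmp", None) = any ICMP

@dataclass
class Rule:
    name: str
    action: str                              # "ALLOW", "DROP" or "REJECT"
    sources: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])
    destinations: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])
    services: Optional[List[Service]] = None  # None = any service
    enabled: bool = True

def _in_any(nets: List[str], ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in nets)

def _svc_match(services: Optional[List[Service]], proto: str, port: Optional[int]) -> bool:
    if services is None:
        return True
    return (proto, port) in services or (proto, None) in services

def first_match(rules: List[Rule], src: str, dst: str, proto: str,
                port: Optional[int] = None) -> Optional[Rule]:
    """Walk the table top to bottom and return the first enabled rule that matches.
    Rules below the match are never consulted, exactly as the DFW enforces them."""
    for r in rules:
        if (r.enabled and _in_any(r.sources, src) and _in_any(r.destinations, dst)
                and _svc_match(r.services, proto.lower(), port)):
            return r
    return None

def _covers(outer: List[str], inner: List[str]) -> bool:
    """Every network in `inner` lies inside some network in `outer`."""
    outer_nets = [ip_network(n, strict=False) for n in outer]
    return all(any(ip_network(i, strict=False).subnet_of(o) for o in outer_nets)
               for i in inner)

def _svc_covers(outer: Optional[List[Service]], inner: Optional[List[Service]]) -> bool:
    if outer is None:
        return True
    if inner is None:
        return False
    return all(s in outer or (s[0], None) in outer for s in inner)

def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where the earlier rule matches everything the
    later one would, so the later rule can never fire whatever its action is."""
    active = [r for r in rules if r.enabled]
    found = []
    for j, later in enumerate(active):
        for earlier in active[:j]:
            if (_covers(earlier.sources, later.sources)
                    and _covers(earlier.destinations, later.destinations)
                    and _svc_covers(earlier.services, later.services)):
                found.append((later.name, earlier.name))
                break
    return found

WEB_LS = ["172.16.10.0/24"]   # assumption: subnet behind the Web Server logical switch

# The page's rule ("drop everything to the web servers") followed by an allow that
# the operator expected to let HTTPS through.  With the drop above it, it never fires.
RULES = [
    Rule("Drop-to-Web", "DROP", destinations=WEB_LS),
    Rule("Allow-HTTPS-to-Web", "ALLOW", destinations=WEB_LS, services=[("tcp", 443)]),
    Rule("Default-Allow", "ALLOW"),
]
# Same rules with the narrower allow placed above the broad drop.
FIXED = [RULES[1], RULES[0], RULES[2]]

if __name__ == "__main__":
    for table in (RULES, FIXED):
        https = first_match(table, "10.0.0.5", "172.16.10.11", "tcp", 443)
        ping = first_match(table, "10.0.0.5", "172.16.10.11", "icmp")
        print([r.name for r in table], "https ->", https.action, "| ping ->", ping.action,
              "| shadowed:", shadowed(table))
```

Running `shadowed()` against an exported rule table before publishing is cheap; the check is conservative (it only flags a rule when every address and service it names is covered by one earlier rule), so anything it reports is genuinely dead.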

To know more about firewall rules, click here.

NSX-T 2.2 Understanding Traceflow

Use Traceflow to inspect the path of a packet as it travels from one logical port on the logical network to another logical port on the same network. Traceflow traces the transport-node-level path of a packet injected at a logical port. The trace packet traverses the logical switch overlay but is not visible to interfaces attached to the logical switch; in other words, no packet is actually delivered to the test packet's intended recipients. It is a troubleshooting tool for finding where a packet is being dropped.

Traceflow Traffic Types

Credit: VMware Docs
How to Use Traceflow
1. Login to NSX Manager UI


2. Tools > Traceflow > Unicast > Configure Source and Target > Trace






3. Once the trace is completed, you can view the results. In this example I was tracing the connectivity between two VMs, where one is on ESXi and the other is on KVM.
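The UI renders the same data that the API returns as a list of observations, and reading that list is what you do when the trace spans ESXi and KVM hosts and you want the exact hop and reason for a drop. The block below is an added example, not the page's or VMware's code. It walks an observation list in sequence order and reports the outcome, the hops and the drop point. The field names (resource_type, sequence_no, transport_node_name, component_type, component_name, reason) are taken from the NSX-T 2.x Manager API `GET /api/v1/traceflows/{id}/observations` as I recall it and should be checked against your version's API guide; the sample observations are constructed, not a real capture.

```python
"""Turn the observation list of a finished Traceflow into a hop-by-hop summary
and pinpoint the drop.  Added example, not the page's or VMware's code.  The
observation fields follow the NSX-T 2.x Manager API as I recall it (assumption;
verify against your version's API guide).  The sample is constructed."""
from typing import Dict, List

# Constructed observations for a trace from a VM on esxi-01 to a VM on kvm-01
# where the DFW on the receiving host drops the packet.
SAMPLE_OBSERVATIONS: List[Dict] = [
    {"resource_type": "TraceflowObservationReceived", "sequence_no": 0,
     "transport_node_name": "esxi-01", "component_type": "LS", "component_name": "Web-LS"},
    {"resource_type": "TraceflowObservationForwarded", "sequence_no": 1,
     "transport_node_name": "esxi-01", "component_type": "DFW", "component_name": "Default-Section"},
    {"resource_type": "TraceflowObservationForwarded", "sequence_no": 2,
     "transport_node_name": "esxi-01", "component_type": "VTEP", "component_name": "10.10.10.11"},
    {"resource_type": "TraceflowObservationReceived", "sequence_no": 3,
     "transport_node_name": "kvm-01", "component_type": "VTEP", "component_name": "10.10.10.21"},
    {"resource_type": "TraceflowObservationDropped", "sequence_no": 4,
     "transport_node_name": "kvm-01", "component_type": "DFW", "component_name": "Drop-to-Web",
     "reason": "FW_RULE"},
]

def summarize(observations: List[Dict]) -> Dict:
    """Return {'outcome', 'hops', 'drop'}.  outcome is 'delivered', 'dropped' or
    'incomplete'.  A trace whose last observation is only 'Forwarded' is
    incomplete, not a pass: the far-side transport node reported nothing."""
    hops, drop, outcome = [], None, "incomplete"
    for o in sorted(observations, key=lambda obs: obs.get("sequence_no", 0)):
        kind = o["resource_type"].replace("TraceflowObservation", "")
        hops.append((kind, o.get("transport_node_name", "?"),
                     o.get("component_type", "?"), o.get("component_name", "")))
        if kind.startswith("Dropped"):
            outcome = "dropped"
            drop = {"transport_node": o.get("transport_node_name", "?"),
                    "component_type": o.get("component_type", "?"),
                    "component_name": o.get("component_name", ""),
                    "reason": o.get("reason", "unspecified")}
            break                      # nothing after the drop is meaningful
        if kind == "Delivered":
            outcome = "delivered"
    return {"outcome": outcome, "hops": hops, "drop": drop}

def render(summary: Dict) -> str:
    """Plain-text view of a summary, one hop per line."""
    lines = [f"{i:>2}  {kind:<9} {node:<10} {ctype:<5} {cname}"
             for i, (kind, node, ctype, cname) in enumerate(summary["hops"])]
    if summary["drop"]:
        d = summary["drop"]
        lines.append(f"--> dropped on {d['transport_node']} at {d['component_type']} "
                     f"'{d['component_name']}' (reason: {d['reason']})")
    else:
        lines.append(f"--> {summary['outcome']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_OBSERVATIONS)))
```

The three-way outcome matters: only a `Delivered` observation means the destination port received the packet, and a list that ends in `Forwarded` should be re-run or investigated on the receiving transport node rather than read as success.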




Monday 25 March 2019

NSX-T 2.2 Logical Load Balancer

The NSX-T logical load balancer offers:-
  1. a high-availability service for applications, and
  2. distribution of the network traffic load among multiple servers.
The load balancer distributes incoming service requests evenly among multiple servers in such a way that the load distribution is transparent to users. Load balancing helps in achieving optimal resource utilization, maximizing throughput, minimizing response time, and avoiding overload.

You can map a virtual IP address to a set of pool servers for load balancing. The load balancer accepts TCP, UDP, HTTP, or HTTPS requests on the virtual IP address and decides which pool server to use.

Depending on your environment needs, you can scale the load balancer performance by increasing the existing virtual servers and pool members to handle heavy network traffic load.

Note:
  1. The logical load balancer is supported only on the Tier-1 logical router.
  2. A load balancer is attached to exactly one Tier-1 logical router, and a Tier-1 logical router can have only one load balancer attached.
Load Balancing Topologies

In-Line
Image Source: VMware Docs
One-Arm
Image Source: VMware Docs
NSX-T Load Balancer Features
  • Layer 4 - TCP and UDP
  • Layer 7 - HTTP and HTTPS with load balancer rules support
  • Server pools - static and dynamic with NSGroup
  • Persistence - Source-IP and Cookie persistence mode
  • Health check monitors - Active monitor which includes HTTP, HTTPS, TCP, UDP, and ICMP, and passive monitor
  • SNAT - Transparent, Automap, and IP List
  • HTTP upgrade
NSX-T Load Balancer Maximums
1. LB per NSX Edge


2. Max. Number of Virtual Servers and Pool Members Per LB


Configuring Load Balancer 
In this scenario we have two web servers behind the Load Balancer. These two servers are going to be part of one server pool, and I have another server pool, the sorry pool, with a web server that displays a sorry page.
1. Create Server Pool
Server pool consists of one or more servers that are configured and running the same application. A single pool can be associated to both Layer 4 and Layer 7 virtual servers.
Prerequisites
  • If you use dynamic pool members, a NSGroup must be configured.
  • Depending on the monitoring you use, verify that active or passive health monitors are configured. 
Load Balancing > Server Pools > Server Pools > Add > Click on Next
Choose one of the load balancing algorithms
Source: VMware Docs


Configure the SNAT Translation > Next



Add Pool Members > Next
Membership Type can be
  • Static
  • Dynamic

Select Active Health Monitor > Finish


2. Create Virtual Servers
Load Balancing > Virtual Servers > Virtual Servers > Add > Next


Configure VIP and Port Number > Next

Select Server Pool Created in Previous Step > Next


Click on Finish


3. Create Load Balancer
Load Balancing > Load Balancers > Load Balancer > Ok


Attach Load Balancer to a Virtual Server
Select Load Balancer > Actions > Attach to a Virtual Server


Attach Load Balancer to Tier-1 Logical Router


4. Configure Route Advertisement for LB VIP Routes on Tier-1 Router


5. Configure Route Redistribution For LB VIP Routes on Tier-0 Router


Now test connectivity to these servers through the LB VIP (192.168.100.7).

If you want a sorry server, create a separate server pool for the sorry servers and bind it to the virtual server as its sorry pool; the load balancer sends traffic to the sorry pool only when every member of the primary pool is down.
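The pieces configured above (pool, algorithm, health monitor, persistence, sorry pool) interact at request time in ways that are easier to see in code than in screenshots. The block below is an added example, not the page's or VMware's code. It models what the virtual server does with each client: round-robin or IP-hash selection among members the active monitor still considers healthy, source-IP persistence that is honoured only while the sticky member is up, and fall-back to the sorry pool once the primary pool is empty. The 192.168.100.7 VIP is the one on the page; the member and client addresses are constructed.

```python
"""Request-time behaviour of a virtual server: member selection, source-IP
persistence, members removed by the health monitor, and the sorry pool.
Added example, not the page's or VMware's code; the VIP is from the page,
all other addresses are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Member:
    ip: str
    port: int = 80
    healthy: bool = True               # flipped by the active health monitor

@dataclass
class Pool:
    name: str
    members: List[Member]
    algorithm: str = "ROUND_ROBIN"     # or "IP_HASH"
    rr_index: int = 0

    def up(self) -> List[Member]:
        return [m for m in self.members if m.healthy]

def apply_monitor(pool: Pool, probe_results: Dict[str, bool]) -> None:
    """Active monitor outcome: members whose probe failed leave the rotation."""
    for m in pool.members:
        m.healthy = probe_results.get(m.ip, m.healthy)

@dataclass
class VirtualServer:
    vip: str
    port: int
    pool: Pool
    sorry_pool: Optional[Pool] = None
    persistence: Optional[str] = None  # "SOURCE_IP" or None
    table: Dict[str, Member] = field(default_factory=dict)   # persistence entries

    def select(self, client_ip: str) -> Optional[Member]:
        # 1. an existing persistence entry wins, but only while that member is up
        if self.persistence == "SOURCE_IP":
            stuck = self.table.get(client_ip)
            if stuck is not None and stuck.healthy:
                return stuck
            self.table.pop(client_ip, None)
        # 2. primary pool, else sorry pool, else nothing (client sees reset/timeout)
        pool = self.pool if self.pool.up() else self.sorry_pool
        if pool is None or not pool.up():
            return None
        candidates = pool.up()
        if pool.algorithm == "IP_HASH":
            digest = hashlib.sha256(client_ip.encode()).digest()
            member = candidates[int.from_bytes(digest[:4], "big") % len(candidates)]
        else:
            member = candidates[pool.rr_index % len(candidates)]
            pool.rr_index += 1
        # 3. only primary-pool picks are worth remembering
        if self.persistence == "SOURCE_IP" and pool is self.pool:
            self.table[client_ip] = member
        return member

def build_vs() -> VirtualServer:
    web = Pool("web-pool", [Member("172.16.10.11"), Member("172.16.10.12")])
    sorry = Pool("sorry-pool", [Member("172.16.10.99")])
    return VirtualServer("192.168.100.7", 80, web, sorry_pool=sorry,
                         persistence="SOURCE_IP")

def demo() -> List[str]:
    """Members chosen as clients arrive and the monitor takes servers out."""
    vs = build_vs()
    picks = [vs.select("10.0.0.1").ip,      # round robin -> .11
             vs.select("10.0.0.2").ip,      # -> .12
             vs.select("10.0.0.1").ip]      # persistence keeps 10.0.0.1 on .11
    apply_monitor(vs.pool, {"172.16.10.11": False})   # .11 fails its probe
    picks.append(vs.select("10.0.0.1").ip)  # entry discarded, only .12 is left
    apply_monitor(vs.pool, {"172.16.10.12": False})   # now both are down
    picks.append(vs.select("10.0.0.3").ip)  # sorry pool answers -> .99
    return picks

if __name__ == "__main__":
    print(demo())
```

Two details worth checking in your own deployment match this model: a persistence entry must not pin a client to a member the monitor has marked down, and a sorry pool is consulted only when the primary pool has no healthy member, not when the primary pool is merely busy.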


NSX-T 2.2 NAT (Network Address Translation)

NAT is not a new concept in networking. In this post I will discuss the different types of NAT available on the Tier-0 and Tier-1 routers and how to configure NAT.

Source NAT (SNAT) - Tier 1
It changes the source address in the IP header of a packet. It can also change the source port in the TCP/UDP headers. The typical usage is to change a private address/port into a public address/port for packets leaving your network. You can create a rule to either enable or disable source NAT.

Prerequisites for SNAT
  1. The tier-0 router must have an uplink connected to a VLAN-based logical switch.
  2. The tier-0 router must have routing (static or BGP) and route redistribution configured on its uplink to the physical architecture.
  3. The tier-1 routers must each have an uplink to a tier-0 router configured. It must be backed by an edge cluster.
  4. The tier-1 routers must have downlink ports and route advertisement configured.
  5. The VMs must be attached to the correct logical switches.
Destination NAT (DNAT) - Tier 1
Destination NAT changes the destination address in the IP header of a packet. It can also change the destination port in the TCP/UDP headers. The typical usage is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside your network. You can create a rule to either enable or disable destination NAT.

Prerequisites for DNAT
The same as for SNAT above.
Reflexive NAT - Tier 0
When a tier-0 logical router is running in Active-Active ECMP mode, you cannot configure stateful NAT: the return traffic of a flow may arrive on a different Edge node than the one that translated the outbound packet, and that node holds no state for it. For Active-Active ECMP routers, use reflexive NAT (sometimes called stateless NAT) instead.

For reflexive NAT, you can configure a single source address to be translated, or a range of addresses. If you configure a range of source addresses, you must also configure a range of translated addresses. The size of the two ranges must be the same. The address translation will be deterministic, meaning that the first address in the source address range will be translated to the first address in the translated address range, the second address in the source range will be translated to the second address in the translated range, and so on.

Prerequisites for Reflexive NAT
The same as for SNAT above.
How to Configure SNAT and DNAT
1. Login to NSX Manager UI

2.  Create Tier 1 Logical Router and Connect it with Tier 0 Logical Router
Routing > Routers > Add > Tier-1


3.  Configure the Logical Router Details
4. Create Logical Switch
Switching > Switches > Add


5. Create a Router Port in Tier 1 Logical Router to connect it to Logical Switch
Routing > Routers > Select Tier 1 Logical Router > Configuration > Ports > Add


6. Add SNAT rule in Tier 1 Logical Router
Routing > Routers > Select Tier 1 Logical Router > Services > NAT > Add NAT Rule


7. Likewise add DNAT Rule too


8. Configure Route Advertisement in Tier 1 Logical Router
Routing > Routers > Select Tier 1 Logical Router > Routing > Route Advertisement > Edit > configure it > Save


9. Configure Route Redistribution in Tier-0 Logical Router
Routing > Routers > Select Tier 0 Logical Router > Routing > Route Redistribution > Select the Desired Sources > Save
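The three NAT types above differ in how a rule is chosen and, for reflexive NAT, in how the translated address is derived, and steps 8 and 9 are what make any of it reachable from outside the fabric. The block below is an added example, not the page's or VMware's code. It models first-match SNAT and DNAT on a Tier-1, the deterministic one-to-one mapping of reflexive NAT on an Active-Active Tier-0 (including the same-size-range check), and a helper that produces the Tier-1 route advertisement and Tier-0 redistribution settings needed for NAT routes and, for the load balancer post above, LB VIPs. The rule fields are my own simplification; the advertisement flag and redistribution source names follow the NSX-T 2.x Manager API as I recall it and are an assumption to verify against your version's API guide. All addresses are constructed.

```python
"""Model of the NAT behaviour described above: first-match SNAT and DNAT on a
Tier-1, the deterministic one-to-one mapping of reflexive NAT on an
Active-Active Tier-0, and the Tier-1 advertisement / Tier-0 redistribution
settings that make translated addresses (and LB VIPs) reachable.  Added example,
not the page's or VMware's code.  Advertisement flag and redistribution source
names are assumptions from the NSX-T 2.x Manager API.  Addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class NatRule:
    action: str                       # "SNAT", "DNAT" or "REFLEXIVE"
    match_network: str                # host, CIDR or "first-last" range
    translated_network: str           # host for SNAT/DNAT; same-size range for REFLEXIVE
    match_port: Optional[int] = None  # DNAT only: public port to match (None = any)
    translated_port: Optional[int] = None
    enabled: bool = True

def expand(spec: str) -> List[ipaddress.IPv4Address]:
    """All addresses named by a host, a CIDR block or a 'first-last' range."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range {spec} runs backwards")
        return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    return list(ipaddress.ip_network(spec, strict=False))

def matches(spec: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in expand(spec)

def reflexive_map(rule: NatRule) -> Dict[str, str]:
    """Reflexive NAT: the n-th source address always becomes the n-th translated
    address, so both ranges must be the same size."""
    if rule.action != "REFLEXIVE":
        raise ValueError("not a reflexive rule")
    src, dst = expand(rule.match_network), expand(rule.translated_network)
    if len(src) != len(dst):
        raise ValueError(f"{len(src)} source vs {len(dst)} translated addresses")
    return {str(s): str(d) for s, d in zip(src, dst)}

def translate_egress(rules: List[NatRule], src_ip: str) -> str:
    """Outbound packet: the first enabled SNAT/REFLEXIVE rule covering src_ip wins."""
    for r in rules:
        if not r.enabled or r.action not in ("SNAT", "REFLEXIVE"):
            continue
        if matches(r.match_network, src_ip):
            return reflexive_map(r)[src_ip] if r.action == "REFLEXIVE" else r.translated_network
    return src_ip                                    # no rule: address unchanged

def translate_ingress(rules: List[NatRule], dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Inbound packet: the first enabled DNAT rule covering dst_ip (and port) wins."""
    for r in rules:
        if (r.enabled and r.action == "DNAT" and matches(r.match_network, dst_ip)
                and r.match_port in (None, dst_port)):
            return r.translated_network, r.translated_port or dst_port
    return dst_ip, dst_port

def make_reachable(nat: bool = False, lb_vip: bool = False) -> Dict[str, object]:
    """Tier-1 route advertisement and Tier-0 redistribution sources needed before
    the translated addresses (or LB VIPs) are known outside the fabric."""
    advertisement = {"enabled": True, "advertise_nsx_connected_routes": True,
                     "advertise_nat_routes": nat,
                     "advertise_lb_vip": lb_vip, "advertise_lb_snat_ip": lb_vip}
    sources = ["NSX_CONNECTED"]
    sources += ["TIER1_NAT"] if nat else []
    sources += ["TIER1_LB_VIP", "TIER1_LB_SNAT"] if lb_vip else []
    return {"tier1_advertisement": advertisement, "tier0_redistribution_sources": sources}

# Tier-1: the web subnet leaves as one public address; public :80 reaches a web server
T1_RULES = [
    NatRule("SNAT", "172.16.10.0/24", "192.168.100.10"),
    NatRule("DNAT", "192.168.100.20", "172.16.10.11", match_port=80, translated_port=8080),
]
# Active-Active Tier-0: four hosts get four fixed public addresses, no state needed
T0_REFLEXIVE = NatRule("REFLEXIVE", "172.16.20.1-172.16.20.4", "192.168.100.41-192.168.100.44")

if __name__ == "__main__":
    print("egress  172.16.10.11      ->", translate_egress(T1_RULES, "172.16.10.11"))
    print("ingress 192.168.100.20:80 ->", translate_ingress(T1_RULES, "192.168.100.20", 80))
    print("reflexive map:", reflexive_map(T0_REFLEXIVE))
    print(make_reachable(nat=True))
```

The range-size check in `reflexive_map` is the one the UI enforces for you; the ordering in `translate_egress` and `translate_ingress` is the one you have to get right yourself, since a broad SNAT rule above a more specific one wins in the same way a broad firewall rule does.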



Sunday 24 March 2019

NSX-T 2.2 Centralized Port in Tier-1 Router

On an NSX-T Tier-1 router you can configure a centralized port. This port connects the Tier-1 router to a VLAN-backed logical switch, so your VMs can reach the physical network without going through a Tier-0 router. Because the port is realized on the Tier-1 service router, traffic through it is handled centrally on the Edge cluster rather than distributed across the hosts.

How to Create Centralized Port in Tier-1 Router

1. Login to NSX Manager UI


2. Routing > Routers > Select Tier-1 Router > Configuration > Ports > Add > Add Centralized Port


3. Attach your VM with Logical Switch Where Centralized Port is Connected and Ping to Another Machine in Physical Network for Communication Check.

NSX-T 2.2 - Configuring ECMP in Tier-0 Logical Router

Equal-cost multi-path (ECMP) routing increases north-south bandwidth: you add an uplink to the tier-0 logical router for each Edge node in the NSX Edge cluster, and the resulting equal-cost paths are used to load-balance traffic and to provide fault tolerance when a path fails.

ECMP paths are automatically created from the VMs attached to logical switches to the Edge nodes on which the tier-0 logical router is instantiated. A maximum of eight ECMP paths are supported.

Note:- The ECMP toggle cannot be changed while BGP is enabled. Disable BGP first, then re-enable BGP together with ECMP; ECMP is used with BGP, not instead of it.


How to Enable ECMP
1. Login to NSX Manager UI

2. Routing > Routers > Select Tier-0 Router > Routing > BGP > Edit > Disable BGP First (If Enabled) > Save it >  Click on Edit again > Toggle Status to Enabled > Toggle ECMP to Enabled > Save it.


NSX-T 2.2 NIOC Profile on an N-VDS Switch

Those who come from a vSphere background already know NIOC (Network I/O Control). In vSphere it guarantees a minimum bandwidth to system traffic; on NSX-T hosts you enable and configure the same resource management on the N-VDS through a NIOC profile. Network I/O Control version 3 on NSX-T manages system traffic for virtual machines and for infrastructure services such as vSphere Fault Tolerance. System traffic is strictly associated with a vSphere ESXi host.

Note:- You can reserve no more than 75 percent of the bandwidth of a physical network adapter for system traffic.

How to Create New NIOC Profile in NSX-T
1. Login to NSX Manager UI

2. Fabric > Profiles > NIOC Profiles > Add > Configure Profile as per use case > Click on Add
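The UI will reject a profile whose reservations exceed the 75 percent rule, but catching it before the request is sent keeps a scripted build from failing half-way. The block below is an added example, not the page's or VMware's code. It builds the NIOC profile body and validates the shares, limits and total reservation against the adapter speed. The traffic-type names and the `resource_type` / `host_infra_traffic_res` layout follow the NSX-T 2.x Manager API NiocProfile object as I recall it and are an assumption to verify against your version's API guide; the adapter speed and reservations are constructed.

```python
"""Builds a NIOC profile for the N-VDS and checks it against the 75 percent
reservation rule before it is sent to NSX Manager.  Added example, not the page's
or VMware's code.  Traffic-type names and the API object layout are assumptions
from the NSX-T 2.x Manager API NiocProfile object; values are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# System traffic types NIOC on an NSX-T host can manage (assumed enum names)
TRAFFIC_TYPES = {"MANAGEMENT", "VMOTION", "FAULT_TOLERANCE", "VIRTUAL_MACHINE",
                 "ISCSI", "NFS", "VSAN", "HBR", "VDP"}
MAX_RESERVATION_PCT = 75            # the page's rule: at most 75 % of a pNIC

@dataclass
class TrafficRes:
    traffic_type: str
    shares: int = 50                # relative weight under contention, 1..100
    reservation: int = 0            # guaranteed Mbps
    limit: int = -1                 # Mbps cap, -1 = unlimited

def reservable_mbps(pnic_mbps: int) -> int:
    """Largest total reservation allowed on an adapter of the given speed."""
    return pnic_mbps * MAX_RESERVATION_PCT // 100

def nioc_profile(name: str, pnic_mbps: int, entries: List[TrafficRes]) -> Dict:
    """Validate the entries and return the body for POST /api/v1/host-switch-profiles.
    pnic_mbps should be the slowest adapter on the N-VDS: the limit applies per
    physical adapter."""
    seen, total = set(), 0
    for e in entries:
        if e.traffic_type not in TRAFFIC_TYPES:
            raise ValueError(f"unknown traffic type {e.traffic_type}")
        if e.traffic_type in seen:
            raise ValueError(f"{e.traffic_type} listed twice")
        seen.add(e.traffic_type)
        if not 1 <= e.shares <= 100:
            raise ValueError(f"{e.traffic_type}: shares must be 1..100")
        if e.reservation < 0 or (e.limit != -1 and e.limit < e.reservation):
            raise ValueError(f"{e.traffic_type}: limit below reservation")
        total += e.reservation
    cap = reservable_mbps(pnic_mbps)
    if total > cap:
        raise ValueError(f"reservations total {total} Mbps, but only {cap} Mbps "
                         f"({MAX_RESERVATION_PCT}% of {pnic_mbps} Mbps) may be reserved")
    return {
        "resource_type": "NiocProfile",
        "display_name": name,
        "enabled": True,
        "host_infra_traffic_res": [
            {"traffic_type": e.traffic_type, "shares": e.shares,
             "reservation": e.reservation, "limit": e.limit} for e in entries],
    }

if __name__ == "__main__":
    import json
    profile = nioc_profile("nioc-10g", 10_000, [
        TrafficRes("MANAGEMENT", shares=50, reservation=1000),
        TrafficRes("VMOTION", shares=50, reservation=2000, limit=4000),
        TrafficRes("VIRTUAL_MACHINE", shares=100, reservation=4000),
    ])
    print(json.dumps(profile, indent=2))
```

Reservations are absolute Mbps while shares only decide who wins under contention, so the check that matters operationally is the total reservation against the slowest adapter, not the share values.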