NSX – Configure Guest Introspection

Install Guest Introspection

Installing Guest Introspection installs a new vib and a service virtual machine on each host in the cluster. Guest Introspection is required for NSX Data Security, Activity Monitoring, and several third-party security solutions.

If you want to assign an IP address to the NSX Guest Introspection service virtual machine from an IP pool, create the IP pool before installing NSX Guest Introspection.

1. On the Installation tab, click Service Deployments.

2. Click the New Service Deployment icon.

Continue reading

NSX – Troubleshoot DHCP/DNS/NAT service issues

Troubleshoot DHCP service issues

If you are troubleshooting make sure you have enabled logging and changed the mode to debug or error etc. This sends the logs to the syslog server configured for the ESG.

You must restart the DHCP service on client virtual machines in the following situations:

  • You changed or deleted a DHCP pool, default gateway, or DNS server.
  • You changed the internal IP address of the NSX Edge instance

Continue reading

NSX – Configure L2 VPN service to stretch multiple logical networks across geographical sites

You first enable the L2 VPN service on the NSX Edge instance and then configure a server and then a client. I’m going to try and use a Hands on Lab to spin up two ESGs and stretch a L2 network between them both.

You need to use the Trunk interface to setup L2 VPNs, so here are the steps for that:

1. Click on Settings tab. Click on Interfaces Select a vNIC and click on the pencil icon to bring up the Edit NSX Edge Interface wizard.

2. Enter an interface name then set Type: Trunk. Click on the Select link next to the text box for Connected To and attach the interface to a standard or distributed port group:

Continue reading

NSX – Download Technical Support logs from NSX Edge instances

You normally download the Technical Support Logs from the Edge Services Gateway if experiencing issues.

Should you be running the ESG in HA mode the logs for both are downloaded at the same time. Select the Edge Services Gateway that you wish to download the Technical Support Logs from.

Right-click and select Download Tech Support Logs:

Once they are gathered click Download and then save them:

NSX – Enable SSH after Edge is deployed

Very quick post being filed under every day is a school day!

I deployed an Edge Service Gateway without ticking (or more specifically unticking) the Enable SSH button. Along comes some routing issue and I would really like to SSH onto the Edge and do a show ip route but I could not figure out how to enable SSH after the Edge is deployed. Much digging later the only way I could see is to open Networking and Security then browse to NSX Edges, highlight the Edge you want to enable SSH on and click Actions:

Once here click “Change CLI Credentials”:

Type in a password (you can reuse the existing password you set) and tick “Enable SSH”.

Job done!

NSX – Configure IPSec VPN service to enable site to site communication

What a pita this has been, the process is reasonably straight forward but trying to do this in a nested environment is a pain!! The settings below should be done of both ESGs (in my (hands on) lab I created two ESGs with a directly connected “Internal” Logical Switch and an “Internet” Logical Switch and used a DLR to act as the Internet Router.

Something like this:

10.10.100.0/24 >Site 1 ESG Internal (10.10.100.1) > Site 1 ESG Internet (10.10.10.1) > Internet DLR (10.10.10.254) > Internet DLR (20.20.20.254) > Site 2 ESG Internet (20.20.20.1) > Site 2 ESG Internal (20.20.200.1) > 20.20.200.0/24

Enable IPSec VPN Service

You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the VPN tab.

5. Click IPSec VPN.

Continue reading