Monthly Archives: July 2017

NSX – IS-IS

Configure IS-IS Protocol

Intermediate System to Intermediate System (IS-IS) is a routing protocol designed to move information by determining the best route for datagrams through a packet-switched network.

A two-level hierarchy is used to support large routing domains. A large domain may be divided into areas. Routing within an area is referred to as Level 1 routing. Routing between areas is referred to as Level 2 routing. A Level 2 Intermediate System (IS) keeps track of the paths to destination areas. A Level 1 IS keeps track of the routing within its own area. For a packet going to another area, a Level 1 IS sends the packet to the nearest Level 2 IS in its own area, regardless of what the destination area is. Then the packet travels via Level 2 routing to the destination area, where it may travel via Level 1 routing to the destination. This is referred to as Level-1-2.

NSX – Configure route redistribution to support a multi-protocol environment

Configure Route Redistribution

By default, routers share routes with other routers running the same protocol. In a multi-protocol environment, you must configure route redistribution for cross-protocol route sharing.

Procedure

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click Routing and then click Route Redistribution.


NSX – Manage User rights

A user’s role defines the actions the user is allowed to perform on a given resource. The role determines the user’s authorized activities on the given resource, ensuring that a user has access only to the functions necessary to complete applicable operations. This allows domain control over specific resources, or system-wide control if the assigned right has no restrictions.

The following rules are enforced:

  • A user can only have one role.
  • You cannot add a role to a user, or remove an assigned role from a user. You can, however, change the assigned role for a user.

  • Enterprise Administrator = NSX operations and security.
  • NSX Administrator = NSX operations only: for example, install virtual appliances, configure port groups.
  • Security Administrator = NSX security only: for example, define data security policies, create port groups, create reports for NSX modules.
  • Auditor = Read only.

Assign roles to user accounts

1. Log into the vSphere Web Client.

2. Click Networking and Security.

3. Click NSX Managers on the left-hand side.

4. Select the NSX Manager, click Manage, followed by Users.


NSX – Implement identity service support for Active Directory, NIS, and LDAP with Single Sign-On (SSO)

I think we have already covered this… but no issues going through the process again!

You can register one or more Windows domains with an NSX Manager and its associated vCenter Server. NSX Manager gets group and user information, as well as the relationship between them, from each domain that it is registered with. NSX Manager also retrieves Active Directory (AD) credentials.

Once NSX Manager retrieves AD credentials, you can create security groups based on user identity, create identity-based firewall rules, and run Activity Monitoring reports.

This is achieved by joining the NSX Manager to the domain. To do this, go to the Networking and Security plugin, then NSX Managers, and select the NSX Manager you want to join to the domain. Once you have this screen loaded up, click on Manage then Domains:


NSX – Enable data collection for single/multiple virtual machines

Activity Monitoring provides visibility into your virtual network to ensure that security policies at your organization are being enforced correctly.

A security policy may mandate who is allowed access to which applications. The cloud administrator can generate Activity Monitoring reports to see whether the IP-based firewall rule they set is doing the intended work. By providing user- and application-level detail, Activity Monitoring translates high-level security policies into their low-level IP address and network-based implementation.

Once you enable data collection for Activity Monitoring, you can run reports to view inbound traffic (such as virtual machines being accessed by users) as well as outbound traffic (resource utilization, interaction between inventory containers, and AD groups that accessed a server).

To enable Data Collection on a single Virtual Machine:

1. Log in to the vSphere Web Client.

2. Click vCenter and then click VMs and Templates.

3. Select a virtual machine from the left inventory panel.

4. Click the Manage tab and then click the Settings tab.

5. Click NSX Activity Monitoring from the left panel.


NSX – Monitor health and status of infrastructure components

vSphere

Hopefully my VCAP-DCA should get me past this one… probably asking about capacity or vCenter services etc. etc. I’m not going to cover this (apologies for this post as well… short and sweet):

NSX Manager

Checking the NSX Manager services, CPU utilisation, RAM utilisation and storage use is always a good start. I’ve covered this already in another post but log into the NSX Manager and click on the Summary button:

NSX – Troubleshoot Logical Router interface and route mappings

Same as my previous post, this post is really just my notes on the logical-router commands from the controller cluster:

I only have 1 DLR so this is listed above (really just interested in the LR-ID (in my case this is 0x1388)).

You can also pull back the routing table of the DLR by running the following command (unfortunately my Hands on Lab expired and I can’t really be bothered setting up routing again… so the routing table of this DLR has no entries… I’ve stolen a pic from the web with what it should look like):

NSX – Troubleshoot Logical Switch transport zone and NSX Edge mappings

Most of this blog is going to be around using show control-cluster logical-switches, seems like the most likely avenue for troubleshooting Logical Switches and mappings… maybe?

This has listed the controller responsible for each VNI (Segment/Logical Switch)… now that we know VNI 5002 and 5004 are being managed by the controller I have SSH’d to, we can run a few more detailed commands. First we can show the vtep-table: