Monthly Archives: July 2017

NSX – Troubleshoot distributed and edge firewall implementations

1. Verify that the prerequisites are met to run Distributed Firewall (DFW).

  • VMware vCenter Server 5.5 (or later)
  • VMware ESXi 5.1 (or later)
  • VMware NSX 6.0 (or later)

2. Verify that the DFW VIBs are successfully installed on each of the ESXi hosts in the cluster. To do this, run these commands on each ESXi host in the cluster:

Continue reading

NSX – Troubleshoot host preparation issues

Common problems with host preparation are:

  • EAM fails to deploy VIBs
    • Might be DNS issues
    • Might be Firewall
    • Might be VUM vs. EAM issues
  • Previous VIBs might be installed (from 6.3.0 onwards this shouldn’t be an issue); if this is an issue, the hosts might require a reboot.
  • vCenter Networking and Security Plugin might be playing up.

There are some basic checks we can do, which I’ll go through below:

1. Log into the Web Client.

2. Click Networking and Security.

3. Click Installation, then Host Preparation. This will show all vCenter Server clusters and hosts. (I’m working through this blog series using VMware Hands On Labs… so as expected my hosts are all green and healthy!)

Continue reading

NSX – Troubleshoot NSX Manager services

This post will focus on the NSX Manager, first showing how to check the service status in the GUI, then some NSX Manager log checks.

1. Open a Web browser window and type the IP address assigned to the NSX Manager.

2. Log in to the NSX Manager virtual appliance by using the user name admin and the password you set during installation and click Log In.

Continue reading

NSX – Configure local egress

Full disclosure I am not a networking guy… so… I might have got this completely wrong!!

First here is a diagram that visually shows the problem with Universal Logical Switches and Universal Logical Routers:

In the example above we have a VM in DC2 that is looking to get out to the internet (excuse the simplified diagrams). The problem is that the VM running in DC2 will have no way to guarantee which ESG is used to break out to the web. This is because the Universal DLR in DC2 will have two paths to reach the intranet: one via the NSX Edge in DC1 and another via the NSX Edge in DC2.

This is because the Logical Router Control VM that owns the routing adjacency to the NSX Edges sees both NSX Edges as equally weighted to reach anything northbound, so it can choose either NSX Edge to forward the traffic to.

Continue reading

NSX – Create/configure Universal Distributed Logical Routers

Logical router kernel modules in the host perform routing between VXLAN networks, and between virtual and physical networks. An NSX Edge appliance provides dynamic routing ability if needed. A universal logical router provides east-west routing between universal logical switches.

1. In the vSphere Web Client, navigate to Home > Networking & Security > NSX Edges. Select the Primary NSX Manager to add a universal logical router.

Continue reading

NSX – Configure static routes

The process for configuring a default gateway on an ESG or DLR is identical. Static routes are OK for small sites with not many networks. As the number of networks increases, the use of dynamic routing protocols is beneficial.

1. Log into the vSphere Web Client. Click Networking and Security, then NSX Edges. Double-click the Edge (ESG or DLR) that you want to configure the Default Gateway on, then click the Routing tab and finally click Static Routes:

Continue reading

NSX – Configure default gateway parameters

The process for configuring a default gateway on an ESG or DLR is identical. What does a Default Gateway do… well, anything not defined in the routing table (either as a static or a dynamic route, OSPF or BGP) will be sent to this interface.

To configure the default gateway complete the following:

1. Log into the vSphere Web Client. Click Networking and Security, then NSX Edges. Double-click the Edge (ESG or DLR) that you want to configure the Default Gateway on.

2. Click the Routing tab then click Global Configuration.

Continue reading

NSX – Configure Universal services and service groups

Last item in Objective 6.3 – Configure and Manage Universal Logical Security Objects, again quite a quick one to step through the process of creating Universal Services and Service Groups.

1. Log into the vSphere client and navigate to Networking and Security, then NSX Managers, then the Primary NSX Manager, Manage, Grouping Objects, Services:

2. Click the green plus icon.

3. Fill in the Name and Description, select the Protocol and then, depending on your selection, you will be presented with options (in the case of TCP you are asked for destination ports). Then be sure to click the “Mark this object for Universal Synchronisation” check box.

Continue reading