1. Verify that the prerequisites are met to run Distributed Firewall (DFW).
VMware vCenter Server 5.5 (or later)
VMware ESXi 5.1 (or later)
VMware NSX 6.0 (or later)
2. Verify that the DFW VIBs are successfully installed on each of the ESXi hosts in the cluster. To do this, on each ESXi host in the cluster, run these commands:
Previous VIBs might still be installed (from 6.3.0 onwards this shouldn't be an issue); if this is the case, the hosts might require a reboot.
The vCenter Networking and Security plugin might also be playing up.
There are some basic checks we can do, which I'll go through below:
1. Log into the Web Client.
2. Click Networking and Security.
3. Click Installation, then Host Preparation. This will show all vCenter Server clusters and hosts. I'm working through this blog series using VMware Hands On Labs, so as expected my hosts are all green and healthy!
2. Under Appliance Management, click Download Tech Support Log (you can also click the cog at the top right hand side of the screen).
Full disclosure I am not a networking guy… so… I might have got this completely wrong!!
First here is a diagram that visually shows the problem with Universal Logical Switches and Universal Logical Routers:
In the example above we have a VM in DC2 that is looking to get out to the internet (excuse the simplified diagrams). The problem is that the VM running in DC2 has no way to guarantee which ESG is used to break out to the web. This is because the Universal DLR in DC2 has two paths to reach the internet: one via the NSX Edge in DC1 and another via the NSX Edge in DC2.
This happens because the Logical Router Control VM that owns the routing adjacency to the NSX Edges sees both NSX Edges as equally weighted to reach anything northbound, and it can choose either NSX Edge to forward the traffic to.
Logical router kernel modules in the host perform routing between VXLAN networks, and between virtual and physical networks. An NSX Edge appliance provides dynamic routing ability if needed. A universal logical router provides east-west routing between universal logical switches.
1. In the vSphere Web Client, navigate to Home > Networking & Security > NSX Edges. Select the Primary NSX Manager to add a universal logical router.
The process for configuring a default gateway on an ESG or DLR is identical. Static routes are fine for small sites with few networks. As the number of networks increases, dynamic routing protocols become beneficial.
1. Log into the vSphere Web Client. Click Networking and Security, then NSX Edges. Double-Click the Edge (ESG or DLR) that you want to configure the Default Gateway on then click the Routing tab and finally click Static Routes:
The process for configuring a default gateway on an ESG or DLR is identical. What does a default gateway do? Anything not defined in the routing table (either as a static route or as a dynamic route learned via OSPF or BGP) will be sent to this interface.
To configure the default gateway complete the following:
1. Log into the vSphere Web Client. Click Networking and Security, then NSX Edges. Double-Click the Edge (ESG or DLR) that you want to configure the Default Gateway on.
2. Click the Routing tab then click Global Configuration.
Last item in Objective 6.3 – Configure and Manage Universal Logical Security Objects, again quite a quick one to step through the process of creating Universal Services and Service Groups.
1. Log into the vSphere client and navigate to Networking and Security, then NSX Managers, then the Primary NSX Manager, Manage, Grouping Objects, Services:
2. Click the green plus icon.
3. Fill in the Name and Description, select the Protocol, and then, depending on your selection, you will be presented with further options (in the case of TCP you are asked for destination ports). Be sure to tick the "Mark this object for Universal Synchronisation" check box.