Monthly Archives: July 2017

NSX – Configure Universal firewall rules

Fourth item in Objective 6.3 – Configure and Manage Universal Logical Security Objects, again quite a quick one to step through the process of creating Universal Firewall Rules.

Distributed Firewall in a cross-vCenter NSX environment allows centralized management of rules that apply to all vCenter Servers in your environment. It supports cross-vCenter vMotion, which enables you to move workloads or virtual machines from one vCenter Server to another and seamlessly extends your software-defined datacenter security.

As your datacenter needs scale out, the existing vCenter Server may not scale to the same level. This may require you to move a set of applications to newer hosts that are managed by a different vCenter Server. Or you may need to move applications from staging to production in an environment where staging servers are managed by one vCenter Server and production servers are managed by a different vCenter Server. Distributed Firewall supports these cross-vCenter vMotion scenarios by replicating firewall policies that you define for the primary NSX Manager on up to seven secondary NSX Managers.

From the primary NSX Manager you can create a distributed firewall rule section that is marked for universal synchronization. You can create one universal L2 rule section and one universal L3 rule section. These sections and their rules are synchronized to all secondary NSX Managers in your environment. Rules in other sections remain local to the appropriate NSX Manager.

The following Distributed Firewall features are not supported in a cross-vCenter NSX environment:

  • Exclude list
  • SpoofGuard
  • Flow monitoring for aggregate flows
  • Network service insertion
  • Edge Firewall

Service Composer does not support universal synchronization, so you cannot use it to create distributed firewall rules in the universal section.

1. Log into the vSphere client and navigate to Networking and Security, then Firewall, General tab, and then either click the New Section button (folder with the small green plus) to create a new firewall section or the larger green plus to create a firewall rule within an existing section:


NSX – Configure Universal IP sets

Second item in Objective 6.3 – Configure and Manage Universal Logical Security Objects, again quite a quick one to step through the process of creating a Universal IP Set.

1. Log into the vSphere client and navigate to Networking and Security, then NSX Managers, then the Primary NSX Manager, Manage, Grouping Objects, IP Sets:

2. Click the green plus icon.

NSX – Create/configure Universal Logical Switches

In a cross-vCenter NSX deployment, you can create universal logical switches, which can span all vCenters. The transport zone type determines whether the new switch is a logical switch or a universal logical switch. When you add a logical switch to a universal transport zone, the logical switch is universal.

1. In the vSphere Web Client, navigate to Home > Networking & Security > Logical Switches.

2. Select the primary NSX Manager.

3. Click the New Logical Switch icon.

NSX – Create/manage Universal transport zones

Universal transport zones control the hosts that a universal logical switch can reach. A universal transport zone is created by the primary NSX Manager and is replicated to the secondary NSX Managers. Universal transport zones can span one or more vSphere clusters across the cross-vCenter NSX environment.

1. In vCenter, navigate to Home > Networking & Security > Installation and select the Logical Network Preparation tab.

2. Click Transport Zones and click the New Transport Zone icon.

3. Select Mark this object for universal synchronization.


NSX – Configure Universal segment ID pools

The universal segment ID pool specifies a range for use when building logical network segments. Cross-vCenter NSX deployments use a unique universal segment ID pool to ensure that the universal logical switches' VXLAN network identifiers (VNIs) are consistent across all secondary NSX Managers.

The universal segment ID is defined once on the primary NSX Manager and then synced to all of the secondary NSX Managers. The universal segment ID range controls the number of universal logical switches that can be created. Note that the segment ID range must be unique across any NSX Manager that you plan to use in a cross-vCenter NSX deployment. This example uses a high range to provide future scalability.

1. In vCenter, navigate to Home > Networking & Security > Installation and select the Logical Network Preparation tab.


NSX – Configure NSX manager roles (Primary, Secondary, Standalone, Transit)

The primary NSX Manager runs the controller cluster. Additional NSX Managers are secondary. The controller cluster that is deployed by the primary NSX Manager is a shared object and is referred to as the universal controller cluster. Secondary NSX Managers automatically import the universal controller cluster. There can be one primary NSX Manager and up to seven secondary NSX Managers in a cross-vCenter NSX environment.

NSX Managers can have one of four roles:

  • Primary
  • Secondary
  • Standalone
  • Transit

Primary, Secondary and Standalone roles are easy to understand. The Transit role is used when a primary or secondary NSX Manager is changed to Standalone and there are remaining universal objects in existence.

NSX – Add Layer 2 Bridging

You can create an L2 bridge between a logical switch and a VLAN, which enables you to migrate virtual workloads to physical devices with no impact on IP addresses. A logical network can leverage a physical L3 gateway and access existing physical networks and security resources by bridging the logical switch broadcast domain to the VLAN broadcast domain.

The L2 bridge runs on the host that has the NSX Edge logical router virtual machine. An L2 bridge instance maps to a single VLAN, but there can be multiple bridge instances. The logical router cannot be used as a gateway for devices connected to a bridge.

If High Availability is enabled on the Logical Router and the primary NSX Edge virtual machine goes down, the bridge is automatically moved over to the host with the secondary virtual machine. For this seamless migration to happen, a VLAN must have been configured on the host that has the secondary NSX Edge virtual machine.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double click a logical router.