A user’s role defines the actions the user is allowed to perform on a given resource. The role determines the user’s authorized activities on that resource, ensuring that a user has access only to the functions necessary to complete the applicable operations. This allows domain control over specific resources, or system-wide control if the role’s rights are unrestricted.
The following rules are enforced:
- A user can only have one role.
- You cannot add a role to a user, or remove an assigned role from a user. You can, however, change the assigned role for a user.
- Enterprise Administrator = NSX operations and security.
- NSX Administrator = NSX operations only: for example, install virtual appliances, configure port groups.
- Security Administrator = NSX security only: for example, define data security policies, create port groups, create reports for NSX modules.
- Auditor = Read only.
Assign roles to user accounts
1. Log into the vSphere Web Client.
2. Click Networking and Security.
3. Click NSX Managers on the left-hand-side.
4. Select the NSX Manager, click Manage, followed by Users.
I think we have already covered this… but no issues going through the process again!
You can register one or more Windows domains with an NSX Manager and its associated vCenter Server. NSX Manager gets group and user information, as well as the relationships between them, from each domain it is registered with. NSX Manager also retrieves Active Directory (AD) credentials.
Once NSX Manager retrieves AD credentials, you can create security groups based on user identity, create identity-based firewall rules, and run Activity Monitoring reports.
This is achieved by joining the NSX Manager to the domain. To do this, go to the Networking and Security plugin, then NSX Managers, and select the NSX Manager you want to join to the domain. Once this screen has loaded, click Manage, then Domains:
Activity Monitoring provides visibility into your virtual network to ensure that security policies at your organization are being enforced correctly.
A security policy may mandate who is allowed access to which applications. The cloud administrator can generate Activity Monitoring reports to see whether the IP-based firewall rules they set are doing the intended work. By providing user- and application-level detail, Activity Monitoring translates high-level security policies to their low-level IP-address- and network-based implementation.
Once you enable data collection for Activity Monitoring, you can run reports to view inbound traffic (such as virtual machines being accessed by users) as well as outbound traffic (resource utilization, interaction between inventory containers, and AD groups that accessed a server).
To enable Data Collection on a single Virtual Machine:
1. Log in to the vSphere Web Client.
2. Click vCenter and then click VMs and Templates.
3. Select a virtual machine from the left inventory panel.
4. Click the Manage tab and then click the Settings tab.
5. Click NSX Activity Monitoring from the left panel.
Hopefully my VCAP-DCA should get me past this one… probably asking about capacity or vCenter services etc. etc. I’m not going to cover this (apologies for this post as well… short and sweet):
Checking the NSX Manager services, CPU utilisation, RAM utilisation and storage use is always a good start. I’ve covered this already in another post but log into the NSX Manager and click on the Summary button:
Bit stumped by this one… could mean lots of things. Off the top of my head:
In the Web Client, go to Networking, select the dvSwitch you want to check, then Manage – Settings – Health Check. Click Edit and enable the VLAN and MTU check and the Teaming and Failover check:
A couple of places need syslog set up in an NSX environment… first up are the ESXi hosts. This is not really an NSX-specific thing, but it can be done quickly: in vCenter, select the host, go to Advanced System Settings, locate Syslog.global.logHost and enter the details of the syslog server.
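Because Syslog.global.logHost is a free-text field, a typo there silently leaves a host without remote logging. The script below is an added example (not code from the original post) that validates a logHost value before it is pushed out and prints the esxcli commands that would apply it. The accepted format is an assumption based on how ESXi documents the setting: comma-separated entries of the form protocol://host[:port] with protocol udp, tcp or ssl, a bare host name defaulting to udp/514; the host and port values used are constructed, and IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example, not from the original post. Validates a Syslog.global.logHost
# value and emits (does not run) the esxcli commands that would apply it.
# Assumed format: protocol://host[:port], protocol udp|tcp|ssl, comma-separated
# entries; a bare host name is accepted and defaults to udp/514.

# valid_loghost_entry ENTRY: return 0 if ENTRY is one acceptable target.
valid_loghost_entry() {
    entry=$1
    case $entry in
        udp://*|tcp://*|ssl://*) rest=${entry#*://} ;;
        *://*) return 1 ;;            # unknown protocol (e.g. http://)
        *) rest=$entry ;;             # bare host: defaults to udp/514
    esac
    case $rest in
        *:*) host=${rest%%:*}; port=${rest#*:}
             # port must be a number in 1..65535 (IPv6 literals not handled)
             case $port in ''|*[!0-9]*) return 1 ;; esac
             [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1 ;;
        *)   host=$rest ;;
    esac
    [ -n "$host" ] || return 1
    # host must be a hostname or IPv4 literal: letters, digits, dots, hyphens
    case $host in *[!A-Za-z0-9.-]*) return 1 ;; esac
    return 0
}

# valid_loghost VALUE: validate a full comma-separated logHost value.
valid_loghost() {
    [ -n "$1" ] || return 1
    oldifs=$IFS
    IFS=,
    set -- $1                         # split on commas only
    IFS=$oldifs
    for e in "$@"; do
        valid_loghost_entry "$e" || return 1
    done
    return 0
}

# esxcli_syslog_cmds VALUE: print the commands that would apply VALUE on a
# host. They are printed rather than executed so this runs anywhere.
esxcli_syslog_cmds() {
    valid_loghost "$1" || { echo "refusing invalid loghost: $1" >&2; return 1; }
    printf '%s\n' \
      "esxcli system syslog config set --loghost='$1'" \
      "esxcli system syslog reload" \
      "esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true"
}

# Constructed sample values: one good, one with a protocol ESXi does not speak.
esxcli_syslog_cmds 'udp://10.0.0.1:514,ssl://syslog.example.test:1514'
esxcli_syslog_cmds 'http://10.0.0.1:514' || true
```

The printed commands are the same change as the Advanced System Settings edit described above; the firewall ruleset line is there because the ESXi firewall blocks outbound syslog until that ruleset is enabled.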
Same as my previous post, this post is really just my notes on the logical-router commands from the controller cluster:
I only have 1 DLR so this is listed above (really just interested in the LR-ID (in my case this is 0x1388)).
You can also pull back the routing table of the DLR by running the following command (unfortunately my Hands-on Lab expired and I can’t really be bothered setting up routing again… so the routing table of this DLR has no entries… I’ve stolen a pic from the web showing what it should look like):
Most of this blog is going to be around using show control-cluster logical-switches, seems like the most likely avenue for troubleshooting Logical Switches and mappings… maybe?
This has listed the controller responsible for each VNI (segment/logical switch)… now we know that VNI 5002 and 5004 are being managed by the controller I have SSH’d to, we can run a few more detailed commands. First we can show the vtep-table:
1. Verify that the prerequisites are met to run Distributed Firewall (DFW).
- VMware vCenter Server 5.5 (or later)
- VMware ESXi 5.1 (or later)
- VMware NSX 6.0 (or later)
2. Verify that the DFW VIBs are successfully installed on each of the ESXi hosts in the cluster. To do this, on each ESXi host in the cluster, run these commands:
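Doing this by eye on every host in a cluster is where a missing VIB gets overlooked, so here is an added example (not code from the original post) that checks the output of `esxcli software vib list` for the VIBs the DFW needs and fails loudly when one is absent. The VIB names checked, esx-vsip (the DFW kernel module) and esx-vxlan, are the ones NSX 6.x installs; the two VIB listings below are constructed to look like esxcli output and are not from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: check that the NSX DFW VIBs are
# present on an ESXi host, using the output of `esxcli software vib list`.
# VIB names assumed for NSX 6.x; sample listings below are constructed.

# VIBs that must be present for the DFW to run (assumed for NSX 6.x).
REQUIRED_VIBS="esx-vsip esx-vxlan"

# Constructed sample of `esxcli software vib list` output: both VIBs present.
SAMPLE_OK='Name         Version             Vendor  Acceptance Level  Install Date
-----------  ------------------  ------  ----------------  ------------
esx-base     5.5.0-2.33.2068190  VMware  VMwareCertified   2014-10-01
esx-vsip     6.0.0-0.0.2107100   VMware  VMwareCertified   2015-01-01
esx-vxlan    6.0.0-0.0.2107100   VMware  VMwareCertified   2015-01-01'

# Constructed sample for a host where the DFW VIB never got installed.
SAMPLE_MISSING='Name         Version             Vendor  Acceptance Level  Install Date
-----------  ------------------  ------  ----------------  ------------
esx-base     5.5.0-2.33.2068190  VMware  VMwareCertified   2014-10-01
esx-vxlan    6.0.0-0.0.2107100   VMware  VMwareCertified   2015-01-01'

# vib_version LISTING NAME: print the version of NAME from LISTING, or nothing
# if it is not installed. Skips the two header lines.
vib_version() {
    printf '%s\n' "$1" | awk -v name="$2" 'NR > 2 && $1 == name { print $2 }'
}

# check_dfw_vibs LISTING: print one status line per required VIB and return 0
# only when every required VIB is present.
check_dfw_vibs() {
    missing=0
    for vib in $REQUIRED_VIBS; do
        ver=$(vib_version "$1" "$vib")
        if [ -n "$ver" ]; then
            echo "OK       $vib $ver"
        else
            echo "MISSING  $vib"
            missing=1
        fi
    done
    return $missing
}

# On a real host, feed in live output instead of the sample:
#   check_dfw_vibs "$(esxcli software vib list)"
check_dfw_vibs "$SAMPLE_OK"
check_dfw_vibs "$SAMPLE_MISSING" || echo "host is not ready for DFW"
```

Run it over each host in the cluster (for example from a loop that captures the esxcli output over SSH) and treat a non-zero exit as a host that must not carry DFW-protected workloads until the VIB is installed.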
First up… overall status of the controller cluster:
1. Log into the Web Client.
2. Click Networking and Security.
3. Click Installation, then Management. From this screen, make sure the controllers are healthy and connected (no red boxes under Peers, etc.):