Common problems with host preparation are:
- EAM fails to deploy VIBs
- Might be DNS issues
- Might be Firewall
- Might be VUM vs. EAM issues
- Previous VIBs might be installed (from 6.3.0 onwards this shouldn’t be an issue). If this is an issue, the hosts might require a reboot.
- vCenter Networking and Security Plugin might be playing up.
There are some basic checks we can do which I’ll go through below:
1. Log into the Web Client.
2. Click Networking and Security.
3. Click Installation, then Host Preparation. This will show all vCenter Server clusters and hosts. (I’m working through this blog series using VMware Hands On Labs… so as expected my hosts are all green and healthy!)
1. Log in to the NSX Manager virtual appliance.
2. Under Appliance Management, click Download Tech Support Log (you can also click the cog at the top right-hand side of the screen).
This post will focus on the NSX Manager, firstly showing how to check the service status in the GUI, then some NSX Manager log checks.
1. Open a Web browser window and type the IP address assigned to the NSX Manager.
2. Log in to the NSX Manager virtual appliance by using the user name admin and the password you set during installation and click Log In.
Full disclosure I am not a networking guy… so… I might have got this completely wrong!!
First here is a diagram that visually shows the problem with Universal Logical Switches and Universal Logical Routers:
In the example above we have a VM in DC2 that is looking to get out to the internet (excuse the simplified diagrams). The problem is the VM running in DC2 will have no way to guarantee which ESG is used to break out to the web. This is because the Universal DLR in DC2 will have two paths to reach the intranet: one via the NSX Edge in DC1 and another via the NSX Edge in DC2.
This is because the Logical Router Control VM that owns the routing adjacency to the NSX Edges sees both NSX Edges as equally weighted to reach anything northbound, and it can choose either NSX Edge to forward the traffic to.
Logical router kernel modules in the host perform routing between VXLAN networks, and between virtual and physical networks. An NSX Edge appliance provides dynamic routing ability if needed. A universal logical router provides east-west routing between universal logical switches.
1. In the vSphere Web Client, navigate to Home > Networking & Security > NSX Edges. Select the Primary NSX Manager to add a universal logical router.
The process for configuring a default gateway on an ESG or DLR is identical. Static routes are OK for small sites with not many networks. As the number of networks increases, the use of dynamic routing protocols is beneficial.
1. Log into the vSphere Web Client. Click Networking and Security, then NSX Edges. Double-click the Edge (ESG or DLR) that you want to configure the Default Gateway on, then click the Routing tab and finally click Static Routes:
The process for configuring a default gateway on an ESG or DLR is identical. What does a Default Gateway do… well, anything not defined in the routing table (either as a static or dynamic route (OSPF or BGP)) will be sent to this interface.
To configure the default gateway complete the following:
1. Log into the vSphere Web Client. Click Networking and Security, then NSX Edges. Double-click the Edge (ESG or DLR) that you want to configure the Default Gateway on.
2. Click the Routing tab then click Global Configuration.
Last item in Objective 6.3 – Configure and Manage Universal Logical Security Objects, again quite a quick one to step through the process of creating Universal Services and Service Groups.
1. Log into the vSphere client and navigate to Networking and Security, then NSX Managers, then the Primary NSX Manager, Manage, Grouping Objects, Services:
2. Click the green plus icon.
3. Fill in the Name and Description, select the Protocol, and then depending on your selection you will be presented with options (in the case of TCP you are asked for destination ports). Then be sure to click the “Mark this object for Universal Synchronisation” check box.
Fourth item in Objective 6.3 – Configure and Manage Universal Logical Security Objects, again quite a quick one to step through the process of creating Universal Firewall Rules.
Distributed Firewall in a cross-vCenter NSX environment allows centralized management of rules that apply to all vCenter Servers in your environment. It supports cross-vCenter vMotion which enables you to move workloads or virtual machines from one vCenter Server to another and seamlessly extends your software defined datacenter security.
As your datacenter needs scale out, the existing vCenter Server may not scale to the same level. This may require you to move a set of applications to newer hosts that are managed by a different vCenter Server. Or you may need to move applications from staging to production in an environment where staging servers are managed by one vCenter Server and production servers are managed by a different vCenter Server. Distributed Firewall supports these cross-vCenter vMotion scenarios by replicating firewall policies that you define for the primary NSX Manager on up to seven secondary NSX Managers.
From the primary NSX Manager you can create a distributed firewall rule section that is marked for universal synchronization. You can create one universal L2 rule section and one universal L3 rule section. These sections and their rules are synchronized to all secondary NSX Managers in your environment. Rules in other sections remain local to the appropriate NSX Manager.
The following Distributed Firewall features are not supported in a cross-vCenter NSX environment:
- Exclude list
- Flow monitoring for aggregate flows
- Network service insertion
- Edge Firewall
Service Composer does not support universal synchronization, so you cannot use it to create distributed firewall rules in the universal section.
1. Log into the vSphere client and navigate to Networking and Security, then Firewall, General Tab and then either click the New Section Button (Folder with the small green plus) to create a new firewall section or the larger green plus to create a firewall rule within an existing section:
Third item in Objective 6.3 coming up… Universal Security Groups
1. Log into the vSphere client and navigate to Networking and Security, then NSX Managers, then the Primary NSX Manager, Manage, Grouping Objects then Security Groups:
2. Click the green plus icon.