Documente Academic
Documente Profesional
Documente Cultură
Table of Contents
Lab Overview - HOL-1803-05-NET - SocaiLab: Getting Started with VMware NSX ............ 3
Lab Guidance .......................................................................................................... 4
Module 1 - NSX Manager Installation and Configuration (15 Minutes) ............................ 10
Introduction........................................................................................................... 11
Hands-on Labs Interactive Simulation: NSX Installation and Configuration - Part
1............................................................................................................................ 13
Hands-on Labs Interactive Simulation: NSX Installation and Configuration - Part
2............................................................................................................................ 16
Module 1 Conclusion ............................................................................................. 17
Module 2 - Logical Switching (30 minutes) ..................................................................... 19
Logical Switching - Module Overview .................................................................... 20
Logical Switching .................................................................................................. 21
Scalability and Availability .................................................................................... 48
Module 2 Conclusion ............................................................................................. 52
Module 3 - Logical Routing (60 minutes)......................................................................... 54
Routing Overview .................................................................................................. 55
Dynamic and Distributed Routing ......................................................................... 57
Centralized Routing............................................................................................... 86
ECMP and High Availability.................................................................................. 105
Prior to moving on - Please complete the following cleanup steps ..................... 154
Module 3 Conclusion ........................................................................................... 159
Module 4 - Service Composer and Distributed Firewall Overview (45 minutes) ............ 161
Distributed Firewall - Micro-segmentation Overview ........................................... 162
Improved IP Discovery Mechanism for Virtual Machines and SpoofGuard........... 191
Security Groups Overview................................................................................... 206
Security Policy Overview ..................................................................................... 211
Review of Service Composer Canvas .................................................................. 221
Module 4 - Conclusion ......................................................................................... 229
Module 5 - Intelligent Grouping (30 minutes) ............................................................... 232
Intelligent Grouping ............................................................................................ 233
Log on to the End of Support Virtual Machines ................................................... 234
Security Group Creation ...................................................................................... 242
Limit VM Access .................................................................................................. 248
Verify Limited Access from Windows XP VMs ...................................................... 262
Module 5 Conclusion ........................................................................................... 266
Module 6 - User Based Security with a Jump Box (45 minutes)..................................... 268
User Based Security in a Jump Box Scenario....................................................... 269
Explore Link between NSX and Active Directory ................................................. 270
Use Security Objects based on AD Groups.......................................................... 279
Define Internal Application Firewall Rules ........................................................... 295
Testing User Identity Based Rules ....................................................................... 301
Module 6 Conclusion ........................................................................................... 312
HOL-1803-05-NET Page 1
HOL-1803-05-NET
HOL-1803-05-NET Page 2
HOL-1803-05-NET
Lab Overview -
HOL-1803-05-NET -
SocaiLab: Getting Started
with VMware NSX
HOL-1803-05-NET Page 3
HOL-1803-05-NET
Lab Guidance
Note: It will take more than 90 minutes to complete this lab. You should
expect to only finish 2-3 of the modules during your time. The modules are
independent of each other so you can start at the beginning of any module
and proceed from there. You can use the Table of Contents to access any
module of your choosing.
The Table of Contents can be accessed in the upper right-hand corner of the
Lab Manual.
VMware NSX is the platform for Network Virtualization. You will gain hands-on
experience with Logical Switching, Distributed Logical Routing, Dynamic Routing,
Distributed Firewall and Logical Network Services. This lab introduces the core
capabilities of VMware NSX in vSphere environments used to enable Network and
Security virtualization.
• (15 minutes) - Basic - This module will walk you through a basic install of NSX
including deploying the .ova, configuring NSX Manager, deploying controllers and
preparing hosts.
• (30 minutes) - Basic - This module will cover the creation of logical switches and
add virtual machines to the logical switches.
• (60 minutes) - Basic - This module will demonstrate the dynamic and distributed
routing capabilities supported on the NSX platform by providing routes between a
3-tier application.
• (45 minutes) - Basic - This module will cover the Distributed Firewall and Service
Composer creating firewall rules between a 3-tier application.
• (30 Minutes) - Basic - This module will help understand how NSX can help secure
applications and virtual machines using dynamic inclusion with security groups.
• (45 Minutes) - Basic - This module will demonstrate the capabilities of the Identity
Based Firewall feature and how it can provide security with Active Directory
integration.
• (30 Minutes) - Basic - This module will demonstrate application micro-
segmentation with Application Rule Manager.
Lab Captains:
HOL-1803-05-NET Page 4
HOL-1803-05-NET
This lab manual can be downloaded from the Hands-on Labs Document site found here:
http://docs.hol.vmware.com
This lab may be available in other languages. To set your language preference and have
a localized manual deployed with your lab, you may utilize this document to help guide
you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
1. The area in the RED box contains the Main Console. The Lab Manual is on the tab
to the Right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper
left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab can not be saved. All your
work must be done during the lab session. But you can click the EXTEND to
increase your time. If you are at a VMware event, you can extend your lab time
twice, for up to 30 minutes. Each click gives you an additional 15 minutes.
Outside of VMware events, you can extend your lab time up to 9 hours and 30
minutes. Each click gives you an additional hour.
HOL-1803-05-NET Page 5
HOL-1803-05-NET
During this module, you will input text into the Main Console. Besides directly typing it
in, there are two very helpful methods of entering data which make it easier to enter
complex data.
You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.
You can also use the Online International Keyboard found in the Main Console.
1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.
HOL-1803-05-NET Page 6
HOL-1803-05-NET
In this example, you will use the Online Keyboard to enter the "@" sign used in email
addresses. The "@" sign is Shift-2 on US keyboard layouts.
HOL-1803-05-NET Page 7
HOL-1803-05-NET
When you first start your lab, you may notice a watermark on the desktop indicating
that Windows is not activated.
One of the major benefits of virtualization is that virtual machines can be moved and
run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the
labs out of multiple datacenters. However, these datacenters may not have identical
processors, which triggers a Microsoft activation check through the Internet.
Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft
licensing requirements. The lab that you are using is a self-contained pod and does not
have full access to the Internet, which is required for Windows to verify the activation.
Without full access to the Internet, this automated process fails and you see this
watermark.
HOL-1803-05-NET Page 8
HOL-1803-05-NET
Please check to see that your lab is finished all the startup routines and is ready for you
to start. If you see anything other than "Ready", please wait a few minutes. If after 5
minutes your lab has not changed to "Ready", please ask for assistance.
HOL-1803-05-NET Page 9
HOL-1803-05-NET
HOL-1803-05-NET Page 10
HOL-1803-05-NET
Introduction
VMware NSX is the leading network virtualization platform that delivers the operational
model of a virtual machine for the network. Just as server virtualization
provides extensible control of virtual machines running on a pool of server hardware,
network virtualization with NSX provides a centralized API to provision and configure
many isolated logical networks that run on a single physical network.
Logical networks decouple virtual machine connectivity and network services from the
physical network, giving cloud providers and enterprises the fexibility to place or
migrate virtual machines anywhere in the data center while still supporting layer-2 /
layer-3 connectivity and layer 4-7 network services.
Within this module we will be using an Interactive Simulation to focus on how to perform
the actual deployment of NSX within your environment. Within the lab environment the
actual deployment has already been completed for you.
HOL-1803-05-NET Page 11
HOL-1803-05-NET
NSX Components
HOL-1803-05-NET Page 12
HOL-1803-05-NET
HOL-1803-05-NET Page 13
HOL-1803-05-NET
This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will
allow you to experience steps which are too time-consuming or resource intensive to do
HOL-1803-05-NET Page 14
HOL-1803-05-NET
live in the lab environment. In this simulation, you can use the software interface as if
you are interacting with a live environment.
*** SPECIAL NOTE *** The simulation you are about to do is comprised of two parts.
The first part will finish at the end of NSX Manager configuration. To continue to the
second half of the simulation you will need click on "Return to the Lab" in the upper
right of the screen. The manual will also outline the steps at the conclusion of the NSX
Manager configuration.
1. Click here to open the interactive simulation. It will open in a new browser
window or tab.
2. When finished, click the “Return to the lab” link to continue with this lab.
HOL-1803-05-NET Page 15
HOL-1803-05-NET
1. Click here to open the interactive simulation. It will open in a new browser
window or tab.
2. When finished, click the “Return to the lab” link to continue with this lab.
HOL-1803-05-NET Page 16
HOL-1803-05-NET
Module 1 Conclusion
In this module we showed the simplicity in which NSX can be installed and configured to
start providing layer two through seven services within software.
We covered the installation and configuration of the NSX Manager appliance which
included deployment, integrating with vCenter and configuring logging and backups. We
then covered the deployment of NSX Controllers as the control plane and installation of
the VMware Infrastructure Bundles (vibs) which are kernel modules pushed down to the
hypervisor. Finally we showed the automated deployment of VXLAN Tunnel Endpoints
(VTEP's), creation of a VXLAN Network Identifier pool (VNI's) and the creation of a
Transport Zone.
If you are looking for additional information on deploying NSX then review the NSX 6.3
Documentation Center via the URL below:
• Go to http://tinyurl.com/hkexfcl
• (15 minutes) - Basic - This module will walk you through a basic install of NSX
including deploying the .ova, configuring NSX Manager, deploying controllers and
preparing hosts.
• (30 minutes) - Basic - This module will cover the creation of logical switches and
add virtual machines to the logical switches.
• (60 minutes) - Basic - This module will demonstrate the dynamic and distributed
routing capabilities supported on the NSX platform by providing routes between a
3-tier application.
• (45 minutes) - Basic - This module will cover the Distributed Firewall and Service
Composer creating firewall rules between a 3-tier application.
• (30 Minutes) - Basic - This module will help understand how NSX can help secure
applications and virtual machines using dynamic inclusion with security groups.
• (45 Minutes) - Basic - This module will demonstrate the capabilities of the Identity
Based Firewall feature and how it can provide security with Active Directory
integration.
• (30 Minutes) - Basic - This module will demonstrate application micro-
segmentation with Application Rule Manager.
Lab Captains:
HOL-1803-05-NET Page 17
HOL-1803-05-NET
HOL-1803-05-NET Page 18
HOL-1803-05-NET
Module 2 - Logical
Switching (30 minutes)
HOL-1803-05-NET Page 19
HOL-1803-05-NET
• Review the NSX controller cluster. The NSX controller cluster has eliminated the
requirement for multicast protocol support on the physical fabric, and also
provides functions such as VTEP, IP and MAC resolution.
• Create a Logical Switch and attach two VMs to the Logical Switch.
• Review the scalability and high availability of the NSX platform.
HOL-1803-05-NET Page 20
HOL-1803-05-NET
Logical Switching
In this section, we will be doing the following:
Open a browser by double clicking on the Google Chrome icon on the desktop.
The home page should be the vSphere Web Client. Otherwise, click on the vSphere Web
Client Taskbar icon for Google Chrome.
HOL-1803-05-NET Page 21
HOL-1803-05-NET
1. Click Installation.
2. Click Host Preparation.
HOL-1803-05-NET Page 22
HOL-1803-05-NET
You will see that the data plane components, also called network virtualization
components, are installed on the hosts in our clusters. These components include the
following: Hypervisor level kernel modules for Port Security, VXLAN, Distributed Firewall
and Distributed Routing.
Firewall and VXLAN functions are configured and enabled on each cluster after the
installation of the network virtualization components. The port security module assists
the VXLAN function while the distributed routing module is enabled once the NSX edge
logical router control VM is configured.
HOL-1803-05-NET Page 23
HOL-1803-05-NET
As shown in the diagram, the hosts in the compute clusters are configured with VXLAN
Tunnel End Point (VTEP). The environment uses the 192.168.130.0/24 subnet for the
VTEP pool.
HOL-1803-05-NET Page 24
HOL-1803-05-NET
One of the key challenges with VXLAN deployment in the past is that multicast protocol
support is required from physical network devices. This challenge is addressed in the
NSX Platform by providing a controller based VXLAN implementation and removing any
need to configure multicast in the physical network. This mode (Unicast) is the default
mode and customers don't have to configure any multicast addresses while defining the
logical network pool.
If Multicast replication mode is chosen for a given Logical Switch, NSX relies on the
native L2/L3 multicast capability of the physical network to ensure VXLAN encapsulated
multi-destination traffic is sent to all VTEPs. In this mode, a multicast IP address must be
associated to each defined VXLAN L2 segment (i.e., Logical Switch). L2 multicast
capability is used to replicate traffic to all VTEPs in the local segment (i.e., VTEP IP
addresses that are part of the same IP subnet). Additionally, IGMP snooping should be
configured on the physical switches to optimize the delivery of L2 multicast traffic.
Hybrid mode offers operational simplicity similar to unicast mode – IP multicast routing
configuration is not required in the physical network – while leveraging the L2 multicast
capability of physical switches.
HOL-1803-05-NET Page 25
HOL-1803-05-NET
• Unicast : The control plane is handled by an NSX controller. All unicast traffic
leverages headend replication. No multicast IP addresses or special network
configuration is required.
• Multicast: Multicast IP addresses on the physical network are used for the
control plane. This mode is recommended only when you are upgrading from
older VXLAN deployments. Requires PIM/IGMP on physical network.
• Hybrid : The optimized unicast mode. Offloads local traffic replication to physical
network (L2 multicast). This requires IGMP snooping on the first-hop switch, but
does not require PIM. First-hop switch handles traffic replication for the subnet.
Hybrid mode is recommended for large-scale NSX deployments.
1. Click on Segment ID. Note that the Multicast addresses section above is blank.
As mentioned earlier, this is because we are using the default unicast mode with
a controller-based VXLAN implementation.
HOL-1803-05-NET Page 26
HOL-1803-05-NET
2. Double-click on RegionA0-Global-TZ.
A transport zone defines the span of a logical switch. Transport Zones dictate the
clusters that will participate in the use of a particular logical network. As you add new
clusters in your datacenter, you can increase the transport zone and thus increase the
span of the logical network. Once the logical switch spans across all compute clusters,
mobility and placement barriers (due to limited VLAN boundaries) are removed.
1. Click on the Manage tab. It will show the clusters that are part of this Transport
Zone.
HOL-1803-05-NET Page 27
HOL-1803-05-NET
After looking at the various NSX components and VXLAN configuration, we will now
create a NSX logical switch. The NSX logical switch creates logical broadcast domains or
segments to which an application or tenant virtual machine can be logically wired.
If you have already navigated to other pages, return to the Networking & Security
Section via the Home Section on vSphere Web Client (the steps can be found at the
start of this chapter).
HOL-1803-05-NET Page 28
HOL-1803-05-NET
HOL-1803-05-NET Page 29
HOL-1803-05-NET
HOL-1803-05-NET Page 30
HOL-1803-05-NET
We will cover more details on NSX Edge and routing in the subsequent modules.
For now, we will need to connect our logical switch to the NSX Edge Services Gateway,
Perimeter-Gateway-01. This will provide connectivity between VMs that are connected to
the logical switch and VMs that are not connected to the logical switch.
HOL-1803-05-NET Page 31
HOL-1803-05-NET
HOL-1803-05-NET Page 32
HOL-1803-05-NET
HOL-1803-05-NET Page 33
HOL-1803-05-NET
1. Click Finish.
HOL-1803-05-NET Page 34
HOL-1803-05-NET
After configuring the logical switch and providing access to the external network, it is
time to connect the web application virtual machines to this network.
HOL-1803-05-NET Page 35
HOL-1803-05-NET
In order to be able to add the VMs to the logical switch that we created, we need to
make sure that the VMs network adapter is enabled and connects to the correct vDS.
HOL-1803-05-NET Page 36
HOL-1803-05-NET
HOL-1803-05-NET Page 37
HOL-1803-05-NET
HOL-1803-05-NET Page 38
HOL-1803-05-NET
HOL-1803-05-NET Page 39
HOL-1803-05-NET
HOL-1803-05-NET Page 40
HOL-1803-05-NET
HOL-1803-05-NET Page 41
HOL-1803-05-NET
1. Click Finish.
HOL-1803-05-NET Page 42
HOL-1803-05-NET
HOL-1803-05-NET Page 43
HOL-1803-05-NET
HOL-1803-05-NET Page 44
HOL-1803-05-NET
Open Putty
1. Click Start.
2. Click the Putty Application icon from the Start Menu.
You are connecting from the Main Console which is in the 192.168.110.0/24 subnet.
The traffic will go through the NSX Edge and then to the Web Interface.
HOL-1803-05-NET Page 45
HOL-1803-05-NET
1. Select web-03a.corp.local.
2. Click Open.
Note: If web-03a.corp.local does not show up as an option, you can put 172.16.40.11
as the IP address in the Host Name text field.
HOL-1803-05-NET Page 46
HOL-1803-05-NET
Remember to use the SEND TEXT option to send this command to the console.
(See Lab Guidance)
ping -c 2 web-04a
If you see DUP! packets, that is due to the nature of VMware's nested lab environment.
This will not happen in a production environment.
Do not close your Putty Session. Minimize the window for later use.
HOL-1803-05-NET Page 47
HOL-1803-05-NET
For resiliency and performance, production deployments must deploy a NSX controller
cluster with multiple NSX controller nodes. The NSX controller cluster represents a scale-
out distributed system, where each NSX controller node is assigned a set of roles. The
assigned role defines the types of task that can be implemented by the NSX controller
node. NSX controller nodes are deployed in odd numbers. The current best practice (and
the only supported configuration) is for the NSX cluster to have three NSX controller
nodes of active-active-active load sharing and redundancy.
If a NSX controller(s) fail, the data plane (VM) traffic will not be affected. Traffic will
continue as the logical network information has already been pushed down to the logical
switches (the data plane). However, you will not be able to edit (add/move/change)
without the control plane (NSX controller cluster).
HOL-1803-05-NET Page 48
HOL-1803-05-NET
HOL-1803-05-NET Page 49
HOL-1803-05-NET
1. Click Installation.
2. Click Management.
Under the NSX Controller nodes section, you can see that there are three NSX
controller nodes. NSX controller nodes are always deployed in odd numbers for high
availability and scalability.
HOL-1803-05-NET Page 50
HOL-1803-05-NET
1. Expand RegionA01
2. Click on one of the three NSX Controllers
3. Click Summary tab.
Observe the host that this NSX controller is residing on. The remaining two NSX
controllers will reside in two different hosts as well. In a production environment, all
three NSX controllers will reside on three different hosts with DRS anti-affinity rules to
avoid multiple failure of NSX controllers due to a single host outage.
HOL-1803-05-NET Page 51
HOL-1803-05-NET
Module 2 Conclusion
In this module, we demonstrated the following benefits of the NSX platform:
1. Network agility like the speedy provisioning and configuring of logical switches to
interface with virtual machines and external networks.
2. Scalability of the NSX architecture like the ability of the transport zone to quickly
span across multiple compute clusters and NSX controller cluster's capability as a
scale-out distributed system.
If you are keen to learn more about NSX, please visit the NSX 6.3 Documentation Center
via the following URL:
• Go to https://tinyurl.com/y9zy7cpn
• (15 minutes) - Basic - This module will walk you through a basic install of NSX
including deploying the .ova, configuring NSX Manager, deploying controllers and
preparing hosts.
• (30 minutes) - Basic - This module will cover the creation of logical switches and
add virtual machines to the logical switches.
• (60 minutes) - Basic - This module will demonstrate the dynamic and distributed
routing capabilities supported on the NSX platform by providing routes between a
3-tier application.
• (45 minutes) - Basic - This module will cover the Distributed Firewall and Service
Composer creating firewall rules between a 3-tier application.
• (30 Minutes) - Basic - This module will help understand how NSX can help secure
applications and virtual machines using dynamic inclusion with security groups.
• (45 Minutes) - Basic - This module will demonstrate the capabilities of the Identity
Based Firewall feature and how it can provide security with Active Directory
integration.
• (30 Minutes) - Basic - This module will demonstrate application micro-
segmentation with Application Rule Manager.
Lab Captains:
HOL-1803-05-NET Page 52
HOL-1803-05-NET
HOL-1803-05-NET Page 53
HOL-1803-05-NET
Module 3 - Logical
Routing (60 minutes)
HOL-1803-05-NET Page 54
HOL-1803-05-NET
Routing Overview
Lab Module Overview
In the previous module, we experienced the ease and convenience of creating isolated
logical switches/networks with a few clicks. To provide communication across these
isolated logical layer 2 networks, routing support is essential. In the NSX platform, the
distributed logical router allows you to route traffic between logical switches and the
routing capability is distributed in the hypervisor. By incorporating this logical routing
component, NSX can reproduce complex routing topologies in the logical space. For
example, a three-tier application will be connected to three logical switches and the
routing between the tiers handled by this distributed logical router.
This module will help us understand some of the routing capabilities supported in the
NSX platform and how to utilize these capabilities while deploying a three-tier
application.
• Examine traffic flow when the routing is handled by an external physical router or
NSX Edge Services Gateway.
• Configure the Distributed Logical Router and it's Logical Interfaces (LIFs) to
enable routing between app-tier and db-tier of the 3-tier application.
• Configure dynamic routing protocols on the Distributed Logical Router and NSX
Edge Services Gateway and understand the control of internal route
advertisements to external router.
• Scale and protect the NSX Edge Services Gateway through the use of other
routing protocols such as ECMP (Equal Cost Multipath Routing).
HOL-1803-05-NET Page 55
HOL-1803-05-NET
Many of the modules will have you enter Command Line Interface (CLI) commands.
There are two ways to send CLI commands to the lab.
1. Highlight the CLI command in the manual and use Control+c to copy to
clipboard.
2. Click on the console menu item SEND TEXT.
3. Press Control+v to paste from the clipboard to the window.
4. Click the SEND button.
Second, a text file (README.txt) has been placed on the desktop of the environment
allowing you to easily copy and paste complex commands or passwords in the
associated utilities (CMD, Putty, console, etc). Certain characters are often not present
on keyboards throughout the world. This text file is also included for keyboard layouts
which do not provide those characters.
HOL-1803-05-NET Page 56
HOL-1803-05-NET
The above picture shows this lab's environment where both Application VM and
Database VM reside on the same physical host. The red arrows show the traffic flow
between the two VMs.
HOL-1803-05-NET Page 57
HOL-1803-05-NET
5. The traffic is sent to the host which the Database VM is residing on.
6. The traffic reaches the Database VM from the host.
At the end of this lab, we will review the traffic flow diagram after distributed routing is
configured. This will help us to understand the positive impact that distributed routing
has on network traffic.
• Open a browser by double clicking on the Google Chrome icon on the desktop.
The home page should be the vSphere Web Client. Otherwise, click on the vSphere Web
Client Taskbar icon for Google Chrome.
HOL-1803-05-NET Page 58
HOL-1803-05-NET
Before you start the configuration for Distributed Routing, let's verify that the 3-tier Web
Application is working correctly. The three tiers of the application (web, app and
database) are on different logical switches and NSX Edge is providing routing between
these tiers.
• The web server will return a web page with customer information stored in the
database.
HOL-1803-05-NET Page 59
HOL-1803-05-NET
As you have seen in the earlier topology, the three logical switches or three tiers of the
application are terminated on the Perimeter Gateway (NSX Edge). The Perimeter
Gateway (NSX Edge) provides the routing between the three tiers. We are going to
change that topology by removing the App and DB interfaces from the Perimeter
Gateway (NSX Edge). After deleting the interfaces, we will move those interfaces on to
the Distributed Router (NSX Edge). To save time, a Distributed Router (NSX Edge) has
been deployed for you.
HOL-1803-05-NET Page 60
HOL-1803-05-NET
1. Click Manage.
2. Click Settings.
3. Click Interfaces.
HOL-1803-05-NET Page 61
HOL-1803-05-NET
You will see the configured interfaces and their properties. Information includes the vNIC
number, interface name, interface type (Internal, Uplink or Trunk) and interface status
(active or disabled).
HOL-1803-05-NET Page 62
HOL-1803-05-NET
HOL-1803-05-NET Page 63
HOL-1803-05-NET
After removing the App and DB interfaces from the Perimeter-Gateway-01 (NSX Edge),
we will navigate back to the Networking & Security section to access the Distributed-
Router-01 (NSX Edge).
We will begin configuring Distributed Routing by adding the App and DB interfaces to
the Distributed Router (NSX Edge).
1. Double-click Distributed-Router-01.
1. Click on Manage.
HOL-1803-05-NET Page 64
HOL-1803-05-NET
2. Click on Settings.
3. Click on Interfaces to display all the interfaces configured on the Distributed
Router (NSX Edge).
HOL-1803-05-NET Page 65
HOL-1803-05-NET
Add Subnets
HOL-1803-05-NET Page 66
HOL-1803-05-NET
• Repeat the previous two steps to add and configure the DB_Tier Interface
on Distributed-Router-01 (NSX Edge).
• Name DB_Tier.
• Connect to DB_Tier_Logical_Switch.
• IP address 172.16.30.1 and a subnet prefix length of 24.
HOL-1803-05-NET Page 67
HOL-1803-05-NET
After the two interfaces are configured on Distributed-Router-01 (NSX Edge), the
interface configurations are automatically pushed to every host in the environment. In
each host, there is a Routing (DR) Kernel loadable module which will handle routing
between VMs. In our lab scenario, the routing between the App and DB interfaces will be
handled by the Distributed Routing (DR) Kernel loadable module in the host instead of
Perimeter Gateway (NSX Edge). If there is communication between VMs that are
connected to different subnets but resides on the same host, traffic will not take an un-
optimal path as shown in the earlier traffic flow diagram.
HOL-1803-05-NET Page 68
HOL-1803-05-NET
After making the changes for routing to be handled by the distributed router, you will
notice that access to the 3-tier Web Application fails. This is because there is currently
no route between the Web Servers and App/DB VMs.
1. Click on HOL - Customer Database browser tab (this tab was opened in the
previous steps).
Note: If you close the HOL - Customer Database browser tab earlier, open a new
browser tab and click Customer DB App bookmark.
1. Click Refresh.
The application will take a few seconds to time out and you may need to click "X" to
stop the browser. If you see customer data, it may be cached data and you will need to
close and re-open the browser to correct it.
Note: If you do have to re-open the browser, after verifying the 3 tier application is not
working, click on the bookmark in the browser for vSphere Web Client and login again
with the credentials "root" password "VMware1!". Then click on Networking and
Security, Edge Appliances and finally double-click on "Distributed-Router".
HOL-1803-05-NET Page 69
HOL-1803-05-NET
1. Click Routing.
2. Click Global Configuration.
3. Click Edit to change Dynamic Routing Configuration.
1. Select the IP address of the Uplink interface as the default Router ID. In our case,
the Uplink interface is Transit_Network_01 and the IP address is 192.168.5.2.
HOL-1803-05-NET Page 70
HOL-1803-05-NET
2. Click OK
Note: The router ID is a 32 bit identifier denoted as an IP address and is important in the
operation of OSPF as it indicates the routers identity in an autonomous system. In our
lab scenario, we are using a router ID that is the same as the IP address of the uplink
interface on the NSX edge which is acceptable but not necessary. The screen will return
to the Global Configuration section with the option to Publish Changes.
Publish Changes
1. Click OSPF.
2. Click Edit to change OSPF Configuration. This will open the OSPF Configuration
dialog box.
HOL-1803-05-NET Page 71
HOL-1803-05-NET
Enable OSPF
Note: The Protocol Address is required for sending control traffic to the Distributed
Router Control VM while the Forwarding Address is used by the router datapath
module in the hosts to forward datapath packets. The separation of control plane and
data plane traffic in NSX means that the routing instance's data forwarding capability is
maintained even when the control function is restarted or reloaded. The control function
is referred to as "Graceful Restart" or "Non-stop Forwarding". The screen will return
to the Global Configuration section with the option to Publish Changes. However,
please DO NOT publish changes yet. Instead of publishing changes for every
configuration, we will complete all the configurations and publish them all at one time.
HOL-1803-05-NET Page 72
HOL-1803-05-NET
1. Click Green Plus icon. This will open the New Area Definition dialog box.
2. Enter 10 as the Area ID. Leave the other settings as default.
3. Click OK
Note: The Area ID for OSPF is very important and there are several types of OSPF
areas. Hence, please ensure that the NSX Edge is defined in the correct area so that it
can work properly with the OSPF configuration within the network.
HOL-1803-05-NET Page 73
HOL-1803-05-NET
1. Click Green Plus icon. This will open the New Area to Interface Mapping
dialog box.
2. Select Transit_Network_01 as the Interface.
3. Select 10 as the Area.
4. Click OK.
Publish Changes
HOL-1803-05-NET Page 74
HOL-1803-05-NET
Ensure the OSPF configuration on Distributed-Router-01 (NSX Edge) matches the picture
above.
HOL-1803-05-NET Page 75
HOL-1803-05-NET
HOL-1803-05-NET Page 76
HOL-1803-05-NET
Publish Changes
HOL-1803-05-NET Page 77
HOL-1803-05-NET
1. Double-click Perimeter-Gateway-01.
HOL-1803-05-NET Page 78
HOL-1803-05-NET
1. Click Manage.
2. Click Routing.
3. Click OSPF.
4. Click Edit to change OSPF Configuration. This will open the OSPF Configuration
dialog box.
Enable OSPF
1. Click Green Plus icon. This will open the New Area Definition dialog box.
2. Enter 10 as the Area ID. Leave the other settings as default.
3. Click OK
HOL-1803-05-NET Page 79
HOL-1803-05-NET
Note: The Area ID for OSPF is very important and there are several types of OSPF
areas. Hence, please ensure that the NSX Edge is defined in the correct area so that it
can work properly with the OSPF configuration within the network.
1. Click Green Plus icon. This will open the New Area to Interface Mapping
dialog box.
2. Select Transit_Network_01 as the vNIC.
3. Select 10 as the Area.
4. Click OK.
Publish Changes
HOL-1803-05-NET Page 80
HOL-1803-05-NET
You will notice that Perimeter-Gateway-01 (NSX Edge) has already been configured for
dynamic routing with BGP. This dynamic routing configuration allows Perimeter-
Gateway-01 (NSX Edge) to communicate and distribute routes to the router running the
overall lab.
HOL-1803-05-NET Page 81
HOL-1803-05-NET
1. Check OSPF.
2. Verify BGP is checked.
3. Click OK.
Note: BGP is the routing protocol used between Perimeter-Gateway-01 (NSX Edge) and
the vPod Router.
HOL-1803-05-NET Page 82
HOL-1803-05-NET
Publish Changes
HOL-1803-05-NET Page 83
HOL-1803-05-NET
The new topology shows route peering between Distributed Router and Perimeter
Gateway (NSX Edge). Routes to any network connected to the Distributed Router will be
distributed to the Perimeter Gateway (NSX Edge). In addition, we also have control over
the routing from the Perimeter Gateway to the physical network.
HOL-1803-05-NET Page 84
HOL-1803-05-NET
The routing information is being exchanged between the Distributed Router and
Perimeter Gateway. Once the routing between the two NSX Edges is established, the
connectivity to the 3-tier Web Application will be restored. Let's verify that the routing is
functional by accesssing the 3-tier Web Application.
1. Click on HOL - Customer Database browser tab (this tab was opened in the
previous steps). However, it may show 504 Gateway Time-out instead.
2. Click Refresh.
Note: It may take a minute for route propagation as the lab is a nested environment.
In this section, we have successfully configured dynamic and distributed routing. In the
next section, we will review centralized routing with the Perimeter Gateway (NSX Edge).
HOL-1803-05-NET Page 85
HOL-1803-05-NET
Centralized Routing
In this section, we will look at various elements to see how the routing is done
northbound from the edge. This includes how OSPF dynamic routing is controlled,
updated, and propagated throughout the system. We will verify the routing on the
perimeter edge appliance through the virtual routing appliance that runs and routes the
entire lab.
Special Note: On the desktop, you will find a file named README.txt. It contains the CLI
commands needed in the lab exercises. If you can't type them you can copy and paste
them into the putty sessions. If you see a number with "french brackets - {1}" this tells
you to look for that CLI command for this module in the text file.
HOL-1803-05-NET Page 86
HOL-1803-05-NET
The above diagram shows the current topology where OSPF is redistributing the routes
between Perimeter Gateway and Distributed Router. In addition, we also see the
northbound link from Perimeter Gateway to the vPod Router.
First we will confirm the Web App is functional, then we will log into the NSX Perimeter
Gateway to view OSPF neighbors and see existing route distribution. This will show how
the Perimeter Gateway is learning routes from not only the Distributed Router, but the
vPod router that is running the entire lab.
HOL-1803-05-NET Page 87
HOL-1803-05-NET
Before you start the configuration for Distributed Routing, let's verify that the 3-tier Web
Application is working correctly. The three tiers of the application (web, app and
database) are on different logical switches and NSX Edge is providing routing between
these tiers.
• The web server will return a web page with customer information stored in the
database.
Navigate to Perimeter-Gateway VM
HOL-1803-05-NET Page 88
HOL-1803-05-NET
1. Expand RegionA01.
2. Select Perimeter-Gateway-01-0.
3. Click on the Black Screen.
HOL-1803-05-NET Page 89
HOL-1803-05-NET
When the VM console launches in the browser tab, it will appear as a black screen. Click
inside the black screen and press Enter a few times to make the VM console appear
from the screensaver.
HOL-1803-05-NET Page 90
HOL-1803-05-NET
1. Username: admin
2. Password: VMware1!VMware1!
HOL-1803-05-NET Page 91
HOL-1803-05-NET
Many of the modules will have you enter Command Line Interface (CLI) commands.
There are two ways to send CLI commands to the lab.
1. Highlight the CLI command in the manual and use Control+c to copy to
clipboard.
2. Click on the console menu item SEND TEXT.
3. Press Control+v to paste from the clipboard to the window.
4. Click the SEND button.
Second, a text file (README.txt) has been placed on the desktop of the environment
allowing you to easily copy and paste complex commands or passwords in the
associated utilities (CMD, Putty, console, etc). Certain characters are often not present
on keyboards throughout the world. This text file is also included for keyboard layouts
which do not provide those characters.
HOL-1803-05-NET Page 92
HOL-1803-05-NET
1. BGP neighbor is 192.168.100.1 - This is the router ID of the vPod Router inside
the NSX environment.
2. Remote AS 65002 - This is the autonomous system number of the vPod Router's
external network.
3. BGP state = Established, up - This means the BGP neighbor adjacency is
complete and the BGP routers will send update packets to exchange routing
information.
show ip route
HOL-1803-05-NET Page 93
HOL-1803-05-NET
1. B indicates that this route is learned via BGP. This is also the default route and it
originates from the vPod Router (192.168.100.1).
2. C indicates that this route is directly connected to Perimeter-Gateway-01.
172.16.10.0/24 is the Web-Tier Logical Switch (network segment).
3. O indicates that this route is learned via OSPF from Distributed-Router-01
(192.168.5.2). 172.16.20.0/24 and 172.16.30.0/24 are the App-Tier Logical
Switch and DB-Tier Logical Switch (network segments).
There could be a situation where you would only want BGP routes to be distributed
inside of the virtual environment, but not with the physical world. We are able to control
that route distribution easily from the NSX Edge configuration.
HOL-1803-05-NET Page 94
HOL-1803-05-NET
HOL-1803-05-NET Page 95
HOL-1803-05-NET
1. Click Manage.
2. Click Routing.
3. Click BGP.
HOL-1803-05-NET Page 96
HOL-1803-05-NET
Publish Change
The VM console may appear as a black screen in the browser tab. Click inside the black
screen and press Enter a few times to make the VM console appear from the
screensaver.
You will notice that vPod Router (192.168.250.1) has been dropped from the list.
HOL-1803-05-NET Page 97
HOL-1803-05-NET
Show Routes
show ip route
Notice that the only routes being learned via OSPF is from the Distributed Router
(192.168.5.2).
HOL-1803-05-NET Page 98
HOL-1803-05-NET
Since no routes exist between the control center and the virtual networking
environment, the web app should fail.
1. Click on HOL - Customer Database browser tab (this tab was opened in the
previous steps).
2. Click Refresh.
The application will take a few seconds to time out and you may need to click "X" to
stop the browser. If you see customer data, it may be cached data and you will need to
close and re-open the browser to correct it.
HOL-1803-05-NET Page 99
HOL-1803-05-NET
Now let's get the route peering between the Perimeter-Gateway-01 and vPod Router
back in place.
Publish Change
The VM console may appear as a black screen in the browser tab. Click inside the black
screen and press Enter a few times to make the VM console appear from the
screensaver.
You will notice that vPod Router (192.168.100.1) is shown as a neighbor now.
show ip route
Show Routes
The default route from the vPod Router (192.168.100.1) is now back in the list.
With the routes back in place, the Web App should be functional again.
1. Click on HOL - Customer Database browser tab (this tab was opened in the
previous steps).
2. Click Refresh.
We have successfully completed this section of the lab and will move on to ECMP and
High Availability with the NSX Edges in the next section.
ECMP is a routing strategy that allows next-hop packet forwarding to a single destination
can occur over multiple best paths. These best paths can be added statically or as a
result of metric calculations by dynamic routing protocols like OSPF or BGP. The Edge
Services Gateway utilizes Linux network stack implementation, a round-robin algorithm
with a randomness component. After a next hop is selected for a particular source and
destination IP address pair, the route cache stores the selected next hop. All packets for
that flow go to the selected next hop. The Distributed Logical Router uses an XOR
algorithm to determine the next hop from a list of possible ECMP next hops. This
algorithm uses the source and destination IP address on the outgoing packet as sources
of entropy.
Now we will configure a new Perimeter Gateway, and establish an ECMP cluster between
the Perimeter Gateways for the Distributed Logical Router to leverage for increased
capacity and availability. We will test availability by shutting down one of the Perimeter
Gateways, and watching the traffic path change.
Set Password
Note: All passwords for NSX Edges are 12-character complex passwords.
1. Click Green Plus icon. The Add NSX Edge Appliance dialog box will appear.
2. Select RegionA01-MGMT01 for Cluster/Resource Pool.
3. Select RegionA01-ISCSI01-MGMT01 for Datastore.
4. Select esx-04a.corp.local for Host.
5. Click OK.
Continue Deployment
1. Click Next.
1. Click Green Plus icon. This will add the first interface.
We have to pick the northbound switch interface (a distributed port group) for this
Perimeter Gateway.
1. Click Green Plus icon. This will add the second interface.
We have to pick the northbound switch interface (VXLAN Backed Logical Switch) for this
Perimeter Gateway.
Continue Deployment
Ensure the IP Addresses and Subnet Prefix Length information are the same as the
picture.
1. Click Next.
We are removing the default gateway since information is received via OSPF.
Finalize Deployment
Edge Deploying
1. The NSX Edges section will show that there is 1 Installing while Perimeter-
Gateway-02 is being deployed.
2. The status for Perimeter-Gateway-02 will indicate that it is Busy. This means the
deployment is in process.
3. Click refresh icon on the vSphere Web Client to see the deployment status of
Perimeter-Gateway-02.
Once the status for Perimeter-Gateway-02 indicates that it is Deployed, we can move on
to the next step.
We will need to configure OSPF on Perimeter-Gateway-02 (NSX Edge) before ECMP can
be enabled.
1. Double-click Perimeter-Gateway-02.
1. Click Manage.
2. Click Routing.
3. Select Global Configuration.
4. Click Edit to change Dynamic Routing Configuration.
5. Select Uplink -192.168.100.4 as Router ID.
6. Click OK.
Publish Changes
Enable OSPF
1. Click OSPF.
2. Click Edit to change OSPF Configuration.
3. Check Enable OSPF.
4. Click OK.
Now the same must be done for the downlink interface to the Distributed Router
Publish Changes
Enable BGP
1. Select BGP.
2. Click Edit to change BGP Configuration.
3. Check Enable BGP.
4. Enter 65001 as the Local AS.
5. Click OK.
Publish Changes
We must now enable BGP and OSPF route redistribution in order for the routes to be
accessible through this edge.
Publish Changes
Enable ECMP
We are now going to enable ECMP on the Distributed Router and Perimeter Gateways
1. Click Manage.
2. Click Routing.
3. Click Global Configuration.
4. Click Enable.
Publish Change
1. Double-click Perimeter-Gateway-01.
1. Click Manage.
2. Click Routing.
3. Click Global Configuration.
4. Click Enable.
Publish Change
1. Click Back.
1. Double-click Perimeter-Gateway-02.
1. Click Manage.
2. Click Routing.
3. Click Global Configuration.
4. Click Enable.
Publish Change
Topology Overview
At this stage, this is the topology of the lab. This includes the new Perimeter Gateway
that has been added, routing configured, and ECMP turned on.
Let's now access the distributed router to ensure that OSPF is communicating and ECMP
is functioning.
1. Click Refresh.
2. Expand RegionA01.
3. Select Distributed-Router-01-0.
4. Select Summary.
5. Click on VM Console.
Access VM Console
When the VM console launches in the browser tab, it will appear as a black screen. Click
inside the black screen and press Enter a few times to make the VM console appear
from the screensaver.
1. Username: admin
2. Password: VMware1!VMware1!
The first thing we will do is look at the OSPF neighbors to the Distributed Router.
This shows us that the Distributed Router has two OSPF neighbors. The neighbors are
the Perimeter-Gateway-1(192.168.100.3) and Perimeter-Gateway-2
(192.168.100.4).
show ip route
Note: The vPod Router network segments and default route are advertised via both
Perimeter Gateway network addresses. The red arrows above are pointing to the
addresses of both the Perimeter-Gateway-01 and Perimeter-Gateway-02.
Note: To release your cursor from the window, press Ctrl+Alt keys.
Now we will look at ECMP from the vPod Router, which simulates a physical router in
your network.
We must telnet into the module that controls BGP in the vPod Router.
We must telnet into the module that controls OSPF in the vPod Router.
Show Routes
show ip bgp
2. In this section you notice that all networks have two next hop routers listed, and this
is because Perimeter-Gateway-01 (192.168.100.3) and Perimeter-Gateway-02
(192.168.100.4) are both Established neighbors for these networks.
At this point, any traffic connected to the distributed router can egress out either of the
perimeter gateways with ECMP.
1. Expand RegionA01.
2. Right-click Perimeter-Gateway-01-0.
3. Click Power.
4. Click Shut Down Guest OS.
Confirm Shutdown
1. Click Yes.
With ECMP, BGP, and OSPF in the environment, we are able to dynamically change
routes in the event of a failure in a particular path. We will now simulate one of the
paths going down, and route redistribution occuring.
ping -t db-01a
You will see pings from the control center to the database server (db-01a) start.
Leave this window open and running as you go to the next step.
When the VM console launches in the browser tab, it will appear as a black screen. Click
inside the black screen and press Enter a few times to make the VM console appear
from the screensaver.
show ip route
Note: Only the Perimeter-Gateway-02 is now available to acces the vPod Router network
segments.
1. Expand RegionA01.
2. Right-click Perimeter-Gateway-01-0.
3. Click Power.
4. Click Power On.
It will take a minute or two for the VM to power up. Once it shows the VMTools are online
in the VM Summary, you can move to the next step.
1. Click Refresh icon. This will check for updates on the VMTools status.
• On the taskbar, go back to your command prompt running your ping test.
Although this is not a clear depiction of the fail over from Perimeter-Gateway-02 to
Perimeter-Gateway-01, the ping traffic would migrate from Perimeter-Gateway-02 to
Perimeter-Gateway-01 with minimal impact if the active path went down.
When the VM console launches in the browser tab, it will appear as a black screen. Click
inside the black screen and press Enter a few times to make the VM console appear
from the screensaver.
Show Routes
Let's check the status of the routes on the Distributed-Router-01 since we powered
Perimeter-Gateway-01 back up.
show ip route
Note: we should now see that all vPod Router networks have returned to dual
connectivity.
A final note on ECMP and HA in this lab. While we have shutdown Perimeter-
Gateway-01, the result of of doing this on Perimeter-Gateway-02 would be the
same.
The only caveat is that the Customer DB App does not work when Perimeter-
Gateway-01 is offline since the web server VMs are directly connected to it. We could
resolve this by moving the Web-Tier down to the Distributed-Router-01 as you did the
Database and App networks in the Dynamic and Distributed Routing section of this
lab. Once that is complete, the Customer DB App will function if Perimeter Gateway 1 or
2 were offline. It is important to note that performing this migration will break
other modules in this lab! This is the reason it is not done as part of the
manual. If other modules are not going to be attempted, this migration can
be performed without an issue.
Delete Perimeter-Gateway-02
Confirm Delete
1. Click Yes.
1. Double-click Distributed-Router-01.
1. Click Manage.
2. Click Routing.
3. Click Global Configuration.
4. Click Disable.
Publish Change
1. Double-click Perimeter-Gateway-01.
1. Click Manage.
2. Click Routing.
3. Click Global Configuration.
4. Click Disable.
Publish Change
Module 3 Conclusion
In this module, we covered the routing capabilities of NSX Distributed Logical Router and
Edge Services Gateways:
1. Migrated Logical Switches from Edge Services Gateway (ESG) to the Distributed
Logical Router (DLR).
2. Configured the dynamic routing protocol between ESG and DLR.
3. Review the centralized routing capabilities of ESG and dynamic route peering
information.
4. Demonstrated scalability and availablity of ESG by deploying a second ESG and
establishing route peering between the two ESGs via Equal Cost Multipath (ECMP)
route configuration.
5. Removed ESG2 and ECMP route configuration.
If you are keen to learn more about NSX, please visit the NSX 6.3 Documentation Center
via the following URL:
• Go to https://tinyurl.com/y9zy7cpn
• (15 minutes) - Basic - This module will walk you through a basic install of NSX
including deploying the .ova, configuring NSX Manager, deploying controllers and
preparing hosts.
• (30 minutes) - Basic - This module will cover the creation of logical switches and
add virtual machines to the logical switches.
• (60 minutes) - Basic - This module will demonstrate the dynamic and distributed
routing capabilities supported on the NSX platform by providing routes between a
3-tier application.
• (45 minutes) - Basic - This module will cover the Distributed Firewall and Service
Composer creating firewall rules between a 3-tier application.
• (30 Minutes) - Basic - This module will help understand how NSX can help secure
applications and virtual machines using dynamic inclusion with security groups.
• (45 Minutes) - Basic - This module will demonstrate the capabilities of the Identity
Based Firewall feature and how it can provide security with Active Directory
integration.
• (30 Minutes) - Basic - This module will demonstrate application micro-
segmentation with Application Rule Manager.
Lab Captains:
Module 4 - Service
Composer and Distributed
Firewall Overview (45
minutes)
• Review and create a Security Group for VMs, defined by dynamic membership
• Review, create, and apply a firewall rule to the Security Group via a Security
Policy
• Review the Service Composer Canvas as an interface to show the mapping of
Security Policies to Security Groups
Start the module from your desktop. The desktop is your Control center jumpbox in
the virtual environment. From this desktop you will access the vCenter Server
Appliance deployed in your virtual datacenter.
Special Note: On the desktop you will find a file names README.txt. It
contains the user accounts and passwords used for all the virtual devices and
VM's in the lab.
During this module, you will input text into the Main Console. Besides directly typing it
in, there are two very helpful methods of entering data which make it easier to enter
complex data.
You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.
1. Bring up the vSphere Web Client via the icon on the desktop labeled, Google
Chrome.
If you are not already logged into the vSphere Web Client:
(The home page should be the vSphere Web Client. If not, Click on the vSphere Web
Client Taskbar icon for Google Chrome.)
You will now configure Distributed Firewall access to a 3-tier application. The application
has two web servers, and one each of an application and database server. There is also
a Load Balancer servicing the two web servers.
Next you will test communication and access between the network segments and guest
VMs making up the 3-tier application. Your first test will be to open a console to web-
sv-01a and ping the other members.
First you will show that web-01a can Ping web-02a by entering
ping -c 2 172.16.10.12
ping -c 2 172.16.20.11
ping -c 2 172.16.30.11
(Note: You might see DUP! at the end of a Ping line. This is due to the nature of the
virtual lab environment using nested virtualization and promiscuous mode on the virtual
routers. You will not see this in production.)
Using a browser you will access the 3-tier application to demonstrate the function
between the 3 parts.
You should get back data that passed from the web tier to the app-01a vm and finally
queried the db-01a vm.
In this section you will change the default Allow rule to Block and show communication
to the 3-tier application to be broken. After that you will create new access rules to re-
establish communication in a secure method.
3. Select Firewall on the left. You will see the Default Section Layer3 on the General
Section.
Notice the Rules have green check marks. This means a rule is enabled. Rules are
built in the typical fashion with source, destination, and service fields. Services are a
combination of protocols and ports.
Scroll to the right and you can see the Action choices for the Default Rule by placing the
cursor in the field for Action:Allow on rule 5. This will bring up a pencil sign that allows
you to see the choices for this field.
1. Click Save
You will notice a green bar appears announcing that you now need to choose either to
Publish Changes, Revert Changes or Save Changes. Publish pushes to the DFW. Revert
cancels your edits. Save Changes allows you to save and publish later.
To test the block rule using your previous Putty and browser sessions
• Putty: In a few moments opening Putty will show it is no longer active due to the
default rule now blocks everything including SSH. Minimize the console again.
Service Composer defines a new model for consuming network and security services in
virtual and cloud environments. Polices are made actionable through simple
visualization and consumption of services that are built-in or enhanced by 3rd party
solutions. These same polices can be made repeatable through export/import
capabilities, which would help make it easier to stand up and recover an environment
when there is an issue. One of those objects for repeatable use is a Security Group. We
will cover Service Composer and Security Groups in depth in a later the module, called
"Service Compose and DFW Overview."
1. Select Security Groups. Note: there may be existing security groups to be used
in another lab module
2. To add a new security group click the New Security Group icon
Note: As a shortcut you can double-click the VMs on the left and they will move to the
right in this one step.
You have created a security group named Web-tier having 2 VMs assigned.
Next you will add new rules to allow access to the web vm and then set up access
between the tiers.
1. On the far right of the "Flow Monitoring & Trace Flow Rules-Disabled by Default
(Rule 1)" row click on Add Section which looks like a folder
1. On the row for the new "3-tier App" section click on the Add rule icon which is a
green plus-sign.
1. Hover the mouse pointer in the Destination field and select the Destination
pencil sign.
Destination:
1. Pull down the Object Type and scroll down until you find Security Group
2. Click on Web-tier
3. Click on the top arrow to move the object to the right
4. Click OK
Edit Service
1. Again hover in the Service field and click on the pencil sign.
In the search field you can search for service pattern matches.
1. Enter "https" and press enter to see all services associated with the name
https
2. Select the simple HTTPS service
3. Click on the top arrow
4. Note: Repeat the above steps 1-3 to find and add SSH. (You will see later
in the module that we need SSH.)
5. Click OK
Note: This will cause the green bar with the option to publish or revert changes.
You will now add a second rule to allow the Web Security Group to access the App
Security Group via the App port.
1. As you did before hover the mouse over the Name field and click the pencil.
Enter "Web to App" for the name
2. Choose Web-tier Security Group for the Source field
In the first rule you used the Web-tier security group as the destination. You could
proceed with the remaining rules in the same fashion. But as you see from the drop-
down you can use several vCenter objects already defined. A powerful time saving
aspect of the integrated vSphere with NSX Security is you can use existing virtual
datacenter objects for your rules rather having to start from scratch. Here you will use a
VXLAN Logical Switch as the destination. This allows you to create a rule to be applied
to any VM attached to this network.
1. Scroll down in the Object Type drop-down and click on Logical Switch choice
2. Select App_Tier-Logical_Switch
3. Click on the top arrow to move the object to the right
4. Click OK
1. Hover over the Service Field and click the pencil to edit.
The 3-tier application uses tcp port 8443 between the web and app tiers. You will create
a new Service called MyApp to be the allowed service.
Click OK
• Click OK
Repeating the steps: On your own create the third and last rule below your last rule to
give access between the App Tier Logical Switch and the DB Tier Logical Switch.
1. Create the final rule allowing the App Logical Switch to communicate
with the Database Logical Switch via the HTTP service.
Your new rule should look like the one listed in the example.
2. Publish Changes
1. Return to the tab you used previously for the Web App.
2. Refresh the browser to show you are getting the data via the 3-tier app.
web-02a
ping -c 2 172.16.10.12
app-01a
ping -c 2 172.16.20.11
db-01a
ping -c 2 172.16.30.11
Pings are not allowed and will fail as ICMP is not allowed between tiers or tier members
in your rules. Without allowing for ICMP between the tiers the Default Rule now blocks
all other traffic.
The diagram shows the relative enforcement point of the vNIC level firewall. Although
the DFW is a Kernel Loadable Module (KLM) of the vSphere ESXi Host the rules are
enforced at the vNIC of the guest VM. This protection moves with the VM during
vMotion to provide complete fulltime protection not allowing for a "window of
opportunity" during which the VM is susceptible to attack.
Module Clean Up
You will need to set the Default Rule back to Allow to proceed to the next Module.
You create a SpoofGuard policy for specific networks that allows you to authorize the IP
addresses reported and alter them if necessary to prevent spoofing. SpoofGuard
inherently trusts the MAC addresses of virtual machines collected from the VMX files
and vSphere SDK. Operating separately from Firewall rules, you can use SpoofGuard to
block traffic determined to be spoofed.
SpoofGuard supports both IPv4 and IPv6 addresses. When using IPv4, the SpoofGuard
policy supports a single IP address assigned to a vNIC. IPv6 supports multiple IP
addresses assigned to a vNIC. The SpoofGuard policy monitors and manages the IP
addresses reported by your virtual machines in one of the following modes:
This mode allows all traffic from your virtual machines to pass while building a table of
vNIC-to-IP address assignments. We can review this table at our convenience and make
IP address changes. This mode automatically approves all ipv4 and ipv6 address on a
vNIC.
This mode blocks all traffic until there is an approval each vNIC-to-IP address
assignment.
SpoofGuard includes a system-generated default policy that applies to port groups and
logical networks not covered by the other SpoofGuard policies. A newly added network
is automatically added to the default policy until the administrator adds the network to
an existing policy or creates a new policy for it.
NSX distributed firewall operation requires discovery of IP addressees for objects that
are specified as a source or a destination. Prior to NSX 6.2, this was achieved by
VMtools inside the VM. This exercise will show you how to discover IP addresses with
VMtools and Trust-On-First-Use.
Explore SpoofGuard
1. Click Change
Enable SpoofGuard
2. Click Finish
First, we must migrate the linux-01a VM from its existing vDS to a Logical Switch to
leverage SpoofGuard IP Discovery capabilities.
1. Check the box for the linux-01a vNIC to migrate to the Logical Switch
2. Click Next
Remember you can use the "click and drag" feature to copy CLI commands into the
active window
Verify IP Configuration
ifconfig
ping -c 2 192.168.120.1
Note: the ping test in this step will fail because we have not connected the
Linux_Logical_Switch to an NSX Edge to provide routing. We only want to
initiate traffic from the VM in order for SpoofGuard to identify this VM.
1. Press Control+Alt to move your cursor out of the Remote Console Window
2. Return to the vSphere Web Client browser tab by clicking on it
1. Under the Navigator, click the Back buton in the history field until you get back
to to the NSX configuration interface.
Notice that the Source Field denotes TOFUARP (Trust On First Use ARP) for the address
192.168.120.115.
• Click Approve
Note: we may have to scroll to the right to view the Approve action
Publish IP Approval
1. Select Active Virtual NICs Since Last Published from the drop down menu
Note: linux-01a is no longer listed because we have approved the IP address for use by
that VM, and no activity has originated from the VM since the approval.
SpoofGuard Wrap Up
This concludes the section on Improved IP Discovery Mechanism for Virtual Machines
and SpoofGuard. We have successfully migrated a VM into the NSX environment, and
leveraged SpoofGuard to learn the IP address of the VM with the new Trust-On-First-Use
ARP feature.
Note that security group membership changes constantly. For example, a virtual
machine tagged with the AntiVirus.virusFound tag is moved into the Quarantine security
group. When the virus is cleaned and this tag is removed from the virtual machine, it
again moves out of the Quarantine security group.
You will see that you can use Computer OS Name, Computer Name, VM Name, Security
Tag, or Entity. Entity allows you to pick from many elements of the vCenter including
Resource Pool, Directory Domain Group, Logical Switches, Distributed Port Group and
many more.
The Criteria choices will vary depending on the Object Type chosen.
1. Select VM Name from the first Criteria Details drop down list.
2. Verify Contains is selected in the middle drop down of the page.
3. Enter "web" in the dialog box.
4. Click Finish.
View Membership
1. Click the number in the Virtual Machine column associated with the new Web
Security Group.
Note: There should 6 in the Virtual Machine column for the Web Security Group,
including all VMs with "WEB" in their name, without consideration for capitalization, or IP
networks.
2. Click the X in the upper right hand corner of the dialog box to close it.
During service deployment in NSX, the third party vendor selects the service category
for the service being deployed. A default service profile is created for each vendor
template.
Note When you have many security groups to which you need to attach the same
security policy, create an umbrella security group that includes all these child security
groups, and apply the common security policy to the umbrella security group. This will
ensure that the NSX distributed firewall utilizes ESXi host memory efficiently.
Note: we are going to apply this Security Policy to the Policy's Security Group,
which is now defined as the Source and Destination for our Firewall rule.
Click OK
1. Click OK
1. Click Finish
This information verifies that our rules have successfully synced with the Firewall rules
in NSX, and are being correctly applied to the Security Groups
1. Click on Firewall
1. Expand the firewall section "Block Web-to-Web Traffic" and verify the
rules creation
Next we will test communication and access between the Web VMs making up the 3-tier
application. Our first test will be to open a console to web-01a and ping web-02a.
1. Ping web-02a.
ping -c 2 web-02a
Pings will fail between the Web VMs per the Security Policy.
This topic introduces Service Composer by walking you through a partially configured
system so that you can visualize the mappings between security groups and security
policy objects at a high level from the canvas view.
All security groups within the selected NSX Manager (that are not contained within
another security group) are displayed along with the policies applied on them. The NSX
Manager drop-down lists all NSX Managers on which the currently logged in user has a
role assigned.
Each rectangular box in the canvas represents a security group and the icons within the
box represent security group members and details about the security policy mapped to
the security group.
A number next to each icon indicates the number of instances - for example, the
number 1 next to the Security Policy icon indicates that a policy is mapped to that
Security Group
This icon Security Groups nested within the main security group. In your Security
Group there are no nested groups.
1. Click the Virtual Machine icon in the bottom left hand corner of the Canvas.
2. Close the window.
Virtual machines that are currently part of the main security group as well as nested
security groups. If we had any virtual machines with services errors, we could click on
the the Errors tab to see those virtual machines.
1. Click the Security Policy icon in the top right hand corner of the Canvas.
Optional Actions:
• You can create a new security policy by clicking the Create Security Policy
icon. The newly created security policy object is automatically mapped to the
security group.
• Map additional security policies to the security group by clicking the Apply
Security Policy icon.
Suppose you have two policies applied to a security group and both have the same
category Endpoint service configured. The effective service count in this case will be 1
(since the second lower priority service is overridden).
Note: Guest Introspection Service failures, if any, are indicated in the Errors tab.
Clicking the Errors icon displays the issues.
1. Click the Firewall rules icon to display firewall rules associated with the
security policy mapped to the security group.
2. Close the window.
Note: Again, Network Introspection Service failures, if any, are indicated in the Errors
tab. Clicking the Errors icon displays the issues.
1. Enter "hr" in the search field in the top right corner of the Canvas window to
display only the security groups with "hr" in their names.
1. Click the Top Level icon at the top left of the window
2. Click the Internal Services
This will allow us to see the security group hierarchy, and if a security group contains
nested security groups
The top bar displays the name of the parent security group and the icons in the bar
display the total number of security policies, endpoint services, firewall services, and
network introspection services applicable to the parent group.
1. We can navigate back up to the top level by clicking the blue Go up one level
arrow icon in the top left part of the window.
You can zoom in and out of the canvas view smoothly by moving the zoom slider on the
top right corner of the window. The Navigator box shows a zoomed out view of the
entire canvas. If the canvas is much bigger than what fits on your screen, it will show a
box around the area that is actually visible and you can move it to change the section of
the canvas that is being displayed.
Module 4 - Conclusion
This now completes Module 4 on Service Composer and Distributed Firewall. We have
created both static and dynamic Security Groups, applied both static and dynamic
Security Policies, including firewall rules, and used SpoofGuard to discover and allow
VMs on to the network that are not running VMTools.
Module 4 Clean Up
Prior to finishing Module 4, you need to remove the rule that was created during this
section.
If you are looking for additional information on NSX Routing capabilities and
configuration, then please review the NSX 6.3 Documentation Center via the URL below:
• Go to https://tinyurl.com/zwch3gh
• (15 minutes) - Basic - This module will walk you through a basic install of NSX
including deploying the .ova, configuring NSX Manager, deploying controllers and
preparing hosts.
• (30 minutes) - Basic - This module will cover the creation of logical switches and
add virtual machines to the logical switches.
• (60 minutes) - Basic - This module will demonstrate the dynamic and distributed
routing capabilities supported on the NSX platform by providing routes between a
3-tier application.
• (45 minutes) - Basic - This module will cover the Distributed Firewall and Service
Composer creating firewall rules between a 3-tier application.
• (30 Minutes) - Basic - This module will help understand how NSX can help secure
applications and virtual machines using dynamic inclusion with security groups.
• (45 Minutes) - Basic - This module will demonstrate the capabilities of the Identity
Based Firewall feature and how it can provide security with Active Directory
integration.
• (30 Minutes) - Basic - This module will demonstrate application micro-
segmentation with Application Rule Manager.
Lab Captains:
Module 5 - Intelligent
Grouping (30 minutes)
Intelligent Grouping
Module 3 Intelligent Grouping
Introduction
The End of Support (EOS) of major enterprise platforms like Windows XP, Windows
2000 Server, and Windows Server 2003 are a major challenge for organizations running
mission-critical applications necessary for day-to-day business. For example, in July
2015, when Microsoft ended support for Windows 2003, it put millions of enterprise
servers at risk.
Organizations using an Operating Systems that is EOS likely introduced serious security
risks into their environments, unless they are fully prepared to migrate to a new
platform or put compensating controls in place. Hackers know that platform providers
like Microsoft will no longer acknowledge or patch vulnerabilities, so these systems
quickly become a favorite target for attacks, and the risks of running an unsupported
platform after EOS will increase over time as more issues are found and not patched.
NSX can help mitigate the issue of EOS Operating Systems by providing additional
security via the Distributed FireWall (DFW) and Service Composer. In this lab you will use
NSX Security Groups to corral windows XP VMs and provide firewall polices to protect
them in a simulated environment.
Lab Captain:
If you are not already logged into the vSphere Web Client:
(The home page should be the vSphere Web Client. If not, Click on the vSphere Web
Client Taskbar icon for Google Chrome.)
1. Clicking on the Push-Pins will allow task panes to collapse and provide more
viewing space to the main pane. You can also collapse the left-hand pane to gain
the maximum space.
1. Select Home
2. Select VMs and Templates
1. Select win-xp-01.corp.local.
2. Select the Summary tab.
3. Click to launch the console.
login Creditials
We see the Windows XP VM has full access to our internal applications. This is the
desired security posture.
The control console VM exists outside of the virtual environment we are using for this
lab. As such it represents a service external to our environment. We will use the control
center IP address 192.168.110.10 to represent Internet services.
If “Command Prompt” icon not shown. Click “Run” and type “cmd” and press
Enter to bring up the Command Prompt”
First you will show that win-xp-01 can reach the external network by pinging a vm
external to the defined virtual datacenter. In this case you will use the address of the
Main Console (192.168.110.10). This represents the Internet.
ping 192.168.110.10
As you can see as illustrated by the ping we can reach External Services. This creates a
large potential security concern for VMs running End of Support Operating Systems.
The Security Group has been created and has Dynamically included the windows XP VM.
Move your mouse of over the Virtual Machines column. It should indicate 1.
1. Click the number "1" to display the name of the VM in the Security Group.
2. Click the "X" to close the window.
Limit VM Access
We will now apply rules to limit VM external access.
Apply Policy
Go to Service Composer.
Select Destination
In order to make this Lab easier to configure the Internal Services Security Group was
premade and contains VMs that are apart of the internal applications. We are creating
rules that will allow the EOS XP VMs to access these Internal Services but not to access
external services(i.e the internet).
Verify settings:
Service: Any
State: Enabled
1. Click OK.
1. Click Finish.
1. Click the Add Section icon on the Flow Monitoring Rule section
2. Type "Internal Services to Internal Services" as the Section Name
3. Verify Add section Below is selected
4. Click Save
Publish Changes
1. Hover and Click the Pencil Icon to Edit the Firewall Name.
2. Type the rule name: App to App.
3. Click Save.
Our new firewall rule will allow our internal application to communicate between
Application Tiers.
In order to block any unwanted traffic including traffic to external services from the
Windows XP EOS VMs we need to enable blocking on the default firewall rule. The
default firewall rule is in the default firewall section.
Publish Changes
You will see that the page is refreshed. This is allowed by your firewall rule between
Internal Services.
ping 192.168.110.10
Now we can see that win-xp-01a has access to internal services, but its external access
has been completely blocked per the Group Policy.
Publish Changes
1. Publish Changes.
Module 5 Conclusion
Congratulations on completing Module 5.
In the lab we have seen how using intelligent grouping can quickly containerize End of
Support Operating Systems via security groups. Once security groups are in place we
can use them to create firewall rules that can both limit access to and from the virtual
machines contained within. The Security Groups are a versatile tool and can be reused
to change or create new policies as our security requirements evolve.
If you are looking for additional information on NSX Security Groups capabilities and
configuration, then please review the NSX 6.3 Documentation Center via the URL below:
• Go to https://tinyurl.com/zwch3gh
• (15 minutes) - Basic - This module will walk you through a basic install of NSX
including deploying the .ova, configuring NSX Manager, deploying controllers and
preparing hosts.
• (30 minutes) - Basic - This module will cover the creation of logical switches and
add virtual machines to the logical switches.
• (60 minutes) - Basic - This module will demonstrate the dynamic and distributed
routing capabilities supported on the NSX platform by providing routes between a
3-tier application.
• (45 minutes) - Basic - This module will cover the Distributed Firewall and Service
Composer creating firewall rules between a 3-tier application.
• (30 Minutes) - Basic - This module will help understand how NSX can help secure
applications and virtual machines using dynamic inclusion with security groups.
• (45 Minutes) - Basic - This module will demonstrate the capabilities of the Identity
Based Firewall feature and how it can provide security with Active Directory
integration.
• (30 Minutes) - Basic - This module will demonstrate application micro-
segmentation with Application Rule Manager.
Lab Captains:
Introduction
In this Lab Module you will create firewall rules using the NSX Identity Based Firewall
feature. This feature uses a connection to Active Directory from the NSX manager. The
NSX manager scans the event log of the AD Server to determine log on credentials and
events. Users logging on to VMs can have their VMs instantly assigned to Security
Groups based on their AD groups. The Security Groups combined with firewall rules
allow us to control access within our environment.
This lab uses two different Active Directory groups and two different users. The first
user, a network administrator who should be able to get to any application in the
environment and a Human Resources administrator who should only have access to a
specific HR web based application.
Lab Captain:
If you are not already logged into the vSphere Web Client:
(The home page should be the vSphere Web Client. If not, Click on the vSphere Web
Client Taskbar icon for Google Chrome.)
On the left go down to the NSX Managers. Notice it denotes only one.
1. Click on 192.168.110.42.
Notice that the table has an entry. This is partially-configured for another lab module
but you will step through the process so you have the opportunity to review how the
connection was created.
This connection requires you to provide AD information so that vCenter can access AD
for group information. NOTE: This is different from associating a vCenter to AD for
permissions used in Users/Roles.
For the name field you would enter a name. You would next enter the NetBIOS name
for the domain.
1. Click Next
1. Click Finish.
AD Synchronization
With a configured and synchronized AD connection you are ready to make use of the AD
Groups in your security policies.
1. Click the Add rule icon on the newly created rule section.
2. Click to Expand the newly created rule section.
3. Click the pencil Icon on the Name column to edit the new rule.
Name Rule
2. Click Save.
Edit Source
You are going to add a Domain Group to the Source field of the Network Admin rule.
Choose AD Group
Complete AD Group
1. Click Finish.
1. Click OK
1. Hover and Click Pencil Icon in the Destination Column of the new created rule.
1. Select Security Group from the Object type Pull down menu.
2. Select the pre-created Internal Services security group.
3. Click the Right-arrow icon to add it to the Selected Objects.
4. Click OK.
The "Internal Services" security group is made up of all the VMs in the internal
environment. This rule will allows the admin to connect to any application and or any
VM in the internal environment.
Name Rule
1. Hover and Click the Pencil icon in the Name column of the newly created rule.
2. Rule Name type: Human Resources Access.
3. Click Save.
Edit Source
You are going to add a Domain Group to the Source field of the HR Admin rule.
4. Click on "OK"
1. Click on "Finish".
1. Click OK.
1. Hover and Click Pencil Icon in the Destination Column of the new created
rule.
1. Select Virtual Machine from the Object type Pull down menu.
2. Enter "web" in search field.
3. Select hr-web-01a from the Available Objects window.
4. Click the arrow icon to add it to the Selected Objects.
5. Click OK.
Define Service
HR Admins should only have access to the applications via web access. (HTTP and
HTTPS)
The new rule should Allow HR-Admin (Human Recources AD group members) to
access the HR and Web Applications using HTTP and HTTPS Services.
We have created a AD based firewall rules to allow HR admins and Net admins to access
the appropriate applications based on there role. However we still need to Add an
additional rule to allow access between internal services as well as modifying the
Default firewall rule to block all other access including External access.
1. Click the Add Section icon on the "Flow Monitoring & Traceflow Rule
Section"
2. Type "Internal Services to Internal Services" as the Section Name
3. Verify Add section Below is selected
4. Click Save
Publish Changes
Our new firewall rule will allow our internal application to communicate between
Application Tiers.
1. Verify the Source and Destination are security group " Internal Services"
2. Verify Action Allow
3. Click Publish Changes
In order to block any unwanted traffic we need to enable blocking on the default firewall
rule. The default firewall rule is in the default firewall section.
Publish Changes
You can test the new Identity based rules by opening a console to the Jump Box
(win-12-jump) VM in the domain and logging in as a member of the Active Directory
AppConfiguration group or the Human Resources group. User Netadmin is a member
of the AppConfiguration group and therefore can login into any internal application or
application teir. User HRadmin is a member of the Human Resources group and can
only login into HR web application and the Financial web application. You will login as
each and see the results of trying to access the multiple 3-tier applications.
Login in as HRadmin
User HRadmin is part of the Hresources domain group and is ONLY allowed to access
the HR Medical application.
This link will FAIL. Again user HRadmin is part of the Hresources domain group and is
ONLY allowed to access the HR Medical application.
Login in as NetAdmin
User NetAdmin is part of the AppConfiguration domain group and is allowed to access all
applications.
User NetAdmin is part of the AppConfiguration domain group and is allowed to access all
applications.
User NetAdmin is part of the AppConfiguration domain group and is allowed to access all
applications.
Module 6 Conclusion
Congratulations on completing Module 6.
In the lab we have seen how using Identity Based Firewall features within NSX we can
control access to internal applications. We created AD based firewall rules for both a
Network Administrator and a Human Resources Administrator. These rules allow the HR
admin to only connect to the HR web application via HTTP protocol. The rules also
allow the Network Admin to connect to any of the applications via any protocol. In this
way we can control access to the correct applications with the correct level of privilege
based on roles within the organization.
If you are looking for additional information on NSX Identity Based Firewall capabilities
and configuration, then please review the NSX 6.3 Documentation Center via the URL
below:
• Go to https://tinyurl.com/zwch3gh
• (15 minutes) - Basic - This module will walk you through a basic install of NSX
including deploying the .ova, configuring NSX Manager, deploying controllers and
preparing hosts.
• (30 minutes) - Basic - This module will cover the creation of logical switches and
add virtual machines to the logical switches.
• (60 minutes) - Basic - This module will demonstrate the dynamic and distributed
routing capabilities supported on the NSX platform by providing routes between a
3-tier application.
• (45 minutes) - Basic - This module will cover the Distributed Firewall and Service
Composer creating firewall rules between a 3-tier application.
• (30 Minutes) - Basic - This module will help understand how NSX can help secure
applications and virtual machines using dynamic inclusion with security groups.
• (45 Minutes) - Basic - This module will demonstrate the capabilities of the Identity
Based Firewall feature and how it can provide security with Active Directory
integration.
• (30 Minutes) - Basic - This module will demonstrate application micro-
segmentation with Application Rule Manager.
Lab Captains:
Module 7 - NSX
Application Rule Manager
(30 minutes)
The Application Rule Manager (ARM) is a new toolset introduced in NSX 6.3. Application
Rule Manager utilizes real-time flow data to enable quick and efficient
microsegmentation planning and implemenation of Zero Trust security models. ARM
provideds a new way to help secure new or existing applications on scales larger than
what Log Insight can handle, and environments on a smaller scale than what vRealize
Network Insight (vRNI) would address.
ARM gathers real-time flow data both IN, OUT and between application workloads
allowing for the creation of app-centric security models. ARM can monitor up to 30 VMs
per session and a total of 5 sessions can be running at any given time. ARM also
provides visibility into blocked flows and the firewall rules that are blocking the traffic.
1. Select virtual machines (VMs) that form the application and need to be
monitored. Once configured, all incoming and outgoing flows for a defined set of
VNICs (Virtualized Network Interface Cards) on the VMs are monitored. There can
be up to five sessions collecting flows at a time.
2. Stop the monitoring to generate the flow tables. The flows are analyzed to reveal
the interaction between VMs. The flows can be filtered to bring the flow records to
a limited working set.
3. Use flow tables to create grouping object such as security groups, IP sets,
services and service groups and firewall rules.
Lab Captain:
Application Microsegmentation
Launch Chrome Browser and vSphere Web Client
If you are not already logged into the vSphere Web Client:
(The home page should be the vSphere Web Client. If not, click on the vSphere Web
Client Taskbar icon for Google Chrome.)
1. Select Home
2. Select Networking & Security
Application Rule Manager is now collecting flow data from the three HR_App virtual
machines. The longer the collection process runs, the more data you will have to
analyze. For our purposes, we will collect flow data for three minutes. To generate some
flow data:
ping -c 2 172.16.60.12
ping 172.16.60.10
Within three minutes, you will see Flows in the Flow Monitoring console. The number of
flows will vary in each lab.
Here we can see source and destination IPs as well as services like HTTP, HTTPS, etc.
Before we analyze the data collected for HR_App, we will configure a second session for
Fin_App in order to demonstrate collecting multiple data flow sessions.
Application Rule Manager is now collecting flow data from the three Finance_App virtual
machines. The longer the collection process runs, the more data you will have to
analyze. For our purposes, we will collect flow data for three minutes. To generate flow
data, open a new Chrome browswer tab and click on the Finance DB App bookmark
and refresh the page several times. Within three minutes, you will see Flows in the Flow
Monitoring console. The number of flows will vary in each lab.
1. Click Stop
2. Click Yes
Review Sessions
We can now see that Application Rule Manager has successfully collect flow data for
both the HR_DB_App and Finance_DB_App virtual machines.
Review Sources
1. Verify Analysis Complete has green checkmark. This indicates data analysis
was successful.
After analyzing and processing flow data, NSX has replaced the IPs with VM names,
making it easier to logically map flows between objects.
We will use the information ARM has given us to microsegment virtual machines within
and between HR__DB_App & Finance_DB_App. Let's see if hr-web-01a can communicate
with hr-db-01a.
ping -c 2 172.16.60.12
We just verified that the HR_DB_App web-01a virtual machine can communicate directly
with the db-01a virtual machine. This is not an ideal situation! Next, we will configure
appropriate firewall rules to control traffic between the three-tiered virtual machines.
Select Services
Confirm Configuration
1. Under Flow Details, select the Firewall Rules tab. Here we can see the firewall
rules you just created.
2. Firewall rules can also be Edited and Deleted from this view.
3. Click Publish
Enter Name
Here we can review the firwall rules we just configured in Application Rule Manager.
Next, we will test the HR_DB_App to make the web page still resolves and unsecure
traffic has been blocked.
1. Under the Default Rule, click on the Pencil icon to edit the rule.
2. Action: Block
3. Click Save
1. Publish Changes
Let's test if we can successfully ping the web, application and database servers from the
Main Console:
1. ping 172.16.60.10
2. ping 172.16.60.11
3. ping 172.16.60.12
ping 172.16.60.10
ping 172.16.60.11
ping 172.16.60.12
Now we can see that ICMP traffic is being blocked. The only allowed traffic is HTTPS.
Note: In this lab, we configured the web-01a firewall rule to allow SSH so we can access
the virtual machine via Putty to do the next test.
Open Putty
ping -c 2 172.16.60.12
1. ping -c 2 172.16.60.12
2. After about 10 seconds, enter Control+C to terminate.
Now we can see traffic from the web-01a to db-01a has been blocked!
Module 7 Conclusion
Congratulations on completing Module 7!
If you are looking for additional information on NSX Application Rule Manager
capabilities and configuration, then please review the NSX 6.3 Documentation Center
via the URL below:
• Go to https://tinyurl.com/zwch3gh
• (15 minutes) - Basic - This module will walk you through a basic install of NSX
including deploying the .ova, configuring NSX Manager, deploying controllers and
preparing hosts.
• (30 minutes) - Basic - This module will cover the creation of logical switches and
add virtual machines to the logical switches.
• (60 minutes) - Basic - This module will demonstrate the dynamic and distributed
routing capabilities supported on the NSX platform by providing routes between a
3-tier application.
• (45 minutes) - Basic - This module will cover the Distributed Firewall and Service
Composer creating firewall rules between a 3-tier application.
• (30 Minutes) - Basic - This module will help understand how NSX can help secure
applications and virtual machines using dynamic inclusion with security groups.
• (45 Minutes) - Basic - This module will demonstrate the capabilities of the Identity
Based Firewall feature and how it can provide security with Active Directory
integration.
• (30 Minutes) - Basic - This module will demonstrate application micro-
segmentation with Application Rule Manager.
Lab Captains:
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.
Version: 20171023-155706