VMware NSX: Install, Configure, Manage

Lab Topology

© 2017 VMware Inc. All rights reserved.


Lab Topology Overview

Site A (your desktop: vdc-<kitname>-a.vmeduc.com, green desktop background)

  Management-A 172.20.10.0/24 (dc-rras .10)
    Student desktop  172.20.10.80
    nsxmgr-a         172.20.10.42
    vcva-a           172.20.10.94
    esxi-a-01 .51, esxi-a-02 .52, esxi-a-04 .54, esxi-a-05 .55
    NSX Controllers (deployed in Lab 2)
  Production-A 172.20.11.0/24 (dc-rras .10; Perimeter Gateway uplink .3)
  Storage / vMotion 172.20.12.0/24 (dc-rras .10)

  Transit network 10.1.100.0/27: Perimeter Gateway .1, Distributed Logical Router .2 (protocol address .3)
  Distributed Logical Router, .1 on each tier:
    Web Tier 10.1.10.0/24   web-sv-01a .11, web-sv-02a .12
    App Tier 10.1.20.0/24   app-sv-01a .11
    DB Tier  10.1.30.0/24   db-sv-01a .11

Site B

  Management-B 172.20.110.0/24
    nsxmgr-b     172.20.110.43
    vcsa-b       172.20.110.95
    esxi-b-01    172.20.110.61

Subnet IP Addressing

Physical
Management A 172.20.10.0/24 Management B 172.20.110.0/24
Production A 172.20.11.0/24 Production B 172.20.111.0/24
vMotion A 172.20.12.0/24 vMotion B 172.20.12.0/24

Virtual
Web Tier A 10.1.10.0/24 Web Tier B 10.2.10.0/24
App Tier A 10.1.20.0/24
DB Tier 10.1.30.0/24
Transit 10.1.100.0/27

Infrastructure (Management Network) IP Addressing

  Student Desktop    172.20.10.80 (on Management A)
  NSX Manager A      172.20.10.42      NSX Manager B      172.20.110.43
  vCenter Server A   172.20.10.94      vCenter Server B   172.20.110.95
  ESXi-a-01          172.20.10.51      ESXi-b-01          172.20.110.61
  ESXi-a-02          172.20.10.52
  ESXi-a-04          172.20.10.54
  ESXi-a-05          172.20.10.55
  RRAS Server (dc-rras, the lab fence)  172.20.0.10, and .10 on each attached network:
    172.20.10.10 (Management A)   172.20.110.10 (Management B)
    172.20.11.10 (Production A)   172.20.111.10 (Production B)

Perimeter Gateway IP Addressing

  Perimeter Gateway (Site A)
    Primary IP address            172.20.11.3 (on Production A, 172.20.11.0/24)
    L2VPN and IPsec VPN endpoint  172.20.11.3
    1:1 NAT for web-sv-01a        172.20.11.5
    1:1 NAT for web-sv-02a        172.20.11.6
    Load Balancer VIP             172.20.11.7
    Transit                       10.1.100.1

  Perimeter Gateway - ECMP (Site A)
    Primary IP address            172.20.11.4
    Transit                       10.1.100.4

  Remote Gateway (Site B)
    Primary address               172.20.111.8 (on Production B, 172.20.111.0/24)

DLR and VM IP Addressing

  Distributed Logical Router (Site A)
    Web Tier   10.1.10.1
    App Tier   10.1.20.1
    DB Tier    10.1.30.1
    Transit    10.1.100.2

  Virtual Machines (Site A)          Virtual Machines (Site B)
    web-sv-01a   10.1.10.11            web-sv-01b   10.2.10.11
    web-sv-02a   10.1.10.12
    app-sv-01a   10.1.20.11
    db-sv-01a    10.1.30.11

Lab 1: Configuring NSX Manager

  Site A, Management-A 172.20.10.0/24 (dc-rras .10)
    Student desktop  172.20.10.80
    nsxmgr-a         172.20.10.42
    vcva-a           172.20.10.94
    esxi-a-01 172.20.10.51, esxi-a-02 172.20.10.52, esxi-a-04 172.20.10.54, esxi-a-05 172.20.10.55
    NSX Controllers (not yet deployed)
  Production-A 172.20.11.0/24 and Storage / vMotion 172.20.12.0/24: dc-rras is .10 on each network
  NTP/Syslog server for NSX Manager: 172.20.10.10 (dc-rras)

  Site B, Management-B 172.20.110.0/24
    nsxmgr-b 172.20.110.43, vcsa-b 172.20.110.95, esxi-b-01 172.20.110.61

Lab 2: Configuring and Deploying an NSX Controller Cluster

  Controller pool (Management-A): 172.20.10.240-172.20.10.254
  Site A, Management-A 172.20.10.0/24 (dc-rras .10)
    Student desktop 172.20.10.80, nsxmgr-a 172.20.10.42, vcva-a 172.20.10.94
    esxi-a-01 172.20.10.51, esxi-a-02 172.20.10.52, esxi-a-04 172.20.10.54, esxi-a-05 172.20.10.55
  Production-A 172.20.11.0/24 and Storage / vMotion 172.20.12.0/24: dc-rras is .10 on each network
  dc-rras also carries the link to Site B

Note: In a production deployment, VMware requires that each NSX Controller cluster contain three controller nodes, regardless of the size of the NSX deployment. For lab purposes only, you deploy a single controller.

Lab 4: Preparing for Virtual Networking

  Local Transport Zone, VXLAN ID (Segment ID) pool 5000-5999
  Hosts prepared for VXLAN:
    Management and Edge cluster:  esxi-a-01 172.20.10.51, esxi-a-02 172.20.10.52
    Compute cluster:              esxi-a-04 172.20.10.54, esxi-a-05 172.20.10.55
  Production-A 172.20.11.0/24 (dc-rras .10); dc-rras carries the link to Site B

Lab 5: Configuring Logical Switch Networks

  Logical switches: Transit Network, Web Tier, App Tier, DB Tier
  VMs attached to the logical switches:
    web-sv-01a 10.1.10.11 and web-sv-02a 10.1.10.12 (Web Tier)
    app-sv-01a 10.1.20.11 (App Tier)
    db-sv-01a 10.1.30.11 (DB Tier)
  Management-A: controller-1 172.20.10.240, Student desktop 172.20.10.80, dc-rras 172.20.10.10/24 (link to Site B)

Lab 6: Configuring and Deploying an NSX Distributed Router

  Distributed Logical Router (with Logical Router Control VM)
    DB Tier   10.1.30.0/24
    App Tier  10.1.20.0/24
    Web Tier  10.1.10.0/24
    Transit network interface 10.1.100.2/27
  VMs: web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  Management-A: controller-1 172.20.10.240, Student desktop 172.20.10.80, dc-rras 172.20.10.10/24 (link to Site B)

Lab 7: Deploying an NSX Edge Services Gateway and Configuring Static Routing

  Distributed Logical Router (with Control VM)
    DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24
    Transit-Network interface 10.1.100.2/27
    Static route on Transit-Network: 172.20.10.0/24, next hop 10.1.100.1 (the Perimeter Gateway)

  Perimeter Gateway (NSX Edge Services Gateway)
    Transit-Interface 10.1.100.1/27
    Uplink-Interface  172.20.11.3/24 (Production-A)
    Static route on Transit-Network: 10.1.0.0/16, next hop 10.1.100.2 (the DLR); this one summary covers all three tiers

  VMs: web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  dc-rras: Production-A 172.20.11.10/24, Management-A 172.20.10.10/24
  Student desktop 172.20.10.80

Lab 8: Configuring and Testing Dynamic Routing on NSX Edge Appliances

  Distributed Logical Router (with Control VM)
    DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24
    Transit-Network interface 10.1.100.2/27, OSPF Area 829
    Protocol address (Control VM) 10.1.100.3/27

  Perimeter Gateway (NSX Edge Services Gateway)
    Transit-Interface 10.1.100.1/27, OSPF Area 829
    Uplink-Interface  172.20.11.3/24
    Static route on Uplink-Interface: 172.20.10.0/24, next hop 172.20.11.10 (dc-rras)
    Static route redistribution into OSPF enabled, so the DLR learns 172.20.10.0/24 from the gateway

  VMs: web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  dc-rras: Production-A 172.20.11.10/24, Management-A 172.20.10.10/24
  Student desktop 172.20.10.80

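Static routes only work when every hop's table covers the destination and each prefix is well-formed (no host bits set; the tier summary is 10.1.0.0/16, not 10.1.10.0/16). The following Python is an added illustration, not part of the VMware lab guide: it models the Lab 7 and Lab 8 routing tables of the DLR and the Perimeter Gateway from the addresses on these slides, does longest-prefix-match lookups, and refuses a malformed prefix. The tables are constructed from the slides; nothing here talks to NSX.

```python
"""Longest-prefix-match check over the Lab 7/8 routing tables.

Added example, not part of the VMware lab guide. The tables below are
constructed from the addresses on the slides; nothing here talks to NSX.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[str]]


def is_valid_prefix(text: str) -> bool:
    """True only when the prefix has no host bits set.

    strict=True makes ipaddress reject '10.1.10.0/16'; the summary that
    actually covers the three tiers is '10.1.0.0/16'.
    """
    try:
        ipaddress.ip_network(text, strict=True)
        return True
    except ValueError:
        return False


def build_table(routes) -> List[Route]:
    """routes: (prefix, next_hop) pairs; next_hop None means directly connected."""
    table: List[Route] = []
    for prefix, next_hop in routes:
        if not is_valid_prefix(prefix):
            raise ValueError(f"{prefix}: host bits set, refusing to install")
        table.append((ipaddress.ip_network(prefix), next_hop))
    # Most specific prefix first, so the first hit is the longest match.
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return table


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Next hop for dst, 'connected' for an attached network, None if unroutable."""
    addr = ipaddress.ip_address(dst)
    for net, next_hop in table:
        if addr in net:
            return next_hop or "connected"
    return None  # neither device has a default route in this lab


# Distributed Logical Router: connected tiers plus the Lab 7 static route.
DLR = build_table([
    ("10.1.10.0/24", None),             # Web Tier, DLR .1
    ("10.1.20.0/24", None),             # App Tier, DLR .1
    ("10.1.30.0/24", None),             # DB Tier, DLR .1
    ("10.1.100.0/27", None),            # Transit, DLR .2
    ("172.20.10.0/24", "10.1.100.1"),   # static: Management-A via the ESG transit IP
])

# Perimeter Gateway (ESG): Lab 7 summary toward the DLR, Lab 8 route toward dc-rras.
ESG = build_table([
    ("10.1.100.0/27", None),               # Transit, ESG .1
    ("172.20.11.0/24", None),              # Production-A uplink, ESG .3
    ("10.1.0.0/16", "10.1.100.2"),         # static: all tiers via the DLR transit IP
    ("172.20.10.0/24", "172.20.11.10"),    # static: Management-A via dc-rras
])


def trace_from_tier(dst: str) -> List[Tuple[str, Optional[str]]]:
    """Hops a packet from a tier VM takes toward dst: the DLR first, then the
    ESG whenever the DLR hands the packet to 10.1.100.1."""
    hops = [("DLR", lookup(DLR, dst))]
    if hops[0][1] == "10.1.100.1":
        hops.append(("ESG", lookup(ESG, dst)))
    return hops


if __name__ == "__main__":
    for target in ("10.1.20.11", "172.20.10.80", "8.8.8.8"):
        print(target, trace_from_tier(target))
```

Running it shows the student desktop reached via DLR -> 10.1.100.1 -> 172.20.11.10, an inter-tier address handled on the DLR alone, and an Internet address dropped for lack of a default route, which is why a later lab adds dynamic routing rather than more statics.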
Lab 9: Configuring Equal Cost Multipathing

  Distributed Logical Router, ECMP enabled
    DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24
    Transit-Network interface 10.1.100.2/27, OSPF Area 829, protocol address 10.1.100.3/27

  Perimeter Gateway                        Perimeter Gateway - ECMP
    Transit-Interface 10.1.100.1/27          Transit-Interface 10.1.100.4/27
    OSPF Area 829                            OSPF Area 829
    Uplink-Interface  172.20.11.3/24         Uplink-Interface  172.20.11.4/24

  VMs: web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  dc-rras: Production-A 172.20.11.10/24, Management-A 172.20.10.10/24
  Student desktop 172.20.10.80

The DLR is enabled with ECMP. The two ESGs are used for north-south traffic.

Lab 10: Configuring L2 Bridging

  Distributed Logical Router, .1 on Web Tier 10.1.10.0/24 (web-sv-01a .11, web-sv-02a .12)
  Bridge instance on the DLR: Web Tier logical switch <-> distributed port group L2PG, VLAN 10, 10.1.10.0/24
  Both sides of the bridge share the single subnet 10.1.10.0/24, so no routing is involved between them.

Lab 11: Configuring and Testing NAT on an NSX ESG

  Distributed Logical Router (with Control VM): DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24
    Transit-Network 10.1.100.2/27, OSPF Area 829, protocol address 10.1.100.3/27
  Perimeter Gateway: Transit-Interface 10.1.100.1/27 (OSPF Area 829)
    Uplink-Interface 172.20.11.3/24 (primary), with 172.20.11.5 and 172.20.11.6 as the NAT addresses
  VMs: web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  dc-rras: Production-A 172.20.11.10/24, Management-A 172.20.10.10/24; Student desktop 172.20.10.80

  DNAT rules                                SNAT rules
    Original       Translated                 Original       Translated
    172.20.11.5    10.1.10.11                 10.1.10.11     172.20.11.5
    172.20.11.6    10.1.10.12                 10.1.10.12     172.20.11.6

  Each web server has a 1:1 pair: DNAT maps inbound connections to the public address onto the VM, and the matching SNAT makes the VM's outbound traffic appear from the same public address.

Lab 12: Configuring Load Balancing with NSX Edge Gateway (1)

  Topology as in Lab 11. The Perimeter Gateway now also runs the Load Balancer, with VIP 172.20.11.7 on the Uplink-Interface (primary 172.20.11.3/24; 172.20.11.5 and .6 remain the NAT addresses). Pool members are web-sv-01a 10.1.10.11 and web-sv-02a 10.1.10.12; the session is HTTPS end to end (SSL passthrough).

  Application Profile
    Name                    App-Profile
    Type                    HTTPS
    Enable SSL Passthrough  Enabled

  Server Pool
    Name        Server-Pool
    Algorithm   Round-Robin
    Monitors    None
    Members     web-sv-01a, web-sv-02a

  Member config (each member)
    Name             web-sv-01a / web-sv-02a
    IP Address       10.1.10.11 / 10.1.10.12
    Port             443
    Monitor Port     blank
    Weight           1
    Max Connections  blank
    Min Connections  blank

  Virtual Server
    Enable Virtual Server  Checked
    Application Profile    App-Profile
    Name                   VIP
    Description            blank
    IP Address             172.20.11.7
    Protocol               HTTPS
    Port                   443
    Default Pool           Server-Pool
    Connection Limit       blank
    Connection Rate Limit  blank

  With SSL passthrough enabled the edge does not terminate TLS: client sessions are balanced to the members as opaque TCP and no certificate is needed on the edge. Because Monitors is None, a failed member is not taken out of rotation.

Lab 12: Configuring Load Balancing with NSX Edge Gateway (2)

  Topology as in Lab 12 (1), except that the Perimeter Gateway gets an internal interface, Web Tier-Temp, on the Web Tier and the virtual server is moved onto it with VIP 10.1.10.1 (the DLR's Web Tier interface is not shown in this step). The Uplink-Interface keeps 172.20.11.3/24 (primary), 172.20.11.5 and .6 (NAT) and 172.20.11.7.

  Application Profile, Server Pool and Member config are unchanged from Lab 12 (1): App-Profile, HTTPS, SSL passthrough enabled; Server-Pool, Round-Robin, no monitors; members web-sv-01a 10.1.10.11 and web-sv-02a 10.1.10.12 on port 443, weight 1.

  Virtual Server
    Enable Virtual Server  Checked
    Application Profile    App-Profile
    Name                   VIP
    Description            blank
    IP Address             10.1.10.1
    Protocol               HTTPS
    Port                   443
    Default Pool           Server-Pool
    Connection Limit       blank
    Connection Rate Limit  blank

Lab 13: Advanced Load Balancing (1)

  Topology as in Lab 12 (2): the Load Balancer on the Perimeter Gateway serves VIP 10.1.10.1 on the Web Tier-Temp interface; Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 and .6 (NAT), 172.20.11.7. Pool members web-sv-01a 10.1.10.11 and web-sv-02a 10.1.10.12 are now reached over HTTP.

  Application Profile
    Name                    App-Profile
    Type                    HTTPS
    Enable SSL Passthrough  Disabled

  Server Pool
    Name        Server-Pool
    Algorithm   Round-Robin
    Monitors    None
    Members     web-sv-01a, web-sv-02a

  Member config (each member)
    Name             web-sv-01a / web-sv-02a
    IP Address       10.1.10.11 / 10.1.10.12
    Port             80
    Monitor Port     80
    Weight           1
    Max Connections  blank
    Min Connections  blank

  Virtual Server
    Enable Virtual Server  Checked
    Application Profile    App-Profile
    Name                   VIP
    Description            blank
    IP Address             10.1.10.1
    Protocol               HTTPS
    Port                   443
    Default Pool           Server-Pool
    Connection Limit       blank
    Connection Rate Limit  blank

  With SSL passthrough disabled the edge terminates TLS for 10.1.10.1:443 and opens plain HTTP to the members on port 80, so inside the Web Tier the traffic is unencrypted; this is what allows the edge to see and act on the HTTP layer, and it also means the edge needs its own server certificate.

Lab 13: Advanced Load Balancing (2)

  Topology as in Lab 12 (1): the DLR again owns the Web Tier 10.1.10.0/24, and the virtual server moves back to VIP 172.20.11.7 on the Uplink-Interface (172.20.11.3/24 primary, 172.20.11.5 and .6 NAT). SSL passthrough stays disabled and the members are addressed on port 443 again.

  Application Profile: App-Profile, type HTTPS, SSL passthrough disabled.
  Server Pool: Server-Pool, Round-Robin, no monitors; members web-sv-01a 10.1.10.11 and web-sv-02a 10.1.10.12, port 443, monitor port blank, weight 1, max/min connections blank.

  Virtual Server
    Enable Virtual Server  Checked
    Application Profile    App-Profile
    Name                   VIP
    Description            blank
    IP Address             172.20.11.7
    Protocol               HTTPS
    Port                   443
    Default Pool           Server-Pool
    Connection Limit       blank
    Connection Rate Limit  blank

Lab 14: Configuring NSX Edge High Availability

  Perimeter Gateway deployed as an HA pair; the two appliances exchange heartbeats on a dedicated Heartbeat Network, 192.168.222.1/30 and 192.168.222.2/30
    Transit-Interface 10.1.100.1/27, Uplink-Interface 172.20.11.3/24
  Distributed Logical Router (with Control VM): Transit-Network 10.1.100.2/27 (protocol address 10.1.100.3/27); .1 on Web Tier 10.1.10.0/24, App Tier 10.1.20.0/24 and DB Tier 10.1.30.0/24
  VMs: .11 and .12 on the Web Tier, .11 on the App Tier, .11 on the DB Tier
  Management-A 172.20.10.0/24 (dc-rras .10): Student desktop .80, nsxmgr-a .42, vcva-a .94, esxi-a-01 .51, esxi-a-02 .52, esxi-a-04 .54, esxi-a-05 .55, Controllers
  Production-A 172.20.11.0/24 and Storage / vMotion 172.20.12.0/24: dc-rras .10 on each

Lab 15: Configuring Layer 2 VPN Tunnel

  Site A
    Distributed Logical Router (with Control VM): DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24
      Transit-Network 10.1.100.2/27, OSPF Area 829, protocol address 10.1.100.3/27
    Perimeter Gateway (L2VPN server)
      Transit-Interface 10.1.100.1/27, OSPF Area 829
      Uplink-Interface 172.20.11.3/24 (primary); 172.20.11.5 and .6 (NAT); 172.20.11.7 (VIP)
      Subinterface Subint-to-Web-Tier, Tunnel ID 10, 10.1.10.1/24 (the Web Tier gateway, stretched into the tunnel)
    VMs: web-sv-01a 10.1.10.11, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
    dc-rras: Production-A 172.20.11.10/24; Student desktop 172.20.10.80

  Site B
    Remote Gateway (L2VPN client), Uplink-Interface 172.20.111.8
      Trunk interface on port group L2VPN-RemoteSiteTrunk; subinterface Subint-to-Web-Tier, Tunnel ID 10, 10.1.10.1/24
    web-sv-01b 10.1.10.13 (GW 10.1.10.1) on port group VPN-Web Tier, so it sits in the Site A Web Tier subnet across the tunnel
    Site B distributed port groups: L2VPN-RemoteSiteTrunk, VPN-Web Tier
    dc-rras: Production-B 172.20.111.10/24

  Perimeter Gateway L2VPN (Server)
    Global Configuration
      Listener IP                  172.20.11.3
      Listener Port                443
      Encryption Algorithm         AES128-SHA
      Server Certificate           Use System Generated Certificate: Yes
    Site Configuration
      Enable Peer Site             Yes
      Name                         L2VPN - Site A
      Description                  blank
      User ID                      vpnuser
      Password                     VMware1!
      Stretched Interfaces         Subint-to-Web-Tier
      Egress Optimization          blank
      Enable Unstretched Networks  no

  Remote Gateway L2VPN (Client)
    Server Address               172.20.11.3
    Server Port                  443
    Encryption Algorithm         AES128-SHA
    Stretched Interfaces         Subint-to-Web-Tier
    Egress Optimization          blank
    Enable Unstretched Networks  no
    User ID                      vpnuser
    Password                     VMware1!

  The Tunnel ID (10) must match on both subinterfaces, because it is what pairs the two stretched segments. The system-generated listener certificate is self-signed; outside the lab, install a CA-issued certificate on the listener so the client can authenticate the server rather than only the server authenticating the client by password.

Lab 16: Configuring IPsec Tunnels

  Site A
    Distributed Logical Router (with Control VM): DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24
      Transit-Network 10.1.100.2/27, OSPF Area 829, protocol address 10.1.100.3/27
    Perimeter Gateway
      Transit-Interface 10.1.100.1/27, OSPF Area 829
      Static route 10.1.0.0/16, next hop 10.1.100.2 (the DLR)
      Uplink-Interface 172.20.11.3/24 (primary); 172.20.11.5 and .6 (NAT); 172.20.11.7 (VIP)
      L2VPN subinterface Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24) remains from Lab 15
    VMs: web-sv-01a 10.1.10.11, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
    dc-rras: Production-A 172.20.11.10/24; Student desktop 172.20.10.80

  Site B
    Remote Gateway: Uplink-Interface 172.20.111.8; internal interface 10.2.40.1
    web-sv-01b 10.2.40.11
    dc-rras: Production-B 172.20.111.10/24

  IPsec VPN configuration
    Parameter             Perimeter Gateway (Site A)   Remote Gateway (Site B)
    Enabled               Yes                          Yes
    Enable PFS            Yes                          Yes
    Name                  Local-Remote                 Local-Remote
    Local ID              Local                        Remote
    Local Endpoint        172.20.11.3                  172.20.111.8
    Local Subnets         10.1.10.0/24                 10.2.40.0/24
    Peer ID               Remote                       Local
    Peer Endpoint         172.20.111.8                 172.20.11.3
    Peer Subnets          10.2.40.0/24                 10.1.10.0/24
    Encryption Algorithm  AES                          AES
    Authentication        PSK                          PSK
    Pre-shared Key        VMware1!                     VMware1!
    Diffie-Hellman Group  DH2                          DH2
    Extension             blank                        blank

  Each side's Local endpoint, ID and subnets must be the other side's Peer values, or the tunnel will not negotiate. DH2 (1024-bit MODP) and a short shared PSK are acceptable only in a lab; in production use DH14 or higher and a long random key or certificate authentication.

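The two IPsec sides must mirror each other exactly: each gateway's peer endpoint, peer ID and peer subnets are the other gateway's local values, and the cipher, DH group, PFS setting and PSK must agree. The following Python is an added illustration, not part of the VMware lab guide: it encodes both sides' parameters from this slide as constructed dictionaries, checks the pair for mirror consistency (including a constructed typo variant to show a mismatch being caught), and flags lab-grade choices. The 20-character PSK threshold is an illustrative policy of this example, not an NSX setting.

```python
"""Mirror-consistency check for the Lab 16 site-to-site IPsec pair.

Added example, not part of the VMware lab guide. SITE_A and SITE_B hold
the parameters this slide lists for the Perimeter Gateway and the Remote
Gateway; the check is generic and never contacts NSX.
"""
import ipaddress
from typing import Dict, List

SITE_A: Dict[str, object] = dict(
    name="Local-Remote", local_id="Local", peer_id="Remote",
    local_endpoint="172.20.11.3", peer_endpoint="172.20.111.8",
    local_subnets="10.1.10.0/24", peer_subnets="10.2.40.0/24",
    encryption="AES", authentication="PSK", psk="VMware1!",
    dh_group="DH2", pfs=True,
)
SITE_B: Dict[str, object] = dict(
    name="Local-Remote", local_id="Remote", peer_id="Local",
    local_endpoint="172.20.111.8", peer_endpoint="172.20.11.3",
    local_subnets="10.2.40.0/24", peer_subnets="10.1.10.0/24",
    encryption="AES", authentication="PSK", psk="VMware1!",
    dh_group="DH2", pfs=True,
)
# Constructed mistake: one octet dropped from the peer endpoint on Site A.
SITE_A_TYPO = {**SITE_A, "peer_endpoint": "172.20.11.8"}


def _nets(spec) -> set:
    """Comma-separated prefix list -> set of networks (host bits rejected)."""
    return {ipaddress.ip_network(n.strip(), strict=True) for n in str(spec).split(",")}


def check_pair(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Problems that would stop A and B negotiating one tunnel; [] if consistent."""
    problems: List[str] = []
    # What A calls 'peer' must be what B calls 'local', and vice versa.
    for local_key, peer_key, label in (
        ("local_endpoint", "peer_endpoint", "endpoint"),
        ("local_id", "peer_id", "ID"),
    ):
        if a[local_key] != b[peer_key]:
            problems.append(f"{label}: A local {a[local_key]} != B peer {b[peer_key]}")
        if b[local_key] != a[peer_key]:
            problems.append(f"{label}: B local {b[local_key]} != A peer {a[peer_key]}")
    # Traffic selectors must mirror, or phase 2 is proposed for different subnets.
    if _nets(a["local_subnets"]) != _nets(b["peer_subnets"]):
        problems.append("subnets: A local subnets != B peer subnets")
    if _nets(b["local_subnets"]) != _nets(a["peer_subnets"]):
        problems.append("subnets: B local subnets != A peer subnets")
    # Cipher, DH group, PFS, auth method and the key itself must be identical.
    for key in ("encryption", "dh_group", "pfs", "authentication", "psk"):
        if a[key] != b[key]:
            problems.append(f"{key}: {a[key]} != {b[key]}")
    return problems


def weak_settings(cfg: Dict[str, object]) -> List[str]:
    """Lab-grade choices to revisit before production (illustrative policy)."""
    warnings: List[str] = []
    if cfg["dh_group"] in ("DH2", "DH5"):
        warnings.append(f"{cfg['dh_group']} is a 1024/1536-bit MODP group; use DH14 or stronger")
    # The 20-character floor is this example's policy, not an NSX setting.
    if cfg["authentication"] == "PSK" and len(str(cfg["psk"])) < 20:
        warnings.append("short pre-shared key; use a long random PSK or certificate authentication")
    return warnings


if __name__ == "__main__":
    print("consistent pair:", check_pair(SITE_A, SITE_B))
    print("typo pair:", check_pair(SITE_A_TYPO, SITE_B))
    print("warnings:", weak_settings(SITE_A))
```

The consistent pair returns no problems, the typo variant reports the one endpoint that does not line up, and the lab settings draw two warnings (DH2 and the short key).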
Lab 17: Configuring and Testing SSL VPN-Plus

  Site A: Student desktop 172.20.10.80 (SSL VPN-Plus client); dc-rras Production-A 172.20.11.10/24
  Site B: Remote Gateway (SSL VPN server), Uplink-Interface 172.20.111.8; dc-rras Production-B 172.20.111.10/24
    Private network behind the gateway: 10.2.40.0/24
    The L2VPN elements from Lab 15 remain: L2VPN-RemoteSiteTrunk, Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24), web-sv-01b 10.1.10.13

  SSL VPN-Plus Server Settings
    IPv4 Address                    172.20.111.8
    IPv6 Address                    None
    Port                            443
    CipherList                      AES256-SHA
    Use Default Server Certificate  Checked
    Status                          Enabled

  SSL VPN-Plus Private Networks
    Network                  10.2.40.0/24
    Description              None
    Send Traffic             Over Tunnel
    Enable TCP Optimization  Checked
    Ports                    Blank
    Status                   Enabled

  SSL VPN-Plus Authentication Server
    Server Type              Local
    Enable Password Policy   Unchecked
    Enable Account Lockout   Unchecked
    Status                   Enabled
    Use for Secondary Auth   Unchecked

  SSL VPN-Plus Installation Package
    Gateway                        172.20.111.8
    Port                           443
    Create Package for             Windows only
    Description                    Empty
    Start Client on logon          Unchecked
    Allow Remember Password        Checked
    Enable Silent Mode Install     Checked
    Hide SSL Client Adapter        Unchecked
    Create Desktop Icon            Checked
    Enable Silent Mode Operation   Unchecked
    Server Certificate Validation  Unchecked
    Status                         Enabled

  SSL VPN-Plus User
    User ID                  Vpn-user
    Password                 VMware1!
    First Name               Blank
    Last Name                Blank
    Description              Blank
    Password never expires   Checked
    Allow Change Password    Checked
    Change on Next Login     Unchecked
    Status                   Enabled

  SSL VPN-Plus IP Pool
    IP Range        192.168.170.2-254
    Netmask         255.255.255.0
    Gateway         192.168.170.1
    Description     Blank
    Status          Enabled
    Primary DNS     Blank
    Secondary DNS   Blank
    DNS Suffix      Blank
    WINS Server     Blank

  With the default (self-signed) server certificate and Server Certificate Validation unchecked, the client does not verify who answers on 172.20.111.8:443, so the installation package is only safe in the lab. In production install a CA-issued certificate on the gateway, leave certificate validation enabled, and turn on the password policy and account lockout that are disabled here.

Lab 18: Using NSX Edge Firewall Rules to Control Network Traffic

  Distributed Logical Router (with Control VM): DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24
    Transit-Network 10.1.100.2/27, OSPF Area 829, protocol address 10.1.100.3/27
  Perimeter Gateway: Transit-Interface 10.1.100.1/27 (OSPF Area 829)
    Web Tier 10.1.10.0/24 has its gateway 10.1.10.1/24 on the subinterface Subint-to-Web-Tier (Tunnel ID 10), kept from Lab 15
    Uplink-Interface 172.20.11.3/24 (primary); 172.20.11.5 and .6 (NAT); 172.20.11.7 (VIP); HTTP and HTTPS arrive here from outside
  VMs: web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  dc-rras: Production-A 172.20.11.10/24, Production-B 172.20.111.10/24; Student desktop 172.20.10.80

  Edge firewall rules (Perimeter Gateway)
    Name                    Source  Destination                Service      Action
    Allowed to Web Servers  ANY     IP Set: Local Web Servers  HTTP, HTTPS  ACCEPT
    Default                 ANY     ANY                        ANY          DENY

  Rules are evaluated top-down and the first match wins; the Default rule at the bottom denies everything the explicit rules did not accept.

Lab 19: Using the VMware NSX Distributed Firewall Rules to Control Network Traffic

  Distributed firewall rules
    Name                    Source                    Destination               Service      Action
    Allowed Web to App      Logical Switch: Web-Tier  Logical Switch: App-Tier  Tomcat-8443  ALLOW
    Allowed App to DB       Logical Switch: App-Tier  Logical Switch: DB-Tier   MySQL        ALLOW
    Allowed to Web Servers  Any                       Logical Switch: Web-Tier  HTTP, HTTPS  ALLOW
    Default                 ANY                       ANY                       ANY          BLOCK

  Topology as in Lab 18: DLR with DB Tier 10.1.30.0/24 and App Tier 10.1.20.0/24 (Transit-Network 10.1.100.2/27, OSPF Area 829, protocol address 10.1.100.3/27); Perimeter Gateway with Transit-Interface 10.1.100.1/27 (OSPF Area 829), Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24), Uplink-Interface 172.20.11.3/24 plus 172.20.11.5 and .6 (NAT) and 172.20.11.7 (VIP); VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; dc-rras Production-A 172.20.11.10/24 and Production-B 172.20.111.10/24; Student desktop 172.20.10.80.

  The distributed firewall is enforced at each VM's vNIC, so the Web-to-App and App-to-DB rules hold even for traffic that never crosses the edge; with the Default rule set to BLOCK, a web server can reach the database only through the App Tier.

Lab 20: Configuring an Identity-Aware Firewall

  Distributed firewall rules
    Name                          Source                   Destination       Service  Action
    Allowed SSH to Admins         Security Group: AD-SSH   Cluster: Compute  SSH      ALLOW
    Blocked SSH for Normal Users  ANY                      Cluster: Compute  SSH      BLOCK

  Topology as in Lab 19: DLR with DB Tier 10.1.30.0/24 and App Tier 10.1.20.0/24 (Transit-Network 10.1.100.2/27, OSPF Area 829, protocol address 10.1.100.3/27); Perimeter Gateway with Transit-Interface 10.1.100.1/27 (OSPF Area 829), Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24), Uplink-Interface 172.20.11.3/24 plus 172.20.11.5 and .6 (NAT) and 172.20.11.7 (VIP); VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; dc-rras Production-A 172.20.11.10/24 and Production-B 172.20.111.10/24; Student desktop 172.20.10.80.

  Security Group: Activity Monitoring Data Collection
    Dynamic Inclusion   None
    Static Inclusion    Cluster: Compute
    Static Exclusion    None

  Security Group: AD-SSH
    Dynamic Inclusion   None
    Static Inclusion    Directory Group: AD-SSH
    Static Exclusion    None

  Membership of AD-SSH follows the Active Directory group of the user logged in, not a VM address, so the ALLOW rule applies only while an AD-SSH member is logged in on the source; the rule order matters, because the BLOCK rule beneath it matches everyone else. The first security group is the one on which Activity Monitoring data collection is enabled, which is how logins on the Compute cluster VMs are reported to NSX Manager.

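Edge and distributed firewall tables are evaluated top-down, first match wins, with the final default rule catching everything else, and the identity-aware rules of Lab 20 match on the logged-in user's directory group rather than on an address. The following Python is an added illustration, not part of the VMware lab guide: it evaluates the rule tables of Labs 18, 19 and 20 over constructed sample flows. The rule and object names are the slides' own; how each object resolves (logical switch subnets, IP set and cluster membership, the TCP ports behind Tomcat-8443 and MySQL, the directory group of a flow's user) and the merging of the Lab 19 and Lab 20 rules into one ordered table are this example's assumptions, not anything read from NSX.

```python
"""First-match evaluation of the Lab 18-20 firewall tables over sample flows.

Added example, not part of the VMware lab guide. Rule and object names are
the slides' own; how each object resolves (subnets, IP set and cluster
membership, service ports, directory groups) is constructed here, not read
from NSX.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Object resolution, constructed from the slides' addressing.
LOGICAL_SWITCHES = {
    "Web-Tier": ipaddress.ip_network("10.1.10.0/24"),
    "App-Tier": ipaddress.ip_network("10.1.20.0/24"),
    "DB-Tier": ipaddress.ip_network("10.1.30.0/24"),
}
IP_SETS = {"Local Web Servers": {"10.1.10.11", "10.1.10.12"}}   # assumed members
CLUSTERS = {"Compute": {"10.1.10.11", "10.1.10.12", "10.1.20.11", "10.1.30.11"}}
# Services as (protocol, destination port). The Tomcat-8443 and MySQL ports are assumptions.
SERVICES = {
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SSH": ("tcp", 22),
    "Tomcat-8443": ("tcp", 8443), "MySQL": ("tcp", 3306),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    user_groups: FrozenSet[str] = frozenset()   # directory groups of the user logged in on src


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # "ANY", "LS:<switch>", "IPSET:<set>", "CLUSTER:<cluster>", "SG:<directory group>"
    destination: str
    services: Tuple[str, ...]   # ("ANY",) or service names
    action: str


def matches_object(spec: str, addr: str, groups: FrozenSet[str]) -> bool:
    """Resolve one source/destination specifier against a flow endpoint."""
    if spec == "ANY":
        return True
    kind, _, name = spec.partition(":")
    if kind == "LS":
        return ipaddress.ip_address(addr) in LOGICAL_SWITCHES[name]
    if kind == "IPSET":
        return addr in IP_SETS[name]
    if kind == "CLUSTER":
        return addr in CLUSTERS[name]
    if kind == "SG":
        # Identity-aware group (Lab 20): membership follows the logged-in user, not the address.
        return name in groups
    raise ValueError(f"unknown object type in {spec!r}")


def matches_service(services: Tuple[str, ...], flow: Flow) -> bool:
    return "ANY" in services or any(SERVICES[s] == (flow.proto, flow.dport) for s in services)


def evaluate(rules, flow: Flow) -> Tuple[str, str]:
    """Top-down, first match wins; the last rule of each table is the default."""
    for rule in rules:
        if (matches_object(rule.source, flow.src, flow.user_groups)
                and matches_object(rule.destination, flow.dst, frozenset())
                and matches_service(rule.services, flow)):
            return rule.name, rule.action
    raise RuntimeError("table has no default rule")


# Lab 18: edge firewall on the Perimeter Gateway.
EDGE_RULES = [
    Rule("Allowed to Web Servers", "ANY", "IPSET:Local Web Servers", ("HTTP", "HTTPS"), "ACCEPT"),
    Rule("Default", "ANY", "ANY", ("ANY",), "DENY"),
]

# Labs 19 and 20 merged into one ordered DFW table (the ordering is this example's choice).
DFW_RULES = [
    Rule("Allowed Web to App", "LS:Web-Tier", "LS:App-Tier", ("Tomcat-8443",), "ALLOW"),
    Rule("Allowed App to DB", "LS:App-Tier", "LS:DB-Tier", ("MySQL",), "ALLOW"),
    Rule("Allowed to Web Servers", "ANY", "LS:Web-Tier", ("HTTP", "HTTPS"), "ALLOW"),
    Rule("Allowed SSH to Admins", "SG:AD-SSH", "CLUSTER:Compute", ("SSH",), "ALLOW"),
    Rule("Blocked SSH for Normal Users", "ANY", "CLUSTER:Compute", ("SSH",), "BLOCK"),
    Rule("Default", "ANY", "ANY", ("ANY",), "BLOCK"),
]

if __name__ == "__main__":
    admin = frozenset({"AD-SSH"})
    for flow in (
        Flow("10.1.10.11", "10.1.20.11", "tcp", 8443),          # web -> app, allowed
        Flow("10.1.10.11", "10.1.30.11", "tcp", 3306),          # web -> db skips the app tier, blocked
        Flow("172.20.10.80", "10.1.20.11", "tcp", 22, admin),   # SSH with an AD-SSH login, allowed
        Flow("172.20.10.80", "10.1.20.11", "tcp", 22),          # same flow without the login, blocked
    ):
        print(flow.src, "->", flow.dst, flow.dport, evaluate(DFW_RULES, flow))
```

The same flow from the student desktop to app-sv-01a on port 22 is allowed or blocked depending only on the user's group, which is the point of the identity-aware rule; swapping the two SSH rules would make the BLOCK rule shadow the ALLOW rule for everyone.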
Lab 21: Using VMware NSX Service Composer

  Distributed firewall rules (unchanged from Lab 20)
    Name                          Source                   Destination       Service  Action
    Allowed SSH to Admins         Security Group: AD-SSH   Cluster: Compute  SSH      ALLOW
    Blocked SSH for Normal Users  ANY                      Cluster: Compute  SSH      BLOCK

  Topology as in Lab 20: DLR with DB Tier 10.1.30.0/24 and App Tier 10.1.20.0/24 (Transit-Network 10.1.100.2/27, OSPF Area 829, protocol address 10.1.100.3/27); Perimeter Gateway with Transit-Interface 10.1.100.1/27 (OSPF Area 829), Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24), Uplink-Interface 172.20.11.3/24 plus 172.20.11.5 and .6 (NAT) and 172.20.11.7 (VIP); VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; dc-rras Production-A 172.20.11.10/24 and Production-B 172.20.111.10/24; Student desktop 172.20.10.80.

  Security Group: Quarantine Group
    Dynamic Inclusion   VM Name contains "virus"
    Static Inclusion    None
    Static Exclusion    DV Port Group: Management

  Security Policy: Isolate Compromised VMs
    Guest Introspection     None
    Firewall Rules          Block all traffic
    Network Introspection   None
    Apply Policy To         Quarantine Group

  A VM enters the quarantine group as soon as its name matches, and the policy's block-all rules follow it; the static exclusion keeps anything on the Management port group out of the group even if its name matches, so management VMs cannot be isolated by accident.

Lab 22: Configuring Cross-vCenter VMware NSX

  Site A (Primary)                                          Site B (Secondary)
    nsxmgr-a 172.20.10.42 (primary NSX Manager)               nsxmgr-b 172.20.110.43 (secondary NSX Manager)
    vcva-a 172.20.10.94                                       vcva-b 172.20.110.95
    esxi-a-01 172.20.10.51, esxi-a-02 172.20.10.52,           esxi-b-01 172.20.110.61
    esxi-a-04 172.20.10.54, esxi-a-05 172.20.10.55
    Universal Controller Cluster
    Student desktop 172.20.10.80
    Management-A 172.20.10.0/24                               Management-B 172.20.110.0/24
    Production-A 172.20.11.0/24                               Production-B 172.20.111.0/24
    vMotion 172.20.12.0/24                                    vMotion 172.20.12.0/24
    dc-rras is .10 on each network

  Universal logical switch Universal Web-Tier: web-sv-01a 10.1.10.11 (Site A) and web-sv-01b 10.1.10.13 (Site B) on one stretched segment

  Segment ID pools: Site A 5000-5999, Site B 6000-6999, Universal Segment ID Pool 7000-7999 (the three ranges must not overlap)

  Universal DFW rule (Universal Section)
    A universal rule allowing HTTP and HTTPS between ANY and IP Address: web-sv-01a (10.1.10.11), action ALLOW. Universal rules cannot reference site-local objects such as logical switches, which is why the web server is named by IP address here.