Lab Topology (figure)
  Transit Network: 10.1.100.0/27 (.2 and .3 on the transit segment)
  nsxmgr-a: 172.20.10.42
  vcva-a: 172.20.10.94
  Student desktop (vdc-<kitname>-a.vmeduc.com): 172.20.10.80, green desktop background
Physical networks
  Management A: 172.20.10.0/24    Management B: 172.20.110.0/24
  Production A: 172.20.11.0/24    Production B: 172.20.111.0/24
  vMotion A: 172.20.12.0/24       vMotion B: 172.20.12.0/24
Virtual networks
  Web Tier A: 10.1.10.0/24        Web Tier B: 10.2.10.0/24
  App Tier A: 10.1.20.0/24
  DB Tier: 10.1.30.0/24
  Transit: 10.1.100.0/27
Site A host networking (figure)
  Storage and vMotion: 172.20.12.0/24, .10 on each network
  Production-A: 172.20.11.0/24
  Management-A: 172.20.10.0/24, with dc-rras and a link to Site-B
  Controller-Pool: 172.20.10.240-172.20.10.254
Note: In a production network, VMware requires that each NSX Controller cluster contain three controller nodes,
regardless of the size of the NSX deployment. For the purposes of this lab only, you deploy a single controller.
Controller and transit network (figure)
  Controller-1 on Management-A: 172.20.10.240
  Student: 172.20.10.80
  dc-rras: Management-A 172.20.10.10/24, link to Site-B
  Transit network: 10.1.100.2/27
  Static route on Transit-Network: 10.1.10.0/16, next hop 10.1.100.2
  Perimeter Gateway Transit-Interface: 10.1.100.1/27
DLR and ESG routing (figure)
  DLR Transit-Network: 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829
  Enable static route redistribution into OSPF
  Perimeter Gateway (ESG) Transit-Interfaces: 10.1.100.1/27 and 10.1.100.4/27, both OSPF Area 829
  dc-rras upstream of the Perimeter Gateways
The DLR is enabled with ECMP. The two ESGs carry north-south (N-S) traffic.
L2 bridging (figure)
  L2PG: VLAN 10, 10.1.10.0/24, hosts .11 and .12
  Bridge Instance on the DLR
  DLR Transit-Network: 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829
  Perimeter Gateway Transit-Interface: 10.1.100.1/27, OSPF Area 829
NAT on the Perimeter Gateway (figure)
  Servers: web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  Uplink-Interface: *172.20.11.3/24, secondary addresses 172.20.11.5 (NAT) and 172.20.11.6 (NAT)
  DNAT Rules (Original -> Translated):
    172.20.11.5 -> 10.1.10.11
    172.20.11.6 -> 10.1.10.12
  SNAT Rules (Original -> Translated):
    10.1.10.11 -> 172.20.11.5
    10.1.10.12 -> 172.20.11.6
  Perimeter Gateway Transit-Interface: 10.1.100.1/27, OSPF Area 829, dc-rras upstream
Load Balancer, HTTPS with SSL passthrough (figure)
  Perimeter Gateway (Load Balancer); servers web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  Uplink-Interface: *172.20.11.3/24, 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP)
  DLR Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27; Perimeter Gateway Transit-Interface 10.1.100.1/27; OSPF Area 829
  Application Profile
    Name: App-Profile
    Type: HTTPS
    Enable SSL Passthrough: Enable
  Server Pool
    Name: Server-Pool
    Algorithm: Round-Robin
    Monitors: None
    Members: web-sv-01a, web-sv-02a
  Member Config
    Name: web-sv-01a / web-sv-02a
    IP Address: 10.1.10.11 / 10.1.10.12
    Port: 443
    Monitor Port: blank
    Weight: 1
    Max Connections: blank
    Min Connections: blank
  Virtual Server
    Enable Virtual Server: checked
    Application Profile: App-Profile
    Name: VIP
    Description: blank
    IP Address: 10.1.10.1
    Protocol: HTTPS
    Port: 443
    Default Pool: Server-Pool
    Connection Limit: blank
    Connection Rate Limit: blank
  Student: 172.20.10.80; dc-rras Production-A 172.20.11.10/24, Management-A 172.20.10.10/24
Load Balancer, HTTPS terminated at the edge with HTTP to the pool (figure)
  Uplink-Interface: *172.20.11.3/24, 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP)
  DLR Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27; Perimeter Gateway Transit-Interface 10.1.100.1/27; OSPF Area 829
  Application Profile
    Name: App-Profile
    Type: HTTPS
    Enable SSL Passthrough: Disabled
  Server Pool
    Name: Server-Pool
    Algorithm: Round-Robin
    Monitors: None
    Members: web-sv-01a, web-sv-02a
  Member Config
    Name: web-sv-01a / web-sv-02a
    IP Address: 10.1.10.11 / 10.1.10.12
    Port: 80
    Monitor Port: 80
    Weight: 1
    Max Connections: blank
    Min Connections: blank
  Virtual Server
    Enable Virtual Server: checked
    Application Profile: App-Profile
    Name: VIP
    Description: blank
    IP Address: 10.1.10.1
    Protocol: HTTPS
    Port: 443
    Default Pool: Server-Pool
    Connection Limit: blank
    Connection Rate Limit: blank
  Student: 172.20.10.80; dc-rras Production-A 172.20.11.10/24, Management-A 172.20.10.10/24
Load Balancer, HTTPS VIP on the uplink (figure)
  Perimeter Gateway (Load Balancer); servers web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  Uplink-Interface: *172.20.11.3/24, 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP)
  Perimeter Gateway Transit-Interface 10.1.100.1/27, OSPF Area 829
  Application Profile
    Name: App-Profile
    Type: HTTPS
    Enable SSL Passthrough: Disabled
  Server Pool
    Name: Server-Pool
    Algorithm: Round-Robin
    Monitors: None
    Members: web-sv-01a, web-sv-02a
  Member Config
    Name: web-sv-01a / web-sv-02a
    IP Address: 10.1.10.11 / 10.1.10.12
    Port: 443
    Monitor Port: blank
    Weight: 1
    Max Connections: blank
    Min Connections: blank
  Virtual Server
    Enable Virtual Server: checked
    Application Profile: App-Profile
    Name: VIP
    Description: blank
    IP Address: 172.20.11.7
    Protocol: HTTPS
    Port: 443
    Default Pool: Server-Pool
    Connection Limit: blank
    Connection Rate Limit: blank
  Student: 172.20.10.80; dc-rras Production-A 172.20.11.10/24, Management-A 172.20.10.10/24
Edge HA and host placement (figure)
  Web Tier: 10.1.10.0/24 (.1 gateway, .2 and .3 edge interfaces, hosts .11 and .12)
  DLR Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27
  Heartbeat Network: 192.168.222.1/30 and 192.168.222.2/30
  Hosts: esxi-a-01 (.51), esxi-a-02 (.52), esxi-a-04 (.54), esxi-a-05 (.55)
L2VPN between Perimeter Gateway (server) and Remote Gateway (client) (figure)
  DLR Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829
  Perimeter Gateway Transit-Interface 10.1.100.2/27, OSPF Area 829
  Sub-interface Subint-to-Web-Tier: Tunnel ID 10, trunk L2VPN-RemoteSiteTrunk, 10.1.10.1/24
  Servers: web-sv-01a 10.1.10.11, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  Remote Gateway (Client): 172.20.111.8
  Perimeter Gateway Uplink-Interface: *172.20.11.3/24, 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP)
  Server, L2VPN Global Configuration
    Listener IP: 172.20.11.3
    Listener Port: 443
    Encryption Algorithm: AES128-SHA
    Use System Generated Certificate: Yes
  Server, Site Configuration
    Name: L2VPN – Site A Networks
    Description: blank
    User ID: vpnuser
    Stretched Interfaces: Subint-to-Web-Tier
    Egress Optimization: blank
    Enable Unstretched: no
  Client, Site Configuration
    Server Address: 172.20.11.3
    Server Port: 443
    Server Encryption Algorithm: AES128-SHA
    Enable Peer Site: Yes
L2VPN with static route (figure)
  DLR Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829
  Perimeter Gateway Transit-Interface 10.1.100.2/27, OSPF Area 829
  Sub-interface Subint-to-Web-Tier: Tunnel ID 10, trunk L2VPN-RemoteSiteTrunk, 10.1.10.1/24
  Static Route: 10.1.0.0/16, Next Hop 10.1.100.2 (via Transit-Interface); remote side address shown as 10.2.40.1
  Servers: web-sv-01a 10.1.10.11, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  Remote Gateway (Client): 172.20.111.8
IPSec VPN Configuration (figure)
  Perimeter Gateway Uplink-Interface: *172.20.11.3/24, 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP)
  Student: 172.20.10.80; dc-rras Production-A 172.20.11.10/24, Production-B 172.20.111.10/24

  Setting                 Perimeter Gateway (Server)   Remote Gateway
  Enabled                 Yes                          Yes
  Enable PFS              Yes                          Yes
  Name                    Local-Remote                 Local-Remote
  Local ID                Local                        Remote
  Local Endpoint          172.20.11.3                  172.20.111.8
  Local Subnets           10.1.10.0/24                 10.1.40.0/24
  Peer ID                 Remote                       Local
  Peer Endpoint           172.20.11.8                  172.20.11.3
  Peer Subnets            10.2.40.0/24                 10.2.10.0/24
  Encryption Algorithm    AES                          AES
  Authentication          PSK                          PSK
  Pre-shared Key          VMware1!                     VMware1!
  Diffie-Hellman Group    DH2                          DH2
  Extension               blank                        blank
  Status                  Enabled
Edge Firewall (figure)
  DLR Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829
  Perimeter Gateway Transit-Interface 10.1.100.2/27, OSPF Area 829
  Sub-interface Subint-to-Web-Tier: Tunnel ID 10, 10.1.10.1/24
  Servers: web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11 (HTTP and HTTPS to the web tier)
  Uplink-Interface: *172.20.11.3/24, 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP)
  Student: 172.20.10.80; dc-rras Production-A 172.20.11.10/24, Production-B 172.20.10.10/24

  Edge FW Rules
  Name                     Source   Destination                 Service       Action
  Allowed to Web Servers   ANY      IP Set: Local Web Servers   HTTP, HTTPS   ACCEPT
  Default                  ANY      ANY                         ANY           DENY
Cross-vCenter NSX, Universal Web-Tier (figure)
  Site A hosts: esxi-a-01 172.20.10.51, esxi-a-02 172.20.10.52, esxi-a-04 172.20.10.54, esxi-a-05 172.20.10.55
  Site B host: esxi-b-01 172.20.110.61
  Storage and vMotion: 172.20.12.0/24 at both sites, .10 on each network
  Site A: Production-A 172.20.11.0/24, Management-A 172.20.10.0/24, dc-rras
  Site B: Production-B 172.20.11.0/24, Management-B 172.20.10.0/24
  Site A VXLAN ID Pool (Segment ID Pool): 5000-5999
  Site B VXLAN ID Pool (Segment ID Pool): 6000-6999
  Universal Segment ID Pool: 7000-7999