VMware NSX 6.2 Installation and Configuration: A to Z

This is a long-pending series of blog posts on VMware NSX (6.2.2) installation and configuration that I wanted to share. Last month I installed NSX 6.2.2 in my lab and wanted to share my experience.

I have written 12 blog posts in an attempt to cover the complete procedure for NSX installation and configuration in a vSphere environment, from scratch.

Below is the list of blog posts:

 

(1) VMware NSX Installation and Configuration Part 1 – Prerequisites for Deploying NSX in vSphere Environment:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-1-prerequisites-for-deploying-nsx-in-vsphere-environment/

(2) VMware NSX Installation and Configuration Part 2 – Deployment of NSX Manager Virtual Appliance:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-2-deploment-of-nsx-manager-virtual-appliance/

(3) VMware NSX Installation and Configuration Part 3 – NSX Manager vCenter Integration, SSO, Syslog & License Configuration:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-3-nsx-manager-vcenter-integrationssosyslog-license-confguration/

(4) VMware NSX Installation and Configuration Part 4 – Deploy NSX Controller Cluster

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-4-deploy-nsx-controller-cluster/

(5) VMware NSX Installation and Configuration Part 5- Exclude Virtual Machines from NSX Firewall Protection

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-5-exclude-virtual-machines-from-nsx-firewall-protection/

(6) VMware NSX Installation and Configuration Part 6 – Prepare Host Clusters for NSX

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-6-prepare-host-clusters-for-nsx/

(7) VMware NSX Installation and Configuration Part 7- VXLAN Transport Parameters Configuration

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-7-vxlan-transport-parameters-configuration/

(8) VMware NSX Installation and Configuration Part 8- Creating a Logical Switch

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-8-creating-a-logical-switch/

(9) VMware NSX Installation and Configuration Part 9-Adding a Distributed Logical Router

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-9-adding-a-distributed-logical-router/

(10) VMware NSX Installation and Configuration Part 10- Adding an Edge Services Gateway

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-10-adding-an-edge-services-gateway/

(11) VMware NSX Installation and Configuration Part 11-Configuring OSPF on a Logical (Distributed) Router:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-11-configuring-ospf-on-a-logical-distributed-router/

(12) VMware NSX Installation and Configuration Part 12-Configure OSPF on an Edge Services Gateway

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-12-configure-ospf-on-an-edge-services-gateway/

I hope you liked the posts; do share, comment and like if you find them helpful. Till then, keep learning and sharing.

 

 

 

VMware NSX Installation and Configuration Part 12-Configure OSPF on an Edge Services Gateway

Configuring OSPF on an edge services gateway (ESG) enables the ESG to learn and advertise routes. The most common use of OSPF on an ESG is on the link between the ESG and a Logical (Distributed) Router: it lets the ESG learn the networks behind the logical interfaces (LIFs) connected to the logical router. The same goal can be reached with OSPF, IS-IS, BGP or static routing.

OSPF provides dynamic load balancing of traffic across routes of equal cost.

An OSPF network is divided into routing areas to optimize traffic flow and limit the size of routing tables. An area is a logical collection of OSPF networks, routers, and links that share the same area identification.

Procedure:

Double-click ESG-1.

Under Dynamic Routing Configuration, select the ESG uplink interface as the router ID and click OK.

Under OSPF, click OSPF Configuration, select Edit and enable OSPF.

Under Area Definitions, add an area. We use area ID 20, the same area configured on the DLR; both routers must agree on the area for the adjacency to form.

Under Area to Interface Mapping, select the transit interface (the internal interface facing the DLR) and map it to area 20.

Under Route Redistribution, select Edit, enable OSPF, and add a redistribution rule for connected routes.

In the following screen, the ESG's default gateway points out of its uplink interface towards its external peer.

The router ID is the ESG's uplink interface IP address, in other words the IP address that faces its external peer.

The area ID configured is 20, and the internal interface (the interface facing the logical router) is mapped to the area.

The connected routes are redistributed into OSPF so that the OSPF neighbor (the logical router) can learn about the ESG's uplink network.

Make sure that the ESG is learning OSPF external routes from the logical router. Log in to the ESG console (or over SSH, if you enabled it when deploying the ESG) and run the show ip route command.

Note that the two routes marked as OSPF-learned in the output are networks defined on the DLR; the ESG learned them via OSPF. If they are missing, check that both sides are in area 20, that the transit interfaces share a subnet, and that the DLR's protocol address is reachable from the ESG.
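As an added worked example (not part of the original post), here is a small Python check that parses the show ip route output and confirms the DLR networks arrived as OSPF routes with the DLR forwarding address as next hop. The route table below is constructed in the shape of NSX Edge output; the ESG uplink network 10.10.10.0/24 and the two 172.16.x.0/24 DLR networks are assumed values, not taken from the page. Any OSPF route from a different next hop is flagged, because on a transit segment that should have exactly one neighbor it points at either a misconfiguration or an unauthorised OSPF speaker.

```python
import re

# Constructed sample, shaped like the "show ip route" output of an NSX 6.2
# Edge: route code, optional OSPF sub-type, prefix, [distance/metric], next hop.
# Addresses follow this series (ESG internal 192.168.10.1, DLR forwarding
# address 192.168.10.2); the ESG uplink 10.10.10.0/24 and the two
# 172.16.x.0/24 DLR networks are assumed values, not from the page.
SAMPLE_ROUTE_TABLE = """\
Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

Total number of routes: 5

S       0.0.0.0/0            [1/1]         via 10.10.10.1
C       10.10.10.0/24        [0/0]         via 10.10.10.2
C       192.168.10.0/24      [0/0]         via 192.168.10.1
O   E2  172.16.10.0/24       [110/0]       via 192.168.10.2
O   E2  172.16.20.0/24       [110/0]       via 192.168.10.2
"""

# A second constructed table with one extra OSPF route from a next hop that
# is not the DLR: what a rogue or misconfigured OSPF speaker on the transit
# segment would look like in the ESG routing table.
TAMPERED_ROUTE_TABLE = SAMPLE_ROUTE_TABLE + (
    "O   E2  10.99.0.0/16         [110/0]       via 192.168.10.9\n")

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?:(?P<sub>[A-Z][A-Z0-9])\s+)?"
    r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+(?:\.\d+){3})$"
)


def parse_routes(text):
    """Return one dict per route line; the legend and summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["distance"] = int(r["distance"])
            r["metric"] = int(r["metric"])
            routes.append(r)
    return routes


def audit_ospf_routes(text, dlr_forwarding_address, expected_prefixes):
    """Check that every DLR network arrived as an OSPF route whose next hop is
    the DLR forwarding address, and flag OSPF routes from any other next hop."""
    learned = {r["prefix"]: r["nexthop"]
               for r in parse_routes(text) if r["code"] == "O"}
    missing = sorted(p for p in expected_prefixes if p not in learned)
    unexpected = sorted(p for p, nh in learned.items()
                        if nh != dlr_forwarding_address)
    return {"ok": not missing and not unexpected,
            "missing": missing,
            "unexpected": unexpected,
            "learned": dict(sorted(learned.items()))}


if __name__ == "__main__":
    expected = ["172.16.10.0/24", "172.16.20.0/24"]
    for label, table in (("clean", SAMPLE_ROUTE_TABLE),
                         ("tampered", TAMPERED_ROUTE_TABLE)):
        print(label, audit_ospf_routes(table, "192.168.10.2", expected))
```

Paste the real output into audit_ospf_routes with your own forwarding address and LIF subnets; the pattern only needs the code, prefix, [distance/metric] and via columns, so minor spacing differences in the output do not matter.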

That is it for now, thanks for reading. I hope it was worth reading; do share on social media if you like the post.

VMware NSX Installation and Configuration Part 11-Configuring OSPF on a Logical (Distributed) Router:

Configuring OSPF on a logical router enables VM connectivity across logical routers and from logical routers to edge services gateways (ESGs). OSPF provides dynamic load balancing of traffic across routes of equal cost.

An OSPF network is divided into routing areas to optimize traffic flow and limit the size of routing tables. An area is a logical collection of OSPF networks, routers, and links that share the same area identification; areas are identified by an Area ID.

Double-click the distributed logical router.

Click Routing and then click OSPF.

1 Enable OSPF.

a Click Edit at the top right corner of the window and select Enable OSPF.

b In Forwarding Address, type the IP address that the router data-path module in the hosts uses to forward data-path packets.

c In Protocol Address, type a unique IP address in the same subnet as the forwarding address. The protocol address is used by OSPF to form adjacencies with peers.

2 Configure the OSPF areas.

a Optionally, delete the not-so-stubby area (NSSA) 51 that is configured by default.

b In Area Definitions, click the Add icon.

Click Edit:

Under Area Definitions, click the (+) icon:

Enter the area ID (20 in this lab) and click OK:

Under Area to Interface Mapping, click (+) and map the uplink interface (the interface facing the ESG) to area 20:

Under Route Redistribution, make sure that OSPF is enabled:

The NSX topology now looks like this:


In the following screen, the logical router's default gateway is the ESG's internal interface IP address (192.168.10.1).

The router ID is the logical router's uplink interface, in other words the IP address that faces the ESG (192.168.10.2).

The logical router configuration uses 192.168.10.2 as its forwarding address. The protocol address can be any IP address that is in the same subnet and is not used anywhere else; here 192.168.10.3 is configured. The distinction matters: the ESG forms its OSPF adjacency with the protocol address (owned by the logical router control VM), while the routes it learns from the DLR point at the forwarding address, which the DLR kernel module on every host answers for.

The area ID configured is 20, and the uplink interface (the interface facing the ESG) is mapped to the area.
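As an added example, not from the original post, the following Python checks the DLR and ESG OSPF settings described in Parts 11 and 12 against each other before you go looking for the adjacency: same subnet on the transit link, same area, distinct router IDs, a DLR protocol address that is in the forwarding address subnet and collides with nothing else on the link, and a DLR default gateway that is the ESG transit address. The values are the lab addresses from these posts; the ESG uplink address 10.10.10.2/24 is assumed, since the page does not give it.

```python
import ipaddress

# Lab values from Parts 11 and 12 of this series. The ESG uplink address
# (10.10.10.2/24) is an assumed value; the page does not give it.
DLR = {
    "name": "DLR",
    "router_id": "192.168.10.2",
    "default_gateway": "192.168.10.1",
    "forwarding_address": "192.168.10.2",
    "protocol_address": "192.168.10.3",
    "interfaces": {"uplink": "192.168.10.2/24"},
    "areas": {20},
    "area_map": {"uplink": 20},
}
ESG = {
    "name": "ESG-1",
    "router_id": "10.10.10.2",
    "interfaces": {"uplink": "10.10.10.2/24", "transit": "192.168.10.1/24"},
    "areas": {20},
    "area_map": {"transit": 20},
}


def _iface(node, name):
    return ipaddress.ip_interface(node["interfaces"][name])


def check_area_mapping(node):
    """Every mapped interface must exist and point at a defined area, and the
    router ID must be one of the node's own interface addresses (the NSX
    wizard only offers those)."""
    problems = []
    owned = {str(_iface(node, n).ip) for n in node["interfaces"]}
    if node["router_id"] not in owned:
        problems.append(f"{node['name']}: router ID is not an interface address")
    for iface, area in node["area_map"].items():
        if iface not in node["interfaces"]:
            problems.append(f"{node['name']}: {iface} is mapped but does not exist")
        elif area not in node["areas"]:
            problems.append(f"{node['name']}: {iface} mapped to undefined area {area}")
    return problems


def check_dlr_addresses(dlr):
    """DLR-specific: the forwarding address is a DLR interface address and the
    protocol address is a distinct address in that interface's subnet."""
    problems = []
    fwd = ipaddress.ip_address(dlr["forwarding_address"])
    proto = ipaddress.ip_address(dlr["protocol_address"])
    home = next((_iface(dlr, n) for n in dlr["interfaces"]
                 if _iface(dlr, n).ip == fwd), None)
    if home is None:
        problems.append("DLR: forwarding address is not a DLR interface address")
    elif proto not in home.network:
        problems.append("DLR: protocol address is not in the forwarding address subnet")
    if proto == fwd:
        problems.append("DLR: protocol address must differ from the forwarding address")
    return problems


def check_adjacency(dlr, esg, dlr_link="uplink", esg_link="transit"):
    """The DLR uplink and the ESG transit interface must share a subnet and an
    area, the router IDs must differ, the DLR default gateway must be the ESG
    transit address, and no address on the link may be used twice."""
    problems = []
    a, b = _iface(dlr, dlr_link), _iface(esg, esg_link)
    if a.network != b.network:
        problems.append("transit link: DLR uplink and ESG transit are in different subnets")
    if dlr["area_map"].get(dlr_link) != esg["area_map"].get(esg_link):
        problems.append("transit link: OSPF area mismatch")
    if dlr["router_id"] == esg["router_id"]:
        problems.append("router IDs collide")
    if ipaddress.ip_address(dlr["default_gateway"]) != b.ip:
        problems.append("DLR default gateway is not the ESG transit address")
    link_addrs = [str(b.ip), dlr["forwarding_address"], dlr["protocol_address"]]
    if len(set(link_addrs)) != len(link_addrs):
        problems.append("transit link: duplicate address")
    return problems


def audit(dlr, esg):
    """All checks for one DLR/ESG pair; an empty list means the configuration
    is consistent and the adjacency should come up."""
    return (check_area_mapping(dlr) + check_area_mapping(esg)
            + check_dlr_addresses(dlr) + check_adjacency(dlr, esg))


if __name__ == "__main__":
    print(audit(DLR, ESG) or "DLR and ESG OSPF settings are consistent")
```

The same dictionaries can be filled from the NSX Manager UI for each pair of routers; a non-empty result tells you which side to correct before the routing table verification in Part 12.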


In the next blog post, I will cover the OSPF routing configuration on the ESG so that the DLR and ESG can share routes with each other.

VMware NSX Installation and Configuration Part 10- Adding an Edge Services Gateway

You can install multiple NSX Edge services gateway virtual appliances in a data center. Each NSX Edge virtual appliance can have a total of ten uplink and internal network interfaces. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group.

The subnet assigned to the internal interface can be a publicly routed IP address space or a NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between interfaces. Uplink interfaces of an ESG connect to uplink port groups that have access to a shared corporate network or a service that provides access layer networking.

Procedure:

1 In vCenter, navigate to Home > Networking & Security > NSX Edges and click the Add (+) icon.

2 Select Edge Services Gateway and type a name for the device. This name appears in your vCenter inventory. The name should be unique across all ESGs within a single tenant. Optionally, you can also enter a hostname. This name appears in the CLI. If you do not specify the host name, the Edge ID, which gets created automatically, is displayed in the CLI. Optionally, you can enter a description and tenant and enable high availability.


3 Type and re-type a password for the ESG.

4 (Optional) Enable SSH, high availability, and automatic rule generation, and set the log level. If you do not enable automatic rule generation, you must manually add firewall, NAT, and routing configuration to allow control traffic for certain NSX Edge services, such as load balancing and VPN. Auto rule generation does not create rules for data-channel traffic. By default, SSH and high availability are disabled, and automatic rule generation is enabled. Logging is enabled by default on all new NSX Edge appliances; the NSX documentation this step follows gives the default log level as emergency in one place and NOTICE in another, so check the value shown in the wizard and set it deliberately rather than relying on the default. Leave SSH disabled unless you need it, and if you do enable it, restrict who can reach it with the Edge firewall.


5 Select the size of the NSX Edge instance based on your system resources and the services it will run.


In the next blog post, I will cover the configuration of dynamic routing (OSPF) on the distributed logical router.

 

VMware NSX Installation and Configuration Part 9-Adding a Distributed Logical Router

A distributed logical router (DLR) is a virtual appliance that contains the routing control plane, while distributing the data plane in kernel modules to each hypervisor host. The DLR control plane function relies on the NSX controller cluster to push routing updates to the kernel modules.

Procedure:

1 In the vSphere Web Client, navigate to Home > Networking & Security > NSX Edges.

2 Click the Add (+) icon.

3 Select Logical (Distributed) Router and type a name for the device. This name appears in your vCenter inventory. The name should be unique across all logical routers within a single tenant. Optionally, you can also enter a hostname. This name appears in the CLI. If you do not specify the host name, the Edge ID, which gets created automatically, is displayed in the CLI.


4 (Optional) Deploy an edge appliance. Deploy Edge Appliance is selected by default. An edge appliance (also called a logical router virtual appliance) is required for dynamic routing and the logical router appliance’s firewall, which applies to logical router pings, SSH access, and dynamic routing traffic. You can deselect the edge appliance option if you require only static routes, and do not want to deploy an Edge appliance. You cannot add an Edge appliance to the logical router after the logical router has been created.

5 (Optional) Enable High Availability. Enable High Availability is not selected by default. Select the Enable High Availability check box to enable and configure high availability. High availability is required if you are planning to do dynamic routing.

6 Type and re-type a password for the logical router.


7 Configure interfaces. On logical routers, only IPv4 addressing is supported. In the HA Interface Configuration, if you selected Deploy NSX Edge you must connect the HA interface to a distributed port group; a VXLAN logical switch is recommended for this interface. An IP address for each of the two NSX Edge appliances is chosen from the link-local address space, 169.254.0.0/16. No further configuration is necessary to configure the HA service.


In the next blog post, I will cover the deployment of the ESG (Edge Services Gateway).

VMware NSX Installation and Configuration Part 8- Creating a Logical Switch

An NSX logical switch reproduces switching functionality (unicast, multicast, broadcast) in a virtual environment completely decoupled from underlying hardware.

Logical switches are similar to VLANs, in that they provide network connections to which you can attach virtual machines. VMs connected to the same logical switch can then communicate with each other over VXLAN. Each logical switch has a segment ID (the VXLAN Network Identifier), like a VLAN ID. Unlike VLAN IDs, of which there are only 4094 usable, there can be up to 16 million segment IDs.


Procedure:

1 In the vSphere Web Client, navigate to Home > Networking & Security > Logical Switches.

2 Click the New Logical Switch (+) icon.


3 Type a name and optional description for the logical switch.

4 Select the transport zone in which you want to create the logical switch. By default, the logical switch inherits the control plane replication mode from the transport zone. You can change it to one of the other available modes: unicast, hybrid, or multicast. You might override the inherited mode for an individual logical switch when that switch will carry a significantly different amount of BUM (broadcast, unknown unicast, multicast) traffic. In this case, you might create a transport zone that uses unicast mode, and use hybrid or multicast mode for the individual logical switch.

5 (Optional) Click Enable IP Discovery to enable ARP suppression. This setting minimizes ARP traffic flooding within individual VXLAN segments—in other words, between VMs connected to the same logical switch. IP discovery is enabled by default.

6 (Optional) Click Enable MAC learning if your VMs have multiple MAC addresses or are using virtual NICs that are trunking VLANs.


7 Attach a VM to the logical switch by selecting the switch and clicking the Add Virtual Machine (+) icon.


8 Select the VM and click the right-arrow button.


9 Select a vNIC and click OK.


Each logical switch that you create receives an ID from the segment ID pool, and a virtual wire is created. A virtual wire is a dvPortgroup that is created on each vSphere distributed switch.

The virtual wire descriptor contains the name of the logical switch and the logical switch’s segment ID. Assigned segment IDs appear in multiple places, as shown in the following examples. In Home > Networking & Security > Logical Switches:


In Home > Networking:


In Home > Hosts and Clusters > VM > Summary


On the hosts that are running the VMs attached to the logical switch, log in and run the esxcli VXLAN listing command (esxcli network vswitch dvs vmware vxlan list) to view the local VXLAN configuration and state; it displays host-specific VXLAN details.


VDS Name displays the vSphere distributed switch to which the host is attached. The Segment ID is the IP network used by the VTEPs for VXLAN transport. The Gateway IP is the gateway IP address used by VXLAN.

The Network Count remains 0 unless a DLR is attached to the logical switch. The Vmknic count is the number of VTEP vmknics on the host, which is determined by the VXLAN teaming policy chosen during host preparation, not by the number of VMs attached to the logical switch.

Test VTEP interface connectivity and verify that the MTU has been increased to support VXLAN encapsulation. From one host, ping the VTEP vmknic IP address of another host (found on the host's Manage > Networking > Virtual switches page in the vSphere Web Client) using the VXLAN TCP/IP stack: vmkping ++netstack=vxlan -d -s 1572 followed by the remote VTEP IP. With the default 1600-byte VXLAN MTU, a 1572-byte payload plus 28 bytes of IP and ICMP headers is exactly one full-size packet.


The -d flag sets the don’t-fragment (DF) bit on IPv4 packets. The -s flag sets the packet size.


That is it regarding the creation of a logical switch; in the next blog post I will cover the configuration of the distributed logical router.

VMware NSX Installation and Configuration Part 7- VXLAN Transport Parameters Configuration

Procedure

1 In vCenter, navigate to Home > Networking & Security > Installation and select the Host Preparation tab.

2 Click Not Configured in the VXLAN column.

3 Set up logical networking. This involves selecting a VDS, a VLAN ID, an MTU size, an IP addressing mechanism, and a NIC teaming policy. The MTU for each switch must be set to 1550 or higher. By default, it is set to 1600.

If the vSphere distributed switch (VDS) MTU size is larger than the VXLAN MTU, the VDS MTU will not be adjusted down. If it is set to a lower value, it will be adjusted to match the VXLAN MTU. For example, if the VDS MTU is set to 2000 and you accept the default VXLAN MTU of 1600, no changes to the VDS MTU will be made. If the VDS MTU is 1500 and the VXLAN MTU is 1600, the VDS MTU will be changed to 1600.
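An added Python example (not from the original post) that does the MTU arithmetic behind this step and behind the ping test in Part 8: VXLAN adds 50 bytes of headers, so a 1500-byte guest MTU needs at least 1550 on the VTEP and on every physical hop, and a full-size DF probe at the default 1600 MTU is vmkping ++netstack=vxlan -d -s 1572 (1600 minus 28 bytes of IP and ICMP headers). The sample ping statistics lines are constructed in the shape vmkping prints; the 9000-byte physical MTU default in plan_mtu is an assumed lab value.

```python
import re

# Header bytes VXLAN adds to every encapsulated frame: outer Ethernet (14),
# IPv4 (20), UDP (8) and VXLAN (8).
VXLAN_OVERHEAD = 14 + 20 + 8 + 8
# Headers an IPv4 ICMP echo carries on top of the ping payload: IP (20) + ICMP (8).
IP_ICMP_HEADERS = 20 + 8
MINIMUM_VXLAN_MTU = 1550   # the minimum stated in Part 7
DEFAULT_VXLAN_MTU = 1600   # the NSX default


def effective_vds_mtu(vds_mtu, vxlan_mtu=DEFAULT_VXLAN_MTU):
    """Host preparation raises the VDS MTU to the VXLAN MTU but never lowers it."""
    return max(vds_mtu, vxlan_mtu)


def max_guest_mtu(vtep_mtu):
    """Largest guest (VM) MTU that still fits after VXLAN encapsulation."""
    return vtep_mtu - VXLAN_OVERHEAD


def vmkping_payload(vtep_mtu):
    """Largest -s value that must still pass with DF set: one full-MTU packet."""
    return vtep_mtu - IP_ICMP_HEADERS


def vmkping_command(remote_vtep_ip, vtep_mtu=DEFAULT_VXLAN_MTU):
    """The ESXi test from Part 8, run from another host on the VXLAN netstack:
    -d sets the don't-fragment bit, -s sets the payload size."""
    return f"vmkping ++netstack=vxlan -d -s {vmkping_payload(vtep_mtu)} {remote_vtep_ip}"


def plan_mtu(vds_mtu, vxlan_mtu=DEFAULT_VXLAN_MTU, physical_mtu=9000, guest_mtu=1500):
    """Validate an MTU plan end to end and return what to configure and test.
    physical_mtu=9000 is an assumed lab value; pass your switch fabric's MTU."""
    problems = []
    if vxlan_mtu < MINIMUM_VXLAN_MTU:
        problems.append(f"VXLAN MTU {vxlan_mtu} is below the {MINIMUM_VXLAN_MTU} minimum")
    vds = effective_vds_mtu(vds_mtu, vxlan_mtu)
    if physical_mtu < vds:
        problems.append(f"physical network MTU {physical_mtu} is below the VDS MTU {vds}")
    if guest_mtu > max_guest_mtu(vds):
        problems.append(f"guest MTU {guest_mtu} plus {VXLAN_OVERHEAD} bytes of VXLAN "
                        f"headers exceeds the VTEP MTU {vds}")
    return {"vds_mtu": vds,
            "max_guest_mtu": max_guest_mtu(vds),
            "ping_size": vmkping_payload(vds),
            "problems": problems}


PING_STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")


def vmkping_passed(output):
    """True when every DF-marked probe came back. A failure with -d means some
    hop (VDS, physical switch or the remote VTEP) has an MTU below the probe
    size, because the packet cannot be fragmented to fit."""
    m = PING_STATS_RE.search(output)
    if not m:
        return False
    sent, received = int(m.group(1)), int(m.group(2))
    return sent > 0 and received == sent


# Constructed sample statistics lines in the shape vmkping prints.
SAMPLE_PASS = "3 packets transmitted, 3 packets received, 0% packet loss"
SAMPLE_FAIL = "3 packets transmitted, 0 packets received, 100% packet loss"

if __name__ == "__main__":
    print(plan_mtu(1500))
    print(vmkping_command("192.168.250.52"))   # assumed remote VTEP address
    print(vmkping_passed(SAMPLE_PASS), vmkping_passed(SAMPLE_FAIL))
```

If a VM workload needs a larger MTU, feed it in as guest_mtu: the function tells you the VTEP and physical MTU that must be raised, and the matching probe size to prove the path with.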


Configuring VXLAN results in the creation of new distributed port groups.


Assign a Segment ID Pool and Multicast Address Range:

VXLAN segments are built between VXLAN tunnel end points (VTEPs); a hypervisor host is a typical VTEP. Each VXLAN segment (logical switch) has a segment ID, the VXLAN Network Identifier. You must specify a segment ID pool for each NSX Manager so that segment IDs stay unique and the traffic of different segments stays isolated. If an NSX controller is not deployed in your environment, you must also add a multicast address range to spread BUM traffic across your network and avoid overloading a single multicast address.

Procedure:

1 In vCenter, navigate to Home > Networking & Security > Installation and select the Logical Network Preparation tab.

2 Click Segment ID > Edit.

3 Type a range for the segment IDs.


4 If any of your transport zones will use multicast or hybrid replication mode, add a multicast address or a range of multicast addresses.

Having a range of multicast addresses spreads traffic across your network, prevents the overloading of a single multicast address, and better contains BUM replication.
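As an added example (not from the original post), the Python below validates a segment ID pool and a multicast range the way you would before typing them into the dialog: segment IDs must lie in 5000 to 16777215 (the VNI range NSX-v accepts; confirm against your version's UI), pools belonging to different NSX Managers must not overlap, and a multicast range should be several addresses from the administratively scoped 239.0.0.0/8 block and never from the 224.0.0.0/24 link-local control block, which switches do not forward. The manager names in the overlap check are assumed.

```python
import ipaddress

SEGMENT_ID_MIN, SEGMENT_ID_MAX = 5000, 16777215   # VNI range NSX-v accepts


def parse_id_range(text):
    """'5000-5999' -> (5000, 5999); a single number is a one-ID range."""
    lo, _, hi = (part.strip() for part in text.partition("-"))
    lo = int(lo)
    hi = int(hi) if hi else lo
    if lo > hi:
        raise ValueError(f"range {text!r} is reversed")
    return lo, hi


def validate_segment_pool(text):
    """Problems with one segment ID pool as typed into the Segment ID dialog."""
    lo, hi = parse_id_range(text)
    problems = []
    if lo < SEGMENT_ID_MIN or hi > SEGMENT_ID_MAX:
        problems.append(f"{text}: segment IDs must lie within "
                        f"{SEGMENT_ID_MIN}-{SEGMENT_ID_MAX}")
    return problems


def overlapping_pools(pools):
    """pools maps an NSX Manager name (assumed names) to its pool string.
    Every manager needs a disjoint pool; returns the pairs that collide."""
    ranges = {name: parse_id_range(r) for name, r in pools.items()}
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")    # RFC 2365, site-local use
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")  # RFC 5771, never forwarded


def validate_multicast_range(text):
    """Check a multicast range such as '239.0.0.0-239.0.0.255' for use with
    multicast or hybrid replication. Returns (problems, address count)."""
    lo_s, _, hi_s = (part.strip() for part in text.partition("-"))
    lo = ipaddress.ip_address(lo_s)
    hi = ipaddress.ip_address(hi_s) if hi_s else lo
    problems = []
    if int(lo) > int(hi):
        problems.append(f"{text}: range is reversed")
        return problems, 0
    for addr in (lo, hi):
        if not addr.is_multicast:
            problems.append(f"{addr} is not a multicast address")
        elif addr in LOCAL_CONTROL:
            problems.append(f"{addr} is in the link-local control block 224.0.0.0/24")
        elif addr not in ADMIN_SCOPED:
            problems.append(f"{addr} is outside the administratively scoped block 239.0.0.0/8")
    count = int(hi) - int(lo) + 1
    if count == 1:
        problems.append(f"{text}: a single address puts all BUM replication on one group")
    return problems, count


if __name__ == "__main__":
    print(validate_segment_pool("5000-5999"))
    print(overlapping_pools({"nsx-a": "5000-5999", "nsx-b": "5500-6499"}))
    print(validate_multicast_range("239.0.0.0-239.0.0.255"))
```

For a single NSX Manager the overlap check is moot, but it becomes the important one as soon as a second manager shares the same physical fabric, since two segments carrying the same VNI on the same VTEP network are not isolated from each other.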

Add a Transport Zone:

A transport zone controls which hosts a logical switch can reach. It can span one or more vSphere clusters. Transport zones dictate which clusters and, therefore, which VMs can participate in the use of a particular network.

An NSX environment can contain one or more transport zones based on your requirements. A host cluster can belong to multiple transport zones. A logical switch can belong to only one transport zone. NSX does not allow connection of VMs that are in different transport zones. The span of a logical switch is limited to a transport zone, so virtual machines in different transport zones cannot be on the same Layer 2 network.

A distributed logical router cannot connect to logical switches that are in different transport zones. After you connect the first logical switch, the selection of further logical switches is limited to those that are in the same transport zone. Similarly, an edge services gateway (ESG) has access to logical switches from only one transport zone.

Procedure:

1 In vCenter, navigate to Home > Networking & Security > Installation and select the Logical Network Preparation tab.

2 Click Transport Zones and click the New Transport Zone (+) icon


3 In the New Transport Zone dialog box, type a name and an optional description for the transport zone.

4 Depending on whether you have a controller node in your environment, or you want to use multicast addresses, select the control plane mode.

  • Multicast: Multicast IP addresses in the physical network are used for the control plane. This mode is recommended only when you are upgrading from older VXLAN deployments. Requires PIM/IGMP in the physical network.
  • Unicast: The control plane is handled by an NSX controller. All unicast traffic leverages optimized headend replication. No multicast IP addresses or special network configuration is required.
  • Hybrid: Offloads local traffic replication to the physical network (L2 multicast). This requires IGMP snooping on the first-hop switch and access to an IGMP querier in each VTEP subnet, but does not require PIM. The first-hop switch handles traffic replication for the subnet.

5 Select the clusters to be added to the transport zone.


That was it regarding the VXLAN configuration; in the next blog post I will cover the creation of a VXLAN-based logical switch.

VMware NSX Installation and Configuration Part 6 – Prepare Host Clusters for NSX

Host preparation is the process in which the NSX Manager:

1) Installs NSX kernel modules on ESXi hosts that are members of vCenter clusters, and

2) Builds the NSX control-plane and management-plane fabric.

NSX kernel modules, packaged in VIB files, run within the hypervisor kernel and provide services such as distributed routing, distributed firewall, and VXLAN bridging capabilities.

To prepare your environment for network virtualization, you must install the network infrastructure components per cluster on each vCenter Server where needed. This deploys the required software on all hosts in the cluster. When a new host is added to the cluster, the required software is automatically installed on it.

 

Procedure

1 In vCenter, navigate to Home > Networking & Security > Installation and select the Host Preparation tab.

2 For all clusters that will require NSX logical switching, routing, and firewalls, click the gear icon and click Install


When the installation is complete, the Installation Status column displays the installed version (6.2) with an Uninstall link, and the Firewall column displays Enabled; both columns have a green check mark. If you see Resolve in the Installation Status column, click Resolve and then refresh your browser window.

The following VIBs are installed and registered on every host in the prepared cluster:

– esx-vsip

– esx-vxlan

To verify, SSH to each host and run esxcli software vib list | grep esx. In addition to listing the VIBs, this command shows the version of each installed VIB, so you can confirm that every host in the cluster is running the same build.
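Added example, not code from the original post: a Python parser for the esxcli software vib list | grep esx output that checks each host for both NSX VIBs, confirms they are VMware-signed (vendor VMware, acceptance level VMwareCertified or VMwareAccepted) and at the same version, and reports version drift across hosts. The three host outputs are constructed in the column layout of that command; the version strings and dates are invented.

```python
import re

# Constructed sample output in the column layout of
# "esxcli software vib list | grep esx" (Name, Version, Vendor,
# Acceptance Level, Install Date) for three hosts. Versions and dates invented.
HOST_OUTPUT = {
    "esx01": (
        "esx-vsip     6.0.0-0.0.4182218    VMware    VMwareCertified    2016-09-09\n"
        "esx-vxlan    6.0.0-0.0.4182218    VMware    VMwareCertified    2016-09-09\n"),
    # esx-vxlan left behind from an earlier build: a half-updated host
    "esx02": (
        "esx-vsip     6.0.0-0.0.4182218    VMware    VMwareCertified    2016-09-09\n"
        "esx-vxlan    6.0.0-0.0.3920050    VMware    VMwareCertified    2016-03-18\n"),
    # esx-vsip missing and esx-vxlan installed from an unsigned source
    "esx03": (
        "esx-vxlan    6.0.0-0.0.4182218    Acme      CommunitySupported 2016-09-09\n"),
}

REQUIRED_VIBS = ("esx-vsip", "esx-vxlan")
TRUSTED_VENDOR = "VMware"
TRUSTED_LEVELS = {"VMwareCertified", "VMwareAccepted"}

VIB_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+(?P<vendor>\S+)\s+(?P<level>\S+)\s+(?P<date>\S+)$")


def parse_vib_list(text):
    """Map VIB name -> fields for every data line; header rows are ignored."""
    vibs = {}
    for line in text.splitlines():
        m = VIB_RE.match(line.strip())
        if m and not m["name"].startswith("-") and m["name"] != "Name":
            vibs[m["name"]] = m.groupdict()
    return vibs


def audit_host(text):
    """Problems on one host: missing NSX VIBs, a VIB that is not VMware-signed,
    or esx-vsip and esx-vxlan at different versions."""
    vibs = parse_vib_list(text)
    problems = []
    for name in REQUIRED_VIBS:
        v = vibs.get(name)
        if v is None:
            problems.append(f"{name}: not installed")
        elif v["vendor"] != TRUSTED_VENDOR or v["level"] not in TRUSTED_LEVELS:
            problems.append(f"{name}: vendor {v['vendor']} / {v['level']} "
                            f"is not a VMware-signed VIB")
    versions = {vibs[n]["version"] for n in REQUIRED_VIBS if n in vibs}
    if len(versions) > 1:
        problems.append("esx-vsip and esx-vxlan versions differ: "
                        + ", ".join(sorted(versions)))
    return problems


def cluster_drift(outputs):
    """Per VIB, the distinct versions seen across all hosts; more than one
    means host preparation did not complete uniformly (look for Resolve)."""
    seen = {name: set() for name in REQUIRED_VIBS}
    for text in outputs.values():
        vibs = parse_vib_list(text)
        for name in REQUIRED_VIBS:
            if name in vibs:
                seen[name].add(vibs[name]["version"])
    return {name: sorted(v) for name, v in seen.items()}


if __name__ == "__main__":
    for host, text in HOST_OUTPUT.items():
        print(host, audit_host(text) or "ok")
    print(cluster_drift(HOST_OUTPUT))
```

Collect the real output from each host over SSH into the same dictionary; the acceptance-level check is the one that catches a VIB that merely carries the expected name, which the Installation Status column alone does not tell you.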


In the next post , we will look into the VXLAN configuration parameters.

 

VMware NSX Installation and Configuration Part 5- Exclude Virtual Machines from NSX Firewall Protection

You can exclude a set of virtual machines from NSX distributed firewall protection.

NSX Manager, NSX Controllers, and NSX Edge virtual machines are automatically excluded from NSX distributed firewall protection. In addition, VMware recommends that you place the following service virtual machines in the exclusion list to allow traffic to flow freely:

– vCenter Server. It can be moved into a cluster that is protected by the firewall, but it must already be in the exclusion list to avoid connectivity issues.

– Partner service virtual machines.

– Virtual machines that require promiscuous mode. If these virtual machines are protected by the NSX distributed firewall, their performance may be adversely affected.

– The SQL Server that your Windows-based vCenter uses.

– The vCenter Web server, if you are running it separately.

Keep the exclusion list as short as possible: an excluded VM receives no distributed firewall enforcement at all, so every entry is a deliberate gap in the micro-segmentation policy.

Procedure

1 In the vSphere Web Client, click Networking & Security.

2 In Networking & Security Inventory, click NSX Managers.

3 In the Name column, click an NSX Manager.

4 Click the Manage tab and then click the Exclusion List tab.

5 Click the Add (+) icon.

6 Type the name of the virtual machine that you want to exclude and click Add


In the next post, I will cover how to prepare a vSphere host cluster for NSX.