VMware NSX Installation and Configuration Part 4 – Deploy NSX Controller Cluster

NSX Controller is an advanced distributed state management system that provides control plane functions for NSX logical switching and routing functions. It serves as the central control point for all logical switches within a network and maintains information about all hosts, logical switches (VXLANs), and distributed logical routers. Controllers are required if you are planning to deploy

1) distributed logical routers or

2) VXLAN in unicast or hybrid mode.

No matter the size of the NSX deployment, VMware requires that each NSX Controller cluster contain three controller nodes. Having a different number of controller nodes is not supported.

Procedure

1 In vCenter, navigate to Home > Networking & Security > Installation and select the Management tab.

If you have not already configured an IP pool for your controller cluster, configure one now by clicking New IP Pool. Individual controllers can be in separate IP subnets, if necessary.

5 Type and re-type a password for the controller.

NOTE: The password must not contain the username as a substring. Any character must not consecutively repeat 3 or more times. The password must be at least 12 characters and must follow 3 of the following 4 rules:

  • At least one upper case letter
  • At least one lower case letter
  • At least one number
  • At least one special character

6 After the first controller is completely deployed, deploy two additional controllers. Having three controllers is mandatory. We recommend configuring a DRS anti-affinity rule to prevent the controllers from residing on the same host.
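The password rules in the note under step 5 can be checked before you start the deployment. The following is an added example, not code from the original post or from VMware; the function name is hypothetical, and treating "special character" as any non-alphanumeric character and matching the username case-insensitively are assumptions.

```python
import re

# Messages returned for each rule in the NOTE under step 5.
TOO_SHORT = "shorter than 12 characters"
HAS_USERNAME = "contains the username as a substring"
REPEATS = "a character repeats 3 or more times in a row"
FEW_CLASSES = "fewer than 3 of the 4 character classes"


def check_controller_password(password, username):
    """Return the list of rules the candidate password breaks (empty = OK)."""
    problems = []
    if len(password) < 12:
        problems.append(TOO_SHORT)
    # Assumption: compare case-insensitively, which is stricter than the note requires.
    if username and username.lower() in password.lower():
        problems.append(HAS_USERNAME)
    # (.)\1\1 matches any character followed by two more copies of itself.
    if re.search(r"(.)\1\1", password, re.DOTALL):
        problems.append(REPEATS)
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # assumption: "special" = non-alphanumeric
    ]
    if sum(classes) < 3:
        problems.append(FEW_CLASSES)
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("Vmw@re-Lab-2024x", "Passsword-1234", "lowercase-and-sym"):
        print(candidate, "->", check_controller_password(candidate, "admin") or "OK")
```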

In the next part, I will cover how to exclude some virtual machines from NSX firewall protection.

VMware NSX Installation and Configuration Part 3 – NSX Manager vCenter Integration, SSO, Syslog & License Configuration

1 In a Web browser, navigate to the NSX Manager appliance GUI at https://IP or FQDN and log in as admin with the password that you configured during NSX Manager Installation.

2 Under Appliance Management, click Manage vCenter Registration.

3 Edit the vCenter Server element to point to the vCenter Server’s IP address or hostname, and enter the vCenter Server user name and password. For the user name, the best practice is to enter administrator@vsphere.local or an alternative account that you have created. Do not use the root account.

4 Check that the certificate thumbprint matches the certificate of the vCenter Server. If you installed a CA-signed certificate on the CA server, you are presented with the thumbprint of the CA-signed certificate. Otherwise, you are presented with a self-signed certificate.

5 Do not tick Modify plugin script download location, unless the NSX Manager is behind a firewall type of masking device. This option allows you to enter an alternate IP address for NSX Manager. Note that putting NSX Manager behind a firewall of this type is not recommended.

6 Confirm that the vCenter Server status is Connected.

7 If vCenter Web Client is already open, log out of vCenter and log back in with the same Administrator role used to register NSX Manager with vCenter. If you do not do this, vCenter Web Client will not display the Networking & Security icon on the Home tab. Click the Networking & Security icon and confirm that you can see the newly deployed NSX Manager.
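The thumbprint comparison in step 4 is easy to get wrong by eye. As an added example (not from the original post), the script below hashes a certificate exported from vCenter through a trusted channel and compares it with the thumbprint NSX Manager displays. The function names and the PEM file path are hypothetical, and accepting either a SHA-1 or a SHA-256 thumbprint is an assumption.

```python
import hashlib
import hmac
import ssl

# Hex length of the displayed thumbprint -> hash algorithm (assumption: SHA-1 or SHA-256).
_ALGOS = {40: "sha1", 64: "sha256"}


def normalize(thumbprint):
    """Drop ':', '-' and spaces and lower-case, so 'AB:CD' equals 'abcd'."""
    return "".join(c for c in thumbprint if c not in ":- ").lower()


def der_from_pem_file(path):
    """Load one PEM certificate exported from vCenter (hypothetical path) as DER bytes."""
    with open(path, encoding="ascii") as fh:
        return ssl.PEM_cert_to_DER_cert(fh.read().strip())


def thumbprint_matches(displayed, der):
    """True if the thumbprint shown in the dialog is the hash of this certificate."""
    shown = normalize(displayed)
    algo = _ALGOS.get(len(shown))
    if algo is None or any(c not in "0123456789abcdef" for c in shown):
        raise ValueError("not a SHA-1 or SHA-256 hex thumbprint")
    expected = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(shown, expected)


if __name__ == "__main__":
    import sys
    # Usage: script.py <thumbprint shown by NSX Manager> <vcenter-cert.pem>
    shown_arg, pem_path = sys.argv[1], sys.argv[2]
    ok = thumbprint_matches(shown_arg, der_from_pem_file(pem_path))
    print("MATCH" if ok else "MISMATCH: do not accept the certificate")
    sys.exit(0 if ok else 1)
```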

Configure Single Sign On:

SSO makes vSphere and NSX more secure by allowing the various components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately.

You can configure lookup service on the NSX Manager and provide the SSO administrator credentials to register NSX Management Service as an SSO user. Integrating the single sign on (SSO) service with NSX improves the security of user authentication for vCenter users and enables NSX to authenticate users from other identity services such as AD, NIS, and LDAP.

With SSO, NSX supports authentication using authenticated Security Assertion Markup Language (SAML) tokens from a trusted source via REST API calls. NSX Manager can also acquire authentication SAML tokens for use with other VMware solutions. NSX caches group information for SSO users. Changes to group memberships will take up to 60 minutes to propagate from the identity provider (for example, Active Directory) to NSX.

Procedure:

1 Log in to the NSX Manager virtual appliance. In a Web browser, navigate to the NSX Manager appliance GUI at https://IP or FQDN, and log in as admin with the password that you configured during NSX Manager Installation.

2 Click the Manage tab, then click NSX Management Service.

3 Type the name or IP address of the host that has the lookup service. If you are using vCenter to perform the lookup service, enter the vCenter Server’s IP address or hostname, and enter the vCenter Server user name and password.

4 Type the port number. Enter port 443 if you are using vSphere 6.0. For vSphere 5.5, use port number 7444. The Lookup Service URL is displayed based on the specified host and port.

Specify a Syslog Server:

If you specify a syslog server, NSX Manager sends all audit logs and system events to the syslog server. Syslog data is useful for troubleshooting and reviewing data logged during installation and configuration. NSX Edge supports two syslog servers. NSX Manager and NSX Controllers support one syslog server.

Procedure

1 In a Web browser, navigate to the NSX Manager appliance GUI at https://IP or FQDN.

2 Log in as admin with the password that you configured during NSX Manager installation.

3 Click Manage Appliance Settings.

4 From the Settings panel, click General.

5 Click Edit next to Syslog Server.

6 Type the IP address or hostname, port, and protocol of the syslog server. If you do not specify a port, the default UDP port for the IP address/host name of the syslog server is used.

Install and Assign NSX for vSphere License:

In vSphere 6.0, complete the following steps to add a license for NSX.

a Log in to the vSphere Web Client.

b Click Administration and then click Licenses.

c Click the Assets tab, then the Solutions tab.

d Select NSX for vSphere in the Solutions list. From the All Actions drop-down menu, select Assign license….

e Click the Add icon. Enter a license key and click Next. Add a name for the license, and click Next. Click Finish to add the license.

f Select the new license.

g (Optional) Click the View Features icon to view what features are enabled with this license. View the Capacity column to view the capacity of the license.

h Click OK to assign the new license to NSX.

In the next blog, I will talk about the NSX Controller cluster deployment and configuration.

VMware NSX Installation and Configuration Part 1 – Prerequisites for Deploying NSX in vSphere Environment:

This is a long-pending series of blog posts on VMware NSX (6.2.2) installation and configuration that I wanted to share. Last month I installed NSX 6.2.2 in my lab. The first and most important thing before installation is to make sure all the prerequisites are in place for a smooth NSX installation.

Software Prerequisites for NSX 6.2.2:

VMware vCenter Server 5.5U3 with ESXi 5.5

VMware vCenter Server 6.0U2 with ESXi 6.0

At least three ESXi 5.5/6 hosts

For the latest interoperability information, you can refer to Product Interoperability Matrixes at

http://partnerweb.vmware.com/comp_guide2/sim/interop_matrix.php

Hardware Prerequisites for NSX 6.2.2:

Client and User Access Prerequisites:

  • If you added ESXi hosts by name to the vSphere inventory, ensure that forward and reverse name resolution is working. Otherwise, NSX Manager cannot resolve the IP addresses.
  • Permissions to add and power on virtual machines
  • Access to the datastore where you store virtual machine files and the account permissions to copy files to that datastore
  • Cookies enabled on your Web browser, to access the NSX Manager user interface
  • From NSX Manager, ensure port 443 is accessible from the ESXi host, the vCenter Server, and the NSX appliances to be deployed. This port is required to download the OVF file on the ESXi host for deployment.
  • A Web browser that is supported for the version of vSphere Web Client you are using

Ports and Protocols Required by NSX:

The below ports must be open for NSX to operate properly:

vSphere Distributed Switch:

VXLAN-based logical switching requires the vSphere Distributed Switch; the vSphere standard switch is not a supported configuration with NSX.

NSX vSwitch is based on vSphere distributed switches (VDSs), which provide uplinks for host connectivity to the top-of-rack (ToR) physical switches. As a best practice, VMware recommends that you plan and prepare your vSphere distributed switches before installing NSX for vSphere. A single host can be attached to multiple VDSs. A single VDS can span multiple hosts across multiple clusters. For each host cluster that will participate in NSX, all hosts within the cluster must be attached to a common VDS.

NSX Installation workflow:

Installation involves deployment of multiple virtual appliances, ESXi host preparations and configuration across physical and virtual components.

I will be covering the installation of each component in separate blog posts, starting with installation and configuration of NSX Manager. Thanks for reading this; if you find the information useful, share it on social media.