VMware NSX 6.2 Installation and Configuration: A to Z

This is a long-pending series of blog posts on VMware NSX (6.2.2) installation and configuration that I wanted to share. Last month I installed NSX 6.2.2 in my lab and wanted to share my experience.

I have written 12 blog posts that cover the complete procedure for NSX installation and configuration in a vSphere environment from scratch.

Below is the list of blog posts:


(1) VMware NSX Installation and Configuration Part 1 – Prerequisites for Deploying NSX in vSphere Environment:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-1-prerequisites-for-deploying-nsx-in-vsphere-environment/

(2) VMware NSX Installation and Configuration Part 2 – Deployment of NSX Manager Virtual Appliance:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-2-deploment-of-nsx-manager-virtual-appliance/

(3) VMware NSX Installation and Configuration Part 3 – NSX Manager vCenter Integration, SSO, Syslog & License Configuration:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-3-nsx-manager-vcenter-integrationssosyslog-license-confguration/

(4) VMware NSX Installation and Configuration Part 4 – Deploy NSX Controller Cluster

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-4-deploy-nsx-controller-cluster/

(5) VMware NSX Installation and Configuration Part 5 – Exclude Virtual Machines from NSX Firewall Protection:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-5-exclude-virtual-machines-from-nsx-firewall-protection/

(6) VMware NSX Installation and Configuration Part 6 – Prepare Host Clusters for NSX

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-6-prepare-host-clusters-for-nsx/

(7) VMware NSX Installation and Configuration Part 7 – VXLAN Transport Parameters Configuration:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-7-vxlan-transport-parameters-configuration/

(8) VMware NSX Installation and Configuration Part 8 – Creating a Logical Switch:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-8-creating-a-logical-switch/

(9) VMware NSX Installation and Configuration Part 9 – Adding a Distributed Logical Router:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-9-adding-a-distributed-logical-router/

(10) VMware NSX Installation and Configuration Part 10 – Adding an Edge Services Gateway:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-10-adding-an-edge-services-gateway/

(11) VMware NSX Installation and Configuration Part 11 – Configuring OSPF on a Logical (Distributed) Router:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-11-configuring-ospf-on-a-logical-distributed-router/

(12) VMware NSX Installation and Configuration Part 12 – Configure OSPF on an Edge Services Gateway:

https://virtualissar.wordpress.com/2016/09/09/vmware-nsx-installation-and-configuration-part-12-configure-ospf-on-an-edge-services-gateway/

I hope you liked the posts; do share, comment and like if you find them helpful. Till then, keep learning and sharing.


VMware NSX Installation and Configuration Part 12 – Configure OSPF on an Edge Services Gateway

Configuring OSPF on an edge services gateway (ESG) enables the ESG to learn and advertise routes. The most common application of OSPF on an ESG is on the link between the ESG and a logical (distributed) router. This allows the ESG to learn about the logical interfaces (LIFs) that are connected to the logical router. The same goal can be accomplished with OSPF, IS-IS, BGP or static routing.

OSPF routing policies provide a dynamic process of traffic load balancing between routes of equal cost.

An OSPF network is divided into routing areas to optimize traffic flow and limit the size of routing tables.

An area is a logical collection of OSPF networks, routers, and links that have the same area identification.

Procedure:

Double-click on ESG-1.

Under Dynamic Routing Configuration, select the ESG uplink as the Router ID and click OK.

Under OSPF, click OSPF Configuration and select Edit:

Now, under Area Definitions, define the area ID. We will use the same area ID, 20, that we used on the DLR:

In Area to Interface Mapping, select the Transit interface and map it to area ID 20:

Under Route Redistribution, select Edit and enable OSPF:

In the following screen, the ESG’s default gateway is the ESG’s uplink interface to its external peer.

The router ID is the ESG’s uplink interface IP address—in other words, the IP address that faces its external peer.


The area ID configured is 20, and the internal interface (the interface facing the logical router) is mapped to the area.


The connected routes are redistributed into OSPF so that the OSPF neighbor (the logical router) can learn about the ESG’s uplink network.


Make sure that the ESG is learning OSPF external routes from the logical router.

Log in to your ESG and run the “show ip route” command.

Note that the two routes shown below are defined on the DLR, and the ESG learned them via OSPF.
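Checking this by eye works in a lab, but it is worth automating for a cluster-wide verification. The following script is an added example (not code from the original post or from VMware): it parses the output of the NSX Edge “show ip route” command and confirms that every DLR prefix was learned via OSPF from the DLR's forwarding address and from nowhere else. The routing table embedded in it is a constructed sample: the 192.168.10.0/24 transit link, the ESG internal address 192.168.10.1 and the DLR forwarding address 192.168.10.2 are the values used in these posts, while the 172.16.x.0/24 LIF networks and the 192.168.100.0/24 uplink are assumed.

```python
"""Parse the NSX Edge CLI output of "show ip route" and confirm that the ESG
learned the DLR's networks through OSPF.

Added example, not part of the original post. The routing table below is a
constructed sample: the 192.168.10.0/24 transit link, the ESG internal
address 192.168.10.1 and the DLR forwarding address 192.168.10.2 come from
the posts; the 172.16.x.0/24 LIF networks and the 192.168.100.0/24 uplink
are assumed values.
"""
import re
from typing import List, NamedTuple, Set, Tuple


class Route(NamedTuple):
    code: str       # C connected, S static, O OSPF, B BGP, ...
    subtype: str    # E1/E2/IA/N1/N2 for OSPF, "" otherwise
    prefix: str     # destination in CIDR form
    admin_dist: int
    metric: int
    next_hop: str


# One table row, e.g. "O   E2  172.16.10.0/24  [110/1]  via 192.168.10.2".
# The legend lines ("C - connected, ...") never match because no CIDR follows.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?:(?P<subtype>[A-Z]\d|IA)\s+)?"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
)


def parse_show_ip_route(text: str) -> List[Route]:
    """Return the routes in the table, skipping legend and summary lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["code"], m["subtype"] or "", m["prefix"],
                                int(m["ad"]), int(m["metric"]), m["nh"]))
    return routes


def ospf_routes_via(routes: List[Route], peer_ip: str) -> List[Route]:
    """OSPF-derived routes whose next hop is the given peer address."""
    return [r for r in routes if r.code == "O" and r.next_hop == peer_ip]


def check_dlr_routes(text: str, dlr_forwarding_address: str,
                     expected_prefixes: Set[str]) -> Tuple[bool, List[str], List[str]]:
    """Verify that every expected DLR prefix was learned via OSPF and that no
    OSPF route arrived from another next hop. Routes learned from a DLR point
    at its forwarding address (the data path), not at its protocol address.
    Returns (ok, missing_prefixes, unexpected_next_hops)."""
    routes = parse_show_ip_route(text)
    learned = {r.prefix for r in ospf_routes_via(routes, dlr_forwarding_address)}
    missing = sorted(set(expected_prefixes) - learned)
    stray = sorted({r.next_hop for r in routes if r.code == "O"}
                   - {dlr_forwarding_address})
    return (not missing and not stray), missing, stray


# Constructed "show ip route" output from the ESG after the adjacency came up.
SAMPLE_SHOW_IP_ROUTE = """\
Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

Total number of routes: 5

S       0.0.0.0/0            [1/1]      via 192.168.100.1
C       192.168.10.0/24      [0/0]      via 192.168.10.1
C       192.168.100.0/24     [0/0]      via 192.168.100.2
O   E2  172.16.10.0/24       [110/1]    via 192.168.10.2
O   E2  172.16.20.0/24       [110/1]    via 192.168.10.2
"""

if __name__ == "__main__":
    ok, missing, stray = check_dlr_routes(
        SAMPLE_SHOW_IP_ROUTE, "192.168.10.2", {"172.16.10.0/24", "172.16.20.0/24"})
    print("OSPF routes from DLR OK" if ok else f"missing={missing} stray={stray}")
```

The "stray" check matters as much as the "missing" one: an OSPF route arriving from a next hop other than the DLR's forwarding address means an unexpected OSPF speaker is adjacent on the transit segment, which is exactly the kind of thing a routing audit should surface.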

That is it for now; thanks for reading. I hope it was worth your time, and do share on social media if you like the post.

VMware NSX Installation and Configuration Part 11 – Configuring OSPF on a Logical (Distributed) Router

Configuring OSPF on a logical router enables VM connectivity across logical routers and from logical routers to edge services gateways (ESGs). OSPF routing policies provide a dynamic process of traffic load balancing between routes of equal cost.

An OSPF network is divided into routing areas to optimize traffic flow and limit the size of routing tables.

An area is a logical collection of OSPF networks, routers, and links that have the same area identification. Areas are identified by an Area ID.

Double-click on the distributed logical router.

Click Routing and then click OSPF.

1 Enable OSPF.

a Click Edit at the top right corner of the window and click Enable OSPF.

b In Forwarding Address, type an IP address that is to be used by the router data path module in the hosts to forward data path packets.

c In Protocol Address, type a unique IP address within the same subnet as the Forwarding Address. The protocol address is used by the protocol to form adjacencies with the peers.

2 Configure the OSPF areas.

a Optionally, delete the not-so-stubby area (NSSA) 51 that is configured by default.

b In Area Definitions, click the Add icon.

Click on Edit:

Under Area Definitions, click the (+) sign:

Enter the area ID and click OK:

Under Area to Interface Mapping, click (+):

Under Route Redistribution, make sure that OSPF is enabled:

The NSX topology is now as follows:

In the following screen, the logical router’s default gateway is the ESG’s internal interface IP address (192.168.10.1).

The router ID is the logical router’s uplink interface—in other words, the IP address that faces the ESG (192.168.10.2).


The logical router configuration uses 192.168.10.2 as its forwarding address. The protocol address can be any IP address that is in the same subnet and is not used anywhere else. In this case, 192.168.10.3 is configured.


The area ID configured is 20, and the uplink interface (the interface facing the ESG) is mapped to the area.
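The forwarding-address/protocol-address rule, the shared area ID and the unique router IDs are the parameters that most often break a DLR-to-ESG adjacency, so they are worth checking before looking at the OSPF neighbour state. The script below is an added example (not code from the original post or from VMware) that models both sides of the transit link and reports mismatches; the DLR values (forwarding 192.168.10.2, protocol 192.168.10.3, area 20) and the ESG internal address 192.168.10.1 are the ones used in this post, while the ESG router ID 192.168.100.2 is an assumed uplink address.

```python
"""Pre-flight check of the OSPF parameters configured on the DLR (this post)
and the ESG (the next post) before expecting an adjacency to form over the
transit link.

Added example, not part of the original post. The DLR addresses
(forwarding 192.168.10.2, protocol 192.168.10.3, area 20) and the ESG
internal address 192.168.10.1 are the post's values; the ESG router ID
192.168.100.2 is an assumed uplink address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class DlrOspf:
    forwarding_address: str   # LIF address used by the kernel data path
    protocol_address: str     # address the control VM uses for the adjacency
    router_id: str
    area_id: int              # area mapped to the uplink (ESG-facing) interface
    uplink_network: str       # transit subnet, e.g. "192.168.10.0/24"


@dataclass
class EsgOspf:
    internal_address: str     # interface facing the DLR
    router_id: str
    area_id: int              # area mapped to the internal interface
    redistribute_connected: bool


def ospf_preflight(dlr: DlrOspf, esg: EsgOspf) -> List[str]:
    """Return a list of configuration problems (empty when the two sides agree)."""
    problems = []
    net = ipaddress.ip_network(dlr.uplink_network, strict=False)
    fwd = ipaddress.ip_address(dlr.forwarding_address)
    proto = ipaddress.ip_address(dlr.protocol_address)
    esg_int = ipaddress.ip_address(esg.internal_address)

    for label, addr in (("forwarding address", fwd), ("protocol address", proto),
                        ("ESG internal address", esg_int)):
        if addr not in net:
            problems.append(f"{label} {addr} is not in transit subnet {net}")
    # The protocol address must be unique: not the LIF itself and not the peer.
    if proto == fwd:
        problems.append("protocol address must differ from the forwarding address")
    if proto == esg_int or fwd == esg_int:
        problems.append("DLR and ESG addresses on the transit link collide")
    if dlr.area_id != esg.area_id:
        problems.append(f"area mismatch: DLR {dlr.area_id} vs ESG {esg.area_id}")
    if dlr.router_id == esg.router_id:
        problems.append("router IDs must be unique per OSPF speaker")
    if not esg.redistribute_connected:
        problems.append("ESG must redistribute connected routes so the DLR "
                        "learns the uplink network")
    return problems


# Values as configured in the posts (ESG router ID assumed).
GOOD_DLR = DlrOspf("192.168.10.2", "192.168.10.3", "192.168.10.2", 20, "192.168.10.0/24")
GOOD_ESG = EsgOspf("192.168.10.1", "192.168.100.2", 20, True)

# A common misconfiguration: protocol address outside the subnet and the
# default NSSA area 51 left on the DLR while the ESG uses area 20.
BAD_DLR = DlrOspf("192.168.10.2", "192.168.20.3", "192.168.10.2", 51, "192.168.10.0/24")

if __name__ == "__main__":
    for name, dlr in (("good", GOOD_DLR), ("bad", BAD_DLR)):
        print(name, ospf_preflight(dlr, GOOD_ESG) or "OK")
```

The checks are pure data validation, so they can be run against values read from the NSX Manager API or from a change ticket before anything is pushed to the edges.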


In the next blog post, I will cover the OSPF routing configuration on the ESG so that the DLR and ESG can share routes with each other.

VMware NSX Installation and Configuration Part 10 – Adding an Edge Services Gateway

You can install multiple NSX Edge services gateway virtual appliances in a data center. Each NSX Edge virtual appliance can have a total of ten uplink and internal network interfaces. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group.

The subnet assigned to the internal interface can be a publicly routed IP address space or a NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between interfaces. Uplink interfaces of an ESG connect to uplink port groups that have access to a shared corporate network or a service that provides access layer networking.

Procedure:

1 In vCenter, navigate to Home > Networking & Security > NSX Edges and click the Add (+) icon.

2 Select Edge Services Gateway and type a name for the device. This name appears in your vCenter inventory. The name should be unique across all ESGs within a single tenant. Optionally, you can also enter a hostname. This name appears in the CLI. If you do not specify the host name, the Edge ID, which gets created automatically, is displayed in the CLI. Optionally, you can enter a description and tenant and enable high availability.


3 Type and re-type a password for the ESG.

4 (Optional) Enable SSH, high availability, and automatic rule generation, and set the log level. If you do not enable automatic rule generation, you must manually add firewall, NAT, and routing configuration to allow control traffic for certain NSX Edge services, such as load balancing and VPN. Auto rule generation does not create rules for data-channel traffic. By default, SSH and high availability are disabled, and automatic rule generation is enabled. By default, the log level is emergency. By default, logging is enabled on all new NSX Edge appliances. The default logging level is NOTICE.

3.png

5 Select the size of the NSX Edge instance based on your system resources.


In the next blog post, I will cover the configuration of dynamic routing (OSPF) on the distributed logical router.


VMware NSX Installation and Configuration Part 9 – Adding a Distributed Logical Router

A distributed logical router (DLR) is a virtual appliance that contains the routing control plane, while distributing the data plane in kernel modules to each hypervisor host. The DLR control plane function relies on the NSX controller cluster to push routing updates to the kernel modules.

Procedure:

1 In the vSphere Web Client, navigate to Home > Networking & Security > NSX Edges.

2 Click the Add (+) icon.

3 Select Logical (Distributed) Router and type a name for the device. This name appears in your vCenter inventory. The name should be unique across all logical routers within a single tenant. Optionally, you can also enter a hostname. This name appears in the CLI. If you do not specify the host name, the Edge ID, which gets created automatically, is displayed in the CLI.


4 (Optional) Deploy an edge appliance. Deploy Edge Appliance is selected by default. An edge appliance (also called a logical router virtual appliance) is required for dynamic routing and the logical router appliance’s firewall, which applies to logical router pings, SSH access, and dynamic routing traffic. You can deselect the edge appliance option if you require only static routes, and do not want to deploy an Edge appliance. You cannot add an Edge appliance to the logical router after the logical router has been created.

5 (Optional) Enable High Availability. Enable High Availability is not selected by default. Select the Enable High Availability check box to enable and configure high availability. High availability is required if you are planning to do dynamic routing.

6 Type and re-type a password for the logical router.


7 Configure interfaces. On logical routers, only IPv4 addressing is supported. In the HA Interface Configuration, if you selected Deploy NSX Edge you must connect the interface to a distributed port group. It is recommended to use a VXLAN logical switch for the HA interface. An IP address for each of the two NSX Edge appliances is chosen from the link local address space, 169.250.0.0/16. No further configuration is necessary to configure the HA service.


In the next blog post, I will cover the installation of the ESG (Edge Services Gateway).

VMware NSX Installation and Configuration Part 8 – Creating a Logical Switch

An NSX logical switch reproduces switching functionality (unicast, multicast, broadcast) in a virtual environment completely decoupled from underlying hardware.

Logical switches are similar to VLANs, in that they provide network connections to which you can attach virtual machines. The VMs can then communicate with each other over VXLAN if the VMs are connected to the same logical switch. Each logical switch has a segment ID, like a VLAN ID. Unlike VLAN IDs, it’s possible to have up to 16 million segment IDs.


Procedure:

1 In the vSphere Web Client, navigate to Home > Networking & Security > Logical Switches.

2 Click the New Logical Switch (+) icon.


3 Type a name and optional description for the logical switch.

4 Select the transport zone in which you want to create the logical switch. By default, the logical switch inherits the control plane replication mode from the transport zone. You can change it to one of the other available modes. The available modes are unicast, hybrid, and multicast. The case in which you might want to override the inherited transport zone’s control plane replication mode for an individual logical switch is when the logical switch you are creating has significantly different characteristics in terms of the amount of BUM traffic it will carry. In this case, you might create a transport zone that uses unicast mode, and use hybrid or multicast mode for the individual logical switch.

5 (Optional) Click Enable IP Discovery to enable ARP suppression. This setting minimizes ARP traffic flooding within individual VXLAN segments—in other words, between VMs connected to the same logical switch. IP discovery is enabled by default.

6 (Optional) Click Enable MAC learning if your VMs have multiple MAC addresses or are using virtual NICs that are trunking VLANs.


7 Attach a VM to the logical switch by selecting the switch and clicking the Add Virtual Machine (+) icon.


8 Select the VM and click the right-arrow button.


9 Select a vNIC.


Each logical switch that you create receives an ID from the segment ID pool, and a virtual wire is created. A virtual wire is a dvPortgroup that is created on each vSphere distributed switch.

The virtual wire descriptor contains the name of the logical switch and the logical switch’s segment ID. Assigned segment IDs appear in multiple places, as shown in the following examples. In Home > Networking & Security > Logical Switches:


In Home > Networking:


In Home > Hosts and Clusters > VM > Summary:


On the hosts that are running the VMs that are attached to the logical switch, log in and execute the following commands to view local VXLAN configuration and state information. The output displays host-specific VXLAN details.


VDS Name displays the vSphere distributed switch to which the host is attached. The Segment ID is the IP network used by VXLAN. The Gateway IP is the gateway IP address used by VXLAN.

The Network Count remains 0 unless a DLR is attached to the logical switch. The Vmknic count should match the number of VMs attached to the logical switch.

Test IP VTEP interface connectivity, and verify the MTU has been increased to support VXLAN encapsulation. Ping the vmknic interface IP address, which can be found on the host’s Manage > Networking > Virtual switches page in the vCenter Web Client.


The -d flag sets the don’t-fragment (DF) bit on IPv4 packets. The -s flag sets the packet size.


This is it regarding the creation of a logical switch; in the next blog post I will cover the configuration of the distributed logical router.

VMware NSX Installation and Configuration Part 6 – Prepare Host Clusters for NSX

Host preparation is the process in which the NSX Manager:

1) installs NSX kernel modules on ESXi hosts that are members of vCenter clusters, and

2) builds the NSX control-plane and management-plane fabric.

NSX kernel modules packaged in VIB files run within the hypervisor kernel and provide services such as distributed routing, distributed firewall, and VXLAN bridging capabilities.

To prepare your environment for network virtualization, you must install network infrastructure components on a per-cluster level for each vCenter server where needed. This deploys the required software on all hosts in the cluster. When a new host is added to this cluster, the required software is automatically installed on the newly added host.


Procedure

1 In vCenter, navigate to Home > Networking & Security > Installation and select the Host Preparation tab.

2 For all clusters that will require NSX logical switching, routing, and firewalls, click the gear icon and click Install.


When the installation is complete, the Installation Status column displays 6.2 Uninstall and the Firewall column displays Enabled. Both columns have a green check mark. If you see Resolve in the Installation Status column, click Resolve and then refresh your browser window.

The following VIBs are installed and registered with all hosts within the prepared cluster:

– esx-vsip

– esx-vxlan

To verify, SSH to each host and run the esxcli software vib list | grep esx command. In addition to displaying the VIBs, this command shows the version of the VIBs installed.
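Checking one host by hand is fine, but a cluster with a host that silently failed preparation (a missing VIB, or a VIB at an older version after a partial upgrade) is the failure mode that matters, and the same esxcli table layout comes back from the VXLAN check in the logical switch post. The script below is an added example (not code from the original posts or from VMware) that parses esxcli's column-aligned tables using the dashed separator line, then runs both checks: every host has esx-vsip and esx-vxlan at one common version, and every VTEP's MTU covers VXLAN encapsulation. The esxcli outputs embedded in it are constructed samples in esxcli's layout; the VIB version strings, VDS IDs and VTEP addresses are invented, and the vxlan list command is `esxcli network vswitch dvs vmware vxlan list`, which the blog post's screenshot shows but its text does not name.

```python
"""Parse esxcli's column-aligned tables and run the two host checks from the
posts: NSX VIBs present on every host at one version (host preparation), and
VTEP MTU large enough for VXLAN encapsulation (logical switch verification).

Added example, not from the original posts. The esxcli outputs below are
constructed samples in esxcli's layout (header, dashed separator, rows); the
VIB versions, VDS IDs and VTEP addresses are invented.
"""
import re
from typing import Dict, List

VXLAN_OVERHEAD = 50    # outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8 bytes
MIN_VTEP_MTU = 1600    # VMware's documented minimum MTU for NSX VXLAN transport
NSX_VIBS = ("esx-vsip", "esx-vxlan")


def parse_esxcli_table(text: str) -> List[Dict[str, str]]:
    """Slice rows at the column starts given by the dashed separator, so a
    value containing single spaces (such as a VDS ID) stays in one cell."""
    lines = [ln.rstrip() for ln in text.strip("\n").splitlines()]
    header, sep, rows = lines[0], lines[1], lines[2:]
    starts = [i for i, ch in enumerate(sep)
              if ch == "-" and (i == 0 or sep[i - 1] != "-")]
    names = re.split(r"\s{2,}", header.strip())
    if len(names) != len(starts):
        raise ValueError("header and separator disagree on column count")
    bounds = list(zip(starts, starts[1:] + [None]))
    return [{n: row[s:e].strip() for n, (s, e) in zip(names, bounds)}
            for row in rows if row.strip()]


def check_nsx_vibs(per_host: Dict[str, str]) -> List[str]:
    """per_host maps a hostname to its 'esxcli software vib list' output.
    Flags hosts missing an NSX VIB and VIBs at mixed versions across hosts."""
    problems, versions = [], {}
    for host, text in per_host.items():
        rows = {r["Name"]: r for r in parse_esxcli_table(text)}
        for vib in NSX_VIBS:
            if vib not in rows:
                problems.append(f"{host}: {vib} not installed")
            else:
                versions.setdefault(vib, set()).add(rows[vib]["Version"])
    for vib, vers in versions.items():
        if len(vers) > 1:
            problems.append(f"{vib}: mixed versions across cluster {sorted(vers)}")
    return problems


def check_vtep_mtu(vxlan_list: str, vm_mtu: int = 1500) -> List[str]:
    """vxlan_list is the output of 'esxcli network vswitch dvs vmware vxlan list'.
    The VTEP MTU must carry the guest MTU plus VXLAN overhead and meet the minimum."""
    need = max(vm_mtu + VXLAN_OVERHEAD, MIN_VTEP_MTU)
    return [f"{r['VDS Name']}: MTU {r['MTU']} < required {need}"
            for r in parse_esxcli_table(vxlan_list) if int(r["MTU"]) < need]


def df_ping_payload(mtu: int) -> int:
    """ICMP payload for a don't-fragment ping (-d -s) that fills a frame of the
    given MTU: subtract the 20-byte IPv4 and 8-byte ICMP headers."""
    return mtu - 28


# Constructed samples. Host A and B are healthy; host C lacks esx-vxlan and
# carries a different esx-vsip build.
VIB_LIST_HOST_A = """\
Name           Version                 Vendor  Acceptance Level  Install Date
-------------  ----------------------  ------  ----------------  ------------
esx-vsip       6.2.2-0.0.0000001       VMware  VMwareCertified   2016-09-05
esx-vxlan      6.2.2-0.0.0000001       VMware  VMwareCertified   2016-09-05
tools-light    6.0.0-0.0.0000001       VMware  VMwareCertified   2016-08-20
"""
VIB_LIST_HOST_B = VIB_LIST_HOST_A.replace("2016-09-05", "2016-09-06")
VIB_LIST_HOST_C = """\
Name           Version                 Vendor  Acceptance Level  Install Date
-------------  ----------------------  ------  ----------------  ------------
esx-vsip       6.2.2-0.0.0000002       VMware  VMwareCertified   2016-09-07
"""
VXLAN_LIST = """\
VDS ID                   VDS Name   MTU   Segment ID      Gateway IP      Gateway MAC        Network Count  Vmknic Count
-----------------------  ---------  ----  --------------  --------------  -----------------  -------------  ------------
50 0d 00 00 aa bb cc dd  DSwitch-1  1600  192.168.250.0   192.168.250.1   00:00:00:00:00:01  0              2
50 0d 00 00 aa bb cc ee  DSwitch-2  1500  192.168.251.0   192.168.251.1   00:00:00:00:00:02  0              1
"""

if __name__ == "__main__":
    print(check_nsx_vibs({"esx-a": VIB_LIST_HOST_A, "esx-c": VIB_LIST_HOST_C}))
    print(check_vtep_mtu(VXLAN_LIST), df_ping_payload(MIN_VTEP_MTU))
```

To use it for real, collect each host's esxcli output over SSH and pass the strings in; `df_ping_payload(1600)` gives the size to use with the don't-fragment ping mentioned in the logical switch post, so a ping that fails at that size while succeeding at a smaller one points straight at an underlay MTU problem.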


In the next post, we will look into the VXLAN configuration parameters.


VMware NSX Installation and Configuration Part 5 – Exclude Virtual Machines from NSX Firewall Protection

You can exclude a set of virtual machines from NSX distributed firewall protection.

NSX Manager, NSX Controllers, and NSX Edge virtual machines are automatically excluded from NSX distributed firewall protection. In addition, VMware recommends that you place the following service virtual machines in the Exclusion List to allow traffic to flow freely.

– vCenter Server. It can be moved into a cluster that is protected by the firewall, but it must already exist in the exclusion list to avoid connectivity issues.

– Partner service virtual machines.

– Virtual machines that require promiscuous mode. If these virtual machines are protected by NSX distributed firewall, their performance may be adversely affected.

– The SQL server that your Windows-based vCenter uses.

– vCenter Web server, if you are running it separately.

Procedure

1 In the vSphere Web Client, click Networking & Security.

2 In Networking & Security Inventory, click NSX Managers.

3 In the Name column, click an NSX Manager.

4 Click the Manage tab and then click the Exclusion List tab.

5 Click the Add (+) icon.

6 Type the name of the virtual machine that you want to exclude and click Add.


In the next post, I will cover how to prepare a vSphere host cluster for NSX.

VMware NSX Installation and Configuration Part 3 – NSX Manager vCenter Integration, SSO, Syslog & License Configuration

1 In a Web browser, navigate to the NSX Manager appliance GUI at https://<IP or FQDN> and log in as admin with the password that you configured during NSX Manager installation.

2 Under Appliance Management, click Manage vCenter Registration.


3 Edit the vCenter Server element to point to the vCenter Server’s IP address or hostname, and enter the vCenter Server user name and password. For the user name, the best practice is to enter administrator@vsphere.local or an alternative account that you have created. Do not use the root account.

4 Check that the certificate thumbprint matches the certificate of the vCenter Server. If you installed a CA-signed certificate on the CA server, you are presented with the thumbprint of the CA-signed certificate. Otherwise, you are presented with a self-signed certificate.

5 Do not tick Modify plugin script download location, unless the NSX Manager is behind a firewall type of masking device. This option allows you to enter an alternate IP address for NSX Manager. Note that putting NSX Manager behind a firewall of this type is not recommended.

6 Confirm that the vCenter Server status is Connected.


7 If the vCenter Web Client is already open, log out of vCenter and log back in with the same Administrator role used to register NSX Manager with vCenter. If you do not do this, the vCenter Web Client will not display the Networking & Security icon on the Home tab. Click the Networking & Security icon and confirm that you can see the newly deployed NSX Manager.


Configure Single Sign On:

SSO makes vSphere and NSX more secure by allowing the various components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately.

You can configure lookup service on the NSX Manager and provide the SSO administrator credentials to register NSX Management Service as an SSO user. Integrating the single sign on (SSO) service with NSX improves the security of user authentication for vCenter users and enables NSX to authenticate users from other identity services such as AD, NIS, and LDAP.

With SSO, NSX supports authentication using authenticated Security Assertion Markup Language (SAML) tokens from a trusted source via REST API calls. NSX Manager can also acquire authentication SAML tokens for use with other VMware solutions. NSX caches group information for SSO users. Changes to group memberships will take up to 60 minutes to propagate from the identity provider (for example, Active Directory) to NSX.

Procedure:

1 Log in to the NSX Manager virtual appliance. In a Web browser, navigate to the NSX Manager appliance GUI at https://<IP or FQDN>, and log in as admin with the password that you configured during NSX Manager installation.

2 Click the Manage tab, then click NSX Management Service.

3 Type the name or IP address of the host that has the lookup service. If you are using vCenter to perform the lookup service, enter the vCenter Server’s IP address or hostname, and enter the vCenter Server user name and password.

4 Type the port number. Enter port 443 if you are using vSphere 6.0. For vSphere 5.5, use port number 7444. The Lookup Service URL is displayed based on the specified host and port.


Specify a Syslog Server:

If you specify a syslog server, NSX Manager sends all audit logs and system events to the syslog server. Syslog data is useful for troubleshooting and reviewing data logged during installation and configuration. NSX Edge supports two syslog servers. NSX Manager and NSX Controllers support one syslog server.

Procedure

1 In a Web browser, navigate to the NSX Manager appliance GUI at https://<IP or FQDN>.

2 Log in as admin with the password that you configured during NSX Manager installation.

3 Click Manage Appliance Settings.


4 From the Settings panel, click General.

5 Click Edit next to Syslog Server.

6 Type the IP address or hostname, port, and protocol of the syslog server. If you do not specify a port, the default UDP port for the IP address/host name of the syslog server is used.


Install and Assign NSX for vSphere License:

In vSphere 6.0, complete the following steps to add a license for NSX.

a Log in to the vSphere Web Client.

b Click Administration and then click Licenses.

c Click the Assets tab, then the Solutions tab.

d Select NSX for vSphere in the Solutions list. From the All Actions drop-down menu, select Assign license….

e Click the Add (+) icon. Enter a license key and click Next. Add a name for the license, and click Next. Click Finish to add the license.

f Select the new license.

g (Optional) Click the View Features icon to view what features are enabled with this license. View the Capacity column to view the capacity of the license.

h Click OK to assign the new license to NSX.


In the next blog post, I will talk about the NSX Controller cluster deployment and configuration.

VMware NSX Installation and Configuration Part 1 – Prerequisites for Deploying NSX in vSphere Environment:

This is a long-pending series of blog posts on VMware NSX (6.2.2) installation and configuration that I wanted to share. Last month I installed NSX 6.2.2 in my lab; the first and most important thing before installation is to make sure all the prerequisites are in place for a smooth NSX installation.

Software Prerequisites for NSX 6.2.2:

– VMware vCenter Server 5.5U3 with ESXi 5.5

– VMware vCenter Server 6.0U2 with ESXi 6.0

– At least three ESXi 5.5/6.0 hosts

For the latest interoperability information, you can refer to Product Interoperability Matrixes at

http://partnerweb.vmware.com/comp_guide2/sim/interop_matrix.php

Hardware Prerequisites for NSX 6.2.2:

Client and User Access Prerequisites:

  • If you added ESXi hosts by name to the vSphere inventory, ensure that forward and reverse name resolution is working. Otherwise, NSX Manager cannot resolve the IP addresses.
  • Permissions to add and power on virtual machines
  • Access to the datastore where you store virtual machine files and the account permissions to copy file to that datastore
  • Cookies enabled on your Web browser, to access the NSX Manager user interface
  • From NSX Manager, ensure port 443 is accessible from the ESXi host, the vCenter Server, and the NSX appliances to be deployed. This port is required to download the OVF file on the ESXi host for deployment.
  • A Web browser that is supported for the version of vSphere Web Client you are using

Ports and Protocols Required by NSX:

The following ports must be open for NSX to operate properly:

vSphere Distributed Switch:

VXLAN-based logical switching requires a vSphere distributed switch; a vSphere standard switch is not a supported configuration with NSX.

NSX vSwitch is based on vSphere distributed switches (VDSs), which provide uplinks for host connectivity to the top-of-rack (ToR) physical switches. As a best practice, VMware recommends that you plan and prepare your vSphere distributed switches before installing NSX for vSphere. A single host can be attached to multiple VDSs. A single VDS can span multiple hosts across multiple clusters. For each host cluster that will participate in NSX, all hosts within the cluster must be attached to a common VDS.

NSX Installation workflow:

Installation involves deployment of multiple virtual appliances, ESXi host preparations and configuration across physical and virtual components.


I will be covering the installation of each component in separate blog posts, starting with the installation and configuration of NSX Manager. Thanks for reading; if you find the information useful, share it on social media.