Table of Contents
Lab Overview - HOL-SDC-1603 - VMware NSX Introduction, p. 2
  Lab Guidance, p. 3
Module 1 - Logical Switching (30 min), p. 8
  Controller Based VXLAN, p. 9
Module 2 - Logical Routing (60 min), p. 45
  Routing Overview, p. 46
  Dynamic and Distributed Routing, p. 48
  Centralized Routing, p. 79
  ECMP and High Availability, p. 99
  Prior to Moving to Module 3 - Please Complete the Following Cleanup Steps, p. 148
Module 3 - Distributed Firewall (60 min), p. 153
  Distributed Firewall East-West Protection - Micro Segmentation, p. 154
  Identity Based Firewalling, p. 184
  Improved IP Discovery Mechanism for Virtual Machines and SpoofGuard, p. 203
Module 4 - Edge Services Gateway (30 min), p. 221
  DHCP Relay, p. 222
  NSX Edge Services Gateway - Logical Load Balancing, p. 255
  NSX Edge Services Gateway - SSL Offload on Logical Load Balancer, p. 300
Module 5 - Service Insertion and Security Policies (30 min), p. 316
  Service Composer, p. 317
  Service Insertion, p. 359
  Data Security, p. 367
Module 6 - Monitoring and Visibility (45 min), p. 382
  Traceflow, p. 383
  Flow Monitoring, p. 401
  Activity Monitoring, p. 418
HOL-SDC-1603
Page 1
Lab Guidance
The following module is informational in nature. If you would like to jump
directly to the lab work, please advance to step 8.
The Table of Contents can be accessed in the upper right-hand corner.
Note: It will take more than 90 minutes to complete this lab. You should
expect to only finish 2-3 of the modules during your time. The modules are
independent of each other so you can start at the beginning of any module
and proceed from there.
Server virtualization brings efficiency, flexibility and speed to how compute and memory
resources are consumed and managed in a datacenter. This is possible because of the
decoupling of compute and memory resources from the physical hardware.
However, if you look at the state of the network and network services, such as Firewall
and Load Balancer within a data center, they are tied to physical hardware. For
example, if a server administrator wants to provision a three-tier application, they have
to first ask the Network/Security administrator for a set of isolated networks along with
Routing, Firewall, and Load Balancer services. It takes days to configure physical devices
and enable these networks and services. So, even if provisioning a virtual machine takes
a few clicks, server administrators have to wait days or weeks to roll out an application.
This problem of lack of speed and flexibility in provisioning network and network
services is addressed through Network virtualization. Network virtualization achieves
this by first decoupling the network and network services from the physical hardware
and then allowing you to reproduce similar physical network topologies in logical space.
As part of the lab modules, we will demonstrate how NSX platform helps speed up
provisioning of the required network and network services for the three-tier application.
A brief description of each module follows:
Lab Module List:
Module 1 - Logical Switching (30 Minutes). This module walks you through the
different components in the NSX platform in greater detail and also shows how to
create a logical switch/network and connect virtual machines to that logical
switch. As part of this module we will show how the logical switch (VXLAN)
domain can be extended to the physical network (VLAN) using the VXLAN-VLAN
Bridging feature. This feature is useful in scenarios where you want to provide
layer 2 communication between the logical and physical world.
Module 2 - Logical Routing (60 Minutes). In this module you will enable the
distributed routing capability and benefit of performing routing at the hypervisor
layer. Also, Dynamic routing protocol OSPF configuration will allow you to
exchange routing table entries across the physical and virtual routers. Lastly, you
will configure ECMP (Equal Cost Multipath Routing) to show scaling and high
availability of the edge gateways.
Module 3 - Distributed Firewall (60 Minutes). You will enable a Distributed
Firewall to protect a 3-tier application using Micro-Segmentation. This will allow
you to protect VM to VM (east-west traffic). You will explore the Distributed
Firewall interface.
Module 4 - Edge Services Gateway (30 Minutes). In this module you will
explore advanced features of the Edge Services Gateway. While these include
such things as DHCP Relay, load balancing and high availability (HA), you will
be focusing on DHCP Relay and Load Balancing for this module.
Module 5 - Service Insertion and Security Policies (30 Minutes). Service
Composer will be the feature you will use to create Security Groups and Security
Policies. In addition you will install NSX Data Security to monitor a VM for the
presence of credit card numbers and take actions.
Module 6 - Monitoring and Visibility (45 Minutes). NSX provides visibility
into the traffic in the virtual network. You can view protocol traffic using Flow
Monitor. You can also trace traffic between source and destination for
troubleshooting purposes. And you can track users and what applications they
are using in the virtual network.
Lab Captains:
Module 1 - Melanie Spencer
Module 2 - Joe Silvagi
Module 3 - Sachin Thatte
Module 4 - Joe Silvagi & Sachin Thatte
Module 5 - Devender Sharma
Module 6 - Melanie Spencer
Without full access to the Internet, this automated process fails and you see this
watermark.
This cosmetic issue has no effect on your lab.
VMware NSX
VMware NSX is the leading network virtualization platform that delivers the operational
model of a virtual machine for the network. Just as server virtualization provides flexible
control of virtual machines running on a pool of server hardware, network virtualization
with NSX provides a centralized API to provision and configure many isolated logical
networks that run on a single physical network.
Logical networks decouple virtual machine connectivity and network services from the
physical network, giving cloud providers and enterprises the flexibility to place or
migrate virtual machines anywhere in the data center while still supporting layer-2 /
layer-3 connectivity and layer 4-7 network services.
Disclaimer
This session may contain product features that are currently under
development.
This session/overview of the new technology represents no commitment from
VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts,
purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new technologies or features discussed or
presented have not been determined.
These features are representative of feature areas under development. Feature
commitments are subject to change, and must not be included in contracts,
purchase orders, or sales agreements of any kind. Technical feasibility and market
demand will affect final delivery.
Module 1 - Logical Switching (30 min)
Component Overview
Open a browser by double clicking on the Google Chrome icon on the desktop.
2. Click Host Preparation. You will see that the data plane components, also
called network virtualization components, are installed on the hosts in our
clusters. These components include hypervisor-level kernel modules for Port
Security, VXLAN, Distributed Firewall and Distributed Routing.
Firewall and VXLAN functions are configured and enabled on each cluster after the
installation of the network virtualization components. The Port Security module assists
the VXLAN function, while the Distributed Routing module is enabled once the NSX Edge
logical router control VM is configured.
As shown in the diagram, the hosts in the compute clusters are configured with VTEP IP
addresses in a different subnet from the management cluster. (You may need to unpin the
left-hand pane or scroll to the right to view the IP Pool info on the right of the screen.)
Compute Cluster A is in the 192.168.130.0/24 subnet
Compute Cluster B is in the 192.168.130.0/24 subnet
Management Edge Cluster is in the 192.168.230.0/24 subnet
Click on the Manage tab to show the clusters that are part of this Transport
Zone.
Open Putty
1. Click Start
2. Click the Putty Application icon from the Start Menu
You are connecting from the control center which is in 192.168.110.0/24 subnet. The
traffic will go through the NSX Edge and then to the Web Interface.
web-04a
***Note you might see DUP! packets. This is due to the nature of VMware's nested lab
environment. This will not happen in a production environment.
****Do not close your Putty Session. Minimize the window for later use.
Next you are going to look at another capability of NSX Edge that allows you to extend
your logical switch network to a physical VLAN. Instead of routing the traffic to the
external world from the logical switch, you can bridge the logical and physical
environments together. The following common use cases are addressed by this feature:
Physical to Virtual (P-V) communication. For example, you have physical database
servers and you want them to talk to the other tiers of the application that are
virtualized
You want to migrate workloads running on physical to a virtual environment
Click Cancel here as the configuration is not supported in this lab environment.
The configuration is straightforward: you only have to select the logical switch and
a VLAN.
The current best practice (and the only supported configuration) is for the cluster to
have three nodes in active-active-active load sharing and redundancy.
In order to increase the scalability characteristics of the NSX architecture, a slicing
mechanism is utilized to ensure that all the controller nodes can be active at any given
time.
Should one or more controllers fail, data plane (VM) traffic will not be affected. Traffic will
continue. This is because the logical network information has already been pushed down to the
logical switches (the data plane). What you cannot do is make adds/moves/changes
without the control plane (controller cluster) intact.
1. Hover over the Home Icon
2. Click on Networking & Security
Module 1 Conclusion
In this module we demonstrated the following key benefits of the NSX platform
The speed at which you can provision logical switches and interface them with virtual
machines and external networks
Platform scalability is demonstrated by the ability to scale the transport zones as well as
the controller nodes.
Module 2 - Logical Routing (60 min)
Routing Overview
Lab overview
In the previous module you saw that users can create isolated logical switches/networks
with a few clicks. To provide communication across these isolated logical layer 2 networks,
routing support is essential. In the NSX platform the distributed logical router allows you
to route traffic between logical switches. One of the key differentiating features of this
logical router is that the routing capability is distributed in the hypervisor. By
incorporating this logical routing component users can reproduce complex routing
topologies in the logical space. For example, in a three tier application connected to
three logical switches, the routing between the tiers is handled by this distributed
logical router.
In this module you will demonstrate the following:
1) How traffic flows when the routing is handled by an external physical router or NSX
edge services gateway.
2) Then we will go through the configuration of the Logical Interfaces (LIFs) on the
Logical router and enable routing between the App and DB tiers of the Application
3) Later we will configure dynamic routing protocols across the distributed logical router
and the NSX Edge services gateway. We will show how internal route advertisements to
the external router are controlled.
4) Finally you will see how various routing protocols, such as ECMP, can be used to scale
and protect the Edge service gateway.
This module will help you understand some of the routing capabilities supported in NSX
platform and also how to utilize these capabilities while deploying a three tier
application.
Second, a text file (README.txt) has been placed on the desktop of the
environment allowing you to easily copy and paste complex commands or
passwords in the associated utilities (CMD, Putty, console, etc). Certain
characters are often not present on keyboards throughout the world. This
text file is also included for keyboard layouts which do not provide those
characters.
The text file is README.txt and is found on the desktop.
Click Advanced
Click on Advanced
Add Subnets
Publish Changes
Click the "Publish Changes" button in the dialog box again to push the updated
configuration to the distributed-edge device.
Enable OSPF
NOTE: For the Distributed Router the "Protocol Address" field is required to send the
control traffic to the Distributed Router Control Virtual Machine. The Forwarding Address is
where all the normal data path traffic will be sent. The screen will return to the main
"OSPF" configuration window. The green "Publish Changes" dialog box will be displayed.
NOTE: The separation of control plane and data plane traffic in NSX creates the
possibility of maintaining the routing instance's data forwarding capability while the
control function is restarted or reloaded. This function is referred to as "Graceful
Restart" or "Non-stop Forwarding".
DO NOT PUBLISH CHANGES YET! Rather than publishing changes at every step, we'll
continue through the configuration changes and publish them all at once.
Note: The Area ID for OSPF is very important. There are several types of
OSPF areas. Be sure to check the correct area the edge devices should be in
to work properly with the rest of the OSPF configuration within the network.
Publish Changes
Click the "Publish Changes" button in the dialog box again to push the updated
configuration to the distributed-edge device.
Publish Changes
Click the "Publish Changes" button in the dialog box again to push the updated
configuration to the distributed-edge device.
Centralized Routing
In this section, we will look at various elements to see how the routing is done
northbound from the edge. This includes how OSPF dynamic routing is controlled,
updated, and propagated throughout the system. We will verify the routing on the
perimeter edge appliance through the virtual routing appliance that runs and routes the
entire lab.
Special Note: On the desktop you will find a file named README.txt. It
contains the CLI commands needed in the lab exercises. If you can't type
them you can copy and paste them into the Putty sessions. If you see a
number in curly brackets, such as {1}, this tells you to look for that CLI
command for this module in the text file.
Navigate to Perimeter-Gateway VM
1. Select VMs and Templates
2. Select Perimeter-Gateway
3. Select Summary Tab
4. Click Launch Remote Console
Confirm Delete
Click Yes
Publish Change
Click Publish Changes to push the configuration change.
You will now see that the only neighbor is the Distributed Router (192.168.5.2) and
that the vPod Router (192.168.250.1) has dropped from the list.
Show Routes
1. Type "show ip route" and Press Enter
show ip route
Now you can see that the only routes being learned via OSPF are from the Distributed
Router (192.168.5.2).
Since no routes exist between your control center and the virtual networking
environment, the web app should fail.
1. Click on the HOL - Multi-Tier App Tab
2. Click Refresh.
The application may take a few moments to actually time out, you may need to select
the red "x" to stop the browser. If you do see customer data, it may be cached from
before and you may need to close and re-open the browser to correct it.
Publish Change
Click Publish Changes to push the configuration change.
You will now see that both the Distributed Router (192.168.5.2) and the vPod
Router (192.168.250.1) are shown as neighbors.
Show Routes
All routes from the vPod Router (192.168.100.1) are now back in the list.
Set Password
NOTE - All passwords for NSX Edges are 12 character complex passwords.
Continue Deployment
Click Next
5. Enter 29 under Subnet Prefix Length - NOTE - This is 29, not 24! Please
make sure to enter the right number or the lab will not function.
6. Click OK
Continue Deployment
IMPORTANT! Before continuing, review the information and confirm that the IP
Addresses and Subnet Prefix numbers are correct.
Click Next
2. Click Next
Finalize Deployment
Click Finish to start deployment
Edge Deploying
It will take a couple of minutes for the Edge to deploy.
1. You will notice under status for Edge-5 that it says Busy, also it shows 1 item
installing. This means the deployment is in process.
2. You can click the refresh icon on the web client to speed up the auto refresh on
this screen.
Once the status says Deployed you can move on to the next step.
Publish Changes
Click the "Publish Changes" button in the dialog box again to push the updated
configuration to the distributed-edge device.
Enable OSPF
NOTE - DO NOT check the Ignore Interface MTU, that is on the uplink only!
Publish Changes
Click the "Publish Changes" button in the dialog box again to push the updated
configuration to the distributed-edge device.
Publish Changes
Click the "Publish Changes" button in the dialog box again to push the updated
configuration to the distributed-edge device.
Enable ECMP
We are now going to enable ECMP on both the Distributed Router and the Perimeter
Gateways
Click Home Icon, then Networking and Security
1. Click Manage tab
2. Click Routing tab
3. Click Global Configuration in left pane
4. Click ENABLE button next to ECMP
5. Click OK
Publish Change
Click Publish Changes to push the configuration change.
1. Click Manage tab
2. Click Routing tab
3. Click Global Configuration in left pane
4. Click ENABLE button next to ECMP
5. Click OK
Publish Change
Click Publish Changes to push the configuration change.
1. Click Manage tab
2. Click Routing tab
3. Click Global Configuration in left pane
4. Click ENABLE button next to ECMP
5. Click OK
Publish Change
Click Publish Changes to push the configuration change.
Topology Overview
At this stage, this is the topology of the lab. This includes the new Perimeter Gateway
that has been added, routing configured, and ECMP turned on.
Where the Distributed Router previously had only a single peer, it now has two:
Perimeter-Gateway-1 (192.168.100.3) and Perimeter-Gateway-2 (192.168.100.5).
2. Click Load
3. Click Open
Show Routes
1. Enter show ip ospf route and press Enter
show ip ospf route
2. In this section you will notice that 172.16.10.0/24 has only one router listed. This is
because that network is directly connected to Perimeter-Gateway-1 (192.168.100.3)
and is not routable by Perimeter-Gateway-2.
3. In this section you will notice that 172.16.20.0/24 and 172.16.30.0/24 have two routers
listed, both Perimeter-Gateway-1 (192.168.100.3) and Perimeter-Gateway-2
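To check the same thing without reading the console by eye, here is an added Python example (not part of the lab guide or of the vPod router) that parses a route listing and reports which prefixes have two equal-cost next hops, and which would become unreachable if one gateway went down. The sample output and its line format are constructed to match what the steps above expect; the real "show ip ospf route" output may differ and the regular expression would then need adjusting.

```python
"""Check which OSPF-learned prefixes have equal-cost (ECMP) next hops.

Added example, not part of the HOL-SDC-1603 lab guide. SAMPLE_OUTPUT is a
constructed route listing in a simplified "prefix [cost] via next-hop" form;
the vPod router's real output format is an assumption here.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: 172.16.10.0/24 is directly connected to Perimeter-Gateway-1,
# so it has one next hop; the App and DB prefixes are reachable via both gateways.
SAMPLE_OUTPUT = """\
N  172.16.10.0/24  [10]  via 192.168.100.3
N  172.16.20.0/24  [20]  via 192.168.100.3
N  172.16.20.0/24  [20]  via 192.168.100.5
N  172.16.30.0/24  [20]  via 192.168.100.3
N  172.16.30.0/24  [20]  via 192.168.100.5
"""

# Next-hop addresses from the lab topology, mapped to friendly names.
GATEWAYS = {
    "192.168.100.3": "Perimeter-Gateway-1",
    "192.168.100.5": "Perimeter-Gateway-2",
}

ROUTE_RE = re.compile(
    r"^\S+\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\[(?P<cost>\d+)\]\s+via\s+"
    r"(?P<nh>\d+\.\d+\.\d+\.\d+)"
)


def parse_routes(text):
    """Return {prefix: {next_hop: cost}} from the route listing."""
    routes = defaultdict(dict)
    for line in text.splitlines():
        match = ROUTE_RE.match(line.strip())
        if not match:
            continue  # headers or lines in an unexpected format are skipped
        routes[match["prefix"]][match["nh"]] = int(match["cost"])
    return dict(routes)


def ecmp_status(routes, watch_net="172.16.0.0/16"):
    """Classify each prefix inside watch_net as 'ecmp' or 'single'.

    A prefix only counts as ECMP when it has more than one next hop and all of
    them carry the same cost; a cheaper backup path is not load-shared.
    """
    net = ipaddress.ip_network(watch_net)
    status = {}
    for prefix, hops in routes.items():
        if not ipaddress.ip_network(prefix).subnet_of(net):
            continue
        equal_cost = len(set(hops.values())) == 1
        status[prefix] = "ecmp" if len(hops) > 1 and equal_cost else "single"
    return status


def unreachable_if_down(routes, failed_next_hop):
    """Prefixes whose only next hop is failed_next_hop (a single point of failure)."""
    return sorted(p for p, hops in routes.items() if set(hops) == {failed_next_hop})


def report(text):
    """One human-readable line per watched prefix, sorted by prefix."""
    routes = parse_routes(text)
    status = ecmp_status(routes)
    lines = []
    for prefix in sorted(status):
        names = ", ".join(GATEWAYS.get(nh, nh) for nh in sorted(routes[prefix]))
        lines.append(f"{prefix}: {status[prefix]} via {names}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
    # Mirror the lab's gateway shutdown test: what is lost if each gateway is off?
    for nh, name in GATEWAYS.items():
        lost = unreachable_if_down(parse_routes(SAMPLE_OUTPUT), nh)
        print(f"if {name} is down, unreachable: {lost or 'nothing'}")
```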
You will see pings from the control center to the database server (db-01a) start.
Leave this window open and running as you go to the next step.
Confirm Shutdown
Click Yes
You will note that all routes to the 172.16.x.x networks are now only through Perimeter-Gateway-1 (192.168.100.3).
Leave this window open for the following steps.
Show Routes
Let's check the status of the routes on the vPod router since we powered the Gateway
back up.
1. Enter show ip ospf route and press Enter
show ip ospf route
In section 2, you will see the routes have returned to dual connectivity.
With that complete, the web app would function no matter if gateway 1 or 2 were
offline.
NOTE - Doing the above will break other modules in this lab! This is the
reason it is not done as part of the manual. If you do not plan to work on the
other modules, you can attempt to do the above.
Delete Edge-5
We need to delete the Edge we just created
1. Select NSX Edges
2. Select Edge-5
3. Click Red X to Delete
Confirm Delete
Click Yes to confirm deletion
1. Click Manage tab
2. Click Routing tab
3. Click Global Configuration in left pane
4. Click DISABLE button next to ECMP
Publish Change
Click Publish Changes to push the configuration change.
Publish Change
Click Publish Changes to push the configuration change.
Conclusion
This now completes Module 2 on Logical Routing.
We hope that you have enjoyed the routing portion of this lab and have found it helpful
in your understanding of NSX.
Module 3 - Distributed Firewall (60 min)
Start the module from your desktop. The desktop is your Control center jumpbox in
the virtual environment. From this desktop you will access the vCenter Server
Appliance deployed in your virtual datacenter.
Special Note: On the desktop you will find a file named README.txt. It
contains the CLI commands needed in the lab exercises. If you can't type
them you can copy and paste them into the Putty sessions. If you see a
number in curly brackets, such as {1}, this tells you to look for that CLI
command for this module in the text file.
1. Highlight the CLI command in the manual and use Control+c to copy to
clipboard.
2. Click on the console menu item SEND TEXT.
3. Press Control+v to paste from the clipboard to the window.
4. Click the SEND button.
Second, a text file (README.txt) has been placed on the desktop of the
environment providing you with all the user accounts and passwords for the
environment.
Open Installation
1. First click on Installation
2. Click on the Host Preparation tab. The table will show the clusters in the
virtual datacenter
Notice that NSX is installed at the Cluster level, meaning that installation, removal, and
updates all are a cluster level definition. If later a new physical host is added to the
cluster it will have NSX added automatically. This provides a cluster level of networking
and security without fear of a VM migrating to a host without NSX.
ping -c 2 172.16.30.11
(Note: You might see DUP! at the end of a Ping line. This is due to the nature of the
virtual lab environment using nested virtualization and promiscuous mode on the virtual
routers. You will not see this in production.)
Don't close the window just minimize it for later use.
Service Composer defines a new model for consuming network and security services in
virtual and cloud environments. Policies are made actionable through simple
visualization and consumption of services that are built-in or enhanced by 3rd party
solutions. These same policies can be made repeatable through export/import
capabilities, which makes it easier to stand up and recover an environment
when there is an issue. One of those objects for repeatable use is a Security Group.
2. Select Next
3. Click Next to move to the "Select objects to include" section
1. Pull down the Object Type and scroll down until you find Security Group
2. Click on Web-tier
3. Click on the top arrow to move the object to the right
4. Click OK
2. You want this rule to be processed below the previous rule so choose Add Below
from the drop down box
1. Scroll down in the Object Type drop-down and click on the Logical Switch
choice
2. Select App_Tier-01
3. Click on the top arrow to move the object to the right
4. Click OK
Click OK
Click OK
app-01a
ping -c 2 172.16.20.11
db-01a
ping -c 2 172.16.30.11
Pings are not allowed and will fail as ICMP is not allowed between tiers or tier members
in your rules. Without allowing for ICMP between the tiers the Default Rule now blocks
all other traffic.
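The rule-order and default-block behaviour that makes these pings fail, as an added Python example that is neither NSX code nor part of the lab guide. The object names Web-tier and App_Tier-01 come from the lab; DB_Tier-01, the VM addresses and the service labels are constructed for the demonstration, and the "Add Below" helper mirrors the placement choice used earlier in this module.

```python
"""First-match evaluation of a Distributed Firewall rule table.

Added example, not NSX code and not from the lab guide. It models the rule
layout this module builds: tier-to-tier Allow rules keyed on a Security Group
or a logical switch, followed by the Default Section whose rule is set to
Block. Tier membership, addresses and service names below are constructed.
"""
from dataclasses import dataclass

# Constructed membership: NSX object -> set of VM IPs it currently contains.
# None stands for "any", which matches every address.
OBJECTS = {
    "Web-tier": {"172.16.10.11", "172.16.10.12"},  # Security Group (lab name)
    "App_Tier-01": {"172.16.20.11"},               # Logical Switch (lab name)
    "DB_Tier-01": {"172.16.30.11"},                # Logical Switch (assumed name)
    "any": None,
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str   # key into OBJECTS
    dest: str     # key into OBJECTS
    service: str  # constructed labels: "HTTPS", "MySQL", "ICMP" or "any"
    action: str   # "Allow", "Block" or "Reject"


# Order matters: the DFW applies the first rule that matches a flow, so the
# Default Section rule at the bottom catches everything not explicitly allowed.
RULES = [
    Rule("Web to App", "Web-tier", "App_Tier-01", "HTTPS", "Allow"),
    Rule("App to DB", "App_Tier-01", "DB_Tier-01", "MySQL", "Allow"),
    Rule("Default Rule", "any", "any", "any", "Block"),
]


def _member(ip, obj_name):
    members = OBJECTS[obj_name]
    return members is None or ip in members


def evaluate(rules, src_ip, dst_ip, service):
    """Return (rule name, action) of the first rule matching the flow."""
    for rule in rules:
        if (_member(src_ip, rule.source) and _member(dst_ip, rule.dest)
                and rule.service in ("any", service)):
            return rule.name, rule.action
    raise ValueError("no rule matched: a DFW table always ends with a default rule")


def add_rule_below(rules, existing_name, new_rule):
    """Insert new_rule directly below the rule called existing_name, the same
    placement the 'Add Below' choice gives in the Firewall UI."""
    index = next(i for i, r in enumerate(rules) if r.name == existing_name)
    return rules[:index + 1] + [new_rule] + rules[index + 1:]


if __name__ == "__main__":
    # A ping from the App tier to the DB tier falls through to the Default Rule.
    print(evaluate(RULES, "172.16.20.11", "172.16.30.11", "ICMP"))
    # Only an explicit ICMP rule placed above the Default Rule lets it pass.
    with_icmp = add_rule_below(
        RULES, "App to DB",
        Rule("App to DB ICMP", "App_Tier-01", "DB_Tier-01", "ICMP", "Allow"))
    print(evaluate(with_icmp, "172.16.20.11", "172.16.30.11", "ICMP"))
```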
1. Click on Manage tab
2. Click on Domains tab
3. Click on corp.local
4. Click on Pencil to edit
3. Click Next
AD Synchronization
1. Click the "Double-Gear"
2. Click the "Single-Gear" to get updates from the AD. You should see a Success
Status and the current date.
Note this may take 2-3 minutes to succeed.
With a configured and synchronized AD connection you are ready to make use of the AD
Groups in your security policies.
Click on Firewall
Hover on to source field and click on the pencil sign
Select Security Group in the Object Type pull-down
Click on New Security Group
Click Ok on Settings.
Click OK
Publish Changes
You now have a Domain Group, AD-Sales, set as the source for access to the Web-tier.
In this case a user will have to be a member of the AD Group Sales to gain access to
the Web-tier of the 3-tier application.
Publish Changes
Log in as NonSales
Log in as Sales1
1. Enter Sales1 for the User name. The password is VMware1!
2. Click on the arrow
Verify Access
User Sales1 is a member of the AD-Sales group and is therefore allowed access to the
3-tier application.
You can close the console to win8-01a
Prepare the lab for the next section - Set Default Rule to Allow
1. Set the Default Rule in the Default Section to have an Action of Allow
2. Publish Changes
This will allow the next section to function properly.
Ping Linux-01a
Remember to use the SEND TEXT option.
As you can see, you are able to ping Linux-01a, even though the "Reject" rule should
have prevented it. This is because the NSX Distributed Firewall does not have an IP
address for Linux-01a and therefore cannot enforce the rule against the ping.
Notice that you can no longer ping Linux-01a. It is "rejected" by the firewall, which is
evident from the "host unreachable" in the response.
To conclude, you were able to ping the Linux-01a VM at the beginning, even though there
is a rule that should have prevented it. This was the case because the NSX firewall did
not know the IP address of the VM, as VMware Tools is not installed. After IP address
learning was enabled with ARP Snooping (an NSX 6.2 feature), the "REJECT" rule took
effect and you could no longer ping the Linux-01a VM.
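The two firewall behaviours seen in this module, the ICMP pings between tiers falling through to the Default Rule in the micro-segmentation section and the "Reject" rule for Linux-01a not taking effect until the VM's address was discovered, come from the same evaluation model: rules are matched top-down, first match wins, and a rule that names a VM or grouping object is enforced against the IP addresses NSX has discovered for that object's members. The following Python model is an added example and not NSX code; the grouping objects, the service ports 8443 and 3306, and the ping source address are constructed for illustration.

```python
"""Added model (not NSX code) of Distributed Firewall rule evaluation: rules are
matched top-down, the first match wins, and a rule naming a VM or grouping
object is applied to the IP addresses discovered for the members. Groups, ports
and the ping source below are constructed for the lab story."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]      # object name, or None for "any"
    dst: Optional[str]
    proto: Optional[str]    # "tcp", "icmp", or None for any protocol
    port: Optional[int]     # destination port, or None for any port
    action: str             # "allow", "block" or "reject"


# Constructed grouping objects: object name -> member VMs.
GROUPS = {
    "Web-tier": ["web-01a", "web-02a"],
    "App_Tier-01": ["app-01a"],
    "DB_Tier": ["db-01a"],
}


def resolve(obj, groups, vm_ips):
    """Translate an object to the set of IPs the DFW currently knows for it.
    A member whose address has not been discovered contributes nothing, so a
    rule that names only such VMs can never match a packet."""
    if obj is None:
        return None                        # "any"
    members = groups.get(obj, [obj])       # a bare VM name resolves to itself
    return {vm_ips[vm] for vm in members if vm_ips.get(vm)}


def evaluate(rules, default_action, pkt, groups, vm_ips):
    """pkt = (src_ip, dst_ip, proto, dst_port). Returns (rule name, action)."""
    src, dst, proto, port = pkt
    for r in rules:
        s, d = resolve(r.src, groups, vm_ips), resolve(r.dst, groups, vm_ips)
        if s is not None and src not in s:
            continue
        if d is not None and dst not in d:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.name, r.action
    return "Default Rule", default_action


# Addresses of the lab VMs; the service ports are assumptions, not the lab's rule table.
VM_IPS = {"web-01a": "172.16.10.11", "app-01a": "172.16.20.11", "db-01a": "172.16.30.11"}
TIER_RULES = [
    Rule("Web to App", "Web-tier", "App_Tier-01", "tcp", 8443, "allow"),
    Rule("App to DB", "App_Tier-01", "DB_Tier", "tcp", 3306, "allow"),
]


def micro_segmentation_scenario():
    """Default rule = block: the permitted service passes, ICMP between tiers falls through."""
    web_to_app = evaluate(TIER_RULES, "block",
                          ("172.16.10.11", "172.16.20.11", "tcp", 8443), GROUPS, VM_IPS)
    app_ping_db = evaluate(TIER_RULES, "block",
                           ("172.16.20.11", "172.16.30.11", "icmp", None), GROUPS, VM_IPS)
    return web_to_app, app_ping_db


def ip_discovery_scenario():
    """Default rule = allow, plus a reject rule naming the VM object Linux-01a.
    Before discovery the DFW has no address for the VM, so the reject rule cannot
    match and the ping is allowed; once ARP snooping supplies the address it is rejected."""
    rules = [Rule("Reject to Linux-01a", None, "Linux-01a", "icmp", None, "reject")]
    pkt = ("192.168.100.3", "192.168.100.221", "icmp", None)   # constructed ping source
    before = evaluate(rules, "allow", pkt, GROUPS, {})
    after = evaluate(rules, "allow", pkt, GROUPS, {"Linux-01a": "192.168.100.221"})
    return before, after


if __name__ == "__main__":
    print(micro_segmentation_scenario())
    print(ip_discovery_scenario())
```

The point to take from `resolve` is that an object-based rule is only as good as the address discovery behind it: a VM with no discovered address is invisible to every rule that names it, and the packet falls through to whatever the Default Rule says.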
addresses assigned to a vNIC. The SpoofGuard policy monitors and manages the IP
addresses reported by your virtual machines in one of the following modes.
Automatically Trust IP Assignments On Their First Use
This mode allows all traffic from your virtual machines to pass while building a table of
vNIC-to-IP address assignments. You can review this table at your convenience and
make IP address changes. This mode automatically approves all IPv4 and IPv6 addresses
on a vNIC.
Manually Inspect and Approve All IP Assignments Before Use
This mode blocks all traffic until you approve each vNIC-to-IP address assignment.
NOTE: SpoofGuard inherently allows DHCP requests regardless of the enabled mode.
However, in manual inspection mode, traffic does not pass until the DHCP-assigned IP
address has been approved.
SpoofGuard includes a system-generated default policy that applies to port groups and
logical networks not covered by the other SpoofGuard policies. A newly added network
is automatically added to the default policy until you add the network to an existing
policy or create a new policy for it.
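The two modes and the DHCP exception are easier to reason about as a small state machine over the vNIC-to-IP table. The Python below is an added example written for this lab, not VMware code: it auto-approves the first address seen on a vNIC in trust-on-first-use mode (treating a later address change as something that needs review, which is this model's reading of "first use"), waits for explicit approval in manual mode, always passes DHCP requests, and blocks everything else whose source address is not approved. The vNIC identifiers are constructed; the addresses are the ones used later in this section.

```python
"""Added model (not VMware code) of the two SpoofGuard modes described above.
It keeps the vNIC-to-IP table, auto-approves on first use or waits for manual
approval, always lets DHCP requests through, and blocks anything else whose
source address is not yet approved. vNIC names are constructed."""
from dataclasses import dataclass, field

TRUST_ON_FIRST_USE = "tofu"
MANUAL_APPROVAL = "manual"


@dataclass
class SpoofGuardPolicy:
    mode: str
    approved: dict = field(default_factory=dict)   # vnic -> set of approved IPs
    pending: dict = field(default_factory=dict)    # vnic -> set of IPs awaiting review

    def observe(self, vnic, ip):
        """Record an address the VM starts using on a vNIC. Returns True if it is
        usable immediately (already approved, or the first address in TOFU mode)."""
        if ip in self.approved.get(vnic, set()):
            return True
        if self.mode == TRUST_ON_FIRST_USE and not self.approved.get(vnic):
            self.approved.setdefault(vnic, set()).add(ip)   # first use: trusted silently
            return True
        self.pending.setdefault(vnic, set()).add(ip)        # goes to the review table
        return False

    def approve(self, vnic, ip):
        """Administrator approval; in the lab this is the 'Publish Changes' step."""
        self.pending.get(vnic, set()).discard(ip)
        self.approved.setdefault(vnic, set()).add(ip)

    def allow(self, vnic, src_ip, dhcp_request=False):
        """DHCP requests pass regardless of mode; everything else needs an approved source."""
        if dhcp_request:
            return True
        return src_ip in self.approved.get(vnic, set())


def lab_scenario():
    """Manual mode, as in the lab: change the VM's IP, see it blocked, then publish approval."""
    pol = SpoofGuardPolicy(MANUAL_APPROVAL)
    vnic = "linux-01a-vnic0"                          # constructed vNIC id
    pol.observe(vnic, "192.168.100.231")
    blocked = pol.allow(vnic, "192.168.100.231")      # not approved -> dropped
    dhcp_ok = pol.allow(vnic, "0.0.0.0", dhcp_request=True)
    pol.observe(vnic, "192.168.100.221")              # ipswap back to .221
    still_blocked = pol.allow(vnic, "192.168.100.221")
    pol.approve(vnic, "192.168.100.221")              # "Publish IP Approval"
    allowed = pol.allow(vnic, "192.168.100.221")
    return blocked, dhcp_ok, still_blocked, allowed


def tofu_scenario():
    """Trust-on-first-use: the first address is approved silently, a later change is not."""
    pol = SpoofGuardPolicy(TRUST_ON_FIRST_USE)
    first = pol.observe("web-01a-vnic0", "172.16.10.11")
    changed = pol.observe("web-01a-vnic0", "172.16.10.99")
    return first, changed, pol.allow("web-01a-vnic0", "172.16.10.99"), sorted(pol.pending["web-01a-vnic0"])


if __name__ == "__main__":
    print("manual:", lab_scenario())
    print("tofu:", tofu_scenario())
```

Note the ordering in `lab_scenario`: the VM changing its address back to 192.168.100.221 does not by itself restore connectivity in manual mode; the address stays in the review table until the approval is published, which is exactly what the "Publish IP Approval" step later in this section does.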
Enable SpoofGuard
1. Click the Radio button for Enabled
2. Click Finish
Locate Linux-01a VM
1. Enter "linux" in the vCenter Search field
2. Click on Linux-01a
Log in to Linux-01a
1. Log in using root for the user
2. Password: VMware1!
Change Linux-01a IP
Open the console to Linux-01a.
Enter ipswap231-221 to change the IP Address back to 192.168.100.221.
ipswap231-221
Test Connectivity
Ping the Edge again.
ping -c 2 192.168.100.3
Publish IP Approval
Click on Publish Changes
You now see that your approval of 192.168.100.221 allows network connectivity
again.
DHCP Relay
This lab will cover the DHCP Relay functionality within NSX and will take approximately
15 minutes to complete.
In a network with only a single network segment, DHCP clients can communicate
directly with their DHCP server. A DHCP server can also provide IP addresses for
multiple networks, including ones that are not on the same segment as the server.
When serving IP addresses for ranges outside its own segment, however, it is unable to
communicate with those clients directly, because the clients do not yet have a routable
IP address or a gateway that they are aware of.
In these situations a DHCP Relay agent is required to relay the broadcast received from
DHCP clients by sending it to the DHCP server as unicast. The DHCP server selects a
DHCP scope based on the range the unicast is coming from and returns the reply to the
agent address, from where it is broadcast back to the client on the original network.
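The exchange described above, carried through with real DHCP message bytes, as an added example that is not part of the lab or of the NSX or Windows DHCP code: the client broadcasts a DISCOVER, the relay stamps the relay-agent address (giaddr) with the address of the interface it received the broadcast on and unicasts it to the server, the server picks the scope that contains giaddr rather than its own subnet, and the OFFER comes back to giaddr and is broadcast on the client's segment. The lease 172.16.50.10 and the use of scope options 66 and 67 mirror what this lab shows later; the relay interface address 172.16.50.1, the TFTP host 192.0.2.10, the bootfile name and the client MAC are assumptions.

```python
"""Added walk-through of the DHCP relay exchange (not NSX or Windows DHCP code).
Assumed addresses: relay interface on the new segment 172.16.50.1, TFTP host
192.0.2.10, bootfile pxelinux.0, client MAC 00:50:56:00:00:50. The lease
172.16.50.10 and options 66/67 mirror the lab."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_ROUTER, OPT_MSG_TYPE, OPT_TFTP_SERVER, OPT_BOOTFILE = 3, 53, 66, 67
HDR = "!BBBBIHH4s4s4s4s16s64s128s"      # RFC 2131 fixed fields (236 bytes)


def pack_ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, options=None):
    """Assemble a minimal DHCP message: fixed header, magic cookie, TLV options, end marker."""
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000,          # flags: broadcast bit
                        pack_ip("0.0.0.0"), pack_ip(yiaddr), pack_ip("0.0.0.0"),
                        pack_ip(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in (options or {}).items())
    return fixed + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(msg):
    """Decode the fields the relay and server need, plus the option TLVs."""
    f = struct.unpack(HDR, msg[:236])
    assert msg[236:240] == MAGIC_COOKIE, "not a DHCP message"
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 0xFF:
        if msg[i] == 0:                     # pad option
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:6], "options": opts}


# Constructed scopes on the server, keyed by subnet. The server chooses the scope
# that contains giaddr (the relay's interface), not the server's own subnet.
SCOPES = {
    ipaddress.ip_network("172.16.50.0/24"): {"lease": "172.16.50.10", "router": "172.16.50.1",
                                            "tftp": b"192.0.2.10", "bootfile": b"pxelinux.0"},
}


def relay_to_server(broadcast_from_client, relay_if_ip):
    """Relay agent: stamp giaddr with the receiving interface (if unset), bump hops,
    and forward the message as a unicast to the server."""
    p = parse_dhcp(broadcast_from_client)
    out = bytearray(broadcast_from_client)
    out[3] = p["hops"] + 1
    if p["giaddr"] == "0.0.0.0":
        out[24:28] = pack_ip(relay_if_ip)   # giaddr sits at offset 24 in the fixed header
    return bytes(out)


def server_offer(request):
    """Server: select the scope by giaddr and reply (unicast to giaddr) with lease and PXE options."""
    p = parse_dhcp(request)
    scope = next(s for net, s in SCOPES.items() if ipaddress.ip_address(p["giaddr"]) in net)
    opts = {OPT_MSG_TYPE: bytes([DHCPOFFER]), OPT_ROUTER: pack_ip(scope["router"]),
            OPT_TFTP_SERVER: scope["tftp"], OPT_BOOTFILE: scope["bootfile"]}
    offer = build_dhcp(BOOTREPLY, p["xid"], p["chaddr"], yiaddr=scope["lease"],
                       giaddr=p["giaddr"], hops=p["hops"], options=opts)
    return p["giaddr"], offer               # (unicast destination, message)


def relay_to_client(offer):
    """Relay agent: the reply arrives on the giaddr interface and is broadcast on that segment."""
    return "255.255.255.255", offer


def pxe_exchange():
    """Run DISCOVER -> relay -> server -> relay -> client and return what the client learns."""
    client_mac = bytes.fromhex("005056000050")          # constructed MAC
    discover = build_dhcp(BOOTREQUEST, 0x1234ABCD, client_mac,
                          options={OPT_MSG_TYPE: bytes([DHCPDISCOVER])})
    to_server = relay_to_server(discover, "172.16.50.1")
    dest, offer = server_offer(to_server)
    bcast, delivered = relay_to_client(offer)
    c = parse_dhcp(delivered)
    return {"server_saw_giaddr": parse_dhcp(to_server)["giaddr"], "offer_unicast_to": dest,
            "client_ip": c["yiaddr"], "tftp": c["options"][OPT_TFTP_SERVER].decode(),
            "bootfile": c["options"][OPT_BOOTFILE].decode(), "broadcast": bcast}


if __name__ == "__main__":
    print(pxe_exchange())
```

The scope lookup in `server_offer` is the part worth noticing: without giaddr the server would only see a unicast from the relay and have no way to know which segment the client is on, which is why the relay agent's interface address on the new logical switch is what drives the choice of scope.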
Areas to be covered in this lab:
Create a new network segment within NSX.
Enable the DHCP Relay agent on the new network segment.
Use a pre-created DHCP scope on a DHCP server that is on another network
segment, which requires layer 3 communication.
Network boot (PXE) a blank VM via DHCP scope options.
In this lab the following items have been pre-configured:
A Windows Server based DHCP server, with the appropriate DHCP scope and scope
options set.
A TFTP server for the PXE boot files: this server has been installed and configured, and
the OS files loaded.
Lab Topology
This diagram lays out the final topology that will be created and used in this lab module.
Add Interface
This section will attach the logical switch to an interface on the Perimeter Gateway.
1. Click Manage
2. Click Settings
3. Click Interfaces
4. Select vnic9
5. Click the Pencil Icon to edit interface
Create New VM
Name the VM
1. Name = PXE VM
2. Click Next
Select Host
Click Next
Select Storage
Leave this as default
Click Next
Select Compatibility
Leave this as default
Click Next
Select Guest OS
Leave this as default
1. Select Linux under Guest OS Family
2. Select Other Linux (64-bit) under Guest OS Version
3. Click Next
Complete VM Creation
Click Finish.
Power Up VM
Power up the new VM.
Click the Play button
Image Booting
This screen appears once the VM has a DHCP address and is downloading the PXE
image from the boot server. This step takes about 1-2 minutes; please move on to the
next step while it runs.
View Leases
We can look to see what address the VM took from the DHCP server.
1. Expand the sections by clicking on the arrows
2. Select Address Leases
3. You will see the address 172.16.50.10 which is in the range we created earlier
View Options
We can also see the scope options used to boot the PXE Image
1. Select Scope Options
2. You will note option 66 & 67 were used
You can now close DHCP.
Access Booted VM
Return to the PXE VM console by selecting it from the taskbar.
Verify Connectivity
Because of the dynamic routing already in place with the virtual network, we have
connectivity to the VM upon its creation. You can verify this by pinging it from the
control center.
1. Click the Command Prompt Icon in the taskbar.
2. Type ping 172.16.50.10 and press enter.
ping 172.16.50.10
You will then see a ping response from the VM. You can now close this command
window.
Conclusion
In this lab we have completed the creation of a new network segment, then relayed the
DHCP requests from that network to an external DHCP server. In doing so we were able
to access additional boot options of this external DHCP server and PXE into a Linux OS.
This lab is now completed, thank you for completing the DHCP Relay lab.
Cluster/Datastore placement
1. Select Management and Edge Cluster for your Cluster/Resource Pool
placement
2. Select ds-site-a-nfs01 for your Datastore placement
3. Select the host esx-04-a.corp.local
4. Place in the Edges folder
5. Click OK
Configuring Subnets
Next, you'll be configuring an IP address for this interface.
Click the small green plus sign icon.
Monitoring Deployment
To monitor deployment of the Edge Services Gateway, click on the Installing button
while the Edge is still being deployed to see the progress of the installation steps.
Afterwards, you should see the progress of the Edge deployment.
Repeat the process above to add one more pool member using the following
information
Name: web-02a
IP Address: 172.16.10.12
Port: 443
Monitor Port: 443
Click OK
Log in to OneArm-LoadBalancer-0
1. Log in using the user admin and the password VMware1!VMware1!
Start PuTTY
Click on the PuTTY shortcut on the Windows launch bar.
SSH to web-sv-01a
1. Scroll down to Web-01a.corp.local
2. Select Web-01a.corp.local
3. Click Load
4. Click on Open
Shut down HTTPD
We will shut down HTTPD to simulate the first failure condition.
Type service httpd stop to shut down HTTPD.
service httpd stop
Load balancer console
Type show service loadbalancer pool
show service loadbalancer pool
Because the service is down, the failure detail shows that the client could not establish
an SSL session.
Shutdown web-01a
1. In upper right corner search box of vSphere Web Client type "web-01a"
2. Click on web-01a
Console in to LoadBalancer
Select the "OneArm-LoadBalancer" on the application bar.
Because the VM itself is now down, the failure detail shows that the client could not
establish an L4 connection, as opposed to the L7 (SSL) connection failure in the
previous step.
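The two failure details the load balancer reported above correspond to the two stages of an HTTPS health check: a TCP connect that is refused or times out is an L4 failure, while a TCP connect that succeeds but whose TLS handshake fails is an L7 (SSL) failure. The Python probe below is an added example written for this lab and not the NSX Edge monitor code; it reproduces both cases on 127.0.0.1 with a constructed listener that accepts TCP but answers in plaintext (the "httpd stopped, something else on the port" shape of the first failure) and a port with nothing listening (the "VM down" shape of the second). No real web server is contacted.

```python
"""Added example (not the NSX Edge load balancer's monitor code) showing what the
two failure details mean: refused TCP = L4 failure, TCP up but TLS handshake
failing = L7 (SSL) failure. The plaintext listener is constructed so the L7 case
can be reproduced on 127.0.0.1 without a real web server."""
import socket
import ssl
import threading


def probe_https(host, port, timeout=3.0):
    """Return ('L4', detail) when TCP fails, ('L7', detail) when TCP works but the
    TLS handshake does not, or ('UP', None) when the handshake completes."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                     # refused, unreachable, timed out
        return "L4", type(exc).__name__
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                 # this monitor only exercises the handshake
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):   # handshake happens here
            return "UP", None
    except (ssl.SSLError, OSError) as exc:     # wrong version number, EOF, reset, timeout
        return "L7", type(exc).__name__
    finally:
        sock.close()


def start_plaintext_listener():
    """Accept one TCP connection and answer with plain HTTP, like a port that is open
    but not speaking TLS. Returns the port to probe. Constructed for the example."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(4096)                    # swallow the probe's ClientHello
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Reserve and release a local port so nothing is listening on it (the 'VM down' case)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    print("service stopped:", probe_https("127.0.0.1", start_plaintext_listener()))
    print("host down:     ", probe_https("127.0.0.1", closed_port()))
```

On a real network the "VM down" case usually surfaces as a connect timeout rather than a refusal, which is why the probe classifies every `OSError` raised before the TLS stage as L4 and only errors raised after the TCP connection is up as L7.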
Name: web-02a
IP Address: 172.16.10.12
Port: 80
Monitor Port: 80
Click OK
2. Click on "Advanced"
Module 5 - Service Insertion and Security Policies (30 min)
Service Composer
Service Composer is a built-in tool that defines a new model for consuming network and
security services; it allows you to provision and assign firewall policies and security
services to applications in real time in a virtual infrastructure. Security policies are
assigned to groups of virtual machines, and the policy is automatically applied to new
virtual machines as they are added to the group.
From a practical point of view, NSX Service Composer is a configuration interface that
gives administrators a consistent and centralized way to provision, apply and automate
network security services like anti-virus/malware protection, IPS, DLP, firewall rules, etc.
Those services can be available natively in NSX or enhanced by third-party solutions.
This module will show you how to dynamically identify and isolate a workload that has
violated PCI (Payment Card Industry) compliance by using Service Composer and the
native NSX Data Security feature.
The module has 3 sections:
1. Service Composer
2. Service Insertion
3. Data Security
In Section 1 we will use Service Composer to build Security Groups and Security Policies.
You will learn how to create Security Groups using both static inclusion and dynamic
inclusion. You will create 2 Security Groups and 2 sets of security policies attached to
the security groups as shown in the diagram below. Security Group "Non-CDE"
(Cardholder Data Environment - the credit card environment where all cardholder
information is processed) will be created by including a single VM, "win8-01a". This VM
represents a VM which is not part of the CDE and should not contain any cardholder
data. You will then create a security group named "PCI-Violation" whose members will be
selected using a security tag assigned dynamically by the data security scan. You will
also create 2 security policies: "Non-CDE Security Policy", allowing unrestricted access
to/from the "win8-01a" VM, and "PCI-Violation Security Policy", for isolating the VM if
sensitive data is found and restricting any communication to/from the VM, as it violates
the PCI regulation.
In Section 2 we will modify the security policy "PCI-Violation Security Policy" to add Data
Security as a service.
In Section 3 we will configure the data pattern and scope of the Data Security scan and
manually scan the VM "win8-01a". We have placed some sensitive information on the
VM. As a result of the scan the VM will be tagged with the tag
"vmware.datasecurity.violating", which matches the criteria set for the security group
"PCI-Violation".
This module demonstrates the power of Service Composer and how it can be leveraged
to change the security posture around a workload or group of workloads and isolate
them without changing their physical location or the infrastructure underneath. The
same principles in this module can be leveraged to insert advanced security services
from 3rd party vendors.
Note: CDE = Card Data Environment
Type Name of the first firewall rule "Allow from Non-CDE to any"
Check Allow
Check Log
Click on "Change" to create allowed services
Select Source
1. Check Any as source
2. Click OK
Define Services
Click on Change
Return to Firewall
Click on Firewall
text file is also included for keyboard layouts which do not provide those
characters.
The text file is README.txt and is found on the desktop.
ping win8-01a
Type dir x:
dir x:
Check for a successful "ping" to win8-01a and successful completion of the "net use"
command. You can also see the contents of the mapped directory.
Service Insertion
The NSX network virtualization platform provides L2-L4 stateful firewalling features to
deliver segmentation within virtual networks. In some environments, there is a
requirement for more advanced network security capabilities. In these instances,
customers can leverage VMware NSX to distribute, enable and enforce advanced
network security services. In this section we will insert the native Data Security service,
which will help us identify credit card data in a Non-CDE (Card Data Environment)
workload. The Data Security feature requires the installation of the Guest Introspection
and Data Security Service VMs before it can identify sensitive information stored in
virtual workloads.
In this section we will install the Data Security Service VM and add NSX Data Security to
the Service Deployments, making it available for use. Next you will be modifying the
existing Security Policy "Non-CDE Security Policy", which was created in the previous
section, to insert Data Security as a service.
Select Cluster
1. Check the box for Compute Cluster B
2. Click Next
Data Security
VMware NSX Data Security scans and analyzes data on your Virtual Machines and
reports the number of violations detected, as well as which files violated your policy. It
essentially provides visibility into any sensitive data that is in your environment. Based
on the violations reported by NSX Data Security, you can ensure that sensitive data is
adequately protected and assess compliance with regulations around the world. To begin
using NSX Data Security, you create a policy that defines the regulations that apply to
data security in your organization and specifies the areas of your environment and files
to be scanned. A regulation is composed of content blades, which identify the sensitive
content to be detected. NSX supports PCI, PHI, and PII related regulations only.
When you start a Data Security scan, NSX analyzes the data on the virtual machines in
your vSphere inventory and reports the number of violations detected and the files that
violated your policy. In this section we will configure Data Security, select the pattern we
want to identify on the workload, and run a scan to determine whether any sensitive data
matching the pattern resides on the VM in our scenario, "win8-01a". In our case we have
shown you a PCI example, but you can select from a vast list of regulations as well as
create your own custom patterns using wild cards.
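What a PCI content blade has to do behind the scan is illustrated by the following Python, an added example and not the NSX Data Security engine: find candidate card numbers in file content, validate each with the Luhn checksum so that ticket and order numbers are not reported as violations, and produce the per-VM, per-file report the "Violating files" view shows later in this section. The file paths and contents stand in for data on win8-01a and are constructed; the card numbers are the published Visa and Mastercard test numbers, not real accounts.

```python
"""Added example (not the NSX Data Security engine) of a PCI content blade: find
candidate card numbers, validate them with the Luhn checksum to cut false
positives, and report violating files per VM. Files and numbers are constructed."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_ok(digits):
    """ISO/IEC 7812 Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid candidates found in text, with separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep only the last four digits when reporting, so the report itself is not a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_vm(vm_name, files):
    """files: {path: content}. Returns a report shaped like the lab's 'Violating files' view."""
    violations = []
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            violations.append({"vm": vm_name, "file": path, "matches": len(pans),
                               "samples": [mask(p) for p in pans]})
    return {"vm": vm_name, "regulation": "PCI-DSS", "violations": violations}


# Constructed contents standing in for files on win8-01a.
SAMPLE_FILES = {
    r"C:\Users\Administrator\Desktop\orders.txt":
        "Order 12345678 paid with 4111-1111-1111-1111, exp 09/27\n",
    r"C:\Users\Administrator\Desktop\notes.txt":
        "Ticket 1234567890123456 is just a ticket id, not a card\n",
    r"C:\Users\Administrator\Desktop\report.csv":
        "5500 0000 0000 0004,approved\n4012888888881881,approved\n",
}


if __name__ == "__main__":
    for v in scan_vm("win8-01a", SAMPLE_FILES)["violations"]:
        print(v["file"], v["matches"], v["samples"])
```

The Luhn step is what separates a usable scanner from a noisy one: the 16-digit ticket id in notes.txt matches the pattern but fails the checksum, so the file is not reported, while the dashed and space-separated numbers are normalised before validation and are.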
2. Click on "Edit"
Scan completion
Once the scan is completed the color will change to purple. Notice under "View
Regulations Violated Report", it shows the violation type PCI-DSS and under "View VM's
Regulations Report", it shows the VM name that has violated the PCI regulations.
View Report
Select Violating files
Detailed Report
Selecting the "Violating files" option will give details about the violating workload: the
name of the VM, cluster information, the location of the file, when the file was modified, etc.
Canvas View
Click on Service Composer
2. Enter net use. Notice that the existing net use for X: still exists but,
net use
In the previous section you were able to ping the win8-01a VM; after the violation, ping is
blocked. The "net use" command also errors out. This is the result of dynamic tag
enforcement: the tag is used to enforce a security policy that restricts access to the
workload. In a real-world scenario, you might want to allow administrative access to the
workload for further forensics. To keep it simple we have restricted all access.
The possibilities around the NSX Service Composer are tremendous; you can create an
almost infinite number of associations between security groups and security policies to
efficiently automate how security services will be consumed in the software-defined
data center.
Module 6 - Monitoring
and Visibility (45 min)
Traceflow
VMware NSX 6.2 brings new features to assist you in monitoring the virtual network as
well as increased visibility of the packet for troubleshooting. New to 6.2 is Traceflow
which allows you to follow a packet in its path from source to destination. Flow
monitoring will allow you to monitor flows between source and destination allowing you
to correlate to firewall rules. Activity Monitoring will allow you to monitor what
applications users are using in your virtual environment.
Login to vCenter
1. Check the Use Windows session authentication box
2. Click Login
Launch Traceflow
From the Networking & Security section in the vSphere Web Client,
scroll down to Tools and select Traceflow.
Traceflow is a new feature in NSX 6.2 that allows you to inject packets into a vNIC
without using the guest VM's OS and trace them through the network to the destination
vNIC, again without using the destination OS. This enhances your operational and
troubleshooting capabilities by helping you to identify problems between the virtual and
physical network. It also allows for separation of duties, as a network engineer can now
trace packets between a source and destination without needing access to the guest
VM's OS. Supporting both L2 and L3 traceflow, you can see where packets get dropped
when troubleshooting connectivity problems. This allows you to quickly identify
problems and pinpoint an issue in the NSX data path.
Select Destination VM
Double click on web-02a
2. Select all of the ICMP Objects except for the IPv6 Objects. (You can
select the first one and Shift+Click on the last)
3. Click on the right arrow to select these objects
4. Click OK
Click on Traceflow
Set the source to web-01a
Set the destination to web-02a
Select ICMP as the protocol
Start the Trace
Traceflow Summary
Traceflow is a useful tool for tracing a packet through the NSX data path to determine
where packets may be dropped and to also quickly verify firewall rules.
Flow Monitoring
Flow monitoring provides vNIC-level visibility of VM traffic flows.
Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic to
and from protected virtual machines. When flow monitoring is enabled, its output
defines which machines are exchanging data and over which application. This data
includes the number of sessions and packets transmitted per session. Session details
include sources, destinations, applications, and ports being used. Session details can be
used to create firewall allow or block rules.
You can view TCP and UDP connections to and from a selected vNIC. You can also
exclude flows by specifying filters.
Flow Monitoring can thus be used as a forensic tool to detect rogue services and
examine outbound sessions.
Flow Monitor
Our goal is to determine some interesting data flows within the NSX environment and be
able to take action on the data being collected.
In this case we are interested in HTTP connections being made directly to our Web
Servers (web-01a and web-02a). Most traffic to our Web Servers should be using SSL
and should go through the Load Balancer VIP we set up in the previous exercise.
The first step is to enable Flow Monitoring. Then we will simulate HTTP traffic.
Simulate a large number of HTTP connections with Apache Bench by logging into the
console of web-01a and opening a Command Prompt.
Select Networking & Security from the left pane of the vSphere Web
Client.
Flow Monitoring
You can see that Flow Collection is now enabled.
IPFix is the IETF's version of Cisco's proprietary Netflow. Navigate through the IPFix area
for your information. We will not be configuring collectors in this lab.
1. Click IPFix
IPFix
The Edit button allows you to enable IPFix.
The Green Plus button allows you to configure IPFix Collector addresses. You can
send to multiple collectors and defined ports.
1. After reviewing the IPFix areas, Click Flow Exclusion.
text file is also included for keyboard layouts which do not provide those
characters.
The text file is README.txt and is found on the desktop.
Generate traffic
We will simulate a large number of HTTP connections by running the Apache Bench tool
from the Control Center against one of our web servers.
We are interested in HTTP connections being made directly to our web servers, as they
should primarily be receiving traffic via the Load Balancer VIP.
Open a command prompt on the Control Center by selecting the command prompt icon
on the bottom tool bar (lower left), and type the following command:
ab -n 12345 -c 10 -w http://172.16.10.11/
need to refresh the vSphere Web Client by clicking the refresh arrow at the
top of the screen**
HTTP Flows
Highlight the HTTP Service and it will highlight the corresponding line
on the graph.
Details By Service
1. To gain more information about the specific protocol (HTTP) traffic
spike, open the Details By Service Tab and select Allowed Flows. FYI:
the Details are sorted by Service in descending order of Bytes, but
clicking the Column Head will re-sort by that column or reverse the sort.
2. NOTE: If HTTP traffic does not show up, click Refresh in the Web Client.
You may also need to refresh your browser.
3. Highlight the TCP - HTTP traffic line to gain more detailed information.
We see that most of the traffic to web-01a (172.16.10.11) is being generated by the
Control Center VM (192.168.110.10).
The Control Center system should not be sending large amounts of HTTP traffic to our
"Production" Web Servers.
We will add a firewall rule to prevent this unwanted flow until we can determine what is
going on and minimize any potential threat.
**Please note: It may take a few minutes in this nested lab environment for
the flows to show up in the dashboard. Refresh the vSphere Web Client after a
few minutes if you are not seeing the new flows in the dashboard, or Details
By Service tab.**
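The analysis just described, aggregating flows by service, spotting HTTP that reaches the web servers directly rather than through the load balancer, and turning the offending session into a firewall rule, is what the following Python does over a handful of constructed flow records. It is an added example and not NSX Flow Monitoring output or code: the record layout, the assumed one-arm load balancer address 172.16.10.10 and VIP 172.16.10.200, and the small app-01a flow are constructed; the web server and Control Center addresses are the lab's.

```python
"""Added detection example (not NSX Flow Monitoring code or output): aggregate
constructed flow records like the Details By Service view, flag HTTP sessions that
hit the web servers without coming from the load balancer, and derive the reject
rule the lab adds. LB address 172.16.10.10 and VIP 172.16.10.200 are assumptions."""
from collections import defaultdict

WEB_SERVERS = {"172.16.10.11": "web-01a", "172.16.10.12": "web-02a"}
LB_VIP = "172.16.10.200"              # assumed virtual server address
LB_ADDRESSES = {"172.16.10.10"}       # assumed address the one-arm LB uses towards the pool

# Constructed flow records: (src, dst, proto, dst_port, sessions, bytes)
FLOWS = [
    ("192.168.110.10", LB_VIP, "tcp", 443, 40, 512_000),             # user -> VIP (expected)
    ("172.16.10.10", "172.16.10.11", "tcp", 443, 20, 256_000),       # LB -> pool member (expected)
    ("172.16.10.10", "172.16.10.12", "tcp", 443, 20, 256_000),
    ("192.168.110.10", "172.16.10.11", "tcp", 80, 12345, 9_876_000), # ab run straight at web-01a
    ("172.16.20.11", "172.16.10.11", "tcp", 80, 3, 4_000),           # app-01a -> web-01a (constructed)
]


def details_by_service(flows):
    """Totals per service (proto/port), sorted by bytes descending like the dashboard."""
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for src, dst, proto, port, sessions, nbytes in flows:
        key = f"{proto.upper()}-{port}"
        totals[key]["sessions"] += sessions
        totals[key]["bytes"] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


def direct_web_flows(flows):
    """HTTP flows that reach a web server from anything other than the load balancer,
    busiest first. Anything in this list bypassed the VIP."""
    hits = [f for f in flows
            if f[1] in WEB_SERVERS and f[2] == "tcp" and f[3] == 80 and f[0] not in LB_ADDRESSES]
    return sorted(hits, key=lambda f: f[4], reverse=True)


def proposed_reject_rules(flows):
    """Turn each bypassing session into the DFW rule fields the lab pre-populates."""
    return [{"name": f"Reject HTTP {src} -> {WEB_SERVERS[dst]}",
             "source": src, "destination": dst, "service": "HTTP", "action": "reject"}
            for src, dst, *_ in direct_web_flows(flows)]


if __name__ == "__main__":
    for service, totals in details_by_service(FLOWS):
        print(service, totals)
    for rule in proposed_reject_rules(FLOWS):
        print(rule)
```

Sorting the bypassing flows by session count puts the Apache Bench run from the Control Center at the top, which is the flow the lab rejects; the three-session flow from app-01a is reported too, since the page's point is that any direct HTTP to the pool members deserves a look, not only the loud one.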
Reject Traffic
Add a Firewall rule to Reject HTTP traffic to web-sv-01a from 192.168.110.10. The
Source (192.168.110.10), Destination (172.16.10.11) and HTTP Service are pre-populated for you.
http://172.16.10.11/
Flow Monitor is a great way to detect traffic anomalies in your environment and mitigate
issues quickly by leveraging the Distributed Firewall power of NSX.
Live Flow
You can also use Live Flow to view traffic to/from a particular machine and vNIC.
1. Select the Live Flow tab while in the Flow Monitoring section
2. Click on the Browse link
3. Select web-01a and its network adapter
4. Click OK
Publish Changes.
Select Publish Changes and verify the rule was deleted by visually
inspecting the Default Section Layer 3 rules.
Activity Monitoring
Activity Monitoring provides visibility into your virtual network to ensure that security
policies at your organization are being enforced correctly.
A Security policy may mandate who is allowed access to what applications. The Cloud
administrator can generate Activity Monitoring reports to see if the IP based firewall rule
that they set is doing the intended work. By providing user and application level detail,
Activity Monitoring translates high level security policies to low level IP address and
network based implementation.
Value: Detailed visibility into Applications and Activity on a monitored Virtual
Machine through the Guest Introspection Service.
In order to leverage Activity Monitoring you need to do the following:
Successfully install NSX and execute Host Preparation.
Deploy the Guest Introspection Service to any cluster that will be monitored.
Have an updated version of VMware Tools installed on the Virtual Machines WITH the
VMCI Guest Introspection drivers installed.
Use the NSX Security Group "Activity Monitoring Data Collection".
NOTE: The above steps have already been completed in our lab environment.
We will configure the following:
Configure data collection on Virtual Machines
Start Activity Monitoring
Connect to win8-01a
1. Enter win8-01a.corp.local
2. Click Connect
win8-01a.corp.local
Log in
Use the CORP\Administrator account.
Use VMware1! as the password.
can use Activity monitor to view all activity to/from a given VM and view who is
generating the traffic. This helps you to determine if unwanted traffic is occurring.
1. Click the reduce button to return to desktop
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-SDC-1603
Version: 20160523-075128