VMware NSX:

Install, Configure, Manage

Lab Manual
NSX 6.0

VMware® Education Services

VMware, Inc.
www.vmware.com/education
VMware NSX:
Install, Configure, Manage
NSX 6.0
Part Number EDU-EN-NSXICM6-LAB
Lab Manual

CopyrightITrademark
Copyright © 2014 VMware, Inc. All rights reserved. This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at http ://www.vmware.com/go/
patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States
and/or other jurisdictions. All other marks and names mentioned herein may be trademarks
of their respective companies.
The training material is provided "as is," and all express or implied conditions,
representations, and warranties, including any implied warranty of merchantability, fitness for
a particular purpose or noninfringement, are disclaimed, even if VMware, lnc., has been
advised of the possibility of such claims. This training material is designed to support an
instructor-led training course and is intended to be used for reference purposes in
conjunction with the instructor-led training course. The training material is not a standalone
training tool. Use of the training material for self-study without class attendance is not
recommended.
These materials and the computer programs to which it relates are the property of, and
embody trade secrets and confidential information proprietary to, VMware, Inc., and may not
be reproduced, copied, disclosed, transferred, adapted or modified without the express
written approval of VMware, Inc.
Course development: Rob Nendel, John Tuffin, Jerry Ozbun
Technical review: Elver Sena, Chris McCain
Technical editing: Jim Brook, Shalini Pallat, Jeffrey Gardiner
Production and publishing: Ron Morton, Regina Aboud
The courseware for VMware instructor-led training relies on materials developed by the
VMware Technical Communications writers who produce the core technical documentation,

www.vmware.com/education
TABLE OF CONTENTS

Lab 1: Configuring NSX Manager 1

Lab 2: Configuring and Deploying an NSX Controller Cluster 7
Lab 3: Preparing for Virtual Networking 19
Lab 4: Configuring and Testing Logical Switch Networks 25
Lab 5: Configuring and Deploying an NSX Distributed Router 35
Lab 6: Deploying an NSX Edge Services Gateway and Configuring Static Routing 45
Lab 7: Configuring and Testing Dynamic Routing on NSX Edge Appliances 53
Lab 8: Configuring and Testing Network Address Translation on an NSX Edge
Services Gateway 65
Lab 9: Configuring Load Balancing with NSX Edge Gateway 77
Lab 10: Advanced Load Balancing 91
Lab 11: Configuring NSX Edge High Availability 99
Lab 12: Configuring Layer 2 VPN Tunnels 107
Lab 13: Configuring IPsec Tunnels 119
Lab 14: Configuring and Testing SSL VPN-Plus 129
Lab 15: Using NSX Edge Firewall Rules to Control Network Traffic 137
Lab 16: Using NSX Distributed Firewall Rules to Control Network Traffic 143
Lab 17: Using Flow Monitoring 153
Lab 18: Managing NSX Users and Roles 159
Answer Key 165

VMware NSX: Install , Configure, Manage

ii VMware NSX: Install , Configure, Manage
 •
Lab 1
Configuring NSX Manager

Objective: Attach an NSX Manager appliance to a

vCenter Server system
In this lab, you will perform the following tasks:

1. Access Your Lab Environment

2. Review the NSX Manager Configuration
3. Verify That the vSphere Web Client Plug-In for NSX Manager Is Installed
4. License vCenter Server, the ESXi Hosts, and NSX Manager
5. Clean Up for the Next Lab

Lab 1 Configuring NSX Manager 1

Task 1: Access Your Lab Environment
You use a Horizon" View" desktop to open an Remote Desktop Protocol connection to your lab
environment.
1. Log in to your lab environment using the information that is provided by your instructor.

Task 2: Review the NSX Manager Configuration

In your lab environment, the VMware NSX Manager" appliance has been preconfigured to
establish network connectivity with the VMware vCenter Server" system. The NSX Manager has
also been joined to the vCenter Server appliance. You review the NSX Manager deployment
configuration. The review sequence matches the steps that you take when configuring an NSX
Manager after initial deployment.

1. Log in to the NSX Manager user interface.

a. On the ControlCenter desktop, double-click the Firefox shortcut.
b. In the Firefox window, click the NSX Manager bookmark.
c. When prompted, log in as admin and enter the password VMwarel! .
2. In the NSX Manager user interface, click Manage Appliance Settings.
3. On the Manage tab, in the left pane, verify that Settings> General is selected.
4. Verify that the following general settings are configured as specified.
• The NTP Server is 192.168.110 .10
• The Syslog Server is vc-l-1a. corp .local, using port S14 /UDP.
• The Locale is en-US.
5. In the left pane, select Settings> Network and verify that the following values are configured
as specified.
• The Host name is nsxmgr-l -Ola .
• The IPv4 address is 19 2 . 16 8 . 110 .42.
• The Subnet mask is 255 . 255 . 255 . o.
• The default gateway is 192.168.110 .2
• The primary DNS server is 192.168.110.10.
6. In the left pane, select Components> NSX Management Service and verify that the following
values are configured as specified.
• The Lookup Service is not configured.

2 Lab 1 Configuring NSX Manager

 • The vCenter Server is vc-l- 0 la. corp .local.
• The vCenter Server Name is root .
• The vCenter Server Status is Connected with a green dot icon.

vCenter Server: vc-I-01 a.cnrp.lncal

vCenter User Name: root
Statu s: Connected - Last successful inventory update was unknown 0

Task 3: Verify That the vSphere Web Client Plug-In for NSX Manager Is
Installed
In your lab environment, the VMware vSphere® Web Client Plug-in for NSX Manager is
preinstalled and ready for use.
1. To log in to the vSphere Web Client, in the Firefox window, click the vSphere Web Client
bookmark.
2. When prompted, log in as root and enter the password VMwarel!.
Allow the initial authentication to complete. The initial authentication may take several minutes
to complete.
3. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.
4. In the left navigation pane, review the list ofNSX features , then select NSX Managers.
5. In the middle pane, verify that a single NSX Manager instance with an IP address of
192.168.110.42 appears in the Objects list.
If an NSX Manager does not appear in the Objects list, ask your instructor for help.

J Objects 1'-- _
@ Actions ....

Nam e IP .A. dd ress

~ ·192.:168.110.42 192.168.110.42

Lab 1 Configuring NSX Manager 3

Task 4: License vCenter Server, the ESXi Hosts, and NSX Manager
Your instructor provides the necessary licenses.
1. Click the vSphere Web Client Home tab.
2. Assign a vCenter Server license key to the vCenter Server instance.
a. In the left pane, navigate to Administration> Licenses.
b. In the middle pane, click the vCenter Server Systems tab.
c. With the vCenter Server instance selected, click the Assign License Key link.
d. In the Assign License Key panel, select Assign a new license key from the drop-down menu.
e. In the License key text box, enter or paste your vCenter license key.
f. Click OK.
3. Assign a VMware vCloud® Suite Enterprise license key to each VMware ESXi™ host.
a. In the center pane, click the Hosts tab.
b. Select the first ESXi host in the list.
c. Press the Shift key and click the last ESXi host in the list to select all three ESXi hosts.
d. Release the Shift key and click the Assign License Key link.
e. In the Assign License Key panel, select Assign a new license key from the drop-down menu.
f. In the License key text box, enter or paste your vCloud Suite Enterprise license key.

g. Click OK.
h. In the hosts list, press Shift and click to select all three ESXi hosts .
i. Right-click the selected hosts and select Connect from the pop-up menu.

You can also connect each host individually from the vCenter > Hosts and Clusters
inventory panel.
4. Assign a VMware NSXTM for vSphere® license.
a. In the middle pane, click the Solutions tab.
b. Select the NSX for vSphere solution.
c. Click the Assign License Key link.
d. In the Assign License Key panel, select Assign a new license key from the drop-down menu.
e. In the License key text box, enter or paste your NSX for vSphere license key.
f. Click OK.

4 Lab 1 Configuring NSX Manager

Task 5: Clean Up for the Next Lab
You perform this action to prepare for the next lab.
1. In the left navigation pane, click the Networking & Security back arrow button.

Lab 1 Configuring NSX Manager 5

6 Lab 1 Configuring NSX Manager
Lab 2 •
Configuring and Deploying an NSX
Controller Cluster

Objective: Deploy a three-node NSX Controller cluster

In this lab, you will perform the following tasks:

1. Prepare for the Lab

2. Deploy the First NSX Controller Instance
3. Verify That the First NSX Controller Instance Is Operational
4. Deploy the Second NSX Controller Instance
5. Verify That the Second NSX Controller Instance Is Operational
6. Deploy the Third NSX Controller Instance
7. Verify That the Third NSX Controller Instance Is Operational
8. Clean Up for the Next Lab

Lab 2 Configuring and Deploying an NSX Controller Cluster

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.

1. Tfthe Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
2. Tfyou are not logged in to the vSphere Web Client, in the Firefox window, click the vSphere
Web Client bookmark.
3 . When prompted, log in as root and enter the password VMwarel ! .

4. On the vSphere Web Client Home tab, click Inventories> Networking and Security.

Task 2: Deploy the First NSX Controller Instance

You configure and deploy the first of three VMware NSX Controller" instances.

1. In the left navigation pane, select Installation.

2 . In the middle pane, on the Management tab, click the green plus sign in the NSX Controller
nodes pane].
3. In the Add Controller dialog box, perform the following actions to configure and deploy the
first NSX Controller.
a. Select 192.168.110.42 from the VMware NSX Manager" drop-down menu.
b. Select ABC Medical from the Datacenter drop-down menu.
c. Select Management and Edge Cluster from the Cluster/Resource Pool drop-down
menu.
d. Select ds-site-a-nfsOl from the Datastore drop-down menu.
e. Click the Connected To > Select link to open the Connect to a Network dialog box.
f. Tn the Connect to a Network dialog box, click Distributed Portgroup.

g. Click the Mgmt_Edge_VDS - Mgmt button and click OK.

h. Select New IP Pool from the IP Pool drop-down menu to open the Add TP Pool dialog box
and configure the options.

Option Action
Name Enter Controller-Pool in the text box.

Gateway Enter 192.168.110.2 in the text box.

8 Lab 2 Configuring and Deploying an NSX Controller Cluster

 Option Action
Prefix Length Enter 24 in the text box.

Primary DNS Enter 192.168.110.10 in the text box.

Secondary DNS

DNS Suffix

Static IP Pool
Leave blank.

Leave blank.

Enter 192.168.110.201-192.168.110.210 in the text box .

•
i. Click OK to add the new IP pool.

j. In the Add Controller dialog box, enter VMware11 in the Password and the Confirm
password text boxes.
k. Click OK.
4. Monitor the NSX Controller deployment to completion.
• Use the horizontal scroll bar to uncover the Status column, if necessary.
• Monitor the deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.

Task 3: Verify That the First NSX Controller Instance Is Operational

You use the vSphere Web Client and the NSX Controller conunand line to determine the operational
status of the NSX Controller cluster with one node added.

1. Click the vSphere Web Client Home icon.

vmware· vSphere Web Client [i11 SJ

2. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
3. Expand the Hosts and Clusters inventory tree so that each cluster is expanded.
4. Click the vSphere refresh icon.

Updated at 2:13AM I[~~"]I root@localos ....

Lab 2 Configuring and Deploying an NSX Controller Cluster 9

5. In the Management and Edge Cluster inventory, select the newly deployed NSX Controller
virtual machine.
The virtual machine name starts with NSX Co n t r o ll e r . ..
6. In the middle pane, use the Summary tab report and answer the following questions.

Q1. What is the power status of the NSX Controller instance?

Q2. How many vCPUs does the NSX Controller instance have?

Q3. How much total memory does the NSX Controller instance have?

Q4. How large is the NSX Controller hard disk?

Q5. What port group is the NSX Controller instance connected to?

Q6. What is the IP address of the NSX Controller instance?

7. Minimize the Firefox window.

8. To use PuTTY to establish an SSH connection to the first NSX controller, perform the
following actions.
a. On the ControlCenter desktop , double-click the PuTTY shortcut.
b. In the Host Name (or IP address) text box, enter the TP address that you recorded in step
6, and click Open.
c. Tfprompted to confirm a PuTTY Security Alert, click Yes.
d. Log in as admin and enter the password VMwarel!.
9. Tn the PuTTY window, run the following command to determine the cluster status for the first
node .
show control-cluster status

10 Lab 2 Configuring and Deploying an NSX Controller Cluster

10. Review the command output and answer the following questions.

07. How many enabled and activated roles are listed?

•
08. Can the controller be safely restarted?

11. Run the following command to determine the startup nodes in the cluster, and review the
command output.
show control-cluster startup-nodes

12. Run the following command to review a detailed cluster role report.
show control-cluster roles

13. Review the command output and answer the following question.

09. How many roles have been assigned with the first controller as master?

14. Run the following command to review a cluster connections report.

show control-cluster connections

15. Review the command output and answer the following questions.

010. How many roles have components actively listening on a network port?

011. How many unique ports are used for role-based communications?

16. Close the PuTTY window and click OK when prompted to confinn.
17. Restore the Firefox window.

Lab 2 Configuring and Deploying an NSX Controller Cluster 11

Task 4: Deploy the Second NSX Controller Instance
You configure and deploy the second of three NSX controllers.
1. Click the vSphere Web Client Home icon.
2. On the vSphere Web Client Home tab, click Inventories> Networking and Security.
3. In the left navigation pane , select Installation.
4. In the middle pane, on the Management tab, click the green plus sign in the NSX Controller
nodes panel.
5. In the Add Controller dialog box, perform the following actions to configure and deploy the
second NSX controller
a . Select 192.1 68.110.42 from the NSX Manager drop-down menu .
b. Select ABC Medical from the Datacenter drop -down menu.
c. Select Management and Edge Cluster from the Cluster/Resource Pool drop-down menu.
d. Select ds-site-a-nfstrl from the Datastore drop-down menu.
e. Leave the Host selection blank.
f. Click Connected To> Select to open the Connect to a Network dialog box.
g. In the Connect to a Network dialog box, click Distributed Portgroup.
h. Click the Mgmt_Edge_VDS - Mgmt button and click OK.
i. Select Controller-Pool from the LP Pool drop-down menu.

j. Click OK.

6. Monitor the NSX Controller deployment to completion.

• Use the horizontal scroll bar to uncover the Status column, if necessary.
• Monitor the second node deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.

12 Lab 2 Configuring and Deploying an NSX Controller Cluster

Task 5: Verify That the Second NSX Controller Instance Is Operational
You use the vSphere Web Client and the NSX Controller command line to determine the operational
status of the NSX Controller cluster with two nodes added.
1. Click the vSphere Web Client Home icon.
2. On the vSphere Web Client Home tab, click the Inventories> Hosts and Clusters icon.
3. Expand the Hosts and Clusters inventory tree.
4. Click the vSphere refresh icon.
•
5. In the Management and Edge Cluster inventory, select the second NSX Controller instance.
The controller name starts with NSX Controller ...
6. In the middle pane, use the Summary tab report to answer the following questions.

Q1. What is the power status of the NSX Controller instance?

Q2. How many vCPUs does the NSX Controller instance have?

Q3. How much total memory does the NSX Controller instance have?

Q4. How large is the NSX Controller hard disk?

Q5. What port group is the NSX Controller instance connected to?

Q6. What is the IP address of the NSX Controller instance?

7. Minimize the Firefox window.

8. To use PuTTY to establish an SSH connection to the second NSX Controller, perform the
following actions.
a. On the ControlCenter desktop , double-click the PuTTY shortcut.
b. In the Host Name (or IP address) text box, enter the IP address that you recorded in step 6.
c. Click Open.
d. Ifprompted to confirm a PuTTY Security Alert, click Yes.
e. Log in as admin and enter the password VMwarel ! .

Lab 2 Configuring and Deploying an NSX Controller Cluster 13

9. In the PuTTY window, run the following command to determine the cluster status for the first
node.
show control -cluster status

10. Review the command output and answer the following questions.

Q7. How many enabled and activated roles are listed?

Q8. Can the controller be safely restarted?

11 . Run the following command to determine the startup nodes in the cluster, and review the
command output.
show control-cluster startup-nodes

12. Run the following command to review a detailed cluster role report .
show control-cluster roles

13. Review the command output and answer the following question.

Q9. How many roles have been assigned with the second controller as master?

14. Run the following command to review a cluster connections report.

show control-cluster connections

15. Close the PuTTY window and click OK when prompted to confirm.
16. Restore the Firefox window.

Task 6: Deploy the Third NSX Controller Instance

You configure and deploy the third NSX Controller instance.

1. Click the vSphere Web Client Home icon.

1. On the vSphere Web Client Home tab, click Inventories> Networking and Security.
2. In the left navigation pane, select Installation,
3. In the middle pane, on the Management tab, click the green plus sign in the NSX Controller
nodes panel.

14 Lab 2 Configuring and Deploying an NSX Controller Cluster

4. In the Add Controller dialog box, perform the following actions to configure and deploy the
third NSX controller.
a. Select 192.168.110.42 from the NSX Manager drop-down menu .
b. Select ABC Medical from the Datacenter drop-down menu.
c. Select Management and Edge Cluster from the Cluster/Resource Pool drop-down menu.
d. Select ds-site-a-nfsOl from the Datastore drop-down menu.
e. Leave the Host selection blank.
f. Click Connected To > Select to open the Connect to a Network dialog box.
•
g. In the Connect to a Network dialog box, click Distributed Portgroup.
h. Click the Mgmt_Edge_VDS - Mgmt button and click OK.
i. Select Controller-Pool from the IP Pool drop-down menu.
j. Click OK.

5. Monitor the NSX Controller deployment to completion.

• Use the horizontal scroll bar to uncover the Status column, if necessary.
• Monitor the third controller deployment until the status changes from Deploying to
Normal.

The deployment process takes a few minutes to complete.

Task 7: Verify That the Third NSX Controller Instance Is Operational

You use the vSphere Web Client and the NSX Controller command line to determine the operational
status of the NSX Controller cluster with three nodes added.
1. Click the vSphere Web Client Home icon.
2. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
3. Expand the Hosts and Clusters inventory tree.
4. Click the vSphere refresh icon.
5. In the Management and Edge Cluster inventory, select the third NSX controller.
The controller name starts with NSX Controller . ..
6. In the middle pane, use the Summary tab report to answer the following questions.

Lab 2 Configuring and Deploying an NSX Controller Cluster 15

 Q1. What is the power status of the NSX Controller instance?

Q2. How many vCPUs does the NSX Controller instance have?

Q3. How much total memory does the NSX Controller instance have?

04. How large is the NSX Controller hard disk?

05. What port group is the NSX Controller instance connected to?

06. What is the IP address of the NSX Controller instance?

7. Minimize the Firefox window.

8. To use PuTTY to establish an SSH connection to the third NSX controller, perform the
following actions .
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the Host Name (or IP address) text box, enter the IP address that you recorded in step
6.
c. Click Open.
d. Ifprompted to confirm a PuTTY Security Alert, click Yes.
e. Log in as admin and enter the password VMwarel! .
9. In the PuTTY window, run the following command to determine the cluster status for the first
node .
show control -cluster status

10. Review the command output and answer the following questions.

Q7. How many enabled and activated roles are listed?

Q8. Can the controller be safely restarted?

16 Lab 2 Configuring and Deploying an NSX Controller Cluster

11. Run the following command to determine the startup nodes in the cluster, and review the
command output.
show control-cluster startup-nodes

12. Run the following command to review a detailed cluster role report.
show control-cluster roles

13. Review the command output and answer the following question.

09. How many roles have been assigned with the second controller as master?
•
14. Run the following command to review a cluster connections report.
show control-cluster connections

15. Close the PuTTY window and click OK when prompted to confirm.
16. Restore the Firefox window.

Task 8: Clean Up for the Next Lab

You prepare for the next lab.

1. Click the vSphere Web Client Home icon.

Lab 2 Configuring and Deploying an NSX Controller Cluster 17

18 Lab 2 Configuring and Deploying an NSX Controller Cluster
Lab 3
Preparing for Virtual Networking

Objective: Install NSX for vSphere modules in ESXi

hosts and confiqure the VXLAN IP pools and a transport
zone
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Install NSX for vSphere Modules on the ESXi Hosts
3. Configure VXLAN on the ESXi Hosts
4. Configure the VXLAN ID Pool
5. Configure a Global Transport Zone
6. Clean Up for the Next Lab

Task 1: Prepare for the Lab

You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
2. If you are not logged in to the vSphere Web Client, perform the following actions .
a. In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMwarel!.

Lab 3 Preparing for Virtual Networking 19

Task 2: Install NSX for vSphere Modules on the ESXi Hosts
You install the VMware NSXTM for vSphere® modules on the VMware ESXi™ host assigned to
three different clusters.

1. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
2. In the left navigation pane, select Installation.
3. In the middle pane , click the Host Preparation tab .
4. For each cluster listed, click the Install link in the Installation Status column, and cli ck Yes
when prompted to confirm.
The following clusters are listed:

• Management and Edge Cluster

• Compute Cluster A
• Compute Cluster B
5. Monitor the installation status of each cluster until the Installation Status changes from
Installing to Un install and the VXLAN column contains an active Configure link.

Task 3: Configure VXLAN on the ESXi Hosts

For each cluster, you specify the VDS and IP pool to be used for VXLAN networking.

1. For Compute Cluster A, click the Configure link provided in the VXLAN column to open the
Configure VXLAN networking dialog box, and perform the following actions.
a. Verify that the Switch selection is Compute_VDS.
b. Verify that the VLAN setting is o.
c. Verify that the MTU setting is 1600.
d. For VMKNic IP Addressing, click Use IP Pool.
e. Select New IP Pool from the TP Pool drop-down menu to open the Add IP Pool dialog box.
f. Configure the following options.

Option Action
Name Enter VTEP - Poc 1-1 in the text box.

Gateway Enter 192 .168.250.2 in the text box.

This is the IP address of the vPod router on the transport network.

20 Lab 3 Preparing for Virtual Networking

 Option Action
Prefix Length Enter 24 in the text box.

Primary DNS Leave blank.

Secondary DNS Leave blank.

DNS Suffix Leave blank.

Static IP Pool Enter 192 . 168 . 250 . 51-192 . 168 • 250 . 60 in the text box .

g. Click OK to close the Add IP Pool dialog box.

h. Leave all other settings at default value and click OK.
2. Wait for the update to complete and determine if an error message appears in the VXLAN
column for Compute Cluster A.
If an error is indicated, it is a transitory condition that occurs early in the process of applying
the VXLAN configuration to the cluster. The vSphere Web Client interface has not updated to
display the actual status.

3. Click the vSphere Web Client Refresh icon, which is located to the left of the logged in user
name.

Updated at 2:"1 3 AM r~l' root@localos ...

4. Verify that the Compute Clu ster A VXLAN status is Enabled with a green check mark.
5. For Compute Cluster B, click the Configure link provided in the VXLAN column to open the
Configure VXLAN networking dialog box, and perform the following actions.
a. Verify that the Switch selection is Compute_VDS.
b. Verify that the VLAN setting is o.
c. Verify that the MTU setting is 1600.
d. For VMKNic IP Addressing, click Use IP Pool, and select VTEP-Pool-l from the drop-
down menu.
e. Leave all other settings at default value and click OK.
6. Wait for the update to complete and click the vSphere Web Client Refresh icon.

Lab 3 Preparing for Virtual Networking 21

7. Verify that the Compute Cluster B VXLAN status is Enabled with a green check mark.
If the VXLAN status is not Enabled, wait and refresh again until the status changes.

8. For Management and Edge Cluster, click the Configure link provided in the VXLAN column
to open the Configure VXLAN networking dialog box, and perform the following actions.
a. Verify that the Switch selection is Mgmt_Edge_VDS.
b. Verify that the VLAN setting is o.
c. Verify that the MTU setting is 1600.
d. For VMKNic IP Addressing, click Use IP Pool.

e. Select New IP Pool from the IP Pool drop-down menu to open the Add IP Pool dialog box.
f. Configure the following options

Option Action
Name EnterVTEP-Pool-2 in the text box.

Gateway Enter 192.168.150.2 in the text box.

This is the IP address of the vPod router on the transport network.

Prefix Length Enter 24 in the text box .

Primary DNS Leave blank.

Secondary DNS Leave blank.

DNSSuffix Leave blank.

Static IP Pool Enter 192 . 168 . 150 . 51-192 . 168 . 150 . 60 in the text box.

g. Click OK to close the Add IP Pool dialog box.

h. Leave all other settings at default value and click OK.
9. Wait for the update to complete and click the vSphere Web Client Refresh icon .
10 . Verify that the Management and Edge Cluster status is Enabled with a green check mark.

lfthe VXLAN status is not Enabled, wait and refresh again until the status changes.

11. Click the Logical Network Preparation tab and verify that VXLAN Transport is selected.

12. In the Clusters and Hosts list, expand each of the three clusters listed.

22 Lab 3 Preparing for Virtual Networking

13. For each host, confirm the host has a vmk# interface, then determine the following.
• IP that was assigned to each host _
• Switch that is connected to each host's VMKNic connected to - - - - -

Task 4: Configure the VXLAN 10 Pool

You configure the ID range used to identify VXLAN networks.
1. On the Logical Network Preparation tab, click the Segment ID button.
2. Click Edit to open the Segment ID pool dialog box and configure the following options .

Option Action
Segment ID Pool Enter 5000-5999 in the text box.

Enable multicast addressing Leave the check box deselected.

3. Click OK.

Task 5: Configure a Global Transport Zone

A transport zone specifies the hosts and clusters that are associated with logical switches created in
the zone. Hosts in a transport zone are automatically added to the logical switches that you create .
This process is very similar to manually adding hosts to VMware vSphere® Distributed Switch''Y.
1. On the Logical Network Preparation tab, click Transport Zones.
2. Click the green plus sign to open the New Transport Zone dialog box and configure the
following options .

Option Action

Name Enter Global Transport Zone in the text box.

Control Plane Mode Click the Unicast button.

Select clusters to add Select the check box for each of the three clusters listed.

3. Click OK.
4. Wait for the update to complete and verify that Global Transport Zone appears in the transport
zones list, with a Control Plane Mode ofUnicast.

Lab 3 Preparing for Virtual Networking 23

Task 6: Clean Up for the Next Lab
You perform this action to prepare for the next lab.

1. In the vSphere Web Client, remain in the Networking & Security view.

24 Lab 3 Preparing for Virtual Networking

Lab 4
Configuring and Testing Logical Switch
Networks

Objective: Create and test logical switches for the Web-

•
Tier, App-Tier, DB-Tier, and transport networks
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Create Logical Switches

3. Verify That Logical Switch Port Groups Appear in vSphere
4. Migrate Virtual Machines to Logical Switches
5. Test Connectivity
6. Clean Up for the Next Lab

Lab 4 Configuring and Testing Logical Switch Networks 25

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. Tfthe Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
2. Tfyou are not logged in to the vSphere Web Client, click the vSphere Web Client bookmark in
the Firefox window.
3. When prompted, log in as root and enter the password VMwarel ! .
4. On the vSphere Web Client Home tab, click Inventories> Networking & Security.

Task 2: Create Logical Switches

You create logical switches for the Transit, Web-Tier, App-Tier, and DB-Tier networks .
1. In the left navigation pane, select Logical Switches.
2. In the center pane, click the green plus sign to open the New Logical Switch dialog box, and
perform the following actions to configure the Transit-Network switch.
a. Enter Transit-Network in the Name text box.
b. Verify that the Transport Zone selection is Global Transport Zone.
c. Verify that the Control Plane Mode selection is Unicast.
d. Click OK.
3. Wait for the update to complete and confirm Transit-Network appears with a status of Normal.
4. Click the green plus sign to open the New Logical Switch dialog box.
5. Perform the following actions to configure the Web-Tier switch.
a. Enter Web-Tier in the Name text box.
b. Verify that the Transport Zone selection is Global Transport Zone.
c. Verify that the Control Plane Mode selection is Unicast.
d. Click OK.
6. Wait for the update to complete and confirm Web-Tier appears with a status of Normal.
7. Click the green plus sign to create a new logical switch.
8. In the New Logical Switch dialog box, perform the following actions.
a. Enter App-Tier in the Name text box.
b. Verify that the Transport Zone selection is Global Transport Zone.

26 Lab 4 Configuring and Testing Logical Switch Networks

 c. Verify that the Control Plane Mode selection is Unicast.
d. Click OK.
9. Wait for the update to complete and confirm App-Tier appears with a status of Normal.
10. Click the green plus sign to create a new logical switch.
11. In the New Logical Switch dialog box, perform the following actions .
a. Enter DB-Tier in the Name text box.
b. Verify that the Transport Zone selection is Global Transport Zone.
c. Verify that the Control Plane Mode selection is Unicast.
d. Click OK.
12. Wait for the update to complete and confirm DB-Tier appears with a status of Normal.

Task 3: Verify That Logical Switch Port Groups Appear in vSphere

Verify logical switch port groups appear in the VMware vSphere® Networking inventory.
1. Click the vSphere Web Client Home icon.
•
2. On the vSphere Web Client Home tab, click the Inventories> Networking icon.
Be sure to click the (vSphere) Networking icon, and not the (VMware NSXTM) Networking and
Security icon.
3. Expand the Networking inventory tree.
4. Click the vSphere Web Client Refresh icon.

[~]I root@localos ~ I Help ~

5. Drag the pane divider to the right to expand the horizontal size of the inventory pane so that the
port group names are entirely shown.
6. In the Mgmt_Edge_VDS inventory, find port groups with names ending with the following.
• Transit-Network
• Web-Tier
• App-Tier
• DB-Tier

Lab 4 Configuring and Testing Logical Switch Networks 27

7. If the specified port groups do not appear in the Mgmt_Edge_VDS inventory, perform the
following actions.
a. Wait one minute .
b. Click the vSphere Web Client Refresh icon.
c. Repeat step 7 until the port groups appear in the Mgmt_Edge_VDS inventory.
8. Use the networking inventory to answer the following questions.

Q1. Have the same logcial switch port groups been added to both distributed
switches?

Q2. If the same port groups appear on both switches, why has the system
configured networking in this way?

Q3. Can the 10 number, associated with a VXLAN logical switch be determined from
the port group name?

Q4. Does the transit network port group in both the Compute_VDS and
Mgmt_Edge_VOS inventories share the same VXLAN 10?

Task 4: Migrate Virtual Machines to Logical Switches

You use the vSphere Web Client plug-in for VMware NSX Manager" to migrate virtual machines
to logical switches .
1. Click the vSphere Web Client Home icon.
2. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
3. In the left navigation pane, select Logical Switches.
4. In the center pane, select the Web-Tier logical switch.
5. Click the Add Virtual Machines icon, or select Add VM ... from the Actions drop-down menu.

+ I" I
X '&J I~ -r I <'Q Actions ...

28 Lab 4 Configuring and Testing Logical Switch Networks

 The Actions drop-down menu appears at the top of the middle pane.

I
CJc> db-sv-O1a Acti (I ns .....

JSummary Monitor Manage Relatefl0bjects

6. In the Web-Tier - Add Virtual Machines dialog box, perform the following actions to migrate
virtual machines to the Web-Tier logical switch.
a. In the filter list, select the web-sv-Ola and web-sv-02a check boxes.
b. Click Next.
c. In the Select VNICs list, select the Network Adapter 1 (VM Network) check box for

•
web-sv-O1a and web-sv-02a.
d. Click Next.
e. Click Finish.
7. In the Recent Tasks panel , monitor the virtual machine migrations to completion.
8. In the Logical Switches list, double-click the Web-Tier entry to manage that object.
9. Click the Related Objects tab and click Virtual Machines.

Q1. Do the web-sv-01 a and web-sv-02a virtual machines appear in the virtual
machines list?

Q2. Do any other virtual machines appear in the list?

10. At the top of the left inventory pane, click the Network & Security back arrow.
11. In the Logical Switches list, select the App-Tier logical switch.
12. Click the Add Virtual Machines icon, or select Add VM ... from the Actions drop-down menu.
13. In the Add Virtual Machines dialog box, perform the following actions to migrate virtual
machin es to the App-Tier logical switch .
a. In the filter list, select the app-sv-Ola check box.
b. Click Next.
c. In the Select VNICs list, select the Network Adapter 1 (VM Network) check box for
app-sv-O1a.

Lab 4 Configuring and Testing Logical Switch Networks 29

 d. Click Next.
e. Click Finish.
14. In the Recent Tasks panel, monitor the virtual machine migration to completion.
15. In the Logical Switches list, select the DB-Tier logical switch.
16. Click the Add Virtual Machines icon, or select Add VM... from the Actions drop-down menu.
17. In the Add Virtual Machines dialog box , perform the following actions to migrate virtual
machines to the DB-Tier logical switch.
a. In the filter list, select the db-sv-Ola check box.
b. Click Next.
c. In the Select VNICs list, select the Network Adapter 1 (VM Network) check box for
db-sv-Ola.
d. Click Next.

e. Click Finish.
18. In the Recent Tasks panel, monitor the virtual machine migration to completion.

Task 5: Test Connectivity

Test connectivity between virtual machines, between a physical system and the virtual machines,
and between hosts using virtual switch monitoring tools .
1. Click the vSphere Web Client Home icon.
2. On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
3. Expand the VMs and Templates inventory tree and power on each of the following virtual
machines found in the Discovered virtual machine folder.
• web-sv-O 1a
• web-sv-02a
• app-sv-O 1a
• db-sv-Ol a
To power on a virtual machine, select the virtual machine in the inventory, then select Power On
from the Actions drop-down menu.

30 Lab 4 Configuring and Testing Logical Switch Networks

4. Record the IP address assigned to each of the following virtual machines.
• web-sv-O1a IP address: -----
• web-sv-02a IP address: _
• app-sv-Ol a IP address : _
• db-sv-OIa IP address : - - - - -
To view an IP address assignment, select the virtual machine in the inventory. The IP address
assignment appears at the top of the Summary tab report.

j Summary Monitor Manage Related Objects

app-su-01a
Guest as:
Compatibilit·:;,:

DNS Name:
IP Addresses:
SUSE Linux Enterprise 11 (64-bit)
ESXi 5. I] and later (\...t'11 ··.. ersion B)
\ ..t,/I··Nare Tools: Running, 'o/ersion:9344 (Current)
a s-s» -01a
•
Host:

The IP address information is also provided in your Lab Topology handout on the Lab
Networks and IP Addressing page.
5. Test connectivity from the web-sv-Ola virtual machine using a console window.
a. In the VMs and Templates inventory tree, select the wcb-sv-Ola virtual machine.
b. Select Open Console from the Actions drop-down menu .
It may take a minute for the console window to initialize. Hover the mouse over the
console window, wait until the mouse pointer becomes a hand icon, then click anywhere
inside the console window and press enter.
c. Log in as root and enter the password VMwarell .
d. At the command line prompt, run the following command to query the ARP cache.
arp -an

01. Did the command return any entries?

Lab 4 Configuring and Testing Logical Switch Networks 31

 e. At the command line prompt, run the following command to ping the web-sv-02a virtual
machine. Replace ip_address with the web-sv-02a IP address recorded in step 4.
ping ip_address

Q2. Did the ping command receive replies from the web-sv-02a virtual machine?

f. Press Ctrl+C to stop the ping command.

g. At the command line prompt, run the following command to query the ARP cache.
arp -an

Q3. Did the command return any entries?

h. At the command line prompt, run the following command to ping the app-sv-Gl a virtual
machine. Replace ip_address with the app-sv-Ola [P address recorded in step 5.
ping ip_address

Q4. Did the ping command receive replies from the app-sv-01 a virtual machine?

i. Press Ctrl+C to stop the ping command.

j. At the command line prompt, run the following command to ping the db-sv-Ol a virtual
machine. Replace ip_address with the db-sv-Ol a IP address recorded in step 5.
ping ip_address

Q5. Did the ping command receive replies from the db-sv-01a virtual machine?

k. Press Ctrl+C to stop the ping command.

I. Based on the ping tests conducted, answer the following question.

Q6. If any ping test failed, what might be the root cause?

m. In the Firefox window, press Ctrl+Alt to release the mouse cursor.

n. Leave the web-sv-O1a console tab open for the remainder of the class.
o. In the Firefox window, click the vSphere Web Client tab.

32 Lab 4 Configuring and Testing Logical Switch Networks

6. Test connectivity from the Control Center system using a command prompt window.
a. Minimize the Firefox window.
b. On the ControlCenter desktop, double-click the Command Prompt shortcut.
c. In the command prompt window, run the following command to ping the web-sv-Ola
virtual machine and replace ip_address with the web-sv-Ola IP address recorded in step 4.
ping ip_address

07. Did the ping command receive replies from the web-sv-01a virtual machine?

08. If no ICMP replies were received, why?

d. Leave the Command Prompt window open for the remainder of the class.
7. Test connectivity using logical switch monitoring tools .
a. Restore the Firefox window.
b. Click the vSphere Web Client Home icon.
•
c. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
d. In the left navigation pane, select Logical Switches.
e. In the center pane, double-click the Web-Tier entry to manage that object.
f. Click the Monitor tab and verify that the Ping test is selected.

g. Click Source host> Browse.

h. Click the esx-Ola.corp.local button and click OK.
i. Click Destination host> Browse.
j . Click the esx-02a.corp.local button and click OK.

k. Verify that the Size of test packet selection is VXLAN standard and click Start Test.
I. Click Start Test.

m. In the Recent Tasks panel, monitor the test task to completion.

09. What were the results of the test?

n. At the top of the left navigation pane , click the Networking & Security back arrow button.

Lab 4 Configuring and Testing Logical Switch Networks 33

Task 6: Clean Up for the Next Lab
You perform these actions to prepare for the next lab.
1. In the vSphere Web Client interface, stay in the Networking & Security view.
2. In the Firefox window, leave the following tabs open.
• vSphere Web Client
• web-sv-Ola
3. On the Control Center desktop, leave the Command Prompt window open .

34 Lab 4 Configuring and Testing Logical Switch Networks

Lab 5
Configuring and Deploying an NSX
Distributed Router

Objective: Configure East-West routing by deploying a

distributed logical router
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Configure and Deploy an NSX Distributed Logical Router
3. Verify the Distributed Router Deployment and Configuration
4. Test Connectivity
5. Use NSX Controller CLI Commands to Verify the Distributed Router Deployment
6. Clean Up for the Next Lab

Lab 5 Configuring and Deploying an NSX Distributed Router 35

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere ® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop , perform the following
actions.
a . On the Control Center desktop , double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client bookmark in
the Firefox window.
4. When prompted, log in as root and enter the password VMwarel ! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following action s.
a. On the vSphere Web Client Home tab, click Inventories> VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ola.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMwarel ! .
e. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

Task 2: Configure and Deploy an NSX Distributed Logical Router

You configure and deploy a VMware NSXTM Distributed Logical Router that is connected to each of
the logical switches.
1. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
2. In the left navigation pane, select NSX Edges.
3. In the center pane, click the green plus sign to open the New NSX Edge dialog box.
4. On the Name and description page, click the Logical (Distributed) Router button.
5. Enter Distributed Router in the Name text box and click Next.
6. On the CLI credentials page, enter VMwarel ! VMwarel! in the password text box.
Enter the password correctly because a verification box is not provided and the password
cannot be shown .

36 Lab 5 Configuring and Deploying an NSX Distributed Router

7. Select the Enable SSH Access check box and click Next.
8. On the Configure Deployment page, verify that the Datacenter selection is ABC Medical.
9. Under NSX Edge Appliances , click the green plus sign to open the Add NSX Edge Appliance
dialog box, and perform the following actions.
a. Select Management and Edge Cluster from the ClusterlResource Pool drop-down menu.
b. Select ds-site-a-nfsOl from the Datastore drop-down menu.
c. Leave all other fields blank, and click OK.
10. Click Next.
11. On the Configure interfaces page, click the Connected To > Select link under Management
Interface Configuration.
12. In the Connect NSX Edge to a Network dialog box, click Distributed Portgroup.
13. Click the Mgmt_Edge_VDS - Mgmt button and click OK.
14. Under Configure Interfaces for this NSX Edge, click the green plus sign to open the Add
Interface dialog box, and perform the following actions to configure the first of four interfaces.
a. Enter Transit-Interface in the Name text box.
b. For Type, leave UpLink selected.
c. Click the Connected To > Select lillie
d. Click the Transit-Network button and click OK.
e. Click the green plus sign under Configure Subnets.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 192.168.10.2 in the IP Address text box and click OK to confirm the entry.
h. Enter 29 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.
j. Leave all other settings at default value and click OK.
15. Under Configure Interfaces for this NSX Edge, click the green plus sign to open the Add Interface
dialog box, and perform the following actions to configure the second of four interfaces.
a. Enter Web- Interface in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click the Web-Tier button and click OK.
e. Click the green plus sign under Configure Subnets.

Lab 5 Configuring and Deploying an NSX Distributed Router 37

 f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 172.16.10.1 in the IP Address text box, and click OK to confirm the entry.
h. Enter 24 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.

j. Leave all other settings at default value and click OK.

16. Under Configure Interfaces for this NSX Edge, click the green plus sign to open the Add
Interface dialog box, and perform the following actions to configure the third of four interfaces.
a. Enter App-Interface in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click the App-Tier button and click OK.
e. Click the green plus sign under Configure Subnets.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 172.16.20.1 in the IP Address text box and click OK to confirm the entry.
h. Enter 24 in the Subnet prefix length text box.
i. Click OK to dose the Add Subnet dialog box.

j. Leave all other settings at default value and click OK.

17. Under Configure Interfaces for this NSX edge, click the green plus sign to open the Add
Interface dialog box, and perform the following actions to configure the fourth interface .
a. Enter DB- Interface in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click the DB-Tier button and click OK.
e. Click the green plus sign under Configure Subnets .
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 172.16.30.1 in the IP Address text box and click OK to confirm the entry.
h. Enter 24 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.

j. Leave all other settings at default value and click OK.

38 Lab 5 Configuring and Deploying an NSX Distributed Router

18. Compare the interface configurations to the following table. If any entry is not configured
correctly, edit the entry by selecting it and clicking the pencil icon.

Name IP Address Subnet Prefix Length Connected To

Transit-Interface 192.168.10.2 29 Transit-Network

Web-Interface 172.16.10.1 24 Web-Tier

App-Interface 172.16.20.1 24 App-Tier

DB-Interface 172.16.30.1 24 DB-Tier

19. Click Next.

20. On the Configure HA page, click Next.
21. On the Ready to complete page, review the configuration report and click Finish.
22. Above the edge list, monitor the deployment to completion.
The deployment is complete when 0 installations are active.

[::.# 1 Installing ~ 0 Failed 1

e

Task 3: Verify the Distributed Router Deployment and Configuration

You verify that the distributed router has been configured correctly and has deployed successfully.
1. In the edge list, verify that the Distributed Router entry has a type of Logical Router.
2. Double-click the Distributed Router entry to manage that object.
3. Click the Manage tab and verify that the Settings button is selected .
4. In the settings category panel, select Interfaces.

f Settings 1Firewall I Routin g I Bridging 1

Config

Configuration

Interfaces v NIC#

Lab 5 Configuring and Deploying an NSX Distributed Router 39

5. In the Interfaces list, verify that each interface shows a green check mark in the Status column.
6. In the settings category panel, select Configuration.
7. At the bottom of the center pane, locate the Logical Router Appliances panel and answer the
following questions.

Q1. On which datastore is the Logical Router Controller deployed?

Q2. On which host is the Logical Router Controller running?

8. Click the vSphere Web Client Home icon.

9. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
10. Expand the inventory tree so that all the inventory for each cluster is shown.
11 . In the inventory tree, locate and select the Distributed Router virtual machine, and use the
Summary tab report to answer the following questions.
The Distributed Router item name starts with the text Distributed Router and appears in
Management and Edge Cluster.

Q3. How many vCPUs does the virtual machine have?

Q4. How much memory does the virtual machine have?

Q5. How large is the hard disk?

Q6. How many network adapters are connected to port groups?

12. Click the vSphere Web Client Home icon.

40 Lab 5 Configuring and Deploying an NSX Distributed Router

Task 4: Test Connectivity
Test connectivity between virtual machines, between a physical system and the virtual machines,
and between hosts using virtual switch monitoring tools.
1. On the vSphere Web Client Home tab, click Inventories> VMs and Templates.
2. Record the IP address assigned to each of the following virtual machines found in the
Discovered virtual machine folder.
• web-sv-Ola IP address: - - - - -
• web-sv-02a IP address: - - - - -
• app-sv-Ola IP address: _
• db-sv-O1a IP address: - - - - -
The IP address information can also be found in your Lab Topology handout on the Lab
Networks and IP Addressing page.
3. Test connectivity from the web-sv-O1a virtual machine.
a. In the Firefox window, click the web-sv-Ola tab.
b. At the command prompt, run the following command to ping the web-sv-02a virtual
machine.
Replace ip_address with the web-sv-02a IP address recorded in step 2.
ping ip_address

01. Did the ping command receive replies from the web-sv-02a virtual machine?

c. Press Ctrl+C to stop the ping command.

d. At the command prompt, run the following command to ping the app-sv-Ola virtual
machine.
Replace ip_address with the app-sv-O1a IP address recorded in step 2.

ping ip_address

02. Did the ping command receive replies from the app-sv-nt a virtual machine?

e. Press Ctrl+C to stop the ping command.

Lab 5 Configuring and Deploying an NSX Distributed Router 41

 f. At the command prompt, run the following command to ping the db-sv-Ola virtual
machine.
Replace ip _address with the db-sv-O I a IP address recorded in step 2.
ping ip_address

Q3. Did the ping command receive replies from the db-sv-01a virtual machine?

g. Press Ctrl+C to stop the ping command.

h. Based on the ping tests conducted, answer the following questions.

Q4. Do these results differ from the ping tests you performed after creating the
logical switches (before adding the distributed router)?

i. At the command prompt, run the following command to query the ARP cache.

arp -an

Q5. Did the command return any entries?

j. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
4. Test connectivity from the ControJCenter system using a Command Prompt window.
a. Minimize the Firefox window.
b. In the Command Prompt window, run the following command to ping the web-sv-O1a
virtual machine.
Replace ip_address with the web-sv-O1a IP address recorded in step 2.
ping ip_address

Q6. Did the ping command receive replies from the web-sv-01a virtual machine?

42 Lab 5 Configuring and Deploying an NSX Distributed Router

 c. In the Command Prompt window, run the following command to ping the web-sv-02a
virtual machine.
Replace ip_address with the web-sv-02a IP address recorded in step 2.
ping ip_address

Q7. Did the ping command receive replies from the web-sv-02a virtual machine?

Q8. If no ICMP replies were received during the preceding tests, why?

d. Leave the Command Prompt window open.

Task 5: Use NSX Controller Cli Commands to Verify the Distributed

Router Deployment
You log in to the VMware NSX Controller" instance that owns the VNI slice and examine logical
switch tables .
1. On the ControlCenter desktop, double-click the PuTTY shortcut.
2. In the PuTTY window, connect to any of the NSX Controller nodes by performing the
following actions.
a. In the Host Name (or IP address) text box, enter the IP address of any NSX Controller
node.
The NSX ControllerIP address pool is 192.168.110.20 1 through 192.168.110.210. The first
three IP addresses in that range have been assigned to the NSX Controller instances.
b. Click Open.
c. If you are prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMwarel ! .
3. At the command prompt, run the following command to determine which controller node owns
the VNI slice.
show control-cluster logical-switches vni 5001

~!NI Controller
5001 192.168.110.201

The 5001 VNI is the Web-Tier network VNI.

Lab 5 Configuring and Deploying an NSX Distributed Router 43

4. If you are not connected to the controller that owns the slice, perform the following actions.
a. Record the IP address of the contro ller that owns the slice. - - - - -

b. Close the PuTTY window and click OK when prompted to confirm.

c. On the ControlCenter desktop , double-click the PuTTY shortcut.
d. In the Host Name (or IP address) text box, enter the IP address of the controller that owns
the VNI slice .
e. Click Open.
f. If you are prompted to confirm a PuTTY security alert , click Yes.
g. Log in as admin and enter the password VMwarel! .
5. At the command prompt, run the following commands and review the command output.
show control-cluster logical-switches vtep-table 5001
show control-cluster logical-switches mac-table 5001
show control -cluster logical-switches arp -table 5001

6. If the ARP-table is empty, you can repeat task 4, step 3 to repopulate the table.

Task 6: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. Close the PuTTY window and click OK when promoted to confirm.
2. Restore the Firefox window.
3. Click the vSphere Web Client Home icon.
4. In the Firefox window, leave the following tabs open .
• vSphere Web Client
• wcb-sv-Ola
5. On the ControlCenter desktop, leave the Command Prompt window open.

44 Lab 5 Configuring and Deploying an NSX Distributed Router

Lab 6
Deploying an NSX Edge Services
Gateway and Configuring Static Routing

Objective: Configure and deploy an NSX Edge services

gateway to provide perimeter routing and other network
.
services
In this lab, you will perform the following tasks:

1. Prepare for the Lab

2. Configure and Deploy an NSX Edge Gateway
3. Verify the NSX Edge Gateway Deployment
•
4. Configure Static Routes on the NSX Edge Gateway
5. Configure Static Routes on the Distributed Router
6. Test Connectivity Between an External Network and a Logical Switch Network
7. Clean Up for the Next Lab

Lab 6 Deploying an NSX Edge Services Gateway and Configuring Static Routing 45
Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. If a Command Prompt window is not open on the Control Center desktop, perform the
following actions.
a. On the ControlCenter desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client bookmark in
the Firefox window.
4. When prompted, log in as root and enter the password VMwarel ! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following actions.
a. On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ol a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMwarel ! .
e. Press Ctr1+Alt to release the mouse cursor and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

Task 2: Configure and Deploy an NSX Edge Gateway

You configure and deploy an VMware NSX Edge" services gateway to provide North-South
routing and other network services.
1. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
2. In the left navigation pane, select NSX Edges.
3. In the middle pane, click the green plus sign to open the New NSX Edge dialog box.
4. On the Name and description page, leave Edge Services Gateway selected.
5. Enter Perimeter Gateway in the Name text box and click Next.
6. On the CLI credentials page, enter VMwarel ! VMwarel! in the password text box.
Enter the password correctly because a verification box is not provided and the password
cannot be shown.

46 Lab 6 Deploying an NSX Edge Services Gateway and Configuring Static Routing
7. Select the Enable SSH access check box and click Next.
8. On the Configure deployment page, verify that the Datacenter selection is ABC Medical.
9. Verify that the Appliance Size selection is Compact.
10. Verify that the Enable auto rule generation check box is selected.
11. Under NSX Edge Appliances, click the green plus sign to open the Add NSX Edge Appliance
dialog box, and perform the following actions.
a. Select Management and Edge Cluster from the ClusterlResource Pool drop-down
menu.
b. Select ds-site-a-nfsOl from the Datastore drop-down menu.
c. Leave all other fields at default value and click OK.
12. Click Next.
13. On the Configure Interfaces page , click the green plus sign to open the Add NSX Edge
Interface dialog box, and perform the following actions to configure the first of two interfaces.
a . Enter Uplink- Interface in the Name text box.
b. For Type, leave UpLink selected.
c. Click the Connected To > Select link.
d. Click Distributed Portgroup.
e. Click the Mgmt-Edge-VDS - HQ Uplink button and click OK.
f. Click the green plus sign under Configure Subnets.

g. In the Add Subnet dialog box , click the green plus sign to add an IF address field.
h. Enter 192.168.100.3 in the IP Address text box and click OK to confirm the entry.
•
i. Enter 24 in the Subnet prefix length text box.

j. Click OK to close the Add Subnet dialog box.

k. Leave all other settings at default value and click OK.

14. Click the green plus sign to open the Add NSX Edge Interface dialog box, and perform the
following actions to configure the second interface.
a. Enter Transi t - Interface in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link .
d. Click the Transit-Network button and click OK.

Lab 6 Deploying an NSX Edge Services Gateway and Configuring Static Routing 47
 e. Click the green plus sign under Configure Subnets.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.

g. Enter 192 . 168 . 10 . 1 in the IP Address text box and click OK to confirm the entry.
h. Enter 29 in the Subnet prefix length text box.
i, Click OK to close the Add Subnet dialog box.

j. Leave all other fields at default value and click OK.

15. Compare the interface configurations to the following table. If any interface is not configured
correctly, edit the interface by selecting that entry and clicking the pencil icon.

Subnet Prefix
Name IP Address Length Connected To
Uplink-Interface 192.168.100.3 24 Mgmt_Edge_VDS - HQ Uplink

Transit-Interface 192.168.10.1 29 Transit-Network

16. Click Next.

17. On the Default gateway settings page, select the Configure Default Gateway check box.
18. Verify that the vNIC selection is Uplink-Interface.
19. Enter 192.168.100.2 in the Gateway IP text box.
This value is the IP address of the vPod router on the HQ Uplink port group.
20. Leave all other settings at default value and click Next.
21. On the Firewall and HA page , select the Configure Firewall default policy check box.
22. For the Default Traffic Policy, click Accept.
23. Leave all other fields at the default values and click Next.
24. On the Ready to Complete page, review the configuration report and click Finish.
25. Above the edge list, monitor the deployment to completion.
The deployment is complete when 0 installations are active .

::: 1 Installing

48 Lab 6 Deploying an NSX Edge Services Gateway and Configuring Static Routing
Task 3: Verify the NSX Edge Gateway Deployment
You verify the state of the deployed NSX Edge services gateway appliance by reviewing appliance
configuration reports.
1. In the edge list, verify that the Perimeter Gateway type is NSX Edge.

2. Double-click the Perimeter Gateway entry to manage that object.

3. In the middle pane , click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces and confirm that each configured interface has
a green check mark in the Status column.
5. In the settings category panel , select Configuration.
6. At the bottom of the middle pane, locate the NSX Edge Appliances list and answer the
following questions.

01. On what datastore is the Perimeter Gateway appliance deployed?

02. On which host is the Perimeter Gateway appliance running?

7. Click the vSphere Web Client Home icon.

•
8. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
9. Expand the Hosts and Clusters inventory tree so that the inventory of each cluster is shown.
10. Click the vSphere Web Client Refresh icon.
11. Select the Perimeter Gateway appliance in the Management and Edge Cluster inventory.
The appliance virtual machine name starts with Perimeter Gateway, followed by a number, for
example, Perimeter Gateway-G.

12. In the middle pane, use the Summary tab report to answer the following questions.

03. How many vCPUs does the appliance have?

04. How much total memory does the appliance have?

05. How big is the appliance hard disk?

Lab 6 Deploying an NSX Edge Services Gateway and Configuring Static Routing 49
 06. How many network adapters does the appliance have?

07. How many network adapters are connected to port groups?

Task 4: Configure Static Routes on the NSX Edge Gateway

You configure a static route that specifies the transit network interface on the distributed router as
the next hop for traffic destined to the Web-Tier, App-Tier, or DB-Tier logical switch networks.
1. Click the vSphere Web Client Home icon.
2. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
3. In the left navigation pane, select NSX Edges.
4. In the edge list, double-click the Perimeter Gateway entry to manage that object.
5. In the middle pane, on the Manage tab, click Routing.
6. In the routing category panel, select Static Routes.
7. Click the green plus sign to open the Add Static Route dialog box and perform the following
actions.
a. Select Transit-Interface from the Interface drop-down menu.
b. Enter 172 .16.0.0/19 in the Network text box.
The /19 specification encompasses the Web-Tier, App-Tier, and DB-Tier network s.
c. Enter 192.168.10.2 in the Next Hop text box.
This value is the Distributed Router interface on the Transit network.
d. Leave all other settings at default value and click OK.
8. Above the static routes list, click Publish Changes.
9. Wait for the update to complete and confirm that the new route with a type of user appears in
the list.

Task 5: Configure Static Routes on the Distributed Router

You configure a static route that specifies the transit network interface on the edge services gateway
as the next hop for traffic destined to the Management network .
1. In the left navigation pane, click the Networking & Security back arrow button.
2. In the edge list, double-click the Distributed Router entry to manage that object.

50 Lab 6 Deploying an NSX Edge Services Gateway and Configuring Static Routing
3. In the middle pane, on the Manage tab, click Routing.
4. In the routing category panel, verify that Static Routes is selected.
5. Click the green plus sign to open the Add Static Route dialog box and perform the following
actions.
a. Select Transit-Interface from the Interface drop-down menu.
b. Enter 192.168.110.0/24 in the Network text box.
This address is the address of the Management network.
c. Enter 192.168.10.1 in the Next Hop text box.
This address is the address of the Perimeter Gateway interface on the Transit network.

d. Leave all other settings at default value and click OK .

6. Above the static routes list, click Publish Changes.
7. Wait for the update to complete and confirm that the new route with a type of user appears in
the list.

Task 6: Test Connectivity Between an External Network and a Logical

Switch Network
You test bidirectional communication over the transit network using the static routes defined on the
distributed router and the NSX Edge services gateway.
1. In the Firefox window, click the web-sv-Ola tab.

2. At the web-sv-O1a command prompt, run the following command to ping the ControlCenter
system.
ping 192.168.110.10
•
3. Confirm that ICMP echo replies are received and press Ctrl+C to stop the ping command.
The ping test demonstrates the bidirectional connectivity between the logical switch network
and the Management network, for traffic initiated on the Web-Tier network. If the ping
command does not receive the expected replies, ask your instructor for assistance.

4. In the Firefox window, press Ctr1+Alt to release the mouse cursor, open a new browser tab , and
browse the web-sv-O 1a IP address .
http://172 .16 .10.11

5. After the web-sv-O 1a Web page is displayed, browse the web-sv-02a IF address .
http://172.16 .10.12

Lab 6 Deploying an NSX Edge Services Gateway and Configuring Static Routing 51
6. After the web-sv-02a Web page is displayed, close the Firefox tab used to browse the Web
servers.
The Ping and HTTP tests that are conducted verify bidirectional connectivity between the
management and Web-Tier networks for connections initiated in either direction.

7. Minimize the Firefox window.

8. On the ControlCenter desktop, in the Command Prompt window, run the following command to
verify that the static routes enable bidirectional connectivity between the Management network
and the App-Tier logical switch network.
ping 172.16.20.11

9. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
10. Run the following command to verify that the static routes enable bidirectional connectivity
between the Management network and the DB-Tier logical switch network.
Ping 172.16.30.11

11 . Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
12. Leave the Command Prompt window open.
13. Restore the Firefox window and click the vSphere Web Client tab.

Task 7: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.

1. In the left navigation pane, click the Networking & Security back arrow button.
2. In the Firefox window, leave the following tabs open.
• vSphere'Veb Client
• web-sv-Ola
3. On the ControlCenter desktop, leave the Command Prompt window open.

52 Lab 6 Deploying an NSX Edge Services Gateway and Configuring Static Routing
Lab 7
Configuring and Testing Dynamic
Routing on NSX Edge Appliances

Objective: Configure OSPF to establish bidirectional

connectivity between the Management network and the
Web-Tier, App-Tier, and DB-Tier logical switch networks
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Remove Static Routes from Perimeter Gateway
3. Configure OSPF on Perimeter Gateway
4. Redistribute Perimeter Gateway Subnets
5. Remove Static Route on Distributed Router
6. Configure OSPF on Distributed Router
•
7. Redistribute Distributed Router Internal Subnets
8. Troubleshoot Connectivity Between Logical Switch Networks and the Management Network
9. Resolve the Connectivity Issue
10. Clean Up for the Next Lab

Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances 53

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere ® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop , perform the following
actions.
a . On the Control Center desktop , double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop .
2. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client bookmark in
the Firefox window.
4. When prompted, log in as root and enter the password VMwarel! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following actions.
a. On the vSphere Web Client Home tab, click the lnventories > VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ol a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root using the VMwarel! password.
e. Press CtrI+AIt to release the mouse cursor and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

6. On the vSphere Web Client Home tab, click Inventories> Networking & Security.

Task 2: Remove Static Routes from Perimeter Gateway

You remove the static routes that you configured in an earlier lab to configure dynamic routing using
the Open Shortest Path First (OSPF) routing protocol.
1. Minimize the Firefox window.
2. On the ControlCenter desktop, in the Command Prompt window, run the following command to
test bidirectional connectivity between the Management Network and the Web-Tier logical
switch network.
ping 172.16.10.11

54 Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances

3. Verify that ICMP echo replies are received.
If ICMP echo replies are not received, you might be performing this lab without first
configuring static routing when the VMware NSX Edge" services gateway was deployed in an
earlier lab. Ask your instructor for assistance if the expected replies are not observed.
4. Leave the Command Prompt window open.
5. Restore the Firefox window.
6. In the left navigation pane, select NSX Edges.
7. In the edge list, double-click the Perimeter Gateway entry to manage that object.
8. In the middle pane, click the Manage tab and click Routing.
9. In the routing category panel, select Static Routes.
10. In the static routes list, select the 172.16.0.0/19 route and click the red X icon to delete the entry.
11. Above the static routes list, click Publish Changes.
12. Minimize the Firefox window.
13. On the Control Center desktop, in the Command Prompt window, run the following command to
test bidirectional connectivity between the Management Network and the Web-Tier logical
switch network.
ping 172.16 .10 .11

14. Verify that ICMP echo replies are not received.

The message displayed is TTL expired in transit .
15. Leave the Command Prompt window open.

•
16. Restore the Firefox window.

Task 3: Configure OSPF on Perimeter Gateway

You configure OSPF on Perimeter Gateway, so that the routes to the logical switch networks are
learned from the distributed router over the transit network.
1. In the routing categories list, select Global Configuration.
2. In the Dynamic Routing Configuration panel, click Edit to open the Edit Dynamic Routing
Configuration dialog box, and perform the following actions.
a. Select Uplink-Interface - 192.168.100.3 from the Router ID drop-down menu.
b. Check the Enable OSPF check box.
c. Leave all other fields at the default value and click Save.
3. At the top of the Global Configuration page, click Publish Changes.

Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances 55

4. In the routing category panel, select OSPF.
5. In the Area Definitions list, verify that an area with the following properties appears in the list.
• Area ID: 0
• Type: Normal
• Authentication : None
If the specified Area Definition does not exist, create a new Area Definition by clicking the
green plus sign and configuring the area as described in step 5.
6. Above the Area Definitions list, click the green plus sign to open the New Area Definition
dialog box, and perform the following actions.
a. Enter 829 in the Area ID text box.
b. Leave all other settings at the default value and click OK.
7. Under Area Interface Mapping, at the bottom of the OSPF page, click the green plus sign to
open the New Area to Interface Mapping dialog box, and perform the following actions.
a. Verify that the vNIC selection is Uplink-Interface.
b. Select 0 from the Area drop-down menu.
c. Leave all other fields at the default value and click OK.
8. Under Area Interface Mapping , at the bottom of the OSPF page, click the green plus sign to
open the New Area to Interface Mapping dialog box, and perform the following actions.
a. Select Transit-Interface from the drop-down menu.
b. Select 829 from the Area drop-down menu.
c. Leave all other fields at the default value and click OK.
9. At the top of the OSPF page, click Publish Changes.

Task 4: Redistribute Perimeter Gateway Subnets

You configure which type of subnets are advertised by Perimeter Gateway, through OSPF.
1. In the routing category panel, select Route Redistribution.
2. Under Route Redistribution table, at the bottom of the page, click the green plus sign to open
the New Redistribution criteria dialog box, and perform the following actions.
a. Under Allow learning from, select the Connected check box.
Subnets connected to Perimeter Gateway can now be learned.
b. Leave all other settings at the default value and click OK.

56 Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances

3. In the Route Redistribution Status panel, at the top of the page, determine if a green check mark
appears next to OSPF.

Route Redistribution status:

OSPF: ~ ISIS: BGP:

4. If a green check mark does not appear, perform the following actions.
a. On the right side of the Route Redistribution Status panel, click Change.
b. In the Change redistribution settings dialog box, select the OSPF check box .
c. Click Save.
d. In the Route Redistribution Status panel, at the top of the page, verify that a green check
mark appears next to OSPF.
5. At the top of the page, click Publish Changes.

Task 5: Remove Static Route on Distributed Router

You remove the static routes configured in an earlier lab in preparation to configure dynamic routing
using the OSPF routing protocol.
1. At the top of the left navigation page , click the Networking & Security back arrow button.
2. In the edge list, double-click the Distributed Router entry to manage that object.
3. In the middle pane, click the Manage tab and click Routing.
4. In the routing category panel, select Static Routes.
5. In the static routes list, select the 192.168.110.0/24 route and click the red X to delete the entry.
6. Above the static routes list, click Publish Changes.

Task 6: Configure OSPF on Distributed Router

•
You configure OSPF on the distributed router.
1. In the routing category panel, select Global Configuration.
2. On the right side of the Dynamic Routing Configuration panel, click Edit.
Use the horizontal scroll bar to uncover the button if the button is not visible .
3. In the Edit Dynamic Routing Configuration dialog box, select Transit-Interface - 192.168.10.2
from the Router ID drop-down menu.
This setting must be specified before OSPF can be configured.

Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances 57

4. Leave all other fields at the default value and click Save.

Do not select the Enable OSPF check box. For management purposes, OSPF can be enabled or
disabled in the Global Configuration page, after having been initially configured elsewhere. An
error message is displayed if OSPF is enabled in Global Configuration without first configuring
the OSPF parameters. This condition is unique to NSX Edges of type Distributed Router.
5. At the top of the Global Configuration page, click Publish Changes.
6. In the routing category panel, select OSPF.
7. On the right side of the OSPF Configuration panel, click Edit to open the OSPF Configuration
dialog box, and perform the following actions.
a. Select the Enable OSPF check box.
b. Enter 192 . 168 . 10 . 3 in the Protocol Address text box.
c. Enter 192 . 168 . 10 . 2 in the Forwarding Address text box.
d. Click OK.
8. In the Area Definitions panel, click the green plus sign to open the New Area Definition dialog
box.
a. Enter 829 in the Area ID text box.
b. Leave all other fields at the default value and click OK.
9. In the Area to Interface Mapping panel, click the green plus sign to open the New Area to
Interface Mapping dialog box, and perform the following actions.
a. Verify that the Interface selection is Transit-Interface.
b. Select 829 from the Area drop-down menu.
c. Leave all other fields at default value and click OK.
10. At the top of the OSPF configuration page, click Publish Changes.
11. After the changes have been published, verify that the OSPF Configuration Status is Enabled.

OSPF Configuration

Status Enabled

Protocol Address 192.168.10.3

For~varding Address 192.168.10.2

58 Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances

Task 7: Redistribute Distributed Router Internal Subnets
You configure which type of subnets are advertised by the distributed router, through OSPF.
1. In the routing category panel, select Route Redistribution.
2. In the Route Redistribution table, select the single entry that appears, click the pencil icon to
open the Edit Redistribution criteria dialog box, and verify the following settings .
• Prefix Name : Any
• Learner Protocol: OSPF
• Allow Learning From: Connected
• Action: Permit
3. Click Cancel.
If the default route redistribution entry does not appear in the list or is not configured as
specified, create a new route redistribution by clicking the green plus sign and configuring the
criteria as specified in step 2.

Task 8: Troubleshoot Connectivity Between Logical Switch Networks

and the Management Network
You verify the OSPF configuration and troubleshoot connectivity betwen a logical switch network
that is connected to the distributed router and the Management network.
1. Minimize the Firefox window.
2. On the ControlCenter desktop , in the Command Prompt window, run the following command to
test bidirectional connectivity between the Management Network and the Web-Tier logical

•
switch network.
ping 172.16 .10.11

3. Verify that ICMP echo replies are not received.

4. Leave the Command Prompt window open.
5. Restore the Firefox window.
6. Verify the distributed router configuration by performing the following actions.
If any option is incorrectly configured, correct the option as you progress through the following
steps .
a . In the routing category panel, select Global Configuration .

Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances 59

 b. In the Dynamic Routing Configuration panel, verify that the following options are
configured as shown.
• RouterTD : 192.168.10.2
• OSPF: green check mark
c. In the routing category panel, select Static Routes .
d. In the static routes table, verify that no static routes are defined.
e. In the routing category panel, select OSPF.

f. In the OSPF Configuration panel, verify that the following options are set as specified.

• Status: Enabled
• Protocol Address: 192.168.10.3
• Forwarding Address: 192.168 .10.2
g. In the Area Definitions panel, verify that Area 829 is defined with Normal for Type and
None for Authentication.
h. In the Area to Interface Mapping panel, verify that area 829 has been mapped to Transit-
Interface.
i. In the routing category panel, select Route Redistribution.

j. In the Route Redistribution Status panel, verify that a green check mark appears next to
OSPF.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.

• Learner: OSPF
• From: Connected
• Prefix: Any
• Action: Permit
7. In the left navigation pane, click the Networking & Security back arrow button.
8. In the edge list, double-click the Perimeter Gateway entry to manage that object.
9. In the middle pane, click the Manage tab and click Routing.

60 Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances

10. Verify the Perimeter Gateway configuration by performing the following actions.
If any option is incorrectly configured, correct the option as you progress through the following
steps.

a. In the routing category panel, select Global Configuration.

b. In the Dynamic Routing Configuration panel, verify that the following options are
configured as shown.
• Router ID: 192.168.100.3
• OSPF : green check mark
c. In the routing category panel, select Static Routes .
d. In the static routes table, verify that no static routes are defined.

e. In the routing category panel, select OSPF.

f. At the top of the OSPF page, verify that the OSPF Status is Enabled.

IOSPF Status:Enabled
Area Definitions:
I.
g. In the Area Definitions panel, verify that the following areas are defined.
• Area ID:829, Type: Normal, Authentication: None
• Area ID:O, Type: Normal, Authentication: None
h. In the Area to Interface Mapping panel, verify that area 829 is mapped to Transit-Interface
and area 0 is mapped to Uplink-Interface.
i. In the routing category panel, select Route Redistribution.

j. In the Route Redistribution Status panel, verify that a green check mark appears next to
•
OSPF.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.
• Leamer: OSPF
• From: OSPF
• Prefix: Any
• Action: Permit

Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances 61

11 . Answer the following question.

01. Are the configuration settings for Distributed Router and Perimeter Gateway
exactly as specified in the preceding steps?

12. In the left navigation pane , click the Networking & Security back arrow button.
13. In the edge list, double-click the Distributed Router entry.
14. In the middle pane, click the Manage tab and click Settings.
15. In the settings category panel, select Interfaces and answer the following question .

02. Are the logical switch networks: Web-Tier (172.16.10.0/24), App-Tier (172.16.20.0/24),
and DB-Tier (172.16.30.0/24), connected to Distributed Router interfaces?

16. On the Manage tab, click Routing.

17. In the routing category list, select Static Routes and answer the following question.

Q3. Is the absence of static routes on Distributed Router an issue (are there
subnets not directly connected that Distributed Router should advertise)?

18. In the routing category panel , select Route Redistribution, and answer the following question.

Q4. Is the configured Route Redistribution entry sufficiently configured so that

subnets known to the Distributed Router can be learned through OSPF?

19. In the left navigation pane, click the Networking & Security back arrow button .
20. In the edge list, double-click the Perimeter Gateway entry to manage that object.
21. In the middle pane, click the Manage tab and click Settings.
22. In the settings category panel, select Interfaces and answer the following question.

05. Is the Management network attached to Perimeter Gateway?

23. On the Management tab, click Routing.

24. In the routing category panel, select Static Routes and answer the following question.

06. Is the Management network identified by a static route?

62 Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances

25. In the routing category panel, select Route Redistribution and answer the following question.

07. Is the current route redistribution configured to allow the learning of static
routes through OSPF?

Task 9: Resolve the Connectivity Issue

You configure Perimeter Gateway with a static route to the Management network and configure
OSPF to advertise static routes.
1. In the routing category panel, select Static Routes.
2. Click the green plus sign to open the Add Static Route dialog box and perform the following
actions.
a. Select Uplink-Interface from the Interface drop-down menu.
b. Enter 192.168.110.0/24 in the Network text box.
This address is the management network address.
c. Enter 192.168.100.2 in the Next Hop text box.
This address is the address ofvPod router on the HQ Uplink portgroup.
d. Leave all other settings at default value and click OK.
3. Click Publish Changes.
4. In the routing category panel, select Route Redistribution.
5. In the Route Redistribution table, select the single entry that appears, and click the pencil icon
to open the Edit Redistribution criteria dialog box
a. Under Allow learning from, select the Static Routes check box.
b. Click Save.
6. At the top of the Route Redistribution page, click Publish Changes.
The above configuration change instructs Perimeter Gateway to allow learning of both
•
connected subnets and static routes through OSPF. The distributed router receives a route to the
Management network from Perimeter Gateway with a next hop of the Perimeter Gateway
interface on the transit network .
7. Minimize the Firefox window.
8. On the Control Center desktop, in the Command Prompt window, run the following command to
test bidirectional connectivity between the Management Network and the Web-Tier logical
switch network.
ping 172.16.10 .11

Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances 63

9. Verify that ICMP echo replies are received.
10. IfICMP replies are not received, wait 60 seconds and repeat step 8 until ICMP replies are
received.
11. Run the following ping tests to verify connectivity between the Management network and the
App- Tier and DB-Tier logical switch networks.
ping 172.16.20.11

ping 172.16.30.11

12. Leave the Command Prompt window open.

13. Restore the Firefox window.

Task 10: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. In the left navigation pane, click the Networking & Security back arrow button.
2. In the Firefox window, leave the following tabs open.
• vSphere Web Client
• web-sv-Ola
3. On the ControlCenter desktop, leave the Command Prompt window open .

64 Lab 7 Configuring and Testing Dynamic Routing on NSX Edge Appliances

Lab 8
Configuring and Testing Network
Address Translation on an NSX Edge
Services Gateway

Objective: Use destination NAT and source NAT rules to

establish a one-to-one relationship between the IP
address of a Web server on an internal subnet and an IP
address in an externally accessible subnet
In this lab, you will perform the following tasks:

1. Prepare for the Lab

2. Verify Non-Translated Packet Addressing
3. Configure an Additional IP Address on the Uplink Interface of Perimeter Gateway

•
4. Configure a Destination NAT Rule
5. Test Connectivity Using the Destination NAT Translation
6. Verify Non-Translated Packet Addressing Before Defining a Source NAT Rule
7. Configure a Source NAT Rule
8. Test Connectivity Using the Source NAT Translation
9. Use What You Have Learned
10. Clean Up for the Next Lab

Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway 65

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere ® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop , perform the following
actions.
a . On the Control Center desktop , double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
3. If you are not logged in to the vSphere Web Client, click the vSphere Web Client bookmark in
the Firefox window.
4. When prompted, log in as root and enter the password VMwarel ! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions.
a. On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ola.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMwarel ! .
e. Press Clrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

6. On the vSphere Web Client Home tab, click Inventories> Networking & Security.

Task 2: Verify Non-Translated Packet Addressing

You use the packet capture capabilities ofYMware NSX Edge" to verify source and destination
addressing of packets exchanged by the ControlCenter system and the web-sv-Ola Web server.

1. Minimize the Firefox window.

2. On the ControlCenter desktop , double-click the PuTTY shortcut.
3. In the PuTTY window, double-click the Edge Services GW saved session.
4. When prompted with a PuTTY Security Alert , click Yes.
5. Log in as admin and enter the password VMwarel ! VMwarel ! .

66 Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway

6. If you cannot log in because SSH access was not enabled during deployment of the edge, or if
the password was entered incorrectly, perform the following steps.
a. Restore the Firefox window.
b. In the left navigation pane, select NSX Edges.
c. In the edge list, select the Perimeter Gateway entry and select Change CLI Credentials
from the Actions drop-down menu .
d. In the Change CLI credentials, enter VMwarel! VMwarel! in the Password and Retype
Password text boxes.
e. Verify that the Enable SSH Access check box is selected and click OK.
f. Restart this task by going back to step 1.

7. Run the following command to begin capturing HTTP traffic on the uplink interface.
All commands are case-sensitive.
debug packet display interface vNic_O port_80

Include the port_80 filter as the last argument of the command. The last argument is the filter
expression. The filter expression must be expressed with underscore characters where spaces
might normally appear.
8. Leave the traffic capture running in the PuTTY window and restore the Firefox window.
9. In the Firefox window, open a new browser tab and go to http://172.16.10.ll to browse the
web-sv-O1a Web server.
10. After the Web page is displayed, go to http://192.168.l00. 7 to verify that there is no response.
The 192.168.100.7 address specified in the URL is the NAT address that you associate with the
web-sv-O la virtual machine at 172.16.10.11.
11. After Firefox reports that the page cannot be displayed, close the browser tab and minimize the
Firefox window.

•
12. In the PuTTY window, examine the packets captured to determine source and destination
addressing format.
Packet addressing is always reported in the following format:
time protocol source-address : source-port > destination-address : destination-port

Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway 67

13. In the packet capture output, examine the addressing of each packet and verify that the
following two addresses are involved in the exchange.
• 192.168.110 .10
This address is the IP address of the ControlCenter.

• 172.16.10.11
This address is the IP address of the web-sv-O1a virtual machine on the Web-Tier network.
14. Answer the following question.

01. In the packet capture, do you observe any packets exchanged between the
ControlCenter system and the 192.168.100.7 IP address?

15. Leave the packet capture running in the PuTTY window.

16. Restore the Firefox window.

Task 3: Configure an Additional IP Address on the Uplink Interface of

Perimeter Gateway
Before creating destination NAT rules, an unused IP address on a subnet attached to the NSX Edge
services gateway must be added to the interface that faces the incoming traffic to be translated.
Adding the IP addresses to the interface enables the interface to receive the packets destined for the
added IP address on that MAC address. The primary IP address can also be used, if port translation
is also specified. However, for a 1:1 association, a new IP address is required.

1. In the left navigation pane, select NSX Edges.

2. In edge list, double-click the Perimeter Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the vNIC# 0 entry that has an IP address of 192.168 .100 .3, and
click the pencil icon.
6. In the Edit NSX Edge Interface dialog box, select the existing 192.168.100.3 IP address and
click the pencil icon to open the Edit Subnet dialog box.

[Z] x
IP Address

192.1 68.1 00 .3*

68 Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway

7. In the Edit Subnet dialog box, perform the following actions.
a. Click the green plus sign to create a new IP address entry.
b. Enter 192.168.100.7 in the new IP address text box and click OK to confirm the entry.
c. Click OK to close the Edit Subnet dialog.
8. Click OK to commit the interface changes.
9. In the interfaces list, verify that vNIC# 0 has the following two IP addresses.
• 192.168.100.3* /24
• 192.168.100.7
The asterisk (star) character to the right of the 192.168.100.3 address indicates the primary IP
address assigned to the interface. All other addresses are considered to be secondary.

vNI C# 1 . Name IF' Address Subnet Pref ix Length

o Uplink:-I ...
192.168.100.7

Task 4: Configure a Destination NAT Rule

A destination NAT rule can be assigned to any interface. The correct interface on which to assign
destination NAT rules is the interface that receives the network traffic to be translated, such as the
Uplink interface. A destination NAT rule translates the destination address of incoming packets prior
to forwarding/routing those packets to that translated destination. The source address of a
destination NAT rule must be allocated from a directly connected subnet, such as the subnet the
Uplink interface is attached to. The translated address can be any IP address that either exists in a
directly-connected subnet, or in a subnet known to the NSX Edge instance that is accessible through
routing capabilities (static routes and dynamic routing). This lab demonstrates translating packets to
addresses that require further routing.
1. Under the Manage tab, click NAT.
2. Above the NAT rules list, click the green plus sign and select Add DNAT Rule.
3. In the Add DNAT Rule dialog box, perform the following actions.
•
a. Select Uplink-Interface from the Applied On drop-down menu .
b. Enter 192 . 168 . 100 . 7 in the OriginallP/Range text box.

Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway 69

 c. Enter 172.16.10.11 in the Translated IPlRange text box.
This address is the address of the web-sv-O Ia Web server virtual machine that is attached to
the Web-Tier logical switch network. The Web-Tier network is acces sible from the
perimeter gateway through an OSPF-learned route that has a next hop of distributed router
on the transport network.
d. Select the Enabled check box.
e . Leave all other settings at the default value and click OK.
4. Above the NAT rules list, click Publish Changes.
5. Wait for the update to complete and verify that the new destination NAT rule appears in the list
with a Rule Type of USER.

Task 5: Test Connectivity Using the Destination NAT Translation

When a connection is initiated that traverses an NSX Edge NAT rule, a mapping is created that
allows the response traffic to traverse the rule logic in the reverse direction. You can control how the
NAT rules expose servers or services based on the direction of the traffic. If a server or service is
only to be exposed to external access, through a destination NAT address, then no further NAT rules
are required. The NAT mapping ensures that response traffic from the exposed server appears as if
originating from the destination NAT address. A destination NAT rule can also translate port
numbers, allowing you to overload a single IP address to expose multiple services using different
incoming ports .
1. In the Firefox window, open a new browser tab and go to http://192.168 .100.7 to browse the
web-sv-O Ia Web server using the destination NAT address.

2. After the Web page is displayed, keep the Web server tab open and minimize the Firefox
window.
3. In the PuTTY window, determine packet addressing and verify that the following two IP
addresses are involved in the exchange.
• 192.168.110.10
This address is the IP address of the ControlCenter.

• 192.168.100.7
This address is the destination NAT original address. For packets sent to this address, the
destination was transformed from 192.168.100.7 to 172.16.10.11 before being fowarded by
NSX Edge. For response packets sent from the Web server, the source address was
translated so that the packets appear as if originating from the destination NAT addres s to
maintain the integrity ofthe client > server connection.

4. Press Ctr1+C to stop the packet capture.

70 Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway

5. Run the following command to begin capturing packets on the Transit-Interface.
debug packet display interface vNic 1 port 80

6. Restore the Firefox window and click the page refresh icon to reload the Web server page.
7. After the Web page is displayed, close the browser tab and minimize the Firefox window.
8. In the PuTTY window, determine packet addressing and verify that the following two IP
addresses are involved in the exchange.
• 192.168.110.10
This address is the IP address of the ControlCenter.

• 172.16.10.11
This address is the destination NAT translated address of the web-sv-Ol a Web server. The
packets captured on the transit network are forwarded from perimeter gateway to
distributed router with the destination address translated.

9. Press Ctrl+C to stop the packet capture and leave the PuTTY window open.
10. Consider the tests performed so far in this lab and answer the following questions.

01. If response traffic was not translated based on the destination NAT mapping,
what source address would the packets have when received by the
ControlCenter?

02. For a TCP connection being established from 192.168.110.10 (ControICenter) to

192.168.100.7 (destination NAT for web-sv-01a), would the ControlCenter
associate response packets from 172.16.10.11 with that connection?

Task 6: Verify Non-Translated Packet Addressing Before Defining a

•
Source NAT Rule
You verify the source and destination address of packets exchanged between the ControlCenter and
the web-sv-O 1a Web server virtual machine before applying a source NAT translation.

1. In the PuTTY window, run the following command to begin capturing ICMP packets on the
uplink interface.
debug packet display interface vNic_O icmp

2. Leave the packet capture running, restore the Firefox window, and click the web-sv-Ill a
console tab.

Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway 71

3. At the web-sv-Ol a command prompt, run the following command to ping the ControlCenter
system.
ping 192 .168 .110.10

4. After at least one TCMP echo reque st and echo reply are reported, press Ctrl+C to stop the ping
command.
5. Press CtrJ+Alt to release the mouse cursor and minimize the Firefox window.
6. In the PuTTY window, determine source and destination addressing and verify that the
following two IP addresses are involved in the ICMP exchange.
• 192.168.110.10
This address is the IP address of the ControlCenter

• 172.16.10.11
This address is the non-translated IP address of the web-sv-Ola Web server virtual
machine.
The captured exchange shows the web-sv-Gl a Web server IP address is unaffected by the
destination NAT rule when traffic is initiated from that address. The original web-sv-Gl a Web
server IP address is maintained as the packets leave perimeter gateway in transit to the
ControlCenter system.
7. Restore the Firefox window and click the vSphere Web Client tab.

Task 7: Configure a Source NAT Rule

A source NAT rule can be assigned to any interface . The correct interface on which to assign source
NAT rules is the interface that connects to the translated network, not the interface that received the
original packet. A source NAT rule translates the source address of a packet received by NSX Edge,
typically on an internal interface, to a specified IP address in some other subnet attached to NSX
Edge. For instance, the subnet that the uplink is attached to, which would make the packet appear as
if originating from that subnet before routing is applied. The same mappings are created when
source NAT rules are traversed so that response traffic can be received by the originating node. The
translated IP address must be added to the interface attached to the translated subnet so that the
interface can respond to ARP requests for that TP address to receive response traffic. Source NAT
rules can oftentimes be used to shape outbound traffic . By doing so, outbound traffic is sent to an
appropriate next hop or is able to traverse upstream firewall rules that do not block the translated
subnet but may block the original source subnet.

72 Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway

1. Above the NAT rules list, click the green plus sign and select Add SNAT Rule.
2. In the Add SNAT Rule dialog box, perform the following actions.
a. Select Uplink-Interface from the Applied On drop-down menu.
b. Enter 172.16.10.11 in the Original Source IPlRange text box.
This address is the address of the web-sv-O 1a Web server virtual machine on the Web-Tier
network.
c. Enter 192.168.100.7 in the Translated Source IP/Range text box.
This address is the translated source IP address.
d. Select the Enabled check box.
e. Leave all other fields at the default value and click OK.
3. Above the NAT rules list, click Publish Changes.

Task 8: Test Connectivity Using the Source NAT Translation

Packets sent from the web-sv-O 1a Web server virtual machine now appear as originating from the
192.168.100.0/24 external subnet.
1. In the Firefox window, select the web-sv-Ola console tab.
2. At the web-sv-Ol a command prompt, run the following command to ping the ControlCenter
system.
ping 192.168.110.10
3. After at least one ICMP request and reply have been reported, press Ctrl+C to stop the ping
command.
4. Press Ctrl+Alt to release the mouse cursor and minimize the Firefox window.
5. In the PuTTY window, detennine source and destination addressing, and verify that the
following two IP addresses are involved in the ICMP exchange.
• 192.168.110.10
This address is the IP address of the ControlCenter.
• 192.168.100.7
This address is the translated IP address of the web-sv-O 1a Web server virtual machine.
•
6. Press Ctrl+C to stop the packet capture.
7. Restore the Firefox window and click the vSphere Web Client tab.

Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway 73

Task 9: Use What You Have Learned
For upcoming labs, the internal IP address of both Web server virtual machines must be translated.
You use what you have learned in this lab to configure a destination NAT rule for the web-sv-02a
Web server virtual machine.
1. Perform "Configure an Additional IP Address on the Uplink Interface of Perimeter Gateway"
on page 68 to add another IP address to the uplink interface of perimeter gateway. Assign the
following IP address.
• 192.168.100.8
2. Perform "Configure a Destination NAT Rule" on page 69 to create a destination NAT rule on
perimeter gateway. Use the following parameters.
• Assigned On: Uplink-Interface
• Original IP/Range: 192.168.100.8
• Translated IP/Range: 172.16.10.12
• Enabled: Check box selected
• All other fields at the default value (undefined)
3. Test your configuration by performing the following actions.
a. In the PuTTY window, run the following command to begin capturing HTTP traffic on the
uplink interface.
debug packet display interface vNic_O port_80

b. In Firefox , open a new browser tab and go to http://192.168.100.8.

c. After the Web page is displayed, close the new browser tab.
d. In the PuTTY window, verify that the following two addresses are involved in the HTTP
exchange.
• 192.168.110.10
• 192.168.100.8
e . Press Ctr1+C to stop the packet capture.

If the test does not produce the expected results, review your configuration carefully,
ensure that the destination NAT rule is enabled and is applied on the Uplink-Interface, and
try the test again. If the test continues to fail, ask your instructor for assistance. Both
destination NAT rules must be defined and working for upcoming labs.

74 Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway

Task 10: Clean Up for the Next Lab
You perform these actions to prepare for the next lab.

1. On the ControlCenter desktop, leave the PuTTY window and the Command Prompt window
open .
2. In the Firefox window, click the vSphere Web Client tab.
3. At the top of the left navigation page, click the Networking & Security back arrow button.
4. In the Firefox window, leave the following tabs open.
• vSphere Web Client
• web-sv-Ola

•
Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway 75
76 Lab 8 Configuring and Testing NAT on an NSX Edge Services Gateway
Lab 9
Configuring Load Balancinq with NSX
Edge Gateway

Objective: Configure a round-robin load balancer to

distribute traffic between two Web servers, and verify
round-robin operation using traffic capture tools
In this lab, you will perform the following tasks:

1. Prepare for the Lab

2. Verify the Lack of Connectivity
3. Add an IP Address to the Uplink Interface
4. Enable the Load Balancer Service and Configure an Application Profile
5. Create a Server Pool
6. Create a Virtual Server
7. Use the Packet Capture Capabilities ofNSX Edge to Verify Round-Robin Load Balancing
8. Examine NAT Rule Changes
9. Migrate the Web-Tier Logical Switch to the Perimeter Gateway
10. Reposition the Virtual Server and Examine NAT Rule Changes
11 . Use a Packet Capture to Verify Round-Robin Operation
12. Clean Up for the Next Lab
•
Lab 9 Configuring Load Balancing with NSX Edge Gateway 77
Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere ® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop , perform the following
actions.
a . On the Control Center desktop , double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.
2. If the PuTTY window is not open on the ControlCenter desktop, perform the following actions .
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double -click the Edge Services GW saved session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMwarel ! VMwarel ! .
3. If the Firefox window has been closed , double-click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a . In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMwarel ! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions .
a . On the vSphere Web Client Home tab, click Inventories> VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ota.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMwarel ! .
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

6. On the vSphere Web Client Home tab, click Inventories> Networking & Security.

78 Lab 9 Configuring Load Balancing with NSX Edge Gateway

Task 2: Verify the Lack of Connectivity
You open a Web browser and browse the IP address to be assigned to the load balancer virtual
server.
1. In the Firefox window, open a new browser tab and go to https ://192 .168.100.9.
2. Verify that the page does not open.
Firefox shows a Server not found message.
3. Close the new browser tab and click the vSphere Web Client tab.

Task 3: Add an IP Address to the Uplink Interface

To use an IP address for network address translation (NAT) rules or a load balancer virtual server
that is not the default IP address assigned to an NSX Edge interface, the IP address must be
explicitly added to the interface. The IP address must be explicitly configured so that the NSX Edge
appliance can receive incoming packets on that interface from the upstream device.
1. In the left navigation pane, select NSX Edges.
2. In edge list, double-click the Perimeter Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the vNIC# 0 interface and click the pencil icon.
6. In the Edit NSX Edge Interface dialog box, select the 192.168.100.3 IP address and click the
pencil icon.
This entry has three IP addresses: 192.168.100.3 , 192.168.100.7, and 192.168.100.8.
7. In the Edit NSX Edge Interface dialog box, select the existing 192.168.100.3*,... IP address and
click the pencil icon to open the Edit Subnet dialog box.

[Z] x
IP Address

192.1 68.1 00 .3*

8. In the Edit Subnet dialog box, perform the following actions.

a. Click the green plus sign to create an address entry
b. Enter 192 . 168 . 100 . 9 in the IP address text box and click OK to confirm the entry.
•
c. Click OK to close the Edit Subnet dialog box .

Lab 9 Configuring Load Balancing with NSX Edge Gateway 79

9. Click OK to commit the interface changes.
10. In the interfaces list, find the vNIC #0 entry, click the Show All link in the IP address column,
and verify that the following addre sses appear in the list.
• 192.16 8.100 .3*
Primary address of the interface

• 192.168.100.7
NAT address for web-sv-Ola

• 192.168.100.8
NAT address for web-sv-02a

• 192.168.1 00.9
New address for the load balancer virtual server
11 . Click OK to close the Assigned IP Addresses dialog box .

Task 4: Enable the Load Balancer Service and Configure an

Application Profile
You enable the load balancer service and configure for HTTPS with SSL pass-through.

1. Under the Manage tab , click Load Balancer.

2. In the load balancer category panel, select Global Configuration.
3. Click Edit on the right side of the global configuration page.
4. In the Edit load balancer global configuration page, select the Enable Load balancer check
box and click OK, leaving all other fields at the default value.
5. In the load balancer category panel, select Application Profiles.
6. Above the top panel , click the green plus sign to open the New Profile dialog box, and perform
the following actions.
a. Enter App - Pro f i 1 e in the Narne text box.
b. Click HTTPS.
c. Select the Enable SSL Passthrough check box .
d. Leave all other fields at the default value and click OK.

80 Lab 9 Configuring Load Balancing with NSX Edge Gateway

Task 5: Create a Server Pool
You create a round-robin server pool that contains the two Web server virtual machines as members
providing HTTPS.
1. In the load balancer category panel, select Pools.
2. Above the top panel, click the green plus sign to open the New Pool dialog box, and perform
the following actions.
a. Enter Server-Pool in the Name text box.
b. Verify that the Algorithm selection is ROUND-ROBIN.
c. Verify that the Monitors selection is NONE.
d. Below Members, click the green plus sign to open the New Member dialog box, and add
the first server.

Option Action
Name Enter Web- sv- 01a in the text box.

IP Address Enter 172.16.10 .11 in the text box.

Port Enter 443 in the text box.

AU other settings Leave at the default value .

e . Click OK to close the New Member dialog box.

f. Under Members, click the green plus sign to open the New Member dialog box, and add a
second server.

Option Action
Name EnterWeb-sv-02a in the text box.

IP Address Enter 172.16.10.12 in the text box.

Port Enter 443 in the text box.

•
All other settings Leave at the default value.

g. Click OK to close the New Member dialog box.

h. Click OK to close the New Pool dialog box.

Lab 9 Configuring Load Balancing with NSX Edge Gateway 81

Task 6: Create a Virtual Server
The virtual server is positioned on the external network attached to the uplink interface of perimeter
gateway, in a two-arm configuration.
1. In the load balancer category panel, select Virtual Servers.
2. Above the top panel, click the green plus sign to open the New Virtual Server dialog box, and
perform the following actions.
a . Verify that the Enabled check box is selected.
b. Enter VIP in the Name text box.
c. Enter 192.168.100.9 in the lP Address text box .
d. Select HTTPS from the Protocol drop-down menu .
e. Verify that the Port setting has changed to 443.
f. Select Server-Pool from the Default Pool drop-down menu.
g. Verify that the Application Profile selection is App-Profile.
h. Leave all other settings at default value and click OK.

Task 7: Use the Packet Capture Capabilities of NSX Edge to Verify

Round-Robin Load Balancing
You monitor HTTPS traffic that traverses the transit network to verify round-robin distribution as
perimeter gateway assigns sessions to servers in the pool.
1. Minimize the Firefox window.
2. In the PuTTY window, run the following command to begin capturing SSL packets on the
transit interface.
debug packet display interface vNic_l port_443

3. Leave the packet capture running and restore the Firefox window.
4. In the Firefox window, open a new browser tab and go to https ://l92.168 .100.9.
5. IfFirefox reports that the connection is untrusted, perform the following actions .
a. Click the I Understand the Risks link.
b. Click the Add Exception link
c. In the Add Security Exception dialog box, click Confirm Security Exception.
6. Minimize the Firefox window.

82 Lab 9 Configuring Load Balancing with NSX Edge Gateway

7. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the two Web server addresses is used.
• 192.168.10.1
This address is the Transit network interface of the perimeter gateway edge.

• 172.16.10.11 or 172.16.10.12
These are the addresses of the Web servers on the Web-Tier logical switch network.

8. Consider the packet exchange you just examined and answer the following question.

01. Which extra operation is the perimeter gateway performing on packets that
leave the Transit network interface, on the way to the Web server virtual
machines?

02. Why is perimeter gateway performing this extra operation instead of

maintaining the original source address of the ControlCenter system?

03. What setting would you enable on the load balancer so that original source
addresses are maintained?

9. Leave the packet capture running.

10. Restore the Firefox window and click the vSphere Web Client tab.
11 . In the load balancer category panel, select Pools.
12. In the pool list, select pool-I and click the pencil icon.
13. In the Edit Pool dialog box, select the Transparent check box at the bottom and click OK.
14. After the configuration update completes, click the NSX for vSphere Training tab in Firefox.
15. Click the Firefox page refresh button to the right of the URL bar.
16. Minimize the Firefox window.

•
Lab 9 Configuring Load Balancing with NSX Edge Gateway 83
17. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the two Web server addresses is used.
• 192.168.110.10
This address is the address of the ControlCenter system . With transparent mode enabled,
the original source address has been maintained in packets forwarded to the Web server.
Sessions are still proxied by perimeter gateway, using a different source port than the
source port that is used by the original client.
• 172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web-Tier logical switch
network.
18. On the ControlCenter desktop, double-click the Internet Explorer shortcut.
19. In Internet Explorer, go to https:/1192.168.100.9.
20. When Internet Explorer reports a prob lem with the Web site security certificate, click the
Continue to this website (not recommended) link.
21. Wait for the Web page to be displayed, which might take a few moments, and minimize the
Internet Explorer window.
22. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the Web server addresses appear.
• 192.168.110.10
This address is the IP address of the ControlCenter system.

• 172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web logical switch network.
The address that appears in the most recent capture should be the Web server not seen in
the previous capture.
23. Press Ctr1+C to stop the packet capture.
24. Restore the Firefox window and click the "Sphere Web Client tab.

84 Lab 9 Configuring Load Balancing with NSX Edge Gateway

Task 8: Examine NAT Rule Changes
An NSX Edge instance automatically defines NAT rules for various features to facilitate operation
of those features.
1. Under the Manage tab, click NAT.
2. In the NAT rules list, find the destination NAT rule that has 192.168.100.9 in the Original
IP Address Column and a blank Rule Type.
All other rules have a Rule Type of USER.
The blank rule type is an autogenerated destination NAT rule that the system created as part of
the virtual server configuration.
3. Examine the destination NAT rule carefully, and answer the following questions.
Expand and examine the Original IP Address and Translated IP Address fields.

01. Is the original IP address being translated in any way by this rule?

02. Is the port range being translated in any way by this rule?

03. If this rule performs no apparent translation, why did the system define it?

04. Given that a virtual server uses a destination NAT rule to trigger member server
selection, do you think that a virtual server can operate normally using a pool
of member servers with IP addresses that are also defined by destination NAT
rules?

05. Which interface is the destination NAT rule applied on?

•
Lab 9 Configuring Load Balancing with NSX Edge Gateway 85
Task 9: Migrate the Web-Tier Logical Switch to the Perimeter Gateway
You migrate the Web-Tier logical switch so that the network is connected directly to the perimeter
gateway. The load balancer virtual server is moved to the directly-connected Web-Tier network to
show side-by-side operation of the load balancer.
1. At the top of the left navigation pane, click the Networking & Security back arrow button.
2. In the edge list, double-click the Distributed Router entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces,
5. In the interfaces list, select the Web-Interface entry and click the disconnect icon.

v t-l IC# 1.6. t·lame IP .A.d d ress ::::;ubnet Prefix L

2 Transit-Int... '192 .168.10.2* 29

10 Web-Tier 172 .16.10.1* 24

6. Wait for the update to complete, and verify that a disconnect icon appears in the Web-Interface
Status column.
7. At the top of the left navigation pane, click the Networking & Security back arrow button.
8. In the edge list, double-click the Perimeter Gateway entry to manage that object.
9. In the middle pane, click the Manage tab and click Settings.
10. In the settings category panel, select Interfaces.
11. Select the vNIC# 2 interface, click the pencil icon to open the Edit NSX Edge Interface dialog
box, and perform the following actions.
a. Enter Web-Tier-Temp in the Name text box.
b. Verify that the Type selection is Internal.
c. Click the Connected To > Select link.
d. Click the Web-Tier button and click OK.
e. Above the IP Address table, click the green plus sign to open the Add Subnet dialog box.

86 Lab 9 Configuring Load Balancing with NSX Edge Gateway

 f. In the Add Subnet dialog box, click the green plus sign to create an IP address entry.

g. Enter 172 . 16 . 10 . 1 in the IP address text box and click OK to confirm the entry.
The new interface you are configuring on perimeter gateway replaces the distributed router
interface you disconnected in step 5, using the same IP address.
h. Enter 24 in the Subnet Prefix Length text box .
i. Click OK to close the Add Subnet dialog box.

j. Click OK to commit the interface changes.

Task 10: Reposition the Virtual Server and Examine NAT Rule Changes
The virtual server is repositioned to be on the same subnet as the pool members, in a one-armed
configuration.
1. Under the Manage tab, click Load Balancer.
2. In the load balancer category panel, select Virtual Servers.
3. In the virtual servers list, select the single virtual server defined and click the pencil icon .
4. In the Edit Virtual Server dialog box, change the IP Address field to 172.16.10.1, and click
OK.
For this example, the primary IP address of an interface is used for the virtual server.
5. Under the Manage tab, click NAT.
6. In the NAT rules list, find the destination NAT rule that has 172.16.10.1 in the Original IP
Address column, and answer the following questions.

01. Has the system autoremoved the destination NAT rule for the old virtual server
IP address of 192.168.100.9?

02. Is the new rule translating the original IP address or port in any way?

03. Based on the virtual server destination NAT rules that you have examined so
far, is there any difference in the actual operation performed by NSX Edge on

•
traffic to be sent to a member server?

Lab 9 Configuring Load Balancing with NSX Edge Gateway 87

7. Examine each of the new destination NAT rule columns carefully, thinking back to the previous
destination NAT rule you examined when the virtual server was positioned on the uplink
network, and answer the following question.

Q4. Other than a primary interface IP address being used as the virtual server IP
address in this example, what is the primary difference between the two
positions in terms of traffic flow and sequence of operations on the edge when
traffic is received, transformed, and subsequently sent to a member server?

Task 11: Use a Packet Capture to Verify Round-Robin Operation

You use the same techniques learned so far to verify proxy mode operation.

1. Minimize the Firefox window.

2. In the PuTTY window, run the following command to begin capturing SSL packets on the Web-
Tier-Temp interface.
debug packet display interface vNic_2 port_443

3. Leave the packet capture running and restore the Firefox window,
4. In the Firefox window, click the NSX for vSphere Training tab and go to https:1/l72.1 6.10.1.
While performing the interim tasks in this activity, after migrating the Web-Tier virtual switch,
the OSPF routing table automatically updates and both perimeter gateway and distributed router
are aware of the new network location.

5. When Firefox reports the connection is untrusted, perform the following actions.
a. Click the] Understand the Risks link.
b. Click the Add Exception link
c. In the Add Security Exception dialog box, click Confirm Security Exception.
6. After the Web page is displayed, close the browser tab used to browse the Web page and
minimize the Firefox window.
7. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses . Only one of the Web server IP addresses appear.
• 172.16.10.1
This address is the perimeter gateway interface on which the destination NAT rule is applied.

88 Lab 9 Configuring Load Balancing with NSX Edge Gateway

 • 172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web logical switch network.
8. Leave the packet capture running.
9. Restore the Internet Explorer window and go to https:l/172.16.10.1.
10. When Internet Explorer reports a problem with the Web site security certificate, click the
Continue to this website (not recommended) link .
11 . Wait for the Web page to be displayed, which might take a few moments, and close the Internet
Explorer window.
12. In the PuTTY window, examine the captured packets and verify that the exchange is between a
combination of the following IP addresses.
• 172.16.10.1
This address is the perimeter gateway interface on which the destination NAT rule is applied.

• 172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web logical switch network.
The address that appears in the capture should be the Web server not seen in the previous
capture .
13. Press Ctr1+C to stop the packet capture.
14. Restore the Firefox window and, ifnot already active , click the vSphere Web Client tab.

Task 12: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. On the ControlCenter desktop , leave the PuTTY window and the Command Prompt window
open .
2. In the vSphere Web Client, click the Networking & Security back arrow button.
3. In the Firefox window, leave the following tabs open.
• vSphere Web Client
• web-sv-Ola

•
Lab 9 Configuring Load Balancing with NSX Edge Gateway 89
90 Lab 9 Configuring Load Balancing with NSX Edge Gateway
Lab 10
Advanced Load Balancing

Objective: Configure a load balancer to provide SSL

security for a Web site
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Generate a Certificate
3. Modify the Existing Load Balancer
4. Capture Network Traffic at Perimeter Gateway
5. Migrate the Web-Tier Logical Switch Back to Distributed Router
6. Clean Up for the Next Lab

IMPORTANT
This lab require s that you have completed the previous lab (Configuring Load Balancing with NSX
Edge Gateway). If you did not perform the previous lab, ask your instructor for guidance.

Lab 10 Advanced Load Balancing 91 •

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop, perform the following
actions.
a . On the Control Center desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop.
2. If the PuTTY window is not open on the ControlCenter desktop, perform the following acitons.
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double -click the Edge Services GW saved session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin using the VMwarel ! VMwarel! password.
3. If the Firefox window has been closed, double -click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a . In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root, using the VMwarel! password.
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions.
a . On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ota.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root using the VMwarel! password.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

6. On the vSphere Web Client Home tab, click the Inventories > Networking & Security icon.

92 Lab 10 Advanced Load Balancing

Task 2: Generate a Certificate
You generate a certificate reqiuest and instruct the VMware NSX Edge" instance to create a self-
signed certificate from that request.
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Perimeter Gateway entry to manage that object.
3. Click the Manage tab and click Settings.
4. In the settings category panel, select Certificates.
5. Select Generate CSR from the Actions drop-down menu to to open the Generate CSR dialog
box, and perform the following acitons .
a. Enter 172.16.10.1 in the Common Name text box.
b. Enter ABC Medical in the Organization Name text box.
c. Verify that RSA is the selected Message Algorithm.
d. Verify that 2048 is the selected Key Size.
e . Leave all other settings at default value and click OK.
6. In the certificate list, select the newly generated signing request and select Self Sign Certificate
from the Actions drop-down menu .
7. When prompted, enter 365 in the Number of days text box, and click OK.

Task 3: Modify the Existing Load Balancer

You update the application profile to include the self-signed certificate, and update the server pool to
use HTTP instead of HTTPS. Consider the Web server as not having its own certificate for this lab.
The self-signed certificate is used insteead for commubnciation between clients and the virtual
server. Communciation between the virtual server and the member servers uses HTTP.
1. On the Manage tab, click the Load Balancer button.
2. In the load balancer category panel, select Application Profiles.
3. Select the single application profile listed and click the pencil icon.
4. In the Edit Profile dialog box, perform the following actions.
a. Deselect the Enable SSL Passthrough check box.
b. At the bottom of the dialog box, in the certificate list, click the Service Certificates>
172.16.10.1 button.
c. Leave all other settings at default value and click OK.

Lab 10 Advanced Load Balancing 93 •

5. In the load balancer category panel, select Pools.
6. Select the single pool that appears and click the pencil icon.
7. In the Edit Pool dialog box, perform the following actions for each member server listed.
a. Select the member server and click the pencil icon.
b. In the Edit Member dialog box, change both the Port and the Monitor Port to 80 and click
OK.
c. Ensure that both member servers are updated.
8. Click OK to close the Edit Pool dialog box.

Task 4: Capture Network Traffic at Perimeter Gateway

You examine two different packet captures. A packet capture on the uplink interface is examined to
verify the SSL communciation between clients and the virtual server. A packet capture on the transit
network is examined to verify round-robin operation.
1. Minimize the Firefox window.
2. In the PuTTY window, begin capturing SSL traffic on the uplink interface by running the
following command.
debug packet disp lay interface vNic 0 port 443

3. Leave the packet capture running and position the window so that you remember that it contains
the uplink capture.
4. On the ControlCenter desktop, double-click the PuTTY shortcut.
5. In the PuTTY window, double-click the Edge Services GW saved session.
6. Log in as admin and enter the VMwarel ! VMwarel! password.
7. In the new PuTTY window, begin capturing HTTP traffic on the web-tier-temp interface by
running the following command.
debug packet display interface vNic_2 port_80

The two packet captures show the load balancer virtual server receiving SSL traffic and
connecting to a pool member server using HTTP.
8. Leave both PuTTY windows open and position the windows so that the captures can be
compared.
9. On the ControlCenter desktop, double-click the Internet Explorer shortcut.
Ensure that you use Internet Explorer for the following tests.

94 Lab 10 Advanced Load Balancing

10. In the Internet Explorer window, go to https://172.16.10.1.
11. When Internet Explorer reports a problem with the Web site's security certificate, click the
Continue to this website (not recommended) link.
The Web site security message might appear after a minute. After you click the continue link,
the Web page might be displayed after a minute.
12. Minimize the Internet Explorer window.
13. Select the PuTTY window that contains the uplink interface capture .
14. In the PuTTY window, examine the captured packets and verify that the exchange is between a
combination of the following IP addresses.
• 192.168.110.10
This address is the IP address of the ControlCenter system.

• 172.16.10.1
This address is the virtual IP (vIP) address of the load balancer in the one-aim configuration.
15. Press Ctrl+C to stop the traffic capture.
16. Select the PuTTY window that contains the transit interface capture.
17. In the PuTTY window, examine the captured packets and verify that the exchange is between a
combination of the following IP addresses. Only one of the Web server IP addresses appears.
• 192.168.110 .10
This address is the IP address of the ControlCenter system that is maintained in transparent
mode.
• I72.16. 1O. II or 172.16.10.12
These addresses are the IP addresses ofthe Web servers on the Web logical switch network.
18. Restore the Internet Explorer window and click the page refresh icon.

~ https:,1,1 172. 16.10.1,l

19. Close the Internet Explorer window.

20. Select the PuTTY window that contains the transit interface capture .

Lab 10 Advanced Load Balancing 95 •

21. In the PuTTY window, examine the reported network packets and verify that the exchange is
between a combination of the following IP addresse.
• 192.168.110.10
This address is the IP address of the ControlCenter system that is maintained in transparent
mode.

• 172.16.10.11 or 172.16.10.12
These addresses are the IP addresses of the Web servers on the Web logical switch network.
The address that appears in the capture should be the Web server not seen in the previous
transit network capture.

22. Press Ctrl+C to stop the traffic capture.

23. Close the PuTTY window used to capture traffic on the transit network and click OK when
prompted to confirm.
24. Keep the original PuTTY window open.
25. Restore the Firefox window.

Task 5: Migrate the Web-Tier Logical Switch Back to Distributed

Router
You must restore the lab environment to its original state by migrating the web-Tier logical switch
back to the distributed router. Later labs fail if the configuration is not restored.
1. In the load balancer category panel, select Virtual Servers.
2. Select the single virtual server listed, click the pencil icon to open the Edit Virtual Server dialog
box, and perform the following actions.
a. Change the IP address field to 192.168.100.9 .
The virtual server IP address must be moved back to the uplink network because the Web-
Tier logical switch is migrated back to the distributed router.

b. Click OK.
3. Under the Manage tab, click Settings.
4. In the settings category panel, select Interfaces.
5. In the interface list, select the Web-Tier-Temp interface and click the disconnect icon.
6. Wait for the update to complete and verify that a disconnect icon appears in the Web-Tier-Temp
Status column.

96 Lab 10 Advanced Load Balancing

7. Select the Web-Tier-Temp interface, click the red X to delete the interface, and click OK when
prompted to confirm.
Ensure that you delete the correct interface.
8. Wait for the update to complete and verify that vNIC# 2 has been reset.
9. At the top of the left navigation pane, click the Networking & Security left arrow button.
10. In the edge list, double-click the Distributed Router entry to manage that object.
11 . In the settings category panel, select Interfaces.
12. In the interface list, select the Web-Interface interface entry and click the green check mark
icon to reattach the logical switch.
13. Wait for the update to complete and verify that a green check mark icon appears in the Web-
Interface Status column.

Task 6: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. On the ControlCenter desktop , leave the PuTTY window and the Command Prompt window
open .
2. In the vSphere Web Client, click the Networking & Security back arrow button.
3. In the Firefox window, leave the following tabs open.
• vSphere Web Client
• web-sv-Ola

Lab 10 Advanced Load Balancing 97 •

98 Lab 10 Advanced Load Balancing
Lab 11
Configuring NSX Edge High Availability

Objective: Configure high availability and use the NSX

Edge command line to determine current HA status and
view heartbeat traffic
In this lab, you will perform the following tasks:

1. Prepare for the Lab

2. Configure NSX Edge High Availability
3. Examine the High Availability Service Status and Heartbeat
4. Force a Failover Condition
5. Restore the Failed Node
6. Clean Up for the Next Lab

Task 1: Prepare for the Lab

You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface .
1. If a Command Prompt window is not open on the ControlCenter desktop, perform the following
actions.
a. On the ControlCenter desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window at a convenient location on the desktop.

Lab 11 Configuring NSX Edge High Availability 99

2. Ifthe PuTTY window is not open on the ControlCenter desktop , perform the following actions.
a. On the Control Center desktop , double-click the PuTTY shortcut.
b. In the PuTTY window, double-click the Edge Services GW saved session.
c. Ifprompted to confirm a PuTTY security alert , click Yes.
d. Log in as admin and enter the password VMwarel !VMwarel ! .
3. If the Firefox window has been closed , double-click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a. In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMwarel ! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions.
a. On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ola.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMwarel! .
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

6. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.

Task 2: Configure NSX Edge High Availability

You configure perimeter gateway for high availability.
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Perimeter Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the Settings category list, select Configuration.
5. On the Configuration page, in the Status panel (the panel on the right in the first row of panels),
determine the current HA status of the edge.
The status is Not Conf igured .
6. In the HA Configuration panel (the panel on the left in the second row of panels), click the
Change link to configure and enable HA.

100 Lab 11 Configuring NSX Edge High Availability

7. In the Change HA configuration dialog box, perform the following actions.
a. Click Enable.
b. Select Transit-Interface from the vNIC drop-down menu.
Only internal interfaces can be selected or used to carry HA heartbeat traffic.
•
c. In the two text boxes for configuring Management IPs, enter the following IP addresses in
Classless Inter-Domain Routing (CIDR) format as shown.
• 192.168.222.1/30

• 192.168.222.2/30
d. Leave all remaining settings at the default value and click OK.
8. Wait for the HA configuration update to finish, and verify that the HA status in the HA
Configuration panel is Enabled.
9. Click the vSphere Web Client Home icon.
10. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
11 . Expand the Hosts and Clusters inventory tree so that the Management and Edge Cluster
inventory is shown.
12. In the Management and Edge Cluster inventory, find all virtual machines with names starting
with Perimeter Gateway.
13. Select each perimeter gateway virtual machine and use the Summary tab information to answer
the following questions.

01. How many instances of perimeter gateway did you find?

02. Which host is Perimeter Gateway-O running on?

03. Which host is Perimeter Gateway-1 running on?

04. Are the NSX Edge instances running on different hosts?

14. Remain in the Hosts and Clusters inventory.

Lab 11 Configuring NSX Edge High Availability 101

Task 3: Examine the High Availability Service Status and Heartbeat
You use command line tools to query the high availability service status and examine the heartbeat
network traffic.

1. Minimize the Firefox window.

2. In the PuTTY window, run the following command to show the status of the high availability
service.
show service highavailability
3. Examine the command output and answer the following questions.
This command uses the generic vshield-edge name for the edge instances. Refer to the trailing -
oor -1 to associate what the command is showing with the perimeter gateway nodes.
01. Which of the perimeter gateway nodes is active?
The active node name is shown as the value of haveability Unit Name.

02. Are both peer nodes in good health?

03. Are the file synchronization and connection synchronization services

necessary for failover running?

Based on the sequence of actions taken so far, the active node should be the vshield-edge-2-0
(Perimeter Gateway-O) node. Remember which node was listed as active, you will cause a
failover in the next task.

4. At the command prompt, run the following command to display HA heartbeat packets captured
on the transit network interface.
debug packet display interface vNic_1
net 192 .168.222.0 mask 255.255.255.252
This command displays HA heartbeat packets captured on the transit network interface.

5. Examine the exchange and verify that the two HA nodes are activ ely communicating status to
each other. You should see packets exchanged between the following IP addresses.
• 192.168.222.1
• 192.168.222 .2
6. Keep the traffic capture running and restore the Firefox window.

102 Lab 11 Configuring NSX Edge High Availability

Task 4: Force a Failover Condition
You power off the high availability active node to force a failover to the standby node.
1. In the Hosts and Clusters inventory tree, select Perimeter Gateway-O, or whichever of the two
perimeter gateway nodes was listed as active in the preceding task.
•
2. Select Shut Down Guest OS from the Actions drop-down menu and click Yes when prompted
to confirm.
3. Monitor the appliance shutdown until the task shows as complete in the recent tasks pane and a
running indicator icon no longer appears on the virtual machine in the cluster inventory.
4. Minimize the Firefox window.
5. Click OK to dismiss the PuTTY alert and close the PuTTY window.
The SSH session to the perimeter gateway has been terminated because the virtual machine has
been shut down .
6. On the Control Center desktop, double-click the PuTTY shortcut.
7. In the PuTTY window, double-click the Edge Services GW saved session .

8. Log in as admin and enter the password VMwarel ! VMwarel ! .

9. Run the following command to show the status of the high availability.
show service highavailability

10. Examine the command output and answer the following questions.

01. Which of the Perimeter Gateway nodes is active?

The active node name is shown as the value of haveability Unit Name.

02. Are both peer nodes in good health?

03. Are services necessary for failover running?

Specifically file synchronization and connection synchronization.

04. Has a failover occurred?

Lab 11 Configuring NSX Edge High Availability 103

11. At the command prompt, run the following command to display HA heartbeat packets captured
on the transit network interface.
debug packet display interface vNic 1
net 192.168.222.0 mask 255.255.255.252

This command displays HA heartbeat packets captured on the transit network interface.
12. Examine the packet exchange and verify that only the active node is communicating heartbeat
information and is receiving no replies from the peer node.
13. Keep the traffic capture running and restore the Firefox window.

Task 5: Restore the Failed Node

You power on the stopped node to restore the high availability pair and use command-line tools to
examine changes in the high availability service configuration.
1. In the Hosts and Clusters inventory, verify that the shut-down HA node is still selected, and
select Power On from the actions menu.
2. Minimize the Firefox window.
3. In the PuTTY window, monitor the packet capture until you observe both nodes communicating
heartbeat information again.
4. Press Ctrl+C to stop the packet capture.
5. Run the following command to show the status of the high availability service.
show service highavailability

6. Examine the command output and answer the following questions.

Q1. Which of the Perimeter Gateway nodes is active?

The active node name is shown as the value of haveability Unit Name.

Q2. Are both peer nodes in good health?

Q3. Are services necessary for failover running?

Specifically file synchronization and connection synchronization.

Q4. Has a fail back occurred?

104 Lab 11 Configuring NSX Edge High Availability

Task 6: Clean Up for the Next Lab
You perform these actions to prepare for the next lab.
1. Leave the PuTTY window open.
2. Leave the Command Prompt window open.
•
3. Restore the Firefox window and click the vSphere Web Client Home icon.
4. In the Firefox window, leave the following tabs open.
• vSphere Web Client
• web-sv-Ola

Lab 11 Configuring NSX Edge High Availability 105

106 Lab 11 Configuring NSX Edge High Availability
Lab 12 •
Configuring Layer 2 VPN Tunnels

Objective: Configure a layer 2 VPN tunnel between two

NSX Edge services gateway appliances
In this lab, you will perforrn the following tasks :

1. Prepare for the Lab

2. Migrate a Web Server Virtual Machine to a Different Cluster
3. Create a Logical Switch and Migrate Virtual Machine Networking
4. Deploy the Branch Edge
5. Configure Branch Gateway as a Layer 2 VPN Client
6. Add an IP Address to the UpLink Interface
7. Add a Web-Tier Interface to Perimeter Gateway
8. Configure Perimeter Gateway as a Layer 2 VPN Server
9. Test Tunnel Connectivity
10. Verify Tunnel Connectivity
11. Clean Up for the Next Lab

Lab 12 Configuring Layer 2 VPN Tunnels 107

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere ® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop , perform the following
actions.
a . On the Control Center desktop , double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop .
2. If the PuTTY window is not open on the ControlCenter desktop, perform the following actions .
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double -click the Edge Services GW saved session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMwarel ! VMwarel ! .
3. If the Firefox window has been closed , double-click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a . In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMwarel ! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions .
a . On the vSphere Web Client Home tab, click Inventories> VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ota.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMwarel ! .
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

Task 2: Migrate a Web Server Virtual Machine to a Different Cluster

You move the web-sv-02a virtual machine to the Compute B cluster.
1. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
2. Expand the inventory tree so that the Compute Cluster A inventory is shown.
3. Select the web-sv-02a virtual machine and select Migrate from the Actions drop-down menu.

108 Lab 12 Configuring Layer 2 VPN Tunnels

4. In the web-sv-02a - Migrate dialog box, perform the following actions.
a. On the Select Migration Type page, leave Change Host selected and click Next.
b. On the Select Destination Resource page, select Compute Cluster B and click Next.
c. On the Select vMotion Priority page, leave the Reserve CPU for optimal vMotion
performance (Recommended) selected and click Next.
d. On the Review Selections page, review the changes to be made and click Finish.
5. In the Recent tasks pane, monitor the migration task to completion and verify that the web-sv-
02a virtual machine appears in the Compute Cluster B inventory.
•
6. Click the vSphere Web Client Home icon.
7. On the vSphere Web Client Home tab, click Inventories> Networking & Security.

Task 3: Create a Logical Switch and Migrate Virtual Machine

Networking
You create a logical switch and migrate virtual machine networking to that switch.

1. In the left navigation pane, select Logical Switches.

2. Above the logical switch list, click the green plus sign to open the New Logical Switch dialog
box, and perform the following actions .
a. Enter Branch-Web-Tier in the Name text box .
b. Verify that the Transport Zone is Global Transport Zone.
c. Verify that the Control Plane Mode is Unicast.
d. Click OK.

3. In the logical switch list, select the Branch-Web-Tier entry and select Add VM from the
Actions drop-down menu .
4. In the Add Virtual Machines dialog box, perform the following actions.
a. On the Select Virtual Machines page, scroll down and select the web-sv-02a check box,
and click Next.
b. On the Select VNICs page, select the web-sv-02a - Network adapter 1 (Web-Tier) check
box and click Next.
c. On the Ready to complete page, verify that web-sv-02a Network adapter 1 now indicates
(Branch-Web-Tier) and click Finish.
5. Wait for the migration task to complete, and double-click the Branch-Web-Tier entry to
manage that object.

Lab 12 Configuring Layer 2 VPN Tunnels 109

6. In the left pane , select Virtual Machines and verify that web-sv-02a appears.
7. At the top of the navigation pane , click the Networking & Security back arrow button.

Task 4: Deploy the Branch Edge

You configure and deploy an NSX Edge services gateway for the branch cluster.
1. In the left navigation pane, select NSX Edges.
2. Above the edge list, dick the green plus sign to open the New NSX Edge dialog box.
3. On the Name and description page, leave the Install Type as Edge Services Gateway.
4. Enter Branch Gateway in the Name text box and click Next.
5. On the CLI credentials page, enter VMwarel ! VMwarel! in the Password text box
Ensure that you enter the password correctly. A verification box is not provided and the
password cannot be shown.
6. Select the Enable SSH access check box and click Next.
7. On the Configure deployment page, verify that the Datacenter selection is ABC Medical
8. Verify that the Appliance Size selection is Compact.
9. Verify that the Enable auto rule generation check box is selected.
10. Under NSX Edge Appliances , click the green plus sign to open the Add NSX Edge Appliance
dialog box, and perform the following actions.
a. Select Compute Cluster B from the Cluster/Resource Pool drop-down menu.
b. Select ds-site-a-nfs02 from the Datastore drop-down menu.
c. Leave all other settings at the default value and click OK.
11 . Click Next.
12. On the Configure Interfaces page, click the green plus sign to open the Add NSX Edge
Interface dialog box, and perform the following actions.
a. Enter Uplink-Interface in the Name text box.
b. For Type, leave UpI.Jnk selected.
c. Click the Connected To > Select link.
d. Click Distributed Portgroup.
e. Select Computc_VDS - HQ Access and click OK.

f. Under Configure subnets, click the green plus sign to open the Add Subnet dialog box.
g. In the Add Subnet dialog box, click the green plus sign to add an IP address field.

110 Lab 12 Configuring Layer 2 VPN Tunnels

 h. Enter 192.168.130.4 in the IP Address text box and click OK to confirm the entry.
i, Enter 24 in the Subnet prefix length text box.

j. Click OK to close the Add Subnet dialog box.

k. Leave all other settings at the default value and click OK.
13. Click the green plus sign to open the Add NSX Edge Interface dialog box, and perform the
following actions .
a. Enter Web-Tier in the Name text box.
b. For Type, click Internal.
•
c. Click the Connected To > Select link.
d. Click Branch-Web-Tier and click OK.
e . Below Configure subnets, click the green plus sign to open the Add Subnet dialog box.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 172.16.10.1 in the IP Address text box and click OK to confirm the entry.
The 172.16.10 .1 IP address assigned to the Branch Gateway on the new Branch- Web-Tier
subnet is the same IP address assigned to Perimeter Gateway on the original Web-Tier
logical switch. This assignment removes the need to change the default gateway setting on
any virtual machine moved to the new network.
h. Enter 24 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.
j. Leave all other settings at the default value and click OK.
14. Compare the interface configurations to the following table . If any interface is not configured
correctly, select it and click the pencil icon to edit it.

Subnet Prefix
Name IP Address Length Connected To
Uplink-Interface 192.168.130.4 24 Mgmt~dge_VDS - HQ Access

Web-Tier 172.16.10.1 24 Branch-Web-Tier

15. Click Next.

16. On the Default gateway settings page, select the Configure Default Gateway check box.
17. Enter 192.168.130.2 in the Gateway IP text box and click Next.
18. On the Firewall and HA page , select the Configure Firewall default policy check box.

Lab 12 Configuring Layer 2 VPN Tunnels 111

19. Click the Accept button for Default Traffic Policy and click Next.
20. On the Ready to Complete page, review the configuration report and click Finish.
21. Above the NSX Edge list, monitor the deployment to completion.
The deployment is complete when 0 installations are active.

...
:'" 1 Installing

Task 5: Configure Branch Gateway as a Layer 2 VPN Client

You configure the NSX Edge services gateway as a VPN client.
1. In the edge list, double-click the Branch Gateway entry to manage that object.
2. In the middle pane, click the Manage tab and click VPN .
3. In the vpn category panel, select L2VPN.
4. In the L2VPN configuration page, click Client
5. Click Change to open the Client Settings dialog box, and perform the following actions.
a. Expand the Client Details section .
b. Enter 192 . 16 B . 100 . lOin the Server Address text box.
This address is the IP address of the perimeter gateway on the HQ-Uplink network. The
192.168.100.10 address is added to the uplink interface later in this activity.
c. Verify that the Server Port is 443.
d. Select Web-Tier from the Internal Interface drop-down menu.
This network is extended by the L2VPN connection to the server.
e. Expand the User Details section.
f. Enter vpn-user in the User Id text box.

g. Enter VMwarel! in the Password text box.

h. Enter VMwareI! in the Re-Type Password text box.
i. Leave all other settings at the default value and click OK.

If the Client Settings dialog box does not close, scroll back through the configuration settings
and look for any setting with a red box around it. The dialog box does not report settings that
fail validation.

112 Lab 12 Configuring Layer 2 VPN Tunnels

6. Click Enable.
7. Wait for the update to complete, then verify that the following settings are configured as shown.
• L2VPN Service Status: Enabled
• Server Address: 192.168.100.10
• Server Port : 443
• Internal Interface: 1
• User Id: vpn-user
•
8. At the top of the navigation pane, click the Networking & Security left arrow button.

Task 6: Add an IP Address to the UpLink Interface

You add a secondary IP address to the uplink interface for VPN communications.
1. In edge list, double-click the Perimeter Gateway entry to manage that object.
2. In the middle pane, click the Manage tab and click Settings.
3. In the settings category list, select Interfaces.
4. In the interfaces list, select the vNIC# 0 interface, and click the pencil icon.
5. In the Edit NSX Edge Interface dialog box, select the single address entry shown and click the
pencil icon.
6. In the Edit Subnet dialog box, perform the following actions.
a. Click the green plus sign to add an IP address field.
b. Enter 192.168.100.10 in the IP address text box and click OK to confirm the entry.
c. Click OK to close the Edit Subnet dialog box.
7. Click OK to commit the interface changes.
8. In the interfaces list, find the vNIC #0 entry, click the Show All link in the IP address column,
and verify that the following IP addresses are shown.
• 192.168.100.3*
Primary address of the interface
• 192.168.100.7
NAT address for web-sv-Ola
• 192.168.100.8
NAT address for web-sv-02a

Lab 12 Configuring Layer 2 VPN Tunnels 113

 • 192.168.100.9
Virtual server address (load balancer)
• 192.168.100.10
New listener address for L2VPN
9. Click OK to close the Assigned IP Addresses dialog box.

Task 7: Add a Web-Tier Interface to Perimeter Gateway

You configure a new interface on the perimeter gateway to give the NSX Edge appliance direct
access to the Web-Tier network.
1. In the interface list, select the vNIC# 2 entry.
2. Click the pencil icon to open the Edit NSX Edge Interface dialog box, and perform the
following actions .
a. Enter Web-Tier-L2VPN in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click the Web-Tier logical switch button and click OK.
e. Above the IP address list, click the green plus sign to open the Add Subnet dialog box.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address entry.
g. Enter 172.16.10.2 in the IP address text box and click OK to confirm the entry.
h. Enter 24 in the Suhnet Prefix Length text box.
i. Click OK to add the IP address and subnet.

j. Leave all other fields at the default value and click OK.

Task 8: Configure Perimeter Gateway as a Layer 2 VPN Server

You configure the perimeter gateway as a VPN server.
1. Under the Manage tab, click VPN.
2. In the VPN category list, select L2VPN.
3. On the L2VPN configuration page, leave Server selected.
4. Click Change to open the Server Settings dialog box, and perform the following actions.
a. Expand the Server Details section.
b. Enter 192.168.100.10 in the Listener IP text box.

114 Lab 12 Configuring Layer 2 VPN Tunnels

 c. Verify that the Listener Port is 443.
d. Select AES256-SHA from the Encryption Algorithm list.
e. Select Web-Tier-L2VPN from the Internal Interface drop-down menu .
f. Expand the User Details section.

g. Enter vpn-user in the User Id text box.

h. Enter VMwarel! in the Password text box.
i. Enter VMwarel! in the Re-Type Password text box.
•
j. Scroll down to the certificate list and click the 172.16.10.1 button.
k. Click OK.
If the Server Settings dialog box does not close , scroll back through the configuration
settings and look for any setting with a red box around it. The dialog box does not report
settings that fai I validation.
5. Click Enable.
6. Wait for the update to complete and verify the following settings.
• ListenerIP: 192.168.100.10
• Listener Port: 443
• Encryption Algorithm : AES256-SHA
• Internal Interface: 2
• User Id: vpn-user
• Server Certificate: MED-APP.CORP.LOCAL
7. At the bottom of the L2VPN configuration page, click Fetch Status and expand the Tunnel
Status section .
8. Verify that the tunnel Status is UP.
If the tunnel status is Down, wait a minute and click Fetch Status again. If the tunnel remain s
down, go back through the lab and verify that all configuration changes have been made and are
correct.
On the L2VPN server side, the tunnel status is Up regardless of whether the client connection is
established. To verify that a client is connected, you must check the status of the client-side of
the tunnel.
9. At the top of the left pane , click the Networking & Security left arrow.
10. In the edge list, double-click the Branch Gateway entry to manage that object.

Lab 12 Configuring Layer 2 VPN Tunnels 115

11 . At the bottom of the L2VPN configuration page, expand the Tunnel status section and click
Fetch Status.
12. Verify that the tunnel status is up.

Task 9: Test Tunnel Connectivity

You perform connectivity tests to determine the functional state of the L2 VPN tunneL
1. Click the vSphere Web Client Home icon.
2. On the vSphere Web Client Home tab, click the Inventories> VMs & Templates icon.
3. In the inventory pane, select Discovered virtual machine> web-sv-02a and select Open
Console from the Actions drop-down menu.
It might take a minute for the console window to initialize. Point to the console window, wait
until the pointer becomes a hand icon, click anywhere in the console window, and press Enter.
4. If prompted to log in, log in as root and enter the VMwarel! password.
5. At the web-sv-02a command prompt, run the following command to view the network interface
configuration.
ifconfig

6. Record the ethO hardware (HWaddr) address . - - - - -

7. At the command prompt, ping the server on the HQ Web-Tier logical switch.
ping 172.16.10.11

Internet Control Message Protocol (TCMP) echo replies are received. Leave the ping command
running,

IfICMP echo replies are not received, press Ctrl+C to stop the ping command, wait one minute ,
and repeat this step.
8. Press Ctrl+Alt to release the pointer.
9. In the Firefox window, select the web-sv-Ol a console tab.

116 Lab 12 Configuring Layer 2 VPN Tunnels

10. Consider the following configuration and answer the follow-up questions.
A layer 2 tunnel connects two NSX Edge gateways: branch gateway and perimeter gateway,
and extends the 172.16.10.0/24 Web-Tier logical switch network. You have initiated a
continuous ping from the Web server on the branch gateway side of the tunnel to the Web server
on the perimeter gateway side of the tunnel.

Q1. If you capture traffic on the web-sv-01 virtual machine, on the perimeter
gateway side of the tunnel, what source IP address would the incoming ping
packets have?
•
Q2. What source hardware (MAC) address would the frames have?

11 . At the web-sv-01a command prompt, examine the Address Resolution Protocol (ARP) table.
arp -a

12. In the ARP table output, find the hardware address for 172.16.10.12 and the IP address ofthe
web-sv-02a virtual machine.

Q3. Is the 172.16.10.12 hardware address the same that you recorded in step 6?

Q4. Is this what you expected to see? If not, why?

The hardware address for web-sv-02a (at 172.16.10.12) is preserved when the tunnel traffic is
decapsulated by the perimeter gateway. Because this is a layer 2 tunnel, response frames sent to
that MAC address are intercepted for encapsulation back to the sending node. This tunnel
differs from an IPsec tunnel, for example, where you might see the source IP with the hardware
address of the gateway interface that faces the destination.

Task 10: Verify Tunnel Connectivity

You use traffic capture tools to verify L2 VPN tunnel communcations.
1. Press Ctrl+Alt to release the pointer and minimize the Firefox window.
2. In the PuTTY window, run the following command to begin capturing packets sent from branch
gateway.
debug packet display interface vNic 0 host 192.168.130.4

Lab 12 Configuring Layer 2 VPN Tunnels 117

3. Use the packet capture output to answer the following questions.

01. Are packets being exchanged between the two NSX Edge gateways?
Perimeter gateway: 192.168.100.10
Branch gateway: 192.168.130.4

02. What source port is being used?

4. In the PuTTY window, press CtrI+C to stop the packet capture .

Task 11: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. Leave the PuTTY window open.
2. Leave the Command Prompt window open.
3. Restore the Firefox window.
4. In the web-sv-02a console tab, press Ctrl+C to stop the ping command .
5. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
6. Click the vSphere Web Client Home icon.
7. In the Firefox window, leave the following tabs open for the next lab.
• vSphere Web Client
• Console to web-sv-Ot a
• Console to web-sv-02a

118 Lab 12 Configuring Layer 2 VPN Tunnels

Lab 13
Configuring IPsec Tunnels
•
Objective: Configure, test, and troubleshoot an IPsec
tunnel designed to connect two sites (HQ and Branch)
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Prepare the Perimeter Gateway for IPsec Tunneling
3. Configure Perimeter Gateway as an IPSec Tunnel Endpoint
4. Prepare the Branch Gateway for IPsec Tunneling
5. Update the web-sv-02a Web Server with the New Web-Tier Subnet Specification
6. Configure Branch Gateway as an IPsec Tunnel Endpoint
7. Test VPN Tunnel Connectivity
8. Troubleshoot and Resolve VPN Tunnel Connectivity
9. Clean Up for the Next Lab

Lab 13 Configuring IPsec Tunnels 119

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop, perform the following
actions.
a . On the Control Center desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop.
2. If the PuTTY window is not open on the ControlCenter desktop, perform the following actions.
a. On the ControlCenter desktop, double-click the PuTTY shortcut,
b. In the PuTTY window, double-click the Edge Services GW saved session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMwarel ! VMwarel ! .
3. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a. In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMwarell.
5. In the Firefox window, if the web-sv-O la console tab is not open, perform the following actions.
a . On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ota.
c. Select Open Console from the Actions drop-down menu .
d. Ifprompted to log in, log in as root and enter the password VMwarel! .
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

6. In the Fircfox window, if the web-sv-02a console tab is not open , perform the following actions.
a. On the vSphere Web Client Home tab, the Inventories> VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-02a.
c. Select Open Console from the Actions drop-down menu.
d. Ifprompted to log in, log in as root and enter the password VMwarel!.
e. Press CtrI+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

120 Lab 13 Configuring IPsec Tunnels

Task 2: Prepare the Perimeter Gateway for IPsec Tunneling
You perform the necessary configuration changes to enable IPsec tunneling on perimeter gateway.
1. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.
2. In the left navigation pane, select NSX Edges.
3. In the edge list, double-click the Perimeter Gateway entry to manage that object.
4. In the middle pane, click the Manage tab and click VPN.
5. In the VPN category panel, select L2VPN.
6. In the L2VPN status panel, click Delete Configuration and click OK when prompted to
confirm.
7. Wait for the update to complete and verify that the L2VPN configuration has been reset and the
service status is Disabled.
•
It might take up to a minute for the update to complete.

8. Under the Manage tab, click Settings.

9. In the settings category panel, select Interfaces.
10. In the interface list, select the Web-Tier-L2VPN interface.
11. Click the red X icon and click OK when prompted to confirm.
12. Wait for the update to complete and verify that the interface has been reset.
13. Under the Manage tab, click Routing.
14. In the routing category panel, select Global Configuration.
15. In the Dynamic Routing Configuration panel, click Edit.
16. In the Edit Dynamic Routing Configuration dialog box , deselect the Enable OSPF check box
and click Save.
The perimeter gateway is configured as an IPsec tunnel endpoint exposing the Web-Tier, App-
Tier and DB-Tier networks. The Web-Tier, App- Tier, and DB-Tier networks are reachable
through the distributed router over the transit network. The networks that are exposed by an
IPsec tunnel endpoint must either be direct-attached subnets or subnets reachable through static
routing. You cannot expose subnets that are only reachable through a dynamic routing update
from OSPF or one of the other supported routing protocols.

17. Click Publish Changes and wait for the update to complete.
18. In the routing category panel, select Static Routes.

Lab 13 Configuring IPsec Tunnels 121

19. Click the green plus sign to open the Add Static Route dialog box, and perform the following
actions .
a . Select Transit-Interface from the Interface drop-down menu.
b. Enter 172.16.0.0/19 in the Network text box.
c. Enter 192.168.10.2 in the Next Hop text box.
This address is the interface address of the distributed router on the Transit network.
d. Click OK.
20. Click Publish Changes and wait for the update to complete.

Task 3: Configure Perimeter Gateway as an IPSec Tunnel Endpoint

You configure perimeter gateway as an IPsec VPN tunnel endpoint that provides tunnel-based
access to the Web-Tier, App-Tier, and DB-Tier networks.

1. Under the Manage tab , click VPN .

2. In the VPN category panel, select IPSec VPN.
3. Above the tunnel endpoint list, click the green plus symbol icon to open the New LPSec VPN
dialog box, and perform the following actions .
a . Verify that the Enabled check box is selected.
b. Enter HQ-Branch in the Name text box.
c. Enter HQ in the Local Id text box.
d. Enter 192 .168 .100 .10 in the Local Endpoint text box.
This address is the same address that identified the Perimeter Gateway as an L2VPN server
in the previous lab .

e. Enter 172 . 16 . 0 . 0/19 in the Local Subnets text box .

Spaces are not allowed in the local subnets specification. Enter the specification exactly as
shown.

f. Enter Branch in the Peer Id text box.

g. Enter 192.168.130.4 in the Peer Endpoint text box.

h. Enter 172.16.40.0/24 in the Peer Subnets text box.
i. Leave AES selected for Encryption Algorithm.

j. Leave the PSK button selected.

k. Enter VMware1! in the Pre-Shared key text box.

122 Lab 13 Configuring IPsec Tunnels

 I. Select the Display shared key check box and verify that the shared key is exactly
VMwarel! .

m. Leave all remaining settings at the default value and click OK.
4. In the top status panel, click Enable.
5. Click Publish Changes and wait for the update to complete .
6. In the status panel, verify that the IPSec VPN Service Status is Enabled.

Task 4: Prepare the Branch Gateway for IPsec Tunneling

You configure branch gateway to enable IPsec VPN tunneling.
1. At the top of the navigation pane, click the Networking & Security left arrow button.
2. In the edge list, double-click the Branch Gateway entry to manage that object.
•
3. In the middle pane, click the Manage tab and click VPN.
4. In the VPN category panel, select L2VPN.
5. In the L2VPN status panel, click Delete Configuration.
6. Click OK when prompted to confirm .
7. Wait for the update to complete and verify that the L2VPN configuration has been reset and the
service status is Disabled.
It might take up to a minute for the update to complete.

8. Under the Manage tab, click Settings.

9. In the settings category panel, select Interfaces.
10. In the interface list, select the Web-Tier interface and click the pencil icon.
11 . In the Edit NSX Edge Interface dialog box, select the 172.16.10.1 entry in the IP Address list
and click the pencil icon.
12. In the Edit Subnet dialog box, select the 172.16.10.1 address and click the pencil icon.
13. Change the IP address to 172.16.40.1 and click OK to confirm the entry.
The Web-Tier network on the branch gateway edge is changed to 172.16.40.0/24.
14. Click OK to close the Edit Subnet dialog box.
15. Click OK to commit the interface changes .

Lab 13 Configuring IPsec Tunnels 123

Task 5: Update the web-sv-02a Web Server with the New Web-Tier
Subnet Specification
You change the networking configuration on web-sv-02a to match the branch topology.
1. In the Firefox window, click the web-sv-02a console tab.
2. At the web-sv-02a command prompt, run the following command to change the IP address of
the web-sv-02a virtual machine.
ifconfig ethO 172.16.40.12 netmask 255.255.255.0

3. Run the following command to change the default gateway used by the virtual machine.
route add default gw 172.16.40 .1 ethO

4. Run the following command to verify that the 172.16.40.12 IP address has been assigned.
ifconfig
5. Run the following command to verify that the default gateway route for 172.16.40 .1 has been
configured.
route

Task 6: Configure Branch Gateway as an IPsec Tunnel Endpoint

You configure branch gateway as an IPsec VPN tunnel endpoint that provides tunnel-based access to
the branch Web-Tier network.
1. In the Firefox window, press Ctrl+Alt to release the pointer.

2. Click the vSphere Web Client tab .

3. In the middle pane, under the Manage tab, click VPN.
4. In the VPN category panel , select IPSec VPN.
5. Above the tunnel endpoint list, click the green plus symbol icon to open the New JPSec VPN
dialog box , and perform the following actions.
a . Select the Enabled check box.
b. Enter HQ-Branch in the Name text box .
c. Enter Branch in the Local Id text box.
d. Enter 192.168.130.4 in the Local Endpoint text box.
e. Enter 172 . 16 .40 . 0/24 in the Local Subnets text box.
f. Enter HQ in the Peer Id text box.

g. Enter 192.168.100.10 in the Peer Endpoint text box.

124 Lab 13 Configuring IPsec Tunnels

 h. Enter 172.16.0.0/19 in the Peer Subnets text box without spaces.
i, Leave AES selected as the Encryption Algorithm.

j. Leave the PSK button selected.

k. Enter VMware1! in the Pre-Shared key text box.
I. Select the Display shared key check box and verify that the shared key is exactly
VMwarel! .

m. Leave all remaining settings at the default value and click OK.
6. Click Enable.
7. Click the Publish Changes button and wait for the update to complete.
8. In the status panel, verify that the IPSec VPN Service Status is Enabled.
•
Task 7: Test VPN Tunnel Connectivity
Use ping tests to determine connectivity status of the IPsec VPN tunnel.

1. Wait one minute for the VPN tunnels to be established, and click the Show IPSec Statistics lillie
2. In the IPSec VPN Statistics pop-up panel , verify that the single virtual private network (VPN)
connection that is listed in the top table has a green check mark in the Channel State column.
3. Select the single connection listed in the top table.
4. Verify that a single tunnel is listed in the bottom table with a green check mark in the Tunnel
State column.
5. Close the IPSec VPN Statistics pop-up panel.
The VPN connection between the two VMware NSX Edge" gateway appliances is established
and a tunnel is open .

6. In the Firefox window, click the web -sv-02a console tab.

7. At the web-sv-02a command prompt, try to ping the following IP addresses.
Press Ctrl+C to stop each ping command after lack of connectivity has been determined,

• 172.16.1 0.11
This address is the IP address of the web-sv-Ol a Web server
• 172.16.20.11
This address is the IP address of the app-sv-Ola application server.

• 172.16.30.11
This address is the IP address of the db-sv-O1a database server.

Lab 13 Configuring IPsec Tunnels 125

Task 8: Troubleshoot and Resolve VPN Tunnel Connectivity
You use ping tests and traffic capture tools to troubleshoot an issue with connectivity through the
IPsec VPN tunnel.
1. In the Firefox window, press Ctr1+AIt to release the pointer.
2. Minimize the window.
3. In the PuTTY window, run the followin g command to capture TeMP packets on the transit
network interface.
debug packet disp lay interface vNic_1 icmp
Traffic traversing the VPN tunnel , from branch to any subnet reachable through perimeter
gateway, appears in decapsulated form on the transit interface.
4. Leave the capture running .
5. Restore the Firefox window.
6. In the web-sv-02a console tab, run the following command to ping the application server.
ping 172.16 .20.11

7. Leave the ping command running, press Ctrl+Alt to release the pointer.
8. Minimize the Firefox window.
9. In the PuTTY window, verify that ICMP echo request packets are being captured leaving the
transit network interface.
The packet addressing is as follows:
• Source: 172.16.40 .12
• Destination: 172.16.20.11
10. Read the synopsis below and answer the questions that follow.
The IPSec VPN tunnels have been established between the perimeter gateway and branch
gateway appliances. The capture on the perimeter gateway shows that the tunnels are
operational, because the traffic is being captured after decapsulation. However, a connectivity
problem exists between the perimeter gateway and the distributed router.

Q1. Iftraffic is reaching the destination network outside of a tunnel (decapsulated),

does this indicate the tunnel is up and working?

Q2. What is the problem because of which no response to be sent back through the tunnel?

126 Lab 13 Configuring IPsec Tunnels

11. Leave the packet capture running, restore the Firefox window, and click the vSphere Web
Client tab.
12. At the top of the left navigation pane, click the Networking & Security left arrow button .
13. In the edge list, double-click the Distributed Router entry to manage that object.
14. In the middle pane, click the Manage tab and click Routing.
15. In the routing category panel, select Global Configuration.
16. In the Default Gateway panel, click Edit to open the Edit Default Gateway dialog box, and

•
perform the following actions.
a. For Interface, leave Transit-Interface selected.
b. Enter 192 . 168 . 10 . 1 in the Gateway IP text box.
This address is the perimeter gateway on the transit network.
c. Leave all other settings at the default value and click Save.
17. Click Publish Changes and wait for the update to complete.
18. Minimize the Firefox window.
19. In the PuTTY window, verify that bidirectional communication is taking place between the
following IP addresses.
• 172.16.40.12
This address is the IP address of the web-sv-02a Web server.

• 172.16.20.11
This address is the IP address of the app-sv-O1a server.

20. Leave the packet capture running.

21. Restore the Firefox window.
22. In the web-sv-02a console tab, press Ctr1+C to stop the ping command.
23. Test connectivity between the web-sv-02a Web server on the branch web-tier network and the
following IP addresses:
• 172.16.10.11
This address is the IP address of the web-sv-O1a server.

• 172.16.30.11
This address is the IP address of the db-sv-O 1a server.
24. In the PuTTY window, press Ctr1+C to stop the packet capture.

Lab 13 Configuring IPsec Tunnels 127

Task 9: Clean Up for the Next Lab
You perform these actions to prepare for the next lab.
1. Leave the PuTTY window open.
2. Leave the Command Prompt window open.
3. Restore the Firefox window and close the web-sv-02a console tab.
4. Click the vSphere Web Client tab.
5. At the top of the left navigation pane, click the Networking & Security left arrow button.
6. In the Firefox window, leave the following tabs open for the next lab.
• vSphere Web Client
• Console to web-sv-Ola

128 Lab 13 Configuring IPsec Tunnels

Lab 14
Configuring and Testing SSL VPN-Plus

Objective: Configure an SSL VPN-Plus portal page and a

direct-access client package
II
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Configure SSL VPN-Plus Server Settings
3. Configure a Local Authentication Server and a Local User
4. Enable SSL VPN-Plus and Test Portal Access
5. Configure an IP Pool and Private Networks
6. Create and Test an Installation Package
7. Test Network Access by Using the SSL VPN-Plus Client Application
8. Review the Client Configuration and Examine Traffic
9. Clean Up for the Next Lab

Task 1: Prepare for the Lab

You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. If a Command Prompt window is not open on the ControlCenter desktop, perform the following
actions.
a . On the ControlCenter desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop .

Lab 14 Configuring and Testing SSL VPN -Plus 129

2. Ifthe PuTTY window is not open on the ControlCenter desktop, perform the following actions.
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double-click the Edge Services GW saved session.
c. Ifprompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMwarel !VMwarel ! .
3. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a. In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMwarel ! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions.
a. On the vSphere Web Client Home tab, click Inventories> VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ola.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMwarel! .
e. Press Ctr1+Alt to release the pointer.
f. Click the vSphere Web Client tab.

g. Click the vSphere Web Client Home icon.

6. On the vSphere Web Client Home tab, click Inventories> Networking & Security.

Task 2: Configure SSL VPN-Plus Server Settings

You configure SSL VPN-Plus to enable branch gateway to act as a VPN server.
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Branch Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click SSL VPN-Plus.
4. In the SSL VPN-Plus category panel, select Server Settings and click Change.
5. In the Change Server Settings dialog box, perform the following actions.
a. For IPv4 Address, leave the 192.168.130.4 (primary) address selected.
b. For IPv6 Address, leave None selected.

130 Lab 14 Configuring and Testing SSL VPN-Plus

 c. Leave the port specification of 443 .
d. Select AES256-SHA from the Cipher List.
e. For Server Certificate, leave the Use Default Certificate check box selected.
f. Click OK.

Task 3: Configure a Local Authentication Server and a Local User

You configure branch gateway to provide local authentication services.
1. In the SSL VPN-Plus category panel, select Authentication .
2. In the middle pane, click the green plus sign icon to open the Add Authentication Server dialog
box, and perform the following actions.

II
a. Select LOCAL from the Authentication Server Type drop-down menu.
b. Deselect the Enable password policy check box.
c. Deselect the Enable account lockout policy check box.
d. Leave all other settings at the default value and click OK.
3. In the SSL VPN-Plus category panel, select Users.
4. In the middle pane, click the green plus sign to open the Add User dialog box, and perform the
following actions.
a. Enter vpn-user in the User ID text box.
b. Enter VMwarel! in the Password text box and the Re-type Password text box.
c. Select the Password never expires check box .
d. Leave all other settings at the default value and click OK.

Task 4: Enable SSL VPN-Plus and Test Portal Access

You enable SSL VPN-Plus and test portal access using a browser.
1. In the SSL VPN-Plus category panel, select Dashboard.
2. In the Status panel, click Enable and click Yes when prompted to confirm.
3. Wait for the update to complete and verify that the service status is Enabled.
4. In the Firefox window, open a new browser tab and go to https://192.l68.130.4.
5. When prompted to confirm the untrusted connection, click the I Understand the Risks link and
click Add Exception.
6. In the Add Security Exception dialog box, click Confirm Security Exception.

Lab 14 Configuring and Testing SSL VPN-Plus 131

7. In the VMware SSL VPN-Plus portal page, log in as vpn-user and enter the password
VMware1!.

8. On the user portal page, verify that one tab labeled Tools is shown, with a Change Password
link available.
9. Click the Logout link in the upper-right corner of the page, in the black status bar, and click
OK when prompted to confirm .
10. In the Firefox window, close the portal tab and click the vSphere Web Client tab.

Task 5: Configure an IP Pool and Private Networks

You configure an IP pool and private networks in preparation for direct-network connectivity by an
SSL VPN-Plus client.
1. In the SSL VPN-Plus category panel, select IP Pool.
2. On the IP Pool configuration page, click the green plus sign to open the Add IP Pool dialog
box, and perform the following actions.
a. Enter 192.168.170.2 in the first IP Range text box .
b. Enter 192 . 168 • 170 .254 in the second IP Range text box.
c. Enter 255.255.255.0 in the Netmask text box.
d. Enter 192.168.170.1 in the Gateway text box.
e. Leave all other settings at the default value and click OK.
3. In the SSL VPN-Plus category panel, select Private Networks.
4. On the Private Networks configuration page, click the green plus sign to open the Add Private
Networking dialog box, and perform the following actions.
a. Enter 172.16.40.0 in the Network text box.
b. Enter 255.255.255.0 in the Netmask text box.
c. Leave all other settings at the default value and click OK.

Task 6: Create and Test an Installation Package

You create and configure an installation package.
1. In the SSL VPN-Plus category panel, select Installation Package.
2. On the Installation Package configuration page, click the green plus sign to open the Add
Installation Package dialog box, and perform the following actions.
a. Enter Test Package in the Profile Name text box.

132 Lab 14 Configuring and Testing SSL VPN-Plus

 b. In the Gateway table, enter 192 .168 .130.4 in the Gateway column text box, leave the
port at 443, and click OK to confirm the entry.
c. In the Installation Parameters for Windows list, select the following check boxes .
• Allow remember password
• Enable silent mode installation
• Create desktop icon
d. Click OK.
3. In the Firefox window, open a new browser tab and go to https ://192.168.130A.
4. When prompted to log in, log in as vpn-user and enter the password VMware1!.
5. In the SSL VPN-Plus portal, on the Full Access tab, click the Test Package link.

Full Access II
Full Access
Available Network Extension clients.

list

Test Package

A new browser window opens.

6. In the new Firefox browser window, click the Please click here to start the installation link.
7. When prompted, click Save File.
8. In the Firefox downloads window, double-click the VMware_index.html-Setup.exe file, and
click Run when prompted.
9. Close the Firefox downloads window.
10. Close new Firefox window that opened when you initiated the installation.
11. In the SSL VPN-Plus portal, click the Logout link in the upper-right corner of the page, in the
black status bar, and click OK when prompted to confirm .
12. Close the portal tab .

Lab 14 Configuring and Testing SSL VPN-Plus 133

Task 7: Test Network Access by Using the SSL VPN-Plus Client
Application
You use the SSL VPN-Plus client application to test direct access to networks available through the
SSL VPN-Plus tunnel.
1. Minimize the Firefox window.
2. In the Command Prompt window, run the following command to try to ping the web-sv-02a.
ping 17 2.16.40.1 2

The ping command does not receive Internet Control Message Protocol (ICMP) echo replies.
3. Leave the Command Prompt window open.
4. On the ControlCenter desktop, find a new shortcut titled VMware Tray.
The VMware Tray shortcut was added when the SSL VPN-Plus test package was installed from
the portal page .
5. Double-click the VMware Tray shortcut to start the SSL VPN-Plus Client application, and
click Login.
6. When prompted, log in as vpn-user and enter the password VMwarel! .
7. Click OK when prompted to confirm the connection has been established.
8. In the Command Prompt window, run the following command to ping the web-sv-02a server.
ping 172.16 .40.1 2

The ping command receives ICMP echo replies .

Task 8: Review the Client Configuration and Examine Traffic

You review the SSL VPN-Plus client configuration and verify tunnel connectivity using traffic
capture tools.
1. On the ControlCenter desktop, double-click the VMware Tray shortcut again.
When the SSL VPN-Plus client is running, double-clicking the program icon opens the statistics
window. The statistics window can also be opened from the client application icon running in
the system tray.
2. In the SSL VPN-Plus Client - Statistics window, click the Advanced tab and answer the
following questions.

01. What is the gateway address and port for the network configuration?

134 Lab 14 Configuring and Testing SSL VPN-Plus

 Q2. What local subnets are exposed to the tunnel client?

Q3. What IP address is assigned to encapsulated packets that traverse the tunnel?

3. On the Control Center desktop , double-click the PuTTY shortcut.

4. In the PuTTY window, enter 192 .168.130.4 in the Host Name (or IP address) text box and
click Open.
5. When prompted, click OK to confirm the PuTTY security alert.
6. Log in as admin and enter the password VMware1 ! VMware1 ! .
7. Run the following command to begin capturing ICMP packets on the internal network.

debug packet display interface vNic 1 icmp

Q4. If you capture packets on the NSX Edge side of the SSL VPN·Plus tunnel, on an
interface connected to the destination subnet, what source IP address do ping
II
packets have?

8. Leave the packet capture running and switch to the Command Prompt window.
9. Run the following command to ping the web-sv-02a server.
ping 172.16 .40 .12

10. Switch to the PuTTY window and verify that an ICMP exchange has occurred between the
following IP addresses.
• 192.168.170.2
This address is the IP address assigned to the SSL VPN-Plus Client application running on
the ControlCenter system.

• 172.16.40.12
This address is the IP address of the web-sv-02a server.

11 . Press Ctr1+C to stop the packet capture.

12. Close the 192.168.130.4 - PuTTY window and click OK when prompted to confirm.
13. On the ControlCenter desktop, double-click the VMware Tray icon.
14. Click Logout on the General tab and click Yes when prompted to confirm.

Lab 14 Configuring and Testing SSL VPN-Plus 135

Task 9: Clean Up for the Next Lab
You perform these actions to prepare for the next lab.
1. Leave the PuTTY window open.
2. Leave the Command Prompt window open.
3. Restore the Firefox window and click the vSphere Web Client tab.
4. At the top of the left navigation pane, click the Networking & Security left arrow button.
5. In the Firefox window, leave the following tabs open for the next lab.
• vSphere Web Client
• Console to web-sv-Ola

136 Lab 14 Configuring and Testing SSL VPN-Plus

Lab 15
Using NSX Edge Firewall Rules to
Control Network Traffic

Objective: Define NSX Edge 'firewall rules to restrict

traffic to one or more Web servers
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Enable Flow Monitoring for Future Reference
3. Restrict Inbound Web Server Traffic to HTTP and HTTPS
4. Determine How the Firewall Rule Interacts with Other NSX Edge Features
5. Clean Up for the Next Lab

Lab 15 Using NSX Edge Firewall Rules to Control Network Traffic 137
Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop, perform the following
actions.
a . On the Control Center desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop.
2. If the PuTTY window is not open on the ControlCenter desktop, perform the following actions.
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double -click the Edge Services GW saved session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMwarel ! VMwarel ! .
3. If the Firefox window has been closed, double -click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a . In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMwarel ! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions.
a . On the vSphere Web Client Home tab, click Inventories> VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ota.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMwarel ! .
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

6. On the vSphere Web Client Home tab, click Inventories> Networking & Security.

138 Lab 15 Using NSX Edge Firewall Rules to Control Network Traffic
Task 2: Enable Flow Monitoring for Future Reference
Flow monitoring is not used in this activity. You enable flow monitoring now so that allowed and
blocked traffic flows can be captured for reference in an upcoming lab.
1. In the left navigation pane , select Flow Monitoring.
2. In the middle pane, click the Configuration tab.
3. On the configuration page , click Enable.

Task 3: Restrict Inbound Web Server Traffic to HTTP and HTTPS

You configure a new firewall rule to restrict traffic destined for a Web server to HTTP and HTTPS.

1. In the left navigation pane, select NSX Edges.

2. In the edge list, double-click the Perimeter Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click Firewall.
4. In the firewall rules list, find the rule named Default Rule.
5. If necessary, use the horizontal scroll bar to uncover the Action column.
6. Point to the Action cell until a plus sign icon appears.
7. Click the plus sign icon.
8. Select the Deny and Log buttons and click OK.
9. Above the rule list, click Publish and wait for the update to complete.
10. In the Firefox window, open a new browser tab and go to https ://172.16.10.1l.
11 . Verify that the Web page cannot be displayed, and close the browser tab.
12. If not active, click the vSphere Web Client tab.
13. On the Firewall configuration page , click the green plus sign to create a row in the rules table.
The new row is highlighted, as shown in the following image.

8 3 ipsec Internal 0 192.-168.100.-10

0 192.-168.130.4

4 User any

8 5 Default Rule Default any

Lab 15 Using NSX Edge Firewall Rules to Control Network Traffic 139
14. Point to the Name cell and click the plus sign .
15. Enter Allowed to Web Servers in the Rule Name text box and click OK.
16. Point to the Destination cell, click the plus sign, and perform the following actions in the pop-
up configuration panel.
a. Select IP Sets from the drop-down menu .
b. Click the New IP Set link at the bottom of the pop-up panel to open the Add TP Addresses
dialog box, and configure the following options.

Option Action
Name Enter Local Web Servers in the text box.

Description Leave blank.

IP Addresses Enter 172.16.10.11 in the text box.

c. Click OK to close the Add IP Addresses dialog box.

The pop-up configuration panel also closes.
17. Point to the Service cell, click the plus sign , and perform the following actions in the pop-up
configuration panel.
a. Enter HTTP in the search text box.
b. Scroll down to the bottom of the service list and select the generic HTTP and HTTPS
check boxes .
c. Click OK to close the pop-up configuration panel.
18. Verify that the Action for the new rule is Accept.
19. Click Publish and wait for the update to complete.
20. In the Firefox window, open a new browser tab and go to https://] 72.16. ]0.1 ] .
21. Verify that the Web page is displayed, or you are prompted with an untrusted connection
message, and close the browser tab.
22. Tfnot active, click the vSphere Web Client tab.

140 Lab 15 Using NSX Edge Firewall Rules to Control Network Traffic
Task 4: Determine How the Firewall Rule Interacts with Other NSX
Edge Features
You determine how a firewall rule interacts with an existing destination NAT rule.
1. In the Firefox window, open a new browser tab and go to https ://192 .168.100.9 .
2. Verify that the Web page is displayed, or you are prompted with an untrusted connection
message, and close the browser tab.
3. If not active, click the vSphere Web Client tab and answer the following quest ions.

Q1. Because the virtual server for load balancing HTTP traffic was configured with
the 172.16.10.11 Web server as a member server, will the rule that you just
created allow HTTP connections to the virtual server IP address of
192.168.100.9?

Q2. Because the load balancer uses destination NAT logic to perform member
server selection, will attempts to connect to the destination NAT rule that you
created earlier in the course for the 172.16.10.11 Web server be allowed?

4. In the Firefox window, open a new browser tab and go to https://192 .168.100.7 .
This address is the destination NAT address for the web-sv-O1a Web server.
5. Verify that the Web page cannot be displayed and close the browser tab.
6. Ifnot active , click the vSphere Web Client tab.
7. In the middle pane, under the Manage tab, click Grouping Objects.
8. In the category panel, select IP Sets.
9. In the IP Set list, select the Local Web Servers entry.
10. Click the pencil icon to open the Edit IP Addresses dialog box, and perform the following
actions.
a. In the IP Addresses text box, change the entry to read as follows (without spaces).
172 .16.10.11,192.168.100.7

b. Click OK.
11. In the Firefox window, open a new browser tab and go to https ://I92.168.100.7.
12. Verify that the Web page is displayed, or you are prompted with an untrusted connection
message, and close the browser tab.
13. If not active, click the vSphere Web Client tab.

Lab 15 Using NSX Edge Firewall Rules to Control Network Traffic 141
14. In the middle pane, under the Manage tab, click Firewall.
15. In the rule list, select the Allowed to Web Servers rule,
16. Click the red X icon to delete the rule and click OK when prompted to confirm.
17. Point to the Default Rule Action cell.
18. Click the plus sign .
19. Click Accept and click OK.
20. Click Publish and wait for the update to complete.

Task 5: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. Leave the PuTTY window open.
2. Leave the Command Prompt window open.
3. At the top of the left navigation pane, click the Networking & Security left arrow button.
4. In the Firefox window, leave the following tabs open for the next lab.
• vSphere Web Client
• Console to web-sv-Ola

142 Lab 15 Using NSX Edge Firewall Rules to Control Network Traffic
Lab 16
Using NSX Distributed Firewall Rules to
Control Network Traffic

Objective: Define NSX Distributed Firewall rules to

restrict traffic to one or more Web servers and between
application tiers
In this lab, you will perform the following tasks:

1. Prepare for the Lab

2. Create a Distributed Firewall Section
3. Configure Cross-Tier Rules
•
4. Restrict Inbound Web Server Traffic to HTTP and HTTPS
5. Review Distributed Firewall Log Entries
6. Restore a Saved Distributed Firewall Configuration
7. Clean Up for the Next Lab

Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic 143
Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop, perform the following
actions.
a . On the Control Center desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop.
2. If the PuTTY window is not open on the ControlCenter desktop, perform the following actions.
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double -click the Edge Services GW saved session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin using the VMwarel ! VMwarel! password.
3. If the Firefox window has been closed, double -click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a . In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root, using the VMwarel! password.
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions.
a . On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ota.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root using the VMwarel! password.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

6. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.

144 Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic
Task 2: Create a Distributed Firewall Section
You create a section that contains your custom firewall rules.
1. In the left navigation pane, select Firewall.
2. In the middle pane, on the Configuration tab, verify that General is selected.
3. In the section list, find the Default Section Layer3 (Rule 1-3) entry.
4. If necessary, use the horizontal scroll bar to uncover the icons that appear on the far right of the
default section.
5. Click the folder icon.

Service Action

6. In the pop-up configuration panel, perform the following actions .

a. Enter Test Section in the Section name text box.
b. Leave Add section above selected.

•
c. Click OK.
7. Click Publish Changes and wait for the update to complete.

Task 3: Configure Cross-Tier Rules

You configure rules to allow basic connectivity between the Web-Tier, App-Tier, and DB-Tier
networks.
1. If necessary, use the horizontal scroll bar to uncover the icons on the far-right side of the Test
Section entry, and click the green plus sign to create a rule.
2. Expand Test Section and find the new rule entry.
3. Point to the Name cell and click the plus sign.
4. Enter Allowed Web To App in the Rule Name text box and click OK.

Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic 145
5. Point to the Source cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Select Logical Switch from the View drop-down menu.
b. Select the Web-Tier check box and click the blue right arrow button to move the switch
into the Selected list.
c. Click OK.
6. Point to the Destination cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Select Logical Switch from the View drop-down menu.
b. Select the App-Tier check box and click the blue right arrow button to move the switch
into the Selected list.
7. Click OK.
8. Point to the Services cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Click the New... link that appears in the lower-left comer of the pop-up panel.
b. Select Service to open the Add Service dialog box, and configure the following options.

Option Action
Name Enter Tomcat-8443 in the text box.

Description Leave blank.

Protocol Leave TCP selected.

Destination ports Enter 8443 in the text box.

Enable inheritance... Leave at the default value (deselected).

c. Click OK to close the Add Service dialog box.

The pop-up configuration panel also closes.
9. Click Publish Changes and wait for the update to complete.
10. Click the green plus sign above the rules list to create a rule.
If the icon is not active, select any rule in the Test Section rule list.
11 . Point to the Name cell and click the plus sign.

146 Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic
12. Enter Allowed App To DB in the Rule Name text box and click OK.
13. Point to the Source cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Select Logical Switch from the View drop-down menu.
b. Select the App-Tier check box and click the blue right arrow button to move the switch
into the Selected list.
c. Click OK.
14. Point to the Destination cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Select Logical Switch from the View drop-down menu.
b. Select the DB-Tier check box and click the blue right arrow button to move the switch
into the Selected list.
15. Click OK.
16. Point to the Services cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Enter SQL in the search text box.
b. In the Available services list, scroll down to find the generic MySQL service .
c. Select the MySQL check box and click the blue right arrow to move the service to the
Selected list.
d. Click OK.
17. Click Publish Changes and wait for the update to complete.
•
Task 4: Restrict Inbound Web Server Traffic to HTTP and HTTPS
You configure a firewall rule that restricts network traffic that is destined for a Web server, to HTTP
and HTTPS .
1. In the Firefox window, open a new browser tab and go to https://172.16.1 0.11 .

2. Click the Firefox refresh icon to reload the page.

3. Verify that the Web page is displayed, or you are prompted with an untrusted connection
message, and close the browser tab.
4. Click the vSphere Web Client tab.
5. In the firewall section list, expand the Default Section Layer3 entry.
6. Point to the Default Rule Action cell and click the plus sign .

Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic 147
7. Click Block and Log and click OK.
8. Click Publish Changes and wait for the update to complete.
9. In the Firefox window, open a new browser tab and go to https:/!l72.l6.10.l1.
10. Iftbe Web page is displayed, click the Firefox refresh icon to reload the page.
11. Verify that the Web page is not displayed, and close the browser tab.
12. Click the vSphere Web Client tab.
13. Click the green plus sign above tbe rules list to create a rule in Test Section.
If the icon is not active, select any rule in the Test Section rule list.
14. Point to the Name cell and click the plus sign.
15. Enter Allowed to Web Servers in the Rule Name text box and click OK.
16. Point to the Destination cell, click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Select Logical Switch from the View drop-down menu.
b. Select the Web-Tier check box and click the blue right-arrow button to move the
Web-Tier entry to the Selected list on the right.
c. Click OK.
17. Point to the Services cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Enter HTTP in the search text box.
b. Select the generic HTTP and HTTPS check boxes and click the blue right arrow button
to move those services to the Selected list.
c. Click OK.
18. Point to the Action cell and click the plus sign that appears.
19. Click Log and click OK.
20. Click Publish Changes and wait for the update to complete.
21. In the Firefox window, open a new browser tab and go to https:/!l72.16.l0.11.
22. Click the Firefox refresh icon to reload the page.
23. Verify that the Web page is displayed, or you are prompted with an untrusted connection
message, and close the browser tab.
24. Click the vSphere Web Client tab.

148 Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic
25. Point to Web-Tier in the Destination cell and click the red X icon that appears to remove Web-
Tier from the Destination cell.
26. Point to the Destination cell and click IP.

Desti 1"1 ati 0 1"1

I IP

27. In the pop-up configuration panel, perform the following actions .

a. Leave IPv4 selected.
b. Enter 172.16.10.11 in the Value text box.
This address is the IP address of the Web server on the Web-Tier logical switch network.
c. Click OK.
28. Click Publish Changes and wait for the update to complete.
29. In the Firefox window, open a new browser tab and go to https ://192.168.100.7.
This address is the destination NAT address that you configured earlier in the course for the
172.16.10.11 Web server.
30. Click the Firefox page refresh icon to reload the page.
31. Verify that the Web page is displayed, or you are prompted with an untrusted connection
•
message, and close the browser tab.
32. Click the vSphere Web Client tab.
33. Read the following summary and answer the question that follows.
In the previous lab, attempts to browse the destination NAT address 192.168.100.7 were
blocked, by the firewall rule defined on perimeter gateway, until the destination IP set was
expanded to include the destination NAT address.

01. Why does the Distributed Firewall rule allow browser connections to the
172.16.10.11 Web server through the destination NAT address 192.168.100.7,
when the rule explicitly defines 172 .16.10.11 as the only valid destination?

Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic 149
Task 5: Review Distributed Firewall Log Entries
You review log entries that detail connections that have been allowed or blocked by firewall rules.

1. In the Firefox window, select the web-sv-ul a tab.

2. At the web-sv-O Ia command prompt, attempt to ping the following servers.
3. Press Ctrl+C to stop each ping command after lack of connectivity is confirmed.
• 172.16.20.11
This addre ss is the IP address of app-sv-Gl a.

• 172.16.30.11
This addre ss is the IP address of db -sv-OIa.

4. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
5. Click the vSphere Web Client Home icon.
6. In the left pane , select Log Browser.
7. In the middle pane, select the Select object now... link to open the Select an Object dialog box ,
and perform the following actions.
a. On the Filter tab, verify that Hosts is selected.
b. In the Hosts list, click esxcomp-Ol a.corp.local.
c. Click OK.
8. Select the Retrieve Now link and wait for the logs to be retrieved from the host.
Log retrieval takes several minutes to complete.

9. Verify that VMKernel is selected in the Type drop-down menu at the top of the pane .
10. Enter DROP in the filter text box, located at the top on the right side of the pane.
Log entrie s describing connections that were dropped because of a firewall rule are displayed.

11. Examine one or more rules by double-clicking the log entry.

12. Enter PASS in the filter text box.
Log entries describing connections that were allowed because of a firewall rule are displayed.
13. Examine one or more rules by double-clicking the log entry.

150 Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic
Task 6: Restore a Saved Distributed Firewall Configuration
You restore the firewall configuration from a saved backup.
1. Click the vSphere Web Client Home icon.
2. On the vSphere Web Client Home page, click the Inventories> Networking & Security icon.
3. In the left navigation pane, select Firewall.
4. In the middle pane, click the Saved Configurations tab.
The configuration list contains several new entries that were autosaved by the system.
5. Click the Configuration tab.
6. Under the General and Ethernet buttons, click the Load saved configuration icon.

l General 1 Ethernet 1

+ [] X - -.II ~ II
7. In the Load Saved Configuration dialog box, scroll down and select the last (oldest) autosaved
configuration, and click OK.
The oldest autosaved configuration was saved when the Test Section was created, prior to new

•
rules being defined.
8. When prompted to confirm , read the message and click Yes.
9. Click Publish Changes and wait for the update to complete.

Task 7: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. Leave the PuTTY window open.
2. Leave the Command Prompt window open.
3. In the Firefox window, leave the following tabs open for the next lab.
• vSphere Web Client
• Console to web-sv-Ola

Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic 151
152 Lab 16 Using NSX Distributed Firewall Rules to Control Network Traffic
Lab 17
Using Flow Monitoring

Objective: Examine network flows using the Flow

Monitoring feature and define a firewall rule based on a flow
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Examine Dashboard Details
3. Review Allowed Flows by Service
4. Add a Firewall Rule Based on a Flow
5. Clean Up for the Next Lab

Task 1: Prepare for the Lab

You perform these action s to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. If a Command Prompt window is not open on the ControlCenter desktop, perform the following
•
actions .
a. On the ControlCenter desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop .
2. If the PuTTY window is not open on the Control Center desktop , perform the following actions.
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double-click the Edge Services GW saved session.

Lab 17 Using Flow Monitoring 153

 c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as adInin and enter the password VMwarel ! VMwarel ! .
3. If the Firefox window has been closed , double-click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions .
a. In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMwarel!.
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions .
a. On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ola.
c. Select Open Console from the Actions drop-down menu.
d. Ifprompted to log in, log in as root and enter the password VMwarel! .
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

Task 2: Examine Dashboard Details

You examine the layout and contents of the dashboard.
1. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.
2. In the left navigation pane, select Flow Monitoring.
3. In the middle pane, click the Dashboard tab.
4. Click the calender icon located in the upper-right comer of the Dashboard pane .
Use the horizontal scroll bar if necessary to uncover the calender icon. The icon is located to the
right of the Time Interval information.

Tirne Interval: 6.12.120 '14 5:05 PM to 6.13.120 '14 5:05 oA,tlo~

II
5. In the Change Time Interval dialog box, select Last 24 hours and click OK.

154 Lab 17 Using Flow Monitoring

6. Find the statistics row located at the top of the Dashboard page.

01. What percent (%) of the traffic flows have been allowed?

02. What percent (%) of the traffic flows have been blocked by a firewall rule?

7. Under the Dashboard tab, click Top Flows.

8. In the flow list, select the top flow based on number of bytes transferred.
The corresponding line in the line graph is highlighted.
9. In the line graph, trace the highlighted line to find the highest peak value.
10. Point to the peak value point.

03. At what time did the peak occur?

11 . Under the Dashboard tab, click Top Destinations.

12. In the flow list, find the top flow based on the number of bytes transferred.

04. What is the destination of the top flow?

13. In the flow list, find the top flow based on the number of packets transferred.

05. Are the destinations the same for the two flows examined?

14. Under the Manage tab, click Top Sources and review the top flow report.

Task 3: Review Allowed Flows by Service

You review the allowed flows by service list.
•
1. Click the Details By Service tab and verify that Allowed Flows is selected.
2. Click the calender icon located in the upper-right comer of the pane.
3. In the Change Time Interval dialog box, select Last 24 hours and click OK.
4. In the allowed flows list, select the Tomcat-8443 flow.

Lab 17 Using Flow Monitoring 155

5. Use the table at the bottom of the pane to answer the following questions.

01. What is the 10 of the rule that allowed the traffic?

02. What distributed firewall section contains that rule?

(click the 10 link to view the rule details)

Task 4: Add a Firewall Rule Based on a Flow

You create a new firewall rule based on a captured flow.
1. In the Firefox window, open a new browser tab and go to https:/1172.I6.10.11.
2. Click the Firefox refresh button to reload the page.
3. Verify that the page is displayed, or you are prompted with an unsecure connection message,
and close the browser tab.
4. Switch to the vSphere Web Client tab.
5. On the Allowed Flows page, in the allowed flows list, select the Tomcat-8443 flow.
6. In the bottom table, click Add Rule for the first flow with a source ofweb-sv-Ola.
The Add Rule button appears in the Actions column on the far right of the table. Use the
horizontal scroll bar if necessary to uncover the Actions column .
7. In the Add Rule dialog box, perform the following actions.
a. Enter Deny Web to App in the Name text box.
b. Click Action> Block.
C. Select Test Section from the Section Name drop-down menu.
d. Leave all other settings at the default value and click OK.
8. In the Firefox window, open a new browser tab and go to https:11172.16.1 0.1).
9. If the page is displayed, click the Firefox refresh icon to reload the page .
10. Allow the page to time out.
It takes several minutes for the page to time out because the Web server is not refusing to
service the request. The Web server cannot reach the application server.
11. After the page has timed out, verify that a 503 Service Temporarily Unavailable
message is displayed .
12. Close the browser tab.

156 Lab 17 Using Flow Monitoring

13. Switch to the vSphere Web Client tab.
14. Click Blocked Flows.
15. In the blocked flows list, select the Tomcat-8443 flow.
16. In the bottom table, find the entry for the traffic that was just blocked by the rule that you
created .
Use the Time Stamp field to determine which row is the most recent entry.
17. In the left navigation pane, select Firewall.
18. In the middle pane, on the Configuration tab, expand Test Section in the rules list.
19. Select the single rule that appears .
20. Click the red X icon to delete the rule, and click OK when prompted to confirm.
21. Click Publish Changes.

Task 5: Clean Up for the Next Lab

You perform these actions to prepare for the next lab.
1. Leave the PuTTY window open.
2. Leave the Command Prompt window open.
3. In the Firefox window, leave the following tabs open for the next lab.
• vSphere Web Client
• Console to web-sv-Ota

Lab 17 Using Flow Monitoring 157

158 Lab 17 Using Flow Monitoring
Lab 18
Managing NSX Users and Roles

Objective: Add an SSO user as an NSX Administrator

and change the role of the user
In this lab, you will perform the following tasks :

1. Prepare for the Lab

2. Add an SSO User with NSX Administration Rights
3. Restrict an NSX User to Administration of a Specific NSX Edge
4. Explore Roles and Scope Limitations
5. Clean Up for the Next Lab

II

Lab 18 Managing NSX Users and Roles 159

Task 1: Prepare for the Lab
You perform these actions to prepare for the lab if you have closed windows or logged out of the
VMware vSphere® Web Client interface.
1. Ifa Command Prompt window is not open on the ControlCenter desktop, perform the following
actions.
a . On the Control Center desktop, double-click the Command Prompt shortcut.
b. Position the Command Prompt window to a convenient location on the desktop.
2. If the PuTTY window is not open on the ControlCenter desktop, perform the following actions.
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double -click the Edge Services GW saved session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMwarel ! VMwarel ! .
3. If the Firefox window has been closed, double -click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a . In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMwarel ! .
5. In the Firefox window, if the web-sv-Ola console tab is not open, perform the following
actions.
a . On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-Ota.
c. Select Open Console from the Actions drop-down menu.
d. If prompted, log in as root and enter the password VMwarel ! .
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.

6. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.

160 Lab 18 Managing NSX Users and Roles

Task 2: Add an ssa User with NSX Administration Rights
You add a user and give administration rights ofVMware NSXTM to that user.
1. In the left navigation pane, select NSX Managers.
2. In the NSX Manager list, click the 192.168.110.42 link to manage that object.
3. In the middle pane, click the Manage tab and click Users.
4. Above the user list, click the green plus sign to open the Assign Role dialog box.
5. On the Identify User page, leave Specify a vCenter user selected.
6. Enter CORP\dory in the User text box and click Next.
7. On the Select Roles page, click NSX Administrator and click Next.
8. On the Limit Scope page, leave No restriction selected and click Finish.
9. Minimize the Firefox window.
10. On the ControlCenter desktop, double-click the Internet Explorer shortcut.
The vSphere Web Client page loads automatically.
11. Log in to the vSphere Web Client interface as dory@corp . local, and enter the password
VMwarel!.

12. On the vSphere Web Client Home tab, examine the feature icons available in the Inventories
panel.

Q1. Can you manage NSX as dory?

Q2. You added dory as an NSX administrator. Why are you unable to manage NSX as dory?

13. Do not close the Internet Explorer window.

14. Click the down arrow control next to the logged in user name and select Logout.

~I~I Halp v I
II
l
emove S ored Data...
I Reset To Factory Defaults

Ct1ange Passv,/ord ...

Logout

Lab 18 Managing NSX Users and Roles 161

15. Minimize the Internet Explorer window.
16. Restore the Firefox window.
17. Click the vSphere Web Client Home icon.
18. On the vSphere Web Client Home tab, click the Inventories> vCenter icon.
19. In the left pane , select vCenter Servers.
20. In the vCenter Server list, click the vc-I-Ola link to manage that object.
21. In the middle pane, click the Manage tab and click Permissions.
22. Click the green plus sign to open the vc-l-Ola - Add Permission dialog box, and perform the
following actions.
a. At the bottom of the Users and Groups panel, click Add to open the Select Users and
Groups dialog box.
b. Select CORP from the Domain drop-down menu .
c. Enter dory in the Search text box.
d. Select the dory entry and click Add.
e. Click OK to close the Select Users and Groups dialog box.
f. In the Assign Role panel, select Administrator from the drop-down menu .
g. Verify that the Propagate to children check box is selected.
h. Click OK and wait for the update to complete.
23. Switch to the Internet Explorer window, log in to the vSphere Web Client interface as
dory@corp. local, and enter the password VMwarel ! .

24. On the vSphere Web Client Home tab, examine the feature icons available in the Inventories
panel.

03. Can you manage NSX as dory?

25. Click the Inventories> Networking & Security icon.

26. In the left navigation pane, select various features and determine which features dory can
administer.

162 Lab 18 Managing NSX Users and Roles

Task 3: Restrict an NSX User to Administration of a Specific NSX Edge
You configure the role assigned to an existing user to restrict administration rights for that user to a
specific NSX Edge instance.
1. As dory, change your own role by performing the following actions .
a. In the left navigation pane, select NSX Managers.
b. In the NSX Manager list, click the 192.168.110.42 link to manage that object.
c. In the middle pane, click the Manage tab and click Users.
d. In the user list, select the CORP\dory entry and click the Change Role link to open the
Edit Role Assignment for vCenter user dialog box.
e. On the Select Roles page, click Security Administrator and click Next.
f. On the Limit Scope page, click Limit access ...

g. Click in the search text box.

h. Select Perimeter Gateway from the drop-down menu and click Add.
i. Click Finish.

j. When prompted to confirm termination of the user session, click Yes.

2. After the update completes, find the error or warning dialog box that is displayed and read the
provided message.
The message indicates that dory no longer has rights to administer the current NSX feature .
3. Close the warning dialog box.
4. At the top of the left navigation pane , click the NSX Managers left arrow.
5. At the top of the left navigation pane , click the Networking & Security left arrow.
6. In the left navigation pane, select NSX Edges.

Q1. As dory, can you administer any N5X Edge other than perimeter gateway?

7. In the left navigation pane, select Logical Switches.

II
Q2. As dory, can you administer any logical switch?

8. Do not close the Internet Explorer window.

9. Click the down arrow control to the right of the logged in user name and select Logout.

Lab 18 Managing NSX Users and Roles 163

Task 4: Explore Roles and Scope Limitations
You configure various roles and scope limitations and review how the NSX administration interface
changes in response.
1. Spend the remaining time you have for this lab exploring how roles and scope limitations affect
access to various NSX features and objects.
• Use the Firefox window and remain logged in to the vSphere Web Client interface as root
to chang e the role and scope limitation assigned to the dory user. Try different
combinations of role and scope limitations.
• Use the Internet Explorer window to log in as [email protected] and explore how the role
and scope limitation affects your ability to examine or configure any NSX feature or object
that you are interested in testing.
• Take notes on any behavior that you did not expect to occur, given a particular role or
scope limitation setting .

Task 5: Clean Up for the Next Lab

You perform these action s to prepare for the next lab.
1. Leave the PuTTY window open .
2. Leave the Command Prompt window open.
3. Close the Internet Explorer window.
4. Click the vSphere Web Client Home icon.
5. In the Firefox window, leave the following tabs open for the next lab.
• vSphere'Veb Client
• Console to web-sv-Ola

164 Lab 18 Managing NSX Users and Roles

Answer Key

Lab 2: Configuring and Deploying an NSX Controller Cluster

Task 3: Verify That the First NSX Controller Instance Is Operational 9
1. Powered-on based on the Play icon showing. 7. 5
2. 2 8. Yes
3. 2048 MB 9. All 5 roles
4. 20GB 10. 4or5
5. Mgmt_Edge_VDS - Mgmt 11. 7 ports, 443 ,2878,2888,3888,6632,6633,
6. 192.168.110.201 7777

Task 5: Verify That the Second NSX Controller Instance Is Operational 13

1. Powered-on based on the Play icon showing. 6. 192.168 .110.202
2. 2 7. 5
3. 2048 MB 8. Yes
4. 20 GB 9. Zero , none of the roles - this may vary.
5. Mgmt_Edge_VDS - Mgmt

Task 7: Verify That the Third NSX Controller Instance Is Operational 15

1. Powered-on based on the Play icon showing. 6. 192.168 .110.203
2. 2 7. 5
3. 2048 MB 8. Yes
4. 20 GB 9. Zero , none of the roles. This might vary.
5. Mgmt_Edge_VDS - Mgmt

Lab 4: Configuring and Testing Logical Switch Networks

Task 3: Verify That Logical Switch Port Groups Appear in vSphere 27
1. Yes 3. Yes, the ID follows the sid keyword in the port
2. Because of the transport zone . Compute group name.
Cluster A and B hosts are attached to the 4. Yes
Compute_VDS distributed switch, and those
clusters have been included in the common
global transport zone.

Answer Key 165

Task 4: Migrate Virtua l Machines to Logical Switches 28
1. Yes 2. No

Task 5: Test Connectivity 30

1. No 6. East-West routing has not been establ ished
2. Yes between the logical switch networks.
3. Yes, the -sv-02a virtual machine , and possibly 7. No
the default gateway if both virtual machines 8. As is the case with East-West routing , North-
are on different hosts. South routing has not yet been established .
4. No 9. Success
5. No

Lab 5: Configuring and Deploying an NSX Distributed Router

Task 3: Verify the Distributed Router Deployment and Configuration 39
1. ds-site-a-nfs01 4. 512 MB
2. Can be either host that is assigned to 5. 500 MB
Management and Edge Cluster. 6. 2
3. 1
Task 4: Test Connectivity 41
1. Yes 5. Yes, the other node on the Web-Tier network
2. Yes and the router interface .
3. Yes 6. No
4. Yes 7. No
8. North-South routing has yet to be established .

Lab 6: Deploying an NSX Edge Services Gateway and Configuring Static

Routing
Task 3: Verify the NSX Edge Gateway Deployment. .49
1. ds-site-a -nfs0 1 4. 512 MB
2. Can be either esx-01a.corp.local or esx- 5. 500 MB
02a.corp .local 6. 10
3. 1 7. 2

Lab 7: Configuring and Testing Dynamic Routing on NSX Edge Appliances

Task 8: Troubleshoot Connectivity Between Logical Switch Networks and the
Management Network 59
1. Yes 5. No
2. Yes 6. No
3. No, only directly connected subnets need to 7. No, Connected is the only selection . Static
be advertised . routes should be added.
4. Yes , Direct connected can be learned , which
is sufficient.

Answer Key 166

Lab 8: Configuring and Testing Network Address Translation on an NSX
Edge Services Gateway
Task 2: Verify Non-Translated Packet Addressing 66
1. No
Task 5: Test Connectivity Using the Destination NAT Translation 70
1. 172.16.10.11, the non-translated IP address 2. No, regardless of any TCP flag sequencing or
of web-sv-O 1a handshake condition that may be set, the IP
addresses do not match.

Lab 9: Configuring Load Balancing with NSX Edge Gateway

Task 7: Use the Packet Capture Capabilities of NSX Edge to Verify Round-Robin Load
Balancing 82
1. NAT 3. Transparent mode
2. Because the load balancer is operating in
nontransparent mode and proxying sessions
between itself and the Web servers on behalf
of the original client.
Task 8: Examine NAT Rule Changes 85
1. No, the original and translated IP addresses 4. No, a virtual server cannot operate on a pool
are both 192 .168.100.9. of destination NAT-defined addresses. Such
2. No functionality would require recursive
application of the NAT logic to each packet
3. To force the traffic into the NAT logic of the
received. The system is not designed to
NSX Edge services gateway where a member
accommodate that type of operation . Only one
server can be selected and the actual
NAT rule can be applied to any packet
destination NAT performed. Traffic received
on the virtual server IP address must undergo received.
a destination NAT translation after the 5. Uplink
destination server is selected from the pool,
based on the configured load-balancing
algorithm. Because server selection is
dynamic , the destination NAT rule triggers the
destination NAT operation where further logic
can be applied .
Task 10: Reposition the Virtual Server and Examine NAT Rule Changes 87
1. Yes 4. The destination NAT translation occurs on the
2. No outbound interface. In this case, vNic_2 facing
3. No the operations are the same. the network that the member servers are
, attached to. The previous destination NAT
rule was applied on the receiving interface
because destination NAT rules must be
applied on the interface connected to the
network that contains the original IP address
to be translated, regardless of ingress or
egress.

Answer Key 167

Lab 11: Configuring NSX Edge High Availability
Task 2: Configure NSX Edge High Availability 100
1. Two 3. Either esx-01a or esx02a , but is the opposite
2. Either esx-01 a or esx02a . of the other node.
4. Yes, by default , HA peer nodes are
maintained on different hosts.
Task 3: Examine the High Availability Service Status and Heartbeat 102
1. Perimeter Gateway-O is active. This node 2. Yes, as denoted in the Peer Host list.
should be the same for all students at this 3. Yes, both services are shown as running.
stage.

Task 4: Force a Failover Condition 103

1. Perimeter Gateway-t is active. This node 3. Yes, both services show as running.
should be the same for all students at this 4. Yes, from Perimeter Gateway-O to Perimeter
stage . Gateway-f.
2. No, vshield-edge-#-O is unreachable .
Task 5: Restore the Failed Node 104
1. Perimeter Gateway-t is active. This node 3. Yes, both services show as running.
should be the same for all students at this 4. No, the failover node remains active and the
stage . restored node simply assumes standby
2. Yes status.

Lab 12: Configuring Layer 2 VPN Tunnels

Task 9: Test Tunnel Connectivity 116
1. 172.16.10.12, the address of the web-sv-02a 3. Yes
virtual machine. 4. Yes, tunnel decapsulation ensures original
2. The MAC address ofweb-sv-02a because the source MAC/IP address.
tunnel wraps layer 2 traffic and, when
decapsulated, the hardware address is
preserved.
Task 10: Verify Tunnel Connectivity 117
1. Yes 2. 443

Lab 13: Configuring IPsec Tunnels

Task 8: Troubleshoot and Resolve VPN Tunnel Connectivity 126
1. Yes, in general , but verification is limited to the 2. The distributed router has no knowledge of
one direction . the remote subnet and has no default gateway
defined .

Lab 14: Configuring and Testing SSL VPN-Plus

Task 8: Review the Client Configuration and Examine Traffic 134
1. 192.168.130.4:443 4. The IP address assigned to the SSL VPN-
2. 172.16.40.0/255.255.255.0 Plus client out of the IP pool specified in the
3. 192.168.170.2 tunnel profile, in this case 192.168.170.2.

168 Answer Key

Lab 15: Using NSX Edge Firewall Rules to Control Network Traffic
Task 4: Determine How the Firewall Rule Interacts with Other NSX Edge Features . . . .141
1. Yes 2. No, the logic is different, even though the
destination NAT logic is used by the load
balancer.

Lab 16: Using NSX Distributed Firewall Rules to Control Network Traffic
Task 4: Restrict Inbound Web Server Traffic to HTIP and HTTPS 147
1. Distributed Firewall rules work on true source
and destination addresses and objects. Such
rules are not affected by transforms (such as
destination NAT translations) performed by
NSX Edge devices.

Lab 17: Using Flow Monitoring

Task 2: Examine Dashboard Details 154
1. Varies, around 75%. 4. app-sv-Ota, but might vary.
2. Varies, around 25%. 5. No, but might vary . The top flow by packet
3. Answers vary. count destination is likely web-sv-01a.

Task 3: Review Allowed Flows by Service 155

1. 1002 2. Default Section Layer3

Lab 18: Managing NSX Users and Roles

Task 2: Add an SSO User with NSX Administration Rights 161
1. No 3. Yes
2. Dory has not been given rights to the VMware
vCenter Server™ system that VMware NSX
Manaqer" is connected to.
Task 3: Restrict an NSX User to Administration of a Specific NSX Edge 163
1. No 2. No

Answer Key 169

170 Answer Key
Lab Topology
 Topology Introduction and Reference

VMware N~figUre, Manage 2 vrnware·

© 20 14 VMware Inc All rights reserved
 Distributed Router
.1 172.16.30.0 24
.1 172.16 .20.0 24

Web Tier DB Tier

.Managemen
. . . . .. . . . .t . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
.1
•......... ~ ~ ~ .... .....•..~ .

: ~ ~ ~ ~ Branch
We b-sv-Ola We b-sv-02a App-sv-Ola DB-sv-01a
Gateway
Perimeter
I .
(.11) (.12) (.11) (.11)
. .... .. . .. .... .. . . . ~?~~.~.y. . 'c~~ p~ t ~ 'A......• ... . . . ... ... . . . . .... •..... . .... . . .. . .... . .. ... ...... ... .... c~";" p~t~' Ii' '.4
.3

HQUplink: 192.168.100.0/24 HQAccess: 192 .168.130.0/24

Management A

Contro ICenter NSX Manager vCenter Server

(.10) (.42) (.22)

ESX-01a (.51) ESX-02a (.52) ESXCOMP- ESXCOMP- ESXCOMP-

Ola (.51) 02a (.52) Olb (,56)

vMotion A: 10.10.30.0/24 vMotion B: 10.20.30 .0/24

Transport B: 192.168.250.0/24
NFS Storage Transport A: 192.168 .150.0/24
(.60) Management B: 192.168.210.0/24
Management A: 192.168.110.0/24
VPOD ROUTER (.2)

~ vmware'
 Physical Topology and Components

You are here

HQ Upli nk: 192.168.100.0/24 HQAccess: 192.168.130.0;24

Management A

ControlCenter vCenter Server

(.10) (.22)

ESX-01a (.51) ESX-02a (.52) ESXCOMP- ESXCOMP- ESXCOMP-

01a (.51) 02a (.52) Olb (.56)

vMotion A: 10.10.30.0/24 vl'v1otion B: 10.20 .30 .0/24

Transport B: 192.168.250.0/24
NFSStorage Transport A: 192.168.150.0/24
(.60) Management B: 192.168.210.0/24
Management A: 192.168.110.0/24
VPOD ROUTER (.2)

VMware N~figUre, Manage 4 vmwere

© 201 4 VMware Inc , All rights reserved
 Virtual Topology and Components

Dist ributed Router

.1 172.16.30.0 24
.1 172.16.20.0 24

Transit
Web Tier Tier DB Tier

.1Y1.a.n.a.g~!,!~ ~~ _ .
.1

Branch
Web-sv-01a Web -sv-02a App-sv-Ola DB-sv-Ola
Gateway
Perimeter (.11) (.12) (.11) (.11)
. .. ... ... ....... .. G~~~.~.y.
.3
. 'c~ ";' P~ t~'A .
:C~';"P~t~'B " " " " " " " :4'r- "" .
HQ Upli nk: 192.168 .100.0;24 HQAccess: 192.168.130.0/24

Management A: 192.168.110 .0/24

VPOD ROUTER (.2)

VMware N~figUre, Manage 5 vmware'

ce 20 1-t VMware Inc . All rig ht s re se rved
 vPodRouter: Static Route (1)
Distri buted Router
.1 172.16.30.0 24
192.168.10 .0 ~ .1 172.16.20.0 24

AQ Tier DB Tier

.. 1Yl.a.n.a~[l1~~t. . . . . . . . . . . . . . . . . . .. . . • • . • . . . . . . . . . . . ~ ~ .
Controller .1
Cluster

Branch
Web-sv-01a Web-sv-02a App-sv-01a DB-sv-01a
Gateway
Perimeter (.11) (.12) (.11) (.11)
. . . . . . . . . . .. . . . . .. ~?~\'.~.y.
.3
. 'C';~p~ tE:A"" " " " "" " " " " """ " " "" "

.--------------------------
"

~,__o
" " " " " " " " " ' " ... .. ;c~';"p~t;; B" " " """ " -l.
HQ Upli nk: 192.168.100.0;24 HQAccess: 192.168 .130.0/24

i"- -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - - - - -- --- - -- - ---,

ControlCenter ,- --~
r I
[Source: 192.168.110.10 (Control Center) :
(.10) ,
r I
I
iI Dest: 172 .16.10.11 (wev-sv-01a) iI
,"
r
II
I
: GW: 192 .168 .110 .2 (vPodRouter) i
/',' ~ 1 --------------------------------- -- ------

;'
//
,r
"
Management A: 192.168.110.0/24

VPOD ROUTER (.2)

VMware N~figUre, Manage 6 vmwere

© 20 14 VMware Inc . All rights reserved
 vPodRouter: Static Route (2)
Distri buted Router
.1 172.16.30.0 24
.1 172.16.20.0 24

Web Tier DBTier

,.ryt.an.a~rr!~ ~ ~ . , , . . ~ ~ .
Controller .1
Cluster

Branch
Web-sv-01a Web-sv-02a App-sv-01a DB-sv-01a
Gateway
Perimeter (.11) (.12) (.11) (.11)
.. .. . . . . . . .. . . . . .. ~?~~.~.y. . 'C';~ p~tE:A"" " " " "" " " " " """ " " "" " " " " " " " " " " " ' " ... . .
.3

\ HQUplink: 192.168.100.0/24 HQAccess: 192.168.130.0/24

'" -_
............ ...... ------...... "
'-,--------- \\
[S-~~-r~-~~192~1-68~ il0~iO-(C~;;t-r~iC~~t~ ~i-]
I
1 \ ,- ---1
1 \
I
I
1
\
\
\ ,
,
"
" I
III !Dest: 172.16.10.11 (wev-sv-01a) !
ControlCenter
r -- - ---- - - -- -- - - -- -- - --- -- - - - - -- - -- - -- - - - -- - - -- --- - -- I
I
I
I
I
\
\
\
, ,"''
, " II

~
!LGW: 192.168.110.2 (vPodRouter) ~
!
(.10) I
I
I
I
I
~
I
J
,
\ ./
: Route : I

i Network : 172 .16.0.0/16 i I

I
I

i Next Hop: 192.168.100.3 i I

I
I

i
I

I
~
(Perimeter Gatewa y on HQ Uplink) i
JI
I
I
I
I

Management A: 192.168.110.0/24

VPOD ROUTER (.2)

VMware N~figUre, Manage 7 vmwere

© 20 14 VMware Inc. All right s re served
Subnet Addresses (1)

Physical:
• Management A: 192.168.110.0/24
• vMotion A: 10.10.30.0/24
• Transport A: 192.168.150.0/24
• Management B: 192.168.210.0/24
• vMotion B: 10.20.30.0/24
• Transport B: 192.168.250.0/24
• HQ Uplink: 192.168.100.0/24
• HQ Access: 192.168.130.0/24

VMware N~figUre, Manage 8 vrnware·

© 20 14 VMware Inc All rights reserved
Subnet Addresses (2)

Virtual
• Web Tier: 172.16.10.0/24
• App Tier: 172.16.20.0/24
• DB Tier: 172.16.30.0/24
• Transit: 192.168.10.0/29

VMware N~figUre, Manage 9 vrnware·

© 20 14 VMware Inc All rights reserved
IP Addresses (1)

lnfrastructure (Management networks)

• ControlCenter: 192.168.110.10 on Management A
• NSX Manager: 192.168.110.42 on Management A
• vCenter Server: 192.168.110.22 on Management A
• ESX-01a: 192.168.110.51 on Management A
• ESX-02a: 192.168.110.52 on Management A
• ESXCOMP-01a: 192.168.210.51 on Management B
• ESXCOMP-02a: 192.168.210.52 on Management B
• ESXCOMP-01b: 192.168.210.56 on Management B
• vPod Router
• .2 on each attached subnet

VMware N~figUre, Manage 10 vrnware·

© 20 14 VMware Inc All rights reserved
IP Addresses (2)

Edges
• Perimeter Gateway
• 192.168.100.3 on HQ Uplink (primary address)
• 192.168.100.7 on HQ Uplink (1:1 NAT forweb-sv-01a)
• 192.168.100.8 on HQ Uplink (1:1 NAT forweb-sv-02a)
• 192.168.100.9 on HQ Uplink (Load balancer)
• 192.168.100.10 on HQ Uplink (L2 and IPsec VPN)
• 192.168.10.1 on Transit
Branch Gateway
• 192.168.130.4 on HQ Access (primary address)
Distributed Router
• 192.168.10.2 on Transit
• 172.16.10.1 on Web Tier
• 172.16.20.1 on App Tier
• 172.16.30.1 on DB Tier

VMware N~figUre, Manage 11 vrnware·

© 20 14 VMware Inc All rights reserved
IP Addresses (3)

Virtual Machines
• Web-sv-01 a: 172.16.10.11 on Web Tier
• Web-sv-02a: 172.16.10.12 on Web Tier
• App-sv-01 a: 172.16.20.11 on App Tier
• DB-sv-01 a: 172.16.30.11 on DB Tier

VMware N~figUre, Manage 12 vmwere'

~ 20 14 YMware Inc All rights reserved
 Lab 1:
Configuring NSX Manager

VMware N~figUre, Manage 13 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology

,. "
~;
tfI'!' ....... ,
,
, c)o-,.----- - - - - ---:---:-- - - - - -----,
I
, \
I
, HQ Upli nk: 192.168.100.0/24 HQAccess: 192.168.130.0/24
I I
I I Management A
I
I
I
I
Contro ICente r i NSX Manager : vCenter Server
(.10) \ (.42) " (.22)
,--------"",

ESX-01a (.51) ESX-02a (.52) ESXCOMP- ESXCOMP- ESXCOMP-

01a (.51) 02a (.52) O1b (.56)

vMotion A: 10.10.30.0/24 vMotion B: 10.20.30.0/24

Transport B: 192.168.250.0/24
NFSStorage Transport A: 192.168.150.0/24
(.60) Management B: 192 .168 .210.0/24
Management A: 192.168.110.0/24
VPOD ROUTER (.2)

VMware N~figUre, Manage 14 vrnware·

© 20 14 VMware Inc All rights reserved
 Lab 2:
Configuring and Deploying an NSX
Controller Cluster

VMware N~figUre, Manage 15 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology

. ,.~ .'7 .'7 .'7 .'7 .'7 .'7 .'7 .'7.'7.'7 .'7.'7 .~ ~ ryT.~ ~a.i'[€.fl] ~~! .
Controller IP Pool:
: Controller ~
l Cluster :
I
lI
I
J.... : I

I
I
192.168.110.201-192.168.110.210 on Management A

,
\ • __
•• _ __ _ ''
1fIII! • •• • •• • .• • • . • • • • • • • • • • •• •• • . • •

HQ Upli nk: 192 .168.100.0/24 HQAccess: 192 .168 .130.0/24

Management A

ControlCenter NSX Manager vCenter Server

(.10) (.42) (.22)

ESX-Ola (.51) ESX-02a (.52) ESXCOMP- ESXCOMP- ESXCOMP-

Ola (.51) 02a (.52) Olb (.56)

vMotion A: 10.10.30.0/24 vMotion B: 10.20 .30.0/24

Transport A: 192 .168.150 .0/24 Transport B: 192.168.250.0/24

NFS Storage
(.60) Management B: 192.168.210.0/24
Management A: 192.168.110.0/24
VPOD ROUTER (.2)

VMware N~figUre, Manage 16 vrnware·

© 20 14 VMware Inc All rights reserved
 Lab 3:
Preparing for Virtual Networking

VMware N~figUre, Manage 17 vrnware·

© 20 14 VMware Inc All rights reserved
Topology (1)

Compute A
..~~~~~e.n:;~ ~ .

E5X-01a E5X-02a E5XCOMP- E5XCOMP- ESXCOMP-

Ola 02a Olb

Transport A: 192 .168 .150 .0/24 Transport B: 192.168.250.0/24

VPOD ROUTER (.2)

VMware N~figUre, Manage 18 vrnware·

© 20 14 VMware Inc All rights reserved
Topology (End)

~
Global Transport Zone ,/ -, VXLAN ID Pool: 5000-5999
I
,~-----------------------------~ ,--------------------------- " \
I \
I I
. .. ". Ma
"
nagement
". " . .Compute A Com pute B
.
·· ..
·.
·.
·.

E5X-01a E5X-02a E5XCOMP- E5XCOMP- ESXCOMP-

Ola 02a Olb

Transport A: 192 .168.150.0/24 Transport B: 192 .168.250.0/24

VTEP-Pool-1: 192.168.150.51-192.168.150.60 > VTEP-Pool-2: 192.168.250.51-192.168.250.60 >

GW: 192.168.150.2 GW: 192 .168.250.2
VPOD ROUTER (.2)

VMware N~figUre, Manage 19 vmwere

© 201 4 V Mw are Inc , All rights reserved
 Lab 4:
Configuring and Testing Logical Switch
Networks

VMware N~figUre, Manage 20 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology

,
,-------------------------------------,
172.16.30.0 24 '
172.16.20.0 24

Web Tier

••••••••• •••••••••••••• ••••••• ••.••••••• 1YI.a. ~a.g,e.r1) ~~!

Controller
.
~ ' '' '' ' '' '()
'' ~ ~
Cluster ·
: ~
':'.- ,. :.
·· ...
·
Web-sv-Ola Web-sv-02a App-sv-01a DB-sv-01a
.I (.11) (.12) (.11) (.11)
. . . . . .. . .. .. .. .. . .. . .. .. . . .. .. .. .. . . . . .. . .. .. . . :'1 .:
\ Com pute A ~
,:I
Com pute B
.

,-------------------------------------~
HQ Uplink: 192.168.100.0/24

Management A
192.168.110.0;24

ControlCenter NSX Manager vCenter Server VPOD ROUTE R (.2)

(.10) (.42) (.22)

VMware N~figUre, Manage 21 vmwere

© 20 14 VMware Inc . All rights reserved
 Lab 5:
Configuring and Deploying an NSX
Distributed Router

VMware N~figUre, Manage 22 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology

,--------------------------------------~,
I Distributed Router \
.1 172.16.30.0 24
.1 172.16.20.0 24

Web Tier Tier DBTier

·· · ·· · · · · · · ···· C~~~~~;··· · · · ·· ·· ·M"~~.m"" j: •..... .... ()

~ ~
, T~
. ,T · ~
. ,T ........•: .
I : . 0 0 0 . :

I : : :
I : . .
: ~ Web-sv-01a Web-sv-02a App-sv-01a DB-sv-01a
I : (.11) (.12) (.11) (.11)
I : .
. . .. . .. . . . . .. . . . . .. . .. .. . . .. . . . . .. . . .. . . . .. . . . . . .. .\ : :ca"~ p~ t~ '1i ' ,. c~';"pu't~' Ii' .
,---------------------------------------~
HQ Uplink: 192.168.100.0/24 HQAccess: 192.168.130.0/24

Management A
192.168.110.0/24

ControlCenter NSX Manager vCenter Server VPOD ROUTE R (.2)

(.10) (.42) (.22)

VMware N~figUre, Manage 23 vmwere

© 20 14 VMware Inc . All rights reserved
 Lab 6:
Deploying an NSX Edge Services Gateway
and Configuring Static Routing

VMware N~figUre, Manage 24 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology

Distributed Router
I ,---------------------------, , .=.
l t----'. 172.16.30.0 24
----=.'-====~=____,

.1 172 .16.20.0 24

Web Tier Tier DB Tier

. • . • . . . . . . . . . • . . . . • . . • • • • • . . . . .ry1.a.,,!a.~.11) ~~!. .
Cor.troller
(,:JustE'r
.1

Perimeter
We b-sv-01a We b-sv-02a App-sv-01a DB-sv-01a
Gateway
(.11) (.12) (.11) (.11)
" :3 ...... :ca'~'p~t~ 'f" .•... .. •.... . .. ..• ... .•.... ... ... . .. . .... ....... ...... .. . .•..... ..
compu te B
~-------------------- -----~
HQ Uplink: 192.168.100.0/24 HQAccess: 192.168.130.0/24

Management A
192.168.110.0;24

ControlCenter NSX Manager vCenter Server VPOD ROUTE R (.2)

(.10) (.42) (.22)

VMware N~figUre, Manage 25 vmwere

© 20 14 VMware Inc . All rights reserved
 Lab 7:
Configuring and Testing Dynamic Routing
on NSX Edge Appliances

VMware N~figUre, Manage 26 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology (1)

Through OSPF, Perimeter Gateway and Distributed Router share

routes to known subnets.
Subnets on both sides must be .1 172.16.30.0 24

known and advertised. .1 172.16.20.0 24

DB Tier

Perimeter
Gateway Web-sv-Ola Web-sv-02a App-sv-Ola DB-sv-Ola
(.11) (.12) (.11) (.11)
.... .. . .. ...... .. .. . . . . ... ... ..... ... ... .. .. . . . . . . . .j
Com put e A

HQUplink: 192.168.100.0/24

Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R (.2)

(.10)

VMware N~figUre, Manage 27 vmwere

© 20 14 VMware Inc. All rights re serve d
 Topology (End)

,
,;------------------------,
Control "
:
II
I
I
I
1 .3 VM (protocol address)

Distributed Router I
.........,..:=,
I
I

II

1_ _--i1i-- ---=.
17:...:2:::..=.,:
16::..:;.3::,:0::.:..0=-=2",-
4---,
192.168.10.0 29 I :::J...--'•.::.
l _--;:; - ""'-'--'''-'-='''-'-'='~'-'=='-
172.16.20.0 24----,

Transit
Tier DB Tier

I
... . ................ ...... ............. . iy1.a.':a.~.n:> !'!'L .
con taller :
CI~ster
I Control .1
VM
Perimeter
I Web-sv-Ola Web-sv-02a App-sv-Ola DB-sv-Ola
I Gateway ........~....
I . (.11) (.12) (.11) (.11)
............\ ;'
,~------------~ -,~
com put e A Com put e B

HQ Uplink : 192.168.100.0/24 HQAccess: 192.168.130.0/24

(J
~.
~
o
~
t--- - - - - -- - - - - - - - - --='--- - - ----q
Management A
192.168.110.0/24

ControlCente r VPOD ROUTE R P)

(.10)

VMware N~figUre, Manage 28 vrnware·

:2) 20 14 VMv•rare Inc. All nqhts reservad
 Lab 8:
Configuring and Testing Network Address
Translation on an NSX Edge Services
Gateway

VMware N~figUre, Manage 29 vmware'

~ 20 14 v Mw are Inc All rights reserved
 Topology

Distributed Router
.1 172.16.30.0 24
.1 172 .16.20.0 24

DB Tier

. . . . .. . . . . . . . . .. . . ... .... .. . .... .... . .. . ry1.a.n.a.~.r1)~ ~!

Controller
Cluster
.1

Perimeter
App-sv-01a DB-sv-01a
Gateway

Com pute B
.3
HQAccess: 192.168.130.0/24

Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R (.2)

(.10)

VMware N~figUre, Manage 30 vmwere

© 20 14 VMware Inc . All rights re serve d
 Lab 9:
Configuring Load Balancing with N5X
Edge Gateway

VMware N~figUre, Manage 31 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology (1) . Different Subnets

Distributed Router
.1 172.16.30.0 24
.1 172.16.20.0 24

Web Tier DBTier

... . . . . . . . . . . .. .. .. .. . . . . . . .... . • . •..... 1y1.a.,!a.~!1)~~! .

Controller
Cluster
.1

Perimeter
Gateway

Compute B
.3
HQ Uplink : )~2. 1.68.100.0/24 HQAccess: 192.168.130.0/24
(1:1 NAT to web-sv-Ola .7) ," ", / "
(1:1 NAT for web-sv-02a .8) / " ""
,----------------- -------, /
I '
I (LB Virtual Server .9) ./
,---------------------------
Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R (.2)

(.10)

VMware N~figUre, Manage 32 vmwere

© 20 14 VMware Inc. All right s re serve d
 Topology (1) " Same Subnet

Distributed Router
.1 172.16.30.0 24
.1 172.16.20.0 24

Web Tier AQ Tier DBTier

~
• • • . • • . • • • • • • . . . . • . . • . • • • . • • . • • • • • • • •. • •ry1.a.,!aJle.r1) ~ ~!
Controller
1 ~ •.. . . .. ~ ~ ~
; ;. •. . . . . . . . . . .

Cluster

Perimeter
(----:-, : ,--~------~--, ~
.1 : "-~,' Web-sv-Ola Web-sv-02a 1 App-sv-01a
~
DB-sv-01a
Gateway
: i-' ~" (.11) (.12) : (.11) (.11)
: ,----------------- ,1
. c~ ;,; p~t~ i>: . Com pute B
.3
HQ Uplink: 192.168.100.0/24 HQAccess: 192.168.130.0/24
(1:1 NAT to web-sv-Ola .7)

(1:1 NAT for web-sv-02a .8)

Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R (.2)

(.10)

VMware N~figUre, Manage 33 vmwere

© 20 14 VMware Inc . All rights reserved
 Lab 10:
Advanced Load Balancing

VMware N~figUre, Manage 34 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology

Distributed Router
.1 172.16.30.0 24
.1 172.16.20.0 24

Web Tier DBTier

·• I
~;;~
,--~----- ~ ~ ----, ,

!Web-sv-Ola We b-sv-02a ! App-sv-01a DB-sv-01a

· : (.11) (.12) : (.11) (.11)
• , I
~ :~/~ ,,:-.~::-.-.~::-.-.-:::-.-.-:~ .
Com pute r, " Comput e B
.3
" I
HQ Uplink : )~2. 168.100.0/24 HQAccess: 192.168.130.0/24
" I'
(1:1 NAT to web-sv-Ola .7) " /
I I

(1:1 NAT for web-sv-02a .8) / " " "

,----------------- -------,
I I
/
I (LB Virtual Server .9) /
,---------------------------
Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R (.2)

(.10)

VMware N~figUre, Manage 35 vmwere

© 20 14 VMware Inc . All rights reserved
 Lab 11:
Configuring NSX Edge High Availability

VMware N~figUre, Manage 36 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology

Distributed Router
_=-=
. 1'-----------------="--'='==~~___,
172.16.30.0 24
.1 172.16.20.0 24

Web Tier DB Tier

.. . . .... .... . . . . . . . . . . . . . . . ~.•.•.•.•.• ry1~.~.~~~ .•.•.•.•.• .•.,

Controllea Perimeter .1 l
Clusterl Gateway ~
I l
I l
I l
I ~ We b-sv-Ol a We b-sv-02a App-sv-01a DB-sv-01a
I ~
I ~ (.11) (.12) (.11) (.11)
.. ............. ....I. . . .............. . . . ..... . . ............... "~ 'co";' p~ i ~ 'A """" "" " " "" " " " " " " " " "" " " "" "" " " " " " ' " . 'C~";"pu't~ 'B " " " " " " " " ' " .
.3
HQ Uplink: 192.168.100.0/24 HQAccess: 192.168.130.0/24
(1:1 NAT to web-sv-Ola .7)

(1:1 NAT for web-sv-02a .8)

(LB Virtual Server .9)

Management A
192.168.110.0;24

ControlCenter VPOD ROUTE R(.2)

(.10)

VMware N~figUre, Manage 37 vmwere

© 20 14 VMware Inc . All rights reserved
 Lab 12:
Configuring Layer 2 VPN Tunnels

VMware N~figUre, Manage 38 vrnware·

© 20 14 VMware Inc All rights reserved
Topology (1)

Using an L2 tunnel, two logical switches are "combined" to form a

single broadcast domain

Distri buted Router

.1 172.16.30.0 24
.1 172.16 .20.0 24

Branch
Web Tier

eI <.---------
Web-sv-Ola Web-sv-01a App-sv-Ola DB-sv-01a
(.12) (.11) (.11) (.11)

Compute B
'C; ~, p~ t ~ 'A .

VMware N~figUre, Manage 39 vmwere

© 20 14 VMware Inc. All right s re serve d
 Topology (End)
~~-~~-------~~~"
Distributed Router ~~~~~ .........
,~~~' '"
.1 ~ ~~ 172.16.30.0 24 -,
~" "
.1.. :i4!:::~172. 16 . 20 .0 24 ......,......

Branch ......
A Tier DBTier Web Tier .. :~~ _
I I
I 172.16.10.0 24 I:
______________

. .. . . . . . • . . . • . . . . . . . .. .... .. _ iYI.a.n.a.g~ rr! ~ • ... . • . . • . . .•.

Branch
Gateway

Web-sv-01a App-sv-01a DB-sv-Ola Web-sv-02a

(.11) (.11) (.11) (.12)
.: .
.
Com pul e A
.3
HQ Uplink: 192.168.100.0/24
(1:1 NAT to web-sv-Ola .7)

(1:1 NAT for web-sv-02a .8)

;:~_~i~:~~I_:~~v_e~ .~~ __\.~_---~~-----~~~~~~~~~~~~~

: (L2 & IPsecVPN .10) _--------
,---------------------------
Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R (.2)

(.10)

VMware N~figUre, Manage 40 vmwere

© 20 14 VMware Inc. All right s re served
 Lab 13:
Configuring IPsec Tunnels

VMware N~figUre, Manage 41 vrnware·

© 20 14 VMware Inc All rights reserved
Topology (1)

Using an IPsec tunnel, a remote subnet "appears" as being available

through the local gateway (routes as if directly attached).

Perimeter
Branch Gateway Distri but ed Router
.1 172.16.30.0 24
Web Tier
• 172.16.40 .0/24 .1 172.16.20.0 24

Web Tier DB Tier

~" " " "" " T" " " " " " " " " "" " ' : " "" T "" ' " ~ ..
: We b-sv-02a
: (.12) . C1 C1
Compute B
~ ~ ~ .
Web-sv-01a App-sv-Ola DB-sv-Ola
(.11) (.11) (.11)

Com put e A

VMware N~figUre, Manage 42 vmwere

© 20 14 VMware Inc. All rights reserved
 Topology (End)

Distributed Router
.1 172.16.30.0 24
J .1 172.16.20.0 24

Branch
Transit
Web Tier Tier DB Tier Web Tier
172.16.40 .0 24

. • . . . . • . • • . . • . • . . . . • . • _..• .. _•. .•• .•• .i'y1.a.n.a.!frr! ~ • . .•. • • . • • . . • .

Branch
Gateway

Web-sv-01a App-sv-01a DB-sv-01a Web-sv-02a

(.11) (.11) (.11) (.12)

·Co·mpuie·A· ·· ·· ·· · ········ · · ·· ······ · ·· ·· · ··· · · ···· ········ ······ ·· · · ·· ··· · .

.3
HQ Uplink: 192.168.100.0/24
(1:1 NAT to web-sv-01a .7)

(1:1 NAT for web-sv-02a .8)

;:~_~i~:~~I_:~~v_e~ .~~ __\.~ __--~--~~~~~~~~~~~~~~~~~

l (L2 & IPsecVPN .10) _~---~-~~
,----------------------~----
Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R (.2)

(.10)

VMware N~fjgUre, Manage 43 vmwere

© 20 14 VMware Inc. All right s re serve d
 Lab 14:
Configuring and Testing SSL VPN-Plus

VMware N~figUre, Manage 44 vrnware·

© 20 14 VMware Inc All rights reserved
Topology (1)

Using SSL VPN-Plus, remote subnets are presented to clients as if

those subnets are directly accessible through a local router, with
routes being provided automatically.

Branch
Web Tier
• 172 .16.40 .0/24 • Branch
Gateway

: We b-sv-02a
~ (.12)
.
c~';"·PC:t~· Ii· .

VMware N~figUre, Manage 45 vmwere

© 201 4 V Mw are Inc , All rights reserved
Topology (End)

Distri buted Router

.1 172.16.30.0 24
.1 172.16.20.0 24

Branch
Web Tier Web Tier

. ..... .. .. . .... •. . • .. . . . •. . •1'f1.a.n.a.g!,~ ~ • . . . . • . . • . . . • .

Branch
Gateway

Web-sv-01a App-sv-01a DB-sv-01a Web-sv-02a

(.11) (.11) (.11) (.12)
'f" ... .. . .. •.. . . . . .. . .. . .. . .. . .. •.. . . . . .. . ... .. . .. . .•. .. . .. . .. . . . . .. ..: .C~ m'p';t e ' e ' .

,,---------
:ca"~ p~ t ~

.3
HQ Uplink: 192.168.100.0/24 HQAccess: 192.168.130.0/24
(1:1 NAT to web-sv-01a .7)

(1:1 NAT for web-sv-02a .8)

(LB Virtual Server .9)

(L2 & IPsecVPN .10)

Management A
192.168.110.0/24

VPOD

VMware N~figUre, Manage 46 VI11Ware"

© 201 4 V Mware Inc, All rights reserved
 Lab 15:
Using NSX Edge Firewall Rules to Control
Network Traffic

VMware N~figUre, Manage 47 vrnware·

© 20 14 VMware Inc All rights reserved
 Topology

Distri buted Router

.1 172.16.30.0 24
.1 172.16.20.0 24

Branch
Transit
Web Tier DBTier Web Tier
172.16.40.0 24

.. . ,--------- ------,
c~t~~;!;;;::~,o;""' . i ·· · · · ·· · · , ()
'~ ~~ ~
Branch
Gateway
. . . 0_'_
•
I
I
I
I
.
:
:
:
0

Web-sv-01a
0

App-sv-01a DB-sv-01a Web-sv-02a

I .
I : (.11) (.11) (.11) (.12)
I :
.... ..... ....... ........ ·1····· ···· ·········· comp~te'f,, " """ "" "" """" " "" """" " """""""""" " ' "

,-------- -------,
r - -----"L--------"''--------O
HQ Uplink: 192.168.100.0/24 HQAccess: 192.168.130.0/24
(1:1 NAT to web-sv-01a .7)

(1:1 NAT for web-sv-02a .8)

(LB Virtual Server .9)

(L2 & IPsecVPN .10)

Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R(.2)

(.10)

VMware N~figUre, Manage 48 vmwere

© 20 14 VMware Inc . All rights reserved
 Lab 16:
Using NSX Distributed Firewall Rules to
Control Network Traffic

VMware N~figUre, Manage 49 vmware'

~ 20 14 VMware Inc All rights reserved
 Topology

Distri buted Router

.1 172.16.30.0 24
.1 172.16.20.0 24

Branch
Transit
DB Tier Web Tier
172.16.40.0 24

. ..... .. .. . .... • . . . •. . . . •. • •ryT.a.n.a.l5!'~ ~ . . . . . • . . • . . . . .

.1
Branch
Gateway

Web-sv-01a App-sv-01a DB-sv-01a Web-sv-02a

(.11) (.11) (.11) (.12)
'c';~ p ~ t ~ 'f" . . . . . .. .. . . . . . .. . . . .. . .. . ... . . . . .. . .. . .. . .. . . . . . .. .. . .. . . .. .. . . .. . .
C~ m'p';te' e' .
.3
HQ Uplink: 192.168.100.0/24 HQAccess: 192.168.130.0/24
(1:1 NAT to web-sv-01a .7)

(1:1 NAT for web-sv-02a .8)

(LB Virtual Server .9)

(L2 & IPsecVPN .10)

Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R (.2)

(.10)

VMware N~figUre, Manage 50 vrnware·

© 20 14 VMware Inc All rights reserved
 Lab 17:
Using Flow Monitoring

VMware N~figUre, Manage 51 vmware'

~ 20 14 VMWi'lre Inc All rig hts reserved
 Topology

Distri buted Router

.1 172.16.30.0 24
.1 172.16.20.0 24

Branch
Transit
DB Tier Web Tier
172.16.40.0 24

. ..... .. .. . .... • . . . •. . . . •. • •ryT.a.n.a.l5!'~ ~ . . . . . • . . • . . . . .

.1
Branch
Gateway

Web-sv-01a App-sv-01a DB-sv-01a Web-sv-02a

(.11) (.11) (.11) (.12)
'c';~ p ~ t ~ 'f" . . . . . .. .. . . . . . .. . . . .. . .. . ... . . . . .. . .. . .. . .. . . . . . .. .. . .. . . .. .. . . .. . .
C~ m'p';te' e' .
.3
HQ Uplink: 192.168.100.0/24 HQAccess: 192.168.130.0/24
(1:1 NAT to web-sv-01a .7)

(1:1 NAT for web-sv-02a .8)

(LB Virtual Server .9)

(L2 & IPsecVPN .10)

Management A
192.168.110.0/24

ControlCenter VPOD ROUTE R (.2)

(.10)

VMware N~figUre, Manage 52 vrnware·

© 20 14 VMware Inc All rights reserved