Learn NSX Day 12 : Spoof Guard

Spoof Guard

SpoofGuard is a useful feature that helps prevent a rogue system from joining the network by pretending to be another server. NSX keeps, per vNIC, the list of IP addresses approved for that vNIC's MAC address (learned through VMware Tools, or through DHCP and ARP snooping in later 6.x releases) and drops traffic whose source IP is not on the approved list. It is separate from the Distributed Firewall, but it matters for firewall rules: DFW rules written against vCenter objects are enforced as IP addresses, so without SpoofGuard a compromised VM can change its own IP and inherit the permissions of whichever rule allows that address. SpoofGuard is configured as a policy per logical switch or port group and is disabled by default. See VMware's description for further information.

[Screenshot: spoof-guard]

Operation Modes

  • Automatically Trust IP Assignments On Their First Use: the first IP seen on a vNIC is approved without review; any later change is held until an administrator approves it. Caveat: a VM that is already misconfigured or compromised when the policy is enabled gets its current address approved, so this mode suits an established environment you already trust
  • Manually Inspect and Approve All IP Assignments Before Use: every IP is held until an administrator approves it, and until then the vNIC cannot send traffic; safer for new deployments, at the cost of an approval step for every VM
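The two modes as a small policy model, added here as an example (it is not NSX code and not from the original post): the vNIC names, the addresses and the DFW rule they stand in for are a constructed sample, and the duplicate-IP reporting that the NSX UI surfaces is deliberately left out. The case worth noticing is the third VM, which is already using someone else's address when the policy first sees it: in trust-on-first-use mode that spoofed address is approved, whereas a VM that re-addresses itself after its first use is caught in either mode.

```python
"""Model of the two NSX SpoofGuard operation modes. Added illustration, not
NSX code: vNIC names and addresses are a constructed sample, and duplicate-IP
reporting that the NSX UI surfaces is deliberately left out of the model."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    TRUST_FIRST_USE = "Automatically Trust IP Assignments On Their First Use"
    MANUAL_APPROVE = "Manually Inspect and Approve All IP Assignments Before Use"


@dataclass
class SpoofGuardPolicy:
    mode: Mode
    approved: dict = field(default_factory=dict)  # vnic -> set of approved source IPs
    pending: dict = field(default_factory=dict)   # vnic -> set of IPs awaiting approval
    audit: list = field(default_factory=list)

    def report_ip(self, vnic: str, ip: str) -> None:
        """An IP was discovered on a vNIC (VMware Tools, DHCP or ARP snooping in NSX)."""
        approved = self.approved.setdefault(vnic, set())
        if ip in approved:
            return
        # Trust-on-first-use only applies while the vNIC has no approved IP at all;
        # any later change still needs an administrator.
        if self.mode is Mode.TRUST_FIRST_USE and not approved:
            approved.add(ip)
            self.audit.append(f"auto-approved {ip} on {vnic}")
        else:
            self.pending.setdefault(vnic, set()).add(ip)
            self.audit.append(f"held {ip} on {vnic} pending approval")

    def approve(self, vnic: str, ip: str) -> None:
        """Administrator approves an IP for a vNIC."""
        self.pending.get(vnic, set()).discard(ip)
        self.approved.setdefault(vnic, set()).add(ip)

    def allow(self, vnic: str, src_ip: str) -> bool:
        """Enforcement at the vNIC: only approved source IPs may send."""
        return src_ip in self.approved.get(vnic, set())


def scenario(mode: Mode) -> dict:
    """Three VMs on one logical switch; assume a DFW rule allows 10.0.1.10 to reach the DB."""
    policy = SpoofGuardPolicy(mode)
    policy.report_ip("web-01", "10.0.1.10")        # legitimate web server
    policy.report_ip("attacker-vm", "10.0.1.50")   # boots with its own address...
    policy.report_ip("attacker-vm", "10.0.1.10")   # ...then re-addresses itself as web-01
    policy.report_ip("late-vm", "10.0.1.10")       # already spoofing when first seen
    result = {
        "web_legit": policy.allow("web-01", "10.0.1.10"),
        "attacker_changed_ip": policy.allow("attacker-vm", "10.0.1.10"),
        "late_first_seen_spoofed": policy.allow("late-vm", "10.0.1.10"),
        "pending": {v: sorted(ips) for v, ips in policy.pending.items() if ips},
    }
    policy.approve("web-01", "10.0.1.10")          # the admin review step of manual mode
    result["web_after_approve"] = policy.allow("web-01", "10.0.1.10")
    return result


if __name__ == "__main__":
    for mode in Mode:
        print(mode.name, scenario(mode))
```

In trust-on-first-use mode the attacker's re-addressing is held pending and blocked, but late-vm sails through; in manual mode nothing sends until approved, including the legitimate web server, which is the operational price of that mode.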

Topics :
Learn NSX – Home
Learn NSX Day 1 : NSX Requirements
Learn NSX Day 2 : NSX Deployment Best Practice
Learn NSX Day 3 : NSX Manager and NSX Controller
Learn NSX Day 4 : NSX Roles
Learn NSX Day 5 : NSX HA, Edge, REST API
Learn NSX Day 6 : NSX and Logical Switches
Learn NSX Day 7 : Deploying ESXi
Learn NSX Day 8 : vDS (vSphere Distributed Switch)
Learn NSX Day 9 : Load Balancing Feature
Learn NSX Day 10 : Layer 2 Bridging
Learn NSX Day 11 : NSX EDGE
Learn NSX Day 12 : Spoof Guard
Learn NSX Day 13 : Distributed Router and Distributed Logical Firewall
Learn NSX Day 14 : Monitoring
Learn NSX Day 15 : NSX Backups
Learn NSX Day 16 : Useful Commands & Errors

 

These are notes made during my study of VMware NSX for vSphere. Apologies if any of the detail is incorrect. Hopefully posts under “Learn NSX” help others to start learning about VMware NSX for vSphere.

Learn NSX Day 11 : NSX EDGE

Features

[Screenshot: edge]

HA – Lose the primary appliance and the secondary takes over once the declared dead time has passed. Existing connections may need to reconnect.

Load balancing – Algorithms include round robin, least connections, IP hash and URI; least connections sends each new request to the pool member with the fewest active connections.

VPN – The Edge Services Gateway terminates IPsec site-to-site VPN, SSL VPN-Plus for remote users, and Layer 2 VPN, which stretches a network between sites so workloads keep their existing IPs.

Authentication – Options for SSL VPN users include local users, Active Directory, LDAP, RADIUS and RSA SecurID.

DNS – The Edge can act as a DNS relay, forwarding DNS requests from its clients to the configured DNS servers.

 


Learn NSX Day 10 : Layer 2 Bridging

The diagram below tries to display my understanding of how Layer 2 bridging might work.

[Diagram: Layer 2 Bridging]

Why

  • Extend physical services (a physical VLAN) into a VXLAN logical switch so virtual machines and physical hosts share one Layer 2 segment, for example while migrating workloads that cannot change IP address
  • Allow physical devices to use the NSX Edge gateway as a router
  • VPNs over an untrusted medium (the related Edge feature is L2 VPN, which stretches a segment between sites)

What does it require?

  • Distributed Firewall rule to allow the Layer 2 bridging traffic

    [Screenshot: layer-2-bridging]

  • A Distributed Logical Router: the bridge instance is configured on the DLR and runs on the ESXi host where the DLR control VM is active, bridging one VXLAN logical switch to one VLAN-backed distributed port group


Learn NSX Day 9 : Load Balancing Feature

EDGE Load Balancing
Networking and Security > NSX Edges > Manage > Load Balancer tab.

[Screenshot: load-balancing-edge]

Three load balancing options are available on the Global Configuration page:

  • Enable Load Balancer – turns on the Edge load balancer, which distributes client traffic across a pool of backend servers
  • Enable Service Insertion – hands load balancing to a third party vendor appliance registered with NSX
  • Acceleration Enabled – uses the faster Layer 4 (TCP) engine instead of the Layer 7 engine; Layer 7 features such as HTTP header inspection and URL rules are then not applied to accelerated virtual servers

You can also select a variety of logging options (log level for the load balancer service).

Details can be found in the VMware Documentation Centre.

 

vSphere standard switch – Load Balancing

The diagram below tries to display my understanding of vSphere standard switch load balancing. The default teaming policy, Route based on originating virtual port, assigns each virtual NIC to a physical uplink in round-robin fashion; a single VM therefore uses one uplink at a time, and traffic is only spread across uplinks across many VMs.

[Diagram: Load Balancing Feature]

 


Learn NSX Day 8 : vDS (vSphere Distributed Switch)

Switch Features

[Screenshot: vDS-versions]

 

  • Network I/O Control
  • LLDP
  • Port Mirroring

Policy Settings

  • Access Control Lists
  • LACP v2 (multiple link aggregation groups per vDS)
  • DSCP Marking

 

Configure Virtual Machine to use vDS

  • VMs – Adapter Settings

    [Screenshot: adapter-settings]

  • Migrate Virtual Machine

    [Screenshot: migrate-vm]

More information on Best Practice available in this white paper: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vsphere-distributed-switch-best-practices-white-paper.pdf


Learn NSX Day 7 : Deploying ESXi

Image Builder
Reason to use :
Pre-load the NSX VIBs into your ESXi image for an Auto Deploy solution, so hosts come up already prepared
(otherwise, prepare ESXi hosts normally through Networking & Security > Installation > Host Preparation)
A guide can be found here: How to Install VIBs on ESXi host, vmwarearena.com

Check VIBs are loaded

[Screenshot: host-prep]

Check for :
NSX VXLAN (esx-vxlan)
NSX Distributed Firewall (esx-vsip)
(from NSX 6.3 onwards both are combined into a single esx-nsxv VIB)

Where to check: on the host, esxcli software vib list; or see the example “Verify NSX VIBs Installation from ESXi hosts” at vmwarearena.com
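A checker for that VIB list, added here as an example (it is not VMware code and not from the original post). The esxcli output embedded below is a constructed sample in the format printed by esxcli software vib list, with illustrative versions and dates; on a real host you would pipe the command's output into the script. It accepts either the 6.0-6.2 pair (esx-vxlan, esx-vsip) or the single esx-nsxv VIB of 6.3 and later, and also flags a half-upgraded host where the NSX VIBs carry different versions.

```python
"""Check an ESXi host's installed VIB list for the NSX for vSphere kernel
modules. Added illustration, not NSX or VMware code: the esxcli output below
is a constructed sample in the format of `esxcli software vib list`; on a
host you would feed it the real output, for example
    ssh root@esxi 'esxcli software vib list' | python3 check_nsx_vibs.py
NSX 6.0-6.2 ship esx-vxlan (VXLAN) and esx-vsip (Distributed Firewall);
from 6.3 both live in a single esx-nsxv VIB."""
import sys

NSX_VIB_SETS = (
    {"esx-vxlan", "esx-vsip"},   # NSX-v 6.0 - 6.2
    {"esx-nsxv"},                # NSX-v 6.3 and later
)

# Constructed sample output; versions and dates are illustrative.
SAMPLE_OK = """\
Name                           Version                               Vendor  Acceptance Level  Install Date
-----------------------------  ------------------------------------  ------  ----------------  ------------
esx-base                       6.0.0-2.34.3620759                    VMware  VMwareCertified   2016-03-10
esx-vsip                       6.2.4-0.0.4292526                     VMware  VMwareCertified   2016-09-01
esx-vxlan                      6.2.4-0.0.4292526                     VMware  VMwareCertified   2016-09-01
net-vmxnet3                    1.1.3.0-3vmw.600.0.0.2494585          VMware  VMwareCertified   2016-03-10
"""

# Same host with the firewall VIB missing (e.g. host preparation failed half way).
SAMPLE_MISSING_DFW = "\n".join(
    line for line in SAMPLE_OK.splitlines() if not line.startswith("esx-vsip")
)


def parse_vib_list(output: str) -> dict:
    """Map VIB name -> version from `esxcli software vib list` text output."""
    vibs = {}
    for line in output.splitlines():
        parts = line.split()
        # Skip blank lines, the header row and the dashed separator row.
        if len(parts) < 2 or parts[0] == "Name" or set(parts[0]) == {"-"}:
            continue
        vibs[parts[0]] = parts[1]
    return vibs


def check_nsx_vibs(output: str) -> dict:
    """Report whether a complete, version-consistent NSX VIB set is installed."""
    installed = parse_vib_list(output)
    result = {"nsx_vibs": {}, "missing": [], "consistent": True, "ok": False}
    for required in NSX_VIB_SETS:
        present = {name: installed[name] for name in required if name in installed}
        if present:
            result["nsx_vibs"] = present
            result["missing"] = sorted(required - present.keys())
            # All NSX VIBs on a host must come from the same NSX build.
            result["consistent"] = len(set(present.values())) == 1
            result["ok"] = not result["missing"] and result["consistent"]
            return result
    # No NSX VIB at all: report the current single-VIB name as missing.
    result["missing"] = sorted(NSX_VIB_SETS[1])
    return result


if __name__ == "__main__":
    text = SAMPLE_OK if sys.stdin.isatty() else sys.stdin.read()
    print(check_nsx_vibs(text))
```

Run without input it checks the embedded sample; with esxcli output on stdin it checks the real host. A host that reports the VIBs but whose netcpa agent is down is still not forwarding VXLAN, so pair this with /etc/init.d/netcpad status.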

  

ESXi

  • Logs DFW decisions locally when a rule has logging enabled (/var/log/dfwpktlogs.log on the host)
  • Requires the “netcpa” agent to be running for the VXLAN tunnel endpoint (VTEP); netcpa is the control-plane agent that talks to the NSX Controller, checked with /etc/init.d/netcpad status
  • Shows the ARP and MAC tables for a given VXLAN network (esxcli network vswitch dvs vmware vxlan network arp list)

 


Learn NSX  Day 6 : NSX and Logical Switches

Replication Modes on Logical Switches

[Screenshot: logical-switch options]

BUM traffic (Broadcast, Unknown unicast and Multicast) has to be replicated to every VTEP that carries the logical switch. The replication mode, set on the transport zone and optionally overridden per logical switch, decides whether the source host, proxy hosts or the physical network do that replication.

Hybrid Mode Logical Switch

[Screenshot: broadcast]

Uses both unicast and multicast: inside the source VTEP's own IP segment the frame is sent once as a Layer 2 multicast (the top-of-rack switch needs IGMP snooping, but no PIM routing), and one unicast copy goes to a proxy VTEP (MTEP) in each remote segment, which multicasts it within its own segment.

 


Unicast Replication

[Screenshot: unicast]

Reason to use :
The opposite of multicast: complete separation of the physical and logical networks, because the physical network needs no multicast configuration at all (no PIM, no IGMP). The source VTEP sends one unicast copy to every local VTEP and one copy to a proxy VTEP (UTEP) in each remote segment, which unicasts it on to the VTEPs in its own segment. VTEPs with no VMs on the logical switch do not receive the BUM traffic, since the NSX Controller knows which VTEPs participate. This puts the most replication load on the source host but is the simplest to operate.
Configurable in the Transport Zone (VTEPs send unicast and can act as the remote proxy for their segment within the transport zone)

Multicast Replication

[Screenshot: multicast]

Reason to use :
NSX relies on Layer 2 and Layer 3 multicast in the physical network: each logical switch (VNI) is mapped to a multicast group, and a VXLAN-encapsulated multi-destination frame is sent once by the source VTEP and delivered by the fabric to all VTEPs that joined the group
(page 26)
Requires IGMP snooping on the access switches and PIM for Layer 3 multicast routing between VTEP segments; the NSX Controller is not involved in this mode
Least amount of bandwidth used on the physical network, at the cost of running multicast in the fabric
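The bandwidth trade-off between the three modes, counted out for one BUM frame. This is an added example and not NSX code or part of the original post: the VTEP table is a constructed sample (six hosts in three racks), a "segment" is taken to be the VTEP's /24, the proxy VTEP for a remote segment is chosen as the lowest host name where the NSX Controller would choose in a real deployment, and every VTEP is assumed to carry the logical switch.

```python
"""Count the frames a source VTEP emits for one BUM frame in each NSX-v
replication mode. Added illustration, not NSX code: the VTEP table is
constructed, a "segment" is assumed to be the VTEP's /24, the proxy for a
remote segment is picked as the lowest host name (the NSX Controller makes
that choice in reality), and every VTEP is assumed to carry the logical
switch, which real NSX does not require."""
from collections import defaultdict

# Constructed sample: six hosts in three racks, one VTEP IP each.
VTEPS = {
    "esx-01": "10.10.1.11", "esx-02": "10.10.1.12",                          # rack 1
    "esx-03": "10.10.2.11", "esx-04": "10.10.2.12", "esx-05": "10.10.2.13",  # rack 2
    "esx-06": "10.10.3.11",                                                  # rack 3
}


def segment_of(vtep_ip: str) -> str:
    """VTEP IP segment (assumed /24, one per rack)."""
    return vtep_ip.rsplit(".", 1)[0]


def replication_plan(source: str, vteps: dict, mode: str) -> dict:
    """Frames sent by the source VTEP and by the proxies it relies on.

    unicast   : source unicasts to every local VTEP and to one UTEP per remote
                segment; each UTEP unicasts to the rest of its segment.
    hybrid    : source multicasts once locally (IGMP snooping on the ToR, no
                PIM) and unicasts to one MTEP per remote segment; each MTEP
                multicasts once in its own segment.
    multicast : source sends one multicast frame; the physical network
                (IGMP + PIM) replicates it to every VTEP in the group.
    """
    src_seg = segment_of(vteps[source])
    by_seg = defaultdict(list)
    for host, ip in vteps.items():
        if host != source:
            by_seg[segment_of(ip)].append(host)
    local = by_seg.pop(src_seg, [])
    remote = {seg: sorted(hosts) for seg, hosts in sorted(by_seg.items())}
    proxies = [hosts[0] for hosts in remote.values()]

    if mode == "multicast":
        return {"source_unicast": 0, "source_multicast": 1,
                "proxies": [], "proxy_unicast": 0, "proxy_multicast": 0}
    if mode == "unicast":
        return {"source_unicast": len(local) + len(proxies), "source_multicast": 0,
                "proxies": proxies,
                "proxy_unicast": sum(len(h) - 1 for h in remote.values()),
                "proxy_multicast": 0}
    if mode == "hybrid":
        return {"source_unicast": len(proxies), "source_multicast": 1,
                "proxies": proxies, "proxy_unicast": 0,
                "proxy_multicast": len(proxies)}
    raise ValueError(f"unknown replication mode: {mode}")


if __name__ == "__main__":
    for mode in ("multicast", "hybrid", "unicast"):
        print(mode, replication_plan("esx-03", VTEPS, mode))
```

With esx-03 as the source, unicast mode costs four frames from the source host plus one more from the rack 1 proxy; hybrid costs one local multicast plus two unicasts to the proxies; multicast costs a single frame and pushes all the replication onto the physical network. The gap widens with the number of hosts per rack, which is why unicast mode is the one that stresses the source host's uplink.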

 

Logical Switches

Prep work :
Configure the VXLAN tunnel endpoint (VTEP) VLAN on the trunk ports of the physical switches, and raise the MTU to at least 1600 bytes end to end to carry the VXLAN encapsulation overhead

A good article on logical switching and transport zones is available on this page by Alex Hunt – Logical Switching and Transport Zones


Spine – Leaf architected networks

[Diagram: spine-leaf]

A great description by Ethan Banks below :
“In modern data centers, an alternative to the core/aggregation/access layer network topology has emerged known as leaf-spine. In a leaf-spine architecture, a series of leaf switches form the access layer. These switches are fully meshed to a series of spine switches.

Network overlays such as VXLAN are common in highly virtualized, multi-tenant environments such as those found at Infrastructure as a Service providers. Arista Networks is a proponent of layer 3 leaf-spine designs, providing switches that can also act as VXLAN Tunnel Endpoints.” By Ethan Banks

 


Learn NSX  Day 5 : NSX HA, Edge, REST API

Edge HA

[Screenshot: edge]

  • Works Active / Standby. Failover is triggered when heartbeats are missed for the declared dead time (15 seconds by default, configurable), so expect a brief interruption during the dead time rather than zero; the standby then takes over the active appliance's configuration and addresses
  • Requires two NSX Edge appliances
  • Configured within the Web Client > Networking and Security > NSX Edges > Manage > Settings > Configuration > Add Edge appliance, or when the NSX Edge is first installed

    [Screenshot: add-edge]

  • When the cluster runs DRS, NSX creates an anti-affinity rule so the two Edge VMs are placed on different ESXi hosts; without DRS, place them on separate hosts yourself, or one host failure takes both

VMware recommends:

  • Deploy the appliances to two different datastores and resource pools
  • Have a primary and a secondary appliance
  • The primary maintains the heartbeat with the secondary over an internal interface
  • Leverage vSphere HA to restart a failed appliance, which gives better NSX Edge HA

NSX Rest API

 


Learn NSX  Day 4 : NSX Roles

Security Admin
Options : “NSX Security only”
Description : Define and publish security policies (Distributed Firewall, SpoofGuard, data security), view configured policies and violation reports, create port groups; access can be limited to specific edge devices. Cannot install appliances or change the network configuration.

NSX Administrator
Options : “NSX Operations only”
Description : Install virtual appliances and configure NSX networking (logical switches, routers, edges, port groups). Cannot define security policies.

Auditor
Options : “Read Only”
Description : View configured policies and violation reports; cannot change anything.

Enterprise Admin
Options : “NSX Operations and Security”
Description : Full control: create and publish security policies, install virtual appliances, and everything the other roles can do.

Least privilege applies here as elsewhere: give network operators NSX Administrator, the security team Security Admin, and keep Enterprise Admin for the few who genuinely need both.

A good article and guide on how to assign users permissions I used was “Working with NSX – Assigning User Permissions” WAHL NETWORK

Role descriptions adapted from the VMware NSX 6 documentation

 


Learn NSX  Day 3 : NSX Manager and NSX Controller

NSX Manager

[Screenshot: NSX Manager]

The NSX Manager is the management plane: one appliance per vCenter, registered with vCenter and the Lookup Service (Manage vCenter Registration).

[Screenshot: nsx-manager-options]

Overview / Manage NSX Manager

[Screenshot: Manage NSX Manager]

Options

  • Deployment of the controller cluster
  • Logical networking (logical switches, transport zones, routing)
  • Networking and Edge services
  • Security services and partner integration (out of the box includes support for vRA, vLI, vROps, vIO, Arkin and Tufin)
  • Creates self-signed certificates (replace them with CA-signed certificates in production)
  • ESXi host preparation (pushing the NSX VIBs to clusters)
  • Extend logical networks to a new ESXi cluster
    (web client > Networking & Security > Installation > Host Preparation > Install on the new cluster)
  • Syslog and logging configuration
  • Backup and restore of NSX Manager (the NSX configuration lives here, so back it up)

NSX Controller (Control Plane)

[Screenshot: add-controller]

  • Deployed as virtual appliances, three per cluster so the cluster keeps a majority if one node fails
  • Holds the VXLAN control plane (VTEP, MAC and ARP tables); required for unicast and hybrid replication modes
  • Logically separated from the data plane: no data traffic passes through the controllers, so losing the cluster does not stop forwarding with the state hosts already have
  • Distributes the routing information learned by the Distributed Logical Router control VM to the ESXi hosts (east / west); north / south routing goes through the Edge VM
  • Supports ARP suppression, answering ARP requests from its table so fewer broadcasts cross the overlay
  • Each controller node is assigned roles (API provider, persistence server, switch manager, logical manager, directory server), elected per role across the cluster

Diagram from my notes

[Diagram: NSX Manager]

 
