
vSphere Distributed Switch

VMware Software-Defined Data Center Services

Networking Configuration
for
UNSA

Prepared by
Daniel Delgado
Consultant PSO SOLA
delgadod@vmware.com

Customer Environment Variables
Network-Related Variables
DNS Server(s) 1 ns1.unsa.edu.ar 170.210.206.20
DNS Server(s) 2 ns2.unsa.edu.ar 190.221.183.220
DNS Suffix unsa.edu.ar
NTP Server ntp1.unsa.edu.ar 170.210.206.19
Syslog Server x.x.x.x
Roles and Permissions
Active Directory Users xxx@unsa.edu.ar
Active Directory Group Virtualization-Administrators
vCenter Server Role administrator
Users/Groups with vCenter Server Role of vCloud Administrator domain\vcadministrators
NSX Manager Users Groups and Roles
vCenter User or Group Name Administrator@vsphere.local

Role Type Enterprise Administrator
(Options: Auditor / Security Administrator / NSX for vSphere Administrator / Enterprise Administrator)
(SSO Administrator rights are required to create necessary vCenter roles)

Unsa2019*

VMware:
Auditor: Users can only view system settings and auditing, events and reporting information and will not be able to make any configuration change.
Security Administrator: Users can configure security compliance policies in addition to viewing the reporting and auditing information in the system.
NSX Administrator: Users can perform all tasks related to deployment and administration of this NSX Manager instance.
Enterprise Administrator: Users can perform all tasks related to deployment and configuration of NSX products and administration of this NSX Manager instance.
vSphere Component Configuration Information
vCenter Server vCenter Server 1
vCenter Server System Type (Physical/Virtual/Appliance) Appliance
vCenter Server Version and Build Number Version 6.7.0
vCenter Server System OS Type Photon
vCenter Server System Host Name VCSA-01
vCenter Server System IP Address 172.24.100.7
vCenter Server System Subnet /24
vCenter Server System DNS 170.210.206.20, 190.221.183.220
vCenter Server System DNS Suffix unsa.edu.ar
vCenter Server System NTP 170.210.206.19
vCenter Server Admin User administrator@vsphere.local
ESXi Hosts Configuration Information

Management Cluster
Item | ESXi Management Host 1 | Management Host 2 | Management Host 3 | Management Host 4
ESXi Version | 6.0 | 6.0 | 6.0 | 6.0
ESXi Host Name | ESX-BLADE01 | ESX-BLADE02 | ESX-BLADE03 | ESX-BLADE04
ESXi Management Network IP Address | 172.28.0.51 | 172.28.0.52 | 172.28.0.53 | 172.28.0.54
ESXi Management Network Subnet | /22 | /22 | /22 | /22
ESXi Management Network Default Gateway | 172.28.1.1 | 172.28.1.1 | 172.28.1.1 | 172.28.1.1
ESXi Management Network DNS | 172.28.16.11, 172.28.16.12 | 172.28.16.11, 172.28.16.12 | 172.28.16.11, 172.28.16.12 | 172.28.16.11, 172.28.16.12
ESXi Management Network DNS Suffix | nuebobersa.net | nuebobersa.net | nuebobersa.net | nuebobersa.net
ESXi VTEP IP Address | 172.28.133.30-120 (Pool) | 172.28.133.30-120 (Pool) | 172.28.133.30-120 (Pool) | 172.28.133.30-120 (Pool)
ESXi VTEP IP Subnet | /24 | /24 | /24 | /24
ESXi VTEP Default Gateway | 172.28.133.1 | 172.28.133.1 | 172.28.133.1 | 172.28.133.1

Cluster-01
Item | ESXi Host 1 | Host 2 | Host 3 | Host 4 | Host 5 | Host 6
ESXi Version | ESXi 6.7.0 | ESXi 6.7.0 | ESXi 6.7.0 | ESXi 6.7.0 | ESXi 6.7.0 | ESXi 6.7.0
ESXi Host Name | 172.24.100.10 | 172.24.100.11 | 172.24.100.12 | 172.24.100.13 | 172.24.100.14 | 172.24.100.15
ESXi Management Network IP Address | 172.24.100.10 | 172.24.100.11 | 172.24.100.12 | 172.24.100.13 | 172.24.100.14 | 172.24.100.15
ESXi Management Network Subnet | /24 | /22 | /22 | /22 | /22 | /22
ESXi Management Network Default Gateway | 172.24.100.1 | 172.24.100.1 | 172.24.100.1 | 172.24.100.1 | 172.24.100.1 | 172.24.100.1
ESXi Management Network DNS | 170.210.206.20, 190.221.183.2 | 170.210.206.20, 190.221.183.220 | 170.210.206.20, 190.221.183.220 | 170.210.206.20, 190.221.183.220 | 170.210.206.20, 190.221.183.220 | 170.210.206.20, 190.221.183.220
ESXi Management Network DNS Suffix | unsa.edu.ar | unsa.edu.ar | unsa.edu.ar | unsa.edu.ar | unsa.edu.ar | unsa.edu.ar
ESXi VTEP IP Address | 172.20.102.10-50 (Pool) | 172.20.102.10-50 (Pool) | 172.20.102.10-50 (Pool) | 172.20.102.10-50 (Pool) | 172.20.102.10-50 (Pool) | 172.20.102.10-50 (Pool)
ESXi VTEP IP Subnet | /24 | /24 | /24 | /24 | /24 | /24
ESXi VTEP Default Gateway | 172.20.102.1 | 172.20.102.1 | 172.20.102.1 | 172.20.102.1 | 172.20.102.1 | 172.20.102.1
vCenter Inventory Configuration
Management vCenter vcsa-01
Data Center
Data Center Name Datacenter-UNAS
Cluster
Cluster Name Cluster-01
Cluster Hosts 172.24.100.10,172.24.100.11,172.24.100.12,172.24.100.13,172.24.100.14,172.24.100.15
Distributed Resource Scheduler (DRS) Yes
High Availability (HA) Yes
vSphere vMotion Yes
Distributed Power Management (DPM) No
Network Configuration

vSphere Distributed Switch
Item | dvSwitch-Admin | dxSwitch-Admin-DMZ | dvSwitch-Computo | dvSwitch-Computo-DMZ
Function | Cluster Administracion | Cluster Administracion | Cluster Computo-A / B | Cluster Computo-A / B
Number of Uplinks | 4 | 4 | 4 | 4
NIOC (Enabled/Disabled) | Disabled | Disabled | Disabled | Disabled
MTU | 1600 | 1500 | 1600 | 1500
Discovery Type (CDP/LLDP) | CDP | CDP | CDP | CDP
Discovery Operation (Listen/Advertise/Both) | Listen | Listen | Listen | Listen

dvPortgroups
vSphere Distributed Switch Name | dvPortgroup Name | Binding | Allocation | Ports | VLAN ID | Network Resource Pool | Promiscuous | MAC Changes | Forged Transmits | Load Balancing | Failover Detection | Notify Switches | Failback | Team NICs
Dswitch | ESXI | Static | Elastic | 8 | 10 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VCENTER | Static | Elastic | 8 | 10 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN100-ADMINISTRATIVA | Static | Elastic | 8 | 100 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN101-INVESTIGACION | Static | Elastic | 8 | 101 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN102-ALUMNOS | Static | Elastic | 8 | 102 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN12-Management | Static | Elastic | 8 | 12 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN15-vTEPS | Static | Elastic | 8 | 15 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN16-EDGE | Static | Elastic | 8 | 16 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN200-VIDEOCONFERENCIA | Static | Elastic | 8 | 200 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN201-SEGURIDAD | Static | Elastic | 8 | 201 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN202-VIDEOSTREAMINGLOCAL | Static | Elastic | 8 | 202 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN300-TELEFONIA | Static | Elastic | 8 | 300 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch | VLAN400-OTROS | Static | Elastic | 8 | 400 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | LAG-1
Dswitch-vSAN | vCenter-VLAN10 | Static | Elastic | 8 | 10 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | vmnic1
Dswitch-vSAN | vMOTION | Static | Elastic | 8 | 14 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | vmnic1, vmnic2
Dswitch-vSAN | vSAN | Static | Elastic | 86 | 11 | default | Reject | Reject | Reject | Port ID | Link | Yes | Yes | vmnic1, vmnic2

VMware: Load Balancing options are Port ID / IP hash / MAC hash / Failover order.
NSX Manager Configuration Information
NSX Manager Settings nsx_unsa_core
NSX Version and Build 6.4.3-Build 9927516
Host Name 172.24.100.10
Domain Name unas.edu.ar
Role Primary
General
Time Settings
NTP 170.210.206.19
Time Zone America/Argentina/Salta
Syslog Server
Syslog Server 172.24.100.53
Port 514
Protocol UDP
Locale
Locale en-US
Network
IPv4 Information
Address 172.224.100.8
Netmask 255.255.252.0
Default Gateway 72.224.100.1
DNS Servers
IPv4 DNS Servers
Primary Server ns1.unsa.edu.ar
Secondary Server ns2.unsa.edu.ar
Search Domains unsa.edu.ar
NSX for vSphere Manager Backup
Backup/Restore (Enabled/Disabled) Enabled
Server IP Address/Host Name 10.1.45.60
Transfer Protocol (FTP/SFTP) FTP
Port 21
User Name nsxadmin
Password ftppassword
Backup Directory /NSX
Filename Prefix nsx-manager01-backup
Pass Phrase <pass phrase>

NSX Manager Backup/Restore Scheduling Yes


Backup Frequency (Weekly/Daily/Hourly) Daily
Day of Week (Sun — Sat) -
Hour of day (0 — 23) 12
Minute (0/5/10/15/20/25/30/35/40/45/50/55) 30
NSX Manager Backup/Restore Exclude No
Enable Audit Logs
Enable System Events
Enable Flow Records

NSX Active Directory Service Account


Name
Group
vCenter Server Role
NSX Manager Users Groups and Roles
vCenter User or Group Name administrator@vsphere.local
Role Type Enterprise Administrator
(Options: Auditor / Security Administrator / NSX for vSphere Administrator / Enterprise Administrator)
NSX Management Service
vCenter Server 172.24.100.7:443
vCenter User Name administrator@vsphere.local
NSX Lookup Service
Lookup Service IP/FQDN 172.24.100.7:443/lookupservice/sdk
Lookup Service Port 443
SSO Administrator User Name administrator@vsphere.local

General
Web Access
User Name admin
Password VMware1!

User Name admin
Password VMware1!
Password VMware1!
VXLAN Configuration
Host Preparation (VXLAN Network) Cluster 1
Cluster Name Administracion
Pool Name VTEP_Pool
Switch Dswitch
VLAN 15
MTU 1600
VMkernel NIC IP Address (DHCP/IP Pool) IP Pool
IP Pool 172.20.102.10-50
Teaming Policy (LACP/STATIC/Failover) Failover
VTEP 1
IP Pools Pool 1
Pool Name Controllers_Pool
Gateway 172.24.100.1
Network Prefix 24
DNS Servers (Not Required) 170.210.206.20, 190.221.183.220
DNS Suffix (Not Required) unas.edu.ar
Static IP Pool range 172.24.100.40-42

NSX Controller Nodes


NSX Controller Controller 1
NSX Manager nsx_unsa_core
Data Center Datacenter-UNAS
Cluster/Resource Pool Cluster-01
Datastore vSAN
Connect Network (Port Group) ESXi
IP Pool Name NSX-Controllers
Logical Network Preparation
NSX Manager NSX Manager 1
NSX Manager Hostname nsx_unsa_core
Local Segment ID
Segment ID Pool 5000-9999
Enable Multicast Addressing (Enabled/Disabled) Disabled
Multicast Addressing -
Transport Zones
Zone Name Local Transport Zone
Control Plane Mode (Multicast/Unicast/Hybrid) Unicast
Mark this object for Universal Synchronization Yes
Connect Clusters Cluster-01

Logical Switch Configuration

Logical Switches
Item | Local_Transit_Network_172.24.200.0/28 | LS_HA_EDGE | LS_HA_DLR | LS_Test_172.24.210.0/28 | LS_FrontEnd_172.24.x.x/24 | LS_BackEnd_172.24.x.x/24
Transport Zone | Local Transport Zone | Local Transport Zone | Local Transport Zone | Local Transport Zone | Local Transport Zone | Local Transport Zone
Control Plane Mode | Unicast | Unicast | Unicast | Unicast | Unicast | Unicast
Enable IP Discovery | Yes | Yes | Yes | Yes | Yes | Yes
Enable MAC Learning | No | No | No | No | No | No

Add VMs
Logical Switch Name | VM Name | vNIC
Web-Tier-01 | web-sv-01a | Network adapter 1
Web-Tier-01 | web-sv-02a | Network adapter 1
Web-Tier-01 | web-sv-03a | Network adapter 1
Web-Tier-01 | web-sv-04a | Network adapter 1
App-Tier-01 | app-sv-01a | Network adapter 1
App-Tier-01 | app-sv-02a | Network adapter 1
DB-Tier-01 | db-sv-01a | Network adapter 1
DB-Tier-01 | db-sv-02a | Network adapter 1
NSX Edge Distributed Logical Router Configuration

Distributed Logical Router Router 1
DLR Name nsxdlr_unsa_01
Install Type Logical Router
Enable Local Egress (Enabled/Disabled) Disabled
Deploy Edge Appliance (Enabled/Disabled) Enabled
Enable High Availability (Enabled/Disabled) Enabled
Host Name (Not Required) nsxedge_up_unsa_01
CLI credentials User Name admin/VMware1!VMware1!
Enable SSH access (Enabled/Disabled) Enabled
Data Center Datacenter-UNSA
Cluster/Resource Pool Cluster-01
Datastore vsan
Host (Not Required)
Folder (Not Required) NSX
HA Interface Port Group LS_HA_DLR

DLR Interface Settings
vNIC Number 2
Name Transit Uplink
Type (Internal/Uplink) Uplink
Type of Network (Distributed Port Group/Logical Switch) Logical Switch
Connect Network Local_Transit_Network_172.24.200.0/28
Connectivity Status (Connected/Disconnected) Connected
IP Address 172.24.200.1
Subnet /28

DLR Interface Settings
vNIC Number 10
Name VXLAN TEST NSX_172.28.251.0/27
Type (Internal/Uplink) Internal
Type of Network (Distributed Port Group/Logical Switch) Logical Switch
Connect Network TEST NSX_5001_172.28.251.0/27
Connectivity Status (Connected/Disconnected) Connected
IP Address 172.28.251.1
Subnet /27

DLR Interface Settings
vNIC Number 2
Name Local-Transit-DLR-EDGE
Type (Internal/Uplink) Uplink
Type of Network (Distributed Port Group/Logical Switch) Logical Switch
Connect Network Local-Transit-01 172.28.251.32/27
Connectivity Status (Connected/Disconnected) Connected
IP Address 172.28.251.33
Subnet /27

DLR Interface Settings
vNIC Number 12
Name DB Interface
Type (Internal/Uplink) Internal
Type of Network (Distributed Port Group/Logical Switch) Logical Switch
Connect Network Universal-DB-Tier-01
Connectivity Status (Connected/Disconnected) Connected
IP Address 172.16.12.1
Subnet /24

DLR Routing Global Configuration - Default Gateway
Default Gateway Disabled
vNIC
Gateway IP
MTU

DLR Routing Global Configuration - Dynamic Routing Configuration
Dynamic Routing Configuration Enabled
Router ID Transit Uplink - 192.168.10.2
Enable OSPF Yes
Enable BGP No
Enable Logging No
Log Level INFO

DLR Routing - Static Routing Settings
Static Routing Enabled
Interface
Network (CIDR) 172.28.251.32
Next Hop 172.28.251.32
MTU

DLR Routing - OSPF Configuration
OSPF Enabled
Protocol Address 192.168.10.3
Forwarding Address 192.168.10.2
Graceful Restart (Enabled/Disabled) Enabled
Enable Default Originate (Enabled/Disabled) Disabled

DLR Routing - OSPF Areas Definition
Area ID 10
Type (Normal/NSSA) Normal
Authentication (None/Password/MD5) None
Value

DLR Routing - Area to Interface Mapping
Interface Transit Uplink
Area 10
Ignore Interface MTU settings (Enabled/Disabled) Disabled
Hello Interval 3
Dead Interval 10
Priority 128
Cost 1

DLR Routing - BGP Configuration
Local AS Disabled
Neighbor - IP Address
Neighbor - Remote AS
Weight
Keep Alive Timer (seconds)
Hold Down Time (seconds)

DLR Routing - Route Redistribution
Route Redistribution Enabled
Enable OSPF Yes
Enable BGP No
Prefix Name Any
Prefix IP/Network -
Redistribution criteria - Prefix Name Any
Redistribution criteria - Learner Protocol OSPF
Redistribution criteria - Allow Learning OSPF Yes
Redistribution criteria - Allow Learning BGP No
Redistribution criteria - Allow Learning Static Routes Yes
Redistribution criteria - Allow Learning Connected Yes
Redistribution criteria - Action (Permit/Deny) Permit

DLR Services – Bridging
Bridging Disabled
Bridge ID
Control VM Instance
Name
Logical Switches
dvPortgroup
NSX Edge Services Gateway Configuration
Edge Services Gateways Edge 1
NSX Edge Name nsxedge_unsa_01_R
Enable High Availability (Enabled/Disabled) Enabled
Host Name (Not Required) nsxedge_up_unsa_01
CLI credentials User Name admin / VMware1!VMware1!
Enable SSH Access (Enabled/Disabled) Enabled
Data Center Datacenter-UNSA
Appliance Size (Compact/Large/Quad Large/X-Large) Large
Enable Auto Rule Generation (Enabled/Disabled) Enabled
VMware: Automatically generate service rules to allow flow of control traffic.
Cluster/Resource Pool Cluster-01
Datastore vsan
Host (Not Required)
Folder (Not Required) NSX
Default Gateway vNIC
Default Gateway IP
Default Gateway MTU (Not Required)
Configure Firewall default Policy (Enabled/Disabled) Disabled
Default Traffic Policy (Accept/Deny) Disable / Accept
Logging (Enable/Disable) Disable
Edge Services Gateway Interface Settings
vNIC Number 0
Name Transit Uplink
Type (Internal/Uplink/Trunk) Internal
Type of Network (Distributed Port Group/Logical Switch) Logical Switch
Connect Network Local_Transit_Network_172.24.200.0/28
Connectivity Status (Connected/Disconnected) Connected
IP Address 172.24.200.2
Subnet /28
MAC Address (Not Required)
MTU 1500
Enable Proxy ARP (Enabled/Disabled) Disabled
Send ICMP Redirect (Enable/Disabled) Enabled
Edge Services Gateway Interface Settings
vNIC Number 1
Name HQ Uplink B
Type (Internal/Uplink/Trunk) Uplink
Type of Network (Distributed Port Group/Logical Switch) Distributed Port Group
Connect Network Edge_VDS-HQ Uplink B
Connectivity Status (Connected/Disconnected) Connected
IP Address 192.168.101.5
Subnet /24
MAC Address (Not Required)
MTU 1500
Enable Proxy ARP (Enabled/Disabled) Disabled
Send ICMP Redirect (Enable/Disabled) Enabled
Edge Services Gateway Interface Settings
vNIC Number 2
Name Transit-Internal-01
Type (Internal/Uplink/Trunk) Internal
Type of Network (Distributed Port Group/Logical Switch) Logical Switch
Connect Network Transit-Network-01
Connectivity Status (Connected/Disconnected) Connected
IP Address *192.168.10.5
Subnet /28
MAC Address (Not Required)
MTU 1500
Enable Proxy ARP (Enabled/Disabled) Disabled
Send ICMP Redirect (Enable/Disabled) Enabled

Edge Services Gateway - Default Gateway
Default Gateway Disabled
vNIC
Gateway IP
MTU
Edge Services Gateway - General Routing Settings
Dynamic Routing Configuration Enabled
Router ID HQ Uplink A - 192.168.100.5
Enable OSPF Yes
Enable BGP No
Enable Logging No
Log Level INFO
Edge Services Gateway - Static Routing Settings
Static Routing Enabled
Interface HQ Uplink A
Network (CIDR) 172.16.10.0/16
Next Hop 192.168.10.2
MTU 1500
Edge Services Gateway - OSPF Configuration
OSPF Enabled
Graceful Restart (Enabled/Disabled) Disabled
Enable Default Originate (Enabled/Disabled) Disabled
Edge Services Gateway - OSPF Areas Definition
Area ID 10
Type (Normal/NSSA) Normal
Authentication (None/Password/MD5) None
Value
Edge Services Gateway - Area to Interface Mapping
Interface HQ Uplink A
Area 10
Ignore Interface MTU settings (Enabled/Disabled) Disabled
Hello Interval 3
Dead Interval 10
Priority 128
Cost 1
Edge Services Gateway - Area to Interface Mapping
Interface Universal-Transit-Network-01
Area 10
Ignore Interface MTU settings (Enabled/Disabled) Disabled
Hello Interval 3
Dead Interval 10
Priority 128
Cost 1
Edge Services Gateway - BGP Configuration
Local AS Disabled
Neighbor - IP Address
Neighbor - Remote AS
Weight
Keep Alive Timer (seconds)
Hold Down Time (seconds)
Edge Services Gateway - Route Redistribution
Route Redistribution Enabled
Enable OSPF Yes
Enable BGP No
Prefix Name Any
Prefix IP/Network -
Redistribution criteria - Prefix Name Any
Redistribution criteria - Learner Protocol OSPF
Redistribution criteria - Allow Learning OSPF Yes
Redistribution criteria - Allow Learning BGP No
Redistribution criteria - Allow Learning Static Routes Yes
Redistribution criteria - Allow Learning Connected Yes
Redistribution criteria - Action (Permit/Deny) Permit

Edge Services Gateway – Firewall


Firewall Enabled: No (web servers are on same logical switch)
Number 1
Source (VMs/Security Groups/etc.) web-sv-01a
Destination (VMs/Security Group/etc.) web-sv-02a
Service any
Action: (Accept/Deny) Deny
Enable logging Yes
Edge Services Gateway – DHCP
DHCP Enabled
Logging Enabled No
Log Level INFO
Auto Configure DNS (Enabled/Disabled) Disabled
Lease Never Expires (Enabled/Disabled) Disabled
Start IP 1.1.1.200
End IP 1.1.1.225
Domain Name (Not Required)
Primary Name Server (Not Required)
Secondary Name Server (Not Required)
Default Gateway (Not Required) 1.1.1.254
Lease Time 86400

DHCP Binding Setting No
Interface
VM Name
VM vNIC Index
Host Name
IP Address

DHCP Relay No
IP Sets
IP Addresses
Domain Names

DHCP Relay Agent #1
vNIC
Gateway IP Address
DHCP Relay Agent #2
vNIC
Gateway IP Address
Edge Services Gateway – NAT
Order
DNAT Enabled No
Applied On
Original IP/Range (External)
Protocol (Not Required)
Original Port/Range (Not Required)
Translated IP/Range (Internal)
Translated Port/Range (Not Required)
Enable logging

Order
SNAT Enabled No
Applied on
Original source IP/range (Internal)
Translated source IP/range (External)
Enable logging
Edge Services Gateway – Load Balancer
Enable Load Balancer No
Enable Service Insertion No
Acceleration Enabled No
Enable Logging No
Log Level Info

Application Profile Disabled


Name
Type (TCP/HTTP/HTTPS)
Enable SSL Pass-Through (HTTPS Only)
HTTP Redirect URL
Persistence (Cookie/Source IP)
Cookie Name
Mode (Insert/Prefix/App Session)
Enable Insert X-Forwarded-For-HTTP header (HTTP/HTTPS)
Enable Pool Side SSL (HTTPS Only)
Certificates

Pool Disabled
Name
Algorithm (ROUND-ROBIN/IP-HASH/LEASTCONN/URI)
Monitors (NONE/TCP/HTTP/HTTPS/Custom)
Members (IP Address, Port)
Enable Transparent

Virtual Server Disabled


Name
IP Address
Protocol (TCP/HTTP/HTTPS)
Port
Default Pool
Application Profile
Connection Limit
Connection Rate Limit (CPS)
Edge Services Gateway – VPN (IPsec)
Enabled IPsec VPN Disabled
Name
Local ID
Local Endpoint
Local Subnets
Peer ID
Peer Endpoint
Peer Subnets
Encryption Algorithm (AES/AES256/Triple DES/AES-GCM)
Authentication (PSK/Certificate)
Pre-Shared Key
Diffie-Hellman Group (DH2/DH5)
Enable Perfect Forward Secrecy (PFS)
Edge Services Gateway – VPN (L2)
Server Disabled
Listener IP
Listener Port
Encryption Algorithm
Internal Interface
User ID
Certificate (You Can Use System Generated)

Client Disabled
Server Address
Server Port
Internal Interface
User ID
Enable Secure Proxy
Secure Proxy Address
Secure Proxy Port
CA Certificate (You Can Validate Server Certificate)
Edge Services Gateway – VPN (SSL VPN-Plus)
Enabled No
Security Groups
Name | Dynamic Membership Criteria | Objects to Include | Objects to Exclude
Infra-DNS-Servers | None | <Infrastructure DNS Servers> |
Infra-DHCP-Servers | None | <Infrastructure DHCP Servers> |
Infra-SMTP-Servers | None | <Infrastructure SMTP Servers> |
Infra-NTP-Servers | None | <Infrastructure NTP Servers> |
Infra-ActiveDirectory-Servers | None | <Infrastructure Active Directory Servers> |
Infra-Backup-Servers | None | <Infrastructure Backup Servers> |
Infra-AntiVirus-Servers | None | <Infrastructure AntiVirus Servers> |
Infra-Monitoring-Servers | None | <Infrastructure Monitoring Servers> |
VDI-Admin-Group | None | <AD Admin Group> |
VDI-Finance-Group | None | <AD Finance Group> |
VDI-Marketing-Group | None | <AD Marketing Group> |
Distributed Firewall Configuration

General Rules
Section Name | Rule Name | Source | Destination | Service | Action | Applied To | Log
Infrastructure Services | DNS Service | Any | Infra-DNS-Servers | DNS (TCP: 53), DNS-UDP (UDP: 53) | Allow/Deny | Any | Log
Infrastructure Services | DHCP Service | Any | Infra-DHCP-Servers | DHCP (UDP 67) | Allow/Deny | Any | Log
Infrastructure Services | SMTP | <Source-IP> | Infra-SMTP-Servers | SMTP (TCP: 25) | Allow/Deny | Any | Log
Infrastructure Services | Default NTP Inbound | *any | Infra-NTP-Servers | NTP Time Server (UDP: 123) | Allow/Deny | Any | Log
Infrastructure Services | Default NTP Outbound | Infra-NTP-Servers | *any | NTP Time Server (UDP: 123) | Allow/Deny | Any | Log
Infrastructure Services | SSH from all or specific subnets | Source IP | Destination IP | SSH (TCP 22) | Allow/Deny | Any | Log
Infrastructure Services | HTTP/HTTPS Access | Source IP | Destination IP | HTTP/HTTPS | Allow/Deny | Any | Log
Infrastructure Services | RDP Access | Source IP/Subnets | Destination IP | TCP/UDP 3389 | Allow/Deny | Any | Log
Infrastructure Services | Access to Active Directory/LDAP Servers | Source IP | Infra-ActiveDirectory-Servers | AD Server (TCP: 464) (UDP: 464), LDAP (TCP: 389) (UDP: 389), LDAP-over-SSL (TCP: 636) (UDP: 636) | Allow/Deny | Any | Log
Infrastructure Services | Backups Inbound | Source IP | Infra-Backup-Servers | <specific ports> or any | Allow/Deny | Any | Log
Infrastructure Services | Backups Outbound | Infra-Backup-Servers | Destination IP | *any | Allow/Deny | Any | Log
Infrastructure Services | Vulnerability Scanners | Source IP | Infra-AntiVirus-Servers | *any | Allow/Deny | Any | Log
Infrastructure Services | Monitoring Servers | Infra-Monitoring-Servers | Destination IP | *any | Allow/Deny | Any | Log
Infrastructure Services | Temporary rule for clientFTP | *any | Define Destination IP's | *any | Allow/Deny | Any | Log
Infrastructure Services | Temporary rule for clientFTP | Define Source IP Addresses | *any | *any | Allow/Deny | Any | Log
Infrastructure Services | Default Ping Rule | *any | *any | ICMP Destination Unreachable, ICMP Echo, ICMP Echo Reply, ICMP Redirect | Allow/Deny | Any | Do Not Log
3-Tier App Inter-Tier Communications | External to Web-Tier | Any | SG-Web-01 | HTTP | Allow | Distributed Firewall | Log
3-Tier App Inter-Tier Communications | Web-Tier to App-Tier Virtual IP | SG-Web-01 | 172.16.1.6 | HTTP | Allow | Distributed Firewall | Log
3-Tier App Inter-Tier Communications | LB to App-Tier | 172.16.1.1 | SG-App-01 | HTTP | Allow | Distributed Firewall | Log
3-Tier App Inter-Tier Communications | App-Tier to DB-Tier | SG-App-01 | SG-DB-01 | MySQL | Allow | Distributed Firewall | Log
3-Tier App Intra-Tier Communications | Intra-Web-Tier Traffic | SG-Web-01 | SG-Web-01 | ICMP Echo, ICMP Echo Reply | Allow | Distributed Firewall | Log
3-Tier App Intra-Tier Communications | Intra-App-Tier Traffic | SG-App-01 | SG-App-01 | ICMP Echo, ICMP Echo Reply | Allow | Distributed Firewall | Log
Default Section Layer3 | Default Rule NDP | Any | Any | IPv6-ICMP Neighbor Solicitation, IPv6-ICMP Neighbor Advertisement | Allow | Any | Do Not Log
Default Section Layer3 | Default Rule DHCP | Any | Any | DHCP-Server, DHCP-Client | Allow | Any | Do Not Log
Default Section Layer3 | Default Rule | Any | Any | Any | Deny | Any | Log

Ethernet Rules
Section Name | Rule Name | Source | Destination | Service | Action | Applied To | Log
Default Section Layer2 | - | - | - | - | - | - | -
SpoofGuard Configuration
Rules
Policy Name | Enabled/Disabled | Operation Mode | Allow Local Address | Network (Port Group/dvPortgroup/Logical Switch)
Default Policy | Disabled | | |

VMware (Operation Mode): Automatically trust IP assignments on their first use / Manually inspect and approve all IP assignments before use.
VMware (Allow Local Address): Allow local address (169.254.0.0/16) as valid address in this namespace.
