UNSA NSX Configuration Workbook 190404
UNSA
Prepared by
Daniel Delgado
Consultant PSO SOLA
delgadod@vmware.com
Role Type
Auditor Enterprise Administrator V
Security Administrator A
NSX for vSphere Administrator S
Enterprise Administrator N
E
(SSO Administrator rights are required to create necessary vCenter roles)
Unsa2019*
VMware:
Auditor: Users can only view system settings and auditing, events and reporting information and will not be able to make any configuration change.
Security Administrator: Users can configure security compliance policies in addition to viewing the reporting and auditing information in the system.
NSX Administrator: Users can perform all tasks related to deployment and administration of this NSX Manager instance.
Enterprise Administrator: Users can perform all tasks related to deployment and configuration of NSX products and administration of this NSX Manager instance.
vSphere Component Configuration Information
vCenter Server vCenter Server 1
vCenter Server System Type (Physical/Virtual/Appliance) Appliance
vCenter Server Version and Build Number Version 6.7.0
vCenter Server System OS Type Photon
vCenter Server System Host Name VCSA-01
vCenter Server System IP Address 172.24.100.7
vCenter Server System Subnet /24
vCenter Server System DNS 170.210.206.20, 190.221.183.220
vCenter Server System DNS Suffix unsa.edu.ar
vCenter Server System NTP 170.210.206.19
vCenter Server Admin User administrator@vsphere.local
ESXi Hosts Configuration Information

Management Cluster
Host | ESXi Version | Host Name | Management IP Address | Management Subnet | Management Default Gateway | Management DNS | DNS Suffix | VTEP IP Address | VTEP Subnet | VTEP Default Gateway
Management Host 1 | 6.0 | ESX-BLADE01 | 172.28.0.51 | /22 | 172.28.1.1 | 172.28.16.11, 172.28.16.12 | nuebobersa.net | 172.28.133.30-120 (Pool) | /24 | 172.28.133.1
Management Host 2 | 6.0 | ESX-BLADE02 | 172.28.0.52 | /22 | 172.28.1.1 | 172.28.16.11, 172.28.16.12 | nuebobersa.net | 172.28.133.30-120 (Pool) | /24 | 172.28.133.1
Management Host 3 | 6.0 | ESX-BLADE03 | 172.28.0.53 | /22 | 172.28.1.1 | 172.28.16.11, 172.28.16.12 | nuebobersa.net | 172.28.133.30-120 (Pool) | /24 | 172.28.133.1
Management Host 4 | 6.0 | ESX-BLADE04 | 172.28.0.54 | /22 | 172.28.1.1 | 172.28.16.11, 172.28.16.12 | nuebobersa.net | 172.28.133.30-120 (Pool) | /24 | 172.28.133.1

Cluster-01
Host | ESXi Version | Host Name | Management IP Address | Management Subnet | Management Default Gateway | Management DNS | DNS Suffix | VTEP IP Address | VTEP Subnet | VTEP Default Gateway
Host 1 | ESXi 6.7.0 | 172.24.100.10 | 172.24.100.10 | /24 | 172.24.100.1 | 170.210.206.20, 190.221.183.220 | unsa.edu.ar | 172.20.102.10-50 (Pool) | /24 | 172.20.102.1
Host 2 | ESXi 6.7.0 | 172.24.100.11 | 172.24.100.11 | /22 | 172.24.100.1 | 170.210.206.20, 190.221.183.220 | unsa.edu.ar | 172.20.102.10-50 (Pool) | /24 | 172.20.102.1
Host 3 | ESXi 6.7.0 | 172.24.100.12 | 172.24.100.12 | /22 | 172.24.100.1 | 170.210.206.20, 190.221.183.220 | unsa.edu.ar | 172.20.102.10-50 (Pool) | /24 | 172.20.102.1
Host 4 | ESXi 6.7.0 | 172.24.100.13 | 172.24.100.13 | /22 | 172.24.100.1 | 170.210.206.20, 190.221.183.220 | unsa.edu.ar | 172.20.102.10-50 (Pool) | /24 | 172.20.102.1
Host 5 | ESXi 6.7.0 | 172.24.100.14 | 172.24.100.14 | /22 | 172.24.100.1 | 170.210.206.20, 190.221.183.220 | unsa.edu.ar | 172.20.102.10-50 (Pool) | /24 | 172.20.102.1
Host 6 | ESXi 6.7.0 | 172.24.100.15 | 172.24.100.15 | /22 | 172.24.100.1 | 170.210.206.20, 190.221.183.220 | unsa.edu.ar | 172.20.102.10-50 (Pool) | /24 | 172.20.102.1
vCenter Inventory Configuration
Management vCenter vcsa-01
Data Center Name Datacenter-UNSA
Cluster Name Cluster-01
Cluster Hosts 172.24.100.10, 172.24.100.11, 172.24.100.12, 172.24.100.13, 172.24.100.14, 172.24.100.15
Distributed Resource Scheduler (DRS) Yes
High Availability (HA) Yes
vSphere vMotion Yes
Distributed Power Management (DPM) No
Network Configuration

vSphere Distributed Switches
vSphere Distributed Switch Name | Function | Number of Uplinks | NIOC (Enabled/Disabled) | MTU | Discovery Type (CDP/LLDP) | Discovery Operation (Listen/Advertise/Both)
dvSwitch-Admin | Cluster Administracion | 4 | Disabled | 1600 | CDP | Listen
dvSwitch-Admin-DMZ | Cluster Administracion | 4 | Disabled | 1500 | CDP | Listen
dvSwitch-Computo | Cluster Computo-A / B | 4 | Disabled | 1600 | CDP | Listen
dvSwitch-Computo-DMZ | Cluster Computo-A / B | 4 | Disabled | 1500 | CDP | Listen

dvPortgroups
vSphere Distributed Switch Name | dvPortgroup Name | Binding | Allocation | Ports | VLAN ID | Network Resource Pool (Network I/O Control)
Dswitch | ESXI | Static | Elastic | 8 | 10 | default
Dswitch | VCENTER | Static | Elastic | 8 | 10 | default
Dswitch | VLAN100-ADMINISTRATIVA | Static | Elastic | 8 | 100 | default
Dswitch | VLAN101-INVESTIGACION | Static | Elastic | 8 | 101 | default
Dswitch | VLAN102-ALUMNOS | Static | Elastic | 8 | 102 | default
Dswitch | VLAN12-Management | Static | Elastic | 8 | 12 | default
Dswitch | VLAN15-vTEPS | Static | Elastic | 8 | 15 | default
Dswitch | VLAN16-EDGE | Static | Elastic | 8 | 16 | default
Dswitch | VLAN200-VIDEOCONFERENCIA | Static | Elastic | 8 | 200 | default
Dswitch | VLAN201-SEGURIDAD | Static | Elastic | 8 | 201 | default
Dswitch | VLAN202-VIDEOSTREAMINGLOCAL | Static | Elastic | 8 | 202 | default
Dswitch | VLAN300-TELEFONIA | Static | Elastic | 8 | 300 | default
Dswitch | VLAN400-OTROS | Static | Elastic | 8 | 400 | default
Dswitch | vCenter-VLAN10 | Static | Elastic | 8 | 10 | default
Dswitch-vSAN | vMOTION | Static | Elastic | 8 | 14 | default
Dswitch-vSAN | vSAN | Static | Elastic | 86 | 11 | default
VMware note (teaming and load balancing options): Port ID / IP hash / MAC hash / Failover order
General
Web Access
User Name admin
Password VMware1!
Password VMware1!
170.210.206.20
190.221.183.220
upservice/sdk
VXLAN Configuration
Host Preparation (VXLAN Network) Cluster 1
Cluster Name Administracion
Pool Name VTEP_Pool
Switch Dswitch
VLAN 15
MTU 1600
VMkernel NIC IP Address (DHCP/IP Pool) IP Pool
IP Pool 172.20.102.10-50
Teaming Policy (LACP/STATIC/Failover) Failover
VTEP 1
IP Pools Pool 1
Pool Name Controllers_Pool
Gateway 172.24.100.1
Network Prefix 24
DNS Servers (Not Required) 170.210.206.20, 190.221.183.220
DNS Suffix (Not Required) unsa.edu.ar
Static IP Pool range 172.24.100.40-42
Logical Switches
Logical Switch | Transport Zone | Replication Mode | (unlabelled setting, Yes/No) | (unlabelled setting, Yes/No)
App-Tier-01 | | | |
DB-Tier-01 | | | |
LS_HA_EDGE | Local Transport Zone | Unicast | Yes | No
LS_HA_DLR | Local Transport Zone | Unicast | Yes | No
LS_Test_172.24.210.0/28 | Local Transport Zone | Unicast | Yes | No
LS_FrontEnd_172.24.x.x/24 | Local Transport Zone | Unicast | Yes | No
LS_BackEnd_172.24.x.x/24 | Local Transport Zone | Unicast | Yes | No

Connected Virtual Machines
VM Name | vNIC
web-sv-01a | Network adapter 1
web-sv-02a | Network adapter 1
web-sv-03a | Network adapter 1
web-sv-04a | Network adapter 1
app-sv-01a | Network adapter 1
app-sv-02a | Network adapter 1
db-sv-01a | Network adapter 1
db-sv-02a | Network adapter 1
NSX Edge Distributed Logical Router Configuration
Distributed Logical Router
DLR Name
Install Type
Enable Local Egress (Enabled/Disabled)
Deploy Edge Appliance (Enabled/Disabled)
Enable High Availability (Enabled/Disabled)
Host Name (Not Required)
CLI credentials User Name
Enable SSH access (Enabled/Disabled)
Data Center
Cluster/Resource Pool
Datastore
Host (Not Required)
Folder (Not Required) NSX
HA Interface Port Group LS_HA_DLR

DLR Interface Settings
vNIC Number | Name | Type (Internal/Uplink) | Type of Network (Distributed Port Group/Logical Switch) | Connect Network | Connectivity Status (Connected/Disconnected) | IP Address | Subnet
2 | Transit Uplink | Uplink | Logical Switch | Local_Transit_Network_172.24.200.0/28 | Connected | 172.24.200.1 | /28
10 | VXLAN TEST NSX_172.28.251.0/27 | Internal | Logical Switch | TEST NSX_5001_172.28.251.0/27 | Connected | 172.28.251.1 | /27
2 | Local-Transit-DLR-EDGE | Uplink | Logical Switch | Local-Transit-01 172.28.251.32/27 | Connected | 172.28.251.33 | /27
12 | DB Interface | Internal | Logical Switch | Universal-DB-Tier-01 | Connected | 172.16.12.1 | /24
Disabled
Enabled
Transit Uplink - 192.168.10.2
Yes
No
No
INFO
Enabled
172.28.251.32 172.28.251.32
Enabled
192.168.10.3
192.168.10.2
Enabled
Disabled
10
Normal
None
Transit Uplink
10
Disabled
3
10
128
1
Disabled
Enabled
Yes
No
Any
-
Any
OSPF
Yes
No
Yes
Yes
Permit
Disabled
Router 1
NSX Edge Services Gateway Configuration
Edge Services Gateways Edge 1
NSX Edge Name nsxedge_unsa_01_R
Enable High Availability (Enabled/Disabled) Enabled
Host Name (Not Required) nsxedge_up_unsa_01
CLI credentials User Name admin / VMware1!VMware1!
Enable SSH Access (Enabled/Disabled) Enabled
Data Center Datacenter-UNSA
Appliance Size (Compact/Large/Quad Large/X-Large) Large
Enable Auto Rule Generation (Enabled/Disabled) Enabled
Cluster/Resource Pool Cluster-01
Datastore vsan
Host (Not Required)
Folder (Not Required) NSX
VMware note (auto rule generation): Automatically generate service rules to allow flow of control traffic.
Default Gateway vNIC
Default Gateway IP
Default Gateway MTU (Not Required)
Configure Firewall default Policy (Enabled/Disabled) Disabled
Default Traffic Policy (Accept/Deny) Disable
Accept
Logging (Enable/Disable) Disable
Edge Services Gateway Interface Settings
vNIC Number 0
Name Transit Uplink
Type (Internal/Uplink/Trunk) Internal
Type of Network (Distributed Port Group/Logical Switch) Logical Switch
Connect Network Local_Transit_Network_172.24.200.0/28
Connectivity Status (Connected/Disconnected) Connected
IP Address 172.24.200.2
Subnet /28
MAC Address (Not Required)
MTU 1500
Enable Proxy ARP (Enabled/Disabled) Disabled
Send ICMP Redirect (Enable/Disabled) Enabled
Edge Services Gateway Interface Settings
vNIC Number 1
Name HQ Uplink B
Type (Internal/Uplink/Trunk) Uplink
Type of Network (Distributed Port Group/Logical Switch) Distributed Port Group
Connect Network Edge_VDS-HQ Uplink B
Connectivity Status (Connected/Disconnected) Connected
IP Address 192.168.101.5
Subnet /24
MAC Address (Not Required)
MTU 1500
Enable Proxy ARP (Enabled/Disabled) Disabled
Send ICMP Redirect (Enable/Disabled) Enabled
Edge Services Gateway Interface Settings
vNIC Number 2
Name Transit-Internal-01
Type (Internal/Uplink/Trunk) Internal
Type of Network (Distributed Port Group/Logical Switch) Logical Switch
Connect Network Transit-Network-01
Connectivity Status (Connected/Disconnected) Connected
IP Address *192.168.10.5
Subnet /28
MAC Address (Not Required)
MTU 1500
Enable Proxy ARP (Enabled/Disabled) Disabled
Send ICMP Redirect (Enable/Disabled) Enabled
DHCP Relay No
IP Sets
IP Addresses
Domain Names
Order
SNAT Enabled No
Applied on
Original source IP/range (Internal)
Translated source IP/range (External)
Enable logging
Edge Services Gateway – Load Balancer
Enable Load Balancer No
Enable Service Insertion No
Acceleration Enabled No
Enable Logging No
Log Level Info
Pool Disabled
Name
Algorithm (ROUND-ROBIN/IP-HASH/LEASTCONN/URI)
Monitors (NONE/TCP/HTTP/HTTPS/Custom)
Members (IP Address, Port)
Enable Transparent
Client Disabled
Server Address
Server Port
Internal Interface
User ID
Enable Secure Proxy
Secure Proxy Address
Secure Proxy Port
CA Certificate (You Can Validate Server Certificate)
Edge Services Gateway – VPN (SSL VPN-Plus)
Enabled No
Edge 2 / Edge 3 / Edge 4
VMware note (auto rule generation): Automatically generate service rules to allow flow of control traffic.
Security Groups
Name | Dynamic Membership Criteria | Objects to Include | Objects to Exclude
Infra-DNS-Servers | None | <Infrastructure DNS Servers> |
Infra-DHCP-Servers | None | <Infrastructure DHCP Servers> |
Infra-SMTP-Servers | None | <Infrastructure SMTP Servers> |
Infra-NTP-Servers | None | <Infrastructure NTP Servers> |
Infra-ActiveDirectory-Servers | None | <Infrastructure Active Directory Servers> |
Infra-Backup-Servers | None | <Infrastructure Backup Servers> |
Infra-AntiVirus-Servers | None | <Infrastructure AntiVirus Servers> |
Infra-Monitoring-Servers | None | <Infrastructure Monitoring Servers> |
VDI-Admin-Group | None | <AD Admin Group> |
VDI-Finance-Group | None | <AD Finance Group> |
VDI-Marketing-Group | None | <AD Marketing Group> |
Distributed Firewall Configuration

General Rules
Section Name
DHCP Service
SMTP
Default NTP Inbound
Default NTP Outbound
SSH from all or specific subnets
HTTP/HTTPS Access
RDP Access
Backups Inbound
Backups Outbound
Vulnerability Scanners
Monitoring Servers
Temporary rule for clientFTP
Temporary rule for clientFTP
Intra-App-Tier Traffic
Default Rule

Ethernet Rules
Section Name
Default Section Layer2 -

Rules
Source | Destination | Service | Action | Applied To | Log
Any | Infra-DNS-Servers | DNS (TCP: 53), DNS-UDP (UDP: 53) | Allow/Deny | Any | Log
Any | Infra-DHCP-Servers | DHCP (UDP 67) | Allow/Deny | Any | Log
<Source-IP> | Infra-SMTP-Servers | SMTP (TCP: 25) | Allow/Deny | Any | Log
*any | Infra-NTP-Servers | NTP Time Server (UDP: 123) | Allow/Deny | Any | Log
Infra-NTP-Servers | *any | NTP Time Server (UDP: 123) | Allow/Deny | Any | Log
Source IP | Destination IP | SSH (TCP 22) | Allow/Deny | Any | Log
Source IP | Destination IP | HTTP/HTTPS | Allow/Deny | Any | Log
Source IP/Subnets | Destination IP | TCP/UDP 3389 | Allow/Deny | Any | Log
SG-Web-01 | SG-Web-01 | ICMP Echo, ICMP Echo Reply | Allow/Deny | Any | Log
SG-App-01 | SG-App-01 | ICMP Echo, ICMP Echo Reply | Allow/Deny | Any | Log
Any | Any | IPv6-ICMP Neighbor Solicitation, IPv6-ICMP Neighbor Advertisement | Allow/Deny | Any | Log
Any | Any | DHCP-Server | Allow/Deny | Any | Log
Any | Any | DHCP-Client | Allow/Deny | Any | Log
Any | Any | Any | Allow/Deny | Any | Log
SpoofGuard Policy Configuration
Network (Port Group/dvPortgroup/Logical Switch)
VMware note (operation mode): Automatically trust IP assignments on their first use / Manually inspect and approve all IP assignments before use.
VMware note: Allow local address (169.254.0.0/16) as valid address in this namespace.