Microsegmentation with NSX-T (part 1: methodology)

Microsegmentation with NSX-T (part 1: methodology)

Comments 7 comments

After a number of blogs on network-virtualization, I thought it was time to start writing some blogs on another of the major three use cases: Security, through micro-segmentation. In my line of work most organizations where I implement NSX (first V and now T) are primarily interested in the security aspects of the product. In my presentations on NSX I usually use two pictures to show what security is like in most traditional environments. It looks something like this: (for…

Read More Read More

Distributed Multi-Tier Routing in NSX-T

Distributed Multi-Tier Routing in NSX-T

Comments 5 comments

I learned something today, which in hindsight is obvious. Hopefully this helps someone that runs into the same “strange” (but not so strange) behavior. I created the following topology today, to prepare for some NSX-T demo I am giving tomorrow: What I (among other stuff) wanted to show, was that routing between Test-Segments “D” and “E” and “A”, “B” and “C”, is completely distributed. So when VM’s from the different segments live on the same host, no physical hops are…

Read More Read More

Install a signed certificate for vRealize Network Insight

Install a signed certificate for vRealize Network Insight

Comments 0 Comment

Within our demonstration environment (the PQR Experience Center), we are running a multitude of SDDC-products from VMware. Most of them have been signed by a CA-based certificate, but today we found out that our vRNI server is still running with the self-signed certificate. Time to change this! I have looked at the procedure at https://kb.vmware.com/s/article/2148128, and created some screen shots to accompany the procedure. First of all, I logged in with ssh on the platform-vm. I used the username “support”,…

Read More Read More

Integrating NSX-T with Active Directory for RBAC (through VMware Identity Manager)

Integrating NSX-T with Active Directory for RBAC (through VMware Identity Manager)

Comments 2 comments

So after using NSX-T for a while, with the built-in admin account, it is time to look into using RBAC for some granular control over who is allowed to do what, within NSX. So with NSX-T it isn’t as straight forward as it was in NSX-V. Integrating logins with AD requires a bit more work. With NSX-T it becomes necessary to work with the VMware Identity Manager. When looking at the ever-important Interoperability Matrix, we can see that the following version…

Read More Read More

Resetting expired admin password on NSX-T

Resetting expired admin password on NSX-T

Comments 6 comments

So apparently it has been 90 days since the deployment of NSX-T and therefor, time for the admin password to expire ;): Unfortunately, this doesn’t give you the opportunity to login and then change the password (a feature I would really appreciate), but a reset is necessary. In the online documentation (https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.4/administration/GUID-8816B842-2EC4-40A8-A618-F68DB29FABD2.html) the reset is done through a reboot into single user mode of one of the appliances and reset the password. However, in the online documentation one of the…

Read More Read More

NSX-T: Missing locale data for the locale “XX”.

NSX-T: Missing locale data for the locale “XX”.

Comments 0 Comment

So, as you may know, I am from the Netherlands (or Holland, although technically I am not, but that is a different discussion ;)). So within my lab-environment I sometimes use Dutch as the language-setting, for instance within Firefox, the browser I use(d) to configure NSX-T. But this issue also occurs in Chrome. Within IE (although I only used that to test if it was affected by this ;)), the page doesn’t load at all. When I try to open…

Read More Read More

Load Balancing with NSX-T – Part 1

Load Balancing with NSX-T – Part 1

Comments 4 comments

So after I looked at the installation, the fabric and routing and switching, it is time to take a look at the higher level networking functions within NSX-T, like Load Balancing. The functionality itself has not changed very much since NSX-T (compared to V), but the way that it is consumed is different.

As described in an earlier blog (Routing with NSX-T (part 1)), NSX-T uses multiple entities within it’s fabric. Two of which being tier-0 and tier-1 gateways and load balancing can only exist on a tier-1 gateway. So when you use Load Balancing within NSX-T you have to deploy both tier-0 and tier-1 components.

Routing with NSX-T (part 2)

Routing with NSX-T (part 2)

Comments 11 comments

So after the theory, it is time to create some routed networks. In order to do this, I created a design on what I want to accomplish. Part of the design is already in place, but for this blog I have created the part which is visible in the red square: So we already have a tier-0 gateway, connected to a tier-1 gateway, which is connected to several segments. The existing tier-1 is also used as a load balancer for…

Read More Read More

Routing with NSX-T (part 1)

Routing with NSX-T (part 1)

Comments 4 comments

As someone who has worked with NSX-V for quite some time, routing within NSX-T is a little bit difficult to grasp. The terminology might be only slightly different, the concepts are completely different. Within NSX-V, you had E-W routing, through a DLR and N-S routing through one or more ESG’s, either in HA or in ECMP. That was all pretty straight forward. The addition of statefull service could only be performed by ESG’s and if so, the ESG’s would not…

Read More Read More