VMware NSX:
Install, Configure, Manage
NSX 6.0
Part Number EDU-EN-NSXICM6-LAB
Lab Manual
Copyright/Trademark
Copyright 2014 VMware, Inc. All rights reserved. This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at http://www.vmware.com/go/
patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States
and/or other jurisdictions. All other marks and names mentioned herein may be trademarks
of their respective companies.
The training material is provided "as is," and all express or implied conditions,
representations, and warranties, including any implied warranty of merchantability, fitness for
a particular purpose or noninfringement, are disclaimed, even if VMware, Inc., has been
advised of the possibility of such claims. This training material is designed to support an
instructor-led training course and is intended to be used for reference purposes in
conjunction with the instructor-led training course. The training material is not a standalone
training tool. Use of the training material for self-study without class attendance is not
recommended.
These materials and the computer programs to which they relate are the property of, and
embody trade secrets and confidential information proprietary to, VMware, Inc., and may not
be reproduced, copied, disclosed, transferred, adapted or modified without the express
written approval of VMware, Inc.
Course development: Rob Nendel, John Tuffin, Jerry Ozbun
Technical review: Elver Sena, Chris McCain
Technical editing: Jim Brook, Shalini Pallat, Jeffrey Gardiner
Production and publishing: Ron Morton, Regina Aboud
The courseware for VMware instructor-led training relies on materials developed by the
VMware Technical Communications writers who produce the core technical documentation,
www.vmware.com/education
TABLE OF CONTENTS
Lab 6: Deploying an NSX Edge Services Gateway and Configuring Static Routing  45
Lab 15: Using NSX Edge Firewall Rules to Control Network Traffic  137
Lab 16: Using NSX Distributed Firewall Rules to Control Network Traffic  143
Answer Key  165
Lab 1
vCenter Server: vc-l-01a.corp.local
root
Status:
Task 3: Verify That the vSphere Web Client Plug-In for NSX Manager Is Installed
In your lab environment, the VMware vSphere Web Client Plug-in for NSX Manager is
preinstalled and ready for use.
1. To log in to the vSphere Web Client, in the Firefox window, click the vSphere Web Client
bookmark.
2. When prompted, log in as root and enter the password VMware1!.
Allow the initial authentication to complete. The initial authentication may take several minutes
to complete.
3. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.
4. In the left navigation pane, review the list of NSX features, then select NSX Managers.
5. In the middle pane, verify that a single NSX Manager instance with an IP address of
192.168.110.42 appears in the Objects list.
If an NSX Manager does not appear in the Objects list, ask your instructor for help.
[Screenshot: the NSX Managers Objects list showing a single NSX Manager with IP Address 192.168.110.42]
Task 4: License vCenter Server, the ESXi Hosts, and NSX Manager
Your instructor provides the necessary licenses.
1. Click the vSphere Web Client Home tab.
2. Assign a vCenter Server license key to the vCenter Server instance.
a. In the left pane, navigate to Administration> Licenses.
b. In the middle pane, click the vCenter Server Systems tab.
c. With the vCenter Server instance selected, click the Assign License Key link.
d. In the Assign License Key panel, select Assign a new license key from the drop-down menu.
e. In the License key text box, enter or paste your vCenter license key.
f. Click OK.
3. Assign a VMware vCloud Suite Enterprise license key to each VMware ESXi host.
a. In the center pane, click the Hosts tab.
b. Select the first ESXi host in the list.
c. Press the Shift key and click the last ESXi host in the list to select all three ESXi hosts.
d. Release the Shift key and click the Assign License Key link.
e. In the Assign License Key panel, select Assign a new license key from the drop-down menu.
f. In the License key text box, enter or paste your vCloud Suite Enterprise license key.
g. Click OK.
h. In the hosts list, press Shift and click to select all three ESXi hosts.
i. Right-click the selected hosts and select Connect from the pop-up menu.
You can also connect each host individually from the vCenter > Hosts and Clusters
inventory panel.
4. Assign a VMware NSX™ for vSphere license.
a. In the middle pane, click the Solutions tab.
b. Select the NSX for vSphere solution.
c. Click the Assign License Key link.
d. In the Assign License Key panel, select Assign a new license key from the drop-down menu.
e. In the License key text box, enter or paste your NSX for vSphere license key.
f. Click OK.
Lab 2
1. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
2. If you are not logged in to the vSphere Web Client, in the Firefox window, click the vSphere
Web Client bookmark.
3. When prompted, log in as root and enter the password VMware1!.
4. On the vSphere Web Client Home tab, click Inventories> Networking and Security.
3. In the Add Controller dialog box, perform the following actions to configure and deploy the
first NSX Controller.
Select Management and Edge Cluster from the Cluster/Resource Pool drop-down
menu.
e. Click the Connected To > Select link to open the Connect to a Network dialog box.
f. In the Connect to a Network dialog box, click Distributed Portgroup.
Option            Action
Name
Gateway
Prefix Length
Primary DNS
Secondary DNS     Leave blank.
DNS Suffix        Leave blank.
Static IP Pool
In the Add Controller dialog box, enter VMware1! in the Password and the Confirm
password text boxes.
k. Click OK.
4. Monitor the NSX Controller deployment to completion.
Use the horizontal scroll bar to uncover the Status column, if necessary.
Monitor the deployment until the status changes from Deploying to Normal.
The deployment process takes a few minutes to complete.
2. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
3. Expand the Hosts and Clusters inventory tree so that each cluster is expanded.
4. Click the vSphere refresh icon.
5. In the Management and Edge Cluster inventory, select the newly deployed NSX Controller
virtual machine.
The virtual machine name starts with NSX Controller...
6. In the middle pane, use the Summary tab report and answer the following questions.
Q1.
Q2.
Q3.
How much total memory does the NSX Controller instance have?
Q4.
Q5.
Q6.
10. Review the command output and answer the following questions.
Q7.
Q8.
11. Run the following command to determine the startup nodes in the cluster, and review the
command output.
How many roles have been assigned with the first controller as master?
Q11. How many unique ports are used for role-based communications?
16. Close the PuTTY window and click OK when prompted to confirm.
17. Restore the Firefox window.
Click Connected To> Select to open the Connect to a Network dialog box.
j. Click OK.
2. On the vSphere Web Client Home tab, click the Inventories> Hosts and Clusters icon.
3. Expand the Hosts and Clusters inventory tree.
4. Click the vSphere refresh icon.
5. In the Management and Edge Cluster inventory, select the second NSX Controller instance.
The controller name starts with NSX Controller ...
6. In the middle pane, use the Summary tab report to answer the following questions.
Q1. What is the power status of the NSX Controller instance?
Q2.
Q3.
How much total memory does the NSX Controller instance have?
Q4.
Q5.
Q6.
9. In the PuTTY window, run the following command to determine the cluster status for the first
node.
Q8.
11. Run the following command to determine the startup nodes in the cluster, and review the
command output.
How many roles have been assigned with the second controller as master?
4. In the Add Controller dialog box, perform the following actions to configure and deploy the
third NSX controller.
a. Select 192.168.110.42 from the NSX Manager drop-down menu.
b. Select ABC Medical from the Datacenter drop-down menu.
c. Select Management and Edge Cluster from the Cluster/Resource Pool drop-down menu.
d. Select ds-site-a-nfs01 from the Datastore drop-down menu.
e. Leave the Host selection blank.
f. Click Connected To > Select to open the Connect to a Network dialog box.
2. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
3. Expand the Hosts and Clusters inventory tree.
4. Click the vSphere refresh icon.
5. In the Management and Edge Cluster inventory, select the third NSX controller.
The controller name starts with NSX Controller...
6. In the middle pane, use the Summary tab report to answer the following questions.
Q1.
Q2. How many vCPUs does the NSX Controller instance have?
Q3.
How much total memory does the NSX Controller instance have?
Q4.
Q5. What port group is the NSX Controller instance connected to?
Q6.
11. Run the following command to determine the startup nodes in the cluster, and review the
command output.
How many roles have been assigned with the second controller as master?
Lab 3
5. Monitor the installation status of each cluster until the Installation Status changes from
Installing to Uninstall and the VXLAN column contains an active Configure link.
Configure VXLAN networking dialog box, and perform the following actions.
o.
e.
Select New IP Pool from the IP Pool drop-down menu to open the Add IP Pool dialog box.
Option            Action
Name
Gateway
Prefix Length
Primary DNS       Leave blank.
Secondary DNS     Leave blank.
DNS Suffix        Leave blank.
Static IP Pool    Enter 192.168.250.51-192.168.250.60 in the text box.
4. Verify that the Compute Cluster A VXLAN status is Enabled with a green check mark.
5. For Compute Cluster B, click the Configure link provided in the VXLAN column to open the
Configure VXLAN networking dialog box, and perform the following actions.
a. Verify that the Switch selection is Compute_VDS.
b. Verify that the VLAN setting is 0.
7. Verify that the Compute Cluster B VXLAN status is Enabled with a green check mark.
If the VXLAN status is not Enabled, wait and refresh again until the status changes.
8. For Management and Edge Cluster, click the Configure link provided in the VXLAN column
to open the Configure VXLAN networking dialog box, and perform the following actions.
o.
Select New IP Pool from the IP Pool drop-down menu to open the Add IP Pool dialog box.
f.
Option            Action
Name
Gateway
Prefix Length
Primary DNS       Leave blank.
Secondary DNS     Leave blank.
DNS Suffix        Leave blank.
Static IP Pool    Enter 192.168.150.51-192.168.150.60 in the text box.
lfthe VXLAN status is not Enabled, wait and refresh again until the status changes.
11. Click the Logical Network Preparation tab and verify that VXLAN Transport is selected.
12. In the Clusters and Hosts list, expand each of the three clusters listed.
13. For each host, confirm the host has a vmk# interface, then determine the following.
IP that was assigned to each host
Action
Segment ID Pool
3. Click OK.
Action
Name
Select the check box for each of the three clusters listed.
3. Click OK.
4. Wait for the update to complete and verify that Global Transport Zone appears in the transport
zones list, with a Control Plane Mode of Unicast.
Lab 4
Objective: Create and test logical switches for the Web-Tier, App-Tier, DB-Tier, and transport networks
In this lab, you will perform the following tasks :
1. Prepare for the Lab
5. Drag the pane divider to the right to expand the horizontal size of the inventory pane so that the
port group names are entirely shown.
6. In the Mgmt_Edge_VDS inventory, find port groups with names ending with the following.
Transit-Network
Web-Tier
App-Tier
DB-Tier
7. If the specified port groups do not appear in the Mgmt_Edge_VDS inventory, perform the
following actions.
a. Wait one minute.
b. Click the vSphere Web Client Refresh icon.
c. Repeat step 7 until the port groups appear in the Mgmt_Edge_VDS inventory.
8. Use the networking inventory to answer the following questions.
Q1. Have the same logical switch port groups been added to both distributed switches?
Q2. If the same port groups appear on both switches, why has the system configured
networking in this way?
Q3. Can the ID number associated with a VXLAN logical switch be determined from the
port group name?
Q4. Does the transit network port group in both the Compute_VDS and Mgmt_Edge_VDS
inventories share the same VXLAN ID?
The Actions drop-down menu appears at the top of the middle pane.
[Screenshot: the db-sv-01a object view with its Summary, Monitor, Manage and Related Objects tabs and the Actions menu]
6. In the Web-Tier - Add Virtual Machines dialog box, perform the following actions to migrate
virtual machines to the Web-Tier logical switch.
a. In the filter list, select the web-sv-01a and web-sv-02a check boxes.
b. Click Next.
c. In the Select VNICs list, select the Network Adapter 1 (VM Network) check box for
web-sv-01a and web-sv-02a.
d. Click Next.
e. Click Finish.
7. In the Recent Tasks panel, monitor the virtual machine migrations to completion.
8. In the Logical Switches list, double-click the Web-Tier entry to manage that object.
9. Click the Related Objects tab and click Virtual Machines.
Q1.
Q2.
10. At the top of the left inventory pane, click the Network & Security back arrow.
11. In the Logical Switches list, select the App-Tier logical switch.
12. Click the Add Virtual Machines icon, or select Add VM ... from the Actions drop-down menu.
13. In the Add Virtual Machines dialog box, perform the following actions to migrate virtual
d. Click Next.
e. Click Finish.
14. In the Recent Tasks panel, monitor the virtual machine migration to completion.
15. In the Logical Switches list, select the DB-Tier logical switch.
16. Click the Add Virtual Machines icon, or select Add VM... from the Actions drop-down menu.
17. In the Add Virtual Machines dialog box, perform the following actions to migrate virtual
In the Select VNICs list, select the Network Adapter 1 (VM Network) check box for
db-sv-01a.
d. Click Next.
e. Click Finish.
18. In the Recent Tasks panel, monitor the virtual machine migration to completion.
2. On the vSphere Web Client Home tab, click the Inventories> VMs and Templates icon.
3. Expand the VMs and Templates inventory tree and power on each of the following virtual
machines found in the Discovered virtual machine folder.
web-sv-01a
web-sv-02a
app-sv-01a
db-sv-01a
To power on a virtual machine, select the virtual machine in the inventory, then select Power On
from the Actions drop-down menu.
web-sv-02a IP address: ________
app-sv-01a IP address: ________
db-sv-01a IP address: ________
To view an IP address assignment, select the virtual machine in the inventory. The IP address
assignment appears at the top of the Summary tab report.
[Screenshot: the app-sv-01a Summary tab showing the Guest OS, Compatibility, DNS Name, IP Addresses and Host fields]
The IP address information is also provided in your Lab Topology handout on the Lab
Networks and IP Addressing page.
5. Test connectivity from the web-sv-01a virtual machine using a console window.
a. In the VMs and Templates inventory tree, select the web-sv-01a virtual machine.
b. Select Open Console from the Actions drop-down menu.
It may take a minute for the console window to initialize. Hover the mouse over the
console window, wait until the mouse pointer becomes a hand icon, then click anywhere
inside the console window and press Enter.
c. Log in as root and enter the password VMware1!.
d. At the command line prompt, run the following command to query the ARP cache.
arp -an
Q1.
e. At the command line prompt, run the following command to ping the web-sv-02a virtual
machine. Replace ip_address with the web-sv-02a IP address recorded in step 4.
ping ip_address
Q2. Did the ping command receive replies from the web-sv-02a virtual machine?
f.
g. At the command line prompt, run the following command to query the ARP cache.
arp -an
Q3. Did the command return any entries?
h. At the command line prompt, run the following command to ping the app-sv-01a virtual
machine. Replace ip_address with the app-sv-01a IP address recorded in step 4.
ping ip_address
Q4. Did the ping command receive replies from the app-sv-01a virtual machine?
i.
j. At the command line prompt, run the following command to ping the db-sv-01a virtual
machine. Replace ip_address with the db-sv-01a IP address recorded in step 4.
ping ip_address
Q5. Did the ping command receive replies from the db-sv-01a virtual machine?
6. Test connectivity from the ControlCenter system using a command prompt window.
a. Minimize the Firefox window.
b. On the ControlCenter desktop, double-click the Command Prompt shortcut.
c. In the command prompt window, run the following command to ping the web-sv-01a
virtual machine. Replace ip_address with the web-sv-01a IP address recorded in step 4.
ping ip_address
Q7. Did the ping command receive replies from the web-sv-01a virtual machine?
d. Leave the Command Prompt window open for the remainder of the class.
7. Test connectivity using logical switch monitoring tools .
a. Restore the Firefox window.
b. Click the vSphere Web Client Home icon.
c. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
d. In the left navigation pane, select Logical Switches.
e. In the center pane, double-click the Web-Tier entry to manage that object.
f. Click the Monitor tab and verify that the Ping test is selected.
k. Verify that the Size of test packet selection is VXLAN standard.
l. Click Start Test.
n. At the top of the left navigation pane, click the Networking & Security back arrow button.
3. On the Control Center desktop, leave the Command Prompt window open .
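The `arp -an` checks in step 5 of Lab 4 (repeated in step 3 of Lab 5, after the Distributed Router exists) show which neighbours web-sv-01a resolved directly on the Web-Tier logical switch, and whether a gateway on that switch ever answered. The following Python script is an added example, not part of this lab manual: the two ARP tables in it are constructed in the Linux net-tools `arp -an` format to match the situation before and after a router is attached to the Web-Tier, and are not captured lab output. The only lab addresses it uses are web-sv-01a (172.16.10.11), web-sv-02a (172.16.10.12), app-sv-01a (172.16.20.11), db-sv-01a (172.16.30.11) and the Distributed Router Web-Interface address 172.16.10.1 from Lab 5.

```python
"""Interpret `arp -an` output from the Lab 4 and Lab 5 ping tests.

Added example, not part of the lab manual. The ARP tables are CONSTRUCTED in the
Linux net-tools `arp -an` format; they are not captured output. Addresses follow
the lab topology: web-sv-01a 172.16.10.11/24 on the Web-Tier logical switch,
web-sv-02a 172.16.10.12, and the Distributed Router Web-Interface 172.16.10.1.
"""
import ipaddress
import re

# One cache entry per line, e.g. "? (172.16.10.12) at 00:50:56:a1:b2:c3 [ether] on eth0",
# or "? (172.16.10.1) at <incomplete> on eth0" when nobody answered the ARP request.
ARP_LINE = re.compile(
    r"\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|<incomplete>)"
    r"(?:\s+\[ether\])?\s+on\s+(?P<dev>\S+)",
    re.IGNORECASE,
)

# Constructed: cache on web-sv-01a after the Lab 4 pings, before any router is attached.
# Only the on-link neighbour resolved; the gateway address never answered ARP.
ARP_BEFORE_DLR = """\
? (172.16.10.12) at 00:50:56:a1:b2:c3 [ether] on eth0
? (172.16.10.1) at <incomplete> on eth0
"""
# Constructed: cache after the Lab 5 pings, with the Distributed Router on the Web-Tier.
ARP_AFTER_DLR = """\
? (172.16.10.12) at 00:50:56:a1:b2:c3 [ether] on eth0
? (172.16.10.1) at 02:50:56:56:44:52 [ether] on eth0
"""

# Ping targets from the lab: web-sv-02a, app-sv-01a, db-sv-01a.
TARGETS = ("172.16.10.12", "172.16.20.11", "172.16.30.11")


def parse_arp(text):
    """Return {ip: mac} for resolved entries; incomplete entries are dropped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m and m["mac"].lower() != "<incomplete>":
            table[m["ip"]] = m["mac"].lower()
    return table


def classify(targets, host_cidr, gateway, arp_text):
    """For each ping target, decide from the host's own subnet whether it is an
    on-link neighbour (must appear in the cache itself) or off-link (reachable
    only if the gateway on this logical switch answered ARP)."""
    host = ipaddress.ip_interface(host_cidr)
    table = parse_arp(arp_text)
    verdict = {}
    for target in targets:
        if ipaddress.ip_address(target) in host.network:
            verdict[target] = "on-link: resolved" if target in table else "on-link: not resolved"
        elif gateway in table:
            verdict[target] = f"off-link: via gateway {gateway}"
        else:
            verdict[target] = "off-link: gateway unresolved, unreachable"
    return verdict


if __name__ == "__main__":
    for label, cache in (("before DLR", ARP_BEFORE_DLR), ("after DLR", ARP_AFTER_DLR)):
        print(label, classify(TARGETS, "172.16.10.11/24", "172.16.10.1", cache))
```

The off-link verdict is what the Lab 4 and Lab 5 questions are probing: a host on the Web-Tier can only resolve neighbours on its own logical switch, so app-sv-01a and db-sv-01a never appear in the cache, and replies from them depend entirely on whether 172.16.10.1 resolved.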
Lab 5
7. Select the Enable SSH Access check box and click Next.
8. On the Configure Deployment page, verify that the Datacenter selection is ABC Medical.
9. Under NSX Edge Appliances , click the green plus sign to open the Add NSX Edge Appliance
dialog box, and perform the following actions.
a. Select Management and Edge Cluster from the Cluster/Resource Pool drop-down menu.
b. Select ds-site-a-nfs01 from the Datastore drop-down menu.
c. Leave all other fields blank, and click OK.
10. Click Next.
11. On the Configure interfaces page, click the Connected To > Select link under Management
Interface Configuration.
12. In the Connect NSX Edge to a Network dialog box, click Distributed Portgroup.
13. Click the Mgmt_Edge_VDS - Mgmt button and click OK.
14. Under Configure Interfaces for this NSX Edge, click the green plus sign to open the Add
Interface dialog box, and perform the following actions to configure the first of four interfaces.
a. Enter Transit-Interface in the Name text box.
b. For Type, leave UpLink selected.
c. Click the Connected To > Select link.
d. Click the Transit-Network button and click OK.
e. Click the green plus sign under Configure Subnets.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 192.168.10.2 in the IP Address text box and click OK to confirm the entry.
h. Enter 29 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.
j.
15. Under Configure Interfaces for this NSX Edge, click the green plus sign to open the Add Interface
dialog box, and perform the following actions to configure the second of four interfaces.
a. Enter Web-Interface in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click the Web-Tier button and click OK.
e. Click the green plus sign under Configure Subnets.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 172.16.10.1 in the IP Address text box, and click OK to confirm the entry.
h. Enter 24 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.
j.
16. Under Configure Interfaces for this NSX Edge, click the green plus sign to open the Add
Interface dialog box, and perform the following actions to configure the third of four interfaces.
a. Enter App-Interface in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click the App-Tier button and click OK.
e. Click the green plus sign under Configure Subnets.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 172.16.20.1 in the IP Address text box and click OK to confirm the entry.
h. Enter 24 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.
j.
17. Under Configure Interfaces for this NSX edge, click the green plus sign to open the Add
Interface dialog box, and perform the following actions to configure the fourth interface .
a. Enter DB-Interface in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click the DB-Tier button and click OK.
e. Click the green plus sign under Configure Subnets.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 172.16.30.1 in the IP Address text box and click OK to confirm the entry.
h. Enter 24 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.
j.
18. Compare the interface configurations to the following table. If any entry is not configured
correctly, edit the entry by selecting it and clicking the pencil icon.
Name               IP Address     Subnet Prefix Length   Connected To
Transit-Interface  192.168.10.2   29                     Transit-Network
Web-Interface      172.16.10.1    24                     Web-Tier
App-Interface      172.16.20.1    24                     App-Tier
DB-Interface       172.16.30.1    24                     DB-Tier
[Screenshot: the Distributed Router Manage view with Settings, Firewall, Routing and Bridging tabs, the Configuration and Interfaces categories, and the interface list with its vNIC# column]
5. In the Interfaces list, verify that each interface shows a green check mark in the Status column.
6. In the settings category panel, select Configuration.
7. At the bottom of the center pane, locate the Logical Router Appliances panel and answer the
following questions.
Q1. On which datastore is the Logical Router Controller deployed?
Q2.
Q4.
Q5.
Q6.
db-sv-01a IP address: ________
The IP address information can also be found in your Lab Topology handout on the Lab
Networks and IP Addressing page.
3. Test connectivity from the web-sv-01a virtual machine.
a. In the Firefox window, click the web-sv-01a tab.
b. At the command prompt, run the following command to ping the web-sv-02a virtual
machine.
Replace ip_address with the web-sv-02a IP address recorded in step 2.
ping ip_address
Q1. Did the ping command receive replies from the web-sv-02a virtual machine?
ping ip_address
Q2. Did the ping command receive replies from the app-sv-01a virtual machine?
f. At the command prompt, run the following command to ping the db-sv-01a virtual
machine.
Replace ip_address with the db-sv-01a IP address recorded in step 2.
ping ip_address
Q3. Did the ping command receive replies from the db-sv-01a virtual machine?
Q4. Do these results differ from the ping tests you performed after creating the
logical switches (before adding the distributed router)?
i. At the command prompt, run the following command to query the ARP cache.
arp -an
Q5.
j. Press Ctrl+Alt to release the mouse cursor and click the vSphere Web Client tab.
4. Test connectivity from the ControlCenter system using a Command Prompt window.
a. Minimize the Firefox window.
b. In the Command Prompt window, run the following command to ping the web-sv-01a
virtual machine.
Replace ip_address with the web-sv-01a IP address recorded in step 2.
ping ip_address
Q6. Did the ping command receive replies from the web-sv-01a virtual machine?
c. In the Command Prompt window, run the following command to ping the web-sv-02a
virtual machine.
Replace ip_address with the web-sv-02a IP address recorded in step 2.
ping ip_address
Q7. Did the ping command receive replies from the web-sv-02a virtual machine?
Q8.
[Table fragment: VNI 5001, Controller 192.168.110.201]
4. If you are not connected to the controller that owns the slice, perform the following actions.
a. Record the IP address of the controller that owns the slice.
________
Lab 6
7. Select the Enable SSH access check box and click Next.
8. On the Configure deployment page, verify that the Datacenter selection is ABC Medical.
9. Verify that the Appliance Size selection is Compact.
10. Verify that the Enable auto rule generation check box is selected.
11. Under NSX Edge Appliances, click the green plus sign to open the Add NSX Edge Appliance
dialog box, and perform the following actions.
a. Select Management and Edge Cluster from the Cluster/Resource Pool drop-down
menu.
b. Select ds-site-a-nfs01 from the Datastore drop-down menu.
c. Leave all other fields at default value and click OK.
12. Click Next.
13. On the Configure Interfaces page, click the green plus sign to open the Add NSX Edge
Interface dialog box, and perform the following actions to configure the first of two interfaces.
a. Enter Uplink-Interface in the Name text box.
b. For Type, leave UpLink selected.
c. Click the Connected To > Select link.
d. Click Distributed Portgroup.
g. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
h. Enter 192.168.100.3 in the IP Address text box and click OK to confirm the entry.
i. Enter 24 in the Subnet prefix length text box.
j. Click OK to close the Add Subnet dialog box.
g. Enter 192.168.10.1 in the IP Address text box and click OK to confirm the entry.
h. Enter 29 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.
j.
15. Compare the interface configurations to the following table. If any interface is not configured
correctly, edit the interface by selecting that entry and clicking the pencil icon.
Name               IP Address      Subnet Prefix Length   Connected To
Uplink-Interface   192.168.100.3   24                     Mgmt_Edge_VDS - HQ Uplink
Transit-Interface  192.168.10.1    29                     Transit-Network
Edge.
Q2.
8. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
9. Expand the Hosts and Clusters inventory tree so that the inventory of each cluster is shown.
Q3.
Q4.
Q5.
Q6.
Q7.
2. At the web-sv-01a command prompt, run the following command to ping the ControlCenter
system.
ping 192.168.110.10
3. Confirm that ICMP echo replies are received and press Ctrl+C to stop the ping command.
The ping test demonstrates the bidirectional connectivity between the logical switch network
and the Management network, for traffic initiated on the Web-Tier network. If the ping
command does not receive the expected replies, ask your instructor for assistance.
4. In the Firefox window, press Ctrl+Alt to release the mouse cursor, open a new browser tab, and
browse to the web-sv-01a IP address.
http://172.16.10.11
5. After the web-sv-01a Web page is displayed, browse to the web-sv-02a IP address.
http://172.16.10.12
6. After the web-sv-02a Web page is displayed, close the Firefox tab used to browse the Web
servers.
The Ping and HTTP tests that are conducted verify bidirectional connectivity between the
management and Web-Tier networks for connections initiated in either direction.
7. Minimize the Firefox window.
8. On the ControlCenter desktop, in the Command Prompt window, run the following command to
verify that the static routes enable bidirectional connectivity between the Management network
and the App-Tier logical switch network.
ping 172.16.20.11
9. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
10. Run the following command to verify that the static routes enable bidirectional connectivity
between the Management network and the DB-Tier logical switch network.
ping 172.16.30.11
11. Verify that ICMP echo replies are received and press Ctrl+C to stop the ping command.
12. Leave the Command Prompt window open.
13. Restore the Firefox window and click the vSphere Web Client tab.
Lab 7
6. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
ping 172.16.10.11
3. In the Route Redistribution Status panel, at the top of the page, determine if a green check mark
appears next to OSPF.
Route Redistribution status:
OSPF:
ISIS:
BGP:
4. If a green check mark does not appear, perform the following actions.
a. On the right side of the Route Redistribution Status panel, click Change.
b. In the Change redistribution settings dialog box, select the OSPF check box.
c. Click Save.
d. In the Route Redistribution Status panel, at the top of the page, verify that a green check
mark appears next to OSPF.
5. At the top of the page, click Publish Changes.
4. Leave all other fields at the default value and click Save.
Do not select the Enable OSPF check box. For management purposes, OSPF can be enabled or
disabled in the Global Configuration page, after having been initially configured elsewhere. An
error message is displayed if OSPF is enabled in Global Configuration without first configuring
the OSPF parameters. This condition is unique to NSX Edges of type Distributed Router.
5. At the top of the Global Configuration page, click Publish Changes.
6. In the routing category panel, select OSPF.
7. On the right side of the OSPF Configuration panel, click Edit to open the OSPF Configuration
dialog box, and perform the following actions.
a. Select the Enable OSPF check box.
b. Enter 192.168.10.3 in the Protocol Address text box.
c. Enter 192.168.10.2 in the Forwarding Address text box.
d. Click OK.
8. In the Area Definitions panel, click the green plus sign to open the New Area Definition dialog
box.
a. Enter 829 in the Area ID text box.
b. Leave all other fields at the default value and click OK.
9. In the Area to Interface Mapping panel, click the green plus sign to open the New Area to
Interface Mapping dialog box, and perform the following actions.
a. Verify that the Interface selection is Transit-Interface.
b. Select 829 from the Area drop-down menu.
c. Leave all other fields at default value and click OK.
10. At the top of the OSPF configuration page, click Publish Changes.
11. After the changes have been published, verify that the OSPF Configuration Status is Enabled.
[Screenshot: the OSPF Configuration panel showing Status Enabled, Protocol Address 192.168.10.3 and Forwarding Address 192.168.10.2]
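The addresses configured across Labs 5, 6 and 7 (the Distributed Router interfaces, the Perimeter Gateway interfaces, and the OSPF protocol and forwarding addresses on the transit network) have to fit together before any of the ping tests can succeed: both routers must share the 192.168.10.0/29 transit subnet, every static next hop must sit on a directly attached subnet, and the Distributed Router's forwarding address must be its own transit interface while its protocol address is a separate, unused host on that subnet. The following Python script is an added example, not part of this lab manual or of any VMware tooling; it encodes the lab's addresses from the interface tables in Lab 5 step 18, Lab 6 step 15 and Lab 7 step 7 and checks them the way the verification steps do by hand. The static routes in it are an assumption about what Lab 6 configured (the manual states that static routes connect the Management network to the tier networks but does not list them in this excerpt), and the route lookup and trace functions are an illustrative model, not an NSX API.

```python
"""Consistency checks for the routed lab topology built in Labs 5 to 7.

Added example, not part of the lab manual. Interface addresses come from the lab
tables (Distributed Router: Lab 5 step 18; Perimeter Gateway: Lab 6 step 15; OSPF
addresses: Lab 7 step 7). The static routes are ASSUMED: the manual says Lab 6 adds
static routes towards the tier networks but does not list them in this excerpt.
"""
import ipaddress

DLR = {"interfaces": {"Transit-Interface": "192.168.10.2/29", "Web-Interface": "172.16.10.1/24",
                      "App-Interface": "172.16.20.1/24", "DB-Interface": "172.16.30.1/24"},
       "static": [("0.0.0.0/0", "192.168.10.1")]}  # ASSUMED default route back to the gateway
ESG = {"interfaces": {"Uplink-Interface": "192.168.100.3/24", "Transit-Interface": "192.168.10.1/29"},
       "static": [("172.16.10.0/24", "192.168.10.2"), ("172.16.20.0/24", "192.168.10.2"),
                  ("172.16.30.0/24", "192.168.10.2")]}  # ASSUMED tier routes via the DLR
DLR_OSPF = {"protocol_address": "192.168.10.3", "forwarding_address": "192.168.10.2"}


def connected(router):
    """Interface name -> the subnet attached to it."""
    return {n: ipaddress.ip_interface(c).network for n, c in router["interfaces"].items()}


def check_static_routes(router):
    """A next hop must lie on an attached subnet, and a static route must not be
    a subset of an attached subnet (it would shadow hosts on that network)."""
    problems, nets = [], connected(router)
    for prefix, next_hop in router["static"]:
        dest, hop = ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)
        if not any(hop in n for n in nets.values()):
            problems.append(f"{prefix}: next hop {next_hop} is not on a connected subnet")
        problems += [f"{prefix} shadows attached {name}" for name, n in nets.items() if dest.subnet_of(n)]
    return problems


def check_transit(a, b, name="Transit-Interface"):
    """The two routers peer on the transit network: same subnet, distinct addresses."""
    ia, ib = (ipaddress.ip_interface(r["interfaces"][name]) for r in (a, b))
    problems = []
    if ia.network != ib.network:
        problems.append(f"transit subnets differ: {ia.network} vs {ib.network}")
    if ia.ip == ib.ip:
        problems.append(f"duplicate transit address {ia.ip}")
    return problems


def check_dlr_ospf(ospf, dlr, peer, name="Transit-Interface"):
    """A Distributed Router forms OSPF adjacencies from its protocol address (control VM)
    but forwards from its forwarding address (data plane): both on the transit subnet,
    distinct, forwarding address = transit interface, neither equal to the peer's address."""
    transit = ipaddress.ip_interface(dlr["interfaces"][name])
    peer_ip = ipaddress.ip_interface(peer["interfaces"][name]).ip
    proto = ipaddress.ip_address(ospf["protocol_address"])
    fwd = ipaddress.ip_address(ospf["forwarding_address"])
    problems = [f"{label} address {addr} is outside {transit.network}"
                for label, addr in (("protocol", proto), ("forwarding", fwd)) if addr not in transit.network]
    if proto == fwd:
        problems.append("protocol and forwarding addresses must differ")
    if fwd != transit.ip:
        problems.append(f"forwarding address {fwd} is not the transit interface {transit.ip}")
    if peer_ip in (proto, fwd):
        problems.append(f"address {peer_ip} collides with the peer's transit interface")
    return problems


def lookup(router, dest):
    """Longest-prefix match over attached and static routes.
    Returns ('connected', iface) or ('via', next_hop); None when unrouted."""
    dest, best = ipaddress.ip_address(dest), None
    candidates = [(net, ("connected", n)) for n, net in connected(router).items()]
    candidates += [(ipaddress.ip_network(p), ("via", h)) for p, h in router["static"]]
    for net, answer in candidates:
        if dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, answer)
    return best[1] if best else None


def trace(routers, start, dest, max_hops=8):
    """Follow next hops from router `start` until the destination is attached."""
    owner = {ipaddress.ip_interface(c).ip: r for r, cfg in routers.items()
             for c in cfg["interfaces"].values()}
    path, router = [], start
    for _ in range(max_hops):
        hop = lookup(routers[router], dest)
        if hop is None:
            return path + [f"{router}: no route"]
        path.append(f"{router}: {hop[0]} {hop[1]}")
        if hop[0] == "connected":
            return path
        router = owner.get(ipaddress.ip_address(hop[1]))
        if router is None:
            return path + [f"next hop {hop[1]} is not a router in this model"]
    return path + ["hop limit reached"]


def validate_topology():
    """All checks over the lab values; an empty list means the tables are consistent."""
    return (check_static_routes(DLR) + check_static_routes(ESG)
            + check_transit(DLR, ESG) + check_dlr_ospf(DLR_OSPF, DLR, ESG))


if __name__ == "__main__":
    print("problems:", validate_topology() or "none")
    routers = {"Perimeter Gateway": ESG, "Distributed Router": DLR}
    for target in ("172.16.10.11", "172.16.20.11", "172.16.30.11"):  # web-sv-01a, app-sv-01a, db-sv-01a
        print(target, "->", " | ".join(trace(routers, "Perimeter Gateway", target)))
```

Run as is, the checks report no problems and each trace goes Perimeter Gateway, via 192.168.10.2, Distributed Router, connected tier interface, which is the path the Lab 6 pings from the ControlCenter take. Change one value, for instance a static next hop typed as 192.168.20.2 instead of 192.168.10.2, and the corresponding check names the route, which is exactly the kind of error the verification tables are meant to catch.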
b. In the Dynamic Routing Configuration panel, verify that the following options are
configured as shown.
Router ID: 192.168.10.2
OSPF: green check mark
In the static routes table, verify that no static routes are defined.
In the OSPF Configuration panel, verify that the following options are set as specified.
Status: Enabled
Protocol Address: 192.168.10.3
Forwarding Address: 192.168 .10.2
g. In the Area Definitions panel, verify that Area 829 is defined with Normal for Type and
None for Authentication.
h. In the Area to Interface Mapping panel, verify that area 829 has been mapped to Transit-Interface.
In the Route Redistribution Status panel, verify that a green check mark appears next to
OSPF.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.
Learner: OSPF
From: Connected
Prefix: Any
Action: Permit
7. In the left navigation pane, click the Networking & Security back arrow button.
8. In the edge list, double-click the Perimeter Gateway entry to manage that object.
9. In the middle pane, click the Manage tab and click Routing.
10. Verify the Perimeter Gateway configuration by performing the following actions.
If any option is incorrectly configured, correct the option as you progress through the following
steps.
OSPF Status: Enabled
Area Definitions:
g. In the Area Definitions panel, verify that the following areas are defined.
Area ID: 829, Type: Normal, Authentication: None
Area ID: 0, Type: Normal, Authentication: None
h. In the Area to Interface Mapping panel, verify that area 829 is mapped to Transit-Interface.
k. In the Route Redistribution table, verify that an entry exists with the following criteria.
Learner: OSPF
From: OSPF
Prefix: Any
Action: Permit
12. In the left navigation pane , click the Networking & Security back arrow button.
13. In the edge list, double-click the Distributed Router entry.
14. In the middle pane, click the Manage tab and click Settings.
15. In the settings category panel, select Interfaces and answer the following question .
Q2. Are the logical switch networks Web-Tier (172.16.10.0/24), App-Tier (172.16.20.0/24),
and DB-Tier (172.16.30.0/24) connected to Distributed Router interfaces?
18. In the routing category panel , select Route Redistribution, and answer the following question.
Q4. Is the configured Route Redistribution entry sufficiently configured so that
subnets known to the Distributed Router can be learned through OSPF?
19. In the left navigation pane, click the Networking & Security back arrow button .
20. In the edge list, double-click the Perimeter Gateway entry to manage that object.
21. In the middle pane, click the Manage tab and click Settings.
22. In the settings category panel, select Interfaces and answer the following question.
Q5. Is the Management network attached to Perimeter Gateway?
25. In the routing category panel, select Route Redistribution and answer the following question.
Q7.
a. Under Allow learning from, select the Static Routes check box.
b. Click Save.
6. At the top of the Route Redistribution page, click Publish Changes.
The above configuration change instructs Perimeter Gateway to allow learning of both
connected subnets and static routes through OSPF. The distributed router receives a route to the
Management network from Perimeter Gateway with a next hop of the Perimeter Gateway
interface on the transit network .
7. Minimize the Firefox window.
8. On the Control Center desktop, in the Command Prompt window, run the following command to
test bidirectional connectivity between the Management Network and the Web-Tier logical
switch network.
ping 172.16.20.11
ping 172.16.30.11
12. Leave the Command Prompt window open.
13. Restore the Firefox window.
Lab 8
6. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
6. If you cannot log in because SSH access was not enabled during deployment of the edge, or if
the password was entered incorrectly, perform the following steps.
a. Restore the Firefox window.
b. In the left navigation pane, select NSX Edges.
c. In the edge list, select the Perimeter Gateway entry and select Change CLI Credentials
from the Actions drop-down menu.
d. In the Change CLI Credentials dialog box, enter VMware1!VMware1! in the Password and Retype
Password text boxes.
e. Verify that the Enable SSH Access check box is selected and click OK.
f. Restart this task by going back to step 1.
7. Run the following command to begin capturing HTTP traffic on the uplink interface.
All commands are case-sensitive.
debug packet display interface vNic_0 port_80
Include the port_80 filter as the last argument of the command. The last argument is the filter
expression. The filter expression must be expressed with underscore characters where spaces
might normally appear.
8. Leave the traffic capture running in the PuTTY window and restore the Firefox window.
9. In the Firefox window, open a new browser tab and go to http://172.16.10.11 to browse the
web-sv-01a Web server.
10. After the Web page is displayed, go to http://192.168.100.7 to verify that there is no response.
The 192.168.100.7 address specified in the URL is the NAT address that you associate with the
web-sv-01a virtual machine at 172.16.10.11.
11. After Firefox reports that the page cannot be displayed, close the browser tab and minimize the
Firefox window.
12. In the PuTTY window, examine the packets captured to determine source and destination
addressing format.
Packet addressing is always reported in the following format:
time protocol source-address : source-port > destination-address : destination-port
13. In the packet capture output, examine the addressing of each packet and verify that the
following two addresses are involved in the exchange.
192.168.110.10
This address is the IP address of the ControlCenter.
172.16.10.11
This address is the IP address of the web-sv-01a virtual machine on the Web-Tier network.
14. Answer the following question.
Q1. In the packet capture, do you observe any packets exchanged between the
ControlCenter system and the 192.168.100.7 IP address?
In the interfaces list, verify that vNIC# 0 has the following two IP addresses.
192.168.100.3* /24
192.168.100.7
The asterisk (star) character to the right of the 192.168.100.3 address indicates the primary IP
address assigned to the interface. All other addresses are considered to be secondary.
Q2. If response traffic was not translated based on the destination NAT mapping,
what source address would the packets have when received by the
ControlCenter?
3. At the web-sv-01a command prompt, run the following command to ping the ControlCenter
system.
1. Above the NAT rules list, click the green plus sign and select Add SNAT Rule.
2. In the Add SNAT Rule dialog box, perform the following actions.
a. Select Uplink-Interface from the Applied On drop-down menu.
b. Enter 172.16.10.11 in the Original Source IP/Range text box.
This address is the address of the web-sv-01a Web server virtual machine on the Web-Tier
network.
c. Enter 192.168.100.7 in the Translated Source IP/Range text box.
This address is the translated source IP address.
d. Select the Enabled check box.
e. Leave all other fields at the default value and click OK.
3. Above the NAT rules list, click Publish Changes.
3. After at least one ICMP request and reply have been reported, press Ctrl+C to stop the ping
command.
4. Press Ctrl+Alt to release the mouse cursor and minimize the Firefox window.
5. In the PuTTY window, determine source and destination addressing, and verify that the
following two IP addresses are involved in the ICMP exchange.
192.168.110.10
This address is the IP address of the ControlCenter.
192.168.100.7
This address is the translated IP address of the web-sv-01a Web server virtual machine.
6. Press Ctrl+C to stop the packet capture.
7. Restore the Firefox window and click the vSphere Web Client tab.
If the test does not produce the expected results, review your configuration carefully,
ensure that the destination NAT rule is enabled and is applied on the Uplink-Interface, and
try the test again. If the test continues to fail, ask your instructor for assistance. Both
destination NAT rules must be defined and working for upcoming labs.
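The following Python model is an added example and is not part of the VMware lab manual or of the NSX product. It models the two Perimeter Gateway NAT rules from this lab (the destination NAT rule 192.168.100.7 to 172.16.10.11 applied on the Uplink-Interface, and the source NAT rule 172.16.10.11 to 192.168.100.7), including the stateful reverse translation that puts the NAT address back on reply traffic, and it parses capture lines written in the time protocol source-address:source-port > destination-address:destination-port format described in step 12 so that the addresses taking part in an exchange can be listed rather than read by eye. The class and function names and the sample capture lines are constructed for illustration; real debug packet display output may differ in detail.

```python
"""Added example (not from the lab manual): a model of the Perimeter Gateway
NAT rules from Lab 8 and a parser for the capture line format described in
step 12. Names and sample lines are constructed for illustration."""
import re
from dataclasses import dataclass, replace

CONTROLCENTER = "192.168.110.10"   # ControlCenter on the Management network
WEB_SV_01A = "172.16.10.11"        # web-sv-01a on the Web-Tier logical switch
NAT_ADDRESS = "192.168.100.7"      # secondary IP on vNIC#0 (Uplink-Interface)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


class EdgeNat:
    """Stateful NAT on the Uplink-Interface: DNAT for packets entering from the
    outside, SNAT for new flows leaving, and reverse translation of replies to
    DNAT'ed flows so they leave with the NAT address as source."""

    def __init__(self, dnat, snat):
        self.dnat = dnat          # original destination -> translated destination
        self.snat = snat          # original source -> translated source
        self.sessions = {}        # (inside ip, inside port, peer ip, peer port) -> NAT address

    def inbound(self, pkt):
        """Packet arriving on the uplink from the outside."""
        if pkt.dst in self.dnat:
            inside = self.dnat[pkt.dst]
            self.sessions[(inside, pkt.dport, pkt.src, pkt.sport)] = pkt.dst
            return replace(pkt, dst=inside)
        return pkt

    def outbound(self, pkt):
        """Packet leaving via the uplink toward the outside."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:          # reply half of a DNAT'ed flow
            return replace(pkt, src=self.sessions[key])
        if pkt.src in self.snat:          # new flow from the inside (SNAT rule)
            return replace(pkt, src=self.snat[pkt.src])
        return pkt


# Lab format: time protocol source-address:source-port > destination-address:destination-port
CAPTURE_LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s*:\s*(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s*:\s*(?P<dport>\d+)"
)

# Constructed sample in the lab's stated format, not real debug output.
SAMPLE_CAPTURE = """\
10:00:01.000 TCP 192.168.110.10:51000 > 192.168.100.7:80
10:00:01.001 TCP 192.168.100.7:80 > 192.168.110.10:51000
"""


def parse_capture(text):
    """Turn capture lines into Packet objects; lines in another format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line.strip())
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return pkts


def addresses_in_capture(text):
    """The set of IP addresses taking part in the captured exchange (steps 12-13)."""
    return {a for p in parse_capture(text) for a in (p.src, p.dst)}


def web_request_roundtrip(nat):
    """ControlCenter browses the NAT address; return (destination the web server
    saw, source address the ControlCenter sees on the reply)."""
    request = nat.inbound(Packet(CONTROLCENTER, 51000, NAT_ADDRESS, 80))
    reply = Packet(request.dst, 80, request.src, request.sport)
    return request.dst, nat.outbound(reply).src


if __name__ == "__main__":
    nat = EdgeNat({NAT_ADDRESS: WEB_SV_01A}, {WEB_SV_01A: NAT_ADDRESS})
    print("DNAT roundtrip (server saw, client sees):", web_request_roundtrip(nat))
    print("ping from web-sv-01a leaves as:",
          nat.outbound(Packet(WEB_SV_01A, 0, CONTROLCENTER, 0, "ICMP")).src)
    print("addresses in sample capture:", sorted(addresses_in_capture(SAMPLE_CAPTURE)))
```

The session table is what makes the reply leave with 192.168.100.7 as its source even before the separate SNAT rule exists; the SNAT rule only matters for flows that web-sv-01a initiates itself, such as the ping in the next task.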
Lab 9
10. Reposition the Virtual Server and Examine NAT Rule Changes
11. Use a Packet Capture to Verify Round-Robin Operation
12. Clean Up for the Next Lab
6. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
2. Above the top panel, click the green plus sign to open the New Pool dialog box, and perform
the following actions.
a. Enter Server-Pool in the Name text box.
b. Verify that the Algorithm selection is ROUND-ROBIN.
c. Verify that the Monitors selection is NONE.
d. Below Members, click the green plus sign to open the New Member dialog box, and add
the first server.
Option                Action
Name
IP Address
Port
All other settings
e. Below Members, click the green plus sign to open the New Member dialog box, and add the
second server.
Option                Action
Name
IP Address
Port
3. Leave the packet capture running and restore the Firefox window.
4. In the Firefox window, open a new browser tab and go to https://192.168.100.9.
5. If Firefox reports that the connection is untrusted, perform the following actions.
a. Click the I Understand the Risks link.
b. Click the Add Exception link.
c. In the Add Security Exception dialog box, click Confirm Security Exception.
6. Minimize the Firefox window.
7. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the two Web server addresses is used.
192.168.10.1
This address is the Transit network interface of the perimeter gateway edge.
172.16.10.11 or 172.16.10.12
These are the addresses of the Web servers on the Web-Tier logical switch network.
8. Consider the packet exchange you just examined and answer the following question.
Q1. Which extra operation is the perimeter gateway performing on packets that
leave the Transit network interface, on the way to the Web server virtual
machines?
Q3. What setting would you enable on the load balancer so that original source
addresses are maintained?
17. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the two Web server addresses is used.
192.168.110.10
This address is the address of the ControlCenter system . With transparent mode enabled,
the original source address has been maintained in packets forwarded to the Web server.
Sessions are still proxied by perimeter gateway, using a different source port than the
source port that is used by the original client.
172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web-Tier logical switch
network.
18. On the ControlCenter desktop, double-click the Internet Explorer shortcut.
19. In Internet Explorer, go to https://192.168.100.9.
20. When Internet Explorer reports a problem with the Web site security certificate, click the
Continue to this website (not recommended) link.
21. Wait for the Web page to be displayed, which might take a few moments, and minimize the
Internet Explorer window.
22. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the Web server addresses appear.
192.168.110.10
This address is the IP address of the ControlCenter system.
172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web logical switch network.
The address that appears in the most recent capture should be the Web server not seen in
the previous capture.
23. Press Ctrl+C to stop the packet capture.
24. Restore the Firefox window and click the vSphere Web Client tab.
Q2. Is the port range being translated in any way by this rule?
Q3. If this rule performs no apparent translation, why did the system define it?
Q4. Given that a virtual server uses a destination NAT rule to trigger member server
selection, do you think that a virtual server can operate normally using a pool
of member servers with IP addresses that are also defined by destination NAT
rules?
vNIC#   Name                IP Address       Subnet Prefix Length
        Transit-Interface   192.168.10.2*    29
10      Web-Tier            172.16.10.1*     24
6. Wait for the update to complete, and verify that a disconnect icon appears in the Web-Interface
Status column.
7. At the top of the left navigation pane, click the Networking & Security back arrow button.
8. In the edge list, double-click the Perimeter Gateway entry to manage that object.
9. In the middle pane, click the Manage tab and click Settings.
10. In the settings category panel, select Interfaces.
11. Select the vNIC# 2 interface, click the pencil icon to open the Edit NSX Edge Interface dialog
box, and perform the following actions.
a. Enter Web-Tier-Temp in the Name text box.
b. Verify that the Type selection is Internal.
c. Click the Connected To > Select link.
d. Click the Web-Tier button and click OK.
e. Above the IP Address table, click the green plus sign to open the Add Subnet dialog box.
f. In the Add Subnet dialog box, click the green plus sign to create an IP address entry.
g. Enter 172.16.10.1 in the IP address text box and click OK to confirm the entry.
The new interface you are configuring on perimeter gateway replaces the distributed router
interface you disconnected in step 5, using the same IP address.
h. Enter 24 in the Subnet Prefix Length text box.
i. Click OK to close the Add Subnet dialog box.
j. Click OK to commit the interface changes.
Task 10: Reposition the Virtual Server and Examine NAT Rule Changes
The virtual server is repositioned to be on the same subnet as the pool members, in a one-armed
configuration.
1. Under the Manage tab, click Load Balancer.
2. In the load balancer category panel, select Virtual Servers.
3. In the virtual servers list, select the single virtual server defined and click the pencil icon .
4. In the Edit Virtual Server dialog box, change the IP Address field to 172.16.10.1, and click
OK.
For this example, the primary IP address of an interface is used for the virtual server.
5. Under the Manage tab, click NAT.
6. In the NAT rules list, find the destination NAT rule that has 172.16.10.1 in the Original IP
Address column, and answer the following questions.
Q1. Has the system autoremoved the destination NAT rule for the old virtual server
IP address of 192.168.100.9?
Q2. Is the new rule translating the original IP address or port in any way?
Q3. Based on the virtual server destination NAT rules that you have examined so
far, is there any difference in the actual operation performed by NSX Edge on
traffic to be sent to a member server?
7. Examine each of the new destination NAT rule columns carefully, thinking back to the previous
destination NAT rule you examined when the virtual server was positioned on the uplink
network, and answer the following question.
Q4. Other than a primary interface IP address being used as the virtual server IP
address in this example, what is the primary difference between the two
positions in terms of traffic flow and sequence of operations on the edge when
traffic is received, transformed, and subsequently sent to a member server?
172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web logical switch network.
8. Leave the packet capture running.
9. Restore the Internet Explorer window and go to https://172.16.10.1.
10. When Internet Explorer reports a problem with the Web site security certificate, click the
Continue to this website (not recommended) link.
11. Wait for the Web page to be displayed, which might take a few moments, and close the Internet
Explorer window.
12. In the PuTTY window, examine the captured packets and verify that the exchange is between a
combination of the following IP addresses.
172.16.10.1
This address is the perimeter gateway interface on which the destination NAT rule is applied.
172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web logical switch network.
The address that appears in the capture should be the Web server not seen in the previous
capture .
13. Press Ctrl+C to stop the packet capture.
14. Restore the Firefox window and, if not already active, click the vSphere Web Client tab.
Lab 10
This lab requires that you have completed the previous lab (Configuring Load Balancing with NSX
Edge Gateway). If you did not perform the previous lab, ask your instructor for guidance.
6. On the vSphere Web Client Home tab, click the Inventories > Networking & Security icon.
c. Verify that the key algorithm is RSA.
d. Verify that the key size is 2048.
3. Leave the packet capture running and position the window so that you remember that it contains
the uplink capture.
4. On the ControlCenter desktop, double-click the PuTTY shortcut.
5. In the PuTTY window, double-click the Edge Services GW saved session.
6. Log in as admin and enter the VMware1!VMware1! password.
7. In the new PuTTY window, begin capturing HTTP traffic on the web-tier-temp interface by
running the following command.
debug packet display interface vNic_2 port_80
The two packet captures show the load balancer virtual server receiving SSL traffic and
connecting to a pool member server using HTTP.
8. Leave both PuTTY windows open and position the windows so that the captures can be
compared.
9. On the ControlCenter desktop, double-click the Internet Explorer shortcut.
Ensure that you use Internet Explorer for the following tests.
21. In the PuTTY window, examine the reported network packets and verify that the exchange is
between a combination of the following IP addresses.
192.168.110.10
This address is the IP address of the ControlCenter system that is maintained in transparent
mode.
172.16.10.11 or 172.16.10.12
These addresses are the IP addresses of the Web servers on the Web logical switch network.
The address that appears in the capture should be the Web server not seen in the previous
transit network capture.
22. Press Ctrl+C to stop the traffic capture.
23. Close the PuTTY window used to capture traffic on the transit network and click OK when
prompted to confirm.
24. Keep the original PuTTY window open.
25. Restore the Firefox window.
2. Select the single virtual server listed, click the pencil icon to open the Edit Virtual Server dialog
box, and perform the following actions.
a. Change the IP address field to 192.168.100.9.
The virtual server IP address must be moved back to the uplink network because the Web-Tier
logical switch is migrated back to the distributed router.
b. Click OK.
3. Under the Manage tab, click Settings.
4. In the settings category panel, select Interfaces.
5. In the interface list, select the Web-Tier-Temp interface and click the disconnect icon.
6. Wait for the update to complete and verify that a disconnect icon appears in the Web-Tier-Temp
Status column.
7. Select the Web-Tier-Temp interface, click the red X to delete the interface, and click OK when
prompted to confirm.
Ensure that you delete the correct interface.
8. Wait for the update to complete and verify that vNIC# 2 has been reset.
9. At the top of the left navigation pane, click the Networking & Security left arrow button.
10. In the edge list, double-click the Distributed Router entry to manage that object.
11. In the settings category panel, select Interfaces.
12. In the interface list, select the Web-Interface interface entry and click the green check mark
icon to reattach the logical switch.
13. Wait for the update to complete and verify that a green check mark icon appears in the
Web-Interface Status column.
Lab 11
2. If the PuTTY window is not open on the ControlCenter desktop, perform the following actions.
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double-click the Edge Services GW saved session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a. In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMware1!.
5. In the Firefox window, if the web-sv-01a console tab is not open, perform the following
actions.
a. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
6. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.
a. Click Enable.
b. Select Transit-Interface from the vNIC drop-down menu.
Only internal interfaces can be selected or used to carry HA heartbeat traffic.
c. In the two text boxes for configuring Management IPs, enter the following IP addresses in
Classless Inter-Domain Routing (CIDR) format as shown.
192.168.222.1/30
192.168.222.2/30
d. Leave all remaining settings at the default value and click OK.
8. Wait for the HA configuration update to finish, and verify that the HA status in the HA
Configuration panel is Enabled.
9. Click the vSphere Web Client Home icon.
10. On the vSphere Web Client Home tab, click Inventories> Hosts and Clusters.
11. Expand the Hosts and Clusters inventory tree so that the Management and Edge Cluster
inventory is shown.
12. In the Management and Edge Cluster inventory, find all virtual machines with names starting
with Perimeter Gateway.
13. Select each perimeter gateway virtual machine and use the Summary tab information to answer
the following questions.
Q1.
Q2.
Q3.
Q4.
Based on the sequence of actions taken so far, the active node should be the vshield-edge-2-0
(Perimeter Gateway-0) node. Remember which node was listed as active; you will cause a
failover in the next task.
4. At the command prompt, run the following command to display HA heartbeat packets captured
on the transit network interface.
11. At the command prompt, run the following command to display HA heartbeat packets captured
on the transit network interface.
Lab 12
a. On the Select Migration Type page, leave Change Host selected and click Next.
b. On the Select Destination Resource page, select Compute Cluster B and click Next.
c. On the Select vMotion Priority page, leave the Reserve CPU for optimal vMotion
performance (Recommended) selected and click Next.
d. On the Review Selections page, review the changes to be made and click Finish.
5. In the Recent tasks pane, monitor the migration task to completion and verify that the
web-sv-02a virtual machine appears in the Compute Cluster B inventory.
6. Click the vSphere Web Client Home icon.
7. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
3. In the logical switch list, select the Branch-Web-Tier entry and select Add VM from the
Actions drop-down menu.
4. In the Add Virtual Machines dialog box, perform the following actions.
a. On the Select Virtual Machines page, scroll down and select the web-sv-02a check box,
and click Next.
b. On the Select VNICs page, select the web-sv-02a - Network adapter 1 (Web-Tier) check
box and click Next.
c. On the Ready to complete page, verify that web-sv-02a Network adapter 1 now indicates
(Branch-Web-Tier) and click Finish.
5. Wait for the migration task to complete, and double-click the Branch-Web-Tier entry to
manage that object.
6. In the left pane, select Virtual Machines and verify that web-sv-02a appears.
7. At the top of the navigation pane, click the Networking & Security back arrow button.
f. Under Configure subnets, click the green plus sign to open the Add Subnet dialog box.
g. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
h. Enter 192.168.130.4 in the IP Address text box and click OK to confirm the entry.
i. Enter 24 in the Subnet prefix length text box.
j. Click OK to close the Add Subnet dialog box.
k. Leave all other settings at the default value and click OK.
13. Click the green plus sign to open the Add NSX Edge Interface dialog box, and perform the
following actions.
a. Enter Web-Tier in the Name text box.
b. For Type, click Internal.
c. Click the Connected To > Select link.
d. Click Branch-Web-Tier and click OK.
e. Below Configure subnets, click the green plus sign to open the Add Subnet dialog box.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address field.
g. Enter 172.16.10.1 in the IP Address text box and click OK to confirm the entry.
The 172.16.10.1 IP address assigned to the Branch Gateway on the new Branch-Web-Tier
subnet is the same IP address assigned to Perimeter Gateway on the original Web-Tier
logical switch. This assignment removes the need to change the default gateway setting on
any virtual machine moved to the new network.
h. Enter 24 in the Subnet prefix length text box.
i. Click OK to close the Add Subnet dialog box.
j. Leave all other settings at the default value and click OK.
14. Compare the interface configurations to the following table. If any interface is not configured
correctly, select it and click the pencil icon to edit it.
Name               IP Address      Subnet Prefix Length   Connected To
Uplink-Interface   192.168.130.4   24                     Mgmt_Edge_VDS
Web-Tier           172.16.10.1     24                     Branch-Web-Tier
- HQ Access
19. Click the Accept button for Default Traffic Policy and click Next.
20. On the Ready to Complete page, review the configuration report and click Finish.
21. Above the NSX Edge list, monitor the deployment to completion.
The deployment is complete when 0 installations are active.
If the Client Settings dialog box does not close, scroll back through the configuration settings
and look for any setting with a red box around it. The dialog box does not report settings that
fail validation.
6. Click Enable.
7. Wait for the update to complete, then verify that the following settings are configured as shown.
L2VPN Service Status: Enabled
Server Address: 192.168.100.10
192.168.100.9
Virtual server address (load balancer)
192.168.100.10
New listener address for L2VPN
9. Click OK to close the Assigned IP Addresses dialog box.
f. In the Add Subnet dialog box, click the green plus sign to add an IP address entry.
g. Enter 172.16.10.2 in the IP address text box and click OK to confirm the entry.
h. Enter 24 in the Subnet Prefix Length text box.
i. Click OK to add the IP address and subnet.
j. Leave all other fields at the default value and click OK.
Scroll down to the certificate list and click the 172.16.10.1 button.
k. Click OK.
If the Server Settings dialog box does not close , scroll back through the configuration
settings and look for any setting with a red box around it. The dialog box does not report
settings that fail validation.
5. Click Enable.
6. Wait for the update to complete and verify the following settings.
Listener IP: 192.168.100.10
Listener Port: 443
Encryption Algorithm: AES256-SHA
Internal Interface: 2
User Id: vpn-user
Server Certificate: MED-APP.CORP.LOCAL
7. At the bottom of the L2VPN configuration page, click Fetch Status and expand the Tunnel
Status section.
8. Verify that the tunnel Status is UP.
If the tunnel status is Down, wait a minute and click Fetch Status again. If the tunnel remains
down, go back through the lab and verify that all configuration changes have been made and are
correct.
On the L2VPN server side, the tunnel status is Up regardless of whether the client connection is
established. To verify that a client is connected, you must check the status of the client side of
the tunnel.
9. At the top of the left pane, click the Networking & Security left arrow.
10. In the edge list, double-click the Branch Gateway entry to manage that object.
11. At the bottom of the L2VPN configuration page, expand the Tunnel status section and click
Fetch Status.
12. Verify that the tunnel status is up.
until the pointer becomes a hand icon, click anywhere in the console window, and press Enter.
4. If prompted to log in, log in as root and enter the VMware1! password.
5. At the web-sv-02a command prompt, run the following command to view the network interface
configuration.
ifconfig
6. Record the eth0 hardware (HWaddr) address: ____________________
7. At the command prompt, ping the server on the HQ Web-Tier logical switch.
ping 172.16.10.11
Internet Control Message Protocol (ICMP) echo replies are received. Leave the ping command
running.
If ICMP echo replies are not received, press Ctrl+C to stop the ping command, wait one minute,
and repeat this step.
8. Press Ctrl+Alt to release the pointer.
9. In the Firefox window, select the web-sv-01a console tab.
10. Consider the following configuration and answer the follow-up questions.
A layer 2 tunnel connects two NSX Edge gateways: branch gateway and perimeter gateway,
and extends the 172.16.10.0/24 Web-Tier logical switch network. You have initiated a
continuous ping from the Web server on the branch gateway side of the tunnel to the Web server
on the perimeter gateway side of the tunnel.
Q1.
Q2.
11. At the web-sv-01a command prompt, examine the Address Resolution Protocol (ARP) table.
arp -a
12. In the ARP table output, find the hardware address for 172.16.10.12, the IP address of the
web-sv-02a virtual machine.
Q3. Is the 172.16.10.12 hardware address the same that you recorded in step 6?
Q4.
The hardware address for web-sv-02a (at 172.16.10.12) is preserved when the tunnel traffic is
decapsulated by the perimeter gateway. Because this is a layer 2 tunnel, response frames sent to
that MAC address are intercepted for encapsulation back to the sending node. This tunnel
differs from an IPsec tunnel, for example, where you might see the source IP with the hardware
address of the gateway interface that faces the destination.
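To make the step 6 and Q3 comparison mechanical, the following Python check is an added example and is not part of the lab manual: it extracts the eth0 HWaddr from ifconfig output, builds an IP-to-MAC map from arp -a output, and reports whether the ARP entry for a given IP still carries the sender's own MAC, as expected across a layer 2 tunnel, or some other MAC such as a gateway interface's, which is what the text describes for a routed path. Both sample outputs and every MAC address in them are constructed, and the function names are the example's own.

```python
"""Added example (not from the lab manual): compare the MAC recorded from
web-sv-02a's ifconfig output with the ARP entry web-sv-01a holds for it."""
import re

# net-tools ifconfig: "<iface>  Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx"
HWADDR_RE = re.compile(
    r"^(?P<iface>\S+)\s+Link encap:\S+\s+HWaddr\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})",
    re.MULTILINE,
)
# arp -a: "? (172.16.10.12) at xx:xx:xx:xx:xx:xx [ether] on eth0"
ARP_RE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

# Constructed sample output (not captured from the lab environment).
WEB_SV_02A_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:50:56:A1:2B:3C
          inet addr:172.16.10.12  Bcast:172.16.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

# Constructed: what web-sv-01a sees across the layer 2 tunnel, where the remote
# host's own MAC is preserved through encapsulation and decapsulation.
ARP_L2VPN = """\
? (172.16.10.1) at 00:50:56:8e:00:01 [ether] on eth0
? (172.16.10.12) at 00:50:56:a1:2b:3c [ether] on eth0
"""

# Constructed: the routed alternative the text contrasts with, where the entry
# resolves to the gateway interface's MAC instead of the remote host's.
ARP_ROUTED = """\
? (172.16.10.1) at 00:50:56:8e:00:01 [ether] on eth0
? (172.16.10.12) at 00:50:56:8e:00:01 [ether] on eth0
"""


def hwaddr(ifconfig_out, iface="eth0"):
    """Return the lowercase MAC of `iface` from ifconfig output, or None."""
    for m in HWADDR_RE.finditer(ifconfig_out):
        if m["iface"] == iface:
            return m["mac"].lower()
    return None


def arp_table(arp_out):
    """Return {ip: lowercase mac} from `arp -a` output."""
    return {m["ip"]: m["mac"].lower() for m in ARP_RE.finditer(arp_out)}


def mac_preserved(ifconfig_out, arp_out, ip, iface="eth0"):
    """True if the ARP entry for `ip` equals the interface MAC recorded in step 6."""
    expected = hwaddr(ifconfig_out, iface)
    return expected is not None and arp_table(arp_out).get(ip) == expected


if __name__ == "__main__":
    print("recorded eth0 HWaddr:", hwaddr(WEB_SV_02A_IFCONFIG))
    for label, table in (("L2VPN", ARP_L2VPN), ("routed", ARP_ROUTED)):
        print(f"{label}: ARP entry for 172.16.10.12 = {arp_table(table).get('172.16.10.12')}, "
              f"same as recorded: {mac_preserved(WEB_SV_02A_IFCONFIG, table, '172.16.10.12')}")
```

MAC addresses are compared in lowercase because ifconfig prints them in uppercase and arp -a in lowercase; a raw string comparison would report a false mismatch.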
Are packets being exchanged between the two NSX Edge gateways?
Perimeter gateway: 192.168.100.10
Branch gateway: 192.168.130.4
Lab 13
6. In the Firefox window, if the web-sv-02a console tab is not open, perform the following actions.
a. On the vSphere Web Client Home tab, click the Inventories > VMs and Templates icon.
b. Expand the inventory tree and select Discovered virtual machine > web-sv-02a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer and click the vSphere Web Client tab.
f. Click the vSphere Web Client Home icon.
19. Click the green plus sign to open the Add Static Route dialog box, and perform the following
actions.
a . Select Transit-Interface from the Interface drop-down menu.
b. Enter 172.16.0.0/19 in the Network text box.
c. Enter 192.168.10.2 in the Next Hop text box.
This address is the interface address of the distributed router on the Transit network.
d. Click OK.
20. Click Publish Changes and wait for the update to complete.
l. Select the Display shared key check box and verify that the shared key is exactly
VMware1!.
m. Leave all remaining settings at the default value and click OK.
4. In the top status panel, click Enable.
5. Click Publish Changes and wait for the update to complete.
6. In the status panel, verify that the IPSec VPN Service Status is Enabled.
Task 5: Update the web-sv-02a Web Server with the New Web-Tier
Subnet Specification
You change the networking configuration on web-sv-02a to match the branch topology.
1. In the Firefox window, click the web-sv-02a console tab.
2. At the web-sv-02a command prompt, run the following command to change the IP address of
the web-sv-02a virtual machine.
ifconfig eth0 172.16.40.12 netmask 255.255.255.0
3. Run the following command to change the default gateway used by the virtual machine.
route add default gw 172.16.40.1 eth0
4. Run the following command to verify that the 172.16.40.12 IP address has been assigned.
ifconfig
5. Run the following command to verify that the default gateway route for 172.16.40.1 has been
configured.
route
m. Leave all remaining settings at the default value and click OK.
6. Click Enable.
7. Click the Publish Changes button and wait for the update to complete.
8. In the status panel, verify that the IPSec VPN Service Status is Enabled.
Q1.
Q2.
What is the problem that prevents a response from being sent back through the tunnel?
11. Leave the packet capture running, restore the Firefox window, and click the vSphere Web
Client tab.
12. At the top of the left navigation pane, click the Networking & Security left arrow button.
13. In the edge list, double-click the Distributed Router entry to manage that object.
14. In the middle pane, click the Manage tab and click Routing.
15. In the routing category panel, select Global Configuration.
16. In the Default Gateway panel, click Edit to open the Edit Default Gateway dialog box, and
perform the following actions.
Lab 14
2. If the PuTTY window is not open on the ControlCenter desktop, perform the following actions.
a. On the ControlCenter desktop, double-click the PuTTY shortcut.
b. In the PuTTY window, double-click the Edge Services GW saved session.
c. If prompted to confirm a PuTTY security alert, click Yes.
d. Log in as admin and enter the password VMware1!VMware1!.
3. If the Firefox window has been closed, double-click the Firefox icon on the ControlCenter
desktop.
4. If you are not logged in to the vSphere Web Client, perform the following actions.
a. In the Firefox window, click the vSphere Web Client bookmark.
b. When prompted, log in as root and enter the password VMware1!.
5. In the Firefox window, if the web-sv-01a console tab is not open, perform the following
actions.
a. On the vSphere Web Client Home tab, click Inventories> VMs and Templates.
b. Expand the inventory tree and select Discovered virtual machine> web-sv-01a.
c. Select Open Console from the Actions drop-down menu.
d. If prompted to log in, log in as root and enter the password VMware1!.
e. Press Ctrl+Alt to release the pointer.
f. Click the vSphere Web Client tab.
7. In the VMware SSL VPN-Plus portal page, log in as vpn-user and enter the password
VMware1!.
8. On the user portal page, verify that one tab labeled Tools is shown, with a Change Password
link available.
9. Click the Logout link in the upper-right corner of the page, in the black status bar, and click
OK when prompted to confirm.
10. In the Firefox window, close the portal tab and click the vSphere Web Client tab.
b. In the Gateway table, enter 192.168.130.4 in the Gateway column text box, leave the
port at 443, and click OK to confirm the entry.
c. In the Installation Parameters for Windows list, select the following check boxes.
Allow remember password
Enable silent mode installation
Create desktop icon
d. Click OK.
3. In the Firefox window, open a new browser tab and go to https://192.168.130.4.
4. When prompted to log in, log in as vpn-user and enter the password VMware1!.
5. In the SSL VPN-Plus portal, on the Full Access tab, click the Test Package link.
[Screenshot: SSL VPN-Plus portal, Full Access tab listing the available Network Extension clients with the Test Package link]
ping 172.16.40.12
The ping command does not receive Internet Control Message Protocol (ICMP) echo replies.
3. Leave the Command Prompt window open.
4. On the ControlCenter desktop, find a new shortcut titled VMware Tray.
The VMware Tray shortcut was added when the SSL VPN-Plus test package was installed from
the portal page.
5. Double-click the VMware Tray shortcut to start the SSL VPN-Plus Client application, and
click Login.
6. When prompted, log in as vpn-user and enter the password VMware1!.
7. Click OK when prompted to confirm the connection has been established.
8. In the Command Prompt window, run the following command to ping the web-sv-02a server.
What is the gateway address and port for the network configuration?
Q3. What IP address is assigned to encapsulated packets that traverse the tunnel?
In the PuTTY window, enter 192.168.130.4 in the Host Name (or IP address) text box and
click Open.
8. Leave the packet capture running and switch to the Command Prompt window.
9. Run the following command to ping the web-sv-02a server.
ping 172.16.40.12
10. Switch to the PuTTY window and verify that an ICMP exchange has occurred between the
following IP addresses.
192.168.170.2
This address is the IP address assigned to the SSL VPN-Plus Client application running on
the ControlCenter system.
172.16.40.12
This address is the IP address of the web-sv-02a server.
11. Press Ctrl+C to stop the packet capture.
12. Close the 192.168.130.4 - PuTTY window and click OK when prompted to confirm.
13. On the ControlCenter desktop, double-click the VMware Tray icon.
14. Click Logout on the General tab and click Yes when prompted to confirm.
Lab 15
6. On the vSphere Web Client Home tab, click Inventories> Networking & Security.
9. Above the rule list, click Publish and wait for the update to complete.
10. In the Firefox window, open a new browser tab and go to https://172.16.10.11.
11. Verify that the Web page cannot be displayed, and close the browser tab.
12. If not active, click the vSphere Web Client tab.
13. On the Firewall configuration page, click the green plus sign to create a row in the rules table.
The new row is highlighted, as shown in the following image.
[Screenshot: Firewall rule table showing the existing ipsec rule (Internal, source 192.168.100.10, destination 192.168.130.4), the new highlighted row, and the Default Rule (User, any, any, Default)]
14. Point to the Name cell and click the plus sign.
15. Enter Allowed to Web Servers in the Rule Name text box and click OK.
16. Point to the Destination cell, click the plus sign, and perform the following actions in the pop-up configuration panel.
a. Select IP Sets from the drop-down menu.
b. Click the New IP Set link at the bottom of the pop-up panel to open the Add IP Addresses
dialog box, and configure the following options.
Option: Action
Name: Enter Local Web Servers.
Description: Leave blank.
IP Addresses: Enter 172.16.10.11.
Task 4: Determine How the Firewall Rule Interacts with Other NSX Edge Features
You determine how a firewall rule interacts with an existing destination NAT rule.
1. In the Firefox window, open a new browser tab and go to https://192.168.100.9.
2. Verify that the Web page is displayed, or you are prompted with an untrusted connection
message, and close the browser tab.
3. If not active, click the vSphere Web Client tab and answer the following questions.
Q1. Because the virtual server for load balancing HTTP traffic was configured with
the 172.16.10.11 Web server as a member server, will the rule that you just
created allow HTTP connections to the virtual server IP address of
192.168.100.9?
Q2. Because the load balancer uses destination NAT logic to perform member
server selection, will attempts to connect to the destination NAT rule that you
created earlier in the course for the 172.16.10.11 Web server be allowed?
4. In the Firefox window, open a new browser tab and go to https://192.168.100.7.
This address is the destination NAT address for the web-sv-01a Web server.
5. Verify that the Web page cannot be displayed and close the browser tab.
6. If not active, click the vSphere Web Client tab.
7. In the middle pane, under the Manage tab, click Grouping Objects.
8. In the category panel, select IP Sets.
9. In the IP Set list, select the Local Web Servers entry.
10. Click the pencil icon to open the Edit IP Addresses dialog box, and perform the following
actions.
a. In the IP Addresses text box, change the entry to read as follows (without spaces).
172.16.10.11,192.168.100.7
b. Click OK.
11. In the Firefox window, open a new browser tab and go to https://192.168.100.7.
12. Verify that the Web page is displayed, or you are prompted with an untrusted connection
message, and close the browser tab.
13. If not active, click the vSphere Web Client tab.
14. In the middle pane, under the Manage tab, click Firewall.
15. In the rule list, select the Allowed to Web Servers rule.
16. Click the red X icon to delete the rule and click OK when prompted to confirm.
17. Point to the Default Rule Action cell.
18. Click the plus sign.
19. Click Accept and click OK.
20. Click Publish and wait for the update to complete.
Lab 16
6. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.
Service
Action
c. Click OK.
7. Click Publish Changes and wait for the update to complete.
5. Point to the Source cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Select Logical Switch from the View drop-down menu.
b. Select the Web-Tier check box and click the blue right arrow button to move the switch
into the Selected list.
c. Click OK.
6. Point to the Destination cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Select Logical Switch from the View drop-down menu.
b. Select the App-Tier check box and click the blue right arrow button to move the switch
into the Selected list.
7. Click OK.
8. Point to the Services cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Click the New... link that appears in the lower-left corner of the pop-up panel.
b. Select Service to open the Add Service dialog box, and configure the following options.
Option: Action
Name: Enter Tomcat-8443.
Description: Leave blank.
Protocol:
Destination ports: Enter 8443.
Enable inheritance...:
12. Enter Allowed App To DB in the Rule Name text box and click OK.
13. Point to the Source cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Select Logical Switch from the View drop-down menu.
b. Select the App-Tier check box and click the blue right arrow button to move the switch
into the Selected list.
c. Click OK.
14. Point to the Destination cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Select Logical Switch from the View drop-down menu.
b. Select the DB-Tier check box and click the blue right arrow button to move the switch
into the Selected list.
15. Click OK.
16. Point to the Services cell and click the plus sign to open the pop-up configuration panel, and
perform the following actions.
a. Enter SQL.
b. In the Available services list, scroll down to find the generic MySQL service.
c. Select the MySQL check box and click the blue right arrow to move the service to the
Selected list.
d. Click OK.
17. Click Publish Changes and wait for the update to complete.
25. Point to Web-Tier in the Destination cell and click the red X icon that appears to remove Web-Tier from the Destination cell.
26. Point to the Destination cell and click IP.
[Screenshot: Destination cell with the IP link]
This address is the destination NAT address that you configured earlier in the course for the
172.16.10.11 Web server.
30. Click the Firefox page refresh icon to reload the page.
31. Verify that the Web page is displayed, or you are prompted with an untrusted connection
message, and close the browser tab.
32. Click the vSphere Web Client tab.
33. Read the following summary and answer the question that follows.
In the previous lab, attempts to browse the destination NAT address 192.168.100.7 were
blocked, by the firewall rule defined on perimeter gateway, until the destination IP set was
expanded to include the destination NAT address.
Q1. Why does the Distributed Firewall rule allow browser connections to the
172.16.10.11 Web server through the destination NAT address 192.168.100.7,
when the rule explicitly defines 172.16.10.11 as the only valid destination?
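The interaction between the perimeter gateway firewall, destination NAT and the Distributed Firewall that Lab 15 Task 4 and the question above turn on, as an added model (not code from the lab manual or from NSX): the Edge firewall is assumed to match the original destination before NAT, while the DFW at the vNIC matches the translated destination. The client address, the DFW default action and the HTTP/HTTPS port set are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    dst_set: frozenset   # destination addresses; empty set means "any"
    ports: frozenset     # destination ports; empty set means "any"
    action: str          # "accept" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return ((not self.dst_set or pkt.dst in self.dst_set)
                and (not self.ports or pkt.dport in self.ports))


def evaluate(rules, default_action, pkt):
    """First matching rule wins; otherwise the table's Default Rule applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default_action, "Default Rule"


# 1:1 destination NAT on the perimeter gateway, from the lab's IP address list.
DNAT = {"192.168.100.7": "172.16.10.11", "192.168.100.8": "172.16.10.12"}

# Hypothetical client address (ControlCenter on Management A).
CLIENT = "192.168.110.10"


def traverse(edge_rules, edge_default, dfw_rules, dfw_default, pkt):
    """Assumed packet path for inbound traffic: Edge firewall on the
    original destination, then DNAT, then DFW at the vNIC on the
    translated destination."""
    edge = evaluate(edge_rules, edge_default, pkt)
    if edge[0] != "accept":
        return {"edge": edge, "dfw": None, "delivered": False}
    translated = replace(pkt, dst=DNAT.get(pkt.dst, pkt.dst))
    dfw = evaluate(dfw_rules, dfw_default, translated)
    return {"edge": edge, "dfw": dfw, "delivered": dfw[0] == "accept"}


def edge_rule(ip_set):
    """Lab 15 'Allowed to Web Servers' rule with the Local Web Servers IP set."""
    return [Rule("Allowed to Web Servers", frozenset(ip_set), frozenset(), "accept")]


def lab15_ip_set_without_nat_address():
    # Edge Default Rule set to Deny; the IP set holds only the real server.
    return traverse(edge_rule({"172.16.10.11"}), "deny", [], "accept",
                    Packet(CLIENT, "192.168.100.7", 443))


def lab15_ip_set_with_nat_address():
    # Same rule after the IP set was expanded to include the DNAT address.
    return traverse(edge_rule({"172.16.10.11", "192.168.100.7"}), "deny", [], "accept",
                    Packet(CLIENT, "192.168.100.7", 443))


# Lab 16 DFW rule: inbound to 172.16.10.11 on HTTP and HTTPS only.
DFW_WEB = [Rule("Allowed to Web Servers", frozenset({"172.16.10.11"}),
                frozenset({80, 443}), "accept")]


def lab16_https_via_nat_address():
    # Edge Default Rule back to Accept (end of Lab 15); DFW default assumed Deny.
    return traverse([], "accept", DFW_WEB, "deny",
                    Packet(CLIENT, "192.168.100.7", 443))


def lab16_other_port_via_nat_address():
    # The same DFW rule does not cover 8443, so the translated packet is dropped.
    return traverse([], "accept", DFW_WEB, "deny",
                    Packet(CLIENT, "192.168.100.7", 8443))


if __name__ == "__main__":
    for scenario in (lab15_ip_set_without_nat_address, lab15_ip_set_with_nat_address,
                     lab16_https_via_nat_address, lab16_other_port_via_nat_address):
        print(scenario.__name__, scenario())
```

The first two scenarios reproduce the Lab 15 behaviour (the Edge firewall never sees 172.16.10.11 for a packet addressed to 192.168.100.7), and the last two show why a DFW rule written for 172.16.10.11 still matches after translation.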
7. In the Load Saved Configuration dialog box, scroll down and select the last (oldest) autosaved
configuration, and click OK.
The oldest autosaved configuration was saved when the Test Section was created, prior to new
rules being defined.
8. When prompted to confirm, read the message and click Yes.
9. Click Publish Changes and wait for the update to complete.
Lab 17
5. In the Change Time Interval dialog box, select Last 24 hours and click OK.
6. Find the statistics row located at the top of the Dashboard page.
Q1. What percent (%) of the traffic flows have been allowed?
Q2. What percent (%) of the traffic flows have been blocked by a firewall rule?
13. In the flow list, find the top flow based on the number of packets transferred.
Q5. Are the destinations the same for the two flows examined?
14. Under the Manage tab, click Top Sources and review the top flow report.
5. Use the table at the bottom of the pane to answer the following questions.
Q1. What is the ID of the rule that allowed the traffic?
Web to App
d. Leave all other settings at the default value and click OK.
8. In the Firefox window, open a new browser tab and go to https://172.16.10.11.
9. If the page is displayed, click the Firefox refresh icon to reload the page.
10. Allow the page to time out.
It takes several minutes for the page to time out because the Web server is not refusing to
service the request. The Web server cannot reach the application server.
11. After the page has timed out, verify that a 503 Service Temporarily Unavailable
message is displayed.
12. Close the browser tab.
Lab 18
6. On the vSphere Web Client Home tab, click the Inventories> Networking & Security icon.
Task 2: Add an
You add a user and give administration rights of VMware NSX™ to that user.
1. In the left navigation pane, select NSX Managers.
2. In the NSX Manager list, click the 192.168.110.42 link to manage that object.
3. In the middle pane, click the Manage tab and click Users.
4. Above the user list, click the green plus sign to open the Assign Role dialog box.
5. On the Identify User page, leave Specify a vCenter user selected.
6. Enter CORP\dory in the User text box and click Next.
7. On the Select Roles page, click NSX Administrator and click Next.
8. On the Limit Scope page, leave No restriction selected and click Finish.
9. Minimize the Firefox window.
10. On the ControlCenter desktop, double-click the Internet Explorer shortcut.
panel.
Q1.
Q2.
You added dory as an NSX administrator. Why are you unable to manage NSX as dory?
14. Click the down arrow control next to the logged in user name and select Logout.
In the Assign Role panel, select Administrator from the drop-down menu .
2. After the update completes, find the error or warning dialog box that is displayed and read the
provided message.
The message indicates that dory no longer has rights to administer the current NSX feature.
3. Close the warning dialog box.
4. At the top of the left navigation pane, click the NSX Managers left arrow.
5. At the top of the left navigation pane, click the Networking & Security left arrow.
6. In the left navigation pane, select NSX Edges.
Q1. As dory, can you administer any NSX Edge other than perimeter gateway?
Answer Key
7.
2.
8.
Yes
3.
4.
5.
6.
2048 MB
9.
All 5 roles
20GB
10.
11.
4or5
Mgmt_Edge_VDS - Mgmt
192.168.110.201
6.
192.168 .110.202
2.
7.
3.
4.
5.
2048 MB
8.
9.
20 GB
13
Yes
Mgmt_Edge_VDS - Mgmt
6.
192.168 .110.203
2.
7.
3.
2048 MB
8.
Yes
4.
5.
20 GB
9.
15
Mgmt_Edge_VDS - Mgmt
Yes
Because of the transport zone. Compute Cluster A and B hosts are attached to the
Compute_VDS distributed switch, and those clusters have been included in the common
global transport zone.
3.
4.
27
Yes
28
2.
No
30
1.
2.
No
Yes
6.
3.
7.
8.
No
As is the case with East-West routing, North-South routing has not yet been established.
Success
4.
5.
9.
No
ds-site-a-nfs01
4.
512 MB
2.
5.
6.
500 MB
2
3.
39
41
1.
2.
Yes
Yes
5.
3.
Yes
6.
No
4.
Yes
7.
8.
No
North-South routing has yet to be established.
49
1.
ds-site-a-nfs01
4.
512 MB
2.
5.
6.
500 MB
10
3.
7.
59
1.
Yes
5.
No
2.
Yes
6.
No
3.
7.
4.
66
No
2.
70
NAT
Because the load balancer is operating in nontransparent mode and proxying sessions
between itself and the Web servers on behalf of the original client.
Transparent mode
4.
85
5.
Task 10: Reposition the Virtual Server and Examine NAT Rule Changes
1.
2.
3.
Yes
No
No, the operations are the same.
82
3.
4.
87
Two
Either esx-01a or esx-02a.
100
3.
4.
3.
4.
3.
4.
2.
103
2.
102
2.
3.
104
116
3.
4.
Yes
Yes, tunnel decapsulation ensures the original source MAC/IP address.
2.
443
Yes
117
2.
126
192.168.130.4:443
172.16.40.0/255.255.255.0
192.168.170.2
4.
134
The IP address assigned to the SSL VPN-Plus client out of the IP pool specified in the
tunnel profile, in this case 192.168.170.2.
Lab 15: Using NSX Edge Firewall Rules to Control Network Traffic
Task 4: Determine How the Firewall Rule Interacts with Other NSX Edge Features 141
1.
Yes
2.
Lab 16: Using NSX Distributed Firewall Rules to Control Network Traffic
Task 4: Restrict Inbound Web Server Traffic to HTTP and HTTPS
1.
147
154
4.
5.
2.
1002
155
No
Dory has not been given rights to the VMware vCenter Server system that VMware NSX
Manager™ is connected to.
3.
No
2.
161
Yes
163
No
Lab Topology
[Topology diagram: Distributed Router (.1 on Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24) with Web-sv-01a (.11), Web-sv-02a (.12), App-sv-01a (.11) and DB-sv-01a (.11); Perimeter Gateway (.3 on HQ Uplink 192.168.100.0/24); Branch Gateway (.4 on HQ Access 192.168.130.0/24); Management A 192.168.110.0/24 with ControlCenter (.10), NSX Manager (.42), vCenter Server (.22), ESX-01a (.51), ESX-02a (.52), ESXCOMP01a (.51), ESXCOMP01b (.56), ESXCOMP02a (.52), NFS Storage (.60) and vPod Router (.2); vMotion A 10.10.30.0/24; Transport A 192.168.150.0/24; Transport B 192.168.250.0/24; Management B 192.168.210.0/24]
[Topology diagram: Distributed Router (.1) with Transit, Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24; App-sv-01a (.11) and DB-sv-01a (.11); Perimeter Gateway (.3); Branch Gateway on HQ Access 192.168.130.0/24; Compute B]
[Topology diagram: Distributed Router (.1) with Transit 192.168.10.0, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24; Controller Cluster; Web-sv-01a (.11), Web-sv-02a (.12), App-sv-01a (.11) and DB-sv-01a (.11) on Compute A; Perimeter Gateway (.3); Branch Gateway; ControlCenter (.10) and vPod Router (.2) on Management A 192.168.110.0/24]
[Topology diagram: the same lab topology with a route drawn from ControlCenter (.10) on Management A 192.168.110.0/24 through the Branch Gateway on HQ Access 192.168.130.0/24 and the Perimeter Gateway (.3 on HQ Uplink 192.168.100.0/24) to the Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24 behind the Distributed Router (.1); Controller Cluster; Web-sv-01a (.11), Web-sv-02a (.12), App-sv-01a (.11), DB-sv-01a (.11); vPod Router (.2)]
Management A: 192.168.110.0/24
vMotion A: 10.10.30.0/24
Transport A: 192.168.150.0/24
Management B: 192.168.210.0/24
vMotion B: 10.20.30.0/24
Transport B: 192.168.250.0/24
HQ Uplink: 192.168.100.0/24
HQ Access: 192.168.130.0/24
DB Tier: 172.16.30.0/24
Transit: 192.168.10.0/29
IP Addresses (1)
Infrastructure (Management networks)
ControlCenter: 192.168.110.10 on Management A
vPod Router: .2 on each attached subnet
IP Addresses (2)
Edges
Perimeter Gateway
192.168.100.3 on HQ Uplink (primary address)
192.168.100.7 on HQ Uplink (1:1 NAT for web-sv-01a)
192.168.100.8 on HQ Uplink (1:1 NAT for web-sv-02a)
192.168.100.9 on HQ Uplink (Load balancer)
192.168.100.10 on HQ Uplink (L2 and IPsec VPN)
192.168.10.1 on Transit
Branch Gateway
192.168.130.4 on HQ Access (primary address)
Distributed Router
192.168.10.2 on Transit
172.16.10.1 on Web Tier
172.16.20.1 on App Tier
172.16.30.1 on DB Tier
IP Addresses (3)
Virtual Machines
Web-sv-01a: 172.16.10.11 on Web Tier
Web-sv-02a: 172.16.10.12 on Web Tier
App-sv-01a: 172.16.20.11 on App Tier
Lab 1: Configuring NSX Manager
Topology
[Topology diagram: Management A 192.168.110.0/24 with ControlCenter (.10), NSX Manager (.42), vCenter Server (.22), ESX-01a (.51), ESX-02a (.52), ESXCOMP01a (.51), ESXCOMP01b (.56), ESXCOMP02a (.52), NFS Storage (.60) and vPod Router (.2); HQ Access 192.168.130.0/24; vMotion A 10.10.30.0/24; vMotion B 10.20.30.0/24; Transport A 192.168.150.0/24; Transport B 192.168.250.0/24]
Lab 2: Configuring and Deploying an NSX Controller Cluster
Topology
[Topology diagram: Controller Cluster deployed from the Controller IP Pool 192.168.110.201-192.168.110.210 on Management A; Management A 192.168.110.0/24 with ControlCenter (.10), NSX Manager (.42), vCenter Server (.22), ESX-01a (.51), ESX-02a (.52), ESXCOMP01a (.51), ESXCOMP01b (.56), ESXCOMP02a (.52) and NFS Storage (.60); vMotion A 10.10.30.0/24; Transport B 192.168.250.0/24; Management B 192.168.210.0/24]
Lab 3: Preparing for Virtual Networking
Topology (1)
[Topology diagram: Management cluster; Compute A with ESX-01a and ESX-02a; Compute B with ESXCOMP01a, ESXCOMP01b and ESXCOMP02a; Transport B 192.168.250.0/24]
Topology (End)
[Topology diagram: Management, Compute A (ESX-01a, ESX-02a) and Compute B (ESXCOMP01a, ESXCOMP01b, ESXCOMP02a) after host preparation]
Lab 4: Configuring and Testing Logical Switch Networks
Topology
[Topology diagram: Controller Cluster; Web Tier with Web-sv-01a (.11) and Web-sv-02a (.12); App Tier 172.16.20.0/24 with App-sv-01a (.11); DB Tier 172.16.30.0/24 with DB-sv-01a (.11); Compute A and Compute B; HQ Uplink 192.168.100.0/24; Management A 192.168.110.0/24 with ControlCenter (.10), NSX Manager (.42) and vCenter Server (.22)]
Lab 5: Configuring and Deploying an NSX Distributed Router
Topology
[Topology diagram: Distributed Router (.1 on Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24); Controller Cluster; Web-sv-01a (.11), Web-sv-02a (.12), App-sv-01a (.11) and DB-sv-01a (.11); Compute A and Compute B; HQ Access 192.168.130.0/24; HQ Uplink 192.168.100.0/24; Management A 192.168.110.0/24 with ControlCenter (.10), NSX Manager (.42) and vCenter Server (.22)]
Lab 6: Deploying an NSX Edge Services Gateway and Configuring Static Routing
Topology
[Topology diagram: Distributed Router (.1 on Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24); Controller Cluster; Perimeter Gateway (.3 on HQ Uplink 192.168.100.0/24); Web-sv-01a (.11), Web-sv-02a (.12), App-sv-01a (.11) and DB-sv-01a (.11); Compute A and Compute B; HQ Access 192.168.130.0/24; Management A 192.168.110.0/24 with ControlCenter (.10), NSX Manager (.42) and vCenter Server (.22)]
Lab 7: Configuring and Testing Dynamic Routing on NSX Edge Appliances
Topology (1)
Through OSPF, Perimeter Gateway and Distributed Router share routes to known subnets.
Subnets on both sides must be known and advertised.
[Topology diagram: Perimeter Gateway (.3 on HQ Uplink 192.168.100.0/24); Distributed Router (.1 on App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24); Web-sv-01a (.11), Web-sv-02a (.12), App-sv-01a (.11) and DB-sv-01a (.11); Management A 192.168.110.0/24 with ControlCenter (.10)]
Topology (End)
[Topology diagram: Perimeter Gateway (.1 on Transit 192.168.10.0/29) peered over OSPF with the Distributed Router and its Control VM (protocol address .3); Controller Cluster; Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24 with Web-sv-01a (.11), Web-sv-02a (.12), App-sv-01a (.11) and DB-sv-01a (.11); Compute A and Compute B; HQ Access 192.168.130.0/24; HQ Uplink 192.168.100.0/24; Management A 192.168.110.0/24 with ControlCenter (.10) and vPod Router (.2)]
Lab 8: Configuring and Testing Network Address Translation on an NSX Edge Services Gateway
Topology
[Topology diagram: Distributed Router (.1 on App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24); Controller Cluster; Perimeter Gateway (.3); App-sv-01a and DB-sv-01a; Compute B; HQ Access 192.168.130.0/24; Management A 192.168.110.0/24 with ControlCenter (.10)]
Lab 9: Configuring Load Balancing with NSX Edge Gateway
[Topology diagram: Distributed Router (.1 on Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24); Controller Cluster; Perimeter Gateway (.3 on HQ Uplink 192.168.100.0/24, with 1:1 NAT .7 to web-sv-01a, .8 to web-sv-02a and LB Virtual Server .9); Compute B; HQ Access 192.168.130.0/24; Management A 192.168.110.0/24 with ControlCenter (.10)]
[Topology diagram: the same topology showing Web-sv-01a (.11) and Web-sv-02a (.12) on the Web Tier behind the Perimeter Gateway (.3), App-sv-01a (.11) on the App Tier and DB-sv-01a (.11) on the DB Tier; HQ Uplink 192.168.100.0/24 with 1:1 NAT .7 to web-sv-01a and .8 to web-sv-02a; Compute B; HQ Access 192.168.130.0/24; Management A 192.168.110.0/24 with ControlCenter (.10)]
Lab 10: Advanced Load Balancing
Topology
[Topology diagram: Distributed Router (.1 on Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24); Web-sv-01a (.11) and Web-sv-02a (.12) on Compute A, App-sv-01a (.11) and DB-sv-01a (.11) on Compute B; Perimeter Gateway (.3) with 1:1 NAT .7 and .8 and LB Virtual Server .9; HQ Access 192.168.130.0/24; Management A 192.168.110.0/24 with ControlCenter (.10)]
Lab 11: Configuring NSX Edge High Availability
Topology
[Topology diagram: Distributed Router (.1 on Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24); Controller Cluster; Perimeter Gateway (.3 on HQ Uplink 192.168.100.0/24, with 1:1 NAT .7 to web-sv-01a, .8 to web-sv-02a and .9 for the load balancer); Web-sv-01a (.11), Web-sv-02a (.12), App-sv-01a (.11) and DB-sv-01a (.11) on Compute A; HQ Access 192.168.130.0/24; Management A 192.168.110.0/24 with ControlCenter (.10)]
Lab 12: Configuring Layer 2 VPN Tunnels
Topology (1)
Using an L2 tunnel, two logical switches are "combined" to form a single broadcast domain.
[Topology diagram: Web Tier with Web-sv-01a (.11) on Compute A and Branch Web Tier with Web-sv-02a (.12) on Compute B joined by the L2 tunnel; App Tier 172.16.20.0/24 with App-sv-01a (.11); DB Tier 172.16.30.0/24 with DB-sv-01a (.11)]
Topology (End)
[Topology diagram: Distributed Router (.1 on Web Tier 172.16.10.0/24, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24) and Branch Web Tier; Branch Gateway; Perimeter Gateway (.3 on HQ Uplink 192.168.100.0/24, with 1:1 NAT .7 to web-sv-01a, .8 to web-sv-02a and .10 for the VPN); Web-sv-01a (.11), Web-sv-02a (.12), App-sv-01a (.11) and DB-sv-01a (.11); Compute A; Management A 192.168.110.0/24 with ControlCenter (.10)]
Lab 13: Configuring IPsec Tunnels
Topology (1)
Using an IPsec tunnel, a remote subnet "appears" as being available through the local gateway (routes as if directly attached).
[Topology diagram: Perimeter Gateway; Branch Web Tier 172.16.40.0/24 with Web-sv-02a (.12) on Compute B; Web Tier with Web-sv-01a (.11), App Tier 172.16.20.0/24 with App-sv-01a (.11) and DB Tier 172.16.30.0/24 with DB-sv-01a (.11) on Compute A]
Topology (End)
[Topology diagram: Distributed Router (.1 on Transit, Web Tier, App Tier 172.16.20.0/24 and DB Tier 172.16.30.0/24); Branch Gateway with Branch Web Tier 172.16.40.0/24 and Web-sv-02a (.12); Perimeter Gateway (.3 on HQ Uplink 192.168.100.0/24, with 1:1 NAT .7 to web-sv-01a, .8 to web-sv-02a and .10 for the VPN); Web-sv-01a (.11), App-sv-01a (.11) and DB-sv-01a (.11) on Compute A; Management A 192.168.110.0/24 with ControlCenter (.10)]
Lab 14: Configuring and Testing SSL VPN-Plus
Topology (1)
Using SSL VPN-Plus, remote subnets are presented to clients as if those subnets are directly accessible through a local router, with routes being provided automatically.
[Diagram: Branch Web Tier 172.16.40.0/24 behind the Branch Gateway, with Web-sv-02a (.12) on a Compute host.]
Topology (End)
[Diagram: Distributed Router (.1 on each segment); Web Tier segments 172.16.30.0/24 and 172.16.20.0/24; Branch Web Tier behind the Branch Gateway with Web-sv-02a (.12); Web-sv-01a (.11), App-sv-01a (.11) and DB-sv-01a (.11) on a Compute host (.3); HQ Uplink 192.168.100.0/24 (1:1 NAT to web-sv-01a) with .7, .8, .9 and .10 addresses; HQAccess 192.168.130.0/24; Management A 192.168.110.0/24; VPOD.]
Lab 15: Using NSX Edge Firewall Rules to Control Network Traffic
Topology
[Diagram: Distributed Router (.1 on each segment) and Transit segment; Web Tier and DB Tier segments 172.16.30.0/24 and 172.16.20.0/24; Branch Web Tier 172.16.40.0/24 behind the Branch Gateway; App-sv-01a (.11), Web-sv-01a (.11), Web-sv-02a (.12) and DB-sv-01a (.11) on Compute hosts; HQ Uplink 192.168.100.0/24 with .7, .8, .9 and .10 addresses; HQAccess 192.168.130.0/24; Management A 192.168.110.0/24 with ControlCenter (.10).]
Lab 16: Using NSX Distributed Firewall Rules to Control Network Traffic
Topology
[Diagram: Distributed Router (.1 on each segment) and Transit segment; tier segments 172.16.30.0/24 and 172.16.20.0/24 and the DB Tier; Branch Web Tier 172.16.40.0/24 behind the Branch Gateway; App-sv-01a (.11), Web-sv-01a (.11), Web-sv-02a (.12) and DB-sv-01a (.11) on Compute A and Compute B (.3); Management segment; HQ Uplink 192.168.100.0/24 (1:1 NAT to web-sv-01a) with .7, .8, .9 and .10 addresses; HQAccess 192.168.130.0/24; Management A 192.168.110.0/24 with ControlCenter (.10).]
Lab 17: Using Flow Monitoring
Topology
[Diagram, same layout as the Lab 16 topology: Distributed Router (.1 on each segment) and Transit segment; tier segments 172.16.30.0/24 and 172.16.20.0/24 and the DB Tier; Branch Web Tier 172.16.40.0/24 behind the Branch Gateway; App-sv-01a (.11), Web-sv-01a (.11), Web-sv-02a (.12) and DB-sv-01a (.11) on Compute A and Compute B (.3); Management segment; HQ Uplink 192.168.100.0/24 (1:1 NAT to web-sv-01a) with .7, .8, .9 and .10 addresses; HQAccess 192.168.130.0/24; Management A 192.168.110.0/24 with ControlCenter (.10).]