This is part 2 of 20 blogs covering the exam prep guide for the VMware Certified Advanced Professional – Network Virtualisation Deployment (3V0-643) VCAP6-NV certification.
At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.
This blog covers:
Section 1 – Prepare VMware NSX Infrastructure
Objective 1.1 – Deploy VMware NSX Infrastructure Components
- Deploy the NSX Manager virtual appliance
- Integrate the NSX Manager with vCenter Server
- Configure Single Sign On
- Specify a Syslog Server
- Implement and Configure NSX Controllers
- Exclude virtual machines from firewall protection according to a deployment plan
Deploy the NSX Manager virtual appliance
First off are the prerequisites. Make sure you have met them. You can find all the prerequisites in the VMware Installation Guide. This is for NSX for vSphere 6.2.
At a high-level they are:
- Make sure all the required ports are open to allow communications, especially 443 for deployment
- Make sure a datastore is available on the ESXi host you are deploying the NSX Manager to. Shared storage is recommended
- Determine the IP address for the NSX Manager, and also the gateway, DNS server and NTP server IPs, etc.
- Configure DNS forward and reverse lookup for NSX Manager
- Determine if NSX Manager will have IPv4, IPv6 or both network configurations.
- Make sure the host you are deploying NSX Manager to is connected to a vSphere Distributed Switch (vDS). The port group the NSX Manager is deployed to must be able to communicate with vCenter Server and ESXi hosts
- The Client Integration Plugin must be installed to be able to deploy the NSX Manager from OVA via the vSphere Web Client
- Make sure you are using a supported browser
NSX for vSphere 6.2 can interoperate with the following versions of vCenter Server:
- VMware vCenter Server 5.5U3
- VMware vCenter Server 6.0U2
Download the NSX Manager 6.2 OVA file from my.vmware.com and save this locally to a machine that has access to vCenter and the ESXi management hosts.
I have determined my NSX Manager will be called labnsx01.lab.local with an IPv4 IP of 10.0.0.98 and have created the DNS forward and reverse lookup records.
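Because the vCenter registration, the Lookup Service and certificate validation later in this post all rely on the NSX Manager's FQDN, it is worth checking the forward and reverse records agree before deploying. The following Python script is an added example, not code from the blog: it takes injectable resolver functions so it can be exercised offline against constructed records (the `labvc01.lab.local` name and the `vcenter-old` PTR are made up for the demo), and falls back to the system resolver when no functions are passed.

```python
"""Forward/reverse DNS consistency check for an NSX Manager FQDN (added example).

check_dns_pair() confirms that the name resolves to the planned address and
that the PTR for that address points back at the same name.  Resolvers are
injectable so the logic can be tested without a live DNS server.
"""
import socket


def system_forward(name):
    """Resolve a hostname to its IPv4 addresses using the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def system_reverse(ip):
    """Resolve an IPv4 address to its PTR name using the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def _norm(name):
    """Normalise a DNS name so 'LabNSX01.lab.local.' compares equal to 'labnsx01.lab.local'."""
    return name.strip().rstrip(".").lower()


def check_dns_pair(fqdn, expected_ip, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means the A and PTR records agree.

    forward(name) -> list of IP strings; reverse(ip) -> PTR name.
    Both raise an OSError subclass (socket.gaierror / socket.herror) when no record exists.
    """
    problems = []
    try:
        addrs = forward(fqdn)
    except OSError:
        addrs = []
    if not addrs:
        problems.append(f"no A record for {fqdn}")
    elif expected_ip not in addrs:
        problems.append(f"{fqdn} resolves to {addrs}, expected {expected_ip}")
    elif len(addrs) > 1:
        problems.append(f"{fqdn} has multiple A records {addrs}; expected only {expected_ip}")

    try:
        ptr = reverse(expected_ip)
    except OSError:
        ptr = None
    if ptr is None:
        problems.append(f"no PTR record for {expected_ip}")
    elif _norm(ptr) != _norm(fqdn):
        problems.append(f"PTR for {expected_ip} is {ptr}, expected {fqdn}")
    return problems


# Constructed records standing in for a lab DNS zone (these are not real lookups).
# labnsx01.lab.local / 10.0.0.98 are the blog's values; labvc01 is a hypothetical vCenter.
FAKE_A = {"labnsx01.lab.local": ["10.0.0.98"], "labvc01.lab.local": ["10.0.0.10"]}
FAKE_PTR = {"10.0.0.98": "LabNSX01.lab.local.", "10.0.0.10": "vcenter-old.lab.local"}


def fake_forward(name):
    try:
        return FAKE_A[_norm(name)]
    except KeyError:
        raise socket.gaierror("constructed: no A record")


def fake_reverse(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror("constructed: no PTR record")


if __name__ == "__main__":
    for host, ip in [("labnsx01.lab.local", "10.0.0.98"), ("labvc01.lab.local", "10.0.0.10")]:
        issues = check_dns_pair(host, ip, fake_forward, fake_reverse)
        print(host, "OK" if not issues else issues)
```

Against a real zone, call `check_dns_pair("labnsx01.lab.local", "10.0.0.98")` with no resolver arguments from a machine that uses the same DNS servers the NSX Manager will be given; a stale PTR (the `vcenter-old` case above) is the mismatch that most often shows up only after registration fails.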
Log into the vSphere Web Client, click on your management cluster or a specific host, right-click and select Deploy OVF Template.
Click the Local File radio button, click the Browse button and locate the NSX Manager OVA file you downloaded earlier. Click Next.
Tick the box to accept the extra configuration options and then click Next
Click Accept to accept the licence agreements and then click Next
You now can enter the name of the NSX Manager. Note this is not the DNS name but the name the NSX Manager appears in the inventory of vCenter. I like to use the FQDN as shown. Select the datacentre or folder for the appliance to be located. Click Next
On this screen you can select the disk format, the storage policy and what datastore to provision the appliance to. I have chosen to deploy Thin Provisioned and to my Silver datastore. Click Next
Select the port group that the NSX Manager appliance will utilise. I have selected MGMT Management port group. This is the same port group that my vCenter Server and ESXi hosts utilise for management traffic. Click Next
Now you can configure all the relevant settings for the appliance: admin and CLI passwords, IP address, DNS, hostname, gateway, DNS servers, NTP server etc. Populate all this information and click Next
Review all settings and confirm they are correct. Make sure the DNS forward and reverse entries for your NSX Manager are in place. Tick the box to Power on after deployment, then click Finish.
The NSX Manager appliance will now start deploying
Once the appliance has been deployed and fully started, open the CLI console and log in. Run a show interface command. Confirm the interface is up and configured with the correct IP address.
Ping your vCenter Server, some management ESXi hosts and the gateway address to confirm network connectivity is functional.
Now you want to log into the NSX Manager appliance webpage. For me this is: https://labnsx01.lab.local. A self-signed certificate is in use at this point.
Log in with the username Admin and the password configured at deployment time.
Click on the View Summary tab. Make sure the vPostgres, RabbitMQ and NSX Management Services are running. Also the SSH Service if you enabled this at deployment time.
Click on the Manage tab. You want to configure your time zone (under Time Settings). Also, in production I would deploy a CA signed certificate, but I have not documented this here as it is not in the exam blueprint – I will swing back and do this soon and update the blog. (Here is the process to deploy a CA signed certificate for NSX Manager.)
VMware recommends for optimal performance a memory reservation for the NSX Manager. Reservations guarantee that physical memory will be available when the ESXi host is under memory pressure.
From NSX 6.2 the NSX Manager reserves all 16GB of memory by default. As this is a lab and I am constrained on resources, I will reduce this.
Next we move on to integrating NSX Manager with vCenter Server, configuring Single Sign On and specifying a Syslog Server.
Integrate NSX Manager with vCenter Server
Make sure the NSX Manager appliance is running. Make sure you have an account with vCenter Administrative rights to connect NSX to vCenter Server.
The NSX Manager can only be paired with one vCenter Server. Even if you deploy a cross-vCenter architecture, each NSX Manager is still paired 1:1 with a vCenter Server.
Log into the NSX Manager appliance webpage with the Admin account. For me this is: https://labnsx01.lab.local.
Click the Manage vCenter Registration tab.
Firstly, you need to register the NSX Manager to vCenter. Under vCenter Server click the Edit button and enter the specific details for your vCenter Server. Click OK.
Check the presented certificate thumbprint is correct, click Yes if it is.
If successful, you will now see the status as Connected.
If you are logged into the vSphere Web Client, log out. Now log back in with the same account you just used to configure the vCenter Server integration. If you do not use the same account, you will not see the Networking and Security icon in the vSphere Web Client.
Click the Networking and Security icon, then click NSX Managers and confirm you can see your NSX Manager.
Note: assigning user/groups to NSX Manager roles will be covered in another blog.
Configure Single Sign On
You must be using vCenter Server 5.5 or later and SSO must be running. Make sure you have configured an NTP server on the NSX Manager so that time is in sync between NSX and vCenter.
Log into the NSX Manager appliance webpage with the Admin account. For me this is: https://labnsx01.lab.local.
Click the Manage vCenter Registration tab.
Under Lookup Service click the Edit button and enter the specific details for your vCenter Server. Click OK.
Note: on vCenter 5.5 the Lookup Service port is 7444; from vCenter 6.0 onwards it is 443.
Note: If you have:
- Embedded Platform Service Controller (PSC): point the Lookup Service at your vCenter Server.
- External PSC: point the Lookup Service at that.
Check the presented certificate thumbprint is correct, click Yes if it is.
If successful, you will now see the status as Connected.
Specify a Syslog Server
You want to configure a Syslog server so the NSX Manager can push its audit logs and events to a central logging repository. I am utilising vRealize Log Insight. The deployment and configuration blogs I have done can be found here:
Log into the NSX Manager appliance webpage with the Admin account. For me this is: https://labnsx01.lab.local.
Click the Manage Appliance Settings tab.
Under Syslog Server click the Edit button and enter the specific details for your Syslog Server, entering 514 as the port and UDP as the protocol. Click OK.
Install NSX Licence
Now, the exam blueprint doesn’t mention this, but I am going to assume that they will get you to install an NSX licence.
Log into the vSphere Web Client.
Click on the Administration tab, click Licences, then the Solutions tab.
Select the NSX for vSphere, click All Actions and select Assign Licence
Click the + sign, add your licence key and follow the prompts.
Now select the licence and click OK to assign to your NSX Manager.
Implement and Configure NSX Controllers
Before starting you need to make sure your NSX Manager is running and it has been registered with vCenter.
The NSX Controllers reside in the control plane and distribute network information to ESXi hosts. Controllers hold the following tables:
- MAC address table
- ARP table
- VTEP table
NSX controllers must be deployed in odd numbers so a cluster majority can be formed in the event of a controller failure. Currently NSX only supports a controller cluster of 3 members.
Note: NSX Controllers are not required if only utilising the Distributed Firewall (DFW) feature.
Controllers are deployed into a VLAN backed port group and require connectivity to NSX Manager and the ESXi hosts. I will be deploying controllers into the Management network port group on the vDS. (They can also be deployed to a vSphere Standard Switch (vSS).)
The controllers are assigned an IP address at deployment time and an IP Pool is required to service this. You can create and configure an IP Pool at controller deployment time by clicking the + sign, however I will create the IP Pool just to show you.
Log into the vSphere Web Client.
Click the Networking and Security icon, then click NSX Managers
Select your NSX Manager and then click the Manage tab
Click the Group Objects tab
Click the IP Pools option
Click the + sign to create a new pool
The Add Static IP Pool screen is displayed. Enter the information valid to your environment. As this is a lab environment, my IP Pool network range is small with 11 usable IPv4 addresses: 10.0.0.230 – 10.0.0.240. Click OK
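A pool that overlaps the gateway, the broadcast address or an address already in use (the NSX Manager itself, for example) produces a controller that deploys but never joins the cluster, so it pays to validate the range before entering it. The following Python script is an added example, not code from the blog: it uses the blog's range 10.0.0.230–10.0.0.240 and the NSX Manager address 10.0.0.98, while the /24 prefix and the 10.0.0.1 gateway are assumptions made here for the lab and are not stated on the page.

```python
"""Validate a static IP pool before using it for NSX Controller deployment (added example).

The blog's pool (10.0.0.230-10.0.0.240) and NSX Manager address (10.0.0.98) are
real values from the post; the /24 subnet and 10.0.0.1 gateway are assumptions.
"""
import ipaddress


def pool_addresses(start, end):
    """Expand an inclusive start-end range into a list of IPv4Address objects."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if b < a:
        raise ValueError("pool end is before pool start")
    return [ipaddress.IPv4Address(i) for i in range(int(a), int(b) + 1)]


def validate_pool(start, end, subnet, gateway, reserved=(), needed=3):
    """Return (address_count, problems); an empty problem list means the pool is usable.

    Checks that the pool is large enough for `needed` controllers (three for a
    supported cluster), that every address sits inside `subnet`, is neither the
    network nor the broadcast address, is not the gateway, and does not collide
    with an address already in use (`reserved`).
    """
    net = ipaddress.IPv4Network(subnet, strict=True)
    gw = ipaddress.IPv4Address(gateway)
    taken = {ipaddress.IPv4Address(r) for r in reserved}
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    addrs = pool_addresses(start, end)
    if len(addrs) < needed:
        problems.append(f"pool has {len(addrs)} addresses but {needed} controllers are planned")
    for ip in addrs:
        if ip not in net:
            problems.append(f"{ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{ip} is the network or broadcast address")
        elif ip == gw:
            problems.append(f"{ip} is the gateway")
        elif ip in taken:
            problems.append(f"{ip} is already in use")
    return len(addrs), problems


if __name__ == "__main__":
    # Assumed lab layout: 10.0.0.0/24 with gateway 10.0.0.1; NSX Manager already holds 10.0.0.98.
    count, issues = validate_pool("10.0.0.230", "10.0.0.240", "10.0.0.0/24", "10.0.0.1",
                                  reserved=["10.0.0.98"])
    print(f"{count} addresses in pool", "OK" if not issues else issues)
```

The `reserved` list is where you put every address already allocated on the management VLAN (NSX Manager, vCenter, PSC, the hosts' management vmkernel ports); keeping that list alongside the pool definition is the simplest way to stop the controller range drifting into addresses that later get reused.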
Now we can deploy the NSX Controllers. Click on the Networking and Security icon, then click the Installation tab.
Under the NSX Controller Nodes, click the + sign to deploy the first NSX Controller. Notice you can now see the IP Pool you created earlier. Click OK once you have entered valid information.
The controller will start deploying. Do not start deploying any more controllers until the first has deployed successfully.
After a period of time the deployment will complete and you see your controller as Connected with a green tick.
Now you can repeat the above steps and deploy two additional controllers. Click the + sign to kick off each deployment.
Once complete you will have 3 deployed controllers.
Make sure you set a DRS anti-affinity rule after you have deployed the 3 controllers to keep them separated across hosts.
Exclude VMs from Firewall Protection
By default, the NSX Manager and NSX Controllers are automatically excluded from the Distributed Firewall (DFW). Any Edge Service Gateways (ESG) are also excluded when they are deployed.
The default L2 and L3 DFW rule is an ALLOW ANY rule. When you harden the DFW by changing the default rule (say at the L3 level) to DENY ANY, any management machine you have not excluded will be locked out. You either need to exclude such machines or add specific DFW rules for them covering all the communication flows they require.
Below I will add the vCenter Server and the external PSC to the exclusions list.
Log into the vSphere Web Client.
Click the Networking and Security icon, then click NSX Managers
Select your NSX Manager and then click the Manage tab
Click the Exclusion List tab
Click the + sign to add a virtual machine to exclude, select your VMs and then click OK
The VMs are now excluded from the NSX DFW.
Note: After excluding a VM should you add an additional vNIC to the VM it will automatically be protected by the DFW. To exclude the vNIC you need to remove the entire VM from the Exclusions list and re-add. (or you can reboot the VM).
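To make the lockout behaviour and the vNIC caveat concrete, here is a small model of the DFW as an added example; it is not code from the blog or from NSX. It simplifies the real DFW to a single first-match rule list applied at each VM vNIC (endpoints that are not VMs, such as ESXi hosts, have no filter), and it models the exclusion list the way the note above describes it: the exclusion covers the vNICs the VM has at the moment it is added, so a vNIC attached later is filtered until the VM is re-added or rebooted. The `labvc01` and `labesx01` names are constructed for the demo.

```python
"""Toy model of the NSX DFW default rule and exclusion list (added example).

Simplifications: one rule list with 'any' wildcards, first match wins; no L2/L3
layering; the exclusion list is modelled per (VM, vNIC) exactly as the blog
describes the re-add/reboot behaviour.  All names are constructed lab values.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str       # VM name or "any"
    dst: str       # VM name or "any"
    service: str   # e.g. "tcp/443" or "any"
    action: str    # "allow" or "deny"

    def matches(self, src, dst, service):
        return all(want in ("any", got) for want, got in
                   ((self.src, src), (self.dst, dst), (self.service, service)))


class Dfw:
    """Per-vNIC filter applying one ordered rule list followed by the default rule."""

    def __init__(self, default_action="allow"):
        self.rules = []
        self.default = Rule("default", "any", "any", "any", default_action)
        self.vm_vnics = {}      # vm -> set of vNIC names currently attached
        self.excluded = set()   # (vm, vnic) pairs that bypass the filter entirely

    def add_vm(self, vm, vnics):
        self.vm_vnics[vm] = set(vnics)

    def add_rule(self, rule):
        self.rules.append(rule)

    def set_default(self, action):
        self.default.action = action

    def exclude_vm(self, vm):
        """Exclusion covers the vNICs the VM has at this moment (per the blog's note)."""
        self.excluded |= {(vm, v) for v in self.vm_vnics[vm]}

    def remove_exclusion(self, vm):
        self.excluded = {e for e in self.excluded if e[0] != vm}

    def add_vnic(self, vm, vnic):
        """A vNIC attached after exclusion is filtered until the VM is re-added or rebooted."""
        self.vm_vnics[vm].add(vnic)

    def reboot_vm(self, vm):
        """The blog notes a reboot re-applies the exclusion to all of the VM's vNICs."""
        if any(e[0] == vm for e in self.excluded):
            self.exclude_vm(vm)

    def _filter_action(self, vm, vnic, src, dst, service):
        if vm not in self.vm_vnics:
            return "unfiltered"   # ESXi hosts and other non-VM endpoints carry no DFW filter
        if (vm, vnic) in self.excluded:
            return "bypass"
        for rule in self.rules + [self.default]:
            if rule.matches(src, dst, service):
                return rule.action
        return self.default.action

    def allowed(self, src, src_vnic, dst, dst_vnic, service):
        """A flow passes only if neither endpoint's filter denies it."""
        decisions = (self._filter_action(src, src_vnic, src, dst, service),
                     self._filter_action(dst, dst_vnic, src, dst, service))
        return all(d != "deny" for d in decisions)


def lockout_demo():
    """Walk the blog's scenario; returns step -> whether vCenter can still reach a host."""
    dfw = Dfw()
    vc, host = "labvc01", "labesx01"           # constructed names; the host is not a VM
    dfw.add_vm(vc, ["vnic0"])
    out = {}
    out["default allow"] = dfw.allowed(vc, "vnic0", host, None, "tcp/443")
    dfw.set_default("deny")
    out["default deny, not excluded"] = dfw.allowed(vc, "vnic0", host, None, "tcp/443")
    dfw.add_rule(Rule("vc-to-hosts", vc, "any", "tcp/443", "allow"))
    out["default deny, explicit rule"] = dfw.allowed(vc, "vnic0", host, None, "tcp/443")
    dfw.rules.clear()
    dfw.exclude_vm(vc)
    out["default deny, excluded"] = dfw.allowed(vc, "vnic0", host, None, "tcp/443")
    dfw.add_vnic(vc, "vnic1")
    out["new vNIC after exclusion"] = dfw.allowed(vc, "vnic1", host, None, "tcp/443")
    dfw.reboot_vm(vc)
    out["new vNIC after reboot"] = dfw.allowed(vc, "vnic1", host, None, "tcp/443")
    return out


if __name__ == "__main__":
    for step, ok in lockout_demo().items():
        print(f"{step:32} -> {'reachable' if ok else 'LOCKED OUT'}")
```

The two working paths in the demo (an explicit allow rule, or an entry on the exclusion list) are the two options the section above gives; the model also shows why checking the exclusion list after any hardware change to a management VM is worth adding to a change checklist, since the new vNIC falls back to the deny default silently.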