This is part 18 of 20+ blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643) VCAP6-NV certification.
At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.
For previous blogs in this series please refer to the VCAP6-NV Reference Guide I created. This has all the links to VMware NSX content and lists out each exam objective and the associated blog. Check it out here –>Exam Objective Reference Guide.
This blog covers:
Section 6 – Configure Cross vCenter Networking and Security
Objective 6.3 – Configure and Manage Universal Logical Security Objects
- Configure Universal MAC Sets
- Configure Universal IP Sets
- Configure Universal Security Groups
- Configure Universal Firewall Rules
- Configure Universal Services and Service Groups
Short and sweet blog this one.
The universal objects listed above can only be created on the Primary NSX Manager. When you create one there is an additional tick box to mark the object for universal synchronisation; once ticked, the object is replicated to every Secondary NSX Manager.
Universal Security Groups can only contain Universal MAC Sets, Universal IP Sets or other Universal Security Groups.
All of the above universal network and security objects can be used in Distributed Firewall rules as the source, destination or service.
Where Are These Configured?
All of these objects are located and configured in the same place on the Primary NSX Manager:
Log into the vSphere Web Client.
Click Networking and Security, then NSX Managers at the bottom left.
Select the Primary NSX Manager.
Select Manage, then Grouping Objects.
Configure Universal MAC Sets
On the Primary NSX Manager click MAC Sets.
Click the green plus sign to Add a New MAC Set.
Enter the relevant details.
Tick the box: Mark this object for Universal Synchronisation.
I can now see this Universal MAC Set on the Secondary NSX Manager.
I can now create L2 (Ethernet) Distributed Firewall rules on the Primary or Secondary NSX Managers and utilise the Universal MAC Set as a source or destination object.
Configure Universal IP Sets
On the Primary NSX Manager click IP Sets.
Click the green plus sign to Add a New IP Set.
Enter the relevant details.
Tick the box: Mark this object for Universal Synchronisation.
I can now see this Universal IP Set on the Secondary NSX Manager.
I can now create L3 (General) Distributed Firewall rules on the Primary or Secondary NSX Managers and utilise the Universal IP Set as a source or destination object.
Configure Universal Security Groups
To read more about Security Groups see blog 12.
Universal Security Groups can only contain other Universal Security Groups, Universal MAC Sets or Universal IP Sets.
You cannot use Service Composer to create Universal Security Groups (it only creates local security groups); they must be created under Grouping Objects on the Primary NSX Manager.
On the Primary NSX Manager click Security Group.
Click the green plus sign to Add a Security Group.
Enter the relevant details.
Tick the box: Mark this object for Universal Synchronisation.
Select the objects to include. Only universal objects can be members; if you try to include a local object the Universal Security Group cannot be created.
I can now see this Universal Security Group on the Secondary NSX Manager.
I can now create L2 or L3 Distributed Firewall rules on the Primary or Secondary NSX Managers and utilise the Universal Security Group as a source or destination object.
Configure Universal Firewall Rules
Universal rules live in a dedicated universal Section of the Distributed Firewall. The Section, and every rule in it, is replicated to the Secondary NSX Managers.
On the Primary NSX Manager click Firewall.
Click the green plus sign to Add a Section.
Enter the relevant details.
Tick the box: Mark this object for Universal Synchronisation.
I can now see this Universal Distributed Firewall Section, and any rules in it, on the Secondary NSX Manager.
You can create L2 (Ethernet) and/or L3 (General) Universal Sections with rules.
Configure Universal Services and Service Groups
A Service is a protocol and port combination, e.g. TCP/80 (HTTP), TCP/25 (SMTP), TCP/21 (FTP).
A Service Group is a collection of Services.
Services and Service Groups can be used in Distributed Firewall rules to identify the traffic a rule matches.
To create a Service:
On the Primary NSX Manager click Service.
Click the green plus sign to Add Service.
Enter the relevant details.
Tick the box: Mark this object for Universal Synchronisation.
To create a Service Group:
On the Primary NSX Manager click Service Groups.
Click the green plus sign to Add Service Group.
Enter the relevant details.
Tick the box: Mark this object for Universal Synchronisation.
I can now create Universal Firewall Rules and add these as the services.
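As an added example (my own code, not from the original blog or from VMware), here is the same chain of objects built for the NSX Manager REST API instead of the Web Client: a Universal IP Set, a Universal Service, a Universal Security Group and a universal L3 Distributed Firewall Section whose rule references them. The "universal objects only" rule the Web Client enforces is checked client-side before anything would be posted. The endpoints, XML element names and the managedBy attribute are from my reading of the NSX 6.2 API guide and must be checked against the API reference for your NSX version; the object IDs, names and addresses are placeholders I made up.

```python
"""Build NSX-v REST payloads for universal grouping objects and a universal DFW
section, enforcing the 'universal members only' rule before posting.

Assumed (not from the blog; verify against your NSX API guide):
  POST /api/2.0/services/ipset/{scope}             <ipset> body
  POST /api/2.0/services/application/{scope}       <application> body
  POST /api/2.0/services/securitygroup/bulk/{scope} <securitygroup> body
  POST /api/4.0/firewall/globalroot-0/config/layer3sections  <section> body,
       with managedBy="universalroot-0" marking the section as universal.
All POSTs go to the Primary NSX Manager; {scope} is universalroot-0 for
universal objects and globalroot-0 for local ones.
"""
import xml.etree.ElementTree as ET
from collections import namedtuple

UNIVERSAL_SCOPE = "universalroot-0"
LOCAL_SCOPE = "globalroot-0"

# What the client knows about an object after NSX Manager has created it.
# Real objectIds come back in the POST response; the ones below are placeholders.
NsxObject = namedtuple("NsxObject", "object_id type_name scope")


def ipset_payload(name, cidrs):
    """<ipset> body. The scope in the URL, not the body, makes it universal."""
    root = ET.Element("ipset")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "value").text = ",".join(cidrs)
    return ET.tostring(root, encoding="unicode")


def service_payload(name, protocol, ports):
    """<application> body: a protocol/port combination such as TCP/443."""
    root = ET.Element("application")
    ET.SubElement(root, "name").text = name
    elem = ET.SubElement(root, "element")
    ET.SubElement(elem, "applicationProtocol").text = protocol
    ET.SubElement(elem, "value").text = ",".join(str(p) for p in ports)
    return ET.tostring(root, encoding="unicode")


def check_universal_members(members, universal):
    """Mirror the Web Client check: a universal container may only reference
    universal objects. Raises ValueError listing the offending objectIds."""
    if universal:
        bad = [m.object_id for m in members if m.scope != UNIVERSAL_SCOPE]
        if bad:
            raise ValueError("non-universal members in universal object: " + ", ".join(bad))


def securitygroup_payload(name, members, universal=True):
    """<securitygroup> body with static <member> entries (IPSet, MACSet, SecurityGroup)."""
    check_universal_members(members, universal)
    root = ET.Element("securitygroup")
    ET.SubElement(root, "name").text = name
    for m in members:
        member = ET.SubElement(root, "member")
        ET.SubElement(member, "objectId").text = m.object_id
        ET.SubElement(member, "objectTypeName").text = m.type_name
    return ET.tostring(root, encoding="unicode")


def _ref_list(rule, list_tag, item_tag, objs, excluded=None):
    """Emit <sources>/<destinations>/<services>; omitting the list means 'any'."""
    if not objs:
        return
    parent = ET.SubElement(rule, list_tag)
    if excluded is not None:
        parent.set("excluded", excluded)
    for o in objs:
        ref = ET.SubElement(parent, item_tag)
        ET.SubElement(ref, "value").text = o.object_id
        ET.SubElement(ref, "type").text = o.type_name


def l3section_payload(name, rules, universal=True):
    """<section> body. rules: dicts with name, action, sources, destinations, services.
    Universal rules may only reference universal objects, so each rule is checked."""
    section = ET.Element("section", name=name)
    if universal:
        section.set("managedBy", UNIVERSAL_SCOPE)
    for r in rules:
        check_universal_members(r["sources"] + r["destinations"] + r["services"], universal)
        rule = ET.SubElement(section, "rule", disabled="false", logged="true")
        ET.SubElement(rule, "name").text = r["name"]
        ET.SubElement(rule, "action").text = r["action"]
        _ref_list(rule, "sources", "source", r["sources"], excluded="false")
        _ref_list(rule, "destinations", "destination", r["destinations"], excluded="false")
        _ref_list(rule, "services", "service", r["services"])
        applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
        ET.SubElement(applied, "value").text = "DISTRIBUTED_FIREWALL"
        ET.SubElement(applied, "type").text = "DISTRIBUTED_FIREWALL"
    return ET.tostring(section, encoding="unicode")


# Constructed sample objects with placeholder IDs.
WEB_IPSET = NsxObject("ipset-10", "IPSet", UNIVERSAL_SCOPE)
APP_IPSET = NsxObject("ipset-11", "IPSet", UNIVERSAL_SCOPE)
LOCAL_IPSET = NsxObject("ipset-3", "IPSet", LOCAL_SCOPE)      # local: must be rejected
HTTPS_SVC = NsxObject("application-42", "Application", UNIVERSAL_SCOPE)
WEB_SG = NsxObject("securitygroup-20", "SecurityGroup", UNIVERSAL_SCOPE)


def example():
    """IP set -> service -> security group -> universal L3 section, as XML strings."""
    return {
        "ipset": ipset_payload("U-Web-Servers", ["10.10.1.0/24", "10.10.2.10"]),
        "service": service_payload("U-HTTPS", "TCP", [443]),
        "securitygroup": securitygroup_payload("U-SG-Web", [WEB_IPSET, APP_IPSET]),
        "section": l3section_payload("U-Web-Tier", [{
            "name": "Allow HTTPS to web tier", "action": "allow",
            "sources": [], "destinations": [WEB_SG], "services": [HTTPS_SVC]}]),
    }


if __name__ == "__main__":
    for kind, xml in example().items():
        print(kind, "->", xml)
```

The point worth keeping in mind when scripting this: for grouping objects it is the scope in the URL that the Web Client's "Mark this object for Universal Synchronisation" tick box selects, whereas for a firewall Section it is the managedBy attribute on the Section element. Either way the request is made to the Primary NSX Manager only, and the local check above saves a round trip for the error you would otherwise get back when a local object is mixed into a universal group or rule.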
And that’s it for this blog!
Section 7 – Perform Advanced VMware NSX Troubleshooting
Objective 7.1 – Troubleshoot Common VMware NSX Installation/Configuration Issues
- Troubleshoot NSX Manager services
- Download Technical Supports logs from NSX Manager
- Troubleshoot host preparation issues
- Troubleshoot NSX Controller cluster status, roles and connectivity
- Troubleshoot Logical Switch transport zone and NSX Edge mappings
- Troubleshoot Logical Router interface and route mappings
- Troubleshoot distributed and edge firewall implementations
Follow me on Twitter or LinkedIn.
Be Social; Please Share.