VCAP6-NV (3V0-643) Study Guide – Part 18. Configure and Manage NSX Universal Logical Security Objects.

This is part 18 of 20+ blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643)  VCAP6-NV certification.

At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.

For previous blogs in this series please refer to the VCAP6-NV Reference Guide I created. This has all the links to VMware NSX content and lists out each exam objective and the associated blog. Check it out here –>Exam Objective Reference Guide.

This blog covers:

Section 6 – Configure Cross vCenter Networking and Security
Objective 6.3 – Configure and Manage Universal Logical Security Objects

  • Configure Universal MAC Sets
  • Configure Universal IP Sets
  • Configure Universal Security Groups
  • Configure Universal Firewall Rules
  • Configure Universal Services and Service Groups

Short and sweet blog this one.

The universal objects listed above can only be created on the Primary NSX Manager. When you create them there is an additional checkbox, Mark this object for Universal Synchronisation; ticking it is what makes the object universal rather than local. Once created, the object is replicated to every Secondary NSX Manager, where it is read-only: edits and deletions have to be made on the Primary.

Universal Security Groups can only contain Universal MAC, Universal IP Sets or other Universal Security Groups.

All of the above universal objects can be used in Distributed Firewall rules: IP Sets, MAC Sets and Security Groups as the source or destination, and Services and Service Groups as the service. Rules in a universal firewall section can only reference universal objects, so create the grouping objects and services first and the rules last.

Where Are these Configured?

All of these objects are located and configured in the same place on the Primary NSX Manager:

Log into the vSphere Web Client.

Click Networking and Security, then NSX Managers at the bottom left.

Select the Primary NSX Manager.

Select Manage, then Grouping Objects.


Configure Universal MAC Sets

On the Primary NSX Manager click MAC Sets.

Click the green plus sign to Add a New MAC Set.

Enter the relevant details.

Tick the box: Mark this object for Universal Synchronisation.

I can now see this Universal MAC Set on the Secondary NSX Manager.

I can now create L2 Distributed Firewall rules on the Primary or Secondary NSX Managers and use the MAC Set as a source or destination object.

Configure Universal IP Sets

On the Primary NSX Manager click IP Sets.

Click the green plus sign to Add a New IP Set.

Enter the relevant details.

Tick the box: Mark this object for Universal Synchronisation.

I can now see this Universal IP Set on the Secondary NSX Manager.

I can now create L3 Distributed Firewall rules on the Primary or Secondary NSX Managers and use the IP Set as a source or destination object.

Configure Universal Security Groups

To read more about Security Groups see blog 12.

Universal Security Groups can only contain other Universal Security Groups, Universal MAC Sets or Universal IP Sets.

You cannot use Service Composer to create Universal Security Groups (it only creates local security groups).

On the Primary NSX Manager click Security Group.

Click the green plus sign to Add a Security Group.

Enter the relevant details.

Tick the box: Mark this object for Universal Synchronisation.

Select the relevant objects to include. If an object is not Universal, NSX will not let you add it, and the group cannot be created with it as a member.

I can now see this Universal Security Group on the Secondary NSX Manager.

I can now create L2 or L3 Distributed Firewall rules on the Primary or Secondary NSX Managers and utilise the Universal Security Group as a source or destination object.
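The same three objects can be created through the NSX Manager REST API rather than the Web Client, which is handy when you have to build the same universal sets in several environments. The following is an added example and is not code from this post or from VMware. It assumes the NSX 6.2-era endpoints where the trailing scope ID selects a local (globalroot-0) or universal (universalroot-0) object, and that grouping objects fetched from the Manager carry an isUniversal element; check the paths and XML against the API guide for your NSX version. The host name, credentials and object IDs used in it are placeholders.

```python
"""Create NSX universal grouping objects (IP set, MAC set, security group)
through the NSX Manager REST API.

Added example, not from the original post or from VMware. Endpoint paths and
XML follow the NSX 6.2-era API guide (assumption: verify for your version).
"""
import base64
import ipaddress
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

UNIVERSAL_SCOPE = "universalroot-0"   # universal objects: primary NSX Manager only
LOCAL_SCOPE = "globalroot-0"
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def build_ipset_xml(name, entries, description=""):
    """Payload for POST /api/2.0/services/ipset/<scope>.
    Every entry is validated as an address, CIDR or low-high range first, so a
    typo cannot silently turn into an over-broad firewall match."""
    for entry in entries:
        if "-" in entry:
            low, high = entry.split("-", 1)
            if ipaddress.ip_address(low) > ipaddress.ip_address(high):
                raise ValueError("reversed range: " + entry)
        else:
            ipaddress.ip_network(entry, strict=False)
    root = ET.Element("ipset")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "value").text = ",".join(entries)
    return ET.tostring(root, encoding="unicode")


def build_macset_xml(name, macs):
    """Payload for POST /api/2.0/services/macset/<scope>. MAC sets only match
    in L2 (Ethernet) rules, so the rule layer has to fit the object type."""
    bad = [m for m in macs if not _MAC_RE.match(m)]
    if bad:
        raise ValueError("malformed MAC address(es): " + ", ".join(bad))
    root = ET.Element("macset")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "value").text = ",".join(macs)
    return ET.tostring(root, encoding="unicode")


def is_universal(object_xml):
    """True when a grouping object fetched with GET carries <isUniversal>true</isUniversal>."""
    node = ET.fromstring(object_xml).find("isUniversal")
    return node is not None and (node.text or "").strip().lower() == "true"


def build_security_group_xml(name, members):
    """Payload for POST /api/2.0/services/securitygroup/bulk/<scope>.
    members: list of (objectTypeName, objectId, object_xml), object_xml being the
    member as fetched from the primary. The post's rule is enforced client-side:
    a universal security group may hold only universal IP sets, MAC sets or
    security groups, so local objects and dynamic members are rejected here
    instead of failing (or silently not matching) later."""
    allowed = {"IPSet", "MACSet", "SecurityGroup"}
    root = ET.Element("securitygroup")
    ET.SubElement(root, "name").text = name
    for type_name, object_id, object_xml in members:
        if type_name not in allowed:
            raise ValueError(type_name + " cannot be a universal security group member")
        if not is_universal(object_xml):
            raise ValueError(object_id + " is a local object; create it as universal first")
        member = ET.SubElement(root, "member")
        ET.SubElement(member, "objectId").text = object_id
        ET.SubElement(member, "objectTypeName").text = type_name
    return ET.tostring(root, encoding="unicode")


def nsx_post(base_url, path, username, password, body, cafile=None):
    """POST XML to NSX Manager and return (status, response body). NSX answers a
    create with the new object ID (for example ipset-12). cafile is the CA that
    issued the Manager's certificate; keep verification on, this box holds your
    firewall policy."""
    request = urllib.request.Request(base_url + path, data=body.encode(), method="POST")
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    request.add_header("Authorization", "Basic " + token)
    request.add_header("Content-Type", "application/xml")
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=context) as response:
        return response.status, response.read().decode()


def create_universal_ipset(base_url, username, password, name, entries, cafile=None):
    """Create an IP set directly in the universal scope on the primary manager."""
    path = "/api/2.0/services/ipset/" + UNIVERSAL_SCOPE
    return nsx_post(base_url, path, username, password, build_ipset_xml(name, entries), cafile)


if __name__ == "__main__":
    # Constructed sample values; point base_url at your primary NSX Manager to run for real.
    print(build_ipset_xml("u-web-servers", ["10.1.1.0/24", "10.2.0.10-10.2.0.20"]))
    print(build_macset_xml("u-mgmt-macs", ["00:50:56:aa:bb:cc"]))
```

Post the MAC set and security group payloads to their own universalroot-0 paths the same way; the object ID that comes back is what you reference from firewall rules. If a POST returns 403 on a secondary, that is expected: universal objects are only writable on the Primary.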

Configure Universal Firewall Rules

A new Section, marked for universal synchronisation, is required in the Distributed Firewall. This Section and the rules in it are replicated to the Secondary NSX Managers, where they are read-only; changes are made on the Primary.

On the Primary NSX Manager click Firewall.

Click the green plus sign to Add a Section.

Enter the relevant details.

Tick the box: Mark this object for Universal Synchronisation.

I can now see this Universal Distributed Firewall Section, and any rules in it, on the Secondary NSX Manager.

You can create Universal Sections, with rules, in both the L2 (Ethernet) and L3 (General) tabs of the Distributed Firewall.

Configure Universal Services and Service Groups

A Service is a port and protocol combination, e.g. TCP 80 (HTTP), TCP 25 (SMTP), TCP 21 (FTP).

A Service Group is a collection of Services.

Services or Service Groups can be used in Distributed Firewall Rules to identify traffic.

To create a Service:

On the Primary NSX Manager click Service.

Click the green plus sign to Add Service.

Enter the relevant details.

Tick the box: Mark this object for Universal Synchronisation.

To create a Service Group:

On the Primary NSX Manager click Service Groups.

Click the green plus sign to Add Service Group.

Enter the relevant details.

Tick the box: Mark this object for Universal Synchronisation.

I can now create Universal Firewall Rules and add these as the services.
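To tie the last three steps together, here is an added example (not code from this post or from VMware) that builds the payloads for a universal Service, a universal L3 Section whose rule references universal objects, and then checks from the list responses of the Primary and a Secondary that the universal objects have actually replicated before those rules are relied on. The application element names, the managedBy="universalroot-0" attribute on the section and the list endpoint paths are taken from the NSX 6.2-era API guide and should be confirmed for your version; the object IDs and the XML list responses in the test are constructed samples. Send the payloads with whatever HTTP client you use against the Primary NSX Manager.

```python
"""Universal service and universal L3 DFW section payloads, plus a replication
check between the primary and a secondary NSX Manager.

Added example, not from the original post or from VMware. XML shapes and paths
follow the NSX 6.2-era API guide (assumption: verify for your version).
"""
import xml.etree.ElementTree as ET

UNIVERSAL_SCOPE = "universalroot-0"
PORT_PROTOCOLS = {"TCP", "UDP"}   # the two protocols for which a port list makes sense


def build_service_xml(name, protocol, ports):
    """Payload for POST /api/2.0/services/application/<scope>.
    ports is a list such as ["443", "8443-8449"]; NSX takes them comma-separated.
    Each entry is range-checked so a fat-fingered port cannot widen the rule."""
    protocol = protocol.upper()
    if protocol not in PORT_PROTOCOLS:
        raise ValueError("unsupported protocol " + protocol)
    for spec in ports:
        low, _, high = spec.partition("-")
        if not (0 < int(low) < 65536 and (not high or int(low) <= int(high) < 65536)):
            raise ValueError("bad port spec " + spec)
    root = ET.Element("application")
    ET.SubElement(root, "name").text = name
    element = ET.SubElement(root, "element")
    ET.SubElement(element, "applicationProtocol").text = protocol
    ET.SubElement(element, "value").text = ",".join(ports)
    return ET.tostring(root, encoding="unicode")


def build_universal_l3_section(section_name, rules):
    """Payload for POST /api/4.0/firewall/globalroot-0/config/layer3sections.
    managedBy="universalroot-0" is what makes the section universal. Each rule is
    a dict with name, action and optional sources/destinations/services lists of
    (objectId, objectTypeName); an omitted endpoint means "any". Only universal
    objects may be referenced from a universal section, so pass universal IDs.
    Later edits to the section must send the If-Match header with its ETag."""
    section = ET.Element("section", name=section_name, managedBy=UNIVERSAL_SCOPE)
    for spec in rules:
        rule = ET.SubElement(section, "rule", disabled="false",
                             logged="true" if spec.get("log", True) else "false")
        ET.SubElement(rule, "name").text = spec["name"]
        ET.SubElement(rule, "action").text = spec["action"]
        for plural, singular in (("sources", "source"), ("destinations", "destination")):
            refs = spec.get(plural)
            if not refs:
                continue
            group = ET.SubElement(rule, plural, excluded="false")
            for object_id, type_name in refs:
                node = ET.SubElement(group, singular)
                ET.SubElement(node, "value").text = object_id
                ET.SubElement(node, "type").text = type_name
        if spec.get("services"):
            services = ET.SubElement(rule, "services")
            for object_id, type_name in spec["services"]:
                node = ET.SubElement(services, "service")
                ET.SubElement(node, "value").text = object_id
                ET.SubElement(node, "type").text = type_name
    return ET.tostring(section, encoding="unicode")


def universal_names(list_xml, tag):
    """Names of the universal objects in a list response, e.g.
    GET /api/2.0/services/ipset/scope/universalroot-0 with tag="ipset"."""
    names = set()
    for obj in ET.fromstring(list_xml).iter(tag):
        if obj.findtext("isUniversal", "false").strip().lower() == "true":
            names.add(obj.findtext("name"))
    return names


def not_yet_replicated(primary_list_xml, secondary_list_xml, tag):
    """Universal objects the primary has that a secondary does not (yet).
    A non-empty result right after a create means the secondary is behind;
    check the sync status under NSX Managers before pushing rules that use them."""
    return universal_names(primary_list_xml, tag) - universal_names(secondary_list_xml, tag)


if __name__ == "__main__":
    # Constructed IDs: ipset-7 and application-3 stand in for your universal objects.
    print(build_service_xml("u-https-alt", "tcp", ["443", "8443-8449"]))
    print(build_universal_l3_section("Universal-Web", [{
        "name": "allow https to web",
        "action": "allow",
        "destinations": [("ipset-7", "IPSet")],
        "services": [("application-3", "Application")],
    }]))
```

Service Groups are created with the same pattern: POST an applicationGroup element containing the name to /api/2.0/services/applicationgroup/universalroot-0, then add each universal service with PUT /api/2.0/services/applicationgroup/{groupId}/members/{serviceId}, and reference the group from the rule with type ApplicationGroup.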

And that’s it for this blog!

Blog 19 will cover:

Section 7 – Perform Advanced VMware NSX Troubleshooting
Objective 7.1 – Troubleshoot Common VMware NSX Installation/Configuration Issues

  • Troubleshoot NSX Manager services
  • Download Technical Supports logs from NSX Manager
  • Troubleshoot host preparation issues
  • Troubleshoot NSX Controller cluster status, roles and connectivity
  • Troubleshoot Logical Switch transport zone and NSX Edge mappings
  • Troubleshoot Logical Router interface and route mappings
  • Troubleshoot distributed and edge firewall implementations
