This is part 20 of 22 blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643) VCAP6-NV certification.
At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.
For previous blogs in this series please refer to the VCAP6-NV Reference Guide I created. This has all the links to VMware NSX content and lists out each exam objective and the associated blog. Check it out here: Exam Objective Reference Guide.
This blog covers:
Section 7 – Perform Advanced VMware NSX Troubleshooting
Objective 7.2 – Troubleshoot VMware NSX Connectivity Issues
- Monitor and analyze virtual machine traffic with Flow Monitoring
- Troubleshoot virtual machine connectivity
- Troubleshoot dynamic routing protocols
Another short blog post. I cannot see the point in going into troubleshooting detail here when in your lab you will be deploying, configuring, breaking, fixing and picking up more skills than reading this \o/
Flow Monitoring
Flow Monitoring is a tool that can be used to analyse ingress and egress traffic of virtual machines that are members of vSphere clusters connected to NSX.
You need to enable Flow Monitoring as it is disabled by default.
You can see information such as source and destination IPs, protocols, ports and the number of sessions and the amount of data being transferred. You can also see traffic flows that have been allowed or blocked by the Distributed Firewall etc.
There is information like: Top Flows, Top Destinations and Top Sources.
There is also an option to see Live Flows for a specific vNIC of a VM in real-time and an option to add allow or deny rules directly from the flows you can see in flight.
Enable Flow Monitoring
First thing you need to do is enable the Global Collection Status.
Log into the vSphere Web Client.
Click Networking and Security.
Click Flow Monitoring followed by Configuration.
Click the Enable button to start the Global Flow Collection. You will see the status change to Enabled.
It will take a short period before data will be seen on the Dashboard.
Under the Global Flow Collection status you can see the Exclusion Settings. These are options to exclude specific ‘things’ from the collection flow. If you click on any of them you can configure specific options.
The options under Destination, for example, show how I can exclude IPs and ports. Click the green sign to add a specific object like an IP or MAC set.
Flow Monitoring Dashboard
On the Dashboard tab you can see Top Flows, Top Destinations and Top Sources.
Dashboard Top Flows:
Dashboard Top Destinations:
Dashboard Top Sources:
Details by Service
Clicking on the Details by Service tab you can see the actual services that are collected, the amount of data and number of sessions.
You can click on Allowed Flows or Blocked Flows. This information is filtered based on rules from the DFW.
If you click a Service you can see the traffic flow from the source to the destination and add a DFW rule from that flow to allow or deny it (depending on the tab you're on). If a rule already exists you can also edit the rule.
Below I am clicking on this one specific HTTPS flow and then click the Add Rule option. From here I could create a deny DFW rule for this flow.
If I go into the Firewall section in NSX I can see my Block HTTPS rule has been created.
Live Flow
Live Flow allows you to see real-time traffic flows for a specific VM network interface.
Click the Live Flow tab.
Click the Browse button.
Select a vNIC of a specific VM. Then click Start.
Below is the traffic being displayed in real-time.
*VMware mention in the documentation that live flow can affect the performance of NSX Manager and the VM, so make sure you stop when you are finished.
Troubleshoot Virtual Machine Connectivity
Remember a VM must be connected to a Logical Switch for it to communicate with another VM. You can add and remove VMs from Logical Switches.
A Logical Switch must be connected to a Distributed Logical Router or Edge Services Gateway to communicate with other Logical Switches.
Make sure you check all the other basics you would for a virtual machine. Check gateways and subnet masks/CIDRs etc. should VMs be having any issues communicating.
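As an added example (not from the original post and not VMware tooling), the Python below applies those basics to guest settings collected by hand: it flags a gateway outside the VM's subnet, a mask mismatch between VMs on the same Logical Switch, and a Logical Switch with no DLR/ESG interface. The Vnic record, the switch names, the addresses and the ROUTED set (the switches assumed to have a DLR or ESG interface) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Vnic:                      # hypothetical record, filled in by hand
    name: str
    logical_switch: str          # "" if the vNIC is not on a Logical Switch
    cidr: str                    # guest IP and prefix, e.g. "10.0.1.11/24"
    gateway: str = ""            # guest default gateway, "" if none

def check_vnic(v):
    """Problems visible from one vNIC's own settings."""
    problems = []
    if not v.logical_switch:
        problems.append("not connected to a Logical Switch")
    iface = ipaddress.ip_interface(v.cidr)
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if v.gateway:
        gw = ipaddress.ip_address(v.gateway)
        if gw not in net:
            problems.append(f"gateway {gw} is outside {net}")
    return problems

def check_pair(a, b, routed_switches):
    """Reasons a and b may fail to talk; routed_switches = switches on a DLR/ESG."""
    problems = [f"{v.name}: {p}" for v in (a, b) for p in check_vnic(v)]
    net_a, net_b = (ipaddress.ip_interface(v.cidr).network for v in (a, b))
    if a.logical_switch == b.logical_switch:
        if net_a != net_b:           # also catches a mistyped mask on one side
            problems.append(f"same Logical Switch, different subnets: {net_a} vs {net_b}")
        return problems
    if net_a.overlaps(net_b):        # a guest may ARP for the peer, bypassing its gateway
        problems.append(f"different Logical Switches, overlapping subnets: {net_a} vs {net_b}")
    for v in (a, b):
        if v.logical_switch and v.logical_switch not in routed_switches:
            problems.append(f"{v.logical_switch} has no DLR/ESG interface")
        if not v.gateway:
            problems.append(f"{v.name}: no default gateway for routed traffic")
    return problems

# Constructed lab inventory (names and addresses are illustrative only).
WEB01 = Vnic("web01", "Web-LS", "10.0.1.11/24", "10.0.1.1")
WEB02 = Vnic("web02", "Web-LS", "10.0.1.12/16", "10.0.1.1")   # mask typo
APP01 = Vnic("app01", "App-LS", "10.0.2.11/24", "10.0.1.1")   # wrong gateway
DB01 = Vnic("db01", "DB-LS", "10.0.3.11/24", "10.0.3.1")      # switch not routed
ROUTED = {"Web-LS", "App-LS"}
for peer in (WEB02, APP01, DB01):
    print(peer.name, check_pair(WEB01, peer, ROUTED))
```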
Add a VM to a Logical Switch
Log into the vSphere Web Client.
Click Networking and Security.
Click Logical Switches. Select a Logical Switch.
Click the icon to Add a VM to the Logical Switch.
Select the VM to add.
Select the VM NIC/s to Add. Click Next and Finish.
Remove VM from Logical Switch
Select a Logical Switch.
Click the icon to Remove a VM from Logical Switch.
Select VM/s and click OK.
Test Connectivity
Double-click on a Logical Switch.
Click on Monitor. Here you can do Ping and Broadcast Tests.
Troubleshoot Dynamic Routing Protocols
Refer back to blog 7 on how to configure all three of the dynamic routing protocols that NSX supports.
Make sure you practice in your lab. Make sure you know how to configure OSPF, BGP and IS-IS. Test with pings etc. going over the routes to confirm it's functional.
And that’s it for this blog!
Blog 21 will cover:
Objective 7.3 – Troubleshoot VMware NSX Edge Services Issues
- Troubleshoot VPN service issues
- Troubleshoot DHCP/DNS/NAT service issues
- Troubleshoot Logical Load Balancer implementation issues
- Download Technical Support logs from NSX Edge instances