Lab Topology

[Figure: overall lab topology. The recoverable labels follow.]

Student desktop: 172.20.10.80 (green desktop background)
Management VMs: nsxmgr-a 172.20.10.42, vcva-a 172.20.10.94, vdc-<kitname>-a.vmeduc.com
Transit network: 10.1.100.0/27 (addresses .2 and .3 are marked on the diagram)

Physical networks
  Management A   172.20.10.0/24      Management B   172.20.110.0/24
  Production A   172.20.11.0/24      Production B   172.20.111.0/24
  vMotion A      172.20.12.0/24      vMotion B      172.20.12.0/24

Virtual networks
  Web Tier A     10.1.10.0/24        Web Tier B     10.2.10.0/24
  App Tier A     10.1.20.0/24
  DB Tier        10.1.30.0/24
  Transit        10.1.100.0/27

Site A hosts
  SA-ESXI-01  172.20.10.51         SA-ESXI-02  172.20.10.52
  SA-ESXI-03  172.20.10.53         SA-ESXI-04  172.20.10.54
  Storage/vMotion:  172.20.12.0/24
  Production-A:     172.20.11.0/24
  Management-A:     172.20.10.0/24
  dc-rras: .10 on each network, router towards Site-B
  Controller-Pool:  172.20.10.240-172.20.10.254
Note: In a production network, VMware requires that each NSX Controller cluster contain three controller nodes, regardless of the size of the NSX deployment. For this lab only, you deploy a single controller.
[Figure: NSX Controller deployment. Clusters SA-Management and SA-Compute; link to Site-B.]
  Controllers on Management-A: 172.20.10.240 (controller-1)
  Student: 172.20.10.80
  dc-rras on Management-A: 172.20.10.10/24
[Figure: Distributed Logical Router (DLR) and static routing on the transit network. Controllers, Student 172.20.10.80 and dc-rras (Management-A 172.20.10.10/24, link to Site-B) as above.]
  Transit network (DLR forwarding address):  10.1.100.2/27
  Perimeter Gateway Transit-Interface:       10.1.100.1/27
  Static route on the Perimeter Gateway:     10.1.0.0/16, next hop 10.1.100.2 (the DLR)
[Figure: dynamic routing between the DLR and the Perimeter Gateways. Controllers and dc-rras as above.]
  DLR on Transit-Network: forwarding address 10.1.100.2/27, protocol address 10.1.100.3/27, OSPF Area 829
  Perimeter Gateway Transit-Interface: 10.1.100.1/27, OSPF Area 829
  Enable redistribution of static routes into OSPF on the Perimeter Gateway
  Second Perimeter Gateway Transit-Interface: 10.1.100.4/27, OSPF Area 829
The DLR is enabled with ECMP; the two ESGs (Perimeter Gateways) carry the north-south traffic.
[Figure: ECMP, Edge HA and L2 bridging. Perimeter Gateway (Transit-Interface 10.1.100.1/27, OSPF Area 829) and Controllers as above.]
  Web Tier 10.1.10.0/24: DLR interface .1; web servers .11 and .12
  Transit-Network: DLR forwarding address 10.1.100.2/27, protocol address 10.1.100.3/27, OSPF Area 829
  Heartbeat network for the HA pair: 192.168.222.1/30 and 192.168.222.2/30
  L2 bridge: L2PG on VLAN 10, 10.1.10.0/24, Bridge Instance on the DLR; hosts SA-ESXI-01 to SA-ESXI-04
[Figure: NAT on the Perimeter Gateway. Transit-Interface 10.1.100.1/27, OSPF Area 829, Controllers and dc-rras as above.]
  Servers: web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  Perimeter Gateway Uplink-Interface: 172.20.11.3/24 (primary, marked *), 172.20.11.5 (NAT), 172.20.11.6 (NAT)

  DNAT rules                         SNAT rules
  Original      Translated           Original      Translated
  172.20.11.5   10.1.10.11           10.1.10.11    172.20.11.5
  172.20.11.6   10.1.10.12           10.1.10.12    172.20.11.6
[Figure: load balancer on the Perimeter Gateway. Servers web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP); Transit-Network 10.1.100.2/27, protocol address 10.1.100.3/27, Transit-Interface 10.1.100.1/27, OSPF Area 829; Controllers; Student 172.20.10.80; dc-rras Production-A 172.20.11.10/24, Management-A 172.20.10.10/24.]

Three load-balancer configurations are shown on consecutive slides; only the fields marked by configuration number differ.

Application Profile
  Name                    App-Profile
  Type                    HTTPS
  Enable SSL Passthrough  Enabled (configuration 1); Disabled (configurations 2 and 3)

Server Pool
  Name             Server-Pool
  Algorithm        Round-Robin
  Monitors         None
  Members          web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12
  Member Port      443 (configurations 1 and 3); 80 (configuration 2)
  Monitor Port     blank (configurations 1 and 3); 80 (configuration 2)
  Weight           1
  Max Connections  blank
  Min Connections  blank

Virtual Server
  Enable Virtual Server  checked
  Application Profile    App-Profile
  Name                   VIP
  Description            blank
  IP Address             10.1.10.1 (configurations 1 and 2); 172.20.11.7 (configuration 3)
  Protocol               HTTPS
  Port                   443
  Default Pool           Server-Pool
  Connection Limit       blank
  Connection Rate Limit  blank

Configuration 1 passes the TLS session through to the pool members on port 443, so the edge never sees plaintext. Configurations 2 and 3 terminate TLS on the edge (the virtual server then needs its own certificate) and forward HTTP on port 80 or HTTPS on port 443 to the pool.
[Figure: L2VPN between the Perimeter Gateway (server) and the Remote Gateway (client, 172.20.111.8). Transit-Network 10.1.100.2/27, protocol address 10.1.100.3/27, OSPF Area 829 and Controllers as above.]
  Subinterface Subint-to-Web-Tier: Tunnel ID 10, trunk L2VPN-RemoteSiteTrunk, 10.1.10.1/24
  Servers: web-sv-01a 10.1.10.11, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11
  Perimeter Gateway Uplink-Interface: 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP)

L2VPN Server (Perimeter Gateway)
  Global Configuration
    Listener IP                    172.20.11.3
    Listener Port                  443
    Encryption Algorithm           AES128-SHA
    Server Certificate             Use System Generated Certificate: Yes
  Site Configuration
    Enable Peer Site               Yes
    Name                           L2VPN - Site A
    Description                    blank
    User ID                        vpnuser
    Password                       VMware1!
    Stretched Interfaces           Subint-to-Web-Tier
    Egress Optimization Gateway    blank
    Enable Unstretched Networks    No

L2VPN Client (Remote Gateway)
    Server Address                 172.20.11.3
    Server Port                    443
    Encryption Algorithm           AES128-SHA
    User ID                        vpnuser
    Password                       VMware1!

The system-generated (self-signed) server certificate and the shared lab password are conveniences for this lab; a production L2VPN would use a certificate the client can validate and per-site credentials.
[Figure: IPsec VPN between the Perimeter Gateway (172.20.11.3) and the Remote Gateway (172.20.111.8). Subint-to-Web-Tier (Tunnel ID 10, L2VPN-RemoteSiteTrunk, 10.1.10.1/24), transit addressing, OSPF Area 829, Controllers, servers and uplink addresses as above. Student 172.20.10.80; dc-rras Production-A 172.20.11.10/24, Production-B 172.20.111.10/24.]
  Static route on the Perimeter Gateway: 10.1.0.0/16, next hop 10.1.100.2
  Remote Gateway inside address shown on the diagram: 10.2.40.1

IPsec VPN Configuration     Perimeter Gateway (Site A)   Remote Gateway (Site B)
  Enabled                   Yes                          Yes
  Enable PFS                Yes                          Yes
  Name                      Local-Remote                 Local-Remote
  Local ID                  Local                        Remote
  Local Endpoint            172.20.11.3                  172.20.111.8
  Local Subnets             10.1.10.0/24                 10.2.40.0/24
  Peer ID                   Remote                       Local
  Peer Endpoint             172.20.111.8                 172.20.11.3
  Peer Subnets              10.2.40.0/24                 10.1.10.0/24
  Encryption Algorithm      AES                          AES
  Authentication            PSK                          PSK
  Pre-shared Key            VMware1!                     VMware1!
  Diffie-Hellman Group      DH2                          DH2
  Extension                 blank                        blank
  Status                    Enabled

Each side's Local Endpoint and Local Subnets must be the other side's Peer Endpoint and Peer Subnets, and the PSK, PFS setting and DH group must agree, or the tunnel will not negotiate. DH2 (1024-bit MODP) and a short shared PSK are acceptable only in this disposable lab.
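The two site definitions above have to be exact mirrors of each other. The following Python is an added example, not part of the lab material: it encodes both sides as shown on the slide, checks that they mirror, and flags the lab-only crypto choices. The dictionary layout, the set of weak DH groups and the 20-character PSK threshold are this example's own assumptions.

```python
"""Mirror check and weak-setting audit for the two IPsec VPN site definitions."""
import ipaddress

# Constructed from the lab slide: Site A is the Perimeter Gateway, Site B the Remote Gateway.
SITE_A = {
    "name": "Local-Remote", "local_id": "Local", "peer_id": "Remote",
    "local_endpoint": "172.20.11.3", "peer_endpoint": "172.20.111.8",
    "local_subnets": ["10.1.10.0/24"], "peer_subnets": ["10.2.40.0/24"],
    "encryption": "AES", "auth": "PSK", "psk": "VMware1!",
    "dh_group": "DH2", "pfs": True, "enabled": True,
}
SITE_B = {
    "name": "Local-Remote", "local_id": "Remote", "peer_id": "Local",
    "local_endpoint": "172.20.111.8", "peer_endpoint": "172.20.11.3",
    "local_subnets": ["10.2.40.0/24"], "peer_subnets": ["10.1.10.0/24"],
    "encryption": "AES", "auth": "PSK", "psk": "VMware1!",
    "dh_group": "DH2", "pfs": True, "enabled": True,
}

# DH groups 2 and 5 are 1024- and 1536-bit MODP; both are below current minimums.
WEAK_DH_GROUPS = {"DH2", "DH5"}
MIN_PSK_LEN = 20  # threshold chosen for this example, not a value from the lab


def _networks(cidrs):
    """Parse CIDR strings into a sorted list so that list order does not matter."""
    return sorted(ipaddress.ip_network(c, strict=True) for c in cidrs)


def mirror_errors(a, b):
    """Return the fields on which site b fails to mirror site a.

    A policy-based tunnel only negotiates when each side's local values are
    the other side's peer values and both agree on crypto and the PSK.
    """
    errors = []
    for local, peer in (("local_endpoint", "peer_endpoint"),
                        ("local_id", "peer_id")):
        if a[local] != b[peer]:
            errors.append(f"{local} {a[local]} of A != {peer} {b[peer]} of B")
        if b[local] != a[peer]:
            errors.append(f"{local} {b[local]} of B != {peer} {a[peer]} of A")
    if _networks(a["local_subnets"]) != _networks(b["peer_subnets"]):
        errors.append("A local_subnets != B peer_subnets")
    if _networks(b["local_subnets"]) != _networks(a["peer_subnets"]):
        errors.append("B local_subnets != A peer_subnets")
    for key in ("encryption", "auth", "psk", "dh_group", "pfs"):
        if a[key] != b[key]:
            errors.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    return errors


def weak_settings(site):
    """Flag settings that are acceptable only in a disposable lab."""
    warnings = []
    if site["dh_group"] in WEAK_DH_GROUPS:
        warnings.append(f"{site['dh_group']} is a small MODP group; use DH14 or larger")
    if site["auth"] == "PSK" and len(site["psk"]) < MIN_PSK_LEN:
        warnings.append("pre-shared key is short; prefer a long random PSK or certificates")
    if not site["pfs"]:
        warnings.append("PFS disabled; a compromised long-term key exposes past sessions")
    return warnings


if __name__ == "__main__":
    print("mirror errors:", mirror_errors(SITE_A, SITE_B) or "none")
    for site in (SITE_A, SITE_B):
        print(site["local_endpoint"], "warnings:", weak_settings(site))
```

Run it after editing either side: a single transposed digit in a peer endpoint (the kind of slip the slide itself contained) shows up as one mirror error, while the DH2 and PSK warnings appear on both sides until the lab values are replaced.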
[Figure: Perimeter Gateway with HTTP and HTTPS traffic to the web tier. Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24), Transit-Network 10.1.100.2/27, protocol address 10.1.100.3/27, OSPF Area 829, Controllers; servers web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP). Student 172.20.10.80; dc-rras Production-A 172.20.11.10/24, Production-B 172.20.111.10/24.]
[Figure: Edge firewall on the Perimeter Gateway; same diagram and addressing as above. Student 172.20.10.80; dc-rras Production-A 172.20.11.10/24, Production-B 172.20.111.10/24.]

Edge Firewall Rules
  Name                     Source   Destination                  Service       Action
  Allowed to Web Servers   ANY      IP Set: Local Web Servers    HTTP, HTTPS   ACCEPT
  Default                  ANY      ANY                          ANY           DENY

Untrusted IP Address: 172.20.10.151
Trusted IP Address:   172.20.10.150
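Added example, not part of the lab material: the DNAT/SNAT table from the NAT slide and the edge firewall rules above, checked and evaluated in Python. The IP set "Local Web Servers" is assumed to hold the two web servers' inside addresses, and DNAT is assumed to be applied before the firewall; the page states neither.

```python
"""Static 1:1 NAT check and first-match edge firewall evaluation for the Perimeter Gateway."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

WEB_TIER_A = ipaddress.ip_network("10.1.10.0/24")
PRODUCTION_A = ipaddress.ip_network("172.20.11.0/24")
UPLINK_PRIMARY = ipaddress.ip_address("172.20.11.3")

# NAT rules copied from the slide as (original, translated) pairs.
DNAT = [("172.20.11.5", "10.1.10.11"), ("172.20.11.6", "10.1.10.12")]
SNAT = [("10.1.10.11", "172.20.11.5"), ("10.1.10.12", "172.20.11.6")]


def nat_table_errors(dnat, snat, inside=WEB_TIER_A, outside=PRODUCTION_A):
    """Check that DNAT and SNAT together form one consistent static 1:1 mapping."""
    errors = []
    dnat_map = dict(dnat)
    if len(dnat_map) != len(dnat):
        errors.append("a public address appears twice in DNAT")
    if len(set(dnat_map.values())) != len(dnat_map):
        errors.append("two public addresses translate to the same server")
    for public, private in dnat_map.items():
        pub, priv = ipaddress.ip_address(public), ipaddress.ip_address(private)
        if pub not in outside:
            errors.append(f"{public} is not in the uplink network {outside}")
        if priv not in inside:
            errors.append(f"{private} is not in the web tier {inside}")
        if pub == UPLINK_PRIMARY:
            errors.append(f"{public} is the primary uplink address; use a secondary")
    if dict(snat) != {private: public for public, private in dnat_map.items()}:
        errors.append("SNAT table is not the inverse of the DNAT table")
    return errors


@dataclass(frozen=True)
class Rule:
    name: str
    source: Optional[List[ipaddress.IPv4Network]]       # None means ANY
    destination: Optional[List[ipaddress.IPv4Network]]  # None means ANY
    services: Optional[Set[Tuple[str, int]]]            # None means ANY
    action: str


# The slide names the IP set "Local Web Servers" but does not list its members;
# this example assumes it holds the two web servers' inside addresses.
LOCAL_WEB_SERVERS = [ipaddress.ip_network("10.1.10.11/32"),
                     ipaddress.ip_network("10.1.10.12/32")]

RULES = [
    Rule("Allowed to Web Servers", None, LOCAL_WEB_SERVERS,
         {("tcp", 80), ("tcp", 443)}, "ACCEPT"),
    Rule("Default", None, None, None, "DENY"),
]


def _in_set(address, networks):
    return networks is None or any(ipaddress.ip_address(address) in n for n in networks)


def evaluate(rules, src, dst, proto, port):
    """Return (rule name, action) of the first rule that matches the flow."""
    for rule in rules:
        if (_in_set(src, rule.source) and _in_set(dst, rule.destination)
                and (rule.services is None or (proto, port) in rule.services)):
            return rule.name, rule.action
    raise ValueError("rule set has no catch-all rule")


def inbound_decision(src, public_dst, proto, port):
    """DNAT the public destination, then evaluate the firewall on the translated address.

    Applying DNAT before the firewall is an assumption of this example (it is
    why the IP set holds inside addresses); the slide does not state the order.
    """
    translated = dict(DNAT).get(public_dst, public_dst)
    return translated, evaluate(RULES, src, translated, proto, port)


if __name__ == "__main__":
    print("NAT errors:", nat_table_errors(DNAT, SNAT) or "none")
    for flow in (("172.20.10.80", "172.20.11.5", "tcp", 443),
                 ("172.20.10.80", "172.20.11.6", "tcp", 22),
                 ("172.20.10.80", "172.20.11.3", "tcp", 443)):
        print(flow, "->", inbound_decision(*flow))
```

The default rule is what makes the table safe: anything not HTTP or HTTPS to a web server, including traffic to the primary uplink address or to the app and DB tiers, falls through to DENY. Swapping two SNAT entries, or reusing 172.20.11.3 as a NAT address, is reported before the configuration is pushed.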
[Figure: the Perimeter Gateway diagram repeated (same addressing as above), followed by the cross-site Universal Web-Tier.]
  Universal Web-Tier spans SA-ESXI-01, SA-ESXI-02, SA-ESXI-03, SA-ESXI-04 (Site A) and SB-ESXI-01 (Site B)
  Site A VXLAN ID pool (Segment ID pool): 5000-5999
  Site B VXLAN ID pool (Segment ID pool): 6000-6999