
VMware NSX: Install, Configure, Manage

Lab Topology

© 2018 VMware Inc. All rights reserved.


Lab Topology Overview

[Figure: lab topology diagram. Site A: Student desktop 172.20.10.80 (vdc-<kitname>-a.vmeduc.com, green desktop background), nsxmgr-a 172.20.10.42, vcva-a 172.20.10.94, hosts sa-esxi-01 to sa-esxi-04 at 172.20.10.51 to 172.20.10.54, Storage, Windows7 172.20.10.150, Windows7-2 172.20.10.151, and dc-rras at .10 on each network. Physical networks: Management-A 172.20.10.0/24, Production-A 172.20.11.0/24, vMotion 172.20.12.0/24. Virtual networks: Web Tier 10.1.10.0/24, App Tier 10.1.20.0/24 and DB Tier 10.1.30.0/24, each with the Distributed Logical Router at .1 and the VMs at .11/.12; Transit Network 10.1.100.0/27 (.1 Perimeter Gateway, .2 Distributed Logical Router, .3); Perimeter Gateway at .3 on Production-A; Controllers on Management-A. Site B: nsxmgr-b 172.20.110.43, vcsa-b 172.20.110.95, Esxi-b-01 172.20.110.61.]
VMware NSX: Install, Configure, Manage 2


Subnet IP Addressing

Physical
  Management A   172.20.10.0/24    Management B   172.20.110.0/24
  Production A   172.20.11.0/24    Production B   172.20.111.0/24
  vMotion A      172.20.12.0/24    vMotion B      172.20.12.0/24

Virtual
  Web Tier A     10.1.10.0/24      Web Tier B     10.2.10.0/24
  App Tier A     10.1.20.0/24
  DB Tier        10.1.30.0/24
  Transit        10.1.100.0/27

Infrastructure (Management Network) IP Addressing

Infrastructure (Management Networks)
  Student Desktop    172.20.10.80 (on Management A)
  NSX Manager A      172.20.10.42      NSX Manager B      172.20.110.43
  vCenter Server A   172.20.10.94      vCenter Server B   172.20.110.95
  SA-ESXi-01         172.20.10.51      SB-ESXi-01         172.20.110.61
  SA-ESXi-02         172.20.10.52
  SA-ESXi-03         172.20.10.53
  SA-ESXi-04         172.20.10.54
  RRAS Server        172.20.0.10 (Fence)
  (.10 on each attached network)
                     172.20.10.10 (Management A)    172.20.110.10 (Management B)
                     172.20.11.10 (Production A)    172.20.111.10 (Production B)

Perimeter Gateway IP Addressing

Perimeter Gateway (Site A)
  Primary IP Address       172.20.11.3 (on Production A network 172.20.11.0/24)
  L2VPN & IPSec VPN        172.20.11.3
  1:1 NAT for web-sv-01a   172.20.11.5
  1:1 NAT for web-sv-02a   172.20.11.6
  Load Balancer            172.20.11.7
  Transit                  10.1.100.1

Remote Gateway (Site B)
  Primary Address          172.20.111.8 (on Production B network 172.20.111.0/24)

Perimeter Gateway – ECMP (Site A)
  Primary IP Address       172.20.11.4
  Transit                  10.1.100.4

DLR and VM IP Addressing

Distributed Logical Router (Site A)
  Web Tier   10.1.10.1
  App Tier   10.1.20.1
  DB Tier    10.1.30.1
  Transit    10.1.100.2

Virtual Machines (Site A)          Virtual Machines (Site B)
  web-sv-01a   10.1.10.11            web-sv-01b   10.2.10.11
  web-sv-02a   10.1.10.12
  app-sv-01a   10.1.20.11
  db-sv-01a    10.1.30.11

Lab 1: Configuring NSX Manager

[Figure: Site A management topology. Student 172.20.10.80, nsxmgr-a 172.20.10.42, vcva-a 172.20.10.94; hosts SA-ESXi-01 to SA-ESXi-04 at 172.20.10.51 to 172.20.10.54; Storage; networks vMotion 172.20.12.0/24, Production-A 172.20.11.0/24 and Management-A 172.20.10.0/24 with dc-rras at .10 on each network; link to Site B (nsxmgr-b 172.20.110.43, vcsa-b 172.20.110.95, Esxi-b-01 172.20.110.61).]

NTP/Syslog Server: 172.20.10.10

Lab 2: Configuring and Deploying an NSX Controller Cluster

Controller-Pool: 172.20.10.240-172.20.10.254

[Figure: same Site A topology as Lab 1 (Student 172.20.10.80, nsxmgr-a 172.20.10.42, vcva-a 172.20.10.94, SA-ESXi-01 to SA-ESXi-04 at 172.20.10.51 to 172.20.10.54, Storage, vMotion 172.20.12.0/24, Production-A 172.20.11.0/24, Management-A 172.20.10.0/24, dc-rras at .10 on each network, link to Site B), with the controller IP pool drawn on Management-A.]

Note: In a production network, VMware requires that each NSX Controller cluster contain three controller nodes, regardless of the size of the NSX deployment. For lab purposes only, you deploy a single controller.

Lab 3: Preparing for Virtual Networking

[Figure: Local Transport Zone spanning the clusters SA-Management and SA-Compute (hosts SA-ESXi-01 to SA-ESXi-04 at 172.20.10.51 to 172.20.10.54); VXLAN ID Pool: 5000-5999; Production-A 172.20.11.0/24 with dc-rras at .10; link to Site B.]

Lab 4: Configuring Logical Switch Networks

[Figure: logical switches Transit Network, Web Tier, App Tier and DB Tier. VMs web-sv-01a 10.1.10.11 and web-sv-02a 10.1.10.12 on Web Tier, app-sv-01a 10.1.20.11 on App Tier, db-sv-01a 10.1.30.11 on DB Tier. Controllers on Management-A (controller-1 at 172.20.10.240); Student 172.20.10.80; dc-rras at 172.20.10.10/24 on Management-A; link to Site B.]

Lab 5: Configuring and Deploying an NSX Distributed Router

[Figure: Distributed Logical Router with its Control VM, attached to DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24 and the Transit network at 10.1.100.2/27. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11. Controllers on Management-A (controller-1 at 172.20.10.240); Student 172.20.10.80; dc-rras at 172.20.10.10/24 on Management-A; link to Site B.]

Lab 6: Deploying an NSX Edge Services Gateway and Configuring Static Routing

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24; Transit network 10.1.100.2/27) and a Perimeter Gateway with Transit-Interface 10.1.100.1/27 and Uplink-Interface 172.20.11.3/24. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Management-A 172.20.10.10/24.]

Static routes configured in this lab:
  On the Logical Router (Transit-Network):     172.20.10.0/24   Next Hop: 10.1.100.1
  On the Perimeter Gateway (Transit-Network):  10.1.10.0/16     Next Hop: 10.1.100.2

Lab 7: Configuring and Testing Dynamic Routing on NSX Edge Appliances

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24) with Transit-Network 10.1.100.2/27 and Protocol Address 10.1.100.3/27 in OSPF Area 829; Perimeter Gateway with Transit-Interface 10.1.100.1/27 and Uplink-Interface 172.20.11.3/24. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Management-A 172.20.10.10/24.]

Routing configured in this lab:
  Logical Router:     OSPF Area 829 on Transit-Network; Protocol Address 10.1.100.3/27
  Perimeter Gateway:  OSPF Area 829 on Transit-Interface 10.1.100.1/27; enable static route redistribution into OSPF
  Static route on the Perimeter Gateway Uplink-Interface:  172.20.10.0/24   Next Hop: 172.20.11.10

Lab 8: Configuring Equal Cost Multipathing

[Figure: Distributed Logical Router (Control VM; ECMP enabled; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829) and two Perimeter Gateways, each in OSPF Area 829: Transit-Interface 10.1.100.1/27 with Uplink-Interface 172.20.11.3/24, and Transit-Interface 10.1.100.4/27 with Uplink-Interface 172.20.11.4/24. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Management-A 172.20.10.10/24.]

ECMP is enabled on the DLR. The two ESGs carry north-south traffic.

Lab 9: Configuring NSX Edge High Availability

[Figure: Distributed Logical Router (Control VM; .1 on DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24 and Web Tier 10.1.10.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27) and a Perimeter Gateway HA pair at .1 on the transit network, joined by a Heartbeat Network of 192.168.222.1/30 and 192.168.222.2/30; Perimeter Gateway at .3 on Production-A. VMs at .11/.12 on each tier; Controllers; Student 172.20.10.80, nsxmgr-a 172.20.10.42, vcva-a 172.20.10.94; SA-ESXi-01 to SA-ESXi-04; Storage; vMotion 172.20.12.0/24, Production-A 172.20.11.0/24 and Management-A 172.20.10.0/24 with dc-rras at .10 on each network; link to Site B.]

Lab 10: Configuring L2 Bridging

[Figure: Distributed Logical Router (.1) on Web Tier 10.1.10.0/24, with a Bridge Instance to the port group L2PG on VLAN 10, 10.1.10.0/24; VMs at .12 and .11.]

Lab 11: Configuring and Testing NAT on an NSX ESG

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829) and Perimeter Gateway with Transit-Interface 10.1.100.1/27 (OSPF Area 829) and Uplink-Interface 172.20.11.3/24 (primary) plus the NAT addresses 172.20.11.5 and 172.20.11.6. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Management-A 172.20.10.10/24.]

DNAT Rules
  Original      Translated
  172.20.11.5   10.1.10.11
  172.20.11.6   10.1.10.12

SNAT Rules
  Original      Translated
  10.1.10.11    172.20.11.5
  10.1.10.12    172.20.11.6

Lab 12: Configuring Load Balancing with NSX Edge Gateway (1)

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829) and Perimeter Gateway acting as Load Balancer, with Transit-Interface 10.1.100.1/27 (OSPF Area 829) and Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP). HTTPS from the client to the VIP and HTTPS from the load balancer to the pool members. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Management-A 172.20.10.10/24.]

Application Profile
  Name                    App-Profile
  Type                    HTTPS
  Enable SSL Passthrough  Enable

Server Pool
  Name       Server Pool
  Algorithm  Round-Robin
  Monitors   None
  Members    web-sv-01a, web-sv-02a

Member Config
  Name             web-sv-01a / web-sv-02a
  IP Address       10.1.10.11 / 10.1.10.12
  Port             443
  Monitor Port     Blank
  Weight           1
  Max Connections  Blank
  Min Connections  Blank

Virtual Server
  Enable Virtual Server  Checked
  Application Profile    App-Profile
  Name                   VIP
  Description            Blank
  IP Address             172.20.11.7
  Protocol               HTTPS
  Port                   443
  Default Pool           Server-Pool
  Connection Limit       Blank
  Connection Rate Limit  Blank

Lab 12: Configuring Load Balancing with NSX Edge Gateway (2)

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829) and Perimeter Gateway acting as Load Balancer, with Transit-Interface 10.1.100.1/27 (OSPF Area 829), Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP), and the logical switch Web Tier-Temp with 10.1.10.1 (VIP) on the Load Balancer. HTTPS from the client to the VIP and HTTPS to the pool members. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Management-A 172.20.10.10/24.]

Application Profile
  Name                    App-Profile
  Type                    HTTPS
  Enable SSL Passthrough  Enable

Server Pool
  Name       Server Pool
  Algorithm  Round-Robin
  Monitors   None
  Members    web-sv-01a, web-sv-02a

Member Config
  Name             web-sv-01a / web-sv-02a
  IP Address       10.1.10.11 / 10.1.10.12
  Port             443
  Monitor Port     Blank
  Weight           1
  Max Connections  Blank
  Min Connections  Blank

Virtual Server
  Enable Virtual Server  Checked
  Application Profile    App-Profile
  Name                   VIP
  Description            Blank
  IP Address             10.1.10.1
  Protocol               HTTPS
  Port                   443
  Default Pool           Server-Pool
  Connection Limit       Blank
  Connection Rate Limit  Blank

Lab 13: Advanced Load Balancing (1)

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829) and Perimeter Gateway acting as Load Balancer, with Transit-Interface 10.1.100.1/27 (OSPF Area 829), Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP), and the logical switch Web Tier-Temp with 10.1.10.1 (VIP) on the Load Balancer. HTTPS from the client to the VIP and HTTP from the load balancer to the pool members. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Management-A 172.20.10.10/24.]

Application Profile
  Name                    App-Profile
  Type                    HTTPS
  Enable SSL Passthrough  Disabled

Server Pool
  Name       Server Pool
  Algorithm  Round-Robin
  Monitors   None
  Members    web-sv-01a, web-sv-02a

Member Config
  Name             web-sv-01a / web-sv-02a
  IP Address       10.1.10.11 / 10.1.10.12
  Port             80
  Monitor Port     80
  Weight           1
  Max Connections  Blank
  Min Connections  Blank

Virtual Server
  Enable Virtual Server  Checked
  Application Profile    App-Profile
  Name                   VIP
  Description            Blank
  IP Address             10.1.10.1
  Protocol               HTTPS
  Port                   443
  Default Pool           Server-Pool
  Connection Limit       Blank
  Connection Rate Limit  Blank

Lab 13: Advanced Load Balancing (2)

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24, Web Tier 10.1.10.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829) and Perimeter Gateway acting as Load Balancer, with Transit-Interface 10.1.100.1/27 (OSPF Area 829), Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP). HTTP and HTTPS from the client to the VIP and HTTPS to the pool members. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Management-A 172.20.10.10/24.]

Application Profile
  Name                    App-Profile
  Type                    HTTPS
  Enable SSL Passthrough  Disabled

Server Pool
  Name       Server Pool
  Algorithm  Round-Robin
  Monitors   None
  Members    web-sv-01a, web-sv-02a

Member Config
  Name             web-sv-01a / web-sv-02a
  IP Address       10.1.10.11 / 10.1.10.12
  Port             443
  Monitor Port     Blank
  Weight           1
  Max Connections  Blank
  Min Connections  Blank

Virtual Server
  Enable Virtual Server  Checked
  Application Profile    App-Profile
  Name                   VIP
  Description            Blank
  IP Address             172.20.11.7
  Protocol               HTTPS
  Port                   443
  Default Pool           Server-Pool
  Connection Limit       Blank
  Connection Rate Limit  Blank

Lab 14: Configuring Layer 2 VPN Tunnel

[Figure: Site A and Site B. Site A: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829); Perimeter Gateway (Transit-Interface in OSPF Area 829) with Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP), acting as L2VPN Server through the sub-interface Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24); VMs web-sv-01a 10.1.10.11, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Production-B 172.20.111.10/24. Site B: Remote Gateway 172.20.111.8 acting as L2VPN Client, with Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24) on the trunk port group L2VPN-RemoteSiteTrunk; web-sv-01b 10.1.10.13 (GW 10.1.10.1).]

Perimeter Gateway (Site A) – L2VPN Server
  Global Configuration
    Listener IP                  172.20.11.3
    Listener Port                443
    Encryption Algorithm         AES128-SHA
    Server Certificate           Use System Generated Certificate: Yes
  Site Configuration
    Enable Peer Site             Yes
    Name                         L2VPN – Site A
    Description                  Blank
    User ID                      vpnuser
    Password                     VMware1!
    Stretched Interfaces         Subint-to-Web-Tier
    Egress Optimization          Blank
    Enable Unstretched Networks  No

Remote Gateway (Site B) – L2VPN Client
    Server Address               172.20.11.3
    Server Port                  443
    Encryption Algorithm         AES128-SHA
    Stretched Interfaces         Subint-to-Web-Tier
    Egress Optimization          Blank
    Enable Unstretched Networks  No
    User ID                      vpnuser
    Password                     VMware1!

Site B Distributed Port Groups:
  • L2VPN-RemoteSiteTrunk
  • VPN-Web Tier

Lab 15: Configuring IPsec Tunnels

[Figure: Site A and Site B. Site A: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829); Perimeter Gateway (Transit-Interface in OSPF Area 829; static route 10.1.0.0/16 with Next Hop 10.1.100.2) with Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP) and the L2VPN server sub-interface Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24); VMs web-sv-01a 10.1.10.11, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24 and Production-B 172.20.111.10/24. Site B: Remote Gateway 172.20.111.8 (L2VPN client on L2VPN-RemoteSiteTrunk; Subint-to-Web-Tier 10.2.40.1); web-sv-01b 10.2.40.11.]

IPSec VPN Configuration
  Perimeter Gateway (Site A)               Remote Gateway (Site B)
  Enabled               Yes                Enabled               Yes
  Enable PFS            Yes                Enable PFS            Yes
  Name                  Local-Remote       Name                  Local-Remote
  Local ID              Local              Local ID              Remote
  Local Endpoint        172.20.11.3        Local Endpoint        172.20.111.8
  Local Subnets         10.1.10.0/24       Local Subnets         10.1.40.0/24
  Peer ID               Remote             Peer ID               Local
  Peer Endpoint         172.20.11.8        Peer Endpoint         172.20.11.3
  Peer Subnets          10.2.40.0/24       Peer Subnets          10.2.10.0/24
  Encryption Algorithm  AES                Encryption Algorithm  AES
  Authentication        PSK                Authentication        PSK
  Pre-shared Key        VMware1!           Pre-shared Key        VMware1!
  Diffie-Hellman Group  DH2                Diffie-Hellman Group  DH2
  Extension             Blank              Extension             Blank

Lab 16: Configuring and Testing SSL VPN-Plus

[Figure: Site A and Site B. Site B: Remote Gateway 172.20.111.8 acting as SSL VPN Server on its Uplink-Interface 172.20.111.8, with L2VPN-RemoteSiteTrunk and Subint-to-Web-Tier (Tunnel ID 10, 10.1.10.1/24); web-sv-01b 10.1.10.13. Site A: Student 172.20.10.80; dc-rras at Production-B 172.20.111.10/24.]

SSL VPN-Plus Server Settings
  IPv4 Address                    172.20.111.8
  IPv6 Address                    None
  Port                            443
  CipherList                      AES256-SHA
  Use Default Server Certificate  Checked
  Status                          Enabled

SSL VPN-Plus Private Networks
  Network                  10.2.40.0/24
  Description              None
  Send Traffic             Over Tunnel
  Enable TCP Optimization  Checked
  Ports                    Blank
  Status                   Enabled

SSL VPN-Plus Authentication Server
  Server Type             Local
  Enable Password Policy  Unchecked
  Enable Account Lockout  Unchecked
  Status                  Enabled
  Use for Secondary Auth  Unchecked

SSL VPN-Plus Installation Package
  Gateway                        172.20.111.8
  Port                           443
  Create Package for             Windows only
  Description                    Empty
  Status                         Enabled
  Start Client on Logon          Unchecked
  Allow Remember Password        Checked
  Enable Silent Mode Install     Checked
  Hide SSL Client Adapter        Unchecked
  Create Desktop Icon            Checked
  Enable Silent Mode Operation   Unchecked
  Server Certificate Validation  Unchecked

SSL VPN-Plus User
  User ID                 Vpn-user
  Password                VMware1!
  First Name              Blank
  Last Name               Blank
  Description             Blank
  Password Never Expires  Checked
  Allow Change Password   Checked
  Change on Next Login    Unchecked
  Status                  Enabled

SSL VPN-Plus IP Pool
  IP Range       192.168.170.2-254
  Netmask        255.25.255.0
  Gateway        192.168.170.1
  Description    Blank
  Status         Enabled
  Primary DNS    Blank
  Secondary DNS  Blank
  DNS Suffix     Blank
  WINS Server    Blank

Lab 17: Using the VMware NSX Distributed Firewall Rules to Control Network Traffic

DFW Rules
  Rule Name               Source                     Destination                Service       Action
  Allowed Web to App      Logical Switch: Web-Tier   Logical Switch: App-Tier   Tomcat-8443   ALLOW
  Allowed App to DB       Logical Switch: App-Tier   Logical Switch: DB-Tier    MySQL         ALLOW
  Allowed to Web Servers  Any                        Logical Switch: Web Tier   HTTP, HTTPS   ALLOW
  Default                 ANY                        ANY                        ANY           BLOCK

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829); Perimeter Gateway (Transit-Interface in OSPF Area 829; Subint-to-Web-Tier, Tunnel ID 10, 10.1.10.1/24) with Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP); HTTP and HTTPS from the uplink to the web servers. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24.]
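As an added illustration (not part of the course material), the following Python models how the Lab 17 rule table above is evaluated: rules are checked top-down and the first match decides, so any flow the three ALLOW rules do not name falls through to the default BLOCK. It uses the lab's tier subnets as a stand-in for logical-switch membership; the MySQL, HTTP and HTTPS port numbers are the IANA defaults, which the page does not state.

```python
"""Model the Lab 17 DFW rule set and check constructed flows against it.

Simplifications (assumptions, not NSX behaviour): logical-switch membership
is approximated by the tier subnet, and only the initiating direction of a
flow is checked, as a stateful firewall would do.
"""
import ipaddress
from dataclasses import dataclass

# Tier subnets from the lab addressing tables, used as logical-switch scope.
LOGICAL_SWITCHES = {
    "Web-Tier": ipaddress.ip_network("10.1.10.0/24"),
    "App-Tier": ipaddress.ip_network("10.1.20.0/24"),
    "DB-Tier": ipaddress.ip_network("10.1.30.0/24"),
}

# Service objects as (protocol, port). Tomcat-8443 is named on the page;
# the other ports are IANA defaults (assumption).
SERVICES = {
    "Tomcat-8443": {("tcp", 8443)},
    "MySQL": {("tcp", 3306)},
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str         # logical switch name or "ANY"
    destination: str    # logical switch name or "ANY"
    services: tuple     # service names, or ("ANY",)
    action: str         # "ALLOW" or "BLOCK"


# The Lab 17 table, in rule order; the last entry is the default rule.
LAB17_RULES = (
    Rule("Allowed Web to App", "Web-Tier", "App-Tier", ("Tomcat-8443",), "ALLOW"),
    Rule("Allowed App to DB", "App-Tier", "DB-Tier", ("MySQL",), "ALLOW"),
    Rule("Allowed to Web Servers", "ANY", "Web-Tier", ("HTTP", "HTTPS"), "ALLOW"),
    Rule("Default", "ANY", "ANY", ("ANY",), "BLOCK"),
)


def _in_scope(ip, scope):
    """True if the address is inside the rule's source/destination scope."""
    if scope == "ANY":
        return True
    return ipaddress.ip_address(ip) in LOGICAL_SWITCHES[scope]


def _service_matches(proto, port, services):
    if services == ("ANY",):
        return True
    return any((proto, port) in SERVICES[name] for name in services)


def evaluate(src_ip, dst_ip, proto, dport, rules=LAB17_RULES):
    """Return (action, rule name) of the first rule that matches the flow."""
    for rule in rules:
        if (_in_scope(src_ip, rule.source)
                and _in_scope(dst_ip, rule.destination)
                and _service_matches(proto, dport, rule.services)):
            return rule.action, rule.name
    raise ValueError("rule set has no catch-all default rule")


if __name__ == "__main__":
    # Constructed flows: the three allowed paths plus two the tiers must not take.
    flows = [
        ("10.1.10.11", "10.1.20.11", "tcp", 8443),   # web-sv-01a -> app-sv-01a
        ("10.1.20.11", "10.1.30.11", "tcp", 3306),   # app-sv-01a -> db-sv-01a
        ("172.20.10.80", "10.1.10.11", "tcp", 443),  # Student -> web-sv-01a
        ("10.1.10.11", "10.1.30.11", "tcp", 3306),   # web tier straight to DB
        ("172.20.10.80", "10.1.20.11", "tcp", 8443), # Student straight to app
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
```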

Lab 18: Using NSX Edge Firewall Rules to Control Network Traffic

Edge Firewall Rules
  Rule Name               Source   Destination                Service       Action
  Allowed to Web Servers  ANY      IP Set: Local Web Servers  HTTP, HTTPS   ACCEPT
  Default                 ANY      ANY                        ANY           DENY

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829); Perimeter Gateway (Transit-Interface in OSPF Area 829; Subint-to-Web-Tier, Tunnel ID 10, 10.1.10.1/24) with Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP); HTTP and HTTPS from the uplink to the web servers. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24.]

Lab 19: Configuring and Using SpoofGuard and IP Discovery

[Figure: two Windows virtual machines. Windows7 virtual machine with trusted IP address 172.20.10.150; Windows7-2 virtual machine with untrusted IP address 172.20.10.151.]

Lab 20: Using VMware NSX Service Composer

DFW Rules
  Rule Name                     Source                   Destination        Service   Action
  Allowed SSH to Admins         Security Group: AD-SSH   Cluster: Compute   SSH       ALLOW
  Blocked SSH for Normal Users  ANY                      Cluster: Compute   SSH       BLOCK

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829); Perimeter Gateway (Transit-Interface in OSPF Area 829; Subint-to-Web-Tier, Tunnel ID 10, 10.1.10.1/24) with Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP); HTTP and HTTPS from the uplink to the web servers. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24.]

Security Group: Activity Monitoring Data Collection
  Dynamic Inclusion  VM Name Contains "virus"
  Static Inclusion   None
  Static Exclusion   DV Port Group: Management

Isolate Compromised VMs
  Guest Introspection    None
  Firewall Rules         Block all Traffic
  Network Introspection  None
  Apply Policy To        Quarantine Group

Lab 21: Configuring an Identity-Aware Firewall

DFW Rules
  Rule Name                     Source                   Destination        Service   Action
  Allowed SSH to Admins         Security Group: AD-SSH   Cluster: Compute   SSH       ALLOW
  Blocked SSH for Normal Users  ANY                      Cluster: Compute   SSH       BLOCK

[Figure: Distributed Logical Router (Control VM; DB Tier 10.1.30.0/24, App Tier 10.1.20.0/24; Transit-Network 10.1.100.2/27, Protocol Address 10.1.100.3/27, OSPF Area 829); Perimeter Gateway (Transit-Interface in OSPF Area 829; Subint-to-Web-Tier, Tunnel ID 10, 10.1.10.1/24) with Uplink-Interface 172.20.11.3/24 (primary), 172.20.11.5 (NAT), 172.20.11.6 (NAT), 172.20.11.7 (VIP); HTTP and HTTPS from the uplink to the web servers. VMs web-sv-01a 10.1.10.11, web-sv-02a 10.1.10.12, app-sv-01a 10.1.20.11, db-sv-01a 10.1.30.11; Controllers; Student 172.20.10.80; dc-rras at Production-A 172.20.11.10/24.]

Security Group: Activity Monitoring Data Collection    Security Group: AD-SSH
  Dynamic Inclusion  None                                Dynamic Inclusion  None
  Static Inclusion   Compute                             Static Inclusion   Directory Group: AD-SSH
  Static Exclusion   None                                Static Exclusion   None

Lab 22: Micro-segmentation with Application Rule Manager

[Figure: application diagram with four workloads: Web, Web, App and DB.]

Lab 23: Guest Introspection and Endpoint Monitoring

Lab 24: Configuring Cross-vCenter VMware NSX

[Figure: Site A (Primary): Student 172.20.10.80, nsxmgr-a 172.20.10.42, vcva-a 172.20.10.94, SA-ESXi-01 to SA-ESXi-04, Storage, vMotion 172.20.12.0/24, Production-A 172.20.11.0/24, Management-A 172.20.10.0/24, dc-rras at .10 on each network, web-sv-01a 10.1.10.11. Site B (Secondary): nsxmgr-b 172.20.110.43, vcva-b 172.20.110.95, SB-ESXi-01, vMotion 172.20.12.0/24, web-sv-01b 10.1.10.13. A Universal Controller Cluster and the Universal Web-Tier logical switch span both sites; the Universal Section holds the DFW rule below.]

Universal DFW Rule
  Rule Name   Source   Destination              Service       Action
  web-sv-01a  ANY      IP Address: 10.1.10.11   HTTP, HTTPS   ALLOW

Site A VXLAN ID Pool: 5000-5999 (Segment ID Pool)
Site B VXLAN ID Pool: 6000-6999 (Segment ID Pool)
Universal Segment ID Pool: 7000-7999
