NSX Install Guide Part 1 – Mgmt and Control Planes

Part 1 provides details of the deployment and official documentation, we’ll build the management and control planes by deploying NSX Manager and an NSX Controller cluster. Part 2 will walk through the data plane components; host preparation, VTEP / VXLAN configuration, transport zone, and logical switches. Finally in Part 3 we’ll create and configure NSX Edge and Distributed Logical Routers. In order to get NSX up and running we’ll need:
NSX can run on any edition of vSphere from v5.5 Update 3 onwards. For versions 5.5 Update 1 and 2 Enterprise Plus licensing is required. NSX comes in Standard, Advanced, and Enterprise editions, the feature differences between editions can be found on the product page here.
There is a great hardware calculator available on virten.net here, useful for calculating the resource requirements of your design. You can also view NSX version history on the same site, here. NSX reference poster (below) available here.
nsxref

Installation

The focus of these guides will be on the deployment and configuration of the components which make up the NSX installation. The NSX model can be broken down into the following sections:
  • Management Plane: provides the UI and REST API interfaces. Consists of the NSX Manager and vCenter Server, as well as a message bus agent to carry communication between other planes in the model.
  • Control Plane: runs in the the NSX Controller cluster which manages the run-time state of logical networks. Does not carry data traffic but connects to the management and data planes using the user world agent.
NSX Install Guide Part 2 – Data Plane
NSX Install Guide Part 3 – Edge and DLR
  • Data Plane: contains the NSX vSwitch and NSX Edge. The NSX vSwitch is made up of the distributed switch and kernel modules running in the hypervisor enabling VXLAN bridging capabilities and distributed services. The NSX Edge acts as gateway device providing L2 bridging from VXLAN to the physical network, as well as other services such as perimeter firewall, load-balancing, VPN, and so on.
  • After NSX is installed you may want to use Guest Introspection to offload AV scanning to a dedicated Service Virtual Machine (SVM) provided by a third party. For more information on Guest Introspection and service deployments see the NSX Manager Guest Introspection post.
There are a number of supported topologies for the vSphere environment,  review the resources listed below for more details. In this example a vCenter Server Appliance has been deployed with 2 vSphere clusters; the management cluster is made up of 3 hosts and will be hosting the vCenter Server, NSX Manager, NSX Controllers, and NSX Edge gateways. The compute cluster is made up of 4 hosts running virtual machine workloads. Distributed switches (vDS) are configured, with the usual redundancies, 1 for management and vMotion traffic (different VMkernel ports), 1 for VXLAN, and 1 for  NSX Edges to connect out to external networks.
You’ll also need an IP addressing scheme in place, IP Pools are required for the deployment of NSX Controllers (minimum 3 recommended) and VTEP interfaces (1 per host, can also be DHCP). The setup wizards allow you to create an IP Pool at the time of deployment, however if you need to extend an existing IP Pool, or want to create your IP Pools in advance, see this post.
hosts
If you want to span virtual networks and objects (logical switches, routers, distributed firewall rules) across multiple sites or vCenter Server instances see the Configuring VMware Cross-vCenter NSX post.

Resources

All links referenced below are official VMware resources:
  • NSX 6.2.5 download link (NSX 6.3.0 download link)
  • NSX 6.2.5 release notes link (NSX 6.3.0 release notes link)
  • NSX 6.2 documentation centre link (NSX 6.3 documentation centre link)
  • NSX Hands on Labs link
  • NSX technical white paper link
  • NSX product walkthrough link
  • NSX design guide link
  • NSX validated designs link
  • NSX icons are available here for designing your own solution.

Installing NSX Manager

NSX Manager is deployed and registered with vCenter Server on a 1:1 mapping. Upon registration a plug-in is injected into the vSphere web client to enable deployment and management of logical networks and services.
Before beginning add a DNS entry for the NSX Manager in the relevant zone. Download the NSX Manager OVA file here. The NSX Manager appliance is preconfigured with 16 GB RAM, 4 vCPU and 60 GB disk. VMware recommend a memory reservation for NSX Manager in production environments.
download
Deploy the OVA file to the vCenter, in the customisation options configure the appliance network settings. Once the NSX Manager appliance is deployed and powered on open a web browser to the configured IP address. Log in with the admin account, if you didn’t change the password during deployment the default password is default.
nsx2
Click Manage vCenter Registration, under vCenter Server click Edit. Enter the name of the vCenter server to register NSX Manager and the relevant credentials, click Ok. Configure the vCenter settings under Lookup Service URL by clicking Edit, enter the vCenter host name and SSO details, click Ok.
Note the Backup & Restore option, this method uses FTP / SFTP and is currently the only supported way of backing up and restoring NSX Manager, for more information see VMware NSX Backup and Restore. Browse to the Manage Appliance Settings page, configure a time server and check DNS and host name settings are correct. You can also configure a syslog server, such as vRealize Log Insight, and change network settings if required.
nsxmanager
After configuring NSX Manager restart the VMware vSphere Web Client on the vCenter Server the NSX Manager was registered with. You may also need to restart your browser. Log in to the vSphere web client and browse to Networking & Security, click NSX Managers and verify the newly deployed NSX Manager is present.
ip1
To configure additional permissions select the NSX Manager and click Manage, Users. Here you can add, edit, and remove users and permissions. Each role provides a description of the level of access, for more information on NSX permissions click here. To add Active Directory permissions to NSX Manager select the Domains tab, and click the green plus symbol to add the LDAP details.
To apply a license key to NSX Manager select the Administration option from the home page of the vSphere web client, click Licenses, Assets, Solutions. Highlight NSX for vSphere and click the All Actions drop down menu, select Assign License. Add a new license key or assign an existing license key and click Ok.

Installing NSX Controllers

  • The NSX Controller cluster is made up of 3 NSX Controllers for high availability, ideally these should be deployed to 3 different hosts in a management cluster, and 3 different datastores, to provide redundancy.
  • The NSX Controller cluster provides the control plane and is responsible for maintaining information of logical switches and distributed logical routers, as well as hosts and virtual machines.
  • NSX Controllers are deployed as Linux based virtual machines with 2 vCPU, 4 GB RAM, and 20 GB disk.
  • NSX Controllers require an IP address from a defined IP Pool, preferably on the same subnet as the ESXi management addresses.
Log into the vSphere web client and select Networking & Security. From the left hand navigator pane click Installation. In the NSX Controllers section click the green plus symbol to add a controller.
controllers1
Populate the fields in the Add Controller wizard, where possible deploy each controller to a different host. For the IP Pool click Select; each NSX Controller uses an IP address from the IP Pool. If you have created IP Pools prior they will be listed here, if you need to extend an existing IP Pool see this post. Alternatively to create a new pool click New IP Pool.
controllers2
To create a new IP Pool fill in the details in the Add Static IP Pool wizard. The IP Pool used can be shared with other services (i.e. doesn’t have to be dedicated to NSX Controllers) as long as there are enough free IP addresses in the pool for all 3 controllers.
controllers3
When you have configured the IP Pool click Ok on the Add Controller wizard. The first controller will now be deployed.
deploying
When the deployment has completed repeat the process a further two times, using the same IP Pool. You may notice the password field is absent when deploying the second and third controllers; subsequent NSX controllers are configured with the same root password as the first deployed controller.
deployed
The NSX Controllers are ready to use. If you do have enough hosts to run the controllers on separate hosts then configure a DRS anti-affinity rule to keep them apart with the following steps:
  • In the vSphere web client click on the cluster where the NSX Controllers reside.
  • Open the Manage tab and select VM/Host Rules under Configuration.
  • Click Add to create a new rule.
  • Choose to Separate Virtual Machines and add the NSX Controllers, click Ok.
drs

Firewall Exclusions

VMware recommend that any management virtual machines are excluded from the NSX distributed firewall. Likely candidates are the vCenter Server, vCenter database (if external), Platform Services Controller (if external), etc. If you have a separate management cluster and are not preparing the management hosts for NSX then you do not need to worry about this step.
If you have management VMs running on hosts with NSX installed, i.e. host preparation, which we’ll do next, and distributed firewall enabled; then we need to exclude those virtual machines. By default the NSX Manager, NSX Controllers, and NSX Edge virtual machines are automatically excluded from the NSX distributed firewall.
  • From the vSphere web client select Networking & Security, click NSX Managers.
  • Select the NSX Manager and click the Manage tab, then Exclusions List.
  • Click the green plus symbol, select the virtual machines to add to the exclusions list and click Add, and Ok.
exclusions
The virtual machines are now excluded from distributed firewall protection. It’s also worth noting that if a new vNIC is added to any of the VMs after adding them to the exlusions list, then the distributed firewall is still automatically deployed to that new vNIC. In this case you need to either power cycle the virtual machine, or remove and re-add it to the exclusion list.

Comments

Post a Comment

Popular posts from this blog

Avamar falied to take backup of all virtual machine

Recently I encountered an issue where Avamar failed to take backup. Logs stating  insufficient Permission in the host OS 2018-02-19 06:59:56 avvcbimage Error <0000>: [IMG0008] Failed to connect to virtual disk [VMAXDS] VM/VM-000002.vmdk (3014) (3014) Insufficient permissions in the host operating system (Log #2)  We verified the permission on the vCenter but no luck,However on demand backup from local Account is with same level of access is successful. While investigation further we found that there are errors related to DNS, and even some DNS server are getting backed up via avamar. We asked to remove DNS from Avamar back considering VM stun operation during the backup but it did not help to resolve the issue. Later on we found that DNS server which is hardcoded in Avamar was decommission due which Domain ID's were unable to run backup on vCenter
Read more

How to Configure IPsec VPN within VMware NSX Edge

Image
This article shows you how to create an IPsec VPN between a NSX Edge Gateway with a vCloud Director/NSX Manager and a remote Client site. First you need basic details from client so that you can configure IPSec VPN from your end.Like you need Phase 1 and Phase 2 Details. (This document related to NSX Edge 6.3.2) Image Credit VMware Note: NSX Edge supports Main Mode for Phase 1 and Quick Mode for Phase 2. Phase 1 Parameters Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by NSX Edge are: Main mode TripleDES / AES [Configurable] SHA-1 MODP group 2 (1024 bits) pre-shared secret [Configurable] SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying ISAKMP aggressive mode disabled In 6.3.2 you Can see basic details or you can say this is mixed mode like Phase 1 and Phase 2 they don’t have different tabs or options. Here are details which you have to ...
Read more

Deploy a 2-node vSAN cluster

Image
A 2-node hyperconverged cluster is useful in branch office where you need high availability or for small infrastructure. With 2-node hyperconverged solution, you don’t need to leverage a NAS or a SAN for the shared storage. So, the hardware footprint is reduced and the manageability is improved because hyperconverged solution are easier to use than standard infrastructure with SAN. VMware provides a Software-Defined Storage solution called vSAN. vSAN can be deployed from 2 nodes to 16 nodes. 2-node cluster should be used for ROBO (Remote Office and Branch Office). A 2-node cluster requires a Witness Appliance provided by VMware freely while the appliance is virtual. The Witness Appliance is based on ESXi. This is the first time that VMware supports a scenario in production with a nested ESXi. This topic describes how to deploy a 2-node vSAN cluster and its witness appliance. Why you need a witness appliance vSAN is something like a RAID over the network. vSAN curre...
Read more