NSX Useful numbers – VCP-NV Study

These are some of the useful numbers I’ve collated as I’ve been doing the study guide. I’m happy to add more if anyone thinks I’ve missed some important ones.

Prerequisites

VMware vCenter Server 5.5 or later

VMware ESX 5.0 or later for each server

VMware Tools – For vShield Endpoint and NSX Data Security, you must upgrade your virtual machines to hardware version 7 or 8 and install VMware Tools 8.6.0 released with ESXi 5.0 Patch 3.

MTU minimum 1550, 1600 recommended

vHardware Minimums

Component           vCPU  vMEM    vDISK
NSX Manager         4     12 GB   60 GB
NSX Controller      4     4 GB    20 GB
Edge Compact        1     512 MB  512 MB
Edge Large          2     1 GB    512 MB
Edge Quad Large     4     1 GB    512 MB
Edge X-Large        6     8 GB    4.5 GB (4 GB swap)
vShield Endpoint    2     1 GB    4 GB
NSX Data Security   1     512 MB  6 GB

Maximums

DHCP Pools – 20,000

Segment IDs (VNI) – 10,000

Audit Logs – 1,000,000

TCP Ports

443 between the ESXi hosts, vCenter Server, and NSX Manager.

443 between the REST client and NSX Manager.

TCP 902 and 903 between the vSphere Web Client and ESXi hosts.

TCP 80 and 443 to access the NSX Manager management user interface and initialize the vSphere and NSX Manager connection.

TCP 22 for CLI troubleshooting.

vSphere Scalability

1000 Hosts

10000 VMs

10000 Port groups

60,000 virtual ports

Logical Router

up to 1000 interfaces

up to 8 uplinks

1200 DLR instances total

100 DLR instances per ESXi host

Edge

HA default heartbeat failover interval 15 seconds (5x 3 seconds), can be reduced to 6 seconds minimum.
HA heartbeat minimum frequency = 1 second

NSX Manager

1 NSX Manager per vCenter Server (a one-to-one mapping)

Backup Frequency – Hourly/Daily/Weekly

NSX Controllers

3 minimum, must be an odd number

VXLAN

VNI – 24-bit number – 2^24, roughly 16M VXLAN networks

MTU 1600 bytes to support VXLAN with IPv4 and IPv6 traffic

Allows for:
50 bytes overhead for VXLAN encapsulation
54 bytes overhead if VLAN tagging is used

Uses UDP port 8472 as the transport port in NSX 6.0/6.1 (later NSX 6.2 releases switch the default to the IANA-assigned VXLAN port 4789). Every VTEP, and any firewall on the transport network, must agree on the port.

LACP

64 LAGs per host

64 LAGs per distributed switch

802.1Q – VLAN tagging

4096 VLAN IDs (12-bit field); IDs 0 and 4095 are reserved, so 4094 are usable

VPN

IPsec VPN – maximum of 64 tunnels across maximum of 10 sites

SSL VPN – up to 25 users

Objective 9.5 – Troubleshoot Common vSphere Networking Issues

Knowledge

This is the same as VCP5-DCV exam blueprint section 6.2

  • Verify network configuration
    • Use host profiles where possible to ensure consistent configuration
    • Use vDS where possible to minimise configuration effort across multiple hosts
    • Check configuration of Port Groups / dvPort Groups
    • Check Load Balancing and Failover Policies
    • Check Security Policies (Promiscuous Mode, Forged Transmits etc)
    • Verify that VLAN settings are correct and consistent across a cluster
  • Verify a given virtual machine is configured with the correct network resources. KB1003893 is a good resource for this but as a start:
    • Check that the network associated with the VM’s vNIC exists, and the spelling is consistent across the infrastructure.
    • Check that the “connected” checkbox for the vNIC is checked.
    • Ensure the networking is configured correctly within the Guest OS
    • Verify that the vSwitch has sufficient ports to support the VM
    • Check the uplinks for the vSwitch are consistent (same VLANS)
  • Troubleshoot virtual switch and port group configuration issues
    • Correct spelling of port group names is important and is case sensitive. Consistency of naming and Security Configuration is vital for the smooth running of the infrastructure.
    • Ensure switches are configured correctly (as per point 1) and with sufficient available ports.
  • Troubleshoot physical network adapter configuration issues
    • Ensure all physical NICs assigned to a vSwitch are configured with the same speed, duplex and VLANs on the physical switch
    • If using IP Hash as the load balancing method, ensure link aggregation is configured on the physical switch. IP Hash on a vSwitch or vDS uplink team needs a static port-channel (EtherChannel); LACP is only supported with a vDS LAG.
    • You can use CDP or LLDP to assist with network troubleshooting; it will identify the switch ports that are connected to each pNIC.
  • Identify the root cause of a network issue based on troubleshooting information
    • The root cause is likely to fall into one of 4 main areas:
      • VM
      • Port Group / vSwitch configuration
      • Host Uplinks
      • Physical Switch configuration
    • Use the above notes to assist with determining the area at fault; working from the VM down is probably easiest.
    • vmkping can be used to ping out through vmknics: -I vmkX selects the source vmknic, -D enables VMkernel TCP stack debug mode, and ++netstack=vxlan -d -s 1572 tests the VTEP path at the full 1600-byte MTU without fragmentation (1572 bytes of payload plus 28 bytes of IP/ICMP header).

Tools

Objective 9.4 – Troubleshoot Common Connectivity Issues

Knowledge

  • Review netcap logs for control plane connectivity issues
    • I believe this is a typo – should be netcpa logs
      ssh into the NSX controller and run:

      show log cloudnet/cloudnet_java-vnet-controller.log

      ssh into the ESX host and run:

      tail -f /var/log/netcpa.log
    • If you want to troubleshoot your User World Agent, you can increase the netcpa log level like this:
      Start by stopping the daemon

      # /etc/init.d/netcpad stop

      Enable write permission on netcpa's config file (on ESXi the sticky bit, +t, also marks the file for inclusion in the saved configuration so the edit survives a reboot):

      # chmod +wt /etc/vmware/netcpa/netcpa.xml

      Increase log level:

      # vi /etc/vmware/netcpa/netcpa.xml

      Change the XML's /config/log/level value to "verbose", save and restart netcpad

      # /etc/init.d/netcpad start

      Set the level back to its previous value once you have the trace you need; verbose logging is noisy.
  • Verify VXLAN, VTEP, MAC, and ARP mapping tables
    • VXLAN
      # show control-cluster vnet vxlan vni <vni>
      # esxcli network vswitch dvs vmware vxlan network list --vds-name=<VDS_NAME>
      
      VXLAN ID  Multicast IP               Control Plane                        Controller Connection  Port Count  MAC Entry Count  ARP Entry Count  MTEP Count
      --------  -------------------------  -----------------------------------  ---------------------  ----------  ---------------  ---------------  ----------
          5000  N/A (headend replication)  Enabled (multicast proxy,ARP proxy)  192.168.110.202 (up)            1                1                0           0
          5004  N/A (headend replication)  Enabled (multicast proxy,ARP proxy)  192.168.110.203 (up)            1                0                0           0
    • VTEP
      # show control-cluster vnet vxlan vtep-table <vni>
      # esxcli network vswitch dvs vmware vxlan network vtep list --vds-name=<VDS_NAME> --vxlan-id=<VXLAN_ID>
      # show control-cluster logical-switches vtep-records <ESXi_MGT_IP>
      
      VNI      IP              Segment         MAC               Connection-ID
      5001     192.168.150.51  192.168.150.0   00:50:56:60:6a:3a 2
    • MAC
      # show control-cluster vnet vxlan mac-table <vni>
      # esxcli network vswitch dvs vmware vxlan network mac list --vds-name=<VDS_NAME> --vxlan-id=<VXLAN_ID>
      # show control-cluster logical-switches mac-records <ESXi_MGT_IP>
    • ARP (the ARP table commands follow the same pattern as the VTEP and MAC ones above)
      # show control-cluster vnet vxlan arp-table <vni>
      # esxcli network vswitch dvs vmware vxlan network arp list --vds-name=<VDS_NAME> --vxlan-id=<VXLAN_ID>
      
  • List VNI configuration
    • From the NSX Controller CLI
      • List
        # show control-cluster vnet vxlan vni -l
      • Display
        # show control-cluster vnet vxlan vni <vni>
  • View VXLAN connection tables and statistics
    • Connection tables
      # show control-cluster vnet vxlan connection-table <vni>
    • Statistics
      # show control-cluster vnet vxlan vni-stats <vni>
  • Perform VTEP connectivity tests
    • At a logical switch level on the monitoring tab, use unicast or broadcast test to verify VTEP connectivity
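Added example, not from the study guide or from VMware: a small health check over the `esxcli network vswitch dvs vmware vxlan network list` output quoted above, written in POSIX sh plus awk so it also runs in the ESXi shell (busybox). It keys only on the first column (VXLAN ID), the last five columns (controller connection state and the four counters) and the literal "Enabled (" / "(up)" / "(down)" strings, so the spaces inside the middle columns do not matter. The sample table inside the block is constructed for the example; the "Disabled" / "N/A" rendering of a multicast-mode VNI is an assumption about the output format.

```shell
#!/bin/sh
# check_vxlan_networks < esxcli-output
#   Reads the output of
#     esxcli network vswitch dvs vmware vxlan network list --vds-name=<VDS_NAME>
#   and prints one line per VNI that needs attention.
#   Exit 1 if any controller-managed VNI reports a controller connection
#   that is not "up", exit 0 otherwise.
check_vxlan_networks() {
    awk '
    NR <= 2 { next }                     # header line and dash line
    NF < 6  { next }                     # blank or partial lines
    {
        vni   = $1
        mac   = $(NF-2)                  # MAC Entry Count
        ports = $(NF-3)                  # Port Count
        conn  = $(NF-4)                  # "(up)", "(down)" or "N/A"
        gsub(/[()]/, "", conn)
        controller_mode = ($0 ~ /Enabled \(/)   # Control Plane column
        if (controller_mode && conn != "up") {
            printf "FAIL VNI %s: controller connection is %s\n", vni, conn
            bad = 1
        } else if (!controller_mode) {
            printf "WARN VNI %s: control plane disabled (multicast mode, needs IGMP/PIM on the physical network)\n", vni
        }
        # Zero remote MACs with a local port is normal for a freshly
        # connected VM, so this is informational only.
        if (ports > 0 && mac == 0)
            printf "INFO VNI %s: %s local port(s) but no remote MAC entries learned yet\n", vni, ports
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample in the same layout as the esxcli output quoted above
# (assumption: multicast-mode VNIs show "Disabled" and "N/A").
# VNI 5001 has its controller connection reported as down.
vxlan_sample() {
    cat <<'EOF'
VXLAN ID  Multicast IP               Control Plane                        Controller Connection  Port Count  MAC Entry Count  ARP Entry Count  MTEP Count
--------  -------------------------  -----------------------------------  ---------------------  ----------  ---------------  ---------------  ----------
    5000  N/A (headend replication)  Enabled (multicast proxy,ARP proxy)  192.168.110.202 (up)            1                1                0           0
    5001  N/A (headend replication)  Enabled (multicast proxy,ARP proxy)  192.168.110.203 (down)          2                0                0           0
    5004  239.1.1.4                  Disabled                             N/A                             1                0                0           0
EOF
}

# On a real host replace vxlan_sample with:
#   esxcli network vswitch dvs vmware vxlan network list --vds-name=<VDS_NAME> | check_vxlan_networks
if vxlan_sample | check_vxlan_networks; then
    echo "all VNIs healthy"
else
    echo "one or more VNIs need attention"
fi
```

A FAIL line means the host cannot reach the controller that owns that VNI, which is exactly the condition that produces stale VTEP/MAC/ARP tables in the commands listed above; chase it with the netcpa log before looking at the data plane.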

Tools

Objective 9.3 – Troubleshoot Common NSX Component Issues

Knowledge

  • Differentiate NSX Edge logging and troubleshooting commands
    • Logging
      • show log <last n|follow|reverse>
        • Display the system log, last n lines, follow the log, show the log in reverse order
    • Troubleshooting
      • debug packet capture Similar to tcpdump
      • debug packet display interface Similar to tcpdump but for specific interface
      • ping <interface> addr ICMP ping, optionally choose the interface
      • show …. Large number of show commands, eg, arp, configuration [interface|dhcp|firewall|ipsec|loadbalancer|nat|ospf|syslog], ip [bgp|ospf|route]
        Too many to list here, see NSX CLI Guide for more detail
  • Verify NSX Controller cluster status and roles
    • SSH to one of your controller VM to use the CLI
      # show control-cluster status
      Type                Status                                       Since
      --------------------------------------------------------------------------------
      Join status:        Join complete                                09/14 14:08:46
      Majority status:    Connected to cluster majority                09/18 08:45:16
      Restart status:     This controller can be safely restarted      09/18 08:45:06
      Cluster ID:         b20ddc88-cd62-49ad-b120-572c23108520
      Node UUID:          b20ddc88-cd62-49ad-b120-572c23108520
      # show control-cluster roles
                                Listen-IP  Master?    Last-Changed  Count
      api_provider         Not configured      Yes  09/18 08:45:17      6
      persistence_server              N/A      Yes  09/18 08:45:17      5
      switch_manager            127.0.0.1      Yes  09/18 08:45:17      6
      logical_manager                 N/A      Yes  09/18 08:45:17      6
      directory_server                N/A      Yes  09/18 08:45:17      6
  • Verify NSX Controller node connectivity
    • # show control-cluster connections
      role                port            listening open conns
      --------------------------------------------------------
      api_provider        api/443         Y         1
      --------------------------------------------------------
      persistence_server          server/2878               Y                   2
                          client/2888     Y         3
                          election/3888   Y         0
      --------------------------------------------------------
      switch_manager      ovsmgmt/6632    Y         0
                          openflow/6633   Y         0
      -------------------------------------------------------- 
      system              cluster/7777    Y         2

      The controller cluster majority leader listens on port 2878; the other nodes show "-" in the listening column. The number of "open conns" on the persistence_server line should equal the number of remaining nodes in the cluster, e.g. 2 for a 3-node cluster.

  • Check NSX Controller API service
    • # show control-cluster connections
      role                port            listening open conns
      --------------------------------------------------------
      api_provider        api/443         Y         1
      --------------------------------------------------------
  • Validate VXLAN and Logical Router mapping tables
    • VXLAN: from an ESXi host, use the esxcli command line
      # esxcli network vswitch dvs vmware vxlan network mac list --vds-name <VDS_NAME> --vxlan-id <VXLAN_ID>
      The sample output below is the VTEP list for the VNI (the remote VTEPs the host knows about), optionally filtered by segment or VTEP IP:
      # esxcli network vswitch dvs vmware vxlan network vtep list --vds-name <VDS_NAME> --vxlan-id <VXLAN_ID> [--segment-id <value> --vtep-ip <value>]
      IP                  Segment ID        Is MTEP
      192.168.0.2         192.168.0.0       False
    • Logical Router
      From the NSX controller

      show control-cluster logical-routers instance all

      This gives the LR instance IDs

      show control-cluster logical-routers interface-summary [instance ID] 
      Interface             Type        Id         IP[]
      lif0                  vlan        0          10.0.0.0/24
      lif1                  vlan        101        10.0.1.0/24
      lif2                  vxlan       5020       172.16.10.1/24
  • List Logical Router instances and statistics
    • List instances
      show control-cluster logical-routers instance all

      or

      show control-cluster logical-routers
    • Statistics
      show control-cluster logical-routers stats
  • Verify Logical Router interface and route mapping tables
    • # show control-cluster logical-routers interface-summary 1
      Interface Type Id IP[]
      lif0 vlan 0 10.0.0.0/24 
      lif1 vlan 1 10.0.1.0/24
    • # show control-cluster logical-routers routes 1
      LR-Id Destination Next-Hop
      1 70.70.70.0/24 10.0.1.2
      1 80.80.80.0/24 10.0.0.2
  • Verify active controller connections
    • # show control-cluster core stats
      messages.received 40
      messages.received.dropped 0
      messages.transmitted 22
      messages.transmit.dropped 0
      messages.processing.dropped 0
      connections.up 2
      connections.down 0
      connections.timeout 0
      connections.active 2
      connections.sharding.subscribed 0
  • View Bridge instances and learned MAC addresses
    • Dump bridge info
      # net-vdr --bridge -l <vdrName>
      
      VDR default+edge-1:1460487509 Bridge Information :
      
      Bridge config:
      Name:id             mybridge:1
      Portset name:
      DVS name:           Mgmt_Edge_VDS
      Ref count:          2
      Number of networks: 2
      Number of uplinks:  0
       
              Network 'vlan-100-type-bridging' config:
              Ref count:          2
              Network type:       1
              VLAN ID:            100
              VXLAN ID:           0
              Ageing time:        300
              Fdb entry hold time:1
              FRP filter enable:  1
      
                      Network port '50331655' config:
                      Ref count:          2
                      Port ID:            0x3000007
                      VLAN ID:            4095
                      IOChains installed: 0
      
              Network 'vxlan-5000-type-bridging' config:
              Ref count:          2
              Network type:       1
              VLAN ID:            0
              VXLAN ID:           5000
              Ageing time:        300
              Fdb entry hold time:1
              FRP filter enable:  1
      
                      Network port '50331655' config:
                      Ref count:          2
                      Port ID:            0x3000007
                      VLAN ID:            4095
                      IOChains installed: 0
    • Lists MAC table, learnt on both VXLAN and VLAN sides
      # net-vdr -b --mac default+edge-1
      
      VDR default+edge-1:1460487509 Bridge Information :
      
      Network 'vlan-100-type-bridging' MAC address table:
      MAC table on PortID:              0x0
      MAC table paging mode:            0
      Single MAC address enable:        0
      Single MAC address:               00:00:00:00:00:00
      MAC table last entry shown:       00:50:56:91:5e:93 VLAN-VXLAN: 100-0 Port: 50331661
      total number of MAC addresses:    1
      number of MAC addresses returned: 1
      MAC addresses:
      Destination Address  Address Type  VLAN ID  VXLAN ID  Destination Port  Age
      -------------------  ------------  -------  --------  ----------------  ---
      00:50:56:91:5e:93    Dynamic           100         0          50331661  0
       
      Network 'vxlan-5000-type-bridging' MAC address table:
      MAC table on PortID:              0x0
      MAC table paging mode:            0
      Single MAC address enable:        0
      Single MAC address:               00:00:00:00:00:00
      MAC table   last entry shown:       00:50:56:ae:9b:be VLAN-VXLAN: 0-5000 Port: 50331650
      total number of MAC addresses:    1
      number of MAC addresses returned: 1
      MAC addresses:
      Destination Address  Address Type  VLAN ID  VXLAN ID  Destination Port  Age
      -------------------  ------------  -------  --------  ----------------  ---
      00:50:56:ae:9b:be    Dynamic             0      5000          50331650  0
    • Display Logical Router instances
      • # net-vdr --instance -l
        
        VDR Instance Information :
        ---------------------------
        VDR Instance:               default+edge-1:1460487509
        Vdr Name:                   default+edge-1
        Vdr Id:                     1460487509
        Number of Lifs:             3
        Number of Routes:           1
        State:                      Enabled
        Controller IP:              192.168.110.201
        Control Plane Active:       Yes
        Control Plane IP:           192.168.110.52
        Edge Active:                Yes
    • Verify NSX Manager services status
      • Service status can be viewed through the NSX Manager web interface (the Summary page lists the NSX Manager services and their state)
    • View Logical Interfaces and routing tables
      • Logical interfaces, from the CLI on an ESXi host
        # net-vdr --lif -l default+edge-1
        
        VDR default+edge-1:1460487509 LIF Information :
        
        Name:                570d45550000000c
        Mode:                Routing, Distributed, Internal
        Id:                  Vxlan:5004
        Ip(Mask):            10.10.10.1(255.255.255.0)
        Connected Dvs:       Mgmt_Edge_VDS
        VXLAN Control Plane: Enabled
        VXLAN Multicast IP:  0.0.0.1
        State:               Enabled
        Flags:               0x2288
        
        Name:                570d45550000000b
        Mode:                Bridging, Sedimented, Internal
        Id:                  Vlan:100
        Bridge Id:           mybridge:1
        Ip(Mask):            0.0.0.0(0.0.0.0)
        Connected Dvs:       Mgmt_Edge_VDS
        Designated Instance: No
        DI IP:               192.168.110.51
        State:               Enabled
        Flags:               0xd4
        
        Name:                570d45550000000a
        Mode:                Bridging, Sedimented, Internal
        Id:                  Vxlan:5000
        Bridge Id:           mybridge:1
        Ip(Mask):            0.0.0.0(0.0.0.0)
        Connected Dvs:       Mgmt_Edge_VDS
        VXLAN Control Plane: Enabled
        VXLAN Multicast IP:  0.0.0.1
        State:               Enabled
         Flags:               0x23d4
      • Routing
        # net-vdr -R -l default+edge-1
        
        VDR default+edge-1:1460487509 Route Table
        Legend: [U: Up], [G: Gateway], [C: Connected], [I: Interface]
        Legend: [H: Host], [F: Soft Flush] [!: Reject]
         
        Destination      GenMask          Gateway          Flags    Ref Origin   UpTime     Interface
        -----------      -------          -------          -----    --- ------   ------     ---------
         10.10.10.0       255.255.255.0    0.0.0.0          UCI      1   MANUAL   410777     570d45550000000c
    • Analyze NSX Edge statistics
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Monitor tab.
      • Select the period for which you want to view the statistics.
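
Added example, not from the study guide or from VMware: a check of one controller node's view of the cluster, built from the `show control-cluster status` and `show control-cluster connections` outputs shown above and the rule quoted with them (the node listening on server/2878 is the persistence leader and should hold one open connection per remaining node). POSIX sh plus awk; paste both command outputs into stdin in either order. The sample outputs in the block are constructed, and the wording of the degraded majority line is an assumption (the check only looks for the exact "Connected to cluster majority" text).

```shell
#!/bin/sh
# check_controller_node SIZE < combined-output
#   SIZE = number of controller nodes deployed (the NSX docs use 3).
#   Prints FAIL/WARN/INFO lines; exit 1 if any FAIL line was produced.
check_controller_node() {
    awk -v size="$1" '
    BEGIN {
        if (size < 3 || size % 2 == 0)
            print "WARN: cluster size " size " is not an odd number of at least 3"
        majority = int(size / 2) + 1      # nodes needed for quorum
        expected = size - 1               # peers the leader should see
    }
    /^Join status:/     { join = ($0 ~ /Join complete/) }
    /^Majority status:/ { maj  = ($0 ~ /Connected to cluster majority/) }
    /server\/2878/ {                      # persistence_server row
        listening = $(NF-1); conns = $NF
        if (listening == "Y") {
            leader = 1
            if (conns != expected) {
                print "FAIL: persistence leader has " conns " open connections, expected " expected
                bad = 1
            }
        }
    }
    END {
        if (!join) { print "FAIL: node has not completed joining the cluster"; bad = 1 }
        if (!maj)  { print "FAIL: not connected to cluster majority (" majority " of " size " nodes required)"; bad = 1 }
        if (leader) print "INFO: this node is the persistence leader (listening on 2878)"
        else        print "INFO: this node is a persistence follower"
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: a healthy leader in a 3-node cluster.
controller_sample_healthy() {
    cat <<'EOF'
Type                Status                                       Since
--------------------------------------------------------------------------------
Join status:        Join complete                                09/14 14:08:46
Majority status:    Connected to cluster majority                09/18 08:45:16
Restart status:     This controller can be safely restarted      09/18 08:45:06
role                port            listening open conns
--------------------------------------------------------
api_provider        api/443         Y         1
--------------------------------------------------------
persistence_server  server/2878     Y         2
                    client/2888     Y         3
                    election/3888   Y         0
EOF
}

# Constructed sample: the leader has lost a peer and with it the majority
# (the "Disconnected ..." wording is an assumption).
controller_sample_degraded() {
    cat <<'EOF'
Join status:        Join complete                                09/14 14:08:46
Majority status:    Disconnected from cluster majority           09/18 09:02:11
persistence_server  server/2878     Y         1
EOF
}

for s in healthy degraded; do
    echo "== $s =="
    if controller_sample_$s | check_controller_node 3; then echo "OK"; else echo "needs attention"; fi
done
```

Run it against each controller in turn: exactly one node should report itself as the persistence leader, and none should emit a FAIL line. A leader with fewer open connections than expected, combined with "Connected to cluster majority" on every node, usually means one node is joined but has lost its persistence channel (port 2878) rather than quorum.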

Tools

  • NSX Administration Guide
  • NSX Command Line Interface Reference Guide
  • NSX API Guide
  • NSX Controller CLI
  • NSX Edge CLI
  • NSX API
  • vSphere Web Client
  • VDS Health Check
  • net-vdr
  • http://www.yet.org/2014/09/nsxv-troubleshooting/  – very useful for this section (it’s where I’ve pulled a lot of the above from)

Objective 9.2 – Troubleshoot Common NSX Installation/Configuration Issues

Knowledge

  • Identify ports required for NSX communication
    • 443/TCP: downloading the OVA file to the ESXi host for deployment; REST API calls; the NSX Manager user interface
    • 80/TCP: initiating the connection to the vSphere SDK; messaging between NSX Manager and the NSX host modules
    • 1234/TCP: communication between ESXi hosts and the NSX Controller cluster
    • 5671/TCP: RabbitMQ message bus (AMQP over TLS) between NSX Manager and the hosts
    • 22/TCP: console access (SSH) to the CLI. By default this port is closed.
  • Troubleshoot lookup service configuration
    • Confirm that the user has admin privileges.
    • Verify whether NSX Manager and Lookup service appliances are in time sync. To achieve this, use same NTP server configurations at NSX Manager and Lookup service.
    • Check DNS settings for name resolution.
  • Troubleshoot vCenter Server link
    • Check DNS settings.
    • Confirm that user has administrative privileges.
  • Troubleshoot licensing issues
    • Validate that the vSphere Web Client is successfully installed. Starting with vCenter Server 5.0, License Reporting is a component of the vSphere Web Client. To access it, the Web client must be installed and vCenter Server must be registered to it. For more information, see the Install and Start the vSphere Web Client section of the vSphere Installation and Setup guide.
    • Verify that vCenter Server and the vSphere Client workstation can communicate with the Web Client Server. For more information, see Testing network connectivity with the ping command (KB1003486).
    • Verify that name resolution to the Web Client server is correctly configured from vCenter Server and the vSphere Client workstation. For more information, see Configuring name resolution for VMware vCenter Server (KB1003735).
    • Check the vSphere Client log ( viclient-x-xxxx.log located at %USERPROFILE%\AppData\Local\VMware\vpx) to validate the URL used to connect to the Web Client server.
      You see messages similar to:

      [viclient:QuickInf:M: 7] 2012-02-27 12:15:22.227 FlexWebContainer.NavigateToUrl(nav): https:// webclient/csharp-app/?extensionId=vsphere.license.licenseReportView&context=CB1D4EA7-F6A8-46DA-81CA-99ADCF95359A:Folder:group-d1&locale=en_US&j_serviceUrl=https:// vcenterserver&j_serviceGuid=CB1D4EA7-F6A8-46DA-81CA-99ADCF95359A&j_thumbprint=98:CC:31:66:6C:4F:85:6E:A6:09:09:89:22:28:90:23:23:DC:82:E8&j_qsCookie=JSESSIONID=6atwl6n6g00cht1apfj5tp47, vmware_soap_session=d0122775-e4b2-427b-9195-12ccf3a53b4c&sessionTicket=cst-VCT-5292c695-1069-a798-c4d7-08e3ad48fe04–tp-98-CC-31-66-6C-4F-85-6E-A6-09-09-89-22-28-90-23-23-DC-82-E8

      Where webclient is the address of the Web Client Server and vcenterserver is the address of vCenter server. If either of these values are incorrect, unregister and then register vCenter Server to the vSphere Web Client from the Web client Administration application. This application is located on the server running the vSphere Web Client. To launch the application, navigate to Start > Programs > VMware > VMware vSphere Web Client > vSphere Administration Application.

    • Validate that the vCenter Server proxy.xml file (located at C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter) has the appropriate configuration for the Web Client. A correct configuration appears similar to:
      <e id="19">
      <_type>vim.ProxyService.RedirectSpec</_type>
      <accessMode>httpsOnly</accessMode>
      <hostName> webclient</hostName>
      <port> 9443</port>
      <redirectType>permanent</redirectType>
      <serverNamespace>/vsphere-client</serverNamespace>
      </e>
      Where webclient is the address of the Web Client server. If either the port or the address to the Web client is incorrect, correct and then restart the VMware VirtualCenter Server service.
  • Troubleshoot permissions issues
    • There are 4 user roles:
      • Enterprise Administrator: NSX operations and security
      • NSX Administrator: NSX operations only (install virtual appliances, configure port groups etc)
      • Security Administrator: NSX security only (define Data Security policies, create port groups, create reports etc)
      • Auditor: read only
    • An NSX User/Group can only have one role
    • You cannot add a role to a user/group, or remove an assigned role from a user/group, you can however change the assigned role for a user/group.
    • There are 2 scopes which determine what resources a particular user can view
      • No restriction Access to the entire NSX system
      • Limit access scope Access only a specified Edge.
    • A user can be a member of a number of groups, and will inherit combined role permissions from those groups. If the user has a directly assigned role, this overrides the group permissions.
    • Given the above overview of NSX permissions, check for permissions allocated directly to a user, also check membership of the groups that permissions have been allocated to, as well as any scope limitation
  • Troubleshoot host preparation issues
    • In the Installation tab, click Host Preparation.
    • For each cluster, click Install in the Installation Status column.
      Note – While the installation is in progress, do not deploy, upgrade, or uninstall any service or component.
    • Monitor the installation until the Installation Status column displays a green check mark.

      If the Installation Status column displays a red warning icon and says Not Ready, click Resolve. Clicking Resolve might result in a reboot of the host. If the installation is still not successful, click the warning icon. All errors are displayed. Take the required action and click Resolve again.

      When the installation is complete, the Installation Status column displays the installed NSX version (6.1 in the guide) and the Firewall column displays Enabled. Both columns have a green check mark. If you see Resolve in the Installation Status column, click Resolve and then refresh your browser window.

  • Troubleshoot IP pool issues
    • I can’t find anything in the admin or installation guides about this. I guess the obvious things are to ensure that the IP Pool configuration matches the subnet (correct subnet mask etc) and that it’s not full.

Tools

  • NSX Installation and Upgrade Guide
  • NSX Administration Guide
  • NSX Command Line Interface Reference Guide
  • NSX Controller CLI
  • vSphere Web Client

Objective 9.1 – Identify Tools Available for Troubleshooting

Knowledge

  • Identify filters available for packet capture
    • NSX Edge CLI
    • pktcap-uw
    • tcpdump-uw
    • Flow Monitoring
  • Capture and trace uplink, vmknic, and physical NIC packets
    • Uplink
      debug packet display interface

      • Displays all packets captured by an NSX Edge interface, similar to a tcpdump. Enabling this command can impact NSX Edge performance. To disable the display of packets, use no before the command.
      • Synopsis
        [no] debug packet display interface (intif | extif) [EXPRESSION]
    • vmknic
      • To view a live capture of a vmkernel ports traffic:
        # pktcap-uw --vmk vmkX
    • pNic
      • To view a live capture of a specific physical network card on the host vmnic:
        # pktcap-uw --uplink vmnicX
  • Identify and track NSX infrastructure changes
    • NSX Ticket Logger – See Objective 8.4
  • Output packet data for use by a protocol analyzer
    • To capture the output to a file, use the -o option (add -c <count> to bound the capture; without it pktcap-uw runs until Ctrl-C):
      # pktcap-uw --vmk vmkX -o file.pcap
  • Capture and analyze traffic flows
    • Log in to the vSphere Web Client.
    • Select Networking & Security from the left navigation pane and then select Flow Monitoring.
    • Ensure that you are in the Dashboard tab.
    • Click Flow Monitoring.
    • The page might take several seconds to load. The top of the page displays the percentage of allowed traffic, traffic blocked by firewall rules, and traffic blocked by SpoofGuard. The multiple line graph displays data flow for each service in your environment. When you point to a service in the legend area, the plot for that service is highlighted.
    • Traffic statistics are displayed in three tabs:
    • Top Flows displays the total incoming and outgoing traffic per service over the specified time period based on the total bytes value (not based on sessions/packets). The top five services are displayed. Blocked flows are not considered when calculating top flows.
    • Top Destinations displays incoming traffic per destination over the specified time period. The top five destinations are displayed.
    • Top Sources displays outgoing traffic per source over the specified time period. The top five sources are displayed.
    • Click the Details by Service tab.
    • Details about all traffic for the selected service are displayed. Click Load More Records to display additional flows. The Allowed Flows tab displays the allowed traffic sessions and the Blocked Flows tab displays the blocked traffic.
    • You can search on service names.
    • Click an item in the table to display the rules that allowed or blocked that traffic flow.
    • Click the Rule Id for a rule to display the rule details
  • Mirror network traffic for analysis
    • Netflow/IPFix
      •  Log in to the vSphere Web Client.
      • Click Networking & Security and then Flow Monitoring
      • Select Configuration
      • Configure the Flow Collections, making modifications to Flow Exclusion if required
      • Click on IPFix and edit the IPFix domain, timeout and collector IPs as required.
      • Click Publish Changes
    • vDS port mirroring
      • Log in to the vSphere Web Client.
      • Browse to a distributed switch in the vSphere Web Client
      • Click the Manage tab and select Settings > Port Mirroring
      • Click New.
      • Select the session type for the port mirroring session.
        • Distributed Port Mirroring Mirror packets from a number of distributed ports to other distributed ports on the same host. If the source and the destination are on different hosts, this session type does not function.
        • Remote Mirroring Source Mirror packets from a number of distributed ports to specific uplink ports on the corresponding host.
        • Remote Mirroring Destination Mirror packets from a number of VLANs to distributed ports.
        • Encapsulated Remote Mirroring (L3) Source Mirror packets from a number of distributed ports to remote agent’s IP addresses. The virtual machine’s traffic is mirrored to a remote physical destination through an IP tunnel.
        • Distributed Port Mirroring (legacy) Mirror packets from a number of distributed ports to a number of distributed ports and/or uplink ports on the corresponding host.
      • Click Next
      • Set the session properties. Different options are available for configuration depending on which session type you selected.
        • Name You can enter a unique name for the port mirroring session, or accept the automatically generated session name.
        • Status Use the drop down menu to enable or disable the session.
        • Session type Displays the type of session you selected.
        • Normal I/O on destination ports Use the drop-down menu to allow or disallow normal I/O on destination ports. This property is only available for uplink and distributed port destinations. If you disallow this option, mirrored traffic will be allowed out on destination ports, but no traffic will be allowed in.
        • Mirrored packet length (Bytes)
          Use the check box to enable mirrored packet length in bytes. This puts a limit on the size of mirrored frames. If this option is selected, all mirrored frames are truncated to the specified length.
        • Sampling rate
          Select the rate at which packets are sampled. This is enabled by default for all port mirroring sessions except legacy sessions.
        • Description
          You have the option to enter a description of the port mirroring session configuration.
      • Click Next.
      • Select the source of the traffic to be mirrored and the traffic direction. Depending on the type of port mirroring session you selected, different options are available for configuration.
        • Add existing ports from a list
          Click Select distributed ports. A dialog box displays a list of existing ports. Select the check box next to the distributed port and click OK. You can choose more than one distributed port.
        • Add existing ports by port number
          Click Add distributed ports, enter the port number and click OK.
      • Set the traffic direction
        After adding ports, select the port in the list and click the ingress, egress, or ingress/egress button. Your choice appears in the Traffic Direction column.
      • Specify the source VLAN
        If you selected a Remote Mirroring Destination sessions type, you must specify the source VLAN. Click Add to add a VLAN ID. Edit the ID by using the up and down arrows, or clicking in the field and entering the VLAN ID manually.
      • Click Next.
      • Select the destination for the port mirroring session. Depending on which type of session you chose, different options are available.
        • Select a destination distributed port
          Click Select distributed ports to select ports from a list, or click Add distributed ports to add ports by port number. You can add more than one distributed port.
        • Select an uplink
          Select an available uplink from the list and click Add to add the uplink to the port mirroring session. You can select more than one uplink.
        • Select ports or uplinks
          Click Select distributed ports to select ports from a list, or click Add distributed ports to add ports by port number. You can add more than one distributed port.
        • Click Add uplinks to add uplinks as the destination. Select uplinks from the list and click OK.
        • Specify IP address
          Click Add. A new list entry is created. Select the entry and either click Edit to enter the IP address, or click directly in the IP Address field and type the IP address. A warning appears if the IP address is invalid.
      • Click Next.
      • Review the information that you entered for the port mirroring session on the Ready to complete page.
      • (Optional) Use the Back button to edit the information.
      • Click Finish.
  • Perform a network health check
    • Enabling or disabling the vSphere Distributed Switch health check in the vSphere Web Client
      Notes: Health check monitors for changes in vSphere distributed switch configurations. You must enable vSphere distributed switch health check to perform checks on distributed switch configurations.
      Health check is available only in ESXi 5.1 and later distributed switches. You can view health check information only through the vSphere Web Client 5.1 or later.

      • Browse to a vSphere distributed switch in the vSphere Web Client.
      • Click the Manage tab.
      • Click Settings and then click Health check.
      • To enable or disable health check, click Edit.
      • Select from the dropdown to enable or disable health check options.
        The options include:

        • VLAN and MTU – Reports the status of distributed uplink ports and VLAN ranges
        • Teaming and Failover – Checks for any configuration mismatch between ESXi and the physical switch used in the teaming policy.
      • Click OK.
    • Viewing the vSphere Distributed Switch health check information
      Note: After enabling health check, you can view the vSphere distributed switch health check information in the vSphere Web Client.

      • Browse to a vSphere distributed switch in the vSphere Web Client.
      • Click the Monitor tab and click Health.
      • In the Health Status Details section, click one of these tabs to view the health status:
        • VLAN
        • MTU
        • Teaming and Failover
  • Configure vSphere Distributed Switch alarms
    • Browse to a vSphere distributed switch in the vSphere Web Client.
    • Click the Manage tab and then Alarm Definitions.
    • Click + to add an alarm.
    • Enter the Alarm name and Description.
    • Click Next.
    • Add Events and Conditions to trigger the alarm.
    • Click Next.
    • (Optional) Click + to add actions on alarm state changes.
    • Click Finish.

Tools

  • NSX Administration Guide
  • vSphere Networking Guide
  • vSphere Command-Line Interface Concepts and Examples
  • vSphere Web Client
  • NSX Ticket Logger
  • ESXi Host CLI
  • pktcap-uw
  • Netflow
  • RSPAN/ERSPAN
  • VDS Health Check

Objective 8.6 – Backup and Recover Configurations

Knowledge

  • Identify remote backup destinations
    • Backups can be sent to remote FTP or SFTP servers
  • Explain how to backup and recover various components
    • You can back up and restore your NSX Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup. Backups are saved to a remote location that must be accessible by the NSX Manager.
  • Schedule backups
    • See Perform NSX Manager backup operations, below
  • Export/Restore vSphere Distributed Switch configuration
    • Export
      • Browse to a distributed switch in the vSphere Web Client navigator.
      • Right-click the distributed switch and click All vCenter Actions > Export Configuration.
      • Select the Export the distributed switch configuration or Export the distributed switch configuration and all port groups option.
      • (Optional) Enter notes about this configuration in the Description field.
      • Click OK.
      • Click Yes to save the configuration file to your local system.
    • Restore
      • Browse to a distributed switch in the vSphere Web Client navigator.
      • Right-click the distributed switch and click All vCenter Actions > Restore Configuration.
      • Browse for the configuration backup file to use.
      • Select the Restore distributed switch and all port groups or Restore distributed switch only option and click Next.
      • Review the summary information for the restore.
      • Click Finish.
  • Import/Export Service Composer profiles
    • Import
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click Service Composer.
      • Click the Security Policies tab.
      • Click Actions and then click the Import Service Configuration icon.
      • Select the configuration file that you want to import.
      • If desired, type a suffix to be added to the security policies and security groups that are being imported. If you specify a suffix, it is added to the security policy names being imported thus ensuring that they have unique names.
      • Click Next. Service Composer verifies that all services referred to in the configuration are available in the destination environment. If not, the Manage Missing Services page is displayed, where you can map missing services to available target services. The Ready to complete page displays the security policies along with associated objects (security groups on which these have been applied, as well as Endpoint services, firewall rules, and network introspection services) to be imported.
      • Click Finish. The imported security policies are added to the top of the security policy table (above the existing policies) in the target NSX Manager. The original order of the imported policies is preserved.
    • Export
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click Service Composer.
      • Click the Security Policies tab.
      • Select the security policy that you want to export.
      • Click Actions and then click the Export Service Configuration icon.
      • Type a name and description for the configuration that you are exporting.
      • If desired, type a prefix to be added to the security policies and security groups that are being exported. If you specify a prefix, it is added to the target security policy names thus ensuring that they have unique names.
      • Click Next.
      • In the Select security policies page, select the security policy that you want to export and click Next.
      • The Ready to complete page displays the security policies along with associated objects (security groups on which these have been applied, as well as Endpoint services, firewall rules, and network introspection services) to be exported.
      • Click Finish.
      • Select the directory on your computer where you want to download the exported blueprint and click Save.
  • Perform NSX Manager backup and restore operations
    • Backup
      • Log in to the NSX Manager Virtual Appliance.
      • Under Appliance Management, click Backups & Restore.
      • To specify the backup location, click Change next to FTP Server Settings.
        • Type the IP address or host name of the backup system.
        • From the Transfer Protocol drop-down menu, select either SFTP or FTP, based on what the destination supports.
        • Edit the default port if required.
        • Type the user name and password required to log in to the backup system.
        • In the Backup Directory field, type the absolute path where backups will be stored.
        • Type a text string in Filename Prefix.
          This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type ppdb, the resulting backup is named ppdbHH_MM_SS_DayDDMonYYYY.
        • Type the pass phrase to secure the backup.
        • Click OK.
      • To specify schedule details, click Change next to Scheduling.
        • From the Backup Frequency drop-down menu, select Hourly, Daily, or Weekly. The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected frequency. For example, if you select Daily, the Day of Week drop-down menu is disabled as this field is not applicable to a daily frequency.
        • For a weekly backup, select the day of the week the data should be backed up.
        • For a weekly or daily backup, select the hour at which the backup should begin.
        • Select the minute at which the backup should begin and click Schedule.
      • To exclude logs and flow data from being backed up, click Change next to Exclude.
        • Select the items you want to exclude from the backup.
        • Click OK.
    • Restore
      • Log in to the NSX Manager Virtual Appliance.
      • Under Appliance Management, click Backups & Restore.
      • In the Backups History section, select the check box for the backup to restore.
      • Click Restore.
      • Click OK to confirm.
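The backup procedure above leaves two things for an administrator to keep an eye on: whether the FTP Server Settings and schedule are sound (SFTP rather than FTP, a pass phrase set, an absolute backup directory, a valid frequency) and whether backups are actually landing on the remote server at the chosen frequency. The following script is an added example, not code from the study guide or from VMware; it parses a directory listing using the filename pattern the page gives (prefix followed by HH_MM_SS_DayDDMonYYYY) and reports stale backups. The settings keys and the sample filenames are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Timestamp part of a backup filename, as the page describes it: HH_MM_SS_DayDDMonYYYY
_STAMP_RE = re.compile(
    r"^(?P<h>\d{2})_(?P<m>\d{2})_(?P<s>\d{2})_"
    r"(?P<dow>[A-Z][a-z]{2})(?P<dd>\d{2})(?P<mon>[A-Z][a-z]{2})(?P<yyyy>\d{4})$"
)
# Backup Frequency choices from the scheduler, mapped to the interval they imply
INTERVAL = {"Hourly": timedelta(hours=1), "Daily": timedelta(days=1), "Weekly": timedelta(days=7)}
GRACE = timedelta(hours=1)  # tolerance for a run that starts or finishes late


def parse_backup_name(name: str, prefix: str) -> Optional[datetime]:
    """Return the timestamp encoded in a backup filename, or None when the name
    lacks our prefix, does not match the pattern, or its weekday token disagrees
    with the date (a cheap integrity check on what the backup server lists)."""
    if not name.startswith(prefix):
        return None
    m = _STAMP_RE.match(name[len(prefix):])
    if not m:
        return None
    try:
        ts = datetime.strptime(
            f"{m['dd']} {m['mon']} {m['yyyy']} {m['h']}:{m['m']}:{m['s']}", "%d %b %Y %H:%M:%S")
    except ValueError:
        return None
    return ts if ts.strftime("%a") == m["dow"] else None


def audit_backup_settings(settings: Dict[str, str]) -> List[str]:
    """Flag weak choices in the FTP Server Settings and Scheduling dialogs (keys are assumed names)."""
    findings = []
    if settings.get("transferProtocol", "").upper() == "FTP":
        findings.append("FTP sends credentials and the backup archive in cleartext; prefer SFTP")
    if not settings.get("passPhrase"):
        findings.append("no pass phrase set; the backup is not secured")
    if not settings.get("backupDirectory", "").startswith("/"):
        findings.append("backupDirectory must be an absolute path")
    if settings.get("frequency") not in INTERVAL:
        findings.append("frequency must be Hourly, Daily or Weekly")
    return findings


def backup_freshness(listing: List[str], prefix: str, frequency: str,
                     now: Optional[datetime] = None) -> Dict[str, object]:
    """Decide whether the newest backup carrying our prefix is within schedule."""
    now = now or datetime.now()
    stamps = [t for t in (parse_backup_name(n, prefix) for n in listing) if t]
    latest = max(stamps) if stamps else None
    stale = latest is None or now - latest > INTERVAL[frequency] + GRACE
    return {"count": len(stamps), "latest": latest, "stale": stale}
```

Run it against the listing of the Backup Directory (for example the output of an SFTP `ls`) with the same Filename Prefix and Backup Frequency you configured; a stale result or a parse rejection is worth an alarm.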

Tools

  • NSX Administration Guide
  • vSphere Web Client