Universal Security Objects - VLAN

Would like to check with you if the below is technically feasible.

Universal security objects in NSX are used to sync the security objects between 2 sites.

Would like to check if this is supported only for the VXLAN or is it supported for VLAN also.

Can we create universal security groups for the VMs in VLAN using VMNAME & get them synced to the DR site?

My understanding is that it is only for VXLAN.

13 Replies
Sreec
VMware Employee

I haven't tested this explicitly for VM-Name. However, if you have tools running, I believe it will work even for a VLAN port-group. In my case I have configured a UFW for a VM connected to a VLAN port group using IP-Sets blocking the traffic between the sites, and the rules work irrespective of where the VM is residing (Active-Passive).

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
lhoffer
VMware Employee

You can use VM names and universal security tags in NSX 6.3; however, there's a caveat in that it only translates the inventory of its local vCenter, so it's only suitable for active/standby deployments where all components of an application will reside under the same vCenter at any given time. I recommend checking out the NSX-V 6.3: Cross-VC NSX Security Enhancements - Network Virtualization blog, which goes into more depth on this.

I have the below requirements. I am running NSX 6.2.2 in DC 1 & DC 2 with 1:1 mapping of vCenter & NSX Manager.

In DC 1 , I have created security groups with Dynamic Membership using VMname & based on that I have created firewall policies.

In DC 2 , I have the similar configuration in which I have created security groups with Dynamic Membership using VMname & based on that I have created firewall policies.

The problem I am facing is that DC 1 is not aware of the security groups created in DC 2 & vice versa.

Because of this I am not able to apply the firewall policies between these security groups in both the DC 1 & DC 2.

I am looking for a solution where DC 1 knows about both the security groups & similarly DC 2 knows about both the security groups.


Any inputs?


I have created the diagram for reference.

Each DC has a vCenter & NSX Manager with 1:1 mapping.

Security Group is defined in each VC based on VM name for dynamic grouping.

Question

DC 1 vCenter does not know about the security group created in DC 2 & vice versa.

I need to apply the firewall policies to restrict traffic between security group #1 of DC 1 & the security group of DC 2.

Let me know how to achieve it. What is the best way so that the vCenter in DC 1 knows about the security groups in DC 2 & vice versa?

[attached diagram: pastedImage_0.png]

Techstarts
Expert

The problem I am facing is that DC 1 is not aware of the security groups created in DC 2 & vice versa.

Because of this I am not able to apply the firewall policies between these security groups in both the DC 1 & DC 2.

Are you not creating universal security groups?

With Great Regards,
lhoffer
VMware Employee

It sounds like you might be creating local (aka global) security groups instead of universal security groups (which get sync'd across NSX managers). You won't be able to use service composer, but if you create it on your primary NSX manager under "Grouping objects > Security Group", you just check the "Mark this object for Universal Synchronization" box on the first screen as shown below (this is from a 6.3 environment, so in a 6.2.x environment you won't see the "use for active/standby deployments" option or have the ability to use VM name or universal security tags as group membership criteria):

[attached screenshot: pastedImage_0.png]


Thanks.

I am looking for this in an NSX 6.3.x environment. At present I don't have any universal objects created.

In DC1 there is 1:1 Mapping of vCenter & NSX Manager. The same in the DC2.

There are local Logical Switches in each DC & VLAN port groups in each DC.

The VMs which are grouped inside the security group dynamically using VMNAME can be part of both VXLAN & VLAN.

In this scenario how can I achieve my requirement?

Also it's mentioned that cross-vCenter NSX should be in an Active-Standby environment.

What exactly is the meaning of Active-Standby environment?

- My understanding is that it requires ULS, ULR, UDFW

- The default GW will be in DC1

- How will it work for a VLAN environment?

Techstarts
Expert

I am looking for this in an NSX 6.3.x environment. At present I don't have any universal objects created.

In DC1 there is 1:1 Mapping of vCenter & NSX Manager. The same in the DC2.

There are local Logical Switches in each DC & VLAN port groups in each DC.

Dear Rajeev,

Do you have NSX Enterprise license? Cross-vCenter NSX is included only with Enterprise license. If you do not have this edition, then there is no way you can address your requirements.

What exactly is the meaning of Active-Standby environment?

- My understanding is that it requires ULS, ULR, UDFW

- The default GW will be in DC1

- How will it work for a VLAN environment?

You are right, you need Universal LS, DR, UDFW.

Active-Standby is a scenario where all your VMs are running from site A while site B waits and watches for a DR event. All egress traffic will occur from the routers of site A. Even if you wish to use the DR site for developer workloads, traffic will be routed via the routers from site A; basically there will be no local egress. So the DGW in both these sites must be a ULR.

Sorry to say, but Cross-VC NSX is much beyond simply enabling a check box.

With Great Regards,

Thanks.

Regarding the license, it's not an issue. An Enterprise license can be managed if I am able to technically achieve what is expected.

I understood your explanation regarding Active - Standby.

I still have the below queries.

1. I have network A (10.0.0.0/24) in DC 1 & network B (20.20.20.0/24) in DC 2 under VXLAN. It is not under a ULS, since the network is local to its DC.

I need to have security groups based on VMNAME in both DC 1 & DC 2. In this scenario how will the security groups get synced?

2. Similarly I have a VLAN network in DC 1 (30.30.30.0/24) & DC 2 (40.40.40.0/24).

In this scenario how will it work?

Techstarts
Expert

The only way to achieve your objectives is by using Universal objects.

With Great Regards,
Richard__R
Enthusiast

Nothing native in NSX will achieve that; you would need to synchronise the security group creation either manually or leverage a tool like vRO to orchestrate the changes in parallel against multiple NSX Managers. As has been said before, the VM name is only relevant to the local vCenter inventory, so if you want to create rules between the networks in different DCs with this approach (local security groups per DC) you'd still need to use IP addresses for the remote endpoints.


Thanks. Got it.

Even my understanding is the same.

All I am thinking about is how to automate it. For example: extract the details from the security group in DC 2 & extract the IP addresses from the security group.

Then add the IP addresses into the security group of DC 1. Let me know if this is possible using the API & by some scripts to automate it.

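The automation the last post asks about (read the effective member IPs of a security group on the DC 2 NSX Manager and push them into an IP set on the DC 1 NSX Manager, which local firewall rules can then reference as the remote endpoint) can be done against the NSX-v REST API. The script below is an added example, not code from this thread or from VMware. The endpoint paths, the `<ipNodes>/<string>` translation response shape and the `<ipset>` request body are my recollection of the NSX-v 6.x API and are assumptions to be checked against the API guide for the version in use; the manager hostnames, credentials, object IDs and canned responses are constructed for the offline demo.

```python
"""One-way sync of an NSX-v security group's translated IPs into an IP set
on a second NSX Manager (added example; endpoint paths are assumptions
from the NSX-v 6.x API guide, verify for your version):
  GET  /api/2.0/services/securitygroup/{sgId}/translation/ipaddresses
  GET  /api/2.0/services/ipset/scope/globalroot-0
  POST /api/2.0/services/ipset/globalroot-0
  PUT  /api/2.0/services/ipset/{ipsetId}
"""
import base64
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET


def parse_translated_ips(xml_text):
    """Sorted, de-duplicated, syntactically valid IPs from a translation
    response; anything that is not an IP literal is dropped."""
    found = set()
    for node in ET.fromstring(xml_text).iter("string"):
        try:
            found.add(str(ipaddress.ip_address((node.text or "").strip())))
        except ValueError:
            continue
    return sorted(found, key=lambda s: (ipaddress.ip_address(s).version,
                                        ipaddress.ip_address(s)))


def build_ipset_xml(name, ips, description=""):
    """<ipset> body: NSX-v takes the members as one comma-separated value."""
    ipset = ET.Element("ipset")
    ET.SubElement(ipset, "name").text = name
    ET.SubElement(ipset, "description").text = description
    ET.SubElement(ipset, "value").text = ",".join(ips)
    return ET.tostring(ipset, encoding="unicode")


def find_ipset_id(xml_text, name):
    """objectId of the IP set called `name` in a scope listing, or None."""
    for ipset in ET.fromstring(xml_text).iter("ipset"):
        if ipset.findtext("name") == name:
            return ipset.findtext("objectId")
    return None


class NsxManager:
    """Minimal urllib client with HTTP basic auth. `opener` is injectable
    so the sync logic can be exercised without a live manager."""
    def __init__(self, base_url, user, password, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/xml"}
        self.opener = opener

    def call(self, method, path, body=None):
        req = urllib.request.Request(self.base_url + path, method=method,
                                     data=body.encode() if body else None,
                                     headers=self.headers)
        with self.opener(req) as resp:
            return resp.read().decode()


def sync_group_to_ipset(src, dst, sg_id, ipset_name):
    """Copy the effective IPs of sg_id on `src` into an IP set on `dst`,
    creating it on first run and updating it afterwards. Returns the IPs."""
    ips = parse_translated_ips(src.call(
        "GET", f"/api/2.0/services/securitygroup/{sg_id}/translation/ipaddresses"))
    body = build_ipset_xml(ipset_name, ips, f"synced from {sg_id}")
    existing = find_ipset_id(
        dst.call("GET", "/api/2.0/services/ipset/scope/globalroot-0"), ipset_name)
    if existing:
        dst.call("PUT", f"/api/2.0/services/ipset/{existing}", body)
    else:
        dst.call("POST", "/api/2.0/services/ipset/globalroot-0", body)
    return ips


# Constructed sample responses (not real manager output) for an offline run.
SAMPLE_TRANSLATION = """<ipNodes><ipNode><ipAddresses>
<string>20.20.20.11</string><string>20.20.20.10</string><string>bogus</string>
</ipAddresses></ipNode><ipNode><ipAddresses><string>20.20.20.11</string>
</ipAddresses></ipNode></ipNodes>"""
SAMPLE_IPSET_LIST = """<list><ipset><objectId>ipset-7</objectId>
<name>DC2-app-sync</name><value>20.20.20.9</value></ipset></list>"""


class _CannedResponse:
    def __init__(self, text): self._text = text
    def read(self): return self._text.encode()
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def offline_demo():
    """Run the sync against canned responses; returns (ips, recorded calls)."""
    calls = []
    def opener(req):
        calls.append((req.get_method(), req.full_url, req.data))
        if "translation/ipaddresses" in req.full_url:
            return _CannedResponse(SAMPLE_TRANSLATION)
        if req.get_method() == "GET":
            return _CannedResponse(SAMPLE_IPSET_LIST)
        return _CannedResponse("<ipset/>")
    src = NsxManager("https://nsx-dc2.example", "admin", "secret", opener)  # hypothetical
    dst = NsxManager("https://nsx-dc1.example", "admin", "secret", opener)  # hypothetical
    ips = sync_group_to_ipset(src, dst, "securitygroup-10", "DC2-app-sync")
    return ips, calls


if __name__ == "__main__":
    print(offline_demo()[0])
```

Two things to keep in mind when running this for real: the translated IP list is only as good as the local manager's IP discovery (VMware Tools or snooping, as Sreec noted), and the copy is one-way and point-in-time, so it needs to run on a schedule and the DC 1 rules will be stale for VMs that moved or changed address between runs.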