All TKB Articles in Networking

The HCX Network Underlay Characterization and Performance Outcomes technical paper provides information to help HCX users understand the relationships between the network underlay and VMware® HCX. With HCX performance, various dimensions of environmental and load data need to be considered. One of the dimensions is the network underlay and the HCX performance derived from the underlay capabilities. In this regard, Characterizing an Underlay for HCX means understanding whether the underlay meets the minimum HCX requirements for providing successful virtual machine migrations and network extension services, and understanding baseline performance outcomes for given underlay conditions (even with the inclusion of IPSec VPN or SD-WAN, or VPN services which were previously not supported for HCX implementations).   This document attempts to put these considerations in perspective and also tries to provide some guidance on how to verify whether the performance is optimal for the given environment and parameters. [Prepared October 2021 with HCX 4.2] [Updated to 1.1 March 2022 - Corrections]  
When completing an upgrade precheck in SDDC-Manager the NSX-T password validity check fails:

Impact - High: Password has expired and upgrade will fail due to this.

You will see the following in the /var/log/vmware/vcf/lcm/lcm-debug.log:

    2021-06-17T19:10:20.089+0000 DEBUG [vcf_lcm,0000000000000000,0000,precheckId=af8ce3f0-615b-4387-919c-f123e797d4a5,resourceType=NSX_T,resourceId=nsx.corp.local] [c.v.e.s.l.p.c.u.VmwPrimitiveUtils,pool-3-thread-48] Password validation status for API credential type of resource: nsx.corp.local is VALID
    2021-06-17T19:10:20.090+0000 DEBUG [vcf_lcm,0000000000000000,0000,precheckId=af8ce3f0-615b-4387-919c-f123e797d4a5,resourceType=NSX_T,resourceId=nsx.corp.local] [c.v.e.s.l.p.util.PrimitiveHelper,pool-3-thread-48] Password validation for API credential type of resource: nsx.corp.local is VALID
    2021-06-17T19:10:20.090+0000 DEBUG [vcf_lcm,0000000000000000,0000,precheckId=af8ce3f0-615b-4387-919c-f123e797d4a5,resourceType=NSX_T,resourceId=nsx.corp.local] [c.v.e.s.l.p.c.u.VmwPrimitiveUtils,pool-3-thread-48] Password validationexpiry data for API credential type of resource: nsx.corp.local is SUCCEEDED
    2021-06-17T19:10:20.090+0000 DEBUG [vcf_lcm,0000000000000000,0000,precheckId=af8ce3f0-615b-4387-919c-f123e797d4a5,resourceType=NSX_T,resourceId=nsx.corp.local] [c.v.e.s.l.p.c.u.VmwPrimitiveUtils,pool-3-thread-48] Password validationexpiry for API credential type of resource: nsx.corp.local is in -22 days
    2021-06-17T19:10:20.090+0000 INFO  [vcf_lcm,0000000000000000,0000,precheckId=af8ce3f0-615b-4387-919c-f123e797d4a5,resourceType=NSX_T,resourceId=nsx.corp.local] [c.v.e.s.l.p.i.nsxt.NsxtPrimitiveImpl,pool-3-thread-48] Completed precheck task NSX_T_PASSWORD_VALIDITY_CHECK  on resource id nsx.corp.local  with status RED

Note: This precheck will also fail if the password expiry is cleared using the command "clear user admin password-expiration". It is a known issue; please refer to the KB "SDDC manager falsely shows the password for NSXT component as expired" for more information.

Cause
NSX-T does not support setting password expiry for root or admin to 99999.
NSX-T password expiry can be set to a maximum period of 9999.

Resolution
Set password expiry for root and admin to 9999:
1. SSH to NSX-T VIP with admin credentials
2. Check password expiry for both root and admin accounts
       get user admin password-expiration
3. If the password has expired or is set to 99999, use the following command to set password expiry to 9999
       set user admin password-expiration 9999
4. Retry upgrade precheck in SDDC-Manager
HCX Mobility Optimized Networking (MON) is an enterprise capability of the VMware HCX Network Extension (HCX-NE) feature. MON enables optimized application mobility for virtual machine application groups that span multiple segmented networks or for virtual machines with inter-VLAN dependencies, as well as for hybrid applications, throughout the migration cycle. Migrated virtual machines can be configured to access the internet and AWS S3 storage buckets optimally, without experiencing the network tromboning effect. This technical paper describes the HCX Mobility Optimized Networking technology in VMware Cloud on AWS.
We are pleased to announce the introduction of VMware NSX Advanced Firewall for VMware Cloud on AWS, which takes the network security capabilities of VMware Cloud on AWS SDDC to a new level. Adding NSX Advanced Firewall features allows organizations to define security policies at Layer 7 while enabling deep packet inspection across all vNICs within the software-defined data center (SDDC).

NSX Advanced Firewall capabilities help you secure your applications against an ever-expanding set of threats on the internet. Specifically, it includes a robust set of networking and security capabilities that enable customers to run production applications in the cloud. This capability allows you to:
* Detect attempts at exploiting vulnerabilities in your workloads.
* Gain protection against vulnerabilities inside your SDDC with granular application-level security policies.
* Reduce the attack surface of your workloads by allowing only the intended application traffic to run in your SDDC.
* Seamlessly provide inspection for all traffic without a single inspection bottleneck.
* Achieve your compliance goals.

Customers can purchase the NSX Advanced Firewall as an add-on in VMware Cloud on AWS.
Modern apps need to run in multi-cluster, multi-cloud environments across a mix of traditional and microservices architectures. In this context, enterprise platform, infrastructure, and operations teams are presented with unique challenges in securely connecting and managing modern workloads, in delivering scalable services, or bridging between traditional VM workloads and containers, and supporting production operations for modern apps.

VMware recently introduced the “VMware Modern Apps Connectivity solution”, which brings together the advanced capabilities of Tanzu Service Mesh (TSM) and VMware NSX Advanced Load Balancer ALB (formerly Avi Networks) to address today’s unique enterprise challenges.
We are excited to announce the general availability of VMware NSX-T™ 3.0, a major release of our full stack Layer 2 to Layer 7 networking platform that offers virtual networking, security, load balancing, visibility, and analytics in a single platform. NSX-T 3.0 includes key innovations across cloud-scale networking, security, containers, and operations that help enterprises achieve one-click public cloud experience wherever their workloads are deployed.

As enterprises adopt cloud, containers, and new applications, IT teams are managing more heterogeneous and distributed environments that need to be better secured, automated, and monitored. The need to run and manage workloads on all types of infrastructure, VMs, containers, bare metal across both private and public clouds, is greater than ever. Enterprises need end-to-end software-defined solutions to fully automate, connect, and protect all their workloads.

As a key component of VMware Virtual Cloud Network, VMware NSX-T 3.0 includes groundbreaking innovations that make it easier to replace legacy appliances that congest data center traffic, achieve stronger security posture, and run virtual and containerized workloads anywhere. NSX-T 3.0 also introduces global policy consistency, AWS and Azure gov cloud support, VMware NSX® Intelligence enhancements, Layer 3 EVPN, and powerful networking and security services for vSphere with Kubernetes, superseding features in NSX-V. In addition, NSX-T 3.0 integrated with enhancements in VMware vRealize™ Network Insight 5.2 to deliver comprehensive end-to-end network visibility and flow-based application discovery.

Cloud-scale Network Agility

Scaling up and managing a cloud environment – whether public or private – requires simplified network configuration and management, visibility and control, and the ability to rapidly add new capabilities into the existing environment.

NSX Federation – NSX Federation in NSX-T 3.0 helps deliver a cloud-like operating model by simplifying the consumption of networking and security constructs. It introduces the NSX Global Manager, a centralized console for managing the network as a single entity while keeping configuration and operational state synchronized across multiple locations. Security policies attach and move with the workload, ensuring that policy compliance is maintained during workload failover or migration between locations. Follow us on Twitter @vmwarensx for a detailed blog on NSX Federation in a few weeks.

Support for AWS GovCloud and Azure Government – NSX-T 3.0 extends support for public clouds with VMware NSX™ Cloud support for AWS GovCloud and Azure Government. This provides isolated public cloud environments for U.S. government agencies and customers to move sensitive workloads into the cloud and assist with regulatory and compliance requirements. NSX customers will benefit from the extended visibility, consistent networking and security policies, precise control over cloud networking, and end-to-end operational control across clouds.

Enhanced Multi-tenancy with VRF Lite and Layer 3 BGP EVPN – VRF Lite greatly reduces the networking infrastructure footprint by introducing complete data plane tenant isolation with separate routing table, NAT, and firewall within each VRF on NSX Edge. NSX Edge also implements Layer3 EVPN to seamlessly connect telco VNFs to the overlay network. The Edge implements standards based BGP control plane to advertise IP Prefixes, running eBGP sessions to the VNF and MP-BGP sessions with the PE/DCGW(s).

Dynamic Network Service Chaining – NSX service insertion is further enhanced with support for dynamic service chaining for traffic from and to VMs, containers, and bare metal workloads. The Edge Node dynamically classifies incoming network traffic and applies a set of network services to achieve app-aware security and monitoring.

Best-in-class Intrinsic Security

With NSX-T 3.0, the Service-defined Firewall in the NSX platform has been enhanced with the addition of a distributed IDS/IPS solution to protect east-west traffic in the data center. NSX-T 3.0 is a step further towards our goal of extending the NSX intrinsic security approach from every workload to data center, multi-cloud, and edge.

NSX Distributed IDS/IPS – At VMworld Europe last year, we announced the VMware Distributed IDS/IPS solution for our advanced Layer 7 internal firewall. NSX Distributed IDS/IPS is an advanced threat detection engine purpose-built to detect lateral threat movement on east-west traffic across multi-cloud environments. It eliminates security blind-spots and helps meet compliance needs.

Unlike traditional architectures that hairpin traffic to discrete appliances, NSX Distributed IDS/IPS distributes the analysis out to every workload and curates the signatures evaluated by each engine based on precise knowledge of running applications. This elastic throughput scales with workloads while improving utilization of existing compute capacity, simplifies the network design and operational model, and radically reduces the rate of false positives. This approach enables security teams to replace discrete appliances, and helps achieve regulatory compliance and create virtual security zones without physical separation of infrastructure.

L7 Edge Firewall Enhancements – The Layer 7 Edge Firewall is further enhanced in NSX-T 3.0 with the implementation of URL Analysis for URL Classification and Reputation. The Edge Firewall detects access from outside the datacenter for granular detection and categorization of in-bound and outbound URLs.

DFW for Windows 2016 workloads – In addition to existing support for Linux, NSX-T 3.0 adds NSX Distributed Firewall (DFW) support for Windows 2016 based physical workloads.

Time-based rules and Configuration wizard – Firewall rules can be enforced based on a pre-scheduled timeline defined by the administrator. NSX-T 3.0 also simplifies the implementation of VLAN backed micro-segmentation using a new configuration wizard.

Full-stack Networking and Security for Modern Apps

Networking for vSphere with Kubernetes – NSX-T is designed-in from the ground up as the default pod networking solution for vSphere with Kubernetes. NSX provides a rich set of networking capabilities for vSphere with Kubernetes, including distributed switching and routing, firewalling, load balancing, NAT, IPAM, and more.

Vinay Reddy describes how NSX-T, designed into vSphere with Kubernetes as the default networking solution, addresses common challenges associated with container networking and security.

Prescriptive networking for vSphere Namespace isolation – NSX-T 3.0 delivers a prescriptive network design to greatly simplify the implementation of vSphere Namespaces. It automatically implements the logical segments, distributed routing and firewalling, and IPAM services required for Namespace isolation in the vSphere Supervisor Cluster. Any workloads created in a Namespace automatically inherit the security policy applied to that Namespace, allowing developers to self-service resources into that Namespace.

Integration with Cluster API in VMware Tanzu Kubernetes Grid Service – NSX-T integrates with VMware Tanzu Kubernetes Grid Service to allow developers to deploy Tanzu Kubernetes Grid clusters. NSX-T greatly simplifies the necessary networking infrastructure, including the creation of logical segments, Tier-1 Gateway, and load balancers, needed for Tanzu Kubernetes Grid clusters.

Operational Simplicity and Automation

Converged vSphere® Distributed Switch™ – With NSX-T 3.0, admins can now deploy NSX-T directly on VMware vSphere Distributed Switch 7.0. This greatly simplifies NSX-T deployment in vSphere environments with no changes required to the existing vSphere Distributed Switch and no VM traffic disruption.

Policy Enhancements with Terraform Provider & Ansible Module – NSX-T 3.0 extends the use of Terraform Provider and Ansible Modules, two of the most widely used automation tools for config generation and deployment, beyond NSX-T installation use cases with support for the NSX-T Policy API. It now supports additional topology deployment workflows for security, logical gateway and segments, and network overlays and VLAN segments. Lifecycle management has become easier with the Ansible Module. NSX-T component upgrade of NSX Managers, Transport Nodes, Edge Nodes can be automated with the Ansible Modules.

Simplified Integration with vRealize Network Insight 5.2 – Tight integration with vRealize Network Insight 5.2 delivers comprehensive end-to-end network visibility. Support for vRealize Operations alerts enables precise troubleshooting in NSX-T environments from vRealize Network Insight dashboard. vRealize Network Insight 5.2 also implements flow-based application discovery across VMware platforms for application categorization by tier.

OpenStack Neutron Enhancements – The OpenStack Neutron plugin for NSX-T has been enhanced to abstract multiple NSX-T end points and operators can now configure additional IPv6 features (including DHCPv6, IPv6 LB, and NAT64) using the NSX-T policy plugin.

Summary

The NSX-T 3.0 release expands the breadth and depth of NSX-T use cases across cloud-scale networking, distributed IDS for advanced threat protection, and modern container-based applications. We remain committed to helping our customers radically simplify their network, achieve consistent policies across locations and transform their operations in the data center and cloud with full-stack automation across switching, routing, security, load balancing, and other layer 7 network services.

Follow us on Twitter @vmwarensx for updates and a series of deep-dive blogs on the key capabilities delivered in NSX-T 3.0.

NSX-T Resources

VMware NSX-T 3.0 Resources
* More on NSX-T 3.0
* Read the Press Release
* Download NSX-T 3.0
* Get started with a Beginner or Advanced NSX Hands-On-Lab (HOL)
* Take a Virtual Cloud Network Assessment
* VMware NSX Product Page
* VMware NSX YouTube Channel, including 45+ Light Board videos!

VMware vRealize Network Insight (vRNI) 5.2 Resources
* vRNI 5.2 Release Blog
* vRNI Product Page
* vRNI Lighting Lab
This presentation teaches you how ECMP can be leveraged within NSX-T.

There are multiple layers of ECMP within NSX-T:
* ECMP between the DR to SR
* ECMP between the SR and the physical networking fabric.

NSX-T offers an optimal way to load balance the networking traffic within the Data Center.

We will also present how easy it is to enable ECMP whether you use BGP, OSPF or static routes.

Do not hesitate to comment or to ask questions.

Video: https://www.youtube.com/watch?v=XdSs-S2a5fc

April 2021: v1.2
June 2021: v1.3 - Added ECMP DR to SR for Multi-Tier routing architecture
This is the VMware® NSX-T 3.1 Security Configuration Guide. This guide provides prescriptive guidance for customers on how to deploy and operate VMware® NSX-T in a secure manner. The guide is provided in an easy-to-consume spreadsheet format, with rich metadata (i.e. similar to existing NSX for vSphere & VMware vSphere Security Configuration Guides) to allow for guideline classification and risk assessment.

Feedback and comments to the authors and the NSX Solution Team can be posted as comments to this community post (Note: users must log in to VMware Communities before posting a comment).

Other related NSX Security Guides can be found at https://communities.vmware.com/docs/DOC-37726

--The VMware NSX PM/TPM Team
This presentation provides all the supported capabilities regarding OSPFv2 support in NSX-T 3.1.1: Active/Active and Active/Standby Topology Point to Point and Broadcast Network Standard / Backbone / NSSA Areas Area Definition (Authentication) CLI Outputs Route redistribution Summarization UI Configuration

Feel free to ask any questions below! Thanks
This document is a complete reference on the VMware NSX Advanced Load Balancer (by Avi Networks). The PowerPoint document is organized as slides that cover the following topics in detail:
1. Architecture/Infrastructure
2. Monitors
3. Server Pools
4. Layer 4 VIP
5. Layer 7 HTTP VIP
6. Layer 7 HTTPS VIP
7. Profiles and Policies
8. Manipulating Traffic Flows
9. Application Troubleshooting
10. Events and Alerts
Authors: VMware NSX Technical Product Management Team

This is the NSX-T Reference Design Page. The latest doc updates are aligned to NSX version 4.1. Highlights include:

Technology overview chapters:
* TEP HA (Ch3)
* VPC/Projects (Ch2)
* A/A Stateful Gateways (Ch4)
* Bare Metal edge hardware recommendation (Ch8)
* DPUs (Ch9)
* Update VRF route leaking (Ch4)

Design Chapter (Ch7):
* Projects
* 1 VC to many NSX
* MTU recommendation, Gateway vs. global MTU

Readers are encouraged to send feedback to NSXDesignFeedback_at_groups_vmware_com (replace at and underscores).

We will continue updating this document, so please re-download this document.

--The VMware NSX Product Management
NSX-T Security Reference Guide - This talks about NSX Service-defined Firewall capabilities, different use cases, architecture, consumption model and the best practices around the security design.

Version 1.3 mainly has the following updates, along with minor updates to all sections:
* Chapter -1: NSX Service-defined firewall value prop/positioning.
* Chapter -2: NSX Use cases – What/why/how and NSX deployment Options.
* Chapter -5: Best practices around Groups/Tags/Policy

Readers are encouraged to send feedback to NSXDesignFeedback_at_groups*vmware*com (replace _at_ -> @ and * -> .)

We will be continually updating this document, so please re-download this document.

--The VMware NSX Product Management
NSX-T 3.0 Operation Guide

Authors: VMware NSX Technical Product Management Team

This is the NSX-T Operation Guide based on NSX-T release 3.0. It is the foundational overhaul to NSX-T day 2 operation guidance and some of the best practices. It covers:
* NSX-T Monitoring Tools
* NSX-T Troubleshooting Tools
* NSX-T Operation best practices

Readers are encouraged to send feedback to NSXDesignFeedback_at_groups_vmware_com (replace at and underscores).

We will be continually updating this document, so please re-download this document.

--The VMware NSX Product Management
Hi all, I am using nested VMs. My host is Windows 10 and the guest is Windows 7; between these is a VM of Ubuntu. Ubuntu is connected to the Internet, but in Windows 7 it shows "Undefended Network". Please help me with how to connect Windows to the Internet.
This deck offers a nice presentation of what NSX Federation is and how it works. A very similar deck was used at VMworld 2020 session VCNC1178D here, and watching it is a nice option as it gives a "voice over" of the deck. Federation demos are also available here.

Note1: This ToI may be updated in the future so always check you have the latest version.
* NSX 4.0-4.1 Federation 101 ToI version is 1.0 done on 10/30/2023.
* NSX-T 3.2 Federation 101 ToI version is 1.1 done on 08/26/2022.

Note2: For deeper information, we also offer the "NSX Federation Multi-Location Design Guide (Federation + Multisite)" here.
NSX-T offers two technical solutions for Multi-Location On-Prem Data Centers:
* NSX-T Federation
* NSX-T Multisite

This NSX-T Multi-Location Design Guide offers guidance and best practices for Network & Security services in your On-Prem locations.

FYI, there are also some other nice documents on this use case:
* NSX-T Federation Presentation (ppt deck here with a link to demos)
* NSX-T Multisite Presentation (ppt deck here with embedded demos)

Note: This document may be updated in the future so always check you have the latest version.
* The Design Guide version for NSX-T 4.1 release is 1.4 done on 08/22/2023.
* The Design Guide version for NSX-T 4.0 release is 1.10 done on 08/22/2023.
* The Design Guide version for NSX-T 3.2 release is 1.19 done on 08/22/2023.
* The Design Guide version for NSX-T 3.1 release is 1.31 done on 06/21/2023.
VCNC1380_NSX_Day2_Ops
Three Federation demos are proposed here:
1. Federation Network & Security Services demo: "Federation-Demo1-Network&Security.mp4"
2. Federation Disaster Recovery (Network/Security & Compute) with Stretched Networks + SRM: "Federation-Demo2-DR.mp4"
3. Federation Disaster Recovery (Network/Security & Compute) with GSLB: "Federation-Demo3-DR_GSLB.mp4"

Enjoy the demos.
Dimitri

Note1: For information on NSX-T Federation we offer the "NSX-T Federation Presentation" here.
Note2: For deeper information, we also offer the "NSX-T Federation Multi-Location Design Guide (Federation + Multisite)" here.
This document attempts to describe the use cases, the configuration, the redundancy model and the design scenarios related to the NSX-T edge bridge. Even if we're talking about a 30-page white paper on a very specific topic, I can already see a few areas missing coverage. However, I think this is already useful enough to be shared with the world. Let me know your feedback on clarity. I'm more interested in making sure this is easy to understand than expanding the scope of this piece at that stage.

Thanks and regards,
Francois Tallet @ vmware

Jan 15th 2021: updated for 3.1 (CLI changes)