Punkgeek's Posts

Thank you for your response. Is it safe enough to only limit IP addresses in the ESXi firewall?
Hello, I have an ESXi host with a public IP address, and it is connected to the vCenter via the public IP address. Given that I am unable to move the ESXi into a private network, I'm considering using VMware NSX DFW to enhance its security against ransomware. Would this solution suffice? Regards,
Hello,
Yes, the edge node is inside the nested lab, but I'm using a single uplink for the ESXi and edge vm. I've checked the MTU, and everything is working fine:
From ESXi to ESXi:
    vmkping -I vmk10 -S vxlan -d -s 8000 192.168.10.61
    8008 bytes from 192.168.10.61: icmp_seq=0 ttl=64 time=0.374 ms
From ESXi to Edge Node:
    vmkping -I vmk10 -S vxlan -d -s 8000 192.168.10.61
    8008 bytes from 192.168.10.61: icmp_seq=0 ttl=64 time=0.374 ms
How can ESXi communicate with the edge node in different VLANs? Could you please explain this?
Regards,
Hello, thank you for your response. Sorry, I wrote incorrectly. All IPs are in the 192.168.10.0/24 range, and there is no configured VLAN. NSX-T version 4. I didn't understand the part about the appliance's VTEP. How can an appliance have VTEP? It's a nested environment; I only have a single edge node and a single NSX appliance. I've attached some screenshots from nodes and hosts. Thanks
I have created a VLAN segment in NSX and a T-0 gateway. I added the created VLAN segment as the Tier-0 interface. Then, I created an overlay segment and connected it to the T-0 gateway. Everything was fine until I connected the Overlay segment to one of the virtual machines, causing the Edge node and the ESXi host to go down. I checked the VTEP between the ESXi hosts and the edge node, and they are responding with an MTU of 1700. I'm using 192.168.8.0/24 for the management; the ESXi hosts, NSX appliance, vCenter, and Edge node management IP are in this range. And 192.168.10.9/24 for the VTEP IP range.
Here are the error messages that show in the NSX:
TEP Health, Faulty TEP
    Description: TEP:vmk10 of VDS:VDS at Transport node:2e7e8310-aabb-4c9e-aec1-9f37ed1f9fa8. Overlay workloads using this TEP will face network outage.
    Recommended Action: 1. Check if TEP has valid IP or any other underlay connectivity issues. 2. Enable TEP HA to failover workloads to other healthy TEPs.
Infrastructure Communication, Edge Tunnels Down
    Description: The overall tunnel status of Edge node 31829895-3a35-432f-a2d3-0b3d24469dd6 is down.
    Recommended Action: Invoke the NSX CLI command `get tunnel-ports` to get all tunnel ports, then check each tunnel's stats by invoking NSX CLI command `get tunnel-port <UUID> stats` to check if there are any drops. Also check /var/log/syslog if there are tunnel related errors.
High Availability, Tier0 Gateway Failover
    Description: The tier0 gateway 94bd643e-a463-452c-9c66-b734a6c31623 failover from Active to Down, service-router 3b7b34f6-ebee-4dd6-afc4-ae777f7d4fd3
    Recommended Action: Invoke the NSX CLI command `get logical-router <service_router_id>` to identify the tier0 service-router vrf ID. Switch to the vrf context by invoking `vrf <vrf-id>` then invoke `get high-availability status` to determine the service that is down.
Hello, I have configured NSX-T on my nested environment and increased the MTU to 1800. While I can easily ping ESXi hosts from each other on vmk0, I encounter issues when attempting to ping the other ESXi hosts through the following command, as there is no response. Additionally, the Edge VM's tep IP address is also unreachable.
    esxcli network ip interface ipv4 get
    Name   IPv4 Address   IPv4 Netmask   IPv4 Broadcast   Address Type  Gateway       DHCP DNS
    -----  -------------  -------------  ---------------  ------------  ------------  --------
    vmk0   192.168.8.51   255.255.255.0  192.168.8.255    STATIC        192.168.8.1   false
    vmk10  192.168.10.23  255.255.255.0  192.168.10.255   STATIC        192.168.10.1  false
    vmk50  169.254.1.1    255.255.0.0    169.254.255.255  STATIC        192.168.8.1   false
    # vmkping -I vmk10 -S vxlan -d 192.168.10.21 -s 1400
    PING 192.168.10.21 (192.168.10.21): 1400 data bytes
    --- 192.168.10.21 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    # ping 192.168.8.52
    PING 192.168.8.52 (192.168.8.52): 56 data bytes
    64 bytes from 192.168.8.52: icmp_seq=0 ttl=64 time=1.036 ms
I've tried to find an article to troubleshoot this case, but I couldn't find one.