Currently the router for my server VLANs is a layer 3 Cisco Nexus switch. The VMs are on Cisco UCS blades with hypervisors, and there is trunking between the Nexus switch and the UCS fabric. Let's assume that my current server VLAN 10 subnet is 10.10.10.0/24 and the gateway is 10.10.10.1. We implement an NSX edge on network 10.10.200.0; the route out of NSX is 10.10.200.1 on the Nexus switch and the path into NSX is 10.10.200.2. When we implement NSX, what would be the common method to migrate all the hosts on my server subnet 10.10.10.0/24? Would it more likely be the case that I'd create a new VLAN and subnet within NSX, say 10.10.210.0/24, VLAN 210? How would the VMs then see the new VLAN 210, as that is currently provisioned by the Nexus and the UCS? Or, as opposed to moving all the servers to a new VLAN/subnet, might there be a means to migrate the entire VLAN to be within NSX, which would avoid the re-addressing? Thank you for any insight, as I've never done one of these migrations before. I've only been an NSX user in an environment that had already been set up. TY
The NSX edge being able to have additional uplink interfaces, I think, is the key info. Thank you! As for NSX-T, gawd. I left the NSX game just as it was starting to get popular and didn't look deeply at it. I was under the impression that people would use NSX-T if they wanted to integrate VMs/NSX into the cloud. But perhaps you're suggesting the product overall is now just called NSX-T? Not sure where you were going with that distinction.
There is an Internet-facing firewall with, say, three interfaces: outside, inside and DMZ. All the servers presently are VMs reachable from the inside interface of that Internet-connected firewall. So now I want to move some of the servers to a DMZ. Since we'll be implementing NSX, I see two options: 1) Keep all of the VMs reachable from that inside FW interface and create a DMZ VLAN/subnet within NSX. All traffic would flow from the inside interface to NSX Edge VM routing. Restrict traffic in and out of that DMZ using the NSX firewall ability. This seems simplest. 2) Somehow employ the Internet-connected firewall's DMZ interface to the NSX/VMware environment via a second edge VM. It's the second scenario I'm trying to think through. Is it possible for an NSX environment to have two edge VMs/routers? One would be just for routing to the DMZ and the other edge would be handling all other traffic. If I'm still clear as mud I can post a diagram of the idea.
I would like to integrate NSX with my PAN firewall such that the PAN DMZ interface becomes a gateway into the NSX-controlled VLANs. So north-south traffic would be regulated by the PAN and host-to-host flows would be restricted via tag-based policies in NSX. I also want to have a gateway into NSX from the internal Cisco Nexus switch. Q: is it possible to have two gateways into NSX? It's been a while since I worked with it. Thank you.
I've been aware of NSX, as my company of the last 18 months has VMware but no NSX. I wondered what progress has been made with NSX-T with regards to Azure. With NSX-T are you able to move VMs between a traditional data center and an Azure vNet? TY
The company is running vSphere 6.5 and has no vRealize products. What is the best way to judge the network performance for ESXi or VM iSCSI to the datastore? If I go to a specific datastore and then Monitoring/Performance I can see a bunch of real-time statistics. Are these the best benchmarks to determine if the network path to the storage is working well? What other tools could be brought to bear to determine if the path to the storage is fast and wide in throughput, not inducing any latency?
On a previous assignment, I ran into an issue where once in a while a Distributed Firewall rule would not be effective in permitting the intended traffic. The resolution would be to change from using the VM name to using an IP address instead. At a later time we became pretty sure that the problem was related to some VMs not having been updated with the latest VMware Tools. Does anyone have any more insight into this? Seen this issue? Is there a particular version of VMware Tools where being able to use the VM name in your DFW rules becomes enabled? Thank you.
I normally use VRNI to capture flows. But I used Application Rule Manager in one instance yesterday. I was surprised to find flows captured in ARM that did not show up in VRNI. One issue that's going on is that the communications channel between NSX Manager and the ESX host of the VM of interest is down. Could that cause a problem in the completeness of flow reporting to VRNI from that VM/host? Any other thoughts on why some flows might show up in ARM but not VRNI?
Summarizing for future seekers: grep through /var/log/vsfwd.log and /var/log/netcpa.log; ps | grep vsfwd; p. 16, 19 of https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.3/nsx_63_troubleshooting.pdf
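The manual steps summarized above (confirm the vsfwd agent is running, then grep the agent logs for communication problems) scripted as a small triage helper. This is an added example, not code from the post or from VMware: the `ps` output and the log lines are constructed for the example and do not reproduce the real format of vsfwd.log or netcpa.log, so adjust `PROBLEM_PATTERNS` and `HEALTHY_PATTERNS` to the wording you actually see on your hosts.

```python
"""Triage helper for NSX-v host firewall agent (vsfwd) connectivity.

Added example. Mirrors the manual procedure: check that vsfwd is
running (ps | grep vsfwd), then scan /var/log/vsfwd.log and
/var/log/netcpa.log for lines that indicate the channel to NSX
Manager is broken. Sample inputs below are constructed; the real
log formats differ and the patterns are assumptions to be tuned.
"""
import re
from typing import Dict, List, Optional

# Assumed keywords worth grepping for (case-insensitive). Tune to the
# wording in your environment's logs.
PROBLEM_PATTERNS = re.compile(r"(fail|error|timeout|disconnect|refused|unreachable)", re.I)
HEALTHY_PATTERNS = re.compile(r"(connection established|connected to|heartbeat ok)", re.I)

# Constructed stand-in for `ps` output on an ESXi host.
PS_SAMPLE = """\
2100453 2100453 hostd             /bin/hostd
2101077 2101077 vsfwd             /usr/lib/vmware/vsfwd/bin/vsfwd
2101220 2101220 netcpa-worker     /usr/lib/vmware/netcpa/bin/netcpa
"""

# Constructed log excerpt (NOT the real vsfwd.log format).
LOG_SAMPLE = """\
2019-03-04T10:00:01Z vsfwd: connection established to manager 10.10.5.5:5671
2019-03-04T10:05:17Z vsfwd: heartbeat timeout, retrying in 30s
2019-03-04T10:05:48Z vsfwd: connection refused by 10.10.5.5:5671
2019-03-04T10:06:20Z vsfwd: connection established to manager 10.10.5.5:5671
2019-03-04T10:06:21Z vsfwd: applied firewall config revision 4182
"""


def vsfwd_running(ps_output: str) -> bool:
    """True if a vsfwd process appears in the ps listing (ps | grep vsfwd)."""
    return any(re.search(r"\bvsfwd\b", line) for line in ps_output.splitlines())


def find_problem_lines(log_text: str) -> List[str]:
    """Return every log line matching a problem keyword, in order."""
    return [line for line in log_text.splitlines() if PROBLEM_PATTERNS.search(line)]


def last_state(log_text: str) -> Optional[str]:
    """Walk the log and return the most recent observed state: 'ok', 'problem', or None.

    A problem line followed by a healthy line is treated as recovered,
    which is the pattern behind the transient disconnects discussed on
    this page.
    """
    state: Optional[str] = None
    for line in log_text.splitlines():
        if HEALTHY_PATTERNS.search(line):
            state = "ok"
        elif PROBLEM_PATTERNS.search(line):
            state = "problem"
    return state


def triage(ps_output: str, log_text: str) -> Dict[str, object]:
    """Combine the checks into one result a consultant can hand to the admins."""
    problems = find_problem_lines(log_text)
    return {
        "vsfwd_running": vsfwd_running(ps_output),
        "problem_count": len(problems),
        "last_state": last_state(log_text),
        "problems": problems,
    }


if __name__ == "__main__":
    # On a real host you would read the files instead of the samples:
    #   triage(open("/proc/ps_output"), open("/var/log/vsfwd.log").read())
    result = triage(PS_SAMPLE, LOG_SAMPLE)
    print(f"vsfwd running: {result['vsfwd_running']}")
    print(f"last state:    {result['last_state']} ({result['problem_count']} problem lines)")
    for line in result["problems"]:
        print("  ", line)
```

If the agent is running but `last_state` keeps flipping between `problem` and `ok`, that matches the transient "disconnected" behaviour described elsewhere on this page, and the timestamps of the problem lines are what you want to correlate against failed rule publishes.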
In Networking & Security/Installation I see some ESXi hosts in some clusters down for communication from NSX Manager to the Firewall Agent. What are the recovery options?
I don't see a direct means to do this, but figured I'd ask the community. Is there any means to report all members of a Security Group? All children, grandchildren, great-grandchildren?
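One way to get the transitive membership the question asks for, as an added example that is not NSX code and not part of the original post. It assumes you have already fetched each Security Group's direct members (NSX-v groups can contain other Security Groups alongside VMs, IP sets and similar objects) and loaded them into a plain dict; the group names, IDs and member types below are hypothetical. The traversal is breadth-first so each leaf is reported at the shallowest nesting depth it appears, and it guards against groups that include each other in a cycle.

```python
"""Expand the effective (transitive) membership of nested Security Groups.

Added example. GROUPS is a constructed model: group id -> list of
direct members as (member_type, member_id). In a real environment you
would populate it from the NSX Security Group definitions; the ids
and types here are hypothetical. Dynamic (criteria-based) members are
not resolved by this code, only the statically listed ones.
"""
from collections import deque
from typing import Dict, List, Tuple

Member = Tuple[str, str]  # (member_type, member_id)

GROUPS: Dict[str, List[Member]] = {
    "securitygroup-10": [
        ("VirtualMachine", "vm-100"),
        ("SecurityGroup", "securitygroup-11"),
    ],
    "securitygroup-11": [
        ("VirtualMachine", "vm-101"),
        ("SecurityGroup", "securitygroup-12"),
    ],
    "securitygroup-12": [
        ("VirtualMachine", "vm-102"),
        ("IPSet", "ipset-5"),
        ("SecurityGroup", "securitygroup-10"),  # cycle back to the root
    ],
}


def expand_members(group_id: str, groups: Dict[str, List[Member]]) -> Dict[Member, int]:
    """Return every non-group member reachable from group_id.

    The value is the nesting depth at which the member was first found:
    0 = direct child, 1 = grandchild, 2 = great-grandchild, and so on.
    Groups already visited are skipped so cycles terminate.
    """
    seen = {group_id}
    leaves: Dict[Member, int] = {}
    queue = deque([(group_id, 0)])
    while queue:
        gid, depth = queue.popleft()
        for mtype, mid in groups.get(gid, []):
            if mtype == "SecurityGroup":
                if mid not in seen:
                    seen.add(mid)
                    queue.append((mid, depth + 1))
            else:
                # BFS order guarantees the first sighting is the shallowest.
                leaves.setdefault((mtype, mid), depth)
    return leaves


def membership_report(group_id: str, groups: Dict[str, List[Member]]) -> List[str]:
    """Human-readable lines, one per effective member, sorted by depth then id."""
    rows = expand_members(group_id, groups)
    labels = {0: "child", 1: "grandchild", 2: "great-grandchild"}
    lines = []
    for (mtype, mid), depth in sorted(rows.items(), key=lambda kv: (kv[1], kv[0])):
        label = labels.get(depth, f"depth-{depth}")
        lines.append(f"{group_id}: {mtype} {mid} ({label})")
    return lines


if __name__ == "__main__":
    for line in membership_report("securitygroup-10", GROUPS):
        print(line)
```

The depth is what makes the report useful for rule review: a VM that only reaches a DFW rule as a great-grandchild of the group named in that rule is easy to miss when eyeballing the UI.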
That's very helpful. Thank you. On this consulting gig I don't think I have access to the ESXi hosts, unfortunately. Only access to NSX, VRNI and vCenter. Perhaps access to the NSX CLI. Perhaps a thought on verifying the push with one of those tools?
I'm on a gig where the customer has NSX deployed for its DFW feature, but no NSX controllers or edges. In VRNI I noticed the warning message below regarding the NSX managers. The full message is "Please enable NSX controller and NSX edge for richer data collection." What additional collection would they get with NSX controller and edge deployed?
That's a big help. Thank you. It's such a strange experience consulting and having such restricted access. But I can be more focused in my asks of the admins armed with this.
A co-worker at a microsegmentation gig pointed out that controller nodes frequently go to Disconnected. In Networking and Security I'm referring to Installation and Upgrade/Management/Controller Nodes. I only have limited access and no ability to open a ticket on the environment. I wonder if anyone on the forum has seen this before. They have many controller clusters, 10 or more, whereas in my previous environment we only had one and I never saw this issue. The problem it causes is when we want to publish distributed firewall rules: the rules will fail to push to the clusters that are temporarily in the Disconnected state. The condition is always very transient and comes back in a few moments. But it can cause a problem with publishing of the rules. Has anyone ever seen this before? Is it a known bug? Other thoughts?
Your issue was with VRNI or VRLI? I suppose that the same issue could apply to VRLI, for example if the license request was for an IP address other than what actually got processed at VMware. Or if a second device literally took on the same IP address. I'm away for about a week so I won't be able to try out this line of investigation for a bit. But I appreciate the idea.