EvertAM Tracker

Re: MULTI_OVERLAY_TZ_USE_COUNT not supported for configuration import on global manager

EvertAM — Fri, 10 Nov 2023 10:49:25 GMT

I have no hand's on experience with Federation, so this might be a stupid suggestion, but have you checked that you don't have any unassigned TZ overlays?

Re: NSX cluster backup error

EvertAM — Fri, 10 Nov 2023 10:44:09 GMT

Have you tried removing and recreating the scheduled backup?

Re: Export of DFW from NSXT

EvertAM — Fri, 10 Nov 2023 10:04:39 GMT

Not PowerCLI, but you should be able to retrieve all DFW rules through the API as well.

Loop through this to get all policy id's:
GET /policy/api/v1/infra/domains/<domain-id>/security-policies

Then use the results to loop through this to get an overview of all the rule-ids within each policy:
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules

And finally, you could loop this to get the details for every rule within the policy:
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>

This should allow you to output it all in JSON.
Alternatively, consider managing the rulebase through IaC, that should give you a permanent overview of your rules in a repository.

Re: NSX-T log source port

EvertAM — Fri, 10 Nov 2023 09:53:43 GMT

The client is in charge of choosing it's TCP source port, either completely dynamically, like you'll see with a browser, or a fixed port (or pool of ports) for something like DHCP for example.

It appears that the client (the source in this logs) has setup multiple connections to the same host.
It's hard to tell if this is normal in this specific instance, tcp/343 is not an IANA assigned port and I personally don't really recognize it.

Re: NSX cluster backup error

EvertAM — Fri, 10 Nov 2023 09:28:15 GMT

You probably already did this, but have you verified the available disk space? It wouldn't really explain why the manual backup works, but it never hurts to check I guess.

Re: VMware ALB - Email Alerts Are Slooooow

EvertAM — Thu, 02 Nov 2023 13:25:37 GMT

Gotcha. Only other config item I can think of is that the alert itself might be set for "Rolling window" instead of instance. It might be worth a check, my personal next stap would be to contact support and ask them

Re: VMware ALB - Email Alerts Are Slooooow

EvertAM — Wed, 01 Nov 2023 23:26:22 GMT

Have you checked the health monitor to make sure it triggers instantly? Generally, you want some leniency to make sure you don't generate false alerts.

Re: Add NSX NAT Rule with service entry configured with port number range

EvertAM — Wed, 01 Nov 2023 23:23:11 GMT

I believe your issue might be that you're adding multiple ports to both the original and the translated ports. Adding multiple ports is generally used for NAT overload.

Based in your screenshot, you're trying to NAT all traffic to an IP, but only allow certain ports in. This would be better handled using a firewall rule. If you are specifically trying to NAT only 3 ports (while handling traffic to other ports differently), I think you'll need multiple NAT rules.

Re: NSX ALB Avi 30.1.1 - macro API "Input object does not have model_name field" even thou

EvertAM — Wed, 01 Nov 2023 23:28:36 GMT

Do you have a (cleaned up if needed) example of the payload you used?

Re: NSX-T API - Add a Group with Multiple Tags

EvertAM — Wed, 01 Nov 2023 23:15:54 GMT

It should be possible (the Terraform provider supports it at least).

Make sure you have the syntax completely correct. Based on the output there, you'll need both expression AND expressions in your body.

Re: Which NSX API should I use?

EvertAM — Fri, 13 Oct 2023 08:57:40 GMT

Do I correctly understand that you want to verify if a transport node has been removed from the fabric? Or do you want to check if NSX was outright uninstalled from the machine?

Re: Migration and Infrastructure preparation

EvertAM — Mon, 09 Oct 2023 09:59:05 GMT

This might sound obvious but have you checked if that group already exists in NSX-T?

You can find them under Inventory -> Groups

Re: NON-IP Distributed Firewall Category

EvertAM — Fri, 29 Sep 2023 14:29:48 GMT

Ethernet would be considered non-IP, it is meant for all your L2 rules.

However, the categories themselves do not necessarily restrict you from the rules you can make in them. They are recommendations for to help you with ordering and building your firewall policies.

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-6AB240DB-949C-4E95-A9A7-4AC6EF5E3036.html

The documentation is for 3.2, but this hasn't really changed between recent versions I believe, it's still the same in 4.x at least.

Re: Use Aria Operations for Network (vRNI) to build wave migration

EvertAM — Fri, 25 Aug 2023 06:39:22 GMT

We've been doing it manually actually, but our environment is smell enough. As part of our migration we do also tag new VM's with a predefined set of categories to identify them. We use these as the member criteria for our NSX Security groups as well.

Assuming you've already consistently tagged VM's, using those is probably not a bad idea

Re: NSX-ALB System-Default-Secure-Channel-Cert

EvertAM — Wed, 23 Aug 2023 15:17:38 GMT

It doesn't seem to be universal, we've recently upgrade to 22.1.4 but did not encounter the issue.

Based in the expiration dates, it seems like your System-Default-Root-CA was somehow renewed. Our controllers show the same expiration dates for both the root and the Secure-Channel-Cert (with the root expiring one second earlier).

You could try to renew the Secure-Channel-Cert, but that might be bit risky in a production environment.

Re: Use Aria Operations for Network (vRNI) to build wave migration

EvertAM — Wed, 23 Aug 2023 10:04:18 GMT

We're in the process of doing this right now now.

Some of our experiences below:
- Try to add other sources outside of your VMware environment (switches, loadbalancers, ...), this will help in identifying flows that aren't necessarily virtual.
- vRNI has a LOT of information, and it can be quite a challenge to sift through it
- Flows are only ever stored for 30 days, something to keep in mind if you have flows that might only occur every so often
- Define your applications and tiers in vRNI (under Applications -> All Applications -> Add). This will help tremendously in analyzing flows

I don't believe it's a good idea to use vRNI to define the contents of your waves. Identify (some of) your applications, and sort those into waves. Secure based on an application, not a VM.

Re: NSX IDS/IPS with VLAN Segment

EvertAM — Wed, 09 Aug 2023 15:55:45 GMT

Your understanding is correct. This IDS/IPS engine is part of the distributed firewall, which does not require NSX overlay segments to function.

Re: IP Prefix on BGP tunnels

EvertAM — Wed, 09 Aug 2023 15:52:05 GMT

That's probably not gonna work for your goal. The out filter will filter out routes that the T0 advertises to the outside world. Based on your message, you want to apply something like this to the the MPLS peers (incoming):

0.0.0.0/0 Deny
Any Allow

This will cause the MPLS peers to not accept a default route from the remote side, this in turn will cause the T0 to not install a default route from the MPLS peers in it's routing table. You might additionally want to add some extra rules in there for other public IP's, but that will depend on your environment.

For this usecase, you don't necessarily need any other filters I believe.

It is best practice to only allow your own public address space on an outgoing BGP filter (even though your ISP should be filtering this as well), and to deny any incoming private subnets from your ISP (again, they should not send this, but if everyone did there job properly, most of us would be out of a job). All of this assumes that you are directly peering to an ISP of course

Re: IP Prefix on BGP tunnels

EvertAM — Wed, 09 Aug 2023 12:50:20 GMT

Are you applying these as incoming or outgoing filters?

Re: IP Prefix on BGP tunnels

EvertAM — Wed, 09 Aug 2023 06:58:21 GMT

Where did you apply these exactly?

You'll generally use prefix lists to filter which routes you accept into the routing table, and which prefixes you want to advertise.

Your screenshots don't have the name on them, but one of them outright denies everything right at the top, so that's a likely culprit. The list will be checked top to bottom and hit on the first match.

Am I understanding correctly that you're trying to force internet traffic through the internet line, and all other traffic through the MPLS?