Ping to ESG Fails – NSX 6.2.x (Back to basics)

If you have problems pinging your ESG (and you are not hitting the bug in NSX version 6.1.2), be aware of the firewall rules inside the Edge Services Gateway.

By default, if you did not configure the firewall during the ESG deployment, the firewall will have the following default rules:

  1. Permit any traffic from the vse (the ESG itself) to any destination for any service
  2. The default rule: Any to Any for any service, Deny

So, if you are working in a home lab and want to receive ping replies, you can either add a new firewall rule inside the ESG to accept ICMP traffic, or just allow all traffic and services in the ESG initial configuration.

Images of both options are attached below:

At the ESG deployment:

  • Check “Configure Firewall default policy”
  • Change the Default Traffic Policy from Deny to Accept

Note: This will allow all traffic and, depending on your environment, this may result in a security breach, since it allows every type of traffic through the ESG.

[Image: esg-deployment]

After the ESG deployment, if you kept the default firewall configuration from the ESG deployment:

  • On the ESG, select Manage > Firewall
  • Select the green plus sign to add a new firewall rule for the ESG (the rule must be placed before the last rule, which is the default one that denies all traffic)
  • Configure Name, Source and Destination depending on your security needs, and for Service select ICMP Echo, which is used by ping.

[Image: esg-firewall-conf]
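To make the ordering point concrete, here is an added example (not from the original post, and not NSX's own code) that models the ESG firewall as an ordered first-match rule list with the two default rules above, and shows why the ICMP rule only works when it sits above the default deny rule; the address 192.0.2.10 and the label "esg" are constructed stand-ins.

```python
# Added example: minimal model of ESG firewall evaluation (ordered rules, first match wins). Not NSX code.
from dataclasses import dataclass

ANY = "any"

@dataclass
class Rule:
    name: str
    source: str       # "vse" (the Edge itself), an address, or ANY
    destination: str
    service: str      # e.g. "icmp-echo", "tcp/22", or ANY
    action: str       # "accept" or "deny"

@dataclass
class Packet:
    source: str
    destination: str
    service: str

def _match(rule_value: str, pkt_value: str) -> bool:
    return rule_value == ANY or rule_value == pkt_value

def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """Return the action of the first rule that matches; if nothing matches, deny."""
    for r in rules:
        if (_match(r.source, pkt.source) and _match(r.destination, pkt.destination)
                and _match(r.service, pkt.service)):
            return r.action
    return "deny"

def default_esg_rules(default_policy: str = "deny") -> list[Rule]:
    """Rule set of an ESG left at its defaults: vse -> any accept, then the any -> any default rule."""
    return [Rule("vse-to-any", "vse", ANY, ANY, "accept"),
            Rule("default-rule", ANY, ANY, ANY, default_policy)]

def with_ping_rule(rules: list[Rule], position: int) -> list[Rule]:
    """Insert an 'accept ICMP echo from the lab host to the ESG' rule at index 'position' (constructed address)."""
    new = list(rules)
    new.insert(position, Rule("allow-ping", "192.0.2.10", "esg", "icmp-echo", "accept"))
    return new

if __name__ == "__main__":
    ping = Packet("192.0.2.10", "esg", "icmp-echo")
    ssh = Packet("192.0.2.10", "esg", "tcp/22")
    print("defaults      :", evaluate(default_esg_rules(), ping))                     # deny
    print("rule above    :", evaluate(with_ping_rule(default_esg_rules(), 1), ping))  # accept
    print("rule below    :", evaluate(with_ping_rule(default_esg_rules(), 2), ping))  # deny: never reached
    print("ssh w/ rule   :", evaluate(with_ping_rule(default_esg_rules(), 1), ssh))   # still deny
    print("default accept:", evaluate(default_esg_rules("accept"), ssh))              # accept: everything passes
```

The last line is the "Default Traffic Policy = Accept" option from the deployment wizard: ping works, but so does every other service, which is the trade-off the note above warns about.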


NSX 6.2.3/6.2.4 new Vib and Service

After updating from NSX 6.2.2 to 6.2.4 I found out that there is a new VIB, esx-vdpi, deployed in the host preparation phase, and not only that: I see there is also a new service, vShield-Protocol-Introspection.

After doing some research regarding the VIB and the service, my assumption is that the two are related: the esx-vdpi VIB corresponds to the script “/etc/init.d/vShield-Protocol-Introspection”. The service and VIB may have been added to provide a “Layer 7” / “App ID” visibility function in NSX Manager, but I guess it is in tech preview and not yet available for production, which is why we cannot find any official documentation for it yet. I also found that this service was added in NSX release 6.2.3 (but remember that version 6.2.3 is buggy and not available for download).

Image before and after the update:

[Image: 6-2-4vibsservices]

Hopefully we can get more information soon… 🙂

Key points from my point of view on VMworld 2015

After attending some breakout sessions and doing some research after VMworld, here are some key points to take into consideration for this year, until next year's VMworld announcements:

– NSX is a complement to other VMware products/features (VMware is pushing for SDN)

  • Micro-segmentation and its advantages (per-VM management without the need for multiple firewalls)
  • Stretched cluster with NSX, helping you to have a single L2 site

– vRealize for solution management/health/sizing and scale

  • VMware is pushing everything to vRealize and most products can be managed by it; this is the directing management layer in VMware's view of scale.
  • Some of the new features are automated workload placement and re-balancing in order to optimize performance, new reporting options, and collection of usage statistics to improve performance.

– vCenter Server Appliance (VCSA) 6u1 has several improvements, such as:

  • The VAMI UI, accessible on port 5480, and a dedicated PSC configuration UI.
  • vCenter Update Manager (VUM) fully supported in the Web Client.

A good blog post with information on the new PSC improvements:

https://blogs.vmware.com/vsphere/2015/09/introducing-the-platform-services-controller-interface-in-vcenter-server-6-0-update-1.html

– Log Insight is an old VMware product, but there are some improvements in the reporting view with the vRealize integration, and VMware highly recommends this tool as the centralized logging tool.

– VSAN 6.1 came with the announcement (you need to update vCenter and the vSphere hosts to version 6 update 1)

  • Stretched cluster support with the use of a witness appliance or witness host (a custom ESXi image is needed)
    • The witness host needs a license if it is installed on a physical host; no license is needed if it is a nested host (the host will have a blue color instead of the regular gray color)
    • The witness host is used only as a witness and should be used as part of the pools of resources
    • The witness should not be part of the vSAN cluster.
  • There is also a need to leverage everything on L2, so an NSX solution is recommended
  • New licensing for vSAN 6.1: Standard and Enterprise (Hybrid and All Flash respectively in version 6.0)
  • Stretched cluster requires a vSAN Enterprise license

Note: With the announcement of vSAN 6 last year, there were improvements to the file system type that came with the acquisition. There is an upgrade of the file system from vSAN 5.5 to vSAN 6.x.

Some good blog posts regarding vSAN 6.1 and stretched clusters:

https://blogs.vmware.com/virtualblocks/2015/09/08/vmware-virtual-san-stretched-cluster/

vSAN 6.1 white paper:

http://www.vmware.com/files/pdf/products/vsan/VMware-Virtual-SAN-6.1-Stretched-Cluster-Guide.pdf

This is a summary of the VMware white paper on vSAN 6.1 with a step-by-step view:

http://cormachogan.com/2015/09/16/vsphere-ha-settings-for-vsan-stretched-cluster/

– SRM 6.0 as a DR orchestrator

  • VMware advises the use of vSphere Replication and NSX
    • vSphere Replication: the advantage of using vSphere Replication is to handle all the replication from the primary site to the DR site without the need to be aware of the storage or of the different APIs of the different vendors
    • NSX: for the migration from the primary site to the DR site without the need to change IP addresses, since the Logical Switch and DLR spanning both sides will manage the MAC address table and routing, making the migration more seamless for the end user.

– EVO:RAIL: something that was mentioned at the previous year's VMworld is EVO:RAIL and its evolution into EVO:RACK. VMware is working on a rack solution that it could provide to customers, with the easy and smooth deployment platform of EVO:RAIL, and with this get full integration with NSX.