Recently we have been looking to implement zero trust networking. One way to achieve this was to use physical firewall and multiple VLAN’s to break out traffic and restrict access to each VLAN this would take a long time to complete and is quite difficult to manage.
It would require adding between 30 to 60 additional VLAN to our physical servers and VMware and re assinging IP to each server which would cause a lot of downtime.
As an alternative to this I have been looking at VMware NSX to try achieve this same segmentation without the need to redesign the entire VMware networks.
NSX consists of multiple components under different planes like management, control, and data plane’s below is an image of the different plane’s.
In the next set of posts I am going to go thorough install and configuring a basic NSX deployment. I will be setting this up in a Lab environment and will use nested ESXi and appliances.
It is recommended to have NSX installed on its own management cluster along with vCenter.
First step is to download the OVA for NSX current version is 6.4.4
below are the system requirments to deploy NSX
NSX 6.4.4 is not supported on vSphere 5.5 below are the supported and recommed verison of vSphere to run NSX 6.4.4:
- For vSphere 6.0:
Supported: 6.0 Update 2, 6.0 Update 3
Recommended: 6.0 Update 3. vSphere 6.0 Update 3 resolves the issue of duplicate VTEPs in ESXi hosts after rebooting vCenter server. SeeVMware Knowledge Base article 2144605 for more information.
- For vSphere 6.5:
Supported: 6.5a, 6.5 Update 1
Recommended: 6.5 Update 1. vSphere 6.5 Update 1 resolves the issue of EAM failing with OutOfMemory. See VMware Knowledge Base Article 2135378 for more information.
Once the OVA is downloaded logon to vCenter right-click on datacenter and deploy OVF Template.
Select the location of OVA
Give the appliance a name
Select the Cluster that will run the appliance
Accept the licence agreement and click continue
Chose Thick Provision
Select the network that will be used for the management network
The next screen is where all the customization will be setup
Network settings: management IP, subnet, gateway, DNS and NTP. Leave blank if you want to use DHCP but its recommend to use static addresses
Once all setting are configured click next and confirm all settings on the last screen. Once finished the OVA should start to deploy. (Note that this failed the first time for me as I selected a host and there seems to be an issue with this in vCenter 6.7, once I selected the cluster the OVA deployed without issue)
Once the OVA had been deployed I decided to edit the memory size as I was running low on memory so I change it from 16Gb to 8Gb but for production this should be left at 16Gb.
After this you can connect using DNS name configured above or through the management IP
The last step in this post is to connect NSX to vCenter
Logon using admin and the password specified in the config of the OVA
Click on Manage vCenter Registration
both the lookup and vCenter server connection will need to be configured
Add vCenter server and user name / password
There will be a prompt to trust the vCenter certificate click yes to continue
Once configured both status should show as connected
Open the vCenter web client and once logged on there should now be an addtional tab for Networking & Security. (At the time of this post this option is only available in the Flash version of the Web client not the HTML 5 version)
In the next post we will start to configure the NSX and controllers.