Automate NSX-T with PowerCLI

While working on an NSX-T project I got a question from the customer to deliver some firewall and network automation based on PowerShell, to help them speed up the creation of networks and firewall rules. I pointed them to the PowerCLI Preview for NSX-T, but I wasn’t aware that this fling was only able to retrieve information from NSX-T and not to create items/objects. So, how can we do this then? I knew we have been able to manage NSX-T since PowerCLI version 6.5.3, but how does this work?


After some google-fu I came across a blog post by Kyle Ruddy named Getting Started with the PowerCLI Module for VMware NSX-T. This article describes how the NSX-T PowerShell module works and which cmdlets are available:

  • Connect-NsxtServer
  • Disconnect-NsxtServer
  • Get-NsxtService

Only 3 commands? Yes, only 3 commands! For the simple reason that with the 3rd command you have full access to NSX-T’s public API, and therefore you’re able to retrieve and create items/objects. In the blog article Kyle also gives some examples on how to retrieve Transport Zone information or perform Logical Switch and IP Pool management. But how do we create an NSGroup or a Distributed Firewall Section? This post contains some additional examples and I’ll update it as new scripts come along.

The first thing we need to do is connect to the NSX-T Manager:


Create an NSGroup based on a Security Tag
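The following is an added example, not the original post’s script: it connects with the three PowerCLI cmdlets, lists transport zones, and then creates an NSGroup whose membership is driven by a security tag. The manager name nsxt.lab.local, the group name and the tag scope/value are placeholders, and building the nested membership_criteria element via .Help…Element.Create() follows the PowerCLI API-binding convention and is an assumption.

```powershell
# Added example (not the original post's script). Assumes an NSX-T Manager at
# nsxt.lab.local (placeholder) and the PowerCLI NSX-T module (PowerCLI 6.5.3 or later).
# Service names mirror the NSX-T API paths; building the nested membership_criteria
# element via .Help...Element.Create() follows the PowerCLI API-binding convention
# and is an assumption, as are the group name and the tag scope/value used below.

# 1. Connect. Prompt for credentials instead of hard-coding them in the script.
$nsxt = Connect-NsxtServer -Server 'nsxt.lab.local' -Credential (Get-Credential)

# 2. Retrieve: list transport zones through the public API service object.
$tzService = Get-NsxtService -Name 'com.vmware.nsx.transport_zones'
$tzService.list().results | Select-Object display_name, transport_type, id

# 3. Create: an NSGroup whose members are the VMs carrying security tag
#    scope 'tier' / tag 'web' (constructed values).
$nsGroupService = Get-NsxtService -Name 'com.vmware.nsx.ns_groups'
$groupSpec = $nsGroupService.Help.create.ns_group.Create()
$groupSpec.display_name = 'SG-Web-Servers'
$groupSpec.description  = 'Dynamic group: VMs tagged tier=web'

$criterion = $nsGroupService.Help.create.ns_group.membership_criteria.Element.Create()
$criterion.resource_type = 'NSGroupTagExpression'
$criterion.target_type   = 'VirtualMachine'
$criterion.scope         = 'tier'
$criterion.tag           = 'web'
$groupSpec.membership_criteria = @($criterion)

# Avoid duplicates: the API happily creates several NSGroups with the same display_name,
# and a firewall rule referencing the wrong copy is hard to spot later.
$existing = $nsGroupService.list().results |
    Where-Object { $_.display_name -eq $groupSpec.display_name }
if ($existing) {
    Write-Warning "NSGroup '$($groupSpec.display_name)' already exists (id $($existing.id)); not creating another."
    $group = $existing
} else {
    $group = $nsGroupService.create($groupSpec)
    "Created NSGroup $($group.display_name) with id $($group.id)"
}

# 4. Check: show the effective criteria before referencing the group in firewall rules.
$nsGroupService.get($group.id).membership_criteria |
    Format-List resource_type, target_type, scope, tag

Disconnect-NsxtServer -Server $nsxt -Confirm:$false
```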


Limit the number of VTEPs for NSX

Everyone who has deployed NSX for vSphere must have configured the VXLAN Transport Parameters.

Nothing really fancy about this and pretty straightforward. But what if you want to limit the number of VTEPs for NSX due to a specific requirement of the deployment? The number of VTEPs is not editable in the UI, as described in the NSX documentation:

The number of VTEPs is not editable in the UI. The VTEP number is set to match the number of dvUplinks on the vSphere Distributed Switch being prepared.

So when you configure the VXLAN Transport Parameters for a host that is connected to a vSphere Distributed Switch (vDS) with 6 dvUplinks, it will automatically create 6 VMkernel interfaces.

But but… (due to questionable requirements) we need it with only 2 VMkernel interfaces on a vDS with 6 dvUplinks, so how can we solve this? Well, fire up PowerNSX.

Limit the number of VTEPs for NSX with PowerNSX

Not familiar with PowerNSX? Well, you should be: PowerNSX is a PowerShell module that contains PowerShell functions that call the VMware NSX for vSphere API. It will make your life so much easier and is almost indispensable when consistency and speed are key. Here you can find how to install PowerNSX and here you can find how to use PowerNSX.

Please alter the script below to match your environment.

After the script has run successfully, the result will be only 2 VMkernel interfaces instead of the “default” 6 VMkernel interfaces:

Don’t forget to configure the uplink assignment on the VTEP portgroup afterwards: set the uplinks on which the VTEP VLANs are configured to “Active” and the rest to “Unused”.
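As an added illustration of the approach (this is not the original post’s script), the block below submits the VXLAN cluster mapping through PowerNSX with an explicit VTEP count and then checks how many VTEP VMkernel interfaces each host ended up with. The vCenter name, cluster, vDS, VLAN and IP pool names are placeholders; it assumes the vDS VXLAN context (MTU/teaming) is already configured, that the request body matches the NSX for vSphere nwfabric/configure API, and that the VTEP portgroup name pattern used in the check holds.

```powershell
# Added example (not the original post's script). Assumes PowerCLI and PowerNSX are loaded,
# a vCenter at vcenter.lab.local, cluster 'Compute-A', vDS 'vDS-Compute' (6 dvUplinks),
# VTEP VLAN 100 and an existing VTEP IP pool 'VTEP-Pool' (all placeholders), and that the
# vDS VXLAN context (MTU/teaming) has already been configured. The request body follows
# the NSX for vSphere nwfabric/configure API; vmknicCount is the value the UI does not expose.

Connect-NsxServer -vCenterServer 'vcenter.lab.local' -Credential (Get-Credential) | Out-Null

$cluster   = Get-Cluster   -Name 'Compute-A'
$vds       = Get-VDSwitch  -Name 'vDS-Compute'
$ipPool    = Get-NsxIpPool -Name 'VTEP-Pool'
$vlanId    = 100
$vtepCount = 2   # instead of one VTEP per dvUplink (6 on this vDS)

$clusterMoRef = $cluster.ExtensionData.MoRef.Value   # e.g. domain-c7
$vdsMoRef     = $vds.ExtensionData.MoRef.Value       # e.g. dvs-26

$body = @"
<nwFabricFeatureConfig>
  <featureId>com.vmware.vshield.vsm.vxlan</featureId>
  <resourceConfig>
    <resourceId>$clusterMoRef</resourceId>
    <configSpec class="clusterMappingSpec">
      <switch><objectId>$vdsMoRef</objectId></switch>
      <vlanId>$vlanId</vlanId>
      <vmknicCount>$vtepCount</vmknicCount>
      <ipPoolId>$($ipPool.objectId)</ipPoolId>
    </configSpec>
  </resourceConfig>
</nwFabricFeatureConfig>
"@

# The call is asynchronous: NSX Manager returns a job id and prepares the hosts in the background.
$response = Invoke-NsxWebRequest -method post -uri '/api/2.0/nwfabric/configure' -body $body
"Submitted VXLAN configuration job: $($response.Content)"

# Check (run once the job has completed): every host should carry $vtepCount VTEP vmk
# interfaces. NSX names the VTEP portgroup vxw-vmknicPg-<dvs-id>-...; the pattern is an assumption.
$cluster | Get-VMHost | ForEach-Object {
    $vteps = $_ | Get-VMHostNetworkAdapter -VMKernel |
        Where-Object { $_.PortGroupName -like 'vxw-vmknicPg*' }
    [pscustomobject]@{ Host = $_.Name; VtepCount = @($vteps).Count; Expected = $vtepCount }
}
```

The uplink assignment on the VTEP portgroup (Active for the uplinks carrying the VTEP VLAN, Unused for the rest) is still a separate step after this.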


Thanks to Alexander Ries for helping with the script.

NSX IPv6 Support

This week I got some good questions from a customer about NSX, especially on NSX IPv6 support.

NSX IPv6

I knew which features are not supported:

  • Distributed logical router: the DLR does not support IPv6 forwarding/routing.
  • Dynamic routing (OSPF, BGP): only IPv6 static routes are supported on the Edge Services Gateway.
  • NAT, SLAAC and DHCPv6 on NSX Edge: the workloads should use static IPv6 address allocation.

But I couldn’t immediately answer the question of which components of NSX support which connectivity: IPv4, IPv6 or dual stack. To make things worse, the NSX 6.2 Documentation Center does not contain a lot of information about IPv6 support… Luckily for me (and the customer) some insiders provided me with the necessary information, and I would like to share this with you.

Detailed NSX IPv6 Support


| Component      | Feature             | Support¹       | Notes |
| -------------- | ------------------- | -------------- | ----- |
| VM Addressing  | Guest VM Addressing | IPv4, IPv6, DS | VXLAN encapsulated packets are capable of carrying an IPv6 payload. VMs can have only static IPv6 addresses; SLAAC (RA) and DHCPv6 (relay and server) are not supported. |
| VM Addressing  | VXLAN Transport     | IPv4           |       |
| NSX Manager    | NSX Manager IP      | IPv4, IPv6, DS |       |
| NSX Controller | Management IP       | IPv4           |       |

DS = dual stack.

NSX for vSphere Configuration Maximums

This post describes the NSX for vSphere Configuration Maximums for versions 6.0.x, 6.1.x and 6.2.x.

NSX for vSphere Configuration Maximums

Whenever I got into a discussion about sizing, scalability and maximums of NSX I always turned to an excellent post written by Martijn Smit. But this post only contained information up to version 6.1.x and not the latest version 6.2.x. Then, during one of my projects, some questions around the scalability of version 6.2.x came up and we had to do some research to find these scalability numbers. You can find the results of that research below.

UPDATE: VMware has requested that I take down this article because I’ve used internal numbers that are only meant to help the field design deployments. Without other design information, the numbers alone could create support and competitive issues. Therefore I updated the article and removed the items that cannot be found on the official documentation center.

| Item                                | NSX 6.0 | NSX 6.1 | NSX 6.2 |
| ----------------------------------- | ------- | ------- | ------- |
| vCenter                             | 1       | 1       | 1       |
| Controllers                         | 3       | 3       | 3       |
| vCenter Clusters                    | 12      | 12      | 16      |
| Hosts per Cluster                   | 32      | 32      | 32      |
| Hosts per Transport Zone            | 256     | 256     | 256     |
| Logical Switches                    | 10,000  | 10,000  | 10,000  |
| Logical Switch Ports                | 50,000  | 50,000  | 50,000  |
| VXLAN/VLAN L2 Bridges per DLR       | 500     | 500     | 500     |
| Identity Firewall                   |         |         |         |
| Active Directory Groups³            | 500     | 500     | 500     |
| Users per Group³                    | 1,000   | 1,000   | 1,000   |
| Max # of users in a domain³         | 500,000 | 500,000 | 500,000 |
| VMs joined to a domain              | 1,000   | 1,000   | 1,000   |
| Maximum # of domains                | 10      | 10      | 10      |
| L3 Distributed Logical Router (DLR) |         |         |         |
| DLRs per ESXi host                  | 100     | 1,000   | 1,000   |
| DLRs per NSX Manager                | 1,200   | 1,200   | 1,200   |
| Interfaces per DLR                  | 991     | 991     | 991     |
| Uplinks per DLR                     | 8       | 8       | 8       |
| Interfaces per ESXi Host            | 10,000  | 10,000  | 10,000  |
| OSPF Adjacencies per DLR            | 10      | 10      | 10      |
| BGP Neighbors per DLR               | 10      | 10      | 10      |
| Maximum Paths with ECMP             | –       | 8       | 8       |
| L3 Edge Services Gateway (ESG)      |         |         |         |
| Maximum # of ESGs⁴                  | 2,000   | 2,000   | 2,000   |
| Maximum # of Interfaces             | 10      | 10      | 10      |
| Maximum # of Sub-interfaces         | –       | 200     | 200     |
| Secondary IP addresses              | 2,000   | 2,000   | 2,000   |

¹ As this depends on multiple factors, please contact VMware for an accurate estimate.
² Number of records over 15 days.
³ At the moment there is no upper limit on any of these numbers, so Active Directory synchronization may work with an even larger Active Directory setup.
⁴ HA does not have an impact on the maximum number of ESGs.

NSX for vSphere Configuration Maximums Disclaimer

These numbers can be used as guidance and are not 110% confirmed by VMware. I’m still hopeful that VMware will soon publish an official NSX Configuration Maximums document so we no longer have to gather these numbers from everywhere. Only time will tell 🙂 enjoy!

Trend Micro Deep Security and NSX 6.2.3 issue

Last week I had the pleasure of upgrading vCNS 5.5.4 to NSX 6.2.3 at a customer who was also running Trend Micro Deep Security 9.6 SP1. Before the upgrade I checked the compatibility matrices here, here, here and here, and it looked like everything checked out. So I went ahead with the upgrade; it went super smooth and ran without any issues. After the upgrade was completed I linked the Trend Micro Deep Security Manager to the NSX Manager and we protected the VMs, and again all looked good. But then… I ran into the most annoying error known to man (with Trend Micro Deep Security): “Anti-Malware Engine Offline” and “Web Reputation Engine Offline”.

NSX 6.2.3

Oh Joy!

Let the troubleshooting begin!

  • Filter Drivers on the ESXi hosts
    • Check: all ESXi hosts have the Filter Driver removed.
  • Guest Introspection Drivers in VMware Tools
    • Check: all VMs have an updated version of the VMware Tools with the Guest Introspection option enabled.
  • Licensing NSX
    • Check: NSX 6.2.3 is licensed as “NSX for vSphere”.
  • Licensing Trend Micro Deep Security
    • Check: Anti-Malware and Web Reputation are licensed.
  • NSX Security Policy
    • Check: the correct NSX Security Policy is in place and applied to all VMs.
  • NSX Guest Introspection Service VMs
    • Check: the NSX Guest Introspection Service VMs are deployed and the service is up and running.
  • Trend Micro Deep Security Service VMs
    • Check: the Trend Micro Deep Security Service VMs are deployed and the service is up and running.
  • Trend Micro Deep Security Policy
    • Bingo! Disabling Web Reputation also solved the “Anti-Malware Engine Offline” error. We have a lead!


NSX Manager SFTP Backup

During my last couple of NSX projects the backup of the NSX Manager proved to be somewhat of a challenge. Using the NSX Manager it is possible to create backups via the FTP or the SFTP transfer protocol, but because we wanted to adhere to the NSX hardening recommendations, SFTP is the preferred transfer protocol. No biggie, you would think, except that most of the customers did not possess proper SFTP (don’t confuse it with FTPS!!) server software to support this.

Why is it so important to create a proper backup of the NSX Manager? Well, that’s because the backup contains the following components:

  • NSX configuration
  • NSX Controllers configuration
  • Logical switches configuration
  • Routing configuration
  • Security groups, policies and settings
  • All firewall rules
  • And simply everything else that you configure within the NSX Manager UI or API

I think you now understand why you want to have these settings safely stored away.

So what are our options? The authors created a list of stand-alone SFTP servers that can be used for this task. For some customers it is difficult to procure these types of software online, and they would rather use “freeware”. Then the next problem arises: some companies won’t use encryption software if it’s not commercial… Yeah, I love those discussions with the security guys 🙂 .

OK, so just for the sake of it (and since I’m not bound by any security guys looking over my shoulder) I’m going for the NSX Manager SFTP Backup based on FreeFTPd for Windows.