Automate NSX-T with PowerCLI

While working on an NSX-T project I got the question from the customer to deliver some firewall and network automation based on PowerShell. This to help them ramp up the creation of networks and firewall rules. I pointed them to the PowerCLI Preview for NSX-T, but I wasn’t aware that this fling only was able to retrieve information from NSX-T and not create items/objects. So, how can we do this then? I knew we were able to manage NSX-T since PowerCLI version 6.5.3, but how does this work?

PowerCLI NSX-T

After some google-fu I came across a blog post of Kyle Ruddy named: Getting Started with the PowerCLI Module for VMware NSX-T. This article describes how the NSX-T PowerShell Module works and which cmdlets where available:

  • Connect-NsxtServer
  • Disconnect-NsxtServer
  • Get-NsxtService
  •  
    Only 3 commands? Yes, only 3 commands! Because of the simple reason that with the 3rd command you have full access to NSX-T’s public API! And therefore you’re able to retrieve and create items/objects. In the blog article Kyle also gives some examples on how to Retrieve Transport Zone Information or perform Logical Switch and IP Pool Management. But how do we create an NSGroup or a Distributed Firewall Section? This post contains some additional examples and I’ll update this post as new scripts will come along.

    The first thing we need to do is connect to the NSX-T Manager:

    NSGroups

    Create a NSGroup based on a Security Tag

    (more…)

    Read More

    VMworld NSX Announcements

    It’s that time of the year again, it is time for VMworld!
    And it’s going to be something special again this year, especially for everything Network Virtualization related. Everyone did their best to not spill the beans on all new nifty features that will be announced during this VMworld.
     

    What will be announced at VMworld 2017

    Some of the NSX related announcements that will be made are:

  • NSX-T 2.0
  • VMware Cloud Services Secure Networking
  • VMware Cloud on AWS
  • VMware AppDefense (previously known as Project Goldilocks)
  • vRealize Network Insight 3.5
  •  

    What’s new with NSX-T 2.0

    In case you missed the initial announcement of NSX-T you can read it here or register for session NET1510BU.

    Some of the new features of NSX-T 2.0 are:

  • Multi Domain Networking
  • Automation with OpenStack
  • CNI Integtration for Kubernetes
  • Improvements of On-Prem deployments
  • Support for Multi Off Site Clouds
  •  

    VMworld NSX-T
     

    VMware Cloud on AWS

    VMware Cloud on AWS is a VMware Service which is joint engineerd and a one stop shop for Customers.

    VCAWS
     

    This Service includes the following:

  • VMware SDDC running on AWS bare metal
  • Sold, operated and supported by VMware
  • Support for containers and VMs
  • On-Demand capacity & flexible consumption
  • Full operational consistency with On-Prem SDDC
  • Seamless workload portability
  •  

    NSX Vision

    The image below gives you an glimps into what the Network Security Business Unit (NSBU) has in store for NSX.
     

    NSX Vision
     

    AppDefense

    AppDefense will be one of the biggest announcements on the first day of VMworld. So what is AppDefense you ask? Well in short, AppDefense provides an intent-based security capability that is able to detect and block potential malicious actions and applications. The AppDefense system understands and learns what is a known good process and is also able to determine when the runtime behavior of an application deviates from its intended state. In other words, AppDefense was the missing link to provide Enterprise Security.

    Some of the features of AppDefense are:

  • Application Control
    • Comprehensive view/grouping of VMs in the datacenter
  • Runtime Anomaly Detection and Response
    • Monitor the real time state of the OS and user Applications
    • Alert and control process, network, and kernel events
  • Process Analysis
    • Built-in Process analysis engine gives overall process maliciousness as well as specific traits that are potentially suspicious
  • Orchestrate Remediation
    • Our infrastructure reach provides a more effective way to orchestrate remediation during a security incident
  • AppDefense will be (initially) deployed as SaaS service, this could be quite benefitial due to the amount of information gathered by other customers. A Proxy will be deployed on-premises to gather the information.
     

    What’s next?

    Like I desribed in an earlier blog post on the ITQ website, my main focus this year will be VMware Cloud on AWS and NSX. So please keep and eye on this site and get all the latest information on these topics.

    Read More

    Limit the number of VTEPs for NSX

    Everyone who has deployed NSX for vSphere must have configured the VXLAN Transport Parameters.

    VTEPs
     

    Nothing really fancy about this and pretty straight forward. But, what if you want to limit the number of VTEPs for NSX due to a specific requirement of the deployment? The number of VTEPs is not editable in the UI as described in the NSX documentation:

    The number of VTEPs is not editable in the UI. The VTEP number is set to match the number of dvUplinks on the vSphere Distributed Switch being prepared.

    So when you configure the VXLAN Transport Parameters for a host that is connected to a vSphere Distributed Switch (vDS) with 6 dvUplinks it will automatically create 6 VMkernel interfaces.

    VTEP-6

    But but… (due to questionable requirements) we need it only with 2 VMkernel interfaces on a vDS with 6 dvUplinks, how can we solve this? Well fire up your PowerNSX.
     

    Limit the number of VTEPs for NSX with PowerNSX

    Not familiar with PowerNSX? Well you should be, PowerNSX is a PowerShell module that contains PowerShell functions that can call the VMware NSX for vSphere API. It will make you life so much more easier and is almost indispensable when consistency and speed is key. Here you can find how to install PowerNSX and here you can find how to use PowerNSX.

    Please alter the script below to match your environment.

    After the script has run successfully, the result will be only 2 VMkernel interfaces instead of the “default” 6 VMkernel interfaces:

    VTEP-2

    Don’t forget to configure the uplink assignment on the VTEP portgroup afterwards and set the uplinks to “Active” where the VTEP VLANs are configured on and the rest to “Unused”.

    VTEP-Assignment

    Thanks to Alexander Ries for helping with the script.

    Read More

    VMworld Barcelona 2017

    While sitting on my couch browsing through emails on my phone and it suddenly went *DING* and a new email appeared with the subject “VMworld Blogger Pass, Barcelona – YOU’RE GOING!
    Wait… What?? Woohoo! VMworld Barcelona 2017 here I come!
     

    VMworld Barcelona 2017
     

    This is the first time I’m selected to receive a VMworld Blogger Pass by the vExpert Team and I’m truly grateful for this opportunity.

    While the VMware Blogger Pass covers the full conference pass but it doesn’t cover the other expenses such as flights and hotels. Luckily for me my employer ITQ sees VMworld as an opportunity to attend and share interactive sessions and group discussion with peers from the IT world.

    But if you still need a good justification for your boss to go, read this article from Fabian Lenz called “Why VMworld 2017” that contains some good reasons to convice your boss. Or even better download the “Convince Your Manager” letter from the VMworld site!

    Some handy links for VMworld:

    I hope to see you in Barcelona to chat about whatever (even non-VMware related stuff 😉 ), just say hi if you see me or hit me up on twitter @vMBaggum.

    Adiós y hasta pronto!

    Read More

    Change the vmnic order on vSphere 6.x

    There is always one ESXi host who thinks he’s special and therefore has a different configuration than its siblings. This week it was a brand spanking new UCS blade server that didn’t want to play nice and the result was a different vmnic order.

    I’ve done this fix several times before with the older versions (< v5.5) of vSphere but now it was vSphere 6.0 so the KB article 2019871 that describes how to do this up to version 5.1 did not apply any more. But all the way at the bottom there is a link to KB article 2091560 that describe how to do this with vSphere 6.x!

    How to change the vmnic order

    Log on to your “special” ESXi host with your favorite SSH client.

    Run the following command to see the current assignment of aliases to device locations:

    The output will look as follows:

    Then to reassign an alias run the following command:

    For example, if you want to swap vmnic3 and vmnic4 use the following commands:

    After you re-assigned the aliases perform a clean reboot of the ESXi host and you’re done!

    Read More

    NSX IPv6 Support

    This week I got some good questions from a customer about NSX, especially on NSX IPv6 support.
     

    NSX IPv6

    And I knew which features are not supported:

  • Distributed logical router: The DLR does not support IPv6 forwarding / routing.
  • Dynamic routing (OSPF, BGP): Only IPv6 static routes are supported on the Edge Services Gateway.
  • NAT, SLAAC and DHCPv6 on NSX Edge: The workloads should use static IPv6 address allocation.
  • But I couldn’t immediately answer the question which components of NSX supported what connectivity like IPv4, IPv6 or dual stack. To make things worse the NSX 6.2 Documentation Center does not contain a lot of information about the IPv6 support… Luckily for me (and the customer) some insiders provided me the necessary information and I would like to share this with you.
     

    Detailed NSX IPv6 Support

    (more…)

    Component Feature Support1 Notes
    VM Addressing
    Guest VM Addressing IPv4, IPv6, DS VXLAN encap packets are capable of carrying IPv6 payload. VMs can have only IPv6 static addresses. SLAAC (RA) and DHCPv6 (relay and server) are not supported
    VXLAN Transport IPv4
    NSX Manager
    NSX Manager IP IPv4, IPv6, DS
    NSX Controller
    Management IP IPv4

    Read More