VMware vRealize Automation 8.1 – Part1: Cloud Assembly & Service Broker

Welcome back techies. I have picked up this topic for my series of blogs because it is in huge demand in the market, and customers are slowly moving to private cloud using this product. VMware vRealize Automation is a modern infrastructure automation platform that enables self-service multicloud environments. With vRealize Automation, customers can increase agility, productivity and efficiency through self-service automation, by reducing the complexity of their IT environment, streamlining IT processes and delivering a DevOps-ready automation platform.

This post focuses on the configuration of the vRA 8.1 environment. At the end of this series, you will have a clear understanding of the configuration of a vRA 8.1 environment, and of how a user gets a portal to request servers from the catalog.

I have already explained the deployment procedure of vRA 8.1 in my previous post here.

https://virtualrove.com/2020/06/22/vrlcm-8-1-part1-deployment-configuration/

This vRA 8.1 series is divided into the following parts.

VMware vRealize Automation 8.1 – Part1: Cloud Assembly & Service Broker
VMware vRealize Automation 8.1 – Part2: Cloud Accounts, Projects & Cloud Zones
VMware vRealize Automation 8.1 – Part3: Flavor Mapping & Image Mapping
VMware vRealize Automation 8.1 – Part4: Network Profiles
VMware vRealize Automation 8.1 – Part5: Blueprints
VMware vRealize Automation 8.1 – Part6: Content & Catalog
VMware vRealize Automation 8.1 – Part7: User Permissions, Roles & Branding

At this stage, I have a 4-host ESXi cluster, a vCenter, and vRA & vIDM deployed through vRLCM.

VMware Identity Manager is already integrated with vRA as part of vRLCM deployment procedure. Our Active Directory has already been integrated with vIDM. Check the procedure here.

https://virtualrove.com/2020/07/11/vmware-vrlcm-8-1-part3-identity-manager-ad-integration/

Let's begin the show.

Log into the vRA URL with the local account.

You get the 'Cloud Services Console' upon login.

'Launch Quickstart' – Use the built-in guided setup to configure your vRA env. However, we will use manual setup to understand all components.

Cloud Assembly: vRealize Automation Cloud Assembly is a cloud-based service that you use to create and deploy machines, applications, and services to your cloud infrastructure. The primary purpose of vRealize Automation Cloud Assembly is to create blueprints, and then deploy the blueprints.

Click on ‘Cloud Assembly’.

We will see Deployments, Design & Infrastructure tabs in detail in my upcoming posts.

Service Broker: You provide the blueprints and other templates to your consumers in a catalog. Your consumers can manage their deployments. You can also create and apply policies on this page. It is a simplified user interface that cloud administrators make available to users whose teams do not need full access to developing and building the blueprints or templates.

Code Stream: vRealize Automation Code Stream models the tasks in your software release process, and automates the development and test of developer code to release it to production.

vRealize Orchestrator: Anything as a service. You create custom workflows here as per your need and publish them into the catalog. This is really a big topic and I will try to cover at least one workflow to give you an example.

Multitenancy: A vRA 8.1 environment can also be configured for multitenancy. In this setup, you assign dedicated infrastructure to a particular tenant. Organizations can choose whether or not to enable tenancy based on their need for the logical isolation provided by multitenancy. I will try my level best to set up multitenancy and show you an example.

That's it. This is a small introduction to and navigation of vRA 8.1. It's been a while since I worked on vRA. I remember doing an implementation of the 6.x version long back and a little work on 7.x last year, so I will explain the naming conventions that were replaced in 8.x. I have not used any specific documentation to configure the environment explained in my upcoming blogs; I just used my experience with earlier versions and started configuring it. So, please suggest if you want me to add anything that is missing and should have been in the post. Thank you. 😊

We will begin the configuration of the vRA 8.1 environment in my next post.

Are you looking out for a lab to practice VMware products..? If yes, then click here to know more about our Lab-as-a-Service (LaaS).

Subscribe here to receive emails for new posts on this website.

VMware vRLCM 8.1 – Part3 Identity Manager & AD integration

We did the deployment of vROPS & vRB in my last post; vRA 8.1 & Identity Manager were already installed as part of the vRLCM deployment. All products have already been integrated into VMware Identity Manager (vIDM). For now, only local users can log into these products because we have not integrated Active Directory into vIDM. In this post, I will walk you through the procedure to integrate AD into vIDM.

VMware Identity Manager is the identity and access management component of Workspace ONE. Workspace ONE is a new VMware offering designed to directly address challenges faced by organizations in the consumerization of IT. Workspace ONE is the simple and secure enterprise platform that delivers and manages any app on any device by integrating identity, application, and enterprise mobility management.

Let's log in to vIDM using the local idm account. We provided this account information while deploying vIDM.

Notice that the header of the page has the Workspace ONE logo, and I see the vRLCM application listed in the catalog.

After my last post on vROPS and vRB, I saw these two applications listed here. I deleted them to free up my compute resources.

Next, click on the user account > Administration Console.

You will land on the Dashboard of vIDM. Click 'Identity & Access Management'.

We only see 'System Directory' here. Let's integrate our Active Directory so that users from AD can access the applications integrated into vIDM.

Click on ‘Add Directory’
Directory Name: dtaglab.local

Click the radio button to select ‘AD (Integrated Windows Authentication)’

Scroll down and provide Join Domain details.

Bind User details > Save & Next

Select your domain and Next.

Next

If you want to sync groups from AD, click on the + sign on this page.
For now, I will only sync users from AD. Click Next without any action on this page.

Click on the + sign and provide the user DNs (Distinguished Names).
On this page, you specify the location in AD from which users are synced.

The DN can be obtained from AD users and groups, as shown here.

On the Review screen, you get a summary of the users that are going to sync with vIDM.

Scroll down to check for errors.

This error is for the 'Guest' & 'krbtgt' users, which do not matter to us for now.

Note: You have to configure 'First Name', 'Last Name' & 'Email address' for the users to be synced with vIDM. Users do not show up if these properties are not defined.
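A pre-sync check for the user DN and attribute requirements described above, as an added example that is not part of the original post: it parses the LDIF that a plain ldapsearch (or any AD export) returns for the users under the DN you give vIDM and reports the accounts vIDM would skip because givenName, sn or mail is missing. The LDIF is constructed sample data for the dtaglab.local domain used in the post; the user names are invented.

```python
"""Report which AD users under a given DN would be skipped by the vIDM sync.

Added example, not part of the original post. The LDIF below is constructed
sample data for the dtaglab.local domain; the user names are invented.
"""

# Attributes vIDM maps to First Name, Last Name and Email address.
REQUIRED_ATTRS = ("givenName", "sn", "mail")

SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=dtaglab,DC=local
objectClass: user
sAMAccountName: alice
givenName: Alice
sn: Example
mail: alice@dtaglab.local

dn: CN=Bob Example,CN=Users,DC=dtaglab,DC=local
objectClass: user
sAMAccountName: bob
givenName: Bob
sn: Example

dn: CN=krbtgt,CN=Users,DC=dtaglab,DC=local
objectClass: user
sAMAccountName: krbtgt

dn: CN=svc-backup,OU=Service Accounts,DC=dtaglab,DC=local
objectClass: user
sAMAccountName: svc-backup
givenName: Backup
sn: Service
mail: backup@dtaglab.local
"""


def parse_ldif(text):
    """Turn LDIF entries into a list of {attribute: [values]} dicts (handles folded lines)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip()
        if value.startswith(":"):                   # "attr:: ..." base64 values are left undecoded here
            value = value[1:].lstrip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def users_under(entries, base_dn):
    """Keep user objects whose DN sits under base_dn (the DN you give vIDM on the user DN page)."""
    suffix = base_dn.lower()
    return [e for e in entries
            if "user" in (v.lower() for v in e.get("objectClass", []))
            and e["dn"][0].lower().endswith(suffix)]


def sync_report(entries, base_dn):
    """Return (will_sync, skipped): skipped maps sAMAccountName -> the missing attributes."""
    will_sync, skipped = [], {}
    for e in users_under(entries, base_dn):
        name = e.get("sAMAccountName", e["dn"])[0]
        missing = [a for a in REQUIRED_ATTRS if not e.get(a)]
        if missing:
            skipped[name] = missing
        else:
            will_sync.append(name)
    return will_sync, skipped


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    ok, skipped = sync_report(entries, "CN=Users,DC=dtaglab,DC=local")
    print("will sync:", ok)
    for name, missing in skipped.items():
        print(f"skipped {name}: missing {', '.join(missing)}")
```

Run it against a real export by replacing SAMPLE_LDIF with the output of an ldapsearch for the same DN you enter in vIDM; krbtgt showing up as skipped matches the review-page error in the post.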

Click ‘Sync Directory’ on the review page.

The sync has started. It takes a little time, depending on how many users there are to sync. Click 'Refresh Page' and check the status. You see a green check mark and the number of synced users shows up.

And we are done. We have integrated Active Directory into vIDM, and all synced users can be given access to the applications that are integrated with vIDM.

Remember, you still have to manually give permissions to the users for a specific application. We will see that in my next post when we start configuring vRA.

I hope that the information was helpful. Keep learning. 😊


VMware vRLCM 8.1 – Part2: vRLI, vRNI, vROPS & vRB deployment

In my last post, we did the deployment of vRLCM 8.1 successfully and checked some troubleshooting steps too. The initial deployment installed vRLCM, vRA & vIDM. Check my previous blog for more details here: https://virtualrove.com/2020/06/22/vrlcm-8-1-part1-deployment-configuration/

This post will focus on adding binaries to vRLCM and deploying the remaining vRealize Suite products. Before we move forward, let's navigate through vRLCM to check more options.

You get this page as soon as you log in to vRLCM.

Lifecycle Operations: As an administrator, you will mostly spend your time in lifecycle operations. This application will let you manage the Day 0 to Day 2 operations of all your vRealize Suite products.

Locker: This place is mostly for certificate management. You can generate certificates, import them, or generate a CSR here. You can also manage passwords and licenses on this screen.

User Management (Identity and Tenant Management): All tasks related to authentication can be performed on this screen. You can add directories (Identity Sources) here and manage users and permissions.

Content Management: You use the content management APIs to manage software-defined data center (SDDC) content. To manage SDDC content, you first need to add it as an endpoint on this screen. There are several other options on this screen. You will have to check VMware's detailed documentation if you want to take advantage of content management.

Marketplace: Use this option to add and manage content from Marketplace.

‘Lifecycle Operations’ is the area of interest for us. All important tasks will be performed from this screen.

Click on ‘Environments’

We already have a globalenv (vIDM) & vRA-8. Check more details under 'View Details'.

Let’s create a new environment.

A message appears: 'Before you create an environment to deploy a product, you must download or discover the Product Binaries.'

Settings> Binary Mapping >Add Binaries

Before you move on, make sure that you have uploaded all OVA files of the vRealize Suite products to the /data/ova location in the vRLCM appliance using WinSCP. I have the following OVA files downloaded; however, I was not able to upload them all to vRLCM due to a space issue. Remember, in the previous post I mentioned that the storage requirement is 48 GB for vRLCM, and it used all of that after uploading 3 files from the list below. I will check on increasing the storage allocation for the vRLCM VM. For now, let's proceed with 3 products.

I uploaded vRLI, vRB & vROPS to the /data/ova/vRLCM directory and discovered them in vRLCM.

Check the request for the status.

The request shows in progress for a couple of minutes.

Let’s create an environment now.

Provide the Name, admin email, password from the list & DC.

Click Next to select the products that we want to install. I got an error at this stage, which also answered my question regarding storage allocation.

‘Disk usage of the system is very high at 100%’

Settings> System Details >Click on ‘Extend Storage’

Provide the required information and click ‘Extend’

Check the request status.

The request will take a minute to complete. At the same time, we see that the vRLCM VM's disk2 size has been increased in vCenter. I also uploaded the VRNI ova file to the /data/ova/vrlcm folder. Go to 'Requests' and click on the pending request to return to the 'Create Environment' task.

Select the products that you want to install. I have selected vROPS & vRB, with deployment type 'Standard' for all of them.

Check the EULA and click next.

Add the appropriate licenses, then Next.

Next is Certificate. Upload one or create one on the same page.

Select Infrastructure details. This is where your products will get installed.

Scroll down to select ‘Integrate with idm’. We want our domain users to access this product.

Provide common network parameters on this screen.

Select each product & fill out the parameters as shown in the pic below.

Run the pre-check before you start the installation.

Resolve any issues that you see in the ‘Results’ section.

Check the summary and click ‘Submit’

You will see a 'Request' in progress.

At the same time, we see a vros VM getting created in vCenter.

Both, vROPS & vRB got installed.

Request shows completed in vRLCM.

We also see an SDDC environment in the 'Environments' section.

Click on View Details under SDDC to check more details.

Let’s log into vROPS.

vRB is also in place, and both of them are registered with vIDM.

I could not deploy the rest of the products through vRLCM due to a compute resource issue. I will try to clean up and deploy the remaining products as and when time permits. However, the entire procedure remains the same: select vRNI & vRLI while creating the new environment.

That’s it for this post. I hope that the information was helpful.


vRLCM 8.1 – Part1: Deployment & Configuration

Introduction: vRealize Suite Lifecycle Manager provides a single installation and management platform for the following vRealize Suite products.

We will install all of them using vRLCM. VMware has really made life easy by introducing vRLCM. It automates the installation, configuration, management & patching from a single pane of glass.

With that, let's begin with the installation. Obtain the 'vra-lcm-installer 8.1.0' ISO from VMware downloads. I am installing this on a 4-host cluster with just a vCenter in it. The minimum hardware requirement for vRLCM is 6 GB of memory and 48 GB of storage (Thick Provision).

Create a DNS record for the vRLCM VM.

Mount the vRLCM ISO file on one of the Windows machines in the environment.

Navigate to 'vrlcm ui installer\win32' and open the 'Installer' application.

Install

Next

We will provide the target vCenter where we want our vRLCM to get installed.

Fill in the information and click Next.

Accept the certificate.

Next, select the location, Compute Resource & Storage location.

Next, Network Configuration. Here we specify network information for all 3 products, i.e. vRA, vRLCM & vIDM. We don't provide the IP address of the application on this screen. Fill in the info and click Next.

Password Configuration: This password will be applied to all root and admin accounts for all products.

Provide the vRLCM hostname and IP address here. Leave the rest at default.

Next is VMware Identity Manager. You have the option to skip the deployment of vIDM; it can be triggered later from vRLCM. Review the information given on this page.

Note: Without installing or importing a VMware Identity Manager, you cannot access any other environment from Lifecycle Manager.

If you decide to deploy it now, then you get 2 options: either install a fresh instance or import an existing vIDM.

We will go with a fresh install. Let's create the DNS record for vIDM first.

Provide the FQDN and IP address for the vIDM VM.

Scroll down to enable 'Sync Group'. If this is not done, then it only syncs group names, and users do not get permissions until the group is specifically entitled to an application.

Next is the vRA deployment. You also have an option to skip this.

We will disable this option to install a Standard deployment of vRA.

Create a DNS record for vRA.

Enter the license key and IP address information.

Review the Summary and click Submit.

The installation starts and you see all your VMs (vRLCM, vIDM & vRA) in your target vCenter.

It takes a while to install all components. Take a good long break here. 😊

Mine showed up an error at the end.

“vRealize Automation deployment has failed.  Check vRSLCM UI for more details.”

I checked the log file at the location mentioned in the error.

Error: 'Failed to create vRA Environment'

By looking at the error in 'Installation Process', we could see that it had installed vRLCM, moved the binaries to vRLCM, installed vIDM and failed at vRA creation. I could also see a vRA VM up and running in vCenter.

Let's log in to vRLCM to find out what went wrong while creating the vRA Environment.

Browse to the vRLCM FQDN and log in with 'admin@local'.

Click ‘Lifecycle Operations’

I could see on the Dashboard that the vRA Env had failed.

Go to ‘Requests’ to check the status.

Click on ‘Failed’ and it will take you to the sub task.

We see that it has failed at ‘Stage2’. Click on the task ID to view more details.

'Failed to set vRA license key' – The license key was incorrect.

Click ‘Retry’, enter the correct key and Submit.

Request shows in progress again.

And Done.

That's it for this post. We have deployed vRLCM along with vRA and vIDM, and did a little troubleshooting too. The next post will cover vRLCM navigation, binaries and a few other configuration options.

Have a great day. I hope that the blog was helpful.


VMware vSphere 7.0 – Step by Step for Newbies (ESXi, vCenter, Distributed Switch, vMotion, VSAN, HA & DRS)

Hello Friends, this article will help you install & configure a VMware vSphere 7.0 environment and test features like vMotion, HA & DRS. Like my other posts, this post too will focus on practice instead of theory. Detailed VMware official information can be found here.

VMware vSphere 7.0 – ESXi Installation Guide
VMware vSphere 7.0 – vCenter Installation Guide

With that, let's get started.

Since it's a base vSphere setup, I took pictures of it while doing the configuration and converted them into a video. There is no explanation in this video. I have marked my comments in the pictures wherever necessary.

These videos are for newbies who have just started learning VMware, have little understanding of the VMware vSphere product and want to see the configuration in the GUI. I highly recommend checking the VMware documentation side by side. The video is divided into multiple parts due to the restriction on the number of images. I will be happy to answer your questions. You can change the speed of the video so that it plays faster, and change the resolution to 720p for better image quality. Please leave your questions in the comments section at the end of this blog.

I have configured the environment on one single physical ESXi server. The entire setup is nested. Let me explain the setup.

The physical ESXi has the following VMs.

Domain Controller – For Authentication
JumpBox – To access the nested environment.
VyOS1 – Virtual router which acts as a TOR.
VyOS2 – 2nd TOR.

The exact setup can be created on VMware Workstation too without using a TOR. You will have to keep the same network for all portgroups. Check my previous blog for the physical ESXi and TOR setup.

https://virtualrove.com/2020/04/30/vyos-virtual-router/

Here is the sequence of the setup which is explained in the video.

Create 4 new ESXi hosts (as a VM on physical host).
Install & Configure ESXi 7.0 hypervisor.
Connect to 1st ESXi from JumpBox and configure necessary settings.
Convert HDD of 1st ESXi to SSD for 1 node VSAN configuration (this is for initial setup only).
Download and Deploy vCenter 7.0 on 1st ESXi host.
Connect to vCenter and rename the Datacenter and Cluster.
Add remaining 3 ESXi hosts to the cluster.
Create new VDS and add all 4 hosts to it. Delete standard switch.
Create vMotion and VSAN VMkernel (vmk) ports.
Configure VSAN.
Test vMotion.
Enable HA and DRS on the cluster.
The End

VMware vSphere 7.0 Step by Step – Part 1

VMware vSphere 7.0 Step by Step – Part 2

VMware vSphere 7.0 Step by Step – Part 3

VMware vSphere 7.0 Step by Step – Part 4

VMware vSphere 7.0 Step by Step – Part 5

VMware vSphere 7.0 Step by Step – Part 6

VMware vSphere 7.0 Step by Step – Part 7

VMware vSphere 7.0 Step by Step – Part 8

VMware vSphere 7.0 Step by Step – Part 9

That's it for this post. I hope that all the videos are informative. Do leave a comment if you have any questions.


NSX-T 3.0 – Active Directory Integration

While working on NSX-T, you will want to add multiple users from Active Directory to manage your NSX-T environment. You can integrate up to 3 identity sources into your NSX-T env. Optionally, you can add VMware Identity Manager to authenticate users. In this post, we will cover AD integration with NSX-T.

I have created the 'NSX_ADMINS' security group in the Users OU of my Active Directory and added a few users to it.

Next, select 'Users' > View > select Advanced Features to get the additional attributes of the 'Users' OU.

Right-click on the 'Users' OU > Properties > Attribute Editor tab.

View & copy the 'distinguishedName' value.

We need this value while configuring Identity Source in NSX-T.

Next, log into the NSX-T Manager VIP with the 'admin' account.

Navigate to System > Users & Roles > LDAP & click on 'ADD IDENTITY SOURCES'.

Name: DTAGLAB
Domain Name: dtaglab.local
Type: Active Directory over LDAP.
Base DN: Paste the value that you copied earlier.
LDAP Server: Click on 'SET'

Note: 'SET' will only populate when you have filled in all the information.

Click ADD LDAP SERVER

Hostname: dc.dtaglab.local
Protocol: LDAP
Port: Leave it at default.

Click on ‘Check Status’

It failed because we did not provide the username.

Note: Even though 'Bind Identity' & 'Password' do not show the mandatory asterisk, they are mandatory for LDAP.

Provide the correct credentials and you should be good to go.

Click ADD

Apply.

Verify that 'LDAP SERVERS' shows '1' and click on SAVE.

Click on ‘Check Status’ in Connection Type to verify.

We have added an identity source in NSX-T.
Next, we move on to adding users / groups from the 'Users' OU.

Click on ‘Users’

A message appears: 'Checking Authentication providers connection status'. Wait for some time until the message clears. Then click on ADD.

Note: ‘Role Assignment for LDAP’ does not show up until the above message clears.

Select your domain and type nsx in the next box. The AD group will auto-populate. Click on Roles and select 'Enterprise Admin' & SAVE.

We have added the 'NSX_ADMINS' group to the 'Enterprise Admin' role. Any user added to this group now gets full permissions to the NSX-T env.

Log out and log back in with a user in the 'NSX_ADMINS' group and you should be good to go.

Additionally, NSX-T has 11 built-in roles already added. Each role has different permissions.

You can expand each role to check what permissions it has.

That’s it for this post. Thank you for reading. 😊


NSX-T 3.0 Series: Part10-Testing NSX-T Environment

Hello Friends, we have completed all 9 parts, and by now you should have your entire NSX-T 3.0 env up and running. This post will specifically focus on testing the env that we have deployed in this series.

NSX-T 3.0 Series: Part1-NSX-T Manager Installation
NSX-T 3.0 Series: Part2-Add additional NSX-T Manager & Configure VIP
NSX-T 3.0 Series: Part3-Add a Compute Manager (vCenter Server)
NSX-T 3.0 Series: Part4-Create Transport Zones & Uplink Profiles
NSX-T 3.0 Series: Part5-Configure NSX on Host Transport Nodes
NSX-T 3.0 Series: Part6-Deploy Edge Transport Nodes & Create Edge Clusters
NSX-T 3.0 Series: Part7-Add a Tier-0 gateway and configure BGP routing
NSX-T 3.0 Series: Part8-Add a Tier-1 gateway
NSX-T 3.0 Series: Part9-Create Segments & attach to T1 gateway
NSX-T 3.0 Series: Part10-Testing NSX-T Environment

This is how our logical topology looks after the deployment.

All topologies in the NSX-T env can be found in the NSX Manager UI.

Log into NSX Manager VIP >Networking >Networking Topology

You can filter to check a specific object; here I have filtered it for the HR segment.
Export it to have a closer look.

Let's verify north-south routing in the environment. We need to verify that the HR segment network shows as a BGP-learned route from 172.27.11.10 & 172.27.12.10 on the respective TOR (VyOS) switches.

VyOS1

The '10.10.70.0' network is learned from '172.27.11.10', which is our Edge uplink1.

VyOS2

The '10.10.70.0' network is learned from '172.27.12.10', which is our Edge uplink2.

All good. We see the network on our TOR, which means our routing is working perfectly fine. Now, any network that gets added to the NSX-T env will show up on the TOR and should be reachable from the TOR. Let's check the connectivity from the TOR.

Voila, we are able to ping the gateway of the HR segment from both TORs. End-to-end (North-South) routing is working as expected.

If you don't see the newly created HR segment network on the TOR, then you have to check whether the route reaches your Tier-0 router.

Log into edge03.dtaglab.local via PuTTY.

Enable SSH from the console if you are not able to connect.

‘get logical-router’

We need to connect to the Service Router of Tier-0 to check further details. Note that the VRF ID for the Tier-0 Service Router is '1'.

‘vrf 1’

‘get route’

We see the '10.10.70.0/24' network as t1c (Tier-1 Connected). That means the route reaches the Edge. If it does not, you know what to troubleshoot.

Next, if the route is on the Edge and not on the TOR, then you need to check the BGP neighborship.

‘get bgp neighbor’

I see BGP state = Established for both BGP neighbors (172.27.11.1 & 172.27.12.1). If not, then you need to recheck your BGP neighbor settings in NSX Manager. Use the 'traceroute' command from the VRFs and the edge to trace the packet.
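The two checks above (the segment prefix present as t1c on the Tier-0 SR, and both TOR neighbors Established) automated as an added example that is not part of the original post. The two text blocks are constructed samples in the style of the edge CLI output the post inspects; the parser only relies on the leading route flag and prefix of each 'get route' line and on the 'BGP neighbor ...' / 'BGP state = ...' lines, and the second neighbor is deliberately shown in 'Active' so the failure path is exercised.

```python
"""Automate the Tier-0 SR checks from the post: segment route is t1c, TOR peers are Established.

Added example, not part of the original post. SAMPLE_GET_ROUTE and
SAMPLE_GET_BGP_NEIGHBOR are constructed samples in the style of the edge CLI
('get route' inside 'vrf 1', and 'get bgp neighbor'); only the leading flag code
with its prefix, and the neighbor/state lines, are parsed.
"""
import re

SAMPLE_GET_ROUTE = """\
Flags: t0c - Tier0-Connected, t0s - Tier0-Static, b - BGP, t1c - Tier1-Connected, isr - Inter-SR, > - selected route, * - FIB route

b  > * 0.0.0.0/0 [20/0] via 172.27.11.1, uplink-277, 00:12:31
b  > * 0.0.0.0/0 [20/0] via 172.27.12.1, uplink-278, 00:12:31
t0c> * 172.27.11.0/24 is directly connected, uplink-277, 00:20:05
t0c> * 172.27.12.0/24 is directly connected, uplink-278, 00:20:05
isr> * 169.254.0.0/25 is directly connected, inter-sr-279, 00:20:05
t1c> * 10.10.70.0/24 [3/0] via 100.64.0.1, downlink-281, 00:05:10
"""

SAMPLE_GET_BGP_NEIGHBOR = """\
BGP neighbor is 172.27.11.1, remote AS 65001, local AS 65004, external link
  BGP state = Established, up for 00:12:31
BGP neighbor is 172.27.12.1, remote AS 65001, local AS 65004, external link
  BGP state = Active
"""

# flag code, optional '>' (selected) and '*' (in FIB), then the prefix
ROUTE_RE = re.compile(r"^(\w+)\s*>?\s*\*?\s*(\d+\.\d+\.\d+\.\d+/\d+)")
NEIGHBOR_RE = re.compile(r"BGP neighbor(?: is)?:?\s+(\d+\.\d+\.\d+\.\d+)")
STATE_RE = re.compile(r"BGP state\s*[=:]\s*(\w+)", re.IGNORECASE)


def parse_routes(text):
    """Map prefix -> set of flag codes it was seen with (a prefix can appear under several codes)."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.setdefault(m.group(2), set()).add(m.group(1))
    return routes


def parse_bgp_neighbors(text):
    """Map neighbor IP -> BGP state string ('unknown' if no state line followed the header)."""
    states, current = {}, None
    for line in text.splitlines():
        m = NEIGHBOR_RE.search(line)
        if m:
            current = m.group(1)
            states[current] = "unknown"
            continue
        m = STATE_RE.search(line)
        if m and current:
            states[current] = m.group(1)
    return states


def check_north_south(route_text, neighbor_text, segment_prefix, expected_neighbors):
    """Return a list of findings; an empty list means the segment is on the T0 SR and all TOR peers are up."""
    findings = []
    codes = parse_routes(route_text).get(segment_prefix, set())
    if not codes:
        findings.append(f"{segment_prefix} is not in the Tier-0 SR routing table: "
                        "check the Tier-1 route advertisement")
    elif "t1c" not in codes:
        findings.append(f"{segment_prefix} is present but not as t1c (seen as {sorted(codes)})")
    states = parse_bgp_neighbors(neighbor_text)
    for peer in expected_neighbors:
        state = states.get(peer)
        if state is None:
            findings.append(f"BGP neighbor {peer} is not configured on this edge")
        elif state != "Established":
            findings.append(f"BGP neighbor {peer} is {state}, not Established: recheck neighbor settings")
    return findings


if __name__ == "__main__":
    for f in check_north_south(SAMPLE_GET_ROUTE, SAMPLE_GET_BGP_NEIGHBOR,
                               "10.10.70.0/24", ["172.27.11.1", "172.27.12.1"]):
        print("FINDING:", f)
```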

That’s it for this series. I hope you enjoyed reading blogs from this series.

Happy Learning. 😊


NSX-T 3.0 Series: Part9-Create Segments & attach to T1 gateway

In Part 9, we move on to creating Segments (also known as logical switches in NSX-V).

Let me highlight the logical switches / segments in the diagram from my earlier post.

App, Web & DB are segments in this diagram, and can have any network that you define while creating the segment. (.1) will be the gateway IP address for all VMs that get attached to these segments respectively. Each segment is a layer 2 domain, since traffic has to cross the router to reach a different network. Let's have a look at the types of Segments.

VLAN Backed Segments: In this type, you define a VLAN ID for the segment; however, you also have to make sure that the same VLAN exists on your physical infrastructure too.

Overlay Backed Segments: This type of segment can be configured without any configuration on the physical infrastructure. It gets attached to the Overlay Transport Zone and traffic is carried by a tunnel between the hosts.

We will create an Overlay Backed Segment.

Log into the NSX-T Manager VIP and navigate to Networking > Segments > Segments > ADD SEGMENT

Name: HR
Connectivity: Connect it to the Tier-1 Gateway that you created in the earlier step.
Transport Zone: Select 'Horizon-OverlayTZ'
Subnet: '10.10.70.2/24'. You need to discuss this with your network admin beforehand.

Leave all other parameters at default for now.

Click Save.

Likewise, you can create the App, Web & DB segments and connect them to the Tier-1 router. Attach VMs to the respective segments and they should be able to ping each other.

For example,
VM1 with an IP address 172.16.11.10/24 and gateway 172.16.11.1 – Connect it to App Segment.
VM2 with an IP address 172.16.12.10/24 and gateway 172.16.12.1 – Connect it to Web Segment.

Both of them should be able to ping each other. Here, we achieve East-West routing: routing takes place at the Tier-1 router without going North. Check the topology after creating those 3 segments.

That's it. We have created a new network for our VMs to connect to.


NSX-T 3.0 Series: Part8-Add a Tier-1 gateway

In this post, we will add a Tier-1 Gateway for our Segments (Logical Switches) to connect to.

Tier-1 Gateway:

It's a gateway that connects to the Tier-0 router via its uplink and to our segments through downlinks. You can define which routes are advertised from the Tier-1 Gateway. Check my previous blog for the Tier-1 gateway topology.

Log into the NSX-T Manager VIP and navigate to Networking > Tier-1 Gateways > ADD TIER-1 GATEWAY

Name: Give an appropriate name.
Linked Tier-0 Gateway: Select the Tier-0 Gateway that we created in the earlier post.
Edge Cluster: Select the associated cluster.

Scroll down to Route and make sure that all routes are selected.

Leave the rest of the options at default & click on Save.

That’s it. Short and Simple. 😊


NSX-T 3.0 Series: Part7-Add a Tier-0 gateway and configure BGP routing

We have completed 6 parts of this series. Check my earlier posts before moving on to the Tier-0 & Tier-1 gateways.

Tier-0 Gateway:

This gateway is used to process traffic between logical segments and the physical network (TOR) using a routing protocol or static routes. Here is the logical topology of the Tier-0 & Tier-1 routers.

Tier-0 & Tier-1 are logical routers, and each logical router has a Service Router (SR) & a Distributed Router (DR). The Service Router is required for the services which cannot be distributed, such as NAT, BGP, LB and firewall; it is a service on the Edge Node. The DR, on the other hand, runs as a kernel module in all hypervisors (also known as transport nodes) and provides east-west routing.

With that, let's get started creating the Tier-0 router.

While creating the Tier-0 gateway, we will configure uplink interfaces to the TOR to form a BGP neighborship. To connect your uplink to the TOR, we need VLAN-based logical switches in place. You must connect a Tier-0 router to a VLAN-based logical switch. The VLAN ID of the logical switch and of the TOR port for the Edge uplink must match. Here is the topology.

All components except the TOR will be in the same VLAN Transport Zone.

Log into the NSX-T Manager VIP and navigate to Networking > Segments > Segments > ADD SEGMENT

Segment Name: Give an appropriate name.
Transport Zone: ‘Horizon-Edge-VLAN-TZ’

VLAN ID: 2711

Follow the same process to create one more segment for VLAN ID 2712.

We now move to creating Tier-0 Gateway.

Log into the NSX-T Manager VIP and navigate to Networking > Tier-0 Gateways > ADD GATEWAY > Tier-0

Tier-0 Gateway Name: Horizon
HA Mode: Active-Active (default mode).

In Active-Active mode, traffic is load balanced across all members, whereas 'Active-Standby' elects an active member for traffic flow. NAT, Load Balancing, Firewall & VPN are only supported in 'Active-Standby' mode.

Edge Cluster: ‘HorizonEdgeClust’

Scroll down to configure additional settings.
Click on 'SET' under 'Interfaces'.

Add Interface

Name: Give an appropriate name.
Type: External
IP Address: 172.27.11.10/24
Connected To: Select the segment for VLAN ID 2711
Edge Node: Edge03 (since each edge will have a different uplink)
MTU: 9000

Leave the other parameters at default. Click on Save.

Follow the same process to add a 2nd uplink interface (172.27.12.10/24) for VLAN 2712.

The status of both interfaces will show as 'Uninitialized' for a few seconds. Click Refresh and it should show 'SUCCESS'.

These two IP addresses will be configured on our TOR (VyOS) as BGP neighbors.

Move to the BGP section of the Tier-0 Gateway to configure it further.

Local AS: 65004
InterSR iBGP: Enable (an iBGP peering gets established between both SRs, using the 169.254.0.0/25 subnet managed by NSX).
ECMP: Enabled
Graceful Restart: Graceful Restart & Helper.
By default, the Graceful Restart mode is set to Helper Only. Helper mode is useful for eliminating and/or reducing the disruption of traffic associated with routes learned from a neighbor capable of Graceful Restart. The neighbor must be able to preserve its forwarding table while it undergoes a restart.

BGP Neighbor: Click on Set.
IP Address: 172.27.11.1 (we have configured this as an interface IP on the TOR (VyOS))
Remote AS: 65001 (configured on the TOR)
Source IP: 172.27.11.10 (uplink IP)

Follow the same process for IP address '172.27.12.1'.

Both neighbors will show status 'Down' until you configure BGP on your TOR.
I ran the following commands on my TORs to form the neighborship.

VyOS1

set protocols bgp 65001 neighbor 172.27.11.10 update-source eth4
set protocols bgp 65001 neighbor 172.27.11.10 remote-as '65004'

VyOS2

set protocols bgp 65001 neighbor 172.27.12.10 update-source eth0
set protocols bgp 65001 neighbor 172.27.12.10 remote-as '65004'

Click Refresh and it should show 'Success'.
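A consistency check for the Tier-0 uplink and BGP neighbor values entered above, plus the matching VyOS commands, as an added example that is not part of the original post. It reuses the post's addressing (uplinks 172.27.11.10/24 and 172.27.12.10/24 on VLANs 2711/2712, TOR neighbors 172.27.11.1 and 172.27.12.1, local AS 65004, remote AS 65001, inter-SR subnet 169.254.0.0/25) and the TOR interface names eth4/eth0 the post used; the name of the second edge node (Edge04) is assumed, since the post only names Edge03.

```python
"""Sanity-check a Tier-0 BGP design before saving it in NSX Manager, and render the TOR-side VyOS commands.

Added example, not part of the original post. Values are taken from the post
except the second edge node name, which is assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Uplink:
    name: str
    ip: str            # address with prefix length, e.g. "172.27.11.10/24"
    vlan: int
    edge_node: str


@dataclass
class Neighbor:
    ip: str            # TOR interface address, e.g. "172.27.11.1"
    remote_as: int
    source_ip: str     # must be one of the uplink addresses
    tor_name: str
    tor_iface: str     # interface on the TOR facing the edge uplink


@dataclass
class Tier0Bgp:
    local_as: int
    uplinks: list
    neighbors: list
    inter_sr_subnet: str = "169.254.0.0/25"


def validate(cfg: Tier0Bgp) -> list:
    """Return human-readable problems; an empty list means the design is consistent."""
    problems = []
    uplinks = {}
    for u in cfg.uplinks:
        iface = ipaddress.ip_interface(u.ip)
        uplinks[str(iface.ip)] = (u, iface)
    inter_sr = ipaddress.ip_network(cfg.inter_sr_subnet)
    seen_vlans = set()
    for u, iface in uplinks.values():
        # Each uplink needs its own VLAN, and must stay clear of the NSX-managed inter-SR range.
        if u.vlan in seen_vlans:
            problems.append(f"uplink {u.name}: VLAN {u.vlan} is used by more than one uplink")
        seen_vlans.add(u.vlan)
        if iface.network.overlaps(inter_sr):
            problems.append(f"uplink {u.name}: {iface.network} overlaps inter-SR subnet {inter_sr}")
    for n in cfg.neighbors:
        # TOR peering in the post is eBGP: remote AS must differ from the local AS.
        if n.remote_as == cfg.local_as:
            problems.append(f"neighbor {n.ip}: remote AS equals local AS {cfg.local_as}; TOR peering is expected to be eBGP")
        src = uplinks.get(n.source_ip)
        if src is None:
            problems.append(f"neighbor {n.ip}: source IP {n.source_ip} is not a configured uplink")
            continue
        # The TOR address must sit in the same subnet as the uplink it is sourced from.
        if ipaddress.ip_address(n.ip) not in src[1].network:
            problems.append(f"neighbor {n.ip}: not in uplink subnet {src[1].network} of source {n.source_ip}")
    return problems


def vyos_commands(cfg: Tier0Bgp) -> dict:
    """Render per-TOR VyOS 'set' commands mirroring the NSX-T neighbor settings (TOR name -> lines)."""
    out = {}
    for n in cfg.neighbors:
        lines = out.setdefault(n.tor_name, [])
        lines.append(f"set protocols bgp {n.remote_as} neighbor {n.source_ip} update-source {n.tor_iface}")
        lines.append(f"set protocols bgp {n.remote_as} neighbor {n.source_ip} remote-as '{cfg.local_as}'")
    return out


# Values from the post; "Horizon" is the Tier-0 name used there.
HORIZON_T0 = Tier0Bgp(
    local_as=65004,
    uplinks=[
        Uplink("uplink1", "172.27.11.10/24", 2711, "Edge03"),
        Uplink("uplink2", "172.27.12.10/24", 2712, "Edge04"),  # second edge node name assumed
    ],
    neighbors=[
        Neighbor("172.27.11.1", 65001, "172.27.11.10", "VyOS1", "eth4"),
        Neighbor("172.27.12.1", 65001, "172.27.12.10", "VyOS2", "eth0"),
    ],
)

if __name__ == "__main__":
    for p in validate(HORIZON_T0):
        print("PROBLEM:", p)
    for tor, lines in vyos_commands(HORIZON_T0).items():
        print(tor)
        for line in lines:
            print("  " + line)
```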

We have successfully deployed a Tier-0 Gateway, and BGP has been established with the TOR.

That’s it for this post. I hope you enjoyed reading. Comments are Welcome. 😊
