The document provides instructions for deploying the NSX Manager virtual appliance, which is the first step in enabling network virtualization in a vSphere environment. It lists prerequisites that must be satisfied before deployment, such as having an IP address and portgroup configured for the NSX Manager. It also describes filling out a table with deployment details. Finally, it discusses the next steps of replacing the default self-signed certificate with a signed certificate obtained from an internal certificate authority using either a certificate signing request or importing a PKCS#12 certificate bundle.
1. Deploying the NSX Manager virtual appliance
The deployment of NSX requires a lot of things to be in place for a successful
deployment of NSX and below I will list the most important things for a smooth and
successful deployment of NSX.
NSX, VMWARE VERSION OF SDN/ Software-Defined Data
Center (SDDC)
VMware NSXfor vSphere isa core componentof the VMware Software-DefinedData
Center(SDDC);itisthe componentthatenablesnetworkvirtualization.Network
virtualization provides alayerof abstractionoverthe physical networkusingaVXLAN network
overlay.WithNSX,networkoperationsare now independentof the physical hardware,and
functionssuchas logical firewalls,loadbalancers,logical routers,logical switches,andvirtual
private networkscanbe provisioned,modified,ortorndownas part of an automatedworkflow.
Choosing the right VMware NSX for vSphere edition
VMware NSX has four licensing editions: standard, advanced, enterprise, and remote
office/branch offices (ROBO). Each licensing tier provides distinctive functionality, available
per CPU socket on a perpetual basis at the vSphere cluster level.
The standard and advanced editions are also available as per 100 users in a pack basis to
align with virtual desktop deployments (vSphere for desktop). The enterprise edition
is also available on per-VM term basis. You can upgrade from standard to
advanced/enterprise and from advanced to enterprise.
2. Getting ready
Like vSphere licensing, VMware NSX is licensed per CPU socket. If you have a
separate Management vSphere Cluster that is used for Infrastructure VMs and are not
planning to protect it with the NSX Distributed Firewall or place NSX Edge Service
Gateways onto it, you are not required to license the CPUs on that Management
vSphere Cluster. The Compute vSphere cluster and Edge vSphere cluster need to be
licensed.
How To do It :
From your vSphere inventory you will need to do the following:
1. Determine how many CPU sockets you need
2. Determine the NSX features required
3. If you are planning to integrate third-party partner solutions with NSX
4. Choose the NSX edition based on the features required
VMware NSX editions
The four tiers of licenses are as follows:
1. Standard edition
2. Advanced edition
3. Enterprise edition
4. ROBO
Note : Check on VMware website for all license requirements before deploying.
3. Log Insight into NSX : VMware vRealize Log Insight for NSX
VMware vRealize Log Insight is a log management engine that collects logs from a
number of different sources and provides rich dashboards and search functionality.
Log Insight is available for NSX at no additional charge, you are entitled to one Log
Insight CPU per NSX CPU license. The support and subscription is included with the
NSX purchase. It is a fully functioning version of Log Insight but limited to vSphere and
NSX data sources and content packs only. If you need more data sources and content
packs, additional Log Insight licenses are required.
VMware NSX Monitoring Tools
Selecting ESXi hosts and network adapters
Similar to the requirements of a VMware vSphere solution, choosing the correct hardware is
still an important part of any NSX deployment; therefore, you need to follow the same process
that you did for vSphere to ensure the hardware you are deploying is on the VMware
Compatibility Guide.
The compatibility guide does not only list the supported servers, but you need to also check if
your network interface card (I/O devices) is supported and features such as VXLAN Offload
and Receive Side Scaling are also supported.
VXLAN Offload
VXLAN Offload is akin to TCP segmentation offload (TSO), but compared to TSO, which is
designed for TCP packet headers, VXLAN encapsulates the original (source) packet from a
virtual machine into a user datagram protocol (UDP) packet with its own unique header,
known as the VXLAN header. Placing this additional header onto a packet invalidates
traditional offloading mechanisms in-place and therefore increases load on the CPU as
additional CPU cycles are needed to encapsulate and decapsulate every VXLAN packet.
4. Receive Side Scaling
Receive Side Scaling (RSS) is a technique the Network Interface Card (NIC)
employs to ensure that data processing for a particular connection is balanced across
multiple CPU cores. Without RSS, all connections would be handled by a single CPU
core, which can adversely affect network performance.
FIRST STEP’S Before Deployment
Deploying the NSX Manager virtual appliance is the first step to enabling network
virtualization in your vSphere environment. In this recipe, you will go through the steps
to enable your environment for NSX.
The following diagram depicts the logical process of enabling your environment for
network virtualization, and the first four steps will be covered here :
5.
6. Things Needed Before Deployment :
Before deploying NSX Manager, the following prerequisites need to be satisfied:
Static IP address and portgroup for NSX Manager
Firewall ports open between NSX Manager, vCenter server, and ESXi VMKernel 0
Interface on each host (refer to vmware website for a complete list of ports)
Forward and reverse DNS entries for NSX Manager
NTP server is accessible; minimum of four is recommended for accurate time
Shared datastore for the appliance to be deployed onto
Satisfy minimum requirements for NSX Manager
Fill in the following table before deployment : (Also make sure to include the cli password and cli
privilege password )
7. Afteryouhave gatheredall the neededinfoaslistedabove follow the steps below todeployNSX
Manager.
1. Log into the vSphere Web Client
2. Select Hosts and Clusters, right-click on the target cluster and select Deploy OVF
Template
3. Select Local File and locate the NSX Manager OVA downloaded earlier; click on Next
4. Type in the Name of the virtual appliance and click on Next
5. Select the vSphere cluster and resource where you want to deploy NSX Manager and
select Next
6. Review details, Accept license agreements and click on Next
7. Select the shared datastore of where you want the virtual appliance to be deployment onto
8. Select the VLAN-backed portgroup as defined earlier and click on Next
9. Fill in the template details as highlighted in the preceding table and click on Next
10. Ensure all details are correct and click on Finish:
8. Next Step will be to :
Replacing the NSX Manager certificate
When you first deploy the NSX Manager, it creates a self-signed certificate. Using a self-
signed certificate is generally not a recommended security practice. It is recommended to
deploy a signed certificate from your internal certificate authority. NSX Manager supports two
ways of deploying a signed certificate, which are as follows:
Certificate signing request to a Certificate Authority (CA)
Importing a PKCS#12 certificate archive (bundle) onto the NSX Manager, which includes
the private and public key for NSX Manager and certificate chain of any subordinate CAs in
your environment
Next we will explore how you can create a certificate signing request on NSX Manager and
how to import a PKCS#12 certificate bundle onto the NSX Manager.
Certificate Signing Request
A Certificate Signing Request (CSR) is the first part in a three-step process; this process
involves the following steps:
1. The NSX Manager creating a CSR
2. The CSR is sent as a request to the certificate authority, which then signs the certificate
and sends back a signed certificate
3. Importing the signed certificate into the NSX Manager
The procedure to complete a certificate signing request is as follows:
1. Log into NSX Manager via your web browser
2. Click on Manage Appliance Settings
3. Click on SSL Certificates
9. 4. Click on Generate CSR and follow the prompts as per the following screenshot:
5. Click on OK and select Download CSR
6. Send the CSR file to your security administrator and get the certificate signed
7. With the returned certificate, click on Import so you can import the correct certificate into
the NSX Manager
8. Reboot the NSX Manager to complete the process of importing a signed certificate into the
NSX Manager
10. Using a PKCS#12 certificate
Importing PKCS#12 into the NSX Manager is used when the certificate signing was
not completed using the CSR method outlined in the previous recipe. The PKCS#12
format is typically used in scripted installations of NSX Manager and other
components. If a CSR was not generated by the NSX Manager itself, it is required that
the PKCS#12 archive is imported into NSX Manager.
The PKCS#12 archive generally consists of the following:
A signed server certificate
A private key for the signed certificate
Root and intermediate certificate authority public keys
The PKCS#12 is also password-protected, so it's important to have the password
before attempting to import the PKCS#12 archive into NSX Manager.
In some cases, the received signed certificate may not be in the PCKS#12 format. In
this event, you must convert the certificates into the PKCS#12 format for import into
the NSX Manager. This can be achieved using openSSL (https://www.openssl.org/),
and the command to achieve this is as follows:
openssl pkcs12-export-outserver.p12-inkeyserver.key -inserver.crt-certfile CACert.crt
11. The procedure to import the PCKS#12 archive is as follows:
1. Log into the NSX Manager via your web browser
2. Click on Manage Appliance Settings
3. Click on SSL Certificates
4. Click on Upload PCKS#12Keystore and browse to the file
5. Enter the password for archive and click on Import
6. Reboot the NSX Manager to complete the process of importing the signed certificate
Until NextTime…………………………………