When NSX was released I really wanted to set this up in my lab and get a closer look at the features. Once you deploy the NSX Manager appliance you will see an additional section in the web client called “Networking and Security”. From here you will be able to deploy small edge VMs onto the ESXi hosts. Edge VMs are like add-ons to ESXi/vCenter, and they offer a lot more networking functionality.
Here is a screenshot of some of the edge settings (Firewall/DHCP/NAT/Routing/Load Balancer/VPN/SSL VPN).
The only way to understand it is to dive in and set it up yourself. I managed to set up this whole NSX lab on one 250GB SSD drive running on an i5 desktop with 16 GB of memory running in VMware Workstation. I had to adjust the CPU/memory on a few VMs as I was running out of memory; 32GB would be ideal.
Here is a quick overview how the whole config works.
-Going from the bottom to the top in the big diagram below
-Two ESXi hosts connected to vCenter using distributed switches
-Two logical switches were created in the web client, one with segment 5000 for CustA and one with segment 5001 for CustB (segments are like VLANs)
-Every VM for CustA is connected to a distributed switch called CustA-LS
-Every VM for CustB is connected to a distributed switch called CustB-LS
-The default gateway for customer A VMs is the IP address of the Edge device. So basically all the traffic that needs to leave a VM goes through the CustA Edge device.
-The edge device for customer A has a few services running: Firewall/NAT/DHCP. There are many more you can configure, like load balancing, etc.
-When the customer A VM tries to reach the outside world it sends the traffic to the edge VM IP, as this is its default gateway. There is an SNAT rule configured on the edge device that receives traffic from customer A VM 188.8.131.52. The SNAT rule translates any IP coming from the 184.108.40.206/24 network to 192.168.11.10, which puts it on the same network as my router, and the traffic is able to leave because the edge device’s default gateway is my router.
My NSX LAB Overview
To get started you need to do the following:
1. At this point you should have a DC/vCenter/2 ESXi hosts up and running.
2. Next download and deploy the NSX Manager 6.2 appliance,
VMware-NSX-Manager-6.2.2-3604087.ova. Follow the wizard, nothing complicated here. Look at the console for details on how to connect to it through a browser; the default user is Admin and the password is the one you set up.
3. Register NSX Manager with vCenter: on the NSX Manager console log in, click on “Manage vCenter Registrations” and fill in the details, the lookup service URL https://192.168.11.120:7444/lookupservice/sdk with email@example.com, and the vCenter credentials.
4. Log into vCenter with the web client and you should see a “Networking and Security” section.
5. Click on Networking and Security > Installation and deploy the NSX Edge devices. There should be 3 for redundancy, but for this lab I deployed 2.
6. Next you need to configure VXLAN, segments and edge devices (see below), but at this point you should have NSX ready for configuration.
Configuring NSX and deploying EDGE gateway devices
1. On each ESXi host create a VMkernel port of type VXLAN and give it a unique IP on the same subnet; my first host has 172.2.2 as the VXLAN IP. This is the main VXLAN that spans across the ESXi hosts and encapsulates the customer segments (VLANs) 5000 and 5001. See the main diagram above for reference.
2. Here is a screenshot of the ports, one VMkernel for management and one VXLAN.
3. NSX Controller nodes. You should have a minimum of 3 nodes. I only deployed 1 due to resource constraints but it worked great just to test this out.
4. Health-check page to see if your VXLAN is configured and that the NSX components are installed correctly on the ESXi hosts.
5. Logical Network configuration
6. I configured the segment IDs to run from 5000 to 6000. They are similar to VLANs. Later on I assigned segment 5000 to customer A and 5001 to customer B to keep them isolated from each other.
7. Configure a Global Transport Zone; I chose Unicast for my lab.
8. Add two logical switches and specify which segment ID they will be using. I created one called CustA-LS and one called CustB-LS.
9. Deploy the edge devices to the ESXi. They are small VM’s that run on each ESXi host.
10. Configure the edge device interfaces. I have one external interface, 192.168.11.10, which connects to my home network, and another internal interface, 220.127.116.11, which is behind the edge device. See the main chart for reference.
11. My external edge interface details.
12. My internal interface details
13. Configuring the edge devices. I am turning on the firewall service and only allowing certain ports to reach my VMs behind the edge.
14. I am configuring another service on the edge: DHCP. All the CustA VMs behind this edge will receive an IP from the DHCP server running on this edge device.
15. SNAT rule to allow the VMs to get external connectivity. Any IP on the subnet 18.104.22.168/24 will get its IP translated to 192.168.11.10, and that will give it access to my home network.
16. SNAT rule settings
17. Setting up the default gateway for my external interface which is my home router.
18. Testing my setup. The network adapter on VM1 will be set to use the CustA-LS logical switch, and VM2 will be configured to use the CustB-LS logical switch. These are the distributed switches (the logical switches we created above).
19. We can see that the VM picked up a 22.214.171.124 IP from the Edge DHCP server. It is able to ping the Google DNS server 126.96.36.199, so it looks like the SNAT rule is also working correctly. It is translating the 188.8.131.52 IP to the 192.168.11.10 IP, which is able to reach my router and get outside.
20. Here is a screenshot of the Edge device. It is a 1 vCPU / 512 MB VM.
21. Here is the “Damn Small Linux” distro I am using for testing. You can see the network on this VM points to the CustA-LS logical switch.
22. Another screenshot of
23. Another screenshot of the CustA-EdgeVM for reference
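The overview above (default gateway on the edge, SNAT to 192.168.11.10) and steps 13 and 15 (firewall allow-list, SNAT rule) describe one packet path. The following is an added example, not NSX code and not from the post: a small Python model of that path that shows why stateful SNAT lets replies come back to the right VM while unsolicited inbound traffic is dropped unless its port is allowed. The internal range 10.10.10.0/24, the allow-list of ports 22 and 80, and the sample addresses 10.10.10.5 and 203.0.113.9 are constructed for the example; the post's own internal addresses are garbled in extraction, so they are not reused. Delivering an allowed unsolicited packet to a VM would need a DNAT rule, which is not modelled.

```python
"""Toy model of the CustA edge's firewall + SNAT path (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed values: an RFC 1918 range stands in for the CustA segment,
# 192.168.11.10 is the edge external IP from the post, and the inbound
# allow-list is an assumption about "only allowing certain ports".
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")
EDGE_EXTERNAL_IP = "192.168.11.10"
ALLOWED_INBOUND_PORTS = frozenset({22, 80})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Edge:
    """Stateful SNAT plus a simple inbound port allow-list."""

    def __init__(self) -> None:
        # (remote ip, remote port, translated sport) -> (vm ip, vm sport)
        self.conntrack: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """VM -> outside. Only the internal segment gets translated."""
        if ipaddress.ip_address(pkt.src) not in INTERNAL_NET:
            return None  # not a CustA address: drop
        ext_port = self.next_port
        self.next_port += 1
        # Remember the flow so the reply can be mapped back to the VM.
        self.conntrack[(pkt.dst, pkt.dport, ext_port)] = (pkt.src, pkt.sport)
        return Packet(EDGE_EXTERNAL_IP, pkt.dst, ext_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """outside -> edge external IP."""
        if pkt.dst != EDGE_EXTERNAL_IP:
            return None
        flow = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if flow is not None:
            vm_ip, vm_port = flow  # reply to a tracked flow: undo the SNAT
            return Packet(pkt.src, vm_ip, pkt.sport, vm_port)
        if pkt.dport in ALLOWED_INBOUND_PORTS:
            return pkt  # passes the firewall (a DNAT rule would deliver it)
        return None  # unsolicited and not on the allow-list: dropped


def demo() -> dict:
    """One DNS query out and back, plus two unsolicited probes."""
    edge = Edge()
    query = Packet("10.10.10.5", "8.8.8.8", 51515, 53)  # VM -> Google DNS
    out = edge.outbound(query)
    reply = edge.inbound(Packet("8.8.8.8", EDGE_EXTERNAL_IP, 53, out.sport))
    probe_rdp = edge.inbound(Packet("203.0.113.9", EDGE_EXTERNAL_IP, 4444, 3389))
    probe_ssh = edge.inbound(Packet("203.0.113.9", EDGE_EXTERNAL_IP, 4444, 22))
    return {"out": out, "reply": reply, "rdp": probe_rdp, "ssh": probe_ssh}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:6s} {pkt}")
```

Running it shows the outbound query leaving with source 192.168.11.10, the reply landing back on 10.10.10.5:51515, the RDP probe dropped, and the SSH probe passing the allow-list. The conntrack table is what makes the SNAT in step 15 work for replies; the allow-list is the check step 13 turns on.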