VCP6-NV Study Notes-Section 6: Configure and Manage NSX Network Services – Part 2
Configure and Manage DHCP/DNS/NAT
Understand proper use and addition of a DHCP IP Pool
NSX Edge supports IP address pooling and one-to-one static IP address allocation. Static IP address binding is based on the vCenter managed object ID and interface ID of the requesting client.
NSX Edge DHCP service adheres to the following guidelines:
- Listens on the NSX Edge internal interface for DHCP discovery.
- Uses the IP address of the internal interface on NSX Edge as the default gateway address for all clients (except for non-directly connected pools), and the broadcast and subnet mask values of the internal interface for the container network.
It must be restored in the following situations:
- change or deletion of DHCP pool, default GW or DNS
- change of the internal IP address of NSX Edge
DHCP service requires a pool of IP addresses. An IP pool is a sequential range of IP addresses within the network. Virtual machines protected by NSX Edge that do not have an address binding are allocated an IP address from this pool. An IP pool’s range cannot intersect one another, thus one IP address can belong to only one IP pool.
Add a DHCP IP pool and enable DHCP service
Add IP pool:
- Click Networking & Security and then click NSX Edges.
- Click the Manage tab and then click the DHCP tab.
- Click the Add
- Configure the pool with the following options:
- Auto configure DNS
- Lease never expires
- Start IP
- End IP
- Domain name
- Primary name Server
- Secondary name Server
- Default gw
- Subnet mask
- Lease time
- Click OK
Enable DHCP Service:
- Click Networking & Security and then click NSX Edges.
- Click the Manage tab and then click the DHCP tab.
- Click Enable
- Select Enable logging if required and select the log level
- Click Publish Changes
Not it’s possible to bind an IP address to the MAX address of a VM. Follow the guide here: https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.2/com.vmware.nsx.admin.doc/GUID-D562CD33-C368-4BB0-876B-2542CCB22535.html
Describe use and proper implementation of DNS services
It is possible configure external DNS servers to which NSX Edge can relay name resolution requests from clients. NSX Edge will relay client application requests to the DNS servers to fully resolve a network name and cache the response from the servers.
Simply click the Manage tab and then click the Settings tab, then in the DNS Configuration panel, click Change. Click Enable DNS Service to enable the DNS service and type IP addresses for both DNS servers (Change the default cache size if required).
Describe when and how to configure Source NAT and Destination NAT
NSX Edge provides network address translation (NAT) service to assign a public address to a computer or group of computers in a private network. This limits the number of public IP addresses that an organization or company must use. You must configure NAT rules to provide access to services running on privately addressed virtual machines:
- SNAT to change the source IP address from a public to private IP address or the reverse
- The translated (or public) IP address must been added to the Edge interface.
- Procedure:
- Click the Manage tab and then click the NAT tab.
- Click the Add icon and select Add SNAT Rule.
- Select the interface on which to add the rule (SNAT rules are not supported on sub-interfaces).
- Type the original source IP address in one of the following formats:
- ip address
- ip adress range
- IP address subnet
- any
- Type the translated (public) source IP address in one of the following formats:
- ip address
- ip adress range
- IP address subnet
- any
- Select Enabled to enable the rule.
- Click Enable logging to log the address translation.
- Click OK to add the rule and click Publish Changes.
- DNAT to change the destination IP address from a public to private IP address or the reverse.
- The original (public) IP address must have been added to the NSX Edge interface on which you want to add the rule
- Procedure
- Click the Manage tab and then click the NAT tab.
- Click the Add icon and select Add DNAT Rule.
- Select the interface on which to apply the DNAT rule.
- Type the original (public) IP address in one of the following formats:
- ip address
- ip adress range
- IP address subnet
- any
- Type the protocol.
- Type the original port or port range. (port number, port range, any)
- Type the translated IP address in one of the following formats
- ip address
- ip adress range
- IP address subnet
- any
- Type the translated port or port range. (port number, port range, any)
- Select Enabled and enable the rule
- Select Enable logging to log the address translation.
- Click OK to add the rule and click Publish Changes.
Objective 6.4: Configure and Manage Edge Services High Availability
NSX Edge replicates the configuration of the primary appliance for the standby appliance and ensures that the two HA NSX Edge virtual machines are not on the same ESX host even after you use DRS and vMotion. Two virtual machines are deployed on vCenter in the same resource pool and datastore as the appliance you configured. Local link IPs are assigned to HA virtual machines in the NSX Edge HA so that they can communicate with each other. You can specify management IP addresses to override the local links.
Stateful HA:
All NSX Edge services run on the active appliance. The primary appliance maintains a heartbeat with the standby appliance and sends service updates through an internal interface.
If a heartbeat is not received from the primary appliance within the specified time (default value is 15 seconds), the primary appliance is declared dead. The standby appliance moves to the active state, takes over the interface configuration of the primary appliance, and starts the NSX Edge services that were running on the primary appliance. When the switch over takes place, a system event is displayed in the System Events tab of Settings & Reports. Load Balancer and VPN services need to re-establish TCP connection with NSX Edge, so service is disrupted for a short while. Logical switch connections and firewall sessions are synched between the primary and standby appliances, so there is no service disruption during switch over.
If the NSX Edge appliance fails and a bad state is reported, HA force syncs the failed appliance in order to revive it. When revived, it takes on the configuration of the now-active appliance and stays in a standby state. If the NSX Edge appliance is dead, you must delete the appliance and add a new one.
NSX Edge ensures that the two HA NSX Edge virtual machines are not on the same ESX host even after you use DRS and vMotion (unless you manually vMotion them to the same host).
vSphere HA
NSX Edge HA is compatible with vSphere HA. If the host on which a NSX Edge instance is running dies, the NSX Edge is restarted on the standby host thereby ensuring the NSX Edge HA pair is still available to take another failover.
Procedure
In order to enable HA during Edge creation:
- Select the internal interface for which to configure HA parameters. If you select ANY for interface but there are no internal interfaces configured, the UI does not display an error. Two Edge appliances are created but since there is no internal interface configured, the new Edge remains in standby and HA is disabled. Once an internal interface is configured, HA will get enabled on the Edge appliance.
- (Optional) Type the period in seconds within which, if the backup appliance does not receive a heartbeat signal from the primary appliance, the primary appliance is considered inactive and the back up appliance takes over. The default interval is 15 seconds.
- (Optional) Type two management IP addresses in CIDR format to override the local link IPs assigned to the HA virtual machines. Ensure that the management IP addresses do not overlap with the IPs used for any other interface and do not interfere with traffic routing. You should not use an IP that exists somewhere else on your network, even if that network is not directly attached to the NSX Edge.
Source: http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_6_install.pdf
Source: http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_6_admin.pdf
Configure Equal-Cost Multi-Path Routing (ECMP)
ECMP is a routing strategy that allows next-hop packet forwarding to a single destination can occur over multiple best paths. These best paths can be added statically or as a result of metric calculations by dynamic routing protocols like OSPF or BGP. Multiple paths for static routes can be added by providing multiple next hops separated by commas in the Static Routes dialog box
The Edge Services Gateway utilizes Linux network stack implementation, a round-robin algorithm with a randomness component. After a next hop is selected for a particular source and destination IP address pair, the route cache stores the selected next hop. All packets for that flow go to the selected next hop. The default IPv4 route cache timeout is 300 seconds (gc_timeout). If an entry is inactive for this time, it is eligible to be removed from the route cache. The actual removal happens when garbage collection timer activates (gc_interval = 60 seconds).
To change Equal-cost multi-path routing (ECMP) configuration click Edit next to Routing then click Enable or Disable next to ECMP.
Source: https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.2/nsx_62_admin.pdf