Upgrading the virtual network to use NSX is not a heavy or large task. It can be, depending on what you are doing, but the basics are fairly straightforward. These basics are not the wholesale replacement of your existing virtual network. They are not the inclusion of new forms of routing in your virtual environment. They are the addition of NSX on top of what you already have. Once you have NSX in place, then you can dream, plan, and adopt those better ways of managing and creating virtual networks.
Getting started with NSX is fairly simple. Here are the steps I took to get to the point at which I could create my first NSX Edge Service Gateway or firewall.
- You need to install the NSX Manager. That is pretty straightforward as well. You can either import the OVA and fill out a bunch of fields, and voilà, you are done, or you can set up the ~/.ov-defaults file with the following fields and run the OVF/OVA Import script I wrote for importing OVA/OVFs en masse or when the vSphere client will not. If you take the import script approach, your ~/.ov-defaults file needs fields similar to the following:
    # NSX
    192.168.2.30 ip-NSX_Manager
    192.168.2.10 dns-NSX_Manager
    192.168.2.1 gw-NSX_Manager
    192.168.2.10 ntp-NSX_Manager
    Management network-NSX_Manager
    True ssh-NSX_Manager
    PASSWORD password-NSX_Manager
    nsx.example.com hostname-NSX_Manager
    example.com domain-NSX_Manager
    False ceip-NSX_Manager
The above tells the script how to import NSX Manager using ovftool. Once the import is completed, double-check all the network settings and then set your syslog setting to be your Log Insight server (or any other syslog server). The value PASSWORD in this file means the script will ask for the password rather than read it from the file. Make sure you use a good password.
- After the import, you are directed to log in to the NSX Manager via a web interface. You would do that using the password given before and the admin user. Now it is time to hook up vCenter and NSX. Once you log in, ensure all services are running before proceeding. (Figure 1)
- Next we double check the network and other settings. In my case, I had to add the syslog server. Everything else was set during the ovftool import. (Figure 2)
- Next we hook up vCenter’s Lookup Service and vCenter itself. These two steps happen on the same screen.
The process is pretty simple. First, hook up the lookup service.
Accept the certificate of the vCenter server.
Then, connect to vCenter using a service account. I used one from within my example.local vCenter SSO.
Now we are back to Figure 3, the completed version where all settings are green with no errors.
- Now we need to configure vCenter correctly. To do this, log in to the vCenter Server using the Flash-based web client as the same service account you used to hook up vCenter, per Figure 6. This step is important, as this is now the only user that can manipulate users within NSX.
- Go to Networking and Security from the main menu of the web client.
If you are properly logged in, you will see the NSX Dashboard. At this point, only the NSX Service account can see this screen properly filled in.
Go to NSX Managers and select the IP of the Manager just installed. Once you do that, a new dashboard will appear. Select the Manage tab, then within that tab, select the Users tab. There are only two users: the service account and a CLI user.
Add your user name to the NSX User list. I use domain users to represent non-service accounts within vSphere, and VMware SSO for service accounts within vSphere. Be sure to mark this user as an Enterprise Administrator. You should never need to log in as the service account again.
Log out of the service account and log in as the user just added.
- Now, we are ready to install NSX into our cluster. Go back to the main Networking and Security dashboard and select Installation. You will see listed your NSX Manager and no NSX Controllers. Select the Host Preparation tab, and install NSX into your cluster.
Each host in the cluster will be prepared. This consists of installing ISOs into each node so that you can easily deploy NSX Edge Firewalls, Routers, and DFW components.
Host preparation takes some time, as there are lots of things to do.
At this time, your hosts are prepared and ready for the next step.
- Create an NSX Edge Service Gateway (ESG). You do not need any fancy networking to do this, so you do not need VXLAN or even VDS. You just need a form of a virtual switch for outside the network and one inside the network.
Now we have completed the NSX Install and gotten an Edge appliance created. My Edge allows only certain things through, such as SSH and RDP, and is NAT based. This is the simplest form of network segmentation known. Next, we will get more complex.
All in 8 steps. These are the basics of getting started. At this point, you may not want to go any further, but without this, you cannot go further down the NSX journey. There is much, much more you can do now. At this point, we have used NSX to replace part of VMware’s VCNS product.
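For the ovftool import in the first step, a pre-flight check of the ~/.ov-defaults file can catch a mistyped address or a password left in the file before anything is deployed. The following is an added example, not the import script or any code from the original post; it assumes the file holds one "value key" pair per line with '#' comments, as inferred from the sample above, and the names parse_defaults and lint_defaults are hypothetical.

```python
import ipaddress
import stat

# Assumed layout, inferred from the sample in this post: one "value key"
# pair per line, '#' starts a comment, keys look like "<field>-<appliance>".
IP_FIELDS = {"ip", "dns", "gw"}
BOOL_FIELDS = {"ssh", "ceip"}

# Constructed sample with deliberate mistakes (not from the original post).
SAMPLE = """\
# NSX
192.168.2.300 ip-NSX_Manager
192.168.2.1 gw-NSX_Manager
yes ssh-NSX_Manager
Sup3rSecret! password-NSX_Manager
"""

def parse_defaults(text):
    """Return {key: value}; the key is the last whitespace-separated token."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        settings[parts[-1]] = parts[0] if len(parts) == 2 else ""
    return settings

def lint_defaults(text, mode=None):
    """Return a list of findings; 'mode' is the file's st_mode if known."""
    findings = []
    for key, value in parse_defaults(text).items():
        field = key.split("-", 1)[0]
        if not value:
            findings.append(f"{key}: missing value")
        elif field in IP_FIELDS:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append(f"{key}: '{value}' is not an IP address")
        elif field in BOOL_FIELDS and value not in ("True", "False"):
            findings.append(f"{key}: expected True or False")
        elif field == "password" and value != "PASSWORD":
            # PASSWORD is the prompt marker; anything else is a stored secret.
            findings.append(f"{key}: literal password stored in file")
            if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{key}: file is accessible to group/other")
    return findings
```

To check a real file, pass its contents and `os.stat(path).st_mode` to `lint_defaults` and review any findings before running the import.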
Edward L. Haletky, aka Texiwill, is an author, analyst, developer, technologist, and business owner. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and TVP Strategy where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.