
Posts

Showing posts from November, 2019

NSX | All about control plane

When I was learning about the NSX control plane, I couldn't find all the information in a single pane or page. The information was there but scattered. I thought I would gather all of it and put it in the way below; I found it easier to learn from in the future. Please don't be shy to leave your feedback if you find it useful too.

Below are the components of the NSX control plane:
- NSX Controller Cluster
- Control Plane Agent (netcpa)
- NSX Logical Router Control VM

Now let's explore each of the above in detail.

NSX Controller Cluster: NSX controllers provide control plane functionality. Controllers distribute logical routing network information to ESXi hosts and are responsible for updating ESXi hosts on the state of the logical network components. The NSX cluster uses a "sharding" process to distribute workload across the NSX controller cluster nodes. Sharding is the action of dividing the NSX controller workload into different shards so that each NSX controller instance has an equal porti

NSX | IP Discovery

Of course, NSX needs to know the IP address of any VM, and to find the IP address of any VM it uses the methods below:
- VMware Tools installed on every VM
- DHCP snooping (enabled on the host cluster)
- ARP snooping (enabled on the host cluster)

Multiple methods can be used to discover the IP, and the discovered IP can be used in the operations\tasks below by NSX Manager:
- Firewall rules
- SpoofGuard

IP discovery with VMware Tools: VMware Tools uses a thin agent that must be installed on each and every VM that needs to be protected. A virtual machine with VMware Tools installed is automatically secured whenever it is started up on any ESXi host that has the NSX VIBs installed. Protected virtual machines retain the security protection through shutdown and restart, and even after a vMotion move to another host with the NSX VIBs installed. If VMware Tools is not installed, then the other methods, DHCP and ARP snooping, can be used.

IP discovery with DHCP snooping: As you already know, DHCP snooping can discover the IP wi

PS | Automation can be dangerous!

Hi Folks, Everyone loves automation. It is very exciting to see operations happening automatically. But it will not take much to turn that excitement into graveyard regret if it is not executed correctly or in a perfect manner. I would like to share one example where we were in the process of upgrading all NSX edges. As per the plan, we selected around 100 edges to upgrade first, and then we had to wait for further approval and all. So we picked the PowerShell command and executed it for those 100 edges. The command is a very simple one-liner. Nothing complex in that but..... a blank Enter key created a mess. Let's see how! Check the command first. In that command, there is a source file which is saved with a .txt extension. In that file, the edge IDs need to be mentioned, isn't it? Then execute the script. Very simple :) but what ruined the task is that in that .txt file, the edges were mentioned like edge1 edge2 edge3 . . . and so on, and nothing wrong. But in the last row, t

NSX | Plan upgrade with care

Good Morning Folks, The purpose of this post is to make all of you aware of one feature of NSX which was supported but is no longer supported starting from version 6.4.4. Why specifically am I sharing it? Because it can be a good example of "how you should plan the upgrade". The feature is: "Starting from 6.4.4, 3DES as an encryption algorithm in NSX Edge IPsec VPN service is no longer supported." Now the question is what it means and how it will impact production.

What does it mean? I hope you know that in an IPsec VPN tunnel there are two endpoints, one local and the other remote. 3DES is the encryption algorithm which we use to secure the connection between these two endpoints. In place of 3DES, we have AES, AES256 and AES-GCM. We have to select any one of the above because 3DES is no longer supported or listed in NSX Edge version 6.4.4.

Why is it deprecated? Because it is not that strong. To elaborate, 3DES was designed to auto-negotiate the encryption value to establish t

NSX | What is 3 and 5 tuple value?

This question was asked in one of my interviews and I was not that knowledgeable to answer it at that time. I don't want anyone else (who learns NSX and reads my blog; I have no way to share it with the whole world :)) to be left unanswered on this question. With this thought, I am writing the answer below. It is a very small thing but matters a lot when asked in an interview.

It refers to a set of three and five different values that comprise a TCP\IP connection. It includes what is shown below.

3-Tuple: The tuple (source IP address, destination IP address, ICMP Identifier). A 3-tuple uniquely identifies an ICMP Query session. When an ICMP Query session flows through a NAT64, each session has two different 3-tuples: one with IPv4 addresses and one with IPv6 addresses.

5-Tuple: The tuple (source IP address, source port, destination IP address, destination port, transport protocol). A 5-tuple uniquely identifies a UDP/TCP session. When a UDP/TCP s

PS | How to read content of any file inside GuestOS without logging in?

I am doing a lot with PowerShell these days. Let's see one more challenge I was given and the solution I provided. Basically, this challenge belongs to my last blog. Here I was asked to read the content of a file in a VM without accessing it over RDP. Sounds interesting, isn't it?

#Start here
Connect-VIServer vCenter1
$VM = Read-Host "Enter VM Name " #here is the target vm name
$Chpass = @"
#below command will read and give output for the entire file
(Get-Content -Path C:\DRTask\vm-startup-regIpDns_v9.ps1)
#below command will read line number 8 and will give you the output
(Get-Content -Path C:\DRTask\vm-startup-regIpDns_v9.ps1 -TotalCount 8)[-1]
"@
Invoke-VMScript -VM $VM -ScriptText $Chpass -ScriptType Powershell #-GuestUser "$user" -GuestPassword "$pass"
#End here

Below is the output. I got the text in line number 8, which has the IP address, from the file inside the guest OS. Basically it read the file with the help of VMware Tools in vcent

Powershell | Transfer file into VM

Hi Guys, I hope that this post will help many, because everyone once in their career might encounter this issue. The issue is, "RDP for this VM is not working\allowed, how can I transfer this file into this VM?" I have seen many guys facing this issue, so below is the solution.

#start here
clear
$VC = Read-Host "Enter the IP address\fqdn of vCenter server"
Connect-VIServer $VC
Write-Host "Enter the requested info please" -ForegroundColor Cyan
Function Collectdata{
Write-Host "Enter the path of source file. For example, C:\temp\transferfile.txt"
$source = Read-Host "Enter the path here"
Write-Host "Enter the destination folder in VM where you want to copy above file. For example, C:\temp"
$dest = Read-Host "enter the destination folder path here"
$VM = Read-Host "Enter the VM Name"
$user = Read-Host "Enter the username"
$pass = Read-Host "enter password" -AsSecureString
Write-Host "Th

Powershell | Modify password for user account inside GuestOS of a VM

Today I got this challenge and I did it in the way below.

#Start here
$VC = Read-Host "Enter your vCenter server name\IP "
Connect-VIServer $VC
$vmName = Read-Host "Enter the target VM Name in vCenter "
$UN = Read-Host "Enter the target username "
$pswd = 'Password' #Enter the password here which you want to set, inside the '' marks
$Chpass = @"
`$securePswd = ConvertTo-SecureString -AsPlainText -String '$pswd' -Force
Get-LocalUser -Name '$UN' | Set-LocalUser -Password `$securePswd -Confirm:`$false
"@
Invoke-VMScript -VM $vmName -ScriptText $Chpass -GuestUser "$UN" -GuestPassword "Asdf@1234" -ScriptType Powershell | Select -ExpandProperty ScriptOutput
#End here

Please note that "Asdf@1234" is the existing password of the guest OS user. In case of any error, do let me know; I will surely help you out. Thank you, Team vCloudNotes

NSX | Bit about Firewall

Types of firewall rules based on protocols and security layer:

General Rules - These rules are applied to the L3, L4 and L7 protocols and fields such as IP addresses, TCP\UDP port numbers and APP-IDs. In addition, vCenter attributes like datacenters and resource pools can be part of the group.

Ethernet Rules - These rules can define a set of MAC addresses as source or destination and enforce policy on L2 protocols. Ethernet rules are enforced before General rules.

Partner Security Services - These rules can define traffic flows to be redirected to partner solutions for additional network introspection.

Firewall rules are managed in a centralized manner. Each traffic session is checked against the top rule in the firewall table before moving down to the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.

Types of firewall rules based on where and who creates them:

User-defined rules: rules created by administrators
Internal ru

[Update] Powershell

Hi Guys, I am still working on the idea to create a centralized tool for many vCenter operational tasks with the help of PowerShell in a time-efficient way. I have divided it into three categories:

Get or Search Engine .................... In Progress
Set or Operations Engine ............... To be initiated
Deploy and Automation Engine .... To be initiated

Below is the updated glimpse of the work. Please give your ideas to make it more exhaustive. I will share it once all three steps are completed. Thank you, Team vCloudNotes

NSX | How NSX provide more security to datacenters?

It secures the data center by addressing the key issues in traditional security solutions, which are as below:

1. NSX has visibility not only of virtual datacenter components like VMs, ESXi hosts and port groups but also within the guest OS, the application and its services, hence it secures the SDDC not only from external attacks but also from vulnerabilities within. Here we know something known as micro-segmentation. For example: if one VM is infected with some virus\malware or any other malicious software, then NSX blocks the VM and doesn't allow it to infect other VMs. Below is a reference snippet. The first image (from left) is for a traditional datacenter with traditional security. The second image is with NSX.

2. It doesn't need any in-guest antivirus agent. A separate antivirus solution is not required if you have Guest Introspection enabled with NSX. Explanation: I have 10 ESXi hosts in a cluster and 100 VMs. I'll just prepare my ESXi hosts for NSX (let me know if you wa

NSX | Service Composer

Below is an excellent article on Service Composer in NSX. Very well explained and detailed, to the point. Read it completely and feel free to start any discussion. https://blogs.vmware.com/consulting/tag/nsx-service-composer Thank you, Team vCloudNotes