Since its nascence, NSX has been a significant product within VMware's portfolio; looking forward, that significance will only increase. Pat Gelsinger, CEO of VMware, deemed NSX the "next vSphere" and the "secret sauce" of the company's core initiatives. As the internet of things develops, the security NSX networking provides will prove essential. If you don't already use NSX but are interested in doing so, it can be difficult to figure out where to begin. In this article, we'll review how to configure the products that make up NSX and how to apply them to your infrastructure.
First, a warning: Don't attempt this configuration on a live vSphere infrastructure. Although you likely won't break anything while installing NSX, it's always best to play it safe. Also, note that NSX networking only works with vSphere Distributed Switch (vDS), which is typically only available as part of the vSphere Enterprise Plus license. However, if you purchase NSX, you'll also receive a license for vDS.
Deploy the NSX controller
To set up NSX, first deploy the NSX controller, which you can download from the My VMware site. Deploy the controller as you would a normal Open Virtualization Format (OVF) file, and fill in all the required items. If you don't fill in all of the required fields, your installation will fail. Most of the fields are normal entries, such as domain name system, IP, gateways and so on. Make a note of the NSX controller's IP address. Setting up the NSX controller requires quite a bit of memory -- 16 GB, to be exact. When I set up NSX in my data center, I allotted 32 GB per node to accommodate this. Each NSX management appliance also requires 4 virtual CPUs, so plan accordingly.
Once you've deployed the OVF -- which could take a while -- and powered it on, log in using the IP address specified during setup, the username admin and the password you chose during deployment.
In order to implement NSX components in a vSphere environment, there are several important items, organized in two groups, which you need to configure. First, click Manage vCenter Registration. This will load a screen similar to the one shown in Figure A.
Click the Edit button next to the Lookup Service URL, and enter the details for the Lookup Service URL, Single Sign-On Administrator User Name and password. The URL will be your platform controller service. Use an account registered to vsphere.local with admin rights.
If you see a prompt that asks you to trust a certificate during setup, click Yes.
Next, you must connect to vCenter Server. This enables NSX Manager to display the VMware infrastructure inventory. If you skip this step, NSX management extensions won't load into the web GUI.
Log out of any web clients, and then log back in with your administrator account. This might take slightly longer than normal. Once this is done, you'll see a new icon in the vSphere web client that says Networking & Security.
It's important to understand how these features fit together. The OVF, which you deployed earlier, is the management appliance that manages the NSX infrastructure as a whole. In the event of a failure in the VM, the network will still function, but update and modification capabilities will be affected.
Deploy the NSX infrastructure
Before you proceed, ensure that each host in the cluster has a VMkernel port to use with NSX. Also, install your NSX networking license. Without this, NSX won't deploy to any hosts.
Once that's done, click the Networking & Security icon, and navigate to Installation.
Next, deploy the network controllers. These controllers essentially form the backbone of the NSX networking infrastructure. Controllers do the lifting behind the scenes to configure all the various network connectivity. Controllers also deploy in odd numbers, never even. The recommended number is three per cluster; however, for the sake of this test lab, one will suffice.
Navigate to the NSX Controller nodes box, and click the green plus sign. A window, like the one shown in Figure C, will appear that asks for several items of information. Most of these items are simple questions, with the exceptions of Connected To and IP Pool. Next to Connected To, click Change, and select the distributed port group. Next to IP Pool, click Select, and create a new IP pool. Once you've answered all of these items, click OK, and the controller should install.
Enable NSX on the cluster nodes
You can now enable NSX on the cluster nodes. Enable every node in the cluster for NSX: if High Availability or vMotion were to move a machine to a non-NSX cluster, it would effectively be lost to the network.
Navigate to the Host Preparation tab, and click the Actions menu. From this menu, select Install. A prompt will appear that asks if you want to proceed with the installation on each host; click Yes.
This installation process installs several security and networking vSphere Installation Bundle files. The networking file is configured to create a Virtual Tunnel End Point (VTEP). VTEP is the network connectivity from the host to the virtual network points NSX provides. Think of it as a trunk that allows data to flow in and out through the security module. Multiple VMkernel ports can make up a single uplink to provide redundancy. The installation also adds a firewall module as part of the local security setup. By default, this firewall allows all traffic at install time. Before you try to alter any of these items, make sure you thoroughly understand how everything works.
Navigate to the Network and Security item on the menu to install VTEP requirements on the host.
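Because the firewall module described above allows all traffic at install time, a useful check after host preparation is to confirm which enabled rules still permit any-to-any traffic. The following is an added example, not part of the original article or VMware's code: it audits an exported firewall configuration offline, and the XML element layout and the sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not captured from a real NSX Manager. The element layout
# is an assumption modelled on an NSX distributed firewall configuration export.
SAMPLE_CONFIG = """
<firewallConfiguration>
  <layer3Sections>
    <section id="1002" name="Lab web tier">
      <rule id="1005" disabled="false" logged="true">
        <name>Web to app</name>
        <action>allow</action>
        <sources><source><value>securitygroup-10</value></source></sources>
        <destinations><destination><value>securitygroup-11</value></destination></destinations>
        <services><service><value>application-80</value></service></services>
      </rule>
    </section>
    <section id="1001" name="Default Section Layer3">
      <rule id="1001" disabled="false" logged="false">
        <name>Default Rule</name>
        <action>allow</action>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>
"""

def find_allow_any_rules(config_xml):
    """Return enabled allow rules that set no source, destination or service."""
    findings = []
    root = ET.fromstring(config_xml)
    for section in root.iter("section"):
        for rule in section.findall("rule"):
            if rule.get("disabled", "false").lower() == "true":
                continue  # disabled rules are not enforced
            if (rule.findtext("action") or "").strip().lower() != "allow":
                continue
            # A missing or empty element is treated as "any" for that field.
            scoped = [f for f in ("sources", "destinations", "services")
                      if rule.find(f) is not None and len(rule.find(f)) > 0]
            if not scoped:
                findings.append({
                    "section": section.get("name"),
                    "rule_id": rule.get("id"),
                    "name": rule.findtext("name"),
                    "logged": rule.get("logged", "false").lower() == "true",
                })
    return findings

if __name__ == "__main__":
    for f in find_allow_any_rules(SAMPLE_CONFIG):
        print(f"allow-any rule {f['rule_id']} ({f['name']}) in {f['section']}, logged={f['logged']}")
```

A finding with `logged` set to false means the permissive rule also leaves no record of the traffic it passes.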
Configure the Virtual Extensible LAN
Finally, configure the Virtual Extensible LAN (VXLAN). Each VXLAN is similar, in a way, to a virtual LAN, but a VXLAN functions at layer two and can be stretched across sites and physical networks if necessary.
Navigate back to the host preparation screen; all the cluster nodes should be set up and configured for NSX. Notice that the status of the VXLAN is Not Configured. Click the hyperlink, and a window, like the one shown in Figure D, will appear with VXLAN networking configuration details filled out. In order to use VXLAN, you'll need a maximum transmission unit size of 1,600 bytes.
You've officially installed all of the NSX fundamentals. The next step is to activate them. In the future, we'll look at the functionality of NSX networking, including how to use it for north-south data communication and how to use its built-in firewall capabilities.