VMware Hands-on Labs - HOL-1729-SDC-1


HOL-1729-SDC-1 - Introduction to vRealize Network Insight

Lab Guidance


Note: It will take approximately 90 minutes to complete this lab. You should expect to only finish 2 of the modules during your time if you are new to vRealize Network Insight.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

In this lab you will be presented with an overview and demonstration of vRealize Network Insight. The lab focuses on three capabilities and two use case scenarios. Module one introduces micro-segmentation and network security; module two walks through the path and topology map, rendering a real-time, 360-degree view of flows across the physical underlay and the virtual overlay; module three focuses on NSX Manager and shows how advanced NSX operations are managed from within vRealize Network Insight.

Lab Module List:

 

 Lab Captains:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved, so all your work must be done during the lab session, but you can click EXTEND to increase your time.  At a VMware event you can extend your lab time twice, for up to 30 minutes; each click gives you an additional 15 minutes.  Outside of VMware events you can extend your lab time up to 9 hours and 30 minutes; each click gives you an additional hour.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@" key.

Notice the @ sign entered in the active console window.

 

 

vRealize Network Insight -  Navigation

 

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Micro-Segmentation and Security (30 Minutes)

Micro-Segmentation Introduction


When mid-to-large enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on their networks. The most challenging part is knowing what information is required to get started, how to locate that information and the traffic flows, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. From the observed traffic it generates a recommended model of security groups and firewall rules for each group, which makes life much easier for security architects and engineers.

vRealize Network Insight (vRNI) relies on IPFIX flow export from the vSphere Distributed Switch (vDS) to capture data flows. IPFIX is enabled on the vDS so that the ESXi hosts forward IPFIX records as UDP packets to the vRealize Network Insight appliance, which acts as the IPFIX collector. Note that IPFIX carries flow metadata (addresses, ports, protocol, byte and packet counts), not packet payloads. The captured data enables real-time flow views for all port traffic and further filtering to explore East-West traffic.

Two scenarios help explain how vRealize Network Insight can be used to gain full visibility and granular control when deploying firewall rules, so that micro-segmentation is completed without guessing.

Scenario 1 (brownfield deployment): Customer ABC has bought ESXi and NSX but does not have a clear understanding of how to operationally deploy East-West firewall protection for existing workloads, or how to segment those workloads. The customer uses vRealize Network Insight to observe the real-time data flows between ports and build East-West firewall rules from them. vRealize Network Insight observes the traffic patterns in the captured flows and recommends rules to secure East-West communication. The existing firewall rules and micro-segmentation can also be verified against the observed flows.

Scenario 2 (greenfield): Customer ABC has a new DevOps deployment project and does not yet know what firewall rules are needed. Using vRealize Network Insight, monitoring of real-time data flows can start as each deployment and development iteration unfolds. Based on the flows observed in development, the firewall rules are applied at the QA stage and validated in testing, so that when workloads move into production they have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture or observe flows or to generate the recommended East-West firewall rules; security planning relies only on IPFIX at the vDS layer to capture and observe the flows between ports. Enforcing the recommended rules does, however, require a firewall such as the NSX Distributed Firewall.

This Module contains the following lessons:


 

Lab Status Check

 

  1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules

 

 

Open Google Chrome

 

  1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

 

 

Select vRealize Network Insight Favorite

 

  1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically)

 

 

vRealize Network Insight - Login Screen

 

Login to the portal

  1. Username : admin@corp.local
  2. Password: VMware1!
  3. Click Login to continue

 

 

Plan Security

 

When the vRealize Network Insight portal login completes, the first screen shows a search bar at the top.

  1. Type plan security (the search bar uses auto-fill, and predictive text will appear as you type).
  2. Select the Time icon.

 

 

Plan Security - Specify the Date

 

  1. Select Between.
  2. Use the time range to specify a custom date range. Select the START date as 1st September 2016 and the END date as today's date.
  3. Click the search icon to continue.

 

 

Overview - Traffic Distribution (Left Pane)

 

A visual representation of traffic is shown to help understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

 

 

Traffic Distribution - Overview (Right pane)

 

The Traffic distribution section is explained in a number format below. Use these as a reference and do not click on the links at this stage.

 

 

East-West (EW) - Traffic

 

To view specific detail about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the view once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy for micro-segmentation.

A session is a 5-tuple: source IP, destination IP, source port, destination port and protocol. Because the source port is one of the five fields, every TCP connection that is established and terminated is recorded as a new session.

A flow is a 4-tuple aggregation of sessions: source IP, destination IP, destination port and protocol. It ignores the source port, which is ephemeral, drawn from a wide range and changes with every connection. As long as multiple sessions share the same source IP, destination IP, destination port and protocol, they are combined into one record called a flow.

So thousands of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) are combined into one flow, with the aggregate count of packets, bytes and sessions between them recorded as additional flow information.

The number of sessions per day in an enterprise varies enormously. Flows are the more manageable unit and are what matters for policy definition and micro-segmentation.

To see statistics for these flows, such as bytes transferred or number of sessions (or to use these counters in other query operations for higher-level analysis, such as the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used:

Counter names:

  allowed sessions: count of sessions (5-tuples) corresponding to a flow (4-tuple)
  bytes: total traffic volume exchanged on the flow (the sum of the two counters below)
  src bytes: total bytes sent by the src_ip of the flow to dst_ip:port:protocol
  dst bytes: total bytes received by the src_ip of the flow from dst_ip:port:protocol
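To make the session-to-flow aggregation concrete, here is an added example (not part of the lab manual and not vRNI's own code) that takes a handful of constructed 5-tuple session records, such as an IPFIX exporter on the vDS would report, collapses them into 4-tuple flows and computes the allowed sessions, src bytes, dst bytes and bytes counters described above. The session records, the addresses and the outgoing_by_destination helper are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed session records (5-tuple plus per-direction byte counts),
# standing in for what an IPFIX exporter would report. Not real lab data.
@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    src_bytes: int   # bytes sent by src_ip
    dst_bytes: int   # bytes sent back by dst_ip


SESSIONS = [
    Session("10.17.8.11", "10.17.8.21", 51120, 5443, "TCP", 1200, 8400),
    Session("10.17.8.11", "10.17.8.21", 51121, 5443, "TCP", 900, 6100),
    Session("10.17.8.11", "10.17.8.21", 51122, 5443, "TCP", 1500, 9000),
    Session("10.17.8.11", "10.17.8.21", 51123, 443, "TCP", 300, 2000),
    Session("10.17.8.11", "10.17.8.53", 40001, 53, "UDP", 80, 200),
    Session("10.17.8.11", "10.17.8.53", 40002, 53, "UDP", 80, 210),
    # Reverse direction is a different flow: the 4-tuple is directional.
    Session("10.17.8.21", "10.17.8.11", 33000, 22, "TCP", 5000, 2500),
]


def flow_key(session):
    """4-tuple flow key: the source port is dropped on purpose."""
    return (session.src_ip, session.dst_ip, session.dst_port, session.protocol)


def aggregate_flows(sessions):
    """Collapse 5-tuple sessions into 4-tuple flows with the four counters
    used by the Plan Security views: allowed sessions, src bytes, dst bytes
    and bytes (the sum of the previous two)."""
    flows = {}
    for s in sessions:
        counters = flows.setdefault(flow_key(s), {
            "allowed_sessions": 0, "src_bytes": 0, "dst_bytes": 0, "bytes": 0,
        })
        counters["allowed_sessions"] += 1
        counters["src_bytes"] += s.src_bytes
        counters["dst_bytes"] += s.dst_bytes
        counters["bytes"] += s.src_bytes + s.dst_bytes
    return flows


def outgoing_by_destination(flows, src_ip):
    """Higher-level query on the counters: distribution of one VM's
    outgoing traffic (bytes) by destination IP."""
    distribution = defaultdict(int)
    for (sip, dip, _port, _proto), counters in flows.items():
        if sip == src_ip:
            distribution[dip] += counters["bytes"]
    return dict(distribution)


if __name__ == "__main__":
    for key, counters in aggregate_flows(SESSIONS).items():
        print(key, counters)
    print(outgoing_by_destination(aggregate_flows(SESSIONS), "10.17.8.11"))
```

Seven sessions become four flows here; the three sessions to port 5443 collapse into one record with allowed_sessions = 3, while the SSH session in the reverse direction stays separate because the 4-tuple is directional.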
  1. Click on the East-West traffic block

This will bring a new window into view with detailed analysis of the traffic.

 

 

East-West (EW) - Detailed view

 

Only a few of the 1559 flows are shown here, but the detailed views and filters can be used to narrow down to more specific information.

A - Without clicking, hover over the time line to see the rate of flow for that period, indicated by the green line.

  1. Click the close icon (x) to continue.

 

 

Services/Ports

 

Locating the Services screen for the next step

 

 

Services/Ports - Time line view

 

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The services view shows the flows for each service and the flow rate at a specific point in time. Timelines can be adjusted to gain a better understanding of what the "plan security" query delivers. This module follows the steps needed to observe and trace flows for port 5443.

  1. Click Show Data.

 

 

Services/Ports - Point in Time Service

 

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flows are viewed in a pivot format, so that a flow rate can be read by hovering over a particular section.

  1. Hover over the blue block above port 5443 and notice that it shows on demand the total volume of flows over port 5443 for the last 24 hours, in gigabytes (GB).
  2. Click on the block at the intersection of "Last 24 hours" and "PORTS 5443" to get a detailed view of the information.

 

 

Flows for Port 5443

 

For port 5443 over the last 24 hours we now have a detailed understanding of how the 20 flows are distributed, by following the list of entities. You may scroll down and examine the detailed traffic. Further filters on the left-hand side of the screen can be used to narrow the view to a more specific result type.

  1. Click the first entry to examine the detailed flow between Prod-DB-2 and Prod-DB-5 over port 5443.

 

 

Flow Key Properties - Timeline view

 

Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

  1. Click on 3M (last 3 months). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

 

 

Flow Key Properties - Timeline view

 

  1. Click the browser back button (twice) to return to the Plan Security screen once you have finished viewing the timelines for specific flows.

 

 

Micro-Segments

 

The screen should now be back on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro Segments. This section uses the subnet view and shows how it can be used to track flows between two or more points.

Note: Flows can be segmented using views that focus on VLAN/VXLAN, Subnet, Folder, Cluster, VM, Port, Security Tag or Security Group.

  1. Select Last 1 Day (to clear the previous date range).
  2. Open the drop-down box and select by Subnet.

 

 

Focus 10.17.8.0 Network

 

The "Keep Focus" view creates a single endpoint diagram showing communication to physical and shared resources, the Internet and other subnets. The number in parentheses after the network is the number of virtual machines. The colored lines indicate a connected flow as OUTGOING / INCOMING / BIDIRECTIONAL.

 

 

Focus - VLAN/VXLAN

 

To track flows between Prod-Web and Prod-Midtier we switch from the Subnet view to the VLAN/VXLAN view. This exposes the traffic flow and ultimately leads us to the recommended firewall rules.

  1. From the filter drop-down select the VLAN/VXLAN option (the view will update automatically).

 

 

Focus - Prod-Web (25)

 

  1. Hover over Prod-Web
  2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
  3. Click on the line joining the Prod-Web and Prod-Midtier.

 

 

Flows - Prod-Web to Prod-Midtier

 

( A ) - At this point we have identified 14 unique endpoints or flows communicating to or from potential security groups. These security groups are based on VLANs, folders, subnets or any other construct that can be defined.

  1. Click on the recommended firewall rules.

 

 

Flows - Recommended Firewall Rules

 

Based on the observed traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the observed flow metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG Prod-Midtier. Keep in mind that the recommendation encodes only what was observed in the selected time range: a flow that did not occur in that window (a monthly batch job, for example) will not be in the rule, and a flow that did occur is recommended whether or not it is legitimate. Review the recommendations before enforcing them behind a default-deny rule.
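As an added example (not the lab's own material and not vRNI's code) of how such a recommendation is derived, the script below maps constructed per-VM flows onto security groups, collapses them into group-to-group ALLOW rules keyed by protocol and destination port, flags low-volume flows for human review, and checks an existing rule set for observed flows it would not cover (the brownfield verification case from the module introduction). The group membership, addresses and threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed membership map (IP -> security group), standing in for the
# VLAN/VXLAN, subnet or folder grouping vRNI derives. Not real lab data.
GROUPS = {
    "10.17.8.11": "Prod-Web",
    "10.17.8.12": "Prod-Web",
    "10.17.8.21": "Prod-Midtier",
    "10.17.8.22": "Prod-Midtier",
    "10.17.9.5": "Prod-DB",
}

# Constructed 4-tuple flows (src_ip, dst_ip, dst_port, protocol, allowed
# sessions), as aggregated from IPFIX session records. Not real lab data.
FLOWS = [
    ("10.17.8.11", "10.17.8.21", 8080, "TCP", 412),
    ("10.17.8.12", "10.17.8.21", 8080, "TCP", 398),
    ("10.17.8.12", "10.17.8.22", 8080, "TCP", 377),
    ("10.17.8.21", "10.17.9.5", 5443, "TCP", 90),
    ("10.17.8.22", "10.17.9.5", 5443, "TCP", 88),
    ("198.51.100.7", "10.17.8.11", 443, "TCP", 2100),  # Internet client
    ("10.17.8.11", "10.0.0.53", 53, "UDP", 60),        # shared DNS, in no group
    ("10.17.8.11", "10.17.8.21", 22, "TCP", 1),        # one-off SSH: legitimate?
]


def group_of(ip, groups):
    """Map an IP to its security group; anything unknown is 'External'."""
    return groups.get(ip, "External")


def recommend_rules(flows, groups):
    """Collapse per-VM flows into group-to-group ALLOW rules.

    Rules are keyed by (src_group, dst_group, protocol, dst_port); the
    session counts of every flow behind a rule are summed so a reviewer
    can see how much traffic each rule would admit.
    """
    sessions_per_rule = defaultdict(int)
    for src, dst, port, proto, sessions in flows:
        key = (group_of(src, groups), group_of(dst, groups), proto, port)
        sessions_per_rule[key] += sessions
    return {key: {"action": "ALLOW", "sessions": count}
            for key, count in sorted(sessions_per_rule.items())}


def low_volume(flows, threshold):
    """Flows seen fewer than `threshold` times. A recommendation built from
    observation allows whatever was observed, so rare flows (a one-off SSH
    session, a scan) need a human decision rather than an automatic ALLOW."""
    return [flow for flow in flows if flow[4] < threshold]


def uncovered_flows(flows, existing_rules, groups):
    """Observed flows that an existing ALLOW rule set (same key shape as
    recommend_rules) does not permit: the traffic that would break when
    the group moves to default deny, or the gap to close first."""
    return [flow for flow in flows
            if (group_of(flow[0], groups), group_of(flow[1], groups),
                flow[3], flow[2]) not in existing_rules]


if __name__ == "__main__":
    for key, rule in recommend_rules(FLOWS, GROUPS).items():
        print(key, rule)
    print("needs review:", low_volume(FLOWS, 5))
```

Eight per-VM flows collapse into five group-level rules; the three Prod-Web to Prod-Midtier flows on 8080 become the single ALLOW rule the lab shows, while the lone SSH session surfaces in the review list rather than being silently allowed.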

  1. Click the close icon (x) to continue.

 

 

Multiple Ports and Firewall rules for Prod-web

 

  1. Click on the Prod-Web group.

 

 

Services and Flows for Prod-Web

 

On focus the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

  1. Click on Services in this group - 50 unique service endpoints or flows communicating to or from potential security groups are mapped, with traffic rates included.
  2. Click on External Services Accessed - this is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including the port information (DNS, HTTPS, etc.).
  3. Click on Flows - these are the incoming and outgoing flows at this point in time (LAST 24 HOURS). The 16 external services are made up of the 546 flows (internal and external) as indicated. Feel free to hover over any green line to see the flow rate in MB at a specific point in time.
  4. Click on Recommended Firewall Rules - based on the 50 unique service endpoints, 16 external services and 546 flows, the observed metrics determine that 4 firewall rules are required. This is the minimum recommended segmentation for the Prod-Web group.
  5. Click the close icon (x) to continue.

 

 

Security Group 'Prod_Web'

 

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, and need much more detail about container topology before they can plan or execute micro-segmentation. Let's look at how this is possible in a single view that integrates the overlay and underlay networks.

  1. Using the search bar, type Security Group 'Prod_Web' (the search bar uses "Auto Fill" and predictive text will appear as you type).
  2. Click search to continue.

 

 

Results - Prod_Web

 

The search results show Prod_Web at the top of the screen, including the Translated VM Count and any associated rules.

  1. Click on Prod_Web to continue.

 

 

Security Group Pinboard - Pop-up

 

In this lab setting a help screen called the Security Group Pinboard may pop up, giving the user an instant guide to the detail view and topology layout. Read through the help guide and once completed:

  1. Click the close icon (x) to continue.

 

 

Security Group Prod_Web - Timeline

 

Security Group View Explanation

The Security Group view provides a detailed view of the selected security group and a comprehensive listing of its key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the view shows the state of the security group at a point in time, and filters can be used to focus on a particular aspect of the object.

 

 

Security Group Firewall Topology

 

(A) The Security Group Container Topology on the right shows all child and parent groups in relation to Prod_Web, which identifies the nesting and hierarchy of security groups.

  1. Click and select Prod_MidTier (a pop-up screen appears) to see immediately what the source and destination service flows look like in this example. This can be done for each segment attached to Prod_Web and provides all the current Security Group Firewall Topology information. Feel free to click through all the segments to fully understand each related security group.
  2. Click the close icon (x) on any pop-up menus you viewed during your analysis to continue with the next exercise.

 

 

Tracking Prod-Web

 

  1. Within the same view, scroll down (below the Security Group Firewall Topology) to see the following security information for Prod_Web:

A: Events - showing any changes to Prod_Web (direct or indirect) and the impact these changes have on this security group.

B: Current Security Group Configuration and Firewall Rules Count, which further assists with managing the endpoints.

C: Visibility of the virtual machines in security groups, ensuring that workloads and segmentation are managed efficiently.

D: Indirect Firewall Rules, which show the inherited impact and the relationships leading to Prod_Web.

E: Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment.

This module has followed the traffic flow between subnets and VLAN/VXLANs for Prod-Web, and we now understand the analysis behind the recommended firewall rules. The segmentation of a specific virtual machine in Prod-Web can be viewed using the logical switch information for Prod-Web.

  1. Click on Prod-Web (VMs in Security Group > Logical Switches > Prod-Web). A new tab will open at the top of the screen.

 

 

Prod-Web

 

  1. Hover (do not click) over (1) Prod-Web-9 to gain focus and generate the path.

Do not click on any of the bubbles, as they are for reference only. This is the complete path of Prod-Web-9 (as an example), showing how a flow is tracked from overlay to underlay across Prod-Web.

  2. When you are done with the current view, close this tab in Chrome and return to the original view.

 

 

Firewall Rule - Tracking

 

Using the search bar we will demonstrate how you can track any firewall rule in your environment. This is one example of how security-related objects can be searched for with a single statement, and how the results can be exported.

 

 

Port Search

 

  1. Type into the search bar: Firewall rule where action ='ALLOW' and Port=443 (the search bar uses auto-fill, and predictive text will appear as you type).
  2. Click search to continue.

As you type notice all the different permutations of queries that can be assembled.

 

 

Export Firewall Rules

 

Take some time to get familiar with the firewall rule search possibilities and the insight they can offer.

  1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that exposes further information.
  2. Do not click - The entire report can be exported using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.
  3. For the next step we return to the top search bar.

 

 

Firewall Rule Membership Change

 

Using the vRealize Network Insight search bar at the top of the screen, we will run a time-based search to see what firewall rule membership changes occurred during a selected period. This points out any changes made directly, or indirectly as a result of membership changes, and is extremely useful for auditing and troubleshooting.

  1. Type: Firewall Rule Membership Change
  2. Select the Date/Time window.
  3. Click Between. Make sure the time range for the query includes at least 6 months of data: select the date range between 1st Jan 2016 as the start date and today's date (the lab uses static data, so this ensures you see all the changes).
  4. Click search.

 

 

Audit Rule - Firewall Rule Membership Changes

 

The search now displays all the changes made to firewall rule membership during the selected date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and exported by following any of the live links in blue.

 

 

Search-based Notification

 

Continuing in the same screen, users can create alerts to notify internal and external parties of any changes. The alert feature is available from any view that displays the alert icon. Although the alert can be configured in this lab, it will not fire, as the lab uses static data only. This section shows how easy it is to report on firewall rule membership changes. The alert can be sent immediately, within 1 hour or as a daily digest.

  1. Click the Notifications icon to create an alert. The notifications screen will pop up.
  2. Adjust the notification and its parameters as required. Populate them with your own preferences, as the alert must contain information in order to be saved and viewed in later steps.
  3. Once completed, click Save.

 

 

Settings

 

You can view any of your previously configured search-based notifications, and edit or activate their alert parameters, from the Settings page. Notifications can be configured to notify members of the alert group based on the user's preference. The alert you created can now be found using the search bar at the top of the screen.

  1. Click in the search bar and type Settings.
  2. Click Search-based Notifications (your alert is listed in this section, as it was based on the original search "Firewall rule membership change").
  3. Info only - do not click - View / Edit / Activate any notifications.

Note that there are 2 types of notification: Search-based and System Notifications.

  4. Click System Notifications.

 

 

System Notifications

 

System Notifications consist of 101 pre-configured default alerts. Scroll down the list to see all the options and what is considered a standard system alert notification.

Each notification can be used to alert administrators or the users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour or as a daily digest).

 

 

Conclusion

 

In this module we introduced the minimum steps required to facilitate micro-segmentation. The module also demonstrated how to achieve day-zero readiness and to track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight showed how easily network analysis can be acquired and used to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

For additional information about the functionality showcased in this module visit www.vmware.com

Please close the Chrome Web browser.

This concludes this module, please continue to the next module.

 

Module 2 - 360° Visibility across Virtual & Physical Network (45 Minutes)

360 Degrees of Visibility


vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time, and vRealize Network Insight can easily gather intelligence from the network and from every component involved in sending and receiving traffic between two objects.

vRealize Network Insight presents this in a smart user interface, making problem determination and visibility of firewall and network configurations very easy.

This Module contains the following lessons:


 

Open Google Chrome

 

  1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

 

 

Select vRealize Network Insight Favorite

 

  1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

 

 

vRealize Network Insight - Login Screen

 

Login to the portal.

  1. Username: admin@corp.local
  2. Password: VMware1!
  3. Click Login to continue.

 

 

Path of Visibility

 

This module uses the "Path and Topology" feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The "Path and Topology" view can also extend to hosts, L3 networks, security groups and so on, but in this module we focus only on the path.

From the main console:

  1. Click on "Path and Topology".
  2. Click on "Path".

 

 

Path - Select source and destination

 

In the pop-up box:

  1. Click on the grey field below "Source".
  2. Type "dba" into the source field, and "DBAdmin-VM1" will appear.
  3. Click on "DBAdmin-VM1" to select it.

 

 

Path - source and destination continued

 

After selecting the source machine, the destination box will automatically appear.

  1. Type "prod" in the destination field, and the list of available options will appear.
  2. Select "Prod-Db-2".

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.

 

 

Path - source and destination continued

 

  1. Click on Submit.

 

 

Help - Path of visibility

 

Help information will appear.

  1. Spend some time to get familiar with the layout, then click on the (X) in the top right corner to continue.

 

 

Searching for path

 

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to the wizard, we can also run manual searches.

Do not change any parameters in the search field; continue to the next step.

 

 

VM Path Topology

 

In the field named  "VM Path Topology":

  1. Click on the three dots in the top right corner of the field.
  2. Click Maximize.

The view will change and the route will be drawn on the map.

 

 

VM Path Topology - Path Details

 

In this view we get a 360-degree view of both the physical and the virtual network, showing the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the direction of the traffic, in this use case from "DBAdmin-VM1" to "Prod-Db-2".

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

  1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that the list includes items such as VMs, physical switches, virtual switches, routers and NICs.

 

 

Component Overview

 

On the VM topology map:

  1. Click on the top left icon marked with a red square - the Virtual Machine "DBAdmin-VM1".

 

 

Virtual Machine - Details

 

A pop-up box appears with the virtual machine details. Much of this information is made available by VMware Tools; for example we can see network information and the physical host.

A - Please spend some time getting an overview of the information available in this view.

B - Note that the Firewall Status shows "Unknown". In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays "Unknown" as the status. If NSX components were in use but malfunctioning, an error message would appear instead.

  1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

 

 

Physical ESXi Hosts

 

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

  1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where "DBAdmin-VM1" is running.

 

 

Host - Details

 

A pop-up box appears that contains the physical ESXi host details.

A - Spend some time reviewing the information available for the host. Please do not click on any of the links.

B - Notice that we receive information about both the chassis and the blade this ESXi host is running on. In a real environment we could follow the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, the "Control Plane Sync Status" is unknown and the "Number of VTEPs" is 0.

  1. When done reviewing, click on the (X) in the top right corner.

 

 

DVPG on the map

 

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

  1. On the map, click on the little blue box marked by a red square on vlan-629.

 

 

DVPG

 

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

  1. When done reviewing, click on the (X) in the top right corner.

 

 

VLAN-629 on the map

 

This is a brownfield network as indicated by the physical network components currently displayed on the map.

  1. On the map, click on the green line marked by a red square on vlan-629.

 

 

VLAN Network

 

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

  1. When done reviewing, click on the (X) in the top right corner.

 

 

Switch ports on the map

 

  1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

 

 

Switch Port

 

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 4 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC on which the traffic is transmitted and received. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

  1. When done reviewing, click on the (X) in the top right corner of the pop up box.

 

 

Physical VRF on the map

 

  1. From the map, click on the icon marked by a red square to access the Physical VRF details.

 

 

VRF - Physical Switch

 

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario, the first hop in the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

  1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

 

 

VRF - continued

 

  1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

 

 

VRF - Physical Router

 

A pop-up box will appear that contains the Physical VRF details.

In this scenario, the second hop in the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

  1. When done reviewing, click on the (X) in the top right corner of the pop up box.

Note:  The Palo Alto integration showcased is in beta testing.

 

 

VRF - continued

 

  1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

 

 

VRF - Physical Switch

 

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario, the third hop in the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, which also helps when changing from one vendor to another.

  1. When done reviewing, click on the (X) in the top right corner.

 

 

Accessing the virtual infrastructure

 

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

  1. From the map, click on the icon marked by a red square to access the next VRF in the path.

 

 

VRF - NSX Provider Edge 1

 

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in previous steps) are an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

D - There also seems to be a problem with the Provider-Edge. If the Provider-Edge had a severe problem, one or more arrows in the path would disappear from the map. In this step we are seeing the problems as an alert. Even if the problems might not affect this path, they might affect other scenarios or paths. The information provided in these details is calling out things that might be a potential problem.

  1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

 

 

VXLAN on the map

 

  1. On the map, click on the blue line marked by a red square to access the VXLAN details.

 

 

VXLAN Network

 

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

  1. When done reviewing, click on the X in the top right corner of the pop-up box.

 

 

VRF - LDR

 

  1. From the map, click on the icon marked by a red square to access the VRF details.

 

 

VRF - LDR-Corporate

 

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

  1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

 

 

Routing - NSX Firewall

 

The traffic is routed through the VRF onto the Prod-DB network over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM. One Firewall from Palo Alto and one Firewall from NSX.

  1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

 

 

Firewall - NSX

 

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - As we noticed in the previous steps, there are two firewalls in front of the VM. This is a way of getting hold of the details for all firewalls throughout the path of the traffic. These are exactly the firewall rules that sit between the two VMs. We get full insight into all the applicable firewall rules on both the virtual and the physical level in real time.

C - Please also notice the "Applicable Firewall Redirect Rules". This will be explained in the next step.

  1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

 

 

Redirect on the map - PAN Firewall

 

Please notice that there are two firewalls next to the VM. One Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

  1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

 

 

Firewall - PAN

 

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

A - As we noticed in an earlier step, the NSX Firewall details contained the redirected firewall rules at the bottom of its details page. This allows for visibility across these objects.

  1. When done reviewing, click on the (X) in the top right corner of the pop up box.

 

 

Reversing the analysis

 

  1. In the section marked by a red square in the picture click on the arrow pointing left.

The route on the map will change.

 

 

Reversing the analysis continued

 

A - The analysis will now be done in the opposite direction. Please note that the path now changes. Instead of going through Provider-Edge 1, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic flows in real life.

Please continue to the next step to conclude this module.

 

 

Conclusion

 

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module to have a look at other components.

For additional information about the functionality showcased in this module visit http://www.vmware.com/vrealizenetworkinsight.

This concludes this module. Please continue to the next module.

 

Module 3 - Advanced NSX Management & Operations (45 Minutes)

NSX Advanced Management Operations


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and this module focuses on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:


 

Lab Status Check

 

Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

 

 

Open Google Chrome

 

  1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

 

 

Select vRealize Network Insight Favorite

 

  1. Select the vRNI shortcut on the Favorites bar (if vRealize Network Insight did not load automatically).

 

 

vRealize Network Insight - Login Screen

 

Login to the portal

  1. Username : admin@corp.local.
  2. Password: "VMware1!".
  3. Click Login to continue.

 

 

Search Bar - NSX Manager

 

Using the search bar on the entry screen

  1. Type NSX Manager (we only have one manager in this lab, so there is no need to specify further filters).
  2. Click Search.

 

 

NSX Manager Information

 

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 31 problems associated with this endpoint.

  1. Click on the NSX Manager address to expose the layout and detailed information.

 

 

Timeline - Visual Build-up

 

Explore information only - Do not click

 

 

Topology - Focus on the NSX Controller

 

The logical view of the NSX Topology provides live links to each component in the construct to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

  1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71..... as they do change order).

 

 

NSX Controller - Detail

 

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

  1. Click the close sign (x) to continue.

 

 

Topology - Explained

 

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

  1. Click the edge VM's icon to see detailed information about the edge services.

 

 

Provider Edge

 

Rendering a complete view of the provider edge services and the associations we can investigate all the edge related activities.

  1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

 

 

Routers Provider Edge 4

 

  1. Hover your mouse over the "days" and two options will appear, then click the + symbol to expand. This will show the detailed state of controller-4 indicating "None of the NSX Edge VMs found in serving state".
  2. Once the Provider Edge device has been inspected, close the window by clicking on the close sign (x) to continue.

 

 

Return to Search View - NSX Manager

 

  1. Now use the Chrome Back button; click once to return to the NSX Manager information screen step.

 

 

NSX Problems - Configuration

 

  1. Click and select the Configuration Problems to view advanced NSX Controller information.

 

 

Configuration Problems

 

  1. Use the blue + icon to expand the detailed view of the Masked firewall rule. You will need to hover next to the "days" before the + will show up, then click the + symbol to expand.

It is clear that the controller is subjected to 2 firewall rules. The first rule is the ALLOW > ANY from Lab to Lab. This rule clearly takes priority as Sequence Number 1.

The second rule is Sequence Number 12 and clearly has a lower priority, so the Lab Web to Lab DB > DBService > DENY rule is never enforced: every flow it would match is already allowed by rule 1. We can see that this will be an easy fix.

  1. Click the close sign (x) to continue.
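The masked-rule check the lab displays can be reproduced offline against an ordered rule list. This is an added example, not code from the lab or from vRealize Network Insight; the group hierarchy (Lab containing Lab Web and Lab DB), rule names and the extra SSH rule are constructed to mirror the scenario above.

```python
"""Detect masked (shadowed) distributed-firewall rules.

Added example, not part of the lab or of the product. The rule data is
constructed to mirror the lab's Configuration Problem: an ALLOW ANY rule at
sequence 1 masks a DENY rule at sequence 12.
"""
from dataclasses import dataclass

# Constructed group hierarchy: a parent group covers its member groups.
GROUP_MEMBERS = {
    "Lab": {"Lab Web", "Lab DB"},
}


@dataclass(frozen=True)
class Rule:
    sequence: int
    name: str
    source: str
    destination: str
    service: str
    action: str


def covers(broad: str, narrow: str) -> bool:
    """True if field value `broad` matches everything `narrow` matches."""
    if broad == "ANY" or broad == narrow:
        return True
    return narrow in GROUP_MEMBERS.get(broad, set())


def find_masked_rules(rules):
    """Return (masking_rule, masked_rule) pairs.

    Rules are evaluated in ascending sequence order. A later rule is masked
    when an earlier rule already matches every flow the later rule matches,
    regardless of action. Only the first masking rule is reported per rule.
    """
    ordered = sorted(rules, key=lambda r: r.sequence)
    masked = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (covers(earlier.source, later.source)
                    and covers(earlier.destination, later.destination)
                    and covers(earlier.service, later.service)):
                masked.append((earlier, later))
                break
    return masked


# Constructed rule set mirroring the lab scenario (order deliberately mixed).
LAB_RULES = [
    Rule(12, "Block DB from web tier", "Lab Web", "Lab DB", "DBService", "DENY"),
    Rule(1, "Lab catch-all", "Lab", "Lab", "ANY", "ALLOW"),
    Rule(5, "Mgmt SSH", "Mgmt", "Lab", "SSH", "ALLOW"),
]

if __name__ == "__main__":
    for masking, hidden in find_masked_rules(LAB_RULES):
        print(f"seq {hidden.sequence} ({hidden.action} {hidden.name}) is masked by "
              f"seq {masking.sequence} ({masking.action} {masking.name})")
```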

 

 

NSX Problems - Checklist Rules

 

  1. Click on the Checklist Rules-Failed to see a detailed view.

 

 

Checklist Rules-Failed

 

  1. Click Expand All to see detail information of the issues listed.

In this example we can see in the section MODULE NOT LOADED that the netcpa-worker module is having communication issues on host ddc1-pod2esx035, and this host will need remediation before the user world agent will communicate over SSL with the NSX Controller.

Traditionally the NSX administrator would issue a command similar to [ # esxcli network ip connection list | grep tcp | grep 1234 ] and then manually check the controller connections in order to establish a possible communication issue.

  1. Click the close sign (x) to continue.
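The manual check described above (listing ESXi TCP connections and looking for port 1234 sessions from the user world agent to each controller) can be scripted over the command's output. This is an added example, not code from the lab or from vRealize Network Insight; the esxcli output, column layout, world name and controller addresses are constructed assumptions, not taken from the lab environment.

```python
"""Check netcpa (user world agent) sessions to NSX controllers on port 1234.

Added example, not part of the lab or of the product. The sample text below
is constructed to resemble 'esxcli network ip connection list' output; the
column layout, world names and IP addresses are assumptions.
"""
import re
from collections import defaultdict

CONTROLLER_PORT = 1234

# Constructed sample: healthy sessions to two controllers, a stalled
# handshake to the third, plus an unrelated SSH session that must be ignored.
SAMPLE_ESXCLI_OUTPUT = """\
Proto  Recv Q  Send Q  Local Address         Foreign Address        State        World ID  CC Algo  World Name
-----  ------  ------  --------------------  ---------------------  -----------  --------  -------  -------------
tcp         0       0  192.0.2.35:51001      192.0.2.201:1234       ESTABLISHED     12345  newreno  netcpa-worker
tcp         0       0  192.0.2.35:51002      192.0.2.202:1234       ESTABLISHED     12345  newreno  netcpa-worker
tcp         0       0  192.0.2.35:51003      192.0.2.203:1234       SYN_SENT        12345  newreno  netcpa-worker
tcp         0       0  192.0.2.35:22         192.0.2.10:40112       ESTABLISHED      8001  newreno  sshd
"""

# Constructed controller list (the host should hold a session to each one).
EXPECTED_CONTROLLERS = ["192.0.2.201", "192.0.2.202", "192.0.2.203"]

# proto, recv-q, send-q, local, foreign, state, world id, cc algo, world name
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+(\S+)")


def parse_controller_sessions(output):
    """Map controller IP -> list of (state, world_name) for port-1234 sessions."""
    sessions = defaultdict(list)
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, separator, or non-TCP line
        _local, foreign, state, world = m.groups()
        ip, _, port = foreign.rpartition(":")
        if port == str(CONTROLLER_PORT):
            sessions[ip].append((state, world))
    return dict(sessions)


def controllers_without_sync(output, expected):
    """Return controllers lacking an ESTABLISHED netcpa session on this host."""
    sessions = parse_controller_sessions(output)
    missing = []
    for ctrl in expected:
        healthy = any(state == "ESTABLISHED" and world.startswith("netcpa")
                      for state, world in sessions.get(ctrl, []))
        if not healthy:
            missing.append(ctrl)
    return missing


if __name__ == "__main__":
    bad = controllers_without_sync(SAMPLE_ESXCLI_OUTPUT, EXPECTED_CONTROLLERS)
    print("controllers needing attention:", bad or "none")
```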

 

 

Entities Affected Currently

 

What's the impact/reach of the NSX controller issues? Scroll down to the Entities Affected Currently section and notice that we also have a view of the Underlay VLANs and any Associated Physical VRFs.

  1. Click on the VMs section to see a detailed view.

 

 

Provider Edge 4-0

 

  1. Expand the view using the Expand All icon

We notice that Provider Edge-4 is listed as a VM. We also identified earlier that this edge device had critical issues that needed to be resolved. This is one of many options you can use to pinpoint the exact extent and impact caused by the current configuration. More advanced options within the NSX Manager view screen include all the relevant information to manage Provider Edge-4 and to understand the topology link between a single object and the NSX Manager. Feel free to familiarize yourself with this information, but remember this is static data within this lab.

  2. Click the close sign (x) to continue.

 

 

Conclusion

 

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For additional information about the functionality showcased in this module visit http://www.vmware.com

Please close the Chrome Web browser.

This concludes this module, please continue to the next module.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1729-SDC-1

Version: 20170502-055245