VMware Hands-on Labs - HOL-1803-03-NET


Lab Overview - HOL-1803-03-NET - VMware NSX: Operations and Visibility

Lab Guidance


Note: It will take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Welcome to the VMware NSX Operations and Visibility Lab. Within this lab we will guide you through all of the tools at your disposal to assist not only in troubleshooting, but also in gaining additional operational visibility into your infrastructure. We start off by reviewing the NSX Content Pack for Log Insight and the new dashboard functionality that it serves up in Log Insight. We then look at the tools natively built into NSX, which include Flow Monitoring, Traceflow and Central CLI. The complete Lab Module list is below, and all modules are completely independent, so you can freely move between different modules.

Lab Module List:

 Lab Captains:

 

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer. The lab cannot be saved, so all your work must be done during the lab session, but you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes; each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes; each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all of its startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Log Insight Management Pack Review (15 minutes)

Introduction


Traditional log management tools are not suitable for a dynamic hybrid cloud environment.  This is due, in part, to the fact that traditional tools do not leverage logs and other machine-data strategically to generate insights and troubleshoot IT infrastructure issues. In addition, machine-generated log data is massive in scale and difficult to capture and manage. Further, siloed approaches to virtual and physical infrastructure management lead to finger pointing and fire drills. Finally, other solutions may need additional piecemeal software in order to work with vSphere, and may not always support the latest version.


 

Log Insight Description

 

VMware vRealize Log Insight addresses these challenges and enables improved quality of service, operational efficiency and continuous compliance. The following is a list of Log Insight's capabilities:

 

 

Installation of Log Insight

Log Insight is installed as a virtual appliance. By default, the Log Insight virtual appliance has 2 vCPUs, 4GB of virtual memory, and 144GB of disk space provisioned. Log Insight uses 100GB of the disk space to store raw data, index, metadata, and so on. There are many different factors that can impact the sizing of the virtual appliance; those discussions are beyond the scope of this lab. A deeper discussion of the vRealize Log Insight platform can also be found in:

HOL-1806-01 Module 2

The full documentation set can also be found at https://www.vmware.com/support/pubs/log-insight-pubs.html. For the purposes of this lab, the Log Insight appliance has already been installed. In the next section, we will log into the appliance and install the NSX Content Pack.

 

Install Log Insight Content Pack


In this module, we will be installing the Log Insight content pack for NSX. This will contain all the dashboards related to NSX.

Open Google Chrome from the Control Center Desktop

 

 

From the Control Center desktop, click on the Google Chrome icon.


 

Install LogInsight content pack

Log in to vRealize Log Insight

 

  1. CLICK on the vRealize Log Insight bookmark.
  2. Log in with the following credentials:

Username is admin

Password is VMware1!

 

 

Install the LogInsight content pack

 

From the main screen after logging in,

1. CLICK on the drop-down for settings.

2. SELECT CONTENT PACKS from the drop-down menu.

 

1. In the bottom left-hand corner of the menu, CLICK on Import Content Pack.

 

1. CLICK the Browse button.

2. In the resulting file window, navigate to Desktop > vRealize Log Insight NSX Content Pack 3.6 > VMware-NSX-vSphere_3_6.vlcp.

3. Double-Click on the file name or CLICK Open.

4. CLICK on the Import Button to complete the installation of the content pack.

 

 

Complete the installation

 

  1. CLICK OK.

Once the import is complete, the content pack is installed and you can begin to explore the dashboards and other widgets in Log Insight specific to NSX.

 

Module 1 Conclusion


In this module we installed the NSX content pack for Log Insight. In the next lesson, we'll look at some of the dashboards.


 

You've finished Module 1

Congratulations on completing Module 1.

If you are looking for additional information on LogInsight, try one of these:

Proceed to any module below which interests you most.

Lab Module List:

 Lab Captain:

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 2 - Log Insight Dashboards for NSX (15 minutes)

Introduction


The NSX for vSphere Log Insight Content Pack provides powerful operational reporting and alerting visibility for all sources of log data within NSX. Each major NSX function (logical switching, routing, distributed firewall, VXLAN gateways, and edge services) is represented within this content pack via custom dashboards, filters, and alerts. This graphically rich content pack is essential for analyzing and identifying NSX configuration, performance, security, and trend-related problems. The twelve NSX dashboards are easily selectable with intuitive mouse clicks. NSX log data is quickly sorted based upon user-defined time intervals, and within seconds the data is presented graphically via bar graphs, pie charts and raw data collection widgets.


 

Dashboard overview

 

In this module we'll look at the different dashboards available from the NSX content pack.

 

Examine various Dashboards


In this lesson we'll be taking a tour around dashboards and what to expect from a reporting perspective.


 

Navigate to Dashboards and select the custom date and time

 

From this page click Dashboards.

 

Interactive Analytics


Interactive Analytics allows you to interact with logs in real time, enabling the administrator to select a specific event, show all the logs related to that event, and then filter the incidents down.


 

Create a scenario - packet drop

 

On your vSphere web client,

  1. Click the home button.
  2. Click Networking and Security.

 

  1. Click on Firewall.
  2. Click on the + icon.

 

We will now create a firewall rule to simulate a packet drop scenario.

  1. Hover with your mouse pointer at the top right corner of each column to edit the value. You can use the following values:

 

Make sure you enable logging in the Action column.

 

 

This is what the rule should look like. Go ahead and publish the rule to activate it.

 

  1. Click on Publish Changes.

 

Verify that the rule has been published.

 

 

Test firewall rule

 

 

 

Navigate to LogInsight

 

  1. Click on the bookmark to go to the Log Insight interface.
  2. Use the following credentials to log in:

User name: admin

Password: VMware1!

 

 

Verify result from Dashboards

 

In this view, in the Firewall Actions dashboard, select the drop event on the 13th of June. If you hover with your mouse on top of it, you should get event ID 30.

  1. Click Dashboards.
  2. Click Distributed Firewall - Overview.
  3. Change your time range to be from the 1st of March 2017 until the 15th of June 2017 (the time at which this module was developed). A detailed step-by-step can be found in the previous lesson, Examine various Dashboards.
  4. Click Refresh.
  5. Using your mouse, go to the Firewall Actions dashboard and hover over the dropped-packet portion of the bar. Left-click on the bar.
  6. Select Interactive Analytics.

 

 

Interactive Analytics

 

  1. You can start by selecting the bar that is the closest representation of the time that you want to investigate.
  2. In the Filter section you can dynamically extract any field from the data by providing a regular expression. The extracted fields can be used for selection, projection, and aggregation, similar to how the fields that are extracted at parse time are used.
  3. This shows a list of the data classifications and keywords that you can choose to show or hide. You can also choose to assign a specific value to further filter your results.

The resulting information shows that 172.16.60.20 (fin-web-01a) was issuing a ping to 172.16.60.10 (hr-web-01a) and that it was dropped due to firewall rule #1018.
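The field extraction and aggregation that Interactive Analytics performs above can be reproduced outside the UI for a quick sanity check of what a dashboard is showing. The following is an added example, not code from the lab or from the NSX content pack: it applies a regular expression (the same idea as the "extract field" dialog) to constructed log lines written in the style of the NSX distributed firewall packet log, and summarises the drops by rule, protocol, source and destination. The exact dfwpktlogs line format is an assumption; the hosts, addresses and rule number come from the lab.

```python
import re
from collections import Counter

# Constructed sample lines in the style of NSX-v distributed firewall packet
# logs (dfwpktlogs) as forwarded to Log Insight. The field layout is an
# assumption for this example; the IPs, cluster ID and rule number follow the lab.
SAMPLE_LOGS = """\
2017-06-13T10:02:11.000Z esx-01a.corp.local dfwpktlogs: INET match DROP domain-c26/1018 IN 84 ICMP 172.16.60.20->172.16.60.10
2017-06-13T10:02:12.000Z esx-01a.corp.local dfwpktlogs: INET match DROP domain-c26/1018 IN 84 ICMP 172.16.60.20->172.16.60.10
2017-06-13T10:02:13.000Z esx-02a.corp.local dfwpktlogs: INET match PASS domain-c26/1001 OUT 60 TCP 172.16.10.11/49152->172.16.20.11/8443 S
2017-06-13T10:02:14.000Z esx-01a.corp.local dfwpktlogs: INET match DROP domain-c26/1018 IN 84 ICMP 172.16.60.20->172.16.60.10
2017-06-13T10:02:15.000Z esx-02a.corp.local dfwpktlogs: INET match PASS domain-c26/1001 IN 60 TCP 172.16.20.11/8443->172.16.10.11/49152 SA
2017-06-13T10:02:16.000Z esx-01a.corp.local hostd: unrelated line that must be skipped
"""

# Field extractor. Each named group becomes an "extracted field", which is
# what a user gets by typing a regular expression into the Filter section.
DFW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+dfwpktlogs:\s+INET\s+match\s+"
    r"(?P<action>PASS|DROP|REJECT)\s+"
    r"(?P<domain>[\w-]+)/(?P<rule_id>\d+)\s+"
    r"(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+"
    r"(?P<proto>[A-Z]+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<sport>\d+))?->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<dport>\d+))?"
)

# Hostnames given for these addresses in the lab text.
NAMES = {"172.16.60.20": "fin-web-01a", "172.16.60.10": "hr-web-01a"}


def extract_fields(line):
    """Return the extracted fields of one line, or None if it is not a DFW packet log."""
    m = DFW_RE.match(line)
    return m.groupdict() if m else None


def parse_logs(text):
    """Extract fields from every line; lines that do not match are dropped, as in Log Insight."""
    return [f for f in (extract_fields(l) for l in text.splitlines()) if f]


def action_breakdown(records):
    """Count events per firewall action, the figure behind the Firewall Actions bar."""
    return Counter(r["action"] for r in records)


def summarise_drops(records):
    """Aggregate DROP events by (rule_id, proto, src, dst): the 'selection, projection
    and aggregation' step that turns a selected bar into a root-cause statement."""
    counts = Counter()
    for r in records:
        if r["action"] == "DROP":
            counts[(r["rule_id"], r["proto"], r["src"], r["dst"])] += 1
    return counts


def describe(key, n):
    """Render one aggregated drop the way the lab states its finding."""
    rule_id, proto, src, dst = key
    return (f"{n} {proto} packets from {src} ({NAMES.get(src, src)}) to "
            f"{dst} ({NAMES.get(dst, dst)}) dropped by DFW rule {rule_id}")


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print(dict(action_breakdown(recs)))
    for key, n in summarise_drops(recs).most_common():
        print(describe(key, n))
```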

 

Module 2 Conclusion


In this module, we looked at the different dashboards available in the NSX content pack for Log Insight. We focused on the distributed firewall dashboards.

Finally, we looked at Interactive Analytics and how we can monitor events live to help provide a root cause analysis for incidents.


 

You've finished Module 2

Congratulations on completing Module 2.

If you are looking for additional information on Flow Monitoring visit the URL below:

Proceed to any module below which interests you most.

Lab Module List:

 Lab Captain:

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 3 - Flow Monitoring Configuration (30 minutes)

Introduction to Improved Operational Visibility with Flow Monitoring


Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic to and from virtual machines. When flow monitoring is enabled, its output shows which machines are exchanging data and over which application. This data includes the number of sessions and packets transmitted per session. Session details include sources, destinations, applications, and ports being used. Session details can be used to create firewall allow or block rules.

You can view TCP and UDP connections to and from a selected vNIC. You can also exclude flows by specifying filters.

Flow Monitoring can thus be used as a forensic tool to detect rogue services and examine outbound sessions.


Tour of Flow Monitoring


Flow Monitoring is accessed via the Network and Security tab within vSphere Web Client.


 

Launch the Google Chrome browser

 

Click on the Chrome browser icon from within the taskbar or on the desktop of the main console.

 

 

vCenter - Region A bookmark

 

  1. If the page does not automatically default to the vSphere Web Client page click on the vCenter - Region A link in the bookmarks bar.

 

 

Login to the vSphere Web Client

 

If you are not already logged into the vSphere Web Client:

(The home page should be the vSphere Web Client.  If not, Click on the vSphere Web Client Taskbar icon for Google Chrome.)

  1. Click the checkmark next to Use windows session authentication.
  2. Click Login

 

 

Navigate to Networking & Security

 

  1. From within the vSphere Web Client click on the Networking & Security tab.

 

 

Navigate to Flow Monitoring

 

  1. From within the Networking & Security tab click on the Flow Monitoring tab.

 

 

Flow Monitoring tabs

 

Within Flow Monitoring we have five tabs available:

  1. Dashboard - Displays Top Flows, Top Destinations and Top Sources and allows you to modify the time interval that you are currently viewing.
  2. Details by Service - Displays Allowed and Blocked Flows by service.
  3. Live Flow - Enables you to monitor the flows of a particular vNIC from within your infrastructure.
  4. Configuration - Enables Flow Monitoring and allows you to exclude certain flows.
  5. Application Rule Manager - Simplifies the process of microsegmenting an application by creating security groups and firewall rules for existing applications.

 

 

Modifying the Time Interval

 

  1. If you are not already at the Dashboard tab then please click on it.
  2. In order to modify the time interval you may need to move the screen focus to the right by using the window arrows. You can modify the time interval by clicking on the calendar icon.
  3. Select the time frame to view.
  4. Leave the default value of Last 15 minutes and click OK to continue.

 

 

Flow Monitoring Dashboard

 

  1. Clicking on the Dashboard tab shows you a list of flow information from within the environment, which includes actual flows and statistical information around the percentage of flows allowed, blocked by rules, or blocked by SpoofGuard.

You can also view Top Flows, Top Destinations and Top Sources occurring within your environment.

 

 

Flow Monitoring Details by Service

 

  1. Details by Service shows flow statistics based on services within the environment.

 

 

Flow Monitoring Configuration

 

  1. Click on the Flow Monitoring Configuration tab.
  2. You have the ability to enable or disable Flow Monitoring. By default Flow Monitoring is disabled, so you have to enable it manually; within the lab this has already been done.

 

Monitoring the Flows of a Virtual Machine


Now that we've walked through the configuration options available for Flow Monitoring, let's start monitoring some flows which will include allowed and blocked flows.


 

Enable Flow Monitoring Distributed Firewall rule

The first step that we need to complete is to enable the Distributed Firewall rule that will block communication from web-01a.corp.local (172.16.10.11) to app-01.corp.local (172.16.20.11). This will allow us to test Flow Monitoring and show the difference between an allowed and a blocked flow.

 

Application Rule Manager


Application Rule Manager (ARM) is a new tool that was introduced in NSX 6.3. ARM simplifies the process of microsegmenting an application by creating security groups and firewall rules for existing applications.

Flow Monitoring is used for long-term data collection across the system, while Application Rule Manager is used for targeted modeling of an application.

There are three steps in the Application Rule Manager workflow:

  1. Select the virtual machines (VMs) that form the application and need to be monitored. Once configured, all incoming and outgoing flows for a defined set of vNICs (virtual network interface cards) on the VMs are monitored. There can be up to five sessions collecting flows at a time.
  2. Stop the monitoring to generate the flow tables. The flows are analyzed to reveal the interaction between VMs. The flows can be filtered to bring the flow records down to a limited working set.
  3. Use the flow tables to create grouping objects such as security groups, IP sets, services and service groups, and firewall rules.
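To make the three-step workflow concrete, here is an added example (not the Application Rule Manager's own code or output) that takes a constructed flow table for the lab's web/app/db tiers, reduces it to the working set that touches the application (step 2), and collapses it into security-group-based allow rules with merged services (step 3). The tier inventory, the outside client address and the closing block rule are this example's assumptions, the last being the usual micro-segmentation practice rather than something the lab text states.

```python
from collections import defaultdict

# Hypothetical inventory of the modelled application's VMs, keyed by IP, with
# the tier each belongs to (assumption; names and addresses follow the lab).
APP_VMS = {
    "172.16.10.11": ("web-01a.corp.local", "web"),
    "172.16.10.12": ("web-02a.corp.local", "web"),
    "172.16.20.11": ("app-01a.corp.local", "app"),
    "172.16.30.11": ("db-01a.corp.local", "db"),
}

# Constructed flow records as a monitoring session might return them:
# (src_ip, dst_ip, protocol, dst_port). 192.168.110.10 plays an outside
# client; the 10.0.0.x pair is unrelated traffic that step 2 must filter out.
SESSION_FLOWS = [
    ("192.168.110.10", "172.16.10.11", "TCP", 443),
    ("192.168.110.10", "172.16.10.12", "TCP", 443),
    ("172.16.10.11", "172.16.20.11", "TCP", 8443),
    ("172.16.10.12", "172.16.20.11", "TCP", 8443),
    ("172.16.20.11", "172.16.30.11", "TCP", 3306),
    ("172.16.10.11", "172.16.20.11", "TCP", 8443),
    ("10.0.0.5", "10.0.0.6", "UDP", 53),
]


def filter_working_set(flows, app_vms):
    """Step 2: keep only flows with at least one endpoint in the modelled application."""
    return [f for f in flows if f[0] in app_vms or f[1] in app_vms]


def endpoint_group(ip, app_vms):
    """Map an address to a grouping object: the tier's security group for
    application VMs, or an IP set for endpoints outside the application."""
    if ip in app_vms:
        return "sg-" + app_vms[ip][1]
    return "ipset-" + ip


def build_rules(flows, app_vms):
    """Step 3: one allow rule per (source group, destination group) with the
    observed services merged into a service group, then a closing block rule
    so that anything not observed during the session is denied."""
    services = defaultdict(set)
    evidence = defaultdict(int)
    for src, dst, proto, port in flows:
        key = (endpoint_group(src, app_vms), endpoint_group(dst, app_vms))
        services[key].add(f"{proto}/{port}")
        evidence[key] += 1
    rules = []
    for src_grp, dst_grp in sorted(services):
        rules.append({
            "source": src_grp,
            "destination": dst_grp,
            "services": sorted(services[(src_grp, dst_grp)]),
            "action": "allow",
            "flows_observed": evidence[(src_grp, dst_grp)],
        })
    app_groups = sorted({"sg-" + tier for _, tier in app_vms.values()})
    rules.append({"source": "any", "destination": app_groups, "services": ["any"],
                  "action": "block", "flows_observed": 0})
    return rules


if __name__ == "__main__":
    for rule in build_rules(filter_working_set(SESSION_FLOWS, APP_VMS), APP_VMS):
        print(rule)
```

Each allow rule carries the number of flows that justified it, which is the evidence an operator should review before publishing anything derived from a short monitoring session.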

 

Application Rule Manager Flows

Before we can view flow data for VMs, we need to gather it first. To start gathering, navigate to the Application Rule Manager tab and click Start New Session.

 

Module 3 Conclusion


In this module we showed the various options that can be configured as part of Flow Monitoring, as well as the ability to actually monitor allowed or denied flows to and from a virtual machine's network interface card. Flow Monitoring is very useful in troubleshooting connectivity as well as in helping to lock down an application by only allowing the flows the application requires.


 

You've finished Module 3

Congratulations on completing Module 3.

If you are looking for additional information on Flow Monitoring visit the URL below:

Proceed to any module below which interests you most.

Lab Module List:

 Lab Captain:

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 4 - Traceflow with NSX (30 minutes)

Introduction to improved operational visibility with Traceflow


Traceflow is a feature that improves operational visibility and troubleshooting of NSX within your virtual environment. Traceflow allows you to inject a packet into the vNIC, with no reliance on the guest operating system, and follow it through the various distributed firewall policies all the way through to the destination virtual machine. Traceflow supports both L2 and L3 destinations and allows you to quickly identify problems and pinpoint an issue in the NSX data path.


Traceflow between two Virtual Machines


Within this module we are going to walk you through performing a Traceflow between two virtual machines and analysing the results of successful and blocked packet flows.


 

Accessing the vSphere Web Client

Before we can perform a Traceflow we need to log in to the vSphere Web Client.

 

 

Enable Traceflow Distributed Firewall rule

The first step that we need to complete is to enable the Distributed Firewall rule that will block communication from web-01a.corp.local (172.16.10.11) to web-02a.corp.local (172.16.10.12). This will allow us to perform a Traceflow between the two virtual machines on the same L2 segment.

 

 

Perform a Traceflow

 

  1. Within the Networking & Security tab click on Traceflow.

 

 

Disable Traceflow Distributed Firewall rule

If we now disable the Distributed Firewall rule, allowing communication from web-01a.corp.local (172.16.10.11) to web-02a.corp.local (172.16.10.11), we can perform the Traceflow again and see a successful packet delivery.

 

 

Perform a Traceflow

 

  1. Within the Networking & Security tab click on Traceflow.

 

 

Filtering results

 

  1. You also have the ability to filter the results based on Observation Type, Component Type, Component Name and Host by clicking on the filter icon and selecting the appropriate criteria.
  2. Select the appropriate filter criteria.
  3. Click Apply.

 

Module 4 Conclusion


In this module we showed how to perform a Traceflow between two virtual machines and the expected results from both a successful and a failed delivery attempt. We also showed how additional options could be configured to perform a Traceflow based on ports rather than ICMP, as well as how to filter the response.


 

You've finished Module 4

Congratulations on completing Module 4.

If you are looking for additional information on Traceflow visit the URL below:

Go to https://tinyurl.com/y8dkb4kj

Proceed to any module below which interests you most.

Lab Module List:

 Lab Captain:

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 5 - The NSX Central CLI (15 minutes)

Introduction to Improved Operational Visibility with Central CLI


In this module, you will be exploring Central CLI, which is a tool to assist in operational activities when working with NSX for vSphere.

Prior to Central CLI if an administrator wanted to gain details on constructs such as the NSX Edge Gateways (as well as the services running on them), Distributed Logical Routers, and Logical Switches, they would require console access to one or more of the following:

With Central CLI, one simply accesses the console of the NSX Manager to gain such details, rather than jumping between multiple console/SSH sessions. This provides administrators with a more streamlined path for accessing operational data, and can help speed up the troubleshooting of issues that may occur within an environment where NSX for vSphere is deployed.

Before going into more detail about what those new commands are, and the types of scenarios you will be going through in this module, please proceed to the next step where you will be performing a number of setup steps to get logged into the primary NSX Manager.


 

Setup

You will be performing a number of commands on the primary NSX Manager (nsxmgr-01a.corp.local) via the Windows SSH client PuTTY.

 

 

NSX Centralized CLI Command List

Before continuing, it is worth taking a look at a list of the available commands within NSX Manager.  To do this simply type in the following command at the command prompt:

list

As you can see, there are quite a few new options available for obtaining information from the NSX Manager CLI, including options that used to require an administrator to gain console access to individual NSX Edge Gateways, ESXi Hosts, or NSX Controllers.

  1. You might have to scroll up and down within the PuTTY window to view the entire list of commands.

Please leave this PuTTY window open, and proceed to the next step, where you will start with taking a look at some commands that will help out in troubleshooting VXLAN connectivity.

 

 

Troubleshooting Logical Switches


Prior to Central CLI it was necessary to SSH/console into the NSX Manager, ESXi hosts, and NSX Controllers to get troubleshooting information for constructs like:

In this section, you will be exposed to a number of commands available from the NSX Manager CLI to allow an administrator to gather details regarding the above in one place. Continue to the next step to start gathering details about the vSphere Clusters, ESXi Hosts, and Virtual Machines on matters pertaining to network virtualization.

Note: You may find it useful to increase the width of the PuTTY window, or maximize the size of the window before proceeding as some of the output from the following commands may run over more than one line, which may make it difficult to read.


 

Cluster/Host/VM Details

For the majority of the commands covered in this module, it is necessary to know a specific Host-ID (ESXi host), Domain-ID (vSphere cluster), VM-ID (virtual machine), and/or vNIC-ID (virtual NIC on a virtual machine). The following commands will walk you through how to obtain those values. The specific IDs will be mentioned in the later sections of this module, but this is how one would normally find those identifiers.

 

 

Logical Switch Commands

Next up, you'll be going through the set of options available in the "show logical-switch" command.  Specifically, you'll be going through the following scenarios:

Continue to the next step to learn about how to list all logical switches within the new NSX Manager Central CLI.

 

Troubleshooting Distributed Logical Routers


Next, you will learn about some of the commands available to troubleshoot the distributed logical routers you have deployed in your NSX for vSphere environment. Before we jump into the commands themselves, take a look at the next page to get a refresher on some of the unique identifiers that will be utilized for some of these commands, and what they refer to.  Feel free to come back to that page during the rest of the steps in this section if you want.


 

Reference IDs

As with the logical switch commands, there are a number of unique identifiers to be referenced when running some of the new logical-router commands in the NSX Manager CLI.  These are provided here for ease of reference:

vSphere Clusters

RegionA01-MGMT01 : domain-c121

RegionA01-COMP01 : domain-c26

RegionA01-COMP02 : domain-c265

ESXi Hosts

esx-01a.corp.local : host-29

esx-02a.corp.local : host-31

Virtual Machines

web-01a.corp.local : vm-272

web-02a.corp.local : vm-273

web-03a.corp.local : vm-275

app-01a.corp.local : vm-278

db-01a.corp.local : vm-277

hr-db-01a.corp.local : vm-287

fin-db-01a.corp.local : vm-281

win-xp-01.corp.local : vm-290

 

 

Logical Router Commands

Now that you have a refresher on some of the identifiers for the objects you will be looking at, move on to the next step to learn how to obtain a list of all deployed distributed logical routers.

 

Troubleshooting Edge Service Gateways


Remember when one had to enable SSH or utilize a VMRC session to get access to an Edge Gateway and obtain details about the services running on it?  

Those days are gone; welcome to the age of Central CLI.

This section will go over some of the many options available to the NSX Administrator with regards to the Edge Gateways.  Provided in the next step are a set of Reference IDs for the vSphere clusters, ESXi hosts, and Virtual Machines in the environment for easy reference.  After that, you will jump right in to going over some of the Edge Gateway related commands available in Central CLI located on the NSX Manager.


 

Reference IDs

These are provided here for ease of reference:

vSphere Clusters

RegionA01-MGMT01 : domain-c121

RegionA01-COMP01 : domain-c26

RegionA01-COMP02 : domain-c265

ESXi Hosts

esx-01a.corp.local : host-29

esx-02a.corp.local : host-31

Virtual Machines

web-01a.corp.local : vm-272

web-02a.corp.local : vm-273

web-03a.corp.local : vm-275

app-01a.corp.local : vm-278

db-01a.corp.local : vm-277

hr-db-01a.corp.local : vm-287

fin-db-01a.corp.local : vm-281

win-xp-01.corp.local : vm-290

 

 

NSX Edge Gateway Commands

As mentioned before, feel free to come back to the Reference IDs section if you happen to forget how to obtain any of the unique identifiers for objects like clusters, hosts, or VMs. Next up, you'll learn how to obtain a list of all deployed NSX Edge Gateways in an environment.

 

Troubleshooting Distributed Firewall


In this last section of the module for exploring Central CLI, you'll be looking at some of the commands available to deal with the Distributed Firewall (DFW).  As in previous sections, the next step will include a list of Reference IDs for objects such as vSphere clusters, ESXi Hosts, and VMs for quick reference.


 

Reference IDs

These are provided here for ease of reference:

vSphere Clusters

RegionA01-MGMT01 : domain-c121

RegionA01-COMP01 : domain-c26

RegionA01-COMP02 : domain-c265

ESXi Hosts

esx-01a.corp.local : host-29

esx-02a.corp.local : host-31

Virtual Machines

web-01a.corp.local : vm-272

web-02a.corp.local : vm-273

web-03a.corp.local : vm-275

app-01a.corp.local : vm-278

db-01a.corp.local : vm-277

hr-db-01a.corp.local : vm-287

fin-db-01a.corp.local : vm-281

win-xp-01.corp.local : vm-290

 

 

Accessing the vSphere Web Client

Before we can view Distributed Firewall rules via Central CLI we need to enable a rule.

 

 

Enable Traceflow Distributed Firewall rule

The first step that we need to complete is to enable the Distributed Firewall rule that will block communication from web-01a.corp.local (172.16.10.11) to web-02a.corp.local (172.16.10.11). This will allow us to see the rule actually pushed down to the hypervisor and applied to web-01a.corp.local, where it will be visible in Central CLI.

 

 

Distributed Firewall Commands

Next you will learn how to show the current status of the Distributed Firewall on all vSphere clusters managed by a particular NSX Manager.

 

Module 5 Conclusion


In this module we showed how to use the Central CLI commands available within NSX Manager to gather information and help troubleshoot your environment from a single interface. We covered gathering information from Logical Switches, Distributed Logical Routers and Edge Service Gateways, as well as the Distributed Firewall.


 

You've finished Module 5

Congratulations on completing Module 5.

If you are looking for additional information on Central CLI visit the URL below:

Go to https://tinyurl.com/y9ezapa9

Proceed to any module below which interests you most.

Lab Module List:

 Lab Captain:

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 6 - Endpoint Monitoring with NSX (15 minutes)

Introduction


In this module we will be discussing Endpoint Monitoring, a new feature that was introduced in NSX 6.3.

Endpoint Monitoring enables you to profile applications inside the guest including visibility into specific application processes and their associated network connections. Used together, you have end-to-end visibility of your applications and simplified firewall rule creation to help operationalize micro-segmentation even faster and more effectively than ever before.


 

How does it work?

Endpoint profiling is done via the existing Server Activity Monitoring. The resultant static analysis of processes making network connections is reported in the UI.

A security group can be selected for monitoring. After profiling, users can see a list of:

- Details of each process running on each VM

- VM-to-VM communication

- Process-to-process communication

You can also see a visual representation of the VMs and security groups:

- Intra- and inter-security-group communication

Users can sort and filter VM-specific flows versus application-specific flows.

 

 

Scalability

 

 

Requirements

 

 

Interoperability

 

Endpoint Monitoring Data Collection


 

The application owner provides a set of VMs (maximum 20) that is a representative state of its application for profiling. The profiling is done via the existing Server Activity Monitoring. The resultant static analysis of processes in the guest making network connections is then processed by NSX Manager and reported in the UI.

Server Activity Monitoring has to be enabled for this feature. This implies that VMware Tools (with the file and network drivers) and the Guest Introspection service are deployed.

The user will have to deploy the Guest Introspection service on the clusters where the applications are deployed, and deploy VMware Tools with the file and network drivers enabled in the virtual machines.


 

Prerequisites

  1. Guest Introspection must be installed on the virtual machines (VMs).
  2. VMware Tools must be running and current on your Windows desktop VMs.
  3. Security Groups with 20 or fewer VMs are needed for data collection before Endpoint Monitoring can begin.
  4. Data collection must be enabled for one or more virtual machines on a vCenter Server before running an Endpoint Monitoring report. Before running a report, ensure that the enabled virtual machines are active and are generating network traffic.

 

 

1. Deploy Guest Introspection

 

  1. Click Home icon.
  2. Click Networking & Security.

 

  1. Select Installation.
  2. Select Service Deployments tab.
  3. Click + icon to deploy Guest Introspection.

 

 

Guest Introspection deployment wizard

 

  1. Select Guest Introspection service.
  2. Click Next.

 

  1. Select RegionA01-COMP01.
  2. Click Next.

 

  1. Leave default values.
  2. Click Next

 

 

Starting Data Collection

 

  1. Click Finish.

Wait a few minutes for the installation to complete and then confirm successful installation to the cluster.

 

 

 

Verify Guest Introspection installation on hosts

 

  1. Click Home icon.
  2. Click Hosts and Clusters.

 

  1. Expand the RegionA01-COMP1 folder.
  2. Expand the ESX Agents folder
  3. Verify both Guest Introspection VMs are operational and deployed on each host.
  4. Verify both VMs have an IP address assigned.

 

 

2. Install VMware Tools

VMware Tools must be installed on the VM that is being monitored with Endpoint Monitoring. To ensure all required filter drivers are installed, perform a complete install. This should already be done for you, but in this lab we will show you how to do it.

 

  1. Select win-xp-01.corp.local.

 

  1. Select Update VMware Tools.
  2. Select Interactive Upgrade.
  3. Click Upgrade.

 

  1. Launch remote console.

 

  1. Log in with username administrator and password VMware1!.
  2. Click OK.

 

 

Installing VMware Tools

 

  1. Click Next.

 

Choose the Complete installation option to ensure all the required drivers are installed.

After installation finishes, click Yes to restart the VM.

 

 

3. Create Security Group

We need to create a Security Group and a firewall rule to allow win-xp-01.corp.local to communicate.

 

  1. Using vSphere web client, go to NSX home and then click on Service Composer.
  2. Select Security Groups tab.
  3. Click on new Security Group icon

 

 

Create a new security group using the following characteristics:

 

 

4. Add Firewall Rule

 

  1. Click on Firewall.
  2. Right - click the arrow and choose Add section.

 

  1. Add a new section above and name it: Endpoint FW rules.
  2. Click Add a new section above section and name it Endpoint

 

Click the + icon to add a new rule.

 

  1. Click Endpoint Monitoring.
  2. Click Summary.
  3. Click Start Collecting Data.

 

 

Adding a new rule to the newly created FW section

 

Add a rule in the new section with the following parameters:

You can edit the value for each column by clicking on the pencil in the top right corner.

  1. Name: Allow win-xp
  2. Source: Endpoint - Windows XP (security group)
  3. Destination: any
  4. Service: any
  5. Action: Allow
  6. Applied To: win-xp-01.corp.local (virtual machine)
  7. Click Publish Changes.

 

Verify the new firewall rule has been published.

 

 

Begin Endpoint monitoring

Now that we have installed VMware tools and deployed Guest Introspection, we can start Endpoint Monitoring.

 

  1. Using vSphere web client, go to NSX home and then click Endpoint Monitoring.
  2. Click Start Collecting Data on the top right of the screen and choose Add section.

 

  1. Click Select your security group here.
  2. Select Endpoint - Windows XP.
  3. Click OK.
  4. Switch Data Collection to ON.
  5. Click OK.

 

 

Generating traffic on the monitored VM

 

Generate some network traffic by opening a few applications on win-xp-01.corp.local.

Using vSphere web client, go to Hosts and Clusters, select win-xp-01.corp.local and click Launch Remote Console.

  1. Log in with username corp\Administrator and password VMware1!.
  2. Perform the following steps inside the RDP session to generate some flows. You can also use any other application/destination of choice if you prefer.
  3. Open a console window and type ftp ftpsite.vmware.com to initiate an FTP connection. No need to log in.
  4. Open a Putty window and open an SSH session to 172.16.60.20
  5. Open Firefox and open the 3-tier App http://172.16.60.20

 

 

View Endpoint Monitoring Results

 

Now we can look at the discovered flows and the process-to-flow mapping in Endpoint Monitoring.

  1. Using vSphere web client, go to NSX home and then click Endpoint Monitoring
  2. Click Stop Collecting Data on the top right of the screen and confirm you want to stop the collection process.
  3. In the summary page, you should see that 1 VM is running, and that a number of processes are generating a larger number of flows.
  4. Click on the VM flows tab, which represents the VMs that are communicating. The bubble chart shows the win-xp-01.corp.local VM has initiated flows with a few destinations. Click on the Line in between the bubbles to find the flows that you generated in the previous step.

 

 

 

 

Process flows

 

Now click on the Process flows tab, which shows each process that is generating flows, along with process and flow details.

Verify the Process Version information that is displayed matches with the version of that application (Putty, Firefox) on the VM. Go back to the Remote Console to verify this.

 

Click the line in between the bubbles to confirm the flow information matches the flows that you generated in the previous step for each application.

 

 

 

Lab end

You have now completed the overview lab on Endpoint monitoring. Thank you for taking the time to go through the lab.

 

Module 6 Conclusion


In this module we gave an overview of Endpoint Monitoring. We provided a high-level description of how it works, went through the prerequisites and configured an example. Endpoint Monitoring enables you to profile applications inside the guest, including visibility into specific application processes and their associated network connections.


 

You've finished Module 6

Congratulations on completing Module 6.

If you are looking for additional information on Flow Monitoring visit the URL below:

Proceed to any module below which interests you most.

Lab Module List:

 Lab Captain:

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1803-03-NET

Version: 20180215-205108