Author Archives: admin


Project Clarity – Learning to build an Angular JS App

I always wanted to learn more about Angular and I thought Project Clarity would be a great way to start. A couple of months back I tried to install npm; it failed, and I did not bother to look into it, partly because I was busy with other things.

For the last couple of weeks I have been putting vSphere Integrated Containers (VIC) into my lab to prepare myself before going to a customer site for a VIC + NSX POC. I was thinking, since there is a quick way of spinning up containers, why not spin one up to try Clarity? I was also triggered by a Twitter post by Grant Orchard saying that it is very easy to start. I have also been reading Cody's posts on the Amazon Echo and vSphere application he built using Clarity. Here we go.


I was pointed to https://vmware.github.io/clarity/get-started. As you can see below, it is really brief. I already know how to install git, but I have totally no clue about npm.

[screenshot of the Clarity get-started page]

A little Google research on npm and the Node.js runtime it comes with. Alright, cool!

[screenshot]

So I reckon I need a Linux container to start with. CentOS, being closest to RHEL, would be a good bet. That was after I failed with the nimmis/apache-php5 image.

[screenshot of the failed attempt]

Now I tried the centos image.

docker -H 192.168.120.127:2376 --tls run --name test12 --net=external01 -it centos /bin/bash

Everything looks OK until…

[screenshot]

So far, these are the steps I took:

1) yum install git
2) yum install -y gcc-c++ make
3) curl -sL https://rpm.nodesource.com/setup_6.x | bash -
   (from https://www.e2enetworks.com/help/knowledge-base/how-to-install-node-js-and-npm-on-centos/; note that this runs a script fetched over the network as root without looking at it first)
4) yum install -y nodejs
5) git clone https://github.com/vmware/clarity-seed.git
6) npm install [This failed! You need to run it inside the clarity-seed folder!!]
7) cd clarity-seed
8) npm install [until I hit an error]

The npm installation takes a while, but I was thinking that if it succeeded I should commit this image into my Harbor registry. I was disappointed that the build did not succeed.

[Update]
OK, after some more Googling, it turned out to be bzip2 related. Install bzip2 after step 7 (stay inside the clarity-seed folder, otherwise npm install fails again) and then run step 8 again:
yum install -y bzip2
npm install

Some warnings, but let's see.

[screenshot]

BOOM! My first Clarity App successfully running!

[screenshot]

OK. It still doesn't work, because ng serve listens on localhost only. Open package.json and add the host to the start script, ng serve --host 10.10.12.5, so that it listens on an address reachable from outside the container.

Happiness, successfully deployed my first Clarity App!

[screenshot]
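As an added example (not code from the original post or from the Clarity project), here is the same sequence as a script to run inside a fresh centos container, in the order that actually works: bzip2 is installed before npm install, and the NodeSource setup script is saved to disk and only executed as root once its SHA-256 matches a value you recorded after reading it, rather than being piped from curl straight into bash. The pinned hash, the use of hostname -I to pick the container's address, and the path of the ng binary inside clarity-seed are assumptions.

```shell
#!/bin/bash
# Scripted version of the steps above for a fresh centos container.
# Added example for this post; not from the original post or the Clarity project.
# Flow: "fetch" downloads the NodeSource setup script for review,
# "install" refuses to run it unless its SHA-256 matches NODESOURCE_SHA256,
# then installs the toolchain and runs npm install inside clarity-seed,
# and "serve" starts ng serve bound to the container's address.
set -e

NODESOURCE_URL="https://rpm.nodesource.com/setup_6.x"
SETUP_SCRIPT="/tmp/nodesource_setup_6.x.sh"
SEED_REPO="https://github.com/vmware/clarity-seed.git"
# Assumption: set this to the hash you computed after reading the script once.
NODESOURCE_SHA256="${NODESOURCE_SHA256:-}"

# Return 0 only if FILE hashes to EXPECTED (lower-case hex SHA-256);
# an empty EXPECTED never matches, so an unpinned script is never run.
verify_sha256() {  # usage: verify_sha256 FILE EXPECTED
    local actual
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# Download the setup script to disk and print the hash to pin, instead of
# piping it into bash unseen.
fetch_setup_script() {
    curl -fsSL -o "$SETUP_SCRIPT" "$NODESOURCE_URL"
    echo "saved $SETUP_SCRIPT; review it, then: export NODESOURCE_SHA256=$(sha256sum "$SETUP_SCRIPT" | awk '{print $1}')"
}

install_toolchain() {
    yum install -y git gcc-c++ make bzip2      # bzip2 before npm install, per the update above
    [ -f "$SETUP_SCRIPT" ] || fetch_setup_script
    if ! verify_sha256 "$SETUP_SCRIPT" "$NODESOURCE_SHA256"; then
        echo "refusing to run $SETUP_SCRIPT: hash does not match NODESOURCE_SHA256" >&2
        return 1
    fi
    bash "$SETUP_SCRIPT"                         # adds the NodeSource yum repo
    yum install -y nodejs
}

build_seed() {
    [ -d clarity-seed ] || git clone "$SEED_REPO"
    cd clarity-seed                              # npm install must run inside the clone
    npm install
}

serve_app() {
    # Assumption: the first address from hostname -I is the one reachable from outside.
    local host="${SERVE_HOST:-$(hostname -I | awk '{print $1}')}"
    cd clarity-seed
    ./node_modules/.bin/ng serve --host "$host"  # same effect as editing the start script
}

case "${1:-}" in
    fetch)   fetch_setup_script ;;
    install) install_toolchain && build_seed ;;
    serve)   serve_app ;;
esac
```

Run `bash clarity-setup.sh fetch`, read /tmp/nodesource_setup_6.x.sh, export the printed hash, then `bash clarity-setup.sh install` and `bash clarity-setup.sh serve`. If NodeSource changes the script the hash check fails and install stops, which is the point: you get to look at what changed before it runs as root.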

PowerShell script to customise drivers into ESXi

The Supermicro E300 needs the ixgbe driver for its 10GbE NICs, which the standard ESXi ISO does not include, so I had to build a custom ESXi ISO.

The ixgbe 4.5.1 driver came from Paul Braren's TinkerTry blog: https://tinkertry.com/how-to-install-intel-x552-vib-on-esxi-6-on-superserver-5028d-tn4t.

Download here.

The PowerShell script is ESXi-Customizer-PS from https://www.v-front.de/p/esxi-customizer-ps.html

These are the commands used, one run per ESXi offline bundle, with the ixgbe VIB placed in E:\pkg, the directory that -pkgDir adds packages from:

PowerCLI C:\> C:\Users\Administrator\Downloads\ESXi-Customizer-PS-v2.5.ps1 -izip C:\Users\Administrator\Downloads\update-from-esxi6.0-6.0_update03.zip -pkgDir E:\pkg

PowerCLI C:\> C:\Users\Administrator\Downloads\ESXi-Customizer-PS-v2.5.ps1 -izip C:\Users\Administrator\Downloads\ESXi650-201704001.zip -pkgDir E:\pkg

[screenshot of the script run]

You must be wondering why I can't just add the driver after installation. I wanted to PXE boot the ESXi installer, and the only NICs on the E300 that support PXE boot are the 10GbE ones, so the installer itself needs the ixgbe driver to see the network. That is why I had to build the driver into the ISO.


VMware VIC – vSphere Integrated Containers Testing

Recently, partly due to my own interest and partly due to work requirements, I wanted to test out VIC. You can read more about VIC here: https://vmware.github.io/vic-product/.

Below is a screenshot showing that I successfully deployed a vSphere Container Host (VCH). I wasn't successful the first time I tried to set it up just by reading the GitHub documentation. Ben Corrie released an updated VIC 1.1 installation video, which helped me a lot, and I deployed the VCH successfully after following the steps in his video. You can watch the video here: https://www.youtube.com/watch?v=7WRFhJLZHJI

[screenshots of the deployed VCH]

Here are some of the steps I took to create the environment. I also want to use this post as a guide listing the docker commands I used, so that I can refer to this page when I need it in a POC or when showing a demo.

Deploying VCH

vic-machine-windows.exe update firewall --target vcenter01.acepod.com --user administrator@vsphere.local --password ****** --compute-resource Cluster03-ComputeA --thumbprint 94:0D:18:EB:93:8B:50:C2:3D:1A:56:BB:9F:10:39:29:C2:4C:58:92 --allow

vic-machine-windows.exe create --target vcenter01.acepod.com --user administrator@vsphere.local --password ****** --name VCH01 --public-network "VLAN193-External03" --public-network-ip 192.168.191.38/29 --public-network-gateway 192.168.191.33 --bridge-network vxw-dvs-80-universalwire-127-sid-8021-VIC-Bridge01 --bridge-network-range "10.11.0.0/16" --dns-server 10.206.1.10 --tls-cname=*.acepod.com --no-tlsverify --compute-resource Cluster03-ComputeA --thumbprint 94:0D:18:EB:93:8B:50:C2:3D:1A:56:BB:9F:10:39:29:C2:4C:58:92 --image-store ds-xpe01-nfs02

A note on --no-tlsverify: the VCH still serves its Docker API over TLS on port 2376, but client certificate verification is switched off, so any client that can reach that port can drive the VCH. That is fine for a lab; for anything else, drop the flag (keeping --tls-cname) and vic-machine generates the client certificates the docker client then has to present.

Containers Creation and Management

To start a container and attach to its console:
docker -H 192.168.191.38:2376 --tls run --name test3 -it busybox

To list the containers on the host, including stopped ones:
docker -H 192.168.191.38:2376 --tls ps -a

To detach from a container without shutting it down:
Ctrl+P, Q (still holding Ctrl)

To attach back to a running container:
docker -H 192.168.191.38:2376 --tls attach test3

To delete the container:
docker -H 192.168.191.38:2376 --tls rm test3

To start a stopped container:
docker -H 192.168.191.38:2376 --tls start test3

Some other useful commands:
To list the networks:
docker -H 192.168.191.38:2376 --tls network ls

To list the volumes:
docker -H 192.168.191.38:2376 --tls volume ls

Note that --tls only turns TLS on; the client does not verify the certificate the VCH presents. --tlsverify does, using the CA given with --tlscacert or found in DOCKER_CERT_PATH.
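Two helpers for the commands above, as an added example that is not part of the original post or of the VIC project: tls_thumbprint reads the SHA-1 thumbprint straight from the certificate vCenter presents, so the value for --thumbprint comes from the live endpoint instead of being typed by hand, and use_vch puts the VCH endpoint into the docker client's environment variables so -H and --tls are not repeated on every command, with DOCKER_TLS_VERIFY=1 so the client verifies the VCH. The certificate directory is an assumption: vic-machine only writes ca.pem, cert.pem and key.pem when the VCH is created without --no-tlsverify.

```shell
#!/bin/bash
# Helpers for driving a VCH from bash. Example added for this post; not part
# of the original post or of the VIC project. Hosts, ports and paths are
# assumptions taken from the commands above.
set -e

# Strip the "SHA1 Fingerprint=" label that openssl x509 prints (older and
# newer openssl differ in case) and upper-case the hex so the value matches
# the colon-separated form vic-machine --thumbprint expects.
fingerprint_value() {
    sed -n 's/^.*[Ff]ingerprint=//p' | tr 'a-f' 'A-F'
}

# Print the SHA-1 thumbprint of the certificate an endpoint presents.
tls_thumbprint() {  # usage: tls_thumbprint vcenter01.acepod.com [443]
    local host="$1" port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 \
        | fingerprint_value
}

# Compare a live endpoint's thumbprint with the one you expect; non-zero on
# mismatch, so a script can stop before handing credentials to a stranger.
check_thumbprint() {  # usage: check_thumbprint host port EXPECTED
    [ "$(tls_thumbprint "$1" "$2")" = "$3" ]
}

# Point the docker client at the VCH through environment variables.
# DOCKER_TLS_VERIFY=1 makes the client check the VCH server certificate
# against ca.pem in DOCKER_CERT_PATH and present cert.pem/key.pem, which
# only exist when the VCH was created without --no-tlsverify (assumption:
# vic-machine wrote them into a directory named after the VCH).
use_vch() {  # usage: use_vch 192.168.191.38 ./VCH01
    export DOCKER_HOST="tcp://$1:2376"
    export DOCKER_CERT_PATH="$2"
    export DOCKER_TLS_VERIFY=1
}

# After use_vch, the commands from the post shrink to, for example:
#   docker run --name test3 -it busybox
#   docker ps -a
#   docker network ls
```

Source the file in your shell (`. vch-helpers.sh`), then `tls_thumbprint vcenter01.acepod.com` gives the value to paste into --thumbprint, and `use_vch 192.168.191.38 ./VCH01` sets up the session for plain docker commands.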


VMs Security Tags during Disaster Recovery

If you use VM Security Tags for Security Group membership, those tags are not applied to the recovered VMs on the recovery site.

On the protected site.

[screenshot]

After using SRM for a planned migration or during a disaster recovery.

[screenshot]

I have created the same Security Tags on both the NSX Managers.

Primary NSX Manager: [screenshot]

Secondary NSX Manager: [screenshot]

Please let me know if you have any solution.


How should I connect NSX Edges to Firewalls?

In most NSX design documents, the NSX ESG (Edge Services Gateway) is connected to physical routers: usually the border leaf in a Spine-Leaf architecture, or the core switches in a 3-tier architecture. Below are some examples.
Reference: NSX Design Guide
[diagrams from the NSX Design Guide]

In certain scenarios the above might not be the case, especially when existing 2- or 3-tier firewalls are in place and you cannot change the architecture. There are also instances where you have a combined compute-edge or management-edge cluster and the Top of Rack (ToR) switches are the only switches the NSX Edges can connect to. The ESXi management VLAN SVI and the external VLAN SVIs for the NSX uplinks then all terminate on the same ToR, which means they can route to each other.

[diagram]

Normally there is a perimeter firewall, either Internet-facing or internal, which can prevent this inter-SVI routing if the external VLAN SVIs are terminated on the perimeter firewall instead of the ToR. Voilà! But don't be too happy yet, because, back to my first point, there is not much documentation out there explaining how to do that. That is the rationale for this post!

[diagram]

Personally, from my customer engagements, the majority of the time I have to design the NSX ESG connecting to firewalls.

Let's list down all the considerations and options.

Availability
I would assume firewalls are deployed in pairs for high availability and for maintenance purposes. Most vendors support both Active/Standby and Active/Active. Most of the deployments I have seen were Active/Standby, as the traffic flow is more deterministic and easier to troubleshoot.

NSX Edges can be deployed in Edge-HA mode or in ECMP mode. The major difference is stateful services: Edge-HA supports stateful services like NAT, Firewall and Load Balancer, while ECMP mode does routing only.

Performance
Firewalls in Active/Active mode would definitely have better performance than Active/Standby, as both physical firewall appliances process traffic.

NSX Edge ECMP mode supports up to 8 Edges, so if performance is the requirement, ECMP NSX Edges would be the choice.

Manageability
From my knowledge, some firewall vendors can cluster up to 8 firewalls in Active/Active. Active/Active firewalls would be more scalable, but given the difficulty of operating this kind of deployment, I doubt there are many of them. I still think the Active/Standby firewall model is more manageable.

NSX Edge-HA is just a checkbox you select during deployment, while NSX ECMP Edges have to be configured one by one. In terms of manageability, NSX Edge-HA is easier.

NSX Edge-HA also lets you configure any stateful service without redeploying the NSX Edges.

Recoverability
Active/Active firewalls have a smaller impact on traffic during a failure than Active/Standby firewalls, where all the traffic has to be redirected from one appliance to the other.

NSX Edge-HA failover from the Active Edge to the Standby Edge takes about 15 seconds. My colleague Kian Wah would say 22 seconds because he tested it. NSX ECMP failover takes about 3-4 seconds, depending on the routing protocol timers you configure.

Security
Nothing much to consider here for the security aspects.

Possible Options
1) Active/Standby Firewalls with NSX Edge-HA
2) Active/Standby Firewalls with NSX Edge-ECMP
3) Active/Active Firewalls with NSX Edge-HA
4) Active/Active Firewalls with NSX Edge-ECMP

Decision on what to Test
I would like to test all the above scenarios if I have the time. Let's pick one option to test, which hopefully meets 80% of the scenarios. I usually don't have requirements for Active/Active firewalls, so I will rule out Options 3 and 4.

The major design quality that separates Options 1 and 2 is performance. If you require more than 10Gbps, Option 2 would be the way to go. Again, I seldom see customer requirements with 10Gbps of North-South traffic. Let's explore Option 1 further.

Additional note on Option 2: I'm not sure whether this option even makes sense. I have to revisit it, or probably test it out. For now, the focus will be on Option 1.

Routing Protocols
Most firewall vendors support static routing, OSPFv2 and BGP, and the NSX Edge supports the same. NSX Edge ECMP logically requires OSPF or BGP to do ECMP.

Possible Options with Routing Protocol
1) Active/Standby Firewalls with NSX Edge-HA using static routing
[diagram]

2) Active/Standby Firewalls with NSX Edge-HA using OSPF
[diagram]

3) Active/Standby Firewalls with NSX Edge-HA using BGP
[diagram]

Decision on what to Test and Goal
I will test all 3 scenarios because I am not sure what the behaviour will be. The goal of these tests is to provide a basis for future design decisions and some recommendations for my customers.

I foresee this will take a while to test and document, so I decided to break it up into 3 parts.

1) Active/Standby Firewalls with NSX Edge-HA using static routing (Part 1) [Not Done]
2) Active/Standby Firewalls with NSX Edge-HA using OSPF (Part 2)
3) Active/Standby Firewalls with NSX Edge-HA using BGP (Part 3) [Not Done]

Firewall vendors
I will probably have access to Cisco ASA and Check Point VE appliances. High availability works in much the same way on most firewalls, so I guess these two brands suffice to represent the rest.

Test cases
1) Ping test to make sure everything is working
2) Failover test: fail the active firewall and measure how long the failover takes
3) Failover test: fail the active NSX ESG in Edge-HA and measure how long the failover takes
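For test cases 2 and 3, here is an added example (not from the original post) of a small bash timer that measures the failover from the client's point of view: it probes an address behind the firewall and ESG at a fixed interval, logs the time of every reply, and afterwards reports the longest gap between replies, which is the outage the failover caused. The target address and the probe interval are assumptions for a lab.

```shell
#!/bin/bash
# Outage timer for the failover test cases. Example added for this post; not
# from the original. "probe" logs the time of every successful ping reply,
# "report" reads that log and prints the longest gap between replies, i.e.
# the measured failover time, together with when the gap began.
set -e

TARGET="${TARGET:-192.168.191.33}"   # assumption: an address reached through the ESG and firewall
INTERVAL="${INTERVAL:-0.2}"         # seconds between probes

# Print the epoch time (fractional seconds, Linux date) of each reply.
# Start it before the failover and stop it with Ctrl-C once traffic is back.
probe_loop() {
    while :; do
        if ping -c 1 -W 1 "$TARGET" >/dev/null 2>&1; then
            date +%s.%N
        fi
        sleep "$INTERVAL"
    done
}

# Read reply timestamps from stdin and print "<gap-seconds> <gap-start>" for
# the longest gap; "0.00 -" when there was no gap to measure.
longest_gap() {
    awk 'NR > 1 { gap = $1 - prev; if (gap > max) { max = gap; at = prev } }
         { prev = $1 }
         END { printf "%.2f %s\n", max + 0, (at == "" ? "-" : at) }'
}

case "${1:-}" in
    probe)  probe_loop ;;
    report) longest_gap < "${2:?usage: $0 report replies.log}" ;;
esac
```

Run `bash failover-timer.sh probe > replies.log` before failing the active firewall or Edge, stop it once traffic has recovered, then `bash failover-timer.sh report replies.log` prints the outage in seconds and the time it began. Because a failed probe waits up to the 1 s ping timeout before the next one is sent, the result is only good to roughly the timeout plus the interval, about a second, which is enough to tell a 3-4 second ECMP reconvergence from a 15-22 second Edge-HA failover.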

To be continued…


TWO new VMware NSX Offerings – Now Part of VMUG Advantage!

NSX is included in EVALExperience!

Enjoy exclusive access to 365-day evaluation licenses for the following VMware solutions:

  • VMware NSX Enterprise Edition – NEW!
  • VMware vCenter Server Standard for vSphere 6.5
  • VMware vSphere with Operations Management Enterprise Plus v6.5
  • VMware vSAN
  • VMware vCloud Suite Standard
  • VMware vRealize Orchestrator
  • VMware vRealize Operations 6 Enterprise
  • VMware vRealize Log Insight
  • VMware vRealize Operations for Horizon
  • VMware Horizon Advanced Edition
  • VMware Workstation Pro 12.5 & VMware Fusion Pro 8.5

 

Looking to get your NSX Certification?

Look no further, VMUG Advantage has teamed up with VMware NSX to offer an exclusive training package to help you earn your VCP-NV.  Purchasing similar products individually would cost over $4,000. Follow along with the NSX Learning Path.

NSX Training & Certification Package: Exclusive Price $1,995 (offer valid until June 30th, 2017).

  • VMware NSX: Install, Configure, Manage [V6.2] – On Demand Content
  • VMware NSX: Install, Configure, Manage [V6.2] – On Demand Lab
  • VMware vSphere 6 Foundations Exam Voucher
  • VMware Certification Exam Prep: VCP6 – Network Virtualization Exam v6.2
  • VMware Certification Exam Prep: vSphere 6 Foundations Exam

Learn more about VMUG Advantage today!