vrandom yet another random IT blog

NSX Python - Part 1 - Introduction and Preparation

Overview

In this series of articles we will configure our NSX environment so that it can support a number of isolated test environments, which we will dynamically deploy using our Python script. The end script will be idempotent, meaning it can be run multiple times and will converge on the same state each time without doing any harm. In this post we prepare our lab with a Perimeter Edge device, a Distributed Logical Router and a couple of Logical Networks.

Environment Preparation

Before we start writing any scripts we need to ensure some supporting NSX infrastructure is available. You should have an NSX lab configured with VXLAN and fully working before commencing with the below.

We are aiming to create the networking structure shown in the diagram below (you can of course change the IP scheme as required):

[image: network overview diagram]

We haven’t detailed the ‘pod’ networking yet; we are concentrating on the supporting services at this point and will cover the pod networking in a later post.

We need to deploy (or configure if you already have them) the below devices:

  1. Edge Services Gateway - This will provide our connectivity onto the physical network. It’s not strictly required, as we could connect the DLR to VLANs directly; however we’re here to play with NSX, and you can never have enough Edges!
  2. Distributed Logical Router - This will provide connectivity between our Perimeter Edge Gateway, and the Edge devices we will deploy with each pod.
  3. A Perimeter Logical Switch - To provide connectivity between the above two devices
  4. A Pod Transit Logical Switch - The network the per-pod Edges will attach to in Part 2; we create it now alongside the perimeter switch

Logical Switches

First let’s create the Logical Switches we will require:

[image: logical switches - perimeter inside]
[image: logical switches - pod transit]

We should now have two logical switches defined, similar to the below (ignore ‘lab2’, that’s for another project):

[image: logical switches - pod transit]

Now deploy an Edge Services Gateway and a Distributed Logical Router. When deploying the DLR, do select “Deploy Edge Appliance”, as we will be configuring routing later on, and enable SSH access to both devices (fine for a lab; on anything shared, restrict which hosts can reach the management addresses). As they are deployed, connect them to the correct Logical Networks using our network design as a reference. When you have completed this, the interfaces on your ESG and DLR should look like this:

Edge Services Gateway:

[image: esg interfaces]

Distributed Logical Router:

[image: dlr interfaces]

Check connectivity

Let’s SSH onto the ESG and check we have connectivity to the DLR:

[alex@web01 ~]$ ssh admin@10.30.20.5

***************************************************************************
NOTICE TO USERS


This computer system is the private property of its owner, whether
individual, corporate or government.  It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials.  Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.

****************************************************************************
admin@10.30.20.5's password: 
Last login: Tue Feb  2 12:31:11 GMT 2016 from web01.lab.vrandom.com on pts/0
Name:                 vShield Edge
Version:              6.1.3
Build number:         2578756
Kernel:               3.2.31

edge01.lab.vrandom.com-0> ping 10.30.25.10
PING 10.30.25.10 (10.30.25.10) 56(84) bytes of data.
64 bytes from 10.30.25.10: icmp_seq=1 ttl=64 time=2.51 ms
64 bytes from 10.30.25.10: icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from 10.30.25.10: icmp_seq=3 ttl=64 time=0.222 ms
^C
--- 10.30.25.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.222/0.991/2.514/1.077 ms


Firewall & NAT Rules

Connectivity between the DLR and the Perimeter Edge looks okay. Let’s ensure the ruleset on both devices allows the traffic, and configure NAT on the Perimeter Edge.

Distributed Logical Router:

Either change the default rule to Accept, or (preferably, since a default Accept means the DLR filters nothing at all) add a specific rule for the perimeter network (10.30.25.0/24 in my diagram):

[image: dlr rules]

Perimeter Edge Services Gateway:

Again, ensure a firewall rule allows traffic out, as we did with the DLR:

[image: esg rules]

Then we will add a SNAT rule. This rewrites the source address of matching traffic so that when it leaves the Perimeter Edge it appears to come from the ESG’s uplink address (10.30.20.5 in my instance). The physical network then only ever sees that one address, which is convenient here, but it also means anything logged upstream will show the ESG rather than the real source.

[image: esg nat]
[image: esg nat]

Routing

Finally we need to ensure the DLR knows how to route traffic to the rest of the network. To do this we configure the DLR’s default gateway to be the IP address of the Perimeter Edge Gateway on the perimeter-inside segment:

[image: dlr gw]
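The accept rules, the SNAT rule and the DLR’s default gateway configured above are the same settings the Part 2 script will have to apply, and applying them idempotently (as promised in the overview) means reading the current state before changing anything and only touching what differs. The following is an added example written for this page, not the author’s script and not an NSX API client: the ESG and DLR are modelled as in-memory objects so it runs offline, and the rule name, the ESG’s address on the perimeter-inside segment (10.30.25.1) and the choice of the perimeter network as the SNAT source range are assumptions the post does not state.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Addresses from the diagram and text above. ESG_INSIDE_IP is an ASSUMPTION
# (the post does not give the ESG's address on perimeter-inside), and so is
# using the perimeter network as the SNAT source range.
PERIMETER_NET = "10.30.25.0/24"
ESG_UPLINK_IP = "10.30.20.5"
ESG_INSIDE_IP = "10.30.25.1"  # assumed


@dataclass
class Device:
    """In-memory stand-in for an ESG or DLR holding the settings this post
    configures. A real implementation would read and write these through
    the NSX Manager API instead of plain lists."""
    name: str
    firewall: List[dict] = field(default_factory=list)
    snat: List[dict] = field(default_factory=list)
    default_gateway: Optional[str] = None


def ensure_firewall_accept(dev: Device, name: str, source: str) -> Optional[str]:
    """Make sure an accept rule called `name` for `source` exists. Rules are
    keyed by name: missing -> add, present but different -> update in place,
    identical -> no-op. Returns a description of the change, or None."""
    ip_network(source)  # reject a malformed prefix before touching the device
    wanted = {"name": name, "source": source, "action": "accept"}
    existing = next((r for r in dev.firewall if r["name"] == name), None)
    if existing == wanted:
        return None
    if existing is None:
        dev.firewall.append(wanted)
        return f"{dev.name}: added firewall rule {name}"
    existing.update(wanted)
    return f"{dev.name}: updated firewall rule {name}"


def ensure_snat(dev: Device, original: str, translated: str) -> Optional[str]:
    """Make sure traffic from the `original` network is SNATed to the
    `translated` address; add the rule only if it is not already there."""
    ip_network(original)
    ip_address(translated)
    rule = {"original": original, "translated": translated}
    if rule in dev.snat:
        return None
    dev.snat.append(rule)
    return f"{dev.name}: added SNAT {original} -> {translated}"


def ensure_default_gateway(dev: Device, gateway: str, segment: str) -> Optional[str]:
    """Set the default gateway, refusing an address that is not on `segment`:
    an off-segment gateway would leave the DLR with no usable path out."""
    if ip_address(gateway) not in ip_network(segment):
        raise ValueError(f"gateway {gateway} is not on {segment}")
    if dev.default_gateway == gateway:
        return None
    dev.default_gateway = gateway
    return f"{dev.name}: default gateway set to {gateway}"


def prepare_perimeter(esg: Device, dlr: Device) -> List[str]:
    """Apply the whole Part 1 configuration. Returns the changes made on this
    run; a second run against the same devices returns an empty list."""
    steps = [
        ensure_firewall_accept(dlr, "perimeter-out", PERIMETER_NET),
        ensure_firewall_accept(esg, "perimeter-out", PERIMETER_NET),
        ensure_snat(esg, PERIMETER_NET, ESG_UPLINK_IP),
        ensure_default_gateway(dlr, ESG_INSIDE_IP, PERIMETER_NET),
    ]
    return [change for change in steps if change]


if __name__ == "__main__":
    esg, dlr = Device("edge01"), Device("dlr01")
    print("first run: ", prepare_perimeter(esg, dlr))  # four changes
    print("second run:", prepare_perimeter(esg, dlr))  # []
```

A second call to prepare_perimeter returns nothing, a rule that has drifted (edited by hand in the UI) is updated rather than duplicated, and the off-segment gateway check fails fast instead of leaving the DLR with a default route it can never use.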

Test pod-transit connectivity

Now that we have applied our firewall and NAT rules, we should be able to reach the DLR on the pod-transit side and then ping from the DLR out to the wider network. To do this we first add a route on our test host so it knows how to reach the pod-transit network via the Perimeter Edge:

[alex@web01 ~]$ sudo route add -net 10.30.25.0/24 gw 10.30.20.5

We should then be able to SSH to the DLR, with the traffic traversing the Perimeter Edge. Once on the device we confirm we have wider network connectivity; I ran a ping against 10.30.20.1 (the physical gateway) and against 8.8.8.8 to check the expected connectivity was present.

[alex@web01 ~]$ ssh admin@10.30.25.10

***************************************************************************
NOTICE TO USERS


This computer system is the private property of its owner, whether
individual, corporate or government.  It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials.  Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.

****************************************************************************
admin@10.30.25.10's password: 
Last login: Tue Feb  2 12:44:47 GMT 2016 from 10.30.20.29 on pts/0
Name:                 vShield Edge
Version:              6.2.0
Build number:         2982179
Kernel:               3.2.62

vShield-edge-3-0> ping 10.30.20.1
PING 10.30.20.1 (10.30.20.1) 56(84) bytes of data.
64 bytes from 10.30.20.1: icmp_seq=1 ttl=63 time=1.15 ms
^C
vShield-edge-3-0> 
--- 10.30.20.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.157/1.157/1.157/0.000 ms
vShield-edge-3-0> ping 8.8.8.8   
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=13.7 ms
^C
vShield-edge-3-0> 
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 13.766/13.766/13.766/0.000 ms
vShield-edge-3-0>


We can see the DLR has connectivity to the wider network via the Perimeter ESG.
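Both connectivity checks on this page (ESG to DLR, and DLR out to the physical gateway) were read off by eye. As an added example, not from the original post, here is a small parser for Linux ping output and for the Name/Version/Build number lines the Edge prints at login, so the same checks can be scripted and asserted. The reply TTL gives a cheap sanity check on the path: 64 from the DLR means the ESG reached it directly on the shared segment, while 63 from 10.30.20.1 means exactly one router (the Perimeter Edge) sat in between. That assumes the replying host starts at TTL 64, which is the Linux default, so treat it as a heuristic. The sample outputs are trimmed copies of the sessions above; in a real check you would capture them yourself, for instance by running ping over SSH with a library such as paramiko.

```python
import re
from typing import Optional

# Sample outputs, constructed from the SSH sessions above (trimmed to the
# lines the parser needs). NO_REPLY is a constructed failure case.
ESG_TO_DLR = """\
PING 10.30.25.10 (10.30.25.10) 56(84) bytes of data.
64 bytes from 10.30.25.10: icmp_seq=1 ttl=64 time=2.51 ms
64 bytes from 10.30.25.10: icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from 10.30.25.10: icmp_seq=3 ttl=64 time=0.222 ms
--- 10.30.25.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.222/0.991/2.514/1.077 ms
"""
DLR_TO_PHYSICAL_GW = """\
PING 10.30.20.1 (10.30.20.1) 56(84) bytes of data.
64 bytes from 10.30.20.1: icmp_seq=1 ttl=63 time=1.15 ms
--- 10.30.20.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.157/1.157/1.157/0.000 ms
"""
NO_REPLY = """\
PING 10.30.25.10 (10.30.25.10) 56(84) bytes of data.
--- 10.30.25.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
"""
ESG_BANNER = "Name:                 vShield Edge\nVersion:              6.1.3\nBuild number:         2578756\nKernel:               3.2.31\n"
DLR_BANNER = "Name:                 vShield Edge\nVersion:              6.2.0\nBuild number:         2982179\nKernel:               3.2.62\n"

STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")
TTL_RE = re.compile(r"\bttl=(\d+)")
BANNER_RE = re.compile(r"^(Name|Version|Build number|Kernel):\s+(.+?)\s*$", re.M)


def parse_ping(output: str) -> dict:
    """Extract sent/received counts, loss %, average RTT and first reply TTL
    from Linux ping output. Raises ValueError if the summary line is absent."""
    m = STATS_RE.search(output)
    if not m:
        raise ValueError("no 'packets transmitted' summary line in ping output")
    sent, received, loss = (int(x) for x in m.groups())
    rtt = RTT_RE.search(output)
    ttls = [int(t) for t in TTL_RE.findall(output)]
    return {
        "sent": sent,
        "received": received,
        "loss_pct": loss,
        "avg_ms": float(rtt.group(2)) if rtt else None,
        "ttl": ttls[0] if ttls else None,
    }


def reachable(output: str, expected_hops: Optional[int] = None, base_ttl: int = 64) -> bool:
    """True if the target answered with zero loss. When expected_hops is given,
    also require reply TTL == base_ttl - expected_hops, i.e. that the reply
    crossed exactly that many routers. Heuristic: assumes the target sends
    replies starting at base_ttl (64 is the Linux default)."""
    r = parse_ping(output)
    if r["received"] == 0 or r["loss_pct"] != 0:
        return False
    if expected_hops is not None and r["ttl"] != base_ttl - expected_hops:
        return False
    return True


def parse_banner(text: str) -> dict:
    """Read the Name/Version/Build number/Kernel lines printed at SSH login."""
    return dict(BANNER_RE.findall(text))


def versions_seen(*banners: str) -> set:
    """Distinct Version strings across several login banners; more than one
    entry means the edges are not all on the same release."""
    return {parse_banner(b).get("Version", "?") for b in banners}


if __name__ == "__main__":
    print("ESG -> DLR on-segment:", reachable(ESG_TO_DLR, expected_hops=0))
    print("DLR -> physical gw via one router:", reachable(DLR_TO_PHYSICAL_GW, expected_hops=1))
    print("versions in lab:", versions_seen(ESG_BANNER, DLR_BANNER))
```

Run against the banners captured above, versions_seen reports both 6.1.3 and 6.2.0: the ESG and DLR in this lab are on different releases, which is worth knowing before scripting against them in Part 2.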

Summary

We now have our lab environment configured with an Edge Services Gateway, a Distributed Logical Router and two Logical Switches. The network is ready for devices (such as an Edge Services Gateway) to be added to the pod-transit network, and they should have connectivity through the DLR and Perimeter ESG to the wider network. In Part 2 we will cover deploying these ESGs manually, and then automatically using a Python script.

FIN