Holodeck 5.1.1 Software Defined Networking (Manual)

Create SDN Lab Support VMs

Overview

Holodeck Toolkit 5.1 ships with several lab exercises designed to show software defined networking. These lab exercises require several predefined virtual machines. This section describes how to deploy those virtual machines using Holodeck automation.

Prerequisites

  • External network access from the Holodeck environment
  • C:\VLC\VLC-Holo-Site-1\Holo-Build\Post-Deployment\Holodeck-Infrastructure.ps1 has been run post installation to create VM folders
  • Ubuntu 18.04 cloud image available at C:\Users\Administrator\Downloads\bionic-server-cloudimg-amd64.ova

Create OpenCart SDN VMs

Overview

The Software Defined Networking and Security labs in the Holodeck series make use of three specifically configured Ubuntu 18.04 based VMs that implement a predefined OpenCart e-commerce deployment. This section covers the creation of these VMs prior to starting the SDN lab series. NOTE:

Build OpenCart VMs

  1. From within the Holo-Console, click on Windows Start Menu-Windows PowerShell-Windows PowerShell  
  2. cd "C:\VLC\VLC-Holo-Site-1\Holo Lab Support Files\SDN-Lab" (the path contains spaces, so it must be quoted)
  3. .\SDN-OC-Create.ps1
  4. The output resembles the following:


 

Test Open Cart VMs

  1. Wait approximately five minutes after the "Set 1 completed" status appears, to allow the OpenCart system to build its database as part of the installation
  2. Connect to the nested vCenter Server instance for the VCF Management Domain.
  3. In the VMs and Templates view of the vSphere Client, select the Holodeck folder and click SDN-OC-Apache-A
  4. Notice the IP address 10.0.0.231
  5. Double click the IP address, then right click and select Go to 10.0.0.231


  1. A Chrome window will open and display the following page


Prep OpenCart VM’s for lab use

This task reconfigures the OpenCart VMs as needed for the SDN lab.

  1. Type the following command: .\SDN-OC-Finalize.ps1
  2. The output will resemble the following:


  1. The virtual machines will be offline in vCenter
  2. The SDN OpenCart machines are now prepared for use in the SDN lab


 

Deploying Segments and Distributed Routing

Overview

VMware Cloud Foundation leverages virtualized (Overlay) networking. This configuration encapsulates L2 network traffic within an L3 underlay network, which facilitates the delivery of networks and network services in a software defined way.

This lab exercise is designed to show the vSphere administrator how simple it is to create distributed routing and overlay segments in Cloud Foundation.

 

Creating Network Segments and Distributed Router

This lab deploys the networking components needed to support an OpenCart two-tier application. It uses preconfigured VMs that will be attached to newly created SDN segments. The lab simulates a common situation: a legacy application with hard-coded networking dependencies needs to be deployed in a new data center. Rather than attempting to recreate the subnets, VLANs and firewall components in hardware, we will create all the necessary infrastructure in software, faster. Note: there is a corresponding Terraform script that automates all of the steps in this lab at C:\VLC\VLC-Holo-Site-1\Holo-Build\TF-SDN-Lab-SDN\

 

Create a Tier-1 Router

  1. On the Holo-Console, open a new tab in the Chrome browser
  2. Click the Holodeck 5.1.1 folder in the bookmark bar then select Holo-Site-1->Mgmt Domain->Mgmt NSX
  3. Log into NSX Manager as the user admin with the password VMware123!VMware123!
  4. Click Networking
  5. Click Tier-1 Gateways in the left navigation panel


  1. Click on Add Tier-1 Gateway
  2. Name the gateway OC-T1 and click Select Tier-0 Gateway and select VLC-Tier-0.


  1. Click on the Edge Cluster dropdown.


  1. Select EC-01 and click Save.
  2. Expand Route Advertisement
  3. Enable All Connected Segments & Service Ports


  1. Click Save
  2. Click No at the dialog asking, ‘Do you want to continue configuring this Tier-1 Gateway?’


  1. Click the refresh icon in the Status column until the status shows Success

 

 

Create Segments (OC-Web-Segment)

 

  1. Click the Networking tab at the top of the screen
  2. Click Segments in the left pane.
  3. Click ADD SEGMENT button


  1. In the Segment Name field, enter OC-Web-Segment
  2. Select OC-T1 | Tier-1 as the Connected Gateway
  3. In the Select Transport Zone dropdown, select mgmt-domain-tz-overlay01 | Overlay
  4. In the Gateway CIDR IPv4 field, enter 10.1.1.1/27. Note: this single entry sets the subnet, CIDR and gateway address at the same time.


  1. Scroll down and click SAVE


  1. A notice is displayed informing of the success of the segment creation. Click No to answer the Do you want to continue configuring this Segment dialog


 

 

Create Segments (OC-DB-Segment)

 

  1. Click the Networking tab at the top of the screen
  2. Click Segments in the left-hand side pane.
  3. Click ADD SEGMENT button
  4. In the Segment Name field, enter OC-DB-Segment
  5. Select OC-T1 | Tier-1 as the Connected Gateway
  6. In the Select Transport Zone dropdown, select mgmt-domain-tz-overlay01 | Overlay
  7. In the Gateway CIDR IPv4 field, enter 10.1.1.33/27
  8. Scroll down and click Save
  9. A notice is displayed informing of the success of the segment creation. Click No to answer the Do you want to continue configuring this Segment dialog
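The two Gateway CIDR entries above (10.1.1.1/27 for OC-Web-Segment and 10.1.1.33/27 for OC-DB-Segment) each define a subnet, its CIDR and its gateway in one field. The script below is an added example, not part of the Holodeck lab or of NSX: it performs the same derivation with Python's standard ipaddress module, checks that the two segments do not overlap, and places the lab's VM addresses in the segment that contains them, a check worth running before VMs are attached. The segment names, CIDRs and VM addresses are the lab's own; the function names are assumptions of this example.

```python
import ipaddress

# Constructed from the lab: segment name -> the Gateway CIDR IPv4 value typed into NSX.
SEGMENTS = {
    "OC-Web-Segment": "10.1.1.1/27",
    "OC-DB-Segment": "10.1.1.33/27",
}


def describe_segment(gateway_cidr):
    """Derive network, gateway and the usable VM address range from one
    gateway/prefix entry, as NSX does from the Gateway CIDR IPv4 field."""
    iface = ipaddress.ip_interface(gateway_cidr)
    # hosts() excludes the network and broadcast addresses; the gateway
    # takes one more, leaving the rest for VMs.
    usable = [h for h in iface.network.hosts() if h != iface.ip]
    return {
        "network": str(iface.network),
        "gateway": str(iface.ip),
        "first_usable": str(usable[0]),
        "last_usable": str(usable[-1]),
        "usable_count": len(usable),
    }


def overlapping_segments(segments):
    """Pairs of segment names whose networks overlap; an empty list means
    the gateway CIDRs were chosen consistently."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in segments.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def segment_for(ip, segments):
    """Name of the segment whose subnet contains ip, or None if no segment does."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in segments.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


if __name__ == "__main__":
    for name, cidr in SEGMENTS.items():
        print(name, describe_segment(cidr))
    print("overlapping:", overlapping_segments(SEGMENTS))
    # VM addresses from the lab's tables, plus the Holo-Console address, which
    # lives on the 10.0.0.0/24 management network rather than on a segment.
    for vm_ip in ("10.1.1.18", "10.1.1.19", "10.1.1.50", "10.0.0.231"):
        print(vm_ip, "->", segment_for(vm_ip, SEGMENTS))
```

Each /27 leaves 29 addresses for VMs once the gateway is accounted for, and the web VMs (10.1.1.18, 10.1.1.19) and the database VM (10.1.1.50) fall into OC-Web-Segment and OC-DB-Segment respectively, which is what the later firewall rules assume.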

 

 

Connect VMs to Segments

The following steps attach the SDN-OC-Apache-A web server VM to the OC-Web-Segment.

  1. Using the Chrome bookmarks, access Management Domain vCenter Server Web Client
  2. Select the vCenter Server folders view and expand the tree


  1. Right click on SDN-OC-Apache-A and click Edit Settings
  2. In the settings window, click the dropdown next to Network Adapter 1
  3. Select Browse

 

  1. Observe that the network segments created earlier are visible
  2. Click OC-Web-Segment
  3. Click OK

 


  1. Click OK to save the settings
  2. Power on the SDN-OC-Apache-A VM


 

Repeat the same steps to attach SDN-OC-Apache-B to OC-Web-Segment

  1. Right click on SDN-OC-Apache-B and click Edit Settings
  2. Click the dropdown next to Network Adapter 1
  3. Click Browse
  4. Click OC-Web-Segment
  5. Click OK
  6. Click OK
  7. Power on the SDN-OC-Apache-B VM

Repeat the same steps to attach SDN-OC-MySQL to OC-DB-Segment

  1. Right click on SDN-OC-MySQL and click Edit Settings
  2. Click the dropdown next to Network Adapter 1
  3. Click Browse
  4. Click OC-DB-Segment
  5. Click OK
  6. Click OK
  7. Power on the SDN-OC-MySQL VM

 

 

Test basic OpenCart functionality

  1. Monitor the summary page for SDN-OC-Apache-A and wait for the boot process to complete and the IP address 10.1.1.18 to appear in the virtual machine details.


  1. Open a browser to 10.1.1.18.
  2. You should see the following


 

 

View OC-Web-Segment in vCenter Server

  1. Using the Chrome bookmarks, access the Management vCenter Server Web Client using the username administrator@vsphere.local and the password VMware123!
  2. Click on the networking icon and expand the menu on the left-hand side of the vSphere Web Client
  3. Click on OC-Web-Segment


  1. Note the following:
     
    • The “N” denotes that this is an NSX segment and not a standard port group
    • The segment ID and Transport Zone for the segment are shown
    • The vDS the segment is attached to
    • The hyperlink for the NSX Manager for the segment


  1. Click on Ports
  2. Note each VM attached to the segment has a port assigned. Other details, such as the MAC address and VLAN ID, are also displayed


  1. Click on the Hosts tab
  2. Note the OC-Web-Segment is connected on each ESXi host in the transport zone. When a segment is created, it is accessible to all hosts in the transport zone.


 

 

Discover the Software Defined Network Topology

  1. On the Holo-Console, open a new tab in the Chrome browser
  2. Click the Holodeck 5.1 folder in the bookmark bar then select Holo-Site-1->Mgmt Domain->Mgmt NSX
  3. Log into NSX Manager as the user admin with the password VMware123!VMware123!
  4. Click the Networking tab
  5. Select Network Topology from the left-hand side menu
  6. Click Skip to close the mini-tour if needed.
  7. Locate OC-T1 on the topology view (zoom in if necessary)


  1. Click on 2 VMs under OC-Web-Segment to expand the view
  2. Notice the two VMs previously configured on the OC-Web-Segment
  3. Repeat the action for the OC-DB-Segment


  1. Scroll to the top of the topology view. Note the Tier-0 router, which connects to the customer core network using an ECMP connection with BGP route propagation. The Tier-0 is typically connected to the customer network when the VCF Workload Domain is initially deployed by the network engineering team. After that, the operations team can create Tier-1 routers as needed with no additional configuration required on the physical network.


 

 

Lab Summary

 

This lab demonstrated how VCF virtualized networking can be used to quickly provision L2 and L3 services on existing infrastructure. This enables:

  • Easily delivering network services needed by an application with the application
  • Eliminating delays with traditional network provisioning processes, which can take days to months.
  • Empowering operations staff to deploy approved networks or retain control with the network admin team.
  • Building a virtualized networking foundation that facilitates ease of workload migrations to other VMware Cloud properties for Disaster Recovery or Cloud Bursting activities.

This lab usually takes less than 30 minutes to complete. How does this compare to your experience in getting a multi-tier network provisioned for VM use?

Tagging VMs and Grouping Workloads based on Tags

Prerequisites

  • SDN Lab Support VMs completed
  • Deploying Segments and Distributed Routing completed or Terraform plan at C:\VLC\VLC-Holo-Site-1\Holo-Lab-Support-Files\TF-SDN-Lab-SDN has been applied

Lab 1: Tagging VMs and Grouping Workloads based on Tags

This lab explores the use of tagging to create groups of VMs to apply specific distributed firewall rules to. In small environments, creating groups based on VM name may suffice. However, as an environment grows, tagging may be a better alternative. This lab assumes the user has familiarity with the NSX interface.

Terminology and definitions:

Tags – A virtual machine is not directly managed by NSX; however, NSX allows tags to be attached to a virtual machine. This tagging enables tag-based grouping of objects. For example, a tag called AppServer can be associated with all application servers.

Security Groups – A security group is a collection of assets or grouping objects from your vSphere inventory.

Security Groups are containers that can contain multiple object types including logical switch, vNIC, IPset, and Virtual Machine (VM). Security groups can have dynamic membership criteria based on security tags, VM name or logical switch name. For example, all VMs that have the security tag web will be automatically added to a specific security group destined for Web servers. After creating a security group, a security policy is applied to that group.

Security Policies – A security policy is a set of Guest Introspection, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy. Policies can be stateful or stateless.

Note: Tagging in NSX is distinct from tagging in vCenter Server. At this time, vCenter Server tags cannot be used to create groupings in NSX. In larger, more automated environments, customers use a solution such as vRealize Automation to deploy virtual machines and containers with security tagging set at time of creation.

Given that the OpenCart application used in this lab only has two web servers and one database server, we are going to create two tags as the criteria for two groups. Creating one tag per group might seem somewhat redundant, but it is essential to remember:

This is a small sample two-tier application. For applications built from micro-services, you will be able to group more than one machine under one tag and get more value from the security groups.

The advantage of using tags and groups is also an operational one. Once you create your infrastructure around Security Groups that contain tags, the moment you tag a machine with a specific tag, it immediately inherits the specific Security Group, firewall rules and so on. This brings us closer to the cloud delivery model.

The downside is that a certain level of caution is needed when working with tags and Security Groups: it is just as easy to add a machine to an existing Security Group and avoid the complication of setting up firewall rules as it is to undermine good security by giving the new machine too many permissions because of stale tag or Security Group configurations.

To show the capability of tags we will set up SDN-OC-Apache-A, SDN-OC-Apache-B and SDN-OC-MySQL with the appropriate Tags and Security Group. The VM-Tag-Group mapping is as follows:

VM               IP Address   Tag             Security Group
SDN-OC-MySQL     10.1.1.50    SDN-OC-DB-Tag   SDN-OC-DB-Group
SDN-OC-Apache-A  10.1.1.18    SDN-OC-Web-Tag  SDN-OC-Web-Group
SDN-OC-Apache-B  10.1.1.19    SDN-OC-Web-Tag  SDN-OC-Web-Group

Create Tags

  1. On the Holo-Console, open a new tab in the Chrome browser
  2. Click the Holodeck-5.1.1 folder in the bookmark bar then select Holo-Site-1 -> Mgmt Domain -> Mgmt NSX
  3. Log into NSX Manager as the user admin with the password VMware123!VMware123!
  4. Navigate to Inventory-Tags
  5. Click on ADD TAG

  1. We will first create a new tag for the web servers. Enter the name SDN-OC-Web-Tag in the Tag field. Do not click Save yet: as the note on the page says, the tag must be assigned to at least one object first.

  1. Assign this tag to the SDN-OC-Apache-A and SDN-OC-Apache-B virtual machines. Click the Set Virtual Machines link and select the SDN-OC-Apache-A and SDN-OC-Apache-B virtual machines (you may need to scroll).

 

  1. Click APPLY
  2. Note the “Assigned To” value has incremented to 2
  3. Click SAVE to save the new tag

 

  1. Click Add Tag
  2. Add the name “SDN-OC-DB-Tag”

 

  1. Click Set Virtual Machines then select SDN-OC-MySQL
  2. Click Apply
  3. Click Save

 

Verify Tags

  1. Click on Inventory-Tags-Filter by Name, Path and more
  2. Click Tag

 


  1. Search for Tags with the string “SDN-OC” in the name and click OK

  1. Verify the two tags created earlier are displayed

 

 

Verify virtual machines are mapped to tags.

  1. Select Inventory-Virtual Machines and click in the Filter area
  2. Scroll down in Basic Detail and select Tag

 

  1. Select our two tags and click Apply

  1. Verify SDN-OC-Apache-A, SDN-OC-Apache-B  and SDN-OC-MySQL are present

 

 

Create SDN-OC-Web-Group

  1. Click Inventory-Groups-ADD GROUP

  1. Add group name SDN-OC-Web-Group

 

  1. Click on “Set” in the Compute Members column to add group members. In this example we will use the tags we just created to populate the group.
  2. Click Add Criterion

 

  1. Select Virtual Machine as the member type, with the criterion Tag Equals “SDN-OC-Web-Tag”

 

  1. Click Apply
  2. Click Save

 

Create SDN-OC-DB-Group

  1. Click Inventory-Groups-ADD GROUP

  1. Add group name SDN-OC-DB-Group
  2. Click on Set to add group members. In this example we will use the tags we just created to populate the group

 

  1. Click Add Criterion
  2. Click on the Scope and select the SDN-OC-DB-Tag tag

 

  1. Click Apply
  2. Click Save

 

Verify Groups

  1. On the Inventory-Groups panel click in the Filter by Name, Path and More field


  1. Click on Name in the Basic Detail column

 

  1. Type OC to filter for our group names
  2. Select the SDN-OC-Web-Group and SDN-OC-DB-Group groups
  3. Click Apply

 

  1. Click View Members for each group
  2. Each group should have a single VM as a member (we can ignore IP addresses, Ports and VIF for now).

 

The following example shows the View Members details for the SDN-OC-DB-Group.

 

 

Summary

This process showed how to implement tagging and grouping in NSX. This capability allows creation and management of a scalable set of distributed firewall rules. At this point we have implemented the following:

VM               IP Address   Tag             Group
SDN-OC-Apache-A  10.1.1.18    SDN-OC-Web-Tag  SDN-OC-Web-Group
SDN-OC-Apache-B  10.1.1.19    SDN-OC-Web-Tag  SDN-OC-Web-Group
SDN-OC-MySQL     10.1.1.50    SDN-OC-DB-Tag   SDN-OC-DB-Group

 

 

Utilizing Distributed Firewall

Prerequisites

  • SDN Lab Support VMs completed
  • Deploying Segments and Distributed Routing completed or Terraform plan at C:\VLC\VLC-Holo-Site-1\Holo-Lab-Support-Files\TF-SDN-Lab-SDN has been applied
  • Tagging VMs and Grouping Workloads based on Tags

This lab shows how to implement a zero-trust configuration with the distributed firewall, opening only the communications required to access our OpenCart application. For the purposes of this lab we will create the following rules. Note: this is a very simplified example and does not represent production security rules.

Name              Source            Destination                        Port/Protocol  Allowed  Notes
HTTP-Allow        Any               SDN-OC-Web-Group                   HTTP (80)      Allow    Outside to web port 80
Web-DB            SDN-OC-Web-Group  SDN-OC-DB-Group                    3306 (MySQL)   Allow    Web to DB comms
SSH-Admin         10.0.0.0/24       SDN-OC-DB-Group, SDN-OC-Web-Group  SSH            Allow    SSH from Holo console only
ICMP-Admin        10.0.0.0/24       SDN-OC-DB-Group, SDN-OC-Web-Group  ICMP ALL       Allow    ICMP only from Holo console
SDN-Lab-Deny-All  Any               SDN-OC-DB-Group, SDN-OC-Web-Group  Any            Reject   Reject all else inbound

 

Keep in mind that this is all happening at the distributed firewall level, where firewall rules are enforced at the VM's switch port rather than requiring a routed (perimeter) firewall. Since we created groups in the previous lab, we can now create access rules based on those groups.
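Added example, not Holodeck or NSX code: a small Python model of the two mechanisms these labs rely on. First, tag criteria resolve group membership from the Tagging lab's VM / Tag / Group table; second, the rule table above is evaluated per VM port in order, first match wins, with the explicit SDN-Lab-Deny-All rule as the last entry. Running it shows, before anything is published, which flows the table allows (Holo-Console SSH to a web server, web to MySQL on 3306) and which it rejects (lateral SSH or ping between the web servers). VM names, addresses, tags, groups and rules are taken from the lab tables; the helper names, and the "Allow" fall-through when no rule matches, are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory, taken from the lab's VM / IP Address / Tag / Group table.
VMS = {
    "SDN-OC-Apache-A": {"ip": "10.1.1.18", "tags": {"SDN-OC-Web-Tag"}},
    "SDN-OC-Apache-B": {"ip": "10.1.1.19", "tags": {"SDN-OC-Web-Tag"}},
    "SDN-OC-MySQL": {"ip": "10.1.1.50", "tags": {"SDN-OC-DB-Tag"}},
}

# Group criteria as configured in the Tagging lab: "Virtual Machine, Tag Equals <tag>".
GROUP_CRITERIA = {
    "SDN-OC-Web-Group": "SDN-OC-Web-Tag",
    "SDN-OC-DB-Group": "SDN-OC-DB-Tag",
}


def resolve_groups(vms, criteria):
    """Return {group name: {vm names}} by evaluating each group's tag criterion.
    Tagging a new VM changes the result without touching any rule."""
    return {group: {name for name, vm in vms.items() if tag in vm["tags"]}
            for group, tag in criteria.items()}


@dataclass
class Rule:
    name: str
    sources: list        # group names, CIDRs, or "Any"
    destinations: list   # group names or "Any"
    services: list       # (protocol, port) tuples; port None = any; or "Any"
    action: str          # "Allow" or "Reject"


# The lab's rule table, in evaluation order (the deny-all rule must be last).
RULES = [
    Rule("HTTP-Allow", ["Any"], ["SDN-OC-Web-Group"], [("tcp", 80)], "Allow"),
    Rule("Web-DB", ["SDN-OC-Web-Group"], ["SDN-OC-DB-Group"], [("tcp", 3306)], "Allow"),
    Rule("SSH-Admin", ["10.0.0.0/24"], ["SDN-OC-DB-Group", "SDN-OC-Web-Group"], [("tcp", 22)], "Allow"),
    Rule("ICMP-Admin", ["10.0.0.0/24"], ["SDN-OC-DB-Group", "SDN-OC-Web-Group"], [("icmp", None)], "Allow"),
    Rule("SDN-Lab-Deny-All", ["Any"], ["SDN-OC-DB-Group", "SDN-OC-Web-Group"], ["Any"], "Reject"),
]


def _vm_for_ip(ip, vms):
    return next((name for name, vm in vms.items() if vm["ip"] == ip), None)


def _matches_endpoint(ip, selectors, groups, vms):
    """True if ip is covered by any selector: "Any", a group name, or a CIDR."""
    vm = _vm_for_ip(ip, vms)
    for sel in selectors:
        if sel == "Any":
            return True
        if sel in groups:
            if vm in groups[sel]:
                return True
        elif ipaddress.ip_address(ip) in ipaddress.ip_network(sel, strict=False):
            return True
    return False


def _matches_service(proto, port, services):
    if services == ["Any"]:
        return True
    return any(p == proto and (sp is None or sp == port) for p, sp in services)


def evaluate(src_ip, dst_ip, proto, port, rules=RULES, vms=VMS):
    """First-match evaluation of a flow; returns (action, matching rule name).
    A flow matching no rule is modelled as allowed, which is why the lab ends
    the table with an explicit deny-all rule (assumed default, see lead-in)."""
    groups = resolve_groups(vms, GROUP_CRITERIA)
    for rule in rules:
        if (_matches_endpoint(src_ip, rule.sources, groups, vms)
                and _matches_endpoint(dst_ip, rule.destinations, groups, vms)
                and _matches_service(proto, port, rule.services)):
            return rule.action, rule.name
    return "Allow", "default"


if __name__ == "__main__":
    print(resolve_groups(VMS, GROUP_CRITERIA))
    print("Holo-Console SSH to web:", evaluate("10.0.0.231", "10.1.1.18", "tcp", 22))
    print("lateral SSH web to web:", evaluate("10.1.1.18", "10.1.1.19", "tcp", 22))
    print("web to MySQL:", evaluate("10.1.1.18", "10.1.1.50", "tcp", 3306))
    print("internet to web port 80:", evaluate("203.0.113.5", "10.1.1.19", "tcp", 80))
```

The test sequence in the lab (deny-all first, then HTTP-Allow, then Web-DB) corresponds to evaluating with progressively more of RULES in front of the deny-all entry; the model makes that ordering explicit, which is the property to verify whenever a rule is inserted into the SDN-OC policy.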

Create New Policy

  1. If necessary, open a new tab in the Chrome browser
  2. Click the Management NSX-T shortcut in the bookmark bar (click advanced / proceed to nsx-mgmt.vcf.sddc.lab, if required to accept the certificate)
  3. Log into NSX Manager as user: admin with the password: VMware123!VMware123!
  4. Navigate to Security -> Distributed Firewall in the NSX-T console
  5. Click Add Policy
  6. Click New policy and change the name to “SDN-OC”


  1. Hover over DFW in the SDN-OC policy row, then click the pencil.
  2. Note the default is the entire distributed firewall, however we want this rule to apply to the groups we created in the previous labs.
  3. Click the Groups radio button
  4. Click Filter by Name, Path and more
  5. Select Name
  6. Search for SDN
  7. Search for OC then select SDN-OC-DB-Group and SDN-OC-Web-Group

  1. Select the two groups and then click Apply

 

Add SDN-Lab-Deny-All Rule

  1. Click on the three vertical dots on the left of the SDN-OC policy.
  2. Click Add Rule

  1. Click Add Rule and change the name to SDN-Lab-Deny-All
  2. Set the action to Reject


  1. Click Publish
  2. Your results should resemble the following (notice that Publish is grayed out, because there are no unpublished rules)

Test Opencart

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. Access to the web server should be blocked


Add HTTP-Allow rule

  1. Click the three dots on SDN-OC and Add Rule
  2. Change name of the rule to HTTP-Allow
  3. Set the destination to SDN-OC-Web-Group
  4. Click apply


  1. Click the pencil icon for services
  2. Filter by name for HTTP and select that service
  3. Click apply

  1. Your results should look like the following

  1. Click PUBLISH to make the rules active

Test Opencart

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. The error should change to the following. This is because access to the web server is now allowed, but the deny-all rule still blocks access from the web server to the database server.

Add Web-DB rule

This step allows communication from the Apache web servers to MySQL.

  1. Click the three dots on SDN-OC and Add Rule
  2. Change name of the rule to Web-DB
  3. Set the Source to SDN-OC-Web-Group
  4. Set the Destination to SDN-OC-DB-Group
  5. Set services to MySQL

  1. Click the pencil icon for services
  2. Filter by name for MySQL and select that service
  3. Click apply


  1. Your results should look like the following


  1. Click PUBLISH to make the rules active

Test Opencart

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. Access to the web server should be restored


Add SSH-Admin Rule

This rule simulates allowing trusted access from a small set of hosts in the administrative area while blocking lateral SSH within the environment.

  1. Add a new rule called SSH-Admin
  2. Click the pencil icon for Source, then select IP Addresses
  3. Set a range of 10.0.0.0/24 (the Holodeck administrative network, which contains Holo-Console)
  4. Select service SSH
  5. Your rules should look like this


Test SSH access

  1. On Holo-Console, click the Start menu and then PuTTY
  2. Open an SSH session to 10.1.1.18
  3. Accept the security warning if needed


  1. Log in as ocuser with password VMware123!
  2. You should successfully login


  1. Attempt to SSH laterally to 10.1.1.19.


Add ICMP-Admin Rule

This rule simulates allowing ICMP ping for troubleshooting from a small set of hosts in the administrative area while blocking lateral ping within the environment.

  1. Add a new rule called ICMP-Admin
  2. Click the pencil icon for Source, then select IP Addresses
  3. Set a range of 10.0.0.0/24 (the Holodeck administrative network, which contains Holo-Console)
  4. Select service ICMP ALL
  5. Your rules should look like this


Test ICMP access

  1. On Holo-Console open a command window
  2. Ping 10.1.1.18
  3. Ping from the Holo Console should work


  1. Open or reopen a PuTTY session to 10.1.1.18.
  2. Log in as ocuser with password VMware123!
  3. You should log in successfully
  4. Attempt to ping 10.1.1.19.


Lab 2 Summary

Lab 2 shows the power of the distributed firewall capability in NSX. Using tagging and grouping, we were able to create a scalable set of rules for our OpenCart application that allow only the communications necessary for application operation, while blocking all other traffic. This was all done directly at the vSphere VDS switch port level, rather than on a piece of hardware elsewhere in the datacenter.

7.3 - Holodeck 5.1.1 Load Balancing

Configure load balancer

This module configures an L3-L7 load balancer on the OC-T1 router created earlier.

Step 1: Create Server Pool

A server pool is a set of servers that can share the same content.

  1. In NSX Manager, navigate to Networking and click on Load Balancing
  2. Then click the Server Pools tab and click Add Server Pool
  3. Name the pool OC-LB-Pool


  1. Click Select Members
  2. Click Add Member
  3. Name SDN-OC-Apache-A, IP 10.1.1.18 Port 80


  1. Click Save
  2. Repeat the steps for SDN-OC-Apache-B, using Name OC-Apache-B, IP 10.1.1.19, Port 80


  1. Click Apply
  2. Click Set next to Active Monitor


  1. Select the default HTTP Port 80 monitor, then click Apply


  1. Click Apply
  2. Notice the active monitor shown
  3. Click Save


Step 2: Create Load Balancer

  1. Navigate to Networking and click Load Balancing
  2. Click Add Load Balancer
  3. Name the Load Balancer OC-LB. On Attachment select OC-T1


  1. Click Save
  2. When prompted ‘Want to continue configuring this Load Balancer?’, select No

Step 3: Create Virtual Servers

A Virtual Server is an IP address that acts as the front end for a Server Pool.

  1. Navigate to Networking and click on Load Balancing
  2. Click the Virtual Servers tab and then Add Virtual Server, L7 HTTP


  1. Name the Virtual Server OC-VIP, IP Address 10.1.1.2, Port 80
  2. Type OC in the Load Balancer field and it will allow you to select OC-LB
  3. Type OC in the Server Pool field and select OC-LB-Pool
  4. Click on SAVE


Step 4: Test Load Balancer

  1. Open a new tab for 10.1.1.2


  1. Refresh the browser for this tab. You should see the opposite web server
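Added example, not NSX or Holodeck code: a Python model of the objects configured in Steps 1 to 3, a server pool whose active HTTP monitor decides which members stay in rotation, and a virtual server that round-robins across the healthy members only, which is why refreshing 10.1.1.2 alternates between the two web servers and why a failed member drops out of rotation without any change to the VIP. The pool name, VIP, member names and addresses are the lab's; the probe answers are constructed, and the class and function names are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Member:
    name: str
    ip: str
    port: int = 80
    healthy: bool = True


@dataclass
class ServerPool:
    name: str
    members: List[Member]
    # Active monitor: probe(ip, port) -> HTTP status code, or None if no answer.
    monitor: Callable[[str, int], Optional[int]]
    healthy_codes: frozenset = frozenset({200})

    def run_monitor(self):
        """Probe every member once and update its health state, as the
        pool's active monitor does on its interval."""
        for m in self.members:
            m.healthy = self.monitor(m.ip, m.port) in self.healthy_codes
        return {m.name: m.healthy for m in self.members}

    def healthy_members(self):
        return [m for m in self.members if m.healthy]


@dataclass
class VirtualServer:
    name: str
    vip: str
    port: int
    pool: ServerPool
    _rr_index: int = 0

    def pick(self):
        """Round-robin over healthy members only; None when no member is up."""
        candidates = self.pool.healthy_members()
        if not candidates:
            return None
        m = candidates[self._rr_index % len(candidates)]
        self._rr_index += 1
        return m


def simulate(probe_results, requests=4):
    """Build the lab's pool and VIP, run the monitor with constructed probe
    answers, then send `requests` client requests through the VIP.
    Returns the member names served, None where nothing could serve."""
    pool = ServerPool(
        "OC-LB-Pool",
        [Member("SDN-OC-Apache-A", "10.1.1.18"), Member("OC-Apache-B", "10.1.1.19")],
        monitor=lambda ip, port: probe_results.get((ip, port)),
    )
    vip = VirtualServer("OC-VIP", "10.1.1.2", 80, pool)
    pool.run_monitor()
    return [m.name if m else None for m in (vip.pick() for _ in range(requests))]


if __name__ == "__main__":
    # Constructed probe answers: both members return 200 -> traffic alternates.
    print(simulate({("10.1.1.18", 80): 200, ("10.1.1.19", 80): 200}))
    # Apache-B fails its monitor with a 503 -> only Apache-A is served.
    print(simulate({("10.1.1.18", 80): 200, ("10.1.1.19", 80): 503}))
    # Nothing answers -> the VIP has no healthy member to send to.
    print(simulate({}))
```

A member that stops answering the HTTP probe disappears from the rotation without any change to the virtual server, and returns once it passes the monitor again, which is the behaviour to confirm when a pool member is taken down for maintenance.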


Test OpenCart Application

 

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. Access to the web server should be blocked

A screenshot of a computer error</p>
<p>Description automatically generated

Add HTTP–Allow rule

  1. Click the three dots on SDN-OC and Add Rule
  2. Change name of the rule to HTTP-Allow
  3. Set the destination to SDN–OC-Web-Group
  4. Click apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click the pencil icon for services
  2. Filter by name for HTTP and select that service
  3. Click apply

  1. Your results should look like the following

  1. Click PUBLISH to make the rules active

Test Opencart

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. The error should change to the following. This is due to allowing access to the web server, but they deny all rule, still blocking access from the web server to the database server.

Add Web-DB rule

The step will Allow communications from  the Apache web servers to MySQL

  1. Click the three dots on SDN-OC and Add Rule
  2. Change name of the rule to Web-DB
  3. Set the Source to SDN–OC-Web-Group
  4. Set the Destination to SDN–OC-DB-Group
  5. Set services to MySQL

  1. Click the pencil icon for services
  2. Filter by name for HTTP and select that service
  3. Click apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Your results should look like the following

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click PUBLISH to make the rules active

Test Opencart

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. Access to the web server should be restored

A laptops on a website</p>
<p>Description automatically generated

Add SSH-Admin Rule

This rule simulates allowing trusted access from a small set of hosts in the administrative area but blocking lateral SSH in the environment

  1. Add a new rule call SSH-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service SSH
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test SSH access

  1. On Holo-Console, click the start menu and then putty
  2. Open an SSH session to 10.1.1.18
  3. Accept the security warning if needed

A screenshot of a computer</p>
<p>Description automatically generated

  1. Login as ocuser with password VMware123!
  2. You should successfully login

A screenshot of a computer</p>
<p>Description automatically generated

  1. Attempt to SSH laterally to 10.1.1.19.

A screenshot of a computer screen</p>
<p>Description automatically generated

Add ICMP-Admin Rule

This rule simulates allowing ICMP Ping for troubleshooting from a small set of hosts in the administrative area but blocking lateral ping in the environment

  1. Add a new rule call ICMP-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service ICMP ALL
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test ICMP access

  1. On Holo-Console open a command window
  2. Ping 10.1.1.18
  3. Ping from the Holo Console should work

A computer screen with white text</p>
<p>Description automatically generated

  1. Open or reopen a Puddy session to 10.1.1.18.
  2. Login as ocuser with password VMware123!
  3. You should successfully login
  4. Attempt to ping of 10.1.1.19.


Lab 2 Summary

Lab 2 shows the power of the distributed firewall capability in NSX. Using tagging and grouping, we created a scalable set of rules for the OpenCart application that allow only the communications the application needs to operate and block all other traffic. This enforcement happens directly at the vSphere VDS switch port of each VM, rather than in a piece of hardware elsewhere in the datacenter.

7.3 - Holodeck 5.1.1 Load Balancing

Configure load balancer

This module will configure an L3-L7 load balancer on the OC-T11 Router created earlier.

Step 1: Create Server Pool

A server pool is a set of servers that can share the same content.

  1. In NSX Manager, navigate to Networking and click on Load Balancing
  2. Then click on the Server Pools tab and click Add Server Pool
  3. Name the pool OC-LB-Pool


  1. Click Select Members
  2. Click Add Member
  3. Name SDN-OC-Apache-A, IP 10.1.1.18 Port 80


  1. Click Save
  2. Repeat steps for OC-Apache-B, using: Name OC-Apache-B, IP 10.1.1.19 Port 80


  1. Click Apply
  2. Click Set next to Active Monitor


  1. Select the default HTTP Port 80 monitor, then click Apply


  1. Click Apply
  2. Notice the active monitor shown
  3. Click Save


Step 2: Create Load Balancer

  1. Navigate to Networking and click Load Balancing
  2. Click Add Load Balancer
  3. Name the Load Balancer OC-LB. On Attachment select OC-T1


  1. Click Save
  2. When prompted "Want to continue configuring this Load Balancer?", select No

Step 3: Create Virtual Servers

A Virtual Server is an IP address that acts as the front end for a Server Pool

  1. Navigate to Networking and click on Load Balancing
  2. Click the Virtual Servers tab, then Add Virtual Server and choose L7 HTTP


  1. Name the Virtual Server OC-VIP, IP Address 10.1.1.2, Port 80
  2. Type OC in the Load Balancer field and it will allow you to select OC-LB
  3. Type OC in the Server Pool field and select OC-LB-Pool
  4. Click on SAVE


Step 4: Test Load Balancer

  1. Open a new tab for 10.1.1.2


  1. Refresh the browser for this tab. You should see the other web server, since the virtual server alternates between the two pool members
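
As an added example that is not part of the manual or of NSX, this Python model shows what the configuration from Steps 1 to 4 does at request time: OC-VIP (10.1.1.2:80) hands successive requests to alternating members of OC-LB-Pool, and a member that fails the HTTP port-80 active monitor drops out of rotation. The monitor probe is a constructed stand-in for the real HTTP GET, and round-robin selection is assumed, since the page does not name the pool's balancing algorithm.

```python
"""Round-robin VIP with an active HTTP monitor, as configured in 7.3.

Added illustration, not NSX code.  It models OC-LB-Pool with its two
members (SDN-OC-Apache-A 10.1.1.18:80 and OC-Apache-B 10.1.1.19:80), the
default HTTP port-80 active monitor and the OC-VIP virtual server on
10.1.1.2:80.  The probe is a stand-in for the monitor's real HTTP GET: the
caller says which members are down, so failover can be exercised offline.
Round-robin is assumed; the page does not name the pool's balancing method.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

Probe = Callable[[str, int], bool]  # True when the member answers HTTP on its port


@dataclass(frozen=True)
class Member:
    name: str
    ip: str
    port: int


class ServerPool:
    """A set of servers sharing the same content, checked by an active monitor."""

    def __init__(self, name: str, members: List[Member], monitor: Probe):
        self.name = name
        self.members = list(members)
        self.monitor = monitor

    def healthy_members(self) -> List[Member]:
        # Only members passing the active monitor are eligible to receive traffic.
        return [m for m in self.members if self.monitor(m.ip, m.port)]


class VirtualServer:
    """The front-end IP: each request goes to the next healthy pool member."""

    def __init__(self, name: str, ip: str, port: int, pool: ServerPool):
        self.name, self.ip, self.port, self.pool = name, ip, port, pool
        self._next = 0

    def select(self) -> Member:
        healthy = self.pool.healthy_members()
        if not healthy:
            raise RuntimeError(f"{self.name}: no healthy members in {self.pool.name}")
        member = healthy[self._next % len(healthy)]
        self._next += 1
        return member


def build_oc_lb(down: Set[Tuple[str, int]]) -> VirtualServer:
    """Wire up OC-LB-Pool and OC-VIP; `down` holds (ip, port) pairs failing the monitor."""

    def http_port80_monitor(ip: str, port: int) -> bool:
        # Constructed stand-in for the default HTTP monitor's GET on port 80.
        return (ip, port) not in down

    pool = ServerPool(
        "OC-LB-Pool",
        [Member("SDN-OC-Apache-A", "10.1.1.18", 80), Member("OC-Apache-B", "10.1.1.19", 80)],
        http_port80_monitor,
    )
    return VirtualServer("OC-VIP", "10.1.1.2", 80, pool)


def simulate(requests: int, down: Set[Tuple[str, int]] = frozenset()) -> List[str]:
    """Names of the members that serve `requests` successive browser refreshes."""
    vip = build_oc_lb(set(down))
    return [vip.select().name for _ in range(requests)]


if __name__ == "__main__":
    print("all members up:  ", simulate(4))
    print("Apache-B failing:", simulate(3, down={("10.1.1.19", 80)}))
```

With both members up, four refreshes return A, B, A, B, which is the alternation observed in Step 4; marking 10.1.1.19:80 as failing sends every request to SDN-OC-Apache-A, and with no healthy member the virtual server raises rather than forwarding to a dead server. That is the operational value of the active monitor configured in Step 1: a failed web server is removed from rotation before clients see errors, which is also why the monitor should probe something meaningful on port 80 rather than only a TCP connect.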

A white cell phone with a green leaf on the screen</p>
<p>Description automatically generated

Add HTTP–Allow rule

 

 

  1. Click the three dots on SDN-OC and Add Rule
  2. Change name of the rule to HTTP-Allow
  3. Set the destination to SDN–OC-Web-Group
  4. Click apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click the pencil icon for services
  2. Filter by name for HTTP and select that service
  3. Click apply

  1. Your results should look like the following

  1. Click PUBLISH to make the rules active

Test Opencart

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. The error should change to the following. This is due to allowing access to the web server, but they deny all rule, still blocking access from the web server to the database server.

Add Web-DB rule

The step will Allow communications from  the Apache web servers to MySQL

  1. Click the three dots on SDN-OC and Add Rule
  2. Change name of the rule to Web-DB
  3. Set the Source to SDN–OC-Web-Group
  4. Set the Destination to SDN–OC-DB-Group
  5. Set services to MySQL

  1. Click the pencil icon for services
  2. Filter by name for HTTP and select that service
  3. Click apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Your results should look like the following

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click PUBLISH to make the rules active

Test Opencart

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. Access to the web server should be restored

A laptops on a website</p>
<p>Description automatically generated

Add SSH-Admin Rule

This rule simulates allowing trusted access from a small set of hosts in the administrative area but blocking lateral SSH in the environment

  1. Add a new rule call SSH-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service SSH
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test SSH access

  1. On Holo-Console, click the start menu and then putty
  2. Open an SSH session to 10.1.1.18
  3. Accept the security warning if needed

A screenshot of a computer</p>
<p>Description automatically generated

  1. Login as ocuser with password VMware123!
  2. You should successfully login

A screenshot of a computer</p>
<p>Description automatically generated

  1. Attempt to SSH laterally to 10.1.1.19.

A screenshot of a computer screen</p>
<p>Description automatically generated

Add ICMP-Admin Rule

This rule simulates allowing ICMP Ping for troubleshooting from a small set of hosts in the administrative area but blocking lateral ping in the environment

  1. Add a new rule call ICMP-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service ICMP ALL
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test ICMP access

  1. On Holo-Console open a command window
  2. Ping 10.1.1.18
  3. Ping from the Holo Console should work

A computer screen with white text</p>
<p>Description automatically generated

  1. Open or reopen a Puddy session to 10.1.1.18.
  2. Login as ocuser with password VMware123!
  3. You should successfully login
  4. Attempt to ping of 10.1.1.19.

A computer screen with a black screen</p>
<p>Description automatically generated

[Lab 2 Summary]

Lab 2 shows the power of the distributed firewall capability in NSX. Using tagging and grouping, we were able to create a scalable set of rules for our Opencart application that only allow necessary communications for application operation, while blocking all other traffic. This was all done directly at the vSphere VDS switch port level, versus a piece of hardware elsewhere in the datacenter.  

7.3 - Holodeck 5.1.1  Load Balancing

Configure load balancer

This module will configure an L3-L7 load balancer on the OC-T11 Router created earlier.

Step 1: Create Server Pool

A server pool is a set of servers that can share the same content.

  1. In NSX Manager, navigate to Networking and click on Load Balancing
  2. The click on the Server Pools tab and click Add Server Pool
  3. Name the pool OC-LB-Pool

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Select Members
  2. Click Add Member
  3. Name SDN-OC-Apache-A, IP 10.1.1.18 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. Repeat steps for OC-Apache-B, using: Name OC-Apache-B, IP 10.1.1.19 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Click Set next to Active Monitor

A screenshot of a computer</p>
<p>Description automatically generated

  1. Select the default HTTP Port 80 monitor, then click Apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Notice the active monitor shown
  3. Click Save

A screenshot of a computer</p>
<p>Description automatically generated

Step 2: Create Load Balancer

  1. Navigate to Networking and click Load Balancing
  2. Click Add Load Balancer
  3. Name the Load Balancer OC-LB. On Attachment select OC-T1

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. When prompted Want to continue configuring this Load Balancer, select No

Step 3: Create Virtual Servers

A Virtual Server is an IP address that acts as the front end for a Server Pool

  1. Navigate to Networking and click on Load Balancing
  2. Click the Virtual Servers tab and then Add Virtual Server, L7 HTTP

A screenshot of a computer</p>
<p>Description automatically generated

  1. Name the Virtual Server OC-VIP, IP Address 10.1.1.2, Port 80
  2. Type OC in the Load Balancer field and it will allow you to select OC-LB
  3. Type OC in the Server Pool field and select OC-LB-Pool
  4. Click on SAVE

A screenshot of a computer</p>
<p>Description automatically generated

Step 4: Test Load Balancer

  1. Open a new tab for 10.1.1.2

A laptops on a website</p>
<p>Description automatically generated

  1. Refresh the browser for this tab. You should see the opposite web server

A white cell phone with a green leaf on the screen</p>
<p>Description automatically generated

Re-Test OpenCart Application

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. The error should change to the following. This is due to allowing access to the web server, but they deny all rule, still blocking access from the web server to the database server.

Add Web-DB rule

The step will Allow communications from  the Apache web servers to MySQL

  1. Click the three dots on SDN-OC and Add Rule
  2. Change name of the rule to Web-DB
  3. Set the Source to SDN–OC-Web-Group
  4. Set the Destination to SDN–OC-DB-Group
  5. Set services to MySQL

  1. Click the pencil icon for services
  2. Filter by name for HTTP and select that service
  3. Click apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Your results should look like the following

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click PUBLISH to make the rules active

Test Opencart

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. Access to the web server should be restored

A laptops on a website</p>
<p>Description automatically generated

Add SSH-Admin Rule

This rule simulates allowing trusted access from a small set of hosts in the administrative area but blocking lateral SSH in the environment

  1. Add a new rule call SSH-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service SSH
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test SSH access

  1. On Holo-Console, click the start menu and then putty
  2. Open an SSH session to 10.1.1.18
  3. Accept the security warning if needed

A screenshot of a computer</p>
<p>Description automatically generated

  1. Login as ocuser with password VMware123!
  2. You should successfully login

A screenshot of a computer</p>
<p>Description automatically generated

  1. Attempt to SSH laterally to 10.1.1.19.

A screenshot of a computer screen</p>
<p>Description automatically generated

Add ICMP-Admin Rule

This rule simulates allowing ICMP Ping for troubleshooting from a small set of hosts in the administrative area but blocking lateral ping in the environment

  1. Add a new rule call ICMP-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service ICMP ALL
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test ICMP access

  1. On Holo-Console open a command window
  2. Ping 10.1.1.18
  3. Ping from the Holo Console should work

A computer screen with white text</p>
<p>Description automatically generated

  1. Open or reopen a Puddy session to 10.1.1.18.
  2. Login as ocuser with password VMware123!
  3. You should successfully login
  4. Attempt to ping of 10.1.1.19.

A computer screen with a black screen</p>
<p>Description automatically generated

[Lab 2 Summary]

Lab 2 shows the power of the distributed firewall capability in NSX. Using tagging and grouping, we were able to create a scalable set of rules for our Opencart application that only allow necessary communications for application operation, while blocking all other traffic. This was all done directly at the vSphere VDS switch port level, versus a piece of hardware elsewhere in the datacenter.  

7.3 - Holodeck 5.1.1  Load Balancing

Configure load balancer

This module will configure an L3-L7 load balancer on the OC-T11 Router created earlier.

Step 1: Create Server Pool

A server pool is a set of servers that can share the same content.

  1. In NSX Manager, navigate to Networking and click on Load Balancing
  2. The click on the Server Pools tab and click Add Server Pool
  3. Name the pool OC-LB-Pool

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Select Members
  2. Click Add Member
  3. Name SDN-OC-Apache-A, IP 10.1.1.18 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. Repeat steps for OC-Apache-B, using: Name OC-Apache-B, IP 10.1.1.19 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Click Set next to Active Monitor

A screenshot of a computer</p>
<p>Description automatically generated

  1. Select the default HTTP Port 80 monitor, then click Apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Notice the active monitor shown
  3. Click Save

A screenshot of a computer</p>
<p>Description automatically generated

Step 2: Create Load Balancer

  1. Navigate to Networking and click Load Balancing
  2. Click Add Load Balancer
  3. Name the Load Balancer OC-LB. On Attachment select OC-T1

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. When prompted Want to continue configuring this Load Balancer, select No

Step 3: Create Virtual Servers

A Virtual Server is an IP address that acts as the front end for a Server Pool

  1. Navigate to Networking and click on Load Balancing
  2. Click the Virtual Servers tab and then Add Virtual Server, L7 HTTP

A screenshot of a computer</p>
<p>Description automatically generated

  1. Name the Virtual Server OC-VIP, IP Address 10.1.1.2, Port 80
  2. Type OC in the Load Balancer field and it will allow you to select OC-LB
  3. Type OC in the Server Pool field and select OC-LB-Pool
  4. Click on SAVE

A screenshot of a computer</p>
<p>Description automatically generated

Step 4: Test Load Balancer

  1. Open a new tab for 10.1.1.2

A laptops on a website</p>
<p>Description automatically generated

  1. Refresh the browser for this tab. You should see the opposite web server

A white cell phone with a green leaf on the screen</p>
<p>Description automatically generated

Add Web-DB rule

 

The step will Allow communications from  the Apache web servers to MySQL

  1. Click the three dots on SDN-OC and Add Rule
  2. Change name of the rule to Web-DB
  3. Set the Source to SDN–OC-Web-Group
  4. Set the Destination to SDN–OC-DB-Group
  5. Set services to MySQL

  1. Click the pencil icon for services
  2. Filter by name for HTTP and select that service
  3. Click apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Your results should look like the following

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click PUBLISH to make the rules active

Test Opencart

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. Access to the web server should be restored

A laptops on a website</p>
<p>Description automatically generated

Add SSH-Admin Rule

This rule simulates allowing trusted access from a small set of hosts in the administrative area but blocking lateral SSH in the environment

  1. Add a new rule call SSH-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service SSH
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test SSH access

  1. On Holo-Console, click the start menu and then putty
  2. Open an SSH session to 10.1.1.18
  3. Accept the security warning if needed

A screenshot of a computer</p>
<p>Description automatically generated

  1. Login as ocuser with password VMware123!
  2. You should successfully login

A screenshot of a computer</p>
<p>Description automatically generated

  1. Attempt to SSH laterally to 10.1.1.19.

A screenshot of a computer screen</p>
<p>Description automatically generated

Add ICMP-Admin Rule

This rule simulates allowing ICMP Ping for troubleshooting from a small set of hosts in the administrative area but blocking lateral ping in the environment

  1. Add a new rule call ICMP-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service ICMP ALL
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test ICMP access

  1. On Holo-Console open a command window
  2. Ping 10.1.1.18
  3. Ping from the Holo Console should work

A computer screen with white text</p>
<p>Description automatically generated

  1. Open or reopen a Puddy session to 10.1.1.18.
  2. Login as ocuser with password VMware123!
  3. You should successfully login
  4. Attempt to ping of 10.1.1.19.

A computer screen with a black screen</p>
<p>Description automatically generated

[Lab 2 Summary]

Lab 2 shows the power of the distributed firewall capability in NSX. Using tagging and grouping, we were able to create a scalable set of rules for our Opencart application that only allow necessary communications for application operation, while blocking all other traffic. This was all done directly at the vSphere VDS switch port level, versus a piece of hardware elsewhere in the datacenter.  

7.3 - Holodeck 5.1.1  Load Balancing

Configure load balancer

This module will configure an L3-L7 load balancer on the OC-T11 Router created earlier.

Step 1: Create Server Pool

A server pool is a set of servers that can share the same content.

  1. In NSX Manager, navigate to Networking and click on Load Balancing
  2. The click on the Server Pools tab and click Add Server Pool
  3. Name the pool OC-LB-Pool

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Select Members
  2. Click Add Member
  3. Name SDN-OC-Apache-A, IP 10.1.1.18 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. Repeat steps for OC-Apache-B, using: Name OC-Apache-B, IP 10.1.1.19 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Click Set next to Active Monitor

A screenshot of a computer</p>
<p>Description automatically generated

  1. Select the default HTTP Port 80 monitor, then click Apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Notice the active monitor shown
  3. Click Save

A screenshot of a computer</p>
<p>Description automatically generated

Step 2: Create Load Balancer

  1. Navigate to Networking and click Load Balancing
  2. Click Add Load Balancer
  3. Name the Load Balancer OC-LB. On Attachment select OC-T1

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. When prompted Want to continue configuring this Load Balancer, select No

Step 3: Create Virtual Servers

A Virtual Server is an IP address that acts as the front end for a Server Pool

  1. Navigate to Networking and click on Load Balancing
  2. Click the Virtual Servers tab and then Add Virtual Server, L7 HTTP

A screenshot of a computer</p>
<p>Description automatically generated

  1. Name the Virtual Server OC-VIP, IP Address 10.1.1.2, Port 80
  2. Type OC in the Load Balancer field and it will allow you to select OC-LB
  3. Type OC in the Server Pool field and select OC-LB-Pool
  4. Click on SAVE

A screenshot of a computer</p>
<p>Description automatically generated

Step 4: Test Load Balancer

  1. Open a new tab for 10.1.1.2

A laptops on a website</p>
<p>Description automatically generated

  1. Refresh the browser for this tab. You should see the opposite web server

A white cell phone with a green leaf on the screen</p>
<p>Description automatically generated

Add SSH-Admin Rule

 

This rule simulates allowing trusted access from a small set of hosts in the administrative area but blocking lateral SSH in the environment

  1. Add a new rule call SSH-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service SSH
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test SSH access

  1. On Holo-Console, click the start menu and then putty
  2. Open an SSH session to 10.1.1.18
  3. Accept the security warning if needed

A screenshot of a computer</p>
<p>Description automatically generated

  1. Login as ocuser with password VMware123!
  2. You should successfully login

A screenshot of a computer</p>
<p>Description automatically generated

  1. Attempt to SSH laterally to 10.1.1.19.

A screenshot of a computer screen</p>
<p>Description automatically generated

Add ICMP-Admin Rule

This rule simulates allowing ICMP Ping for troubleshooting from a small set of hosts in the administrative area but blocking lateral ping in the environment

  1. Add a new rule call ICMP-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service ICMP ALL
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test ICMP access

  1. On Holo-Console open a command window
  2. Ping 10.1.1.18
  3. Ping from the Holo Console should work

A computer screen with white text</p>
<p>Description automatically generated

  1. Open or reopen a Puddy session to 10.1.1.18.
  2. Login as ocuser with password VMware123!
  3. You should successfully login
  4. Attempt to ping of 10.1.1.19.

A computer screen with a black screen</p>
<p>Description automatically generated

[Lab 2 Summary]

Lab 2 shows the power of the distributed firewall capability in NSX. Using tagging and grouping, we were able to create a scalable set of rules for our Opencart application that only allow necessary communications for application operation, while blocking all other traffic. This was all done directly at the vSphere VDS switch port level, versus a piece of hardware elsewhere in the datacenter.  

7.3 - Holodeck 5.1.1  Load Balancing

Configure load balancer

This module will configure an L3-L7 load balancer on the OC-T11 Router created earlier.

Step 1: Create Server Pool

A server pool is a set of servers that can share the same content.

  1. In NSX Manager, navigate to Networking and click on Load Balancing
  2. The click on the Server Pools tab and click Add Server Pool
  3. Name the pool OC-LB-Pool

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Select Members
  2. Click Add Member
  3. Name SDN-OC-Apache-A, IP 10.1.1.18 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. Repeat steps for OC-Apache-B, using: Name OC-Apache-B, IP 10.1.1.19 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Click Set next to Active Monitor

A screenshot of a computer</p>
<p>Description automatically generated

  1. Select the default HTTP Port 80 monitor, then click Apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Notice the active monitor shown
  3. Click Save

A screenshot of a computer</p>
<p>Description automatically generated

Step 2: Create Load Balancer

  1. Navigate to Networking and click Load Balancing
  2. Click Add Load Balancer
  3. Name the Load Balancer OC-LB. On Attachment select OC-T1

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. When prompted Want to continue configuring this Load Balancer, select No

Step 3: Create Virtual Servers

A Virtual Server is an IP address that acts as the front end for a Server Pool

  1. Navigate to Networking and click on Load Balancing
  2. Click the Virtual Servers tab and then Add Virtual Server, L7 HTTP

A screenshot of a computer</p>
<p>Description automatically generated

  1. Name the Virtual Server OC-VIP, IP Address 10.1.1.2, Port 80
  2. Type OC in the Load Balancer field and it will allow you to select OC-LB
  3. Type OC in the Server Pool field and select OC-LB-Pool
  4. Click on SAVE

A screenshot of a computer</p>
<p>Description automatically generated

Step 4: Test Load Balancer

  1. Open a new tab for 10.1.1.2

A laptops on a website</p>
<p>Description automatically generated

  1. Refresh the browser for this tab. You should see the opposite web server

A white cell phone with a green leaf on the screen</p>
<p>Description automatically generated

Re-Test OpenCart Application

Re-Test OpenCart Application

 

 

  1. Open a web browser (or refresh an existing window) for 10.1.1.18 and/or 10.1.1.19
  2. Access to the web server should be restored

A laptops on a website</p>
<p>Description automatically generated

 

Add SSH-Admin Rule

 

This rule simulates allowing trusted access from a small set of hosts in the administrative area but blocking lateral SSH in the environment

  1. Add a new rule call SSH-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service SSH
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test SSH access

  1. On Holo-Console, click the start menu and then putty
  2. Open an SSH session to 10.1.1.18
  3. Accept the security warning if needed

A screenshot of a computer</p>
<p>Description automatically generated

  1. Login as ocuser with password VMware123!
  2. You should successfully login

A screenshot of a computer</p>
<p>Description automatically generated

  1. Attempt to SSH laterally to 10.1.1.19.

A screenshot of a computer screen</p>
<p>Description automatically generated

Add ICMP-Admin Rule

This rule simulates allowing ICMP Ping for troubleshooting from a small set of hosts in the administrative area but blocking lateral ping in the environment

  1. Add a new rule call ICMP-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service ICMP ALL
  5. Your rules should look like this

A screenshot of a computer</p>
<p>Description automatically generated

Test ICMP access

  1. On Holo-Console open a command window
  2. Ping 10.1.1.18
  3. Ping from the Holo Console should work

A computer screen with white text</p>
<p>Description automatically generated

  1. Open or reopen a Puddy session to 10.1.1.18.
  2. Login as ocuser with password VMware123!
  3. You should successfully login
  4. Attempt to ping of 10.1.1.19.

A computer screen with a black screen</p>
<p>Description automatically generated

[Lab 2 Summary]

Lab 2 shows the power of the distributed firewall capability in NSX. Using tagging and grouping, we were able to create a scalable set of rules for our Opencart application that only allow necessary communications for application operation, while blocking all other traffic. This was all done directly at the vSphere VDS switch port level, versus a piece of hardware elsewhere in the datacenter.  

7.3 - Holodeck 5.1.1  Load Balancing

Configure load balancer

This module will configure an L3-L7 load balancer on the OC-T11 Router created earlier.

Step 1: Create Server Pool

A server pool is a set of servers that can share the same content.

  1. In NSX Manager, navigate to Networking and click on Load Balancing
  2. The click on the Server Pools tab and click Add Server Pool
  3. Name the pool OC-LB-Pool

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Select Members
  2. Click Add Member
  3. Name SDN-OC-Apache-A, IP 10.1.1.18 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. Repeat steps for OC-Apache-B, using: Name OC-Apache-B, IP 10.1.1.19 Port 80

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Click Set next to Active Monitor

A screenshot of a computer</p>
<p>Description automatically generated

  1. Select the default HTTP Port 80 monitor, then click Apply

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Apply
  2. Notice the active monitor shown
  3. Click Save

A screenshot of a computer</p>
<p>Description automatically generated

Step 2: Create Load Balancer

  1. Navigate to Networking and click Load Balancing
  2. Click Add Load Balancer
  3. Name the Load Balancer OC-LB. On Attachment select OC-T1

A screenshot of a computer</p>
<p>Description automatically generated

  1. Click Save
  2. When prompted Want to continue configuring this Load Balancer, select No

Step 3: Create Virtual Servers

A Virtual Server is an IP address that acts as the front end for a Server Pool

  1. Navigate to Networking and click on Load Balancing
  2. Click the Virtual Servers tab and then Add Virtual Server, L7 HTTP

A screenshot of a computer</p>
<p>Description automatically generated

  1. Name the Virtual Server OC-VIP, IP Address 10.1.1.2, Port 80
  2. Type OC in the Load Balancer field and it will allow you to select OC-LB
  3. Type OC in the Server Pool field and select OC-LB-Pool
  4. Click on SAVE

A screenshot of a computer</p>
<p>Description automatically generated

Step 4: Test Load Balancer

  1. Open a new tab for 10.1.1.2

A laptops on a website</p>
<p>Description automatically generated

  1. Refresh the browser for this tab. You should see the opposite web server

A white cell phone with a green leaf on the screen</p>
<p>Description automatically generated

Test SSH access

  1. On Holo-Console, click the start menu and then putty
  2. Open an SSH session to 10.1.1.18
  3. Accept the security warning if needed

A screenshot of a computer</p>
<p>Description automatically generated

  1. Login as ocuser with password VMware123!
  2. You should successfully login

A screenshot of a computer</p>
<p>Description automatically generated

  1. Attempt to SSH laterally to 10.1.1.19.

A screenshot of a computer screen</p>
<p>Description automatically generated

Add ICMP-Admin Rule

This rule simulates allowing ICMP Ping for troubleshooting from a small set of hosts in the administrative area but blocking lateral ping in the environment

  1. Add a new rule call ICMP-Admin
  2. Click on  the pencil icon for source, then select IP addresses
  3. Set a range of 10.0.0.0/24  (Holodeck administrative network with Holo-Console )
  4. Select service ICMP ALL
  5. Your rules should look like this

Test ICMP access

  1. On Holo-Console, open a command window
  2. Ping 10.1.1.18
  3. The ping should succeed: Holo-Console is on 10.0.0.0/24, so the traffic matches ICMP-Admin

  1. Open or reopen a PuTTY session to 10.1.1.18
  2. Log in as ocuser with password VMware123!
  3. The login should succeed
  4. From that session, attempt to ping 10.1.1.19. The lateral ping should fail: 10.1.1.18 is not in 10.0.0.0/24, so the traffic falls through to SDN-Lab-Deny-All

Lab 2 Summary

Lab 2 shows the power of the distributed firewall in NSX. Using tagging and grouping, we built a small, scalable rule set for the OpenCart application that allows only the communications the application needs and rejects everything else. The rules are enforced at each VM's vNIC, the vSphere VDS switch port, rather than at a hardware firewall elsewhere in the datacenter, which is why traffic between two VMs on the same segment is filtered as well.

7.3 - Holodeck 5.1.1 Load Balancing

Configure load balancer

This module configures an NSX L4-L7 load balancer on the OC-T1 Tier-1 gateway created earlier, placing a single virtual IP in front of the two OpenCart web servers.

Step 1: Create Server Pool

A server pool is the set of back-end servers that serve the same content; the load balancer spreads client connections across the members that the health monitor reports as up.

  1. In NSX Manager, navigate to Networking and click Load Balancing
  2. Click the Server Pools tab, then Add Server Pool
  3. Name the pool OC-LB-Pool

  1. Click Select Members
  2. Click Add Member
  3. Name SDN-OC-Apache-A, IP 10.1.1.18, Port 80

  1. Click Save
  2. Repeat the steps for the second web server: Name SDN-OC-Apache-B, IP 10.1.1.19, Port 80

  1. Click Apply
  2. Click Set next to Active Monitor

  1. Select the default HTTP Port 80 monitor, then click Apply. The active monitor is what takes a member out of rotation when it stops answering; without one the load balancer keeps sending connections to a web server that is down

  1. Click Apply
  2. Notice the active monitor shown
  3. Click Save

Step 2: Create Load Balancer

  1. Navigate to Networking and click Load Balancing
  2. Click Add Load Balancer
  3. Name the Load Balancer OC-LB. Under Attachment, select the OC-T1 Tier-1 gateway created earlier

  1. Click Save
  2. When prompted "Want to continue configuring this Load Balancer?", select No

Implementing zero trust with VCF Distributed Firewall

Prerequisites

  • SDN Lab Support VMs deployed
  • Deploying Segments and Distributed Routing completed, or the Terraform plan at C:\VLC\VLC-Holo-Site-1\Holo-Lab-Support-Files\TF-SDN-Lab-SDN applied

Overview

This lab implements a zero trust configuration with the distributed firewall: everything inbound to the OpenCart application is rejected by default, and only the communications the application and its administrators need are opened. We will create the rules below. Note: this is a deliberately simplified example and does not represent production security rules.

Name              Source            Destination                        Port/Protocol  Action  Notes
HTTP-Allow        Any               SDN-OC-Web-Group                   HTTP (80)      Allow   Outside to web port 80
Web-DB            SDN-OC-Web-Group  SDN-OC-DB-Group                    3306 (MySQL)   Allow   Web to DB communication
ssh-admin         10.0.0.0/24       SDN-OC-DB-Group, SDN-OC-Web-Group  SSH (22)       Allow   SSH from the Holo-Console network only
ICMP-Admin        10.0.0.0/24       SDN-OC-DB-Group, SDN-OC-Web-Group  ICMP ALL       Allow   ICMP from the Holo-Console network only
SDN-Lab-Deny-All  Any               SDN-OC-DB-Group, SDN-OC-Web-Group  Any            Reject  Reject all other inbound traffic

Keep in mind that all of this happens in the distributed firewall: the rules are enforced at each VM's switch port, not by a routed (perimeter) firewall that traffic has to be steered through. Because the groups were created in the previous lab, the access rules can be written against those groups rather than against individual addresses, so a VM that is tagged into a group inherits the rules without any rule changes.
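The following is an added example, not NSX code or part of the lab: a small first-match evaluator built from the rule table above, so the outcomes that the Test SSH access and Test ICMP access sections expect (SSH and ping from the administrative network allowed, lateral SSH and ping between the web servers rejected) can be checked before clicking through the UI. Web group membership is taken from the two pool members, 10.1.1.18 and 10.1.1.19; the DB VM address 10.1.1.20 and the Holo-Console address 10.0.0.201 are assumptions, since the page does not give them.

```python
"""First-match model of the lab's DFW rule table (added example, not NSX code)."""
import ipaddress

ANY = "Any"

# Group membership. Web addresses come from the pool members; the DB address is
# an assumption, since the page does not state it.
GROUPS = {
    "SDN-OC-Web-Group": {"10.1.1.18", "10.1.1.19"},  # SDN-OC-Apache-A, SDN-OC-Apache-B
    "SDN-OC-DB-Group": {"10.1.1.20"},                # assumed DB VM address
}

# Service name -> (protocol, destination port); None means "any".
SERVICES = {
    "HTTP": ("tcp", 80),
    "MySQL": ("tcp", 3306),
    "SSH": ("tcp", 22),
    "ICMP ALL": ("icmp", None),
    "Any": (None, None),
}

# (name, sources, destinations, service, action), in policy order, from the rule table.
RULES = [
    ("HTTP-Allow", [ANY], ["SDN-OC-Web-Group"], "HTTP", "Allow"),
    ("Web-DB", ["SDN-OC-Web-Group"], ["SDN-OC-DB-Group"], "MySQL", "Allow"),
    ("ssh-admin", ["10.0.0.0/24"], ["SDN-OC-DB-Group", "SDN-OC-Web-Group"], "SSH", "Allow"),
    ("ICMP-Admin", ["10.0.0.0/24"], ["SDN-OC-DB-Group", "SDN-OC-Web-Group"], "ICMP ALL", "Allow"),
    ("SDN-Lab-Deny-All", [ANY], ["SDN-OC-DB-Group", "SDN-OC-Web-Group"], "Any", "Reject"),
]


def _ip_matches(ip, spec):
    """spec is 'Any', a group name, or an IP/CIDR string."""
    if spec == ANY:
        return True
    if spec in GROUPS:
        return ip in GROUPS[spec]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _service_matches(proto, dport, service):
    want_proto, want_port = SERVICES[service]
    if want_proto is None:
        return True
    return proto == want_proto and (want_port is None or dport == want_port)


def evaluate(src_ip, dst_ip, proto, dport=None, rules=RULES):
    """Walk the rules top-down and return (rule_name, action) of the first match.
    Flows that match nothing fall to the NSX default Layer 3 rule, which is Allow
    unless it has been changed; with the deny-all scoped to both groups, no flow
    to a group member gets that far."""
    for name, sources, dests, service, action in rules:
        if (any(_ip_matches(src_ip, s) for s in sources)
                and any(_ip_matches(dst_ip, d) for d in dests)
                and _service_matches(proto, dport, service)):
            return name, action
    return "default", "Allow"


def lab_expectations(console_ip="10.0.0.201"):
    """The flows the lab exercises, keyed by description. console_ip is an assumption."""
    return {
        "browser to web": evaluate("192.0.2.10", "10.1.1.18", "tcp", 80),
        "web to db": evaluate("10.1.1.18", "10.1.1.20", "tcp", 3306),
        "console ssh": evaluate(console_ip, "10.1.1.18", "tcp", 22),
        "console ping": evaluate(console_ip, "10.1.1.18", "icmp"),
        "lateral ssh": evaluate("10.1.1.18", "10.1.1.19", "tcp", 22),
        "lateral ping": evaluate("10.1.1.18", "10.1.1.19", "icmp"),
        "outside to db": evaluate("192.0.2.10", "10.1.1.20", "tcp", 3306),
    }


if __name__ == "__main__":
    for flow, (rule, action) in lab_expectations().items():
        print(f"{flow:16} -> {action:6} ({rule})")
```

Rule order is part of the policy: passing the same table with SDN-Lab-Deny-All moved to the top makes evaluate() reject the browser-to-web flow too, which is exactly what happens in NSX if the deny-all is published above the allow rules.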
