lunedì 27 aprile 2020

NSX-T - Error to fetch SSH Fingerprint

Issue
Recently I needed to set up backups of a NSX-T Manager for a one time backup. I have performed the procedures shown in this link: I logged in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>. Selected System > Backup & Restore then Edit (in the upper right of the page to configure backups) and filled up all forms except the once regarding the SSH fingerprint of the server that stores the backups, because as indicated, I could leave it blank.
Doing so, I received the following error message:

Error while fetching fingerprint of fileserver Algorithm negotiation fail. Possibly, there is no ecdsa and ed25519 support for public keys (Error code: 29259)
- Please retry or provide the fingerprint.




By carefully reading the documentation about the Prerequisites, at the link says:

Verify that you have the SSH fingerprint of the backup file server. Only an SHA256 hashed ECDSA key is accepted as a fingerprint. See Find the SSH Fingerprint of a Remote Server.

Solution
In case was not practicable to follow the instructions suggested in the link, is it possible to get the SSH Fingerprint of a Remote Server through a REST API request. Info about NSX-T Data Center API Guide regarding NSX-T Data Center 2.5.0 can be found here.

So, to fetch the SHA256 fingerprint of the SFTP backup target, in my case, I used the following CURL command:

curl --user admin -H 'Content-Type: application/json' --request POST  https://<nsx-manager-ip-address>/api/v1/cluster/backups?action=retrieve_ssh_fingerprint -k -d '{ "server":"<Target-Backup-IP-Address>","port":22}'

The NSX-T Manager API responds with the SHA256 fingerprint of the SFTP server:



A very great post on configuring and troubleshooting NSX-T SFTP backups, wrote by Gary Hills is available here.


That's it.

martedì 21 aprile 2020

NSX - Enable and Disable Firewall are greyed out

Issue
Today I face out with a singular issue, whole clusters show me Communication Channels DOWN and Firewall status ERROR.


Checking inside ACTIONS in Host Preparation tab I saw that Resolve, Enable and Disable Firewall was greyed out as well even if EAM was UP and running Normal.


Looking inside logs, I haven't found something interesting ... NSX Controllers were UP and Running Normal, NSX Cluster was UP, communication between various components of the NSX environment has been tested successfully with the ping ... so, everything seemed to work properly.

I tried to create new objects (examples Logical Switches) and was created and synced correctly on every hosts.

Then alternatively I tried to reboot both NSX Manager and vCenter ... without success. Communication channel were still DOWN and Firewall status still in ERROR.

I also tried to restart the on Control Plane Agent (netcpad service) on some hosts, randomly chosen, but without success .... communication between NSX's objects works fine but at GUI level I continue to see the error.



Solution
The fastest way I found to resolve the issue was to put into maintenance mode the ESXi host and then, one by one, reboot every single host of the whole cluster.
After the reboot of the ESXi host, the Communication channel and the Firewall status was properly recognized.


After all hosts have been restarted, the grayed out option in ACTIONS became available.


That's it.


mercoledì 8 aprile 2020

What's new in NSX-T Data Center 3.0

What's new in NSX-T Data Center 3.0
NSX-T Data Center 3.0 version has been released today, with this release VMware introduce a variety of new features to provide new functionality for virtualized networking and security for private, public, and multi-clouds. Highlights include the following focus areas and new features:

  • Cloud-scale Networking: NSX Federation
  • Intrinsic Security: Distributed IDS, Micro-Segmentation for Windows Physical Servers, Time-based Firewall Rules, and a feature preview of URL Analysis
  • Modern Apps Networking: NSX-T for vSphere with Kubernetes, container networking and security enhancements
  • Next-Gen Telco Cloud: L3 EVPN for VM mobility, accelerated data plane performance, NAT64, IPv6 support for containers, E-W service chaining for NFV
Some of the new features will be discussed down here, most o them and enhancements are available in the NSX-T Data Center 3.0.0 release Notes.

Before to drill down into the new features I would like to remember that VMware NSX-T provide functionality, all the way from layer two layer seven on the stacks of connectivity. They have logical layer two layer three across physical bare metal and container workloads. They also support layer to VPN and layer three base route and policy VPN. and so on .. the are continuing to add more Layer seven capabilities and more Context Aware inside the Firewall engine.
Below a simple picture of a NSX-T Single Heterogeneous SDN Platform before NSX-T Data Center version 3.0


Release of the new features concern Full-stack Networking and Security Virtualization ...


... let's have a look below of some new features:

NSX Federation
NSX-T 3.0 introduces the ability to federate multiple on-premises data centers through a single pane of glass, called Global Manager (GM). GM provides a graphical user interface and an intent-based REST API endpoint. Through the GM, you can configure consistent security policies across multiple locations and stretched networking objects: Tier0 and Tier1 gateways and segments.



VRF Lite in NSX-T 3.0
Now is possible to have multi-tenant data plane isolation through Virtual Routing Forwarding (VRF) in Tier-0 gateway. VRF has its own isolated routing table, uplinks, NAT and gateway firewall services; the solution can scale up to 100 VRFs per Tier0 Gateway.



Converged VDS
With new vSphere version 7.0 is possible to run NSX straight on VDS 7.0 that's part of it, giving the possibility to use the existing VDS dvPortGroups for NSX switching.


Actually this features is for GreenField only, where you start with a fresh deploy. Where we already have a previous NSX-T installation we can continue to leverage on N-VDS. However, it is recommended that new deployments of NSX and vSphere take advantage of this close integration and start to move toward the use of NSX-T on VDS. The N-VDS NSX-T host switch will be deprecated in a future release. Going forward, the plan is to converge NSX-T and ESXi host switches. The N-VDS remains the switch on the KVM, NSX-T Edge Nodes, native public cloud NSX agents and for bare metal workloads.


Some UI enahcement
In previous NSX-T 2.4 version was introduced the whole policy UI mode and Advanced mode. So now we have a switch to seamlessly switch between the policy and the manager view to configure objects


New Getting Started Wizard to prepare clusters for micro-segmentation has been introduced.


Networking topology visualizations has been introduced. This feature provide graphical visualization of the network infrastructure with the possibility to export the topology in PDF.
With this new features, we can see containers attached if we have containers networking in our views; it is also possible to drill deep inside a particular topology and look the routing table, the forwarding tables etc.


New Alarm Dashboard for managing alarms.



Distributed Intrusion Detection System (D-IDS)
Challenges with the traditional Data Center IDS/IPS (picture below) most of the time deployed in a physical IDS/IPS appliance in large clusters that are deployed behind firewall with their own management console (when IDS/IPS in not integrated into firewall) and traffic is hairpin across the physical network.


Introducing in NSX Platform the capability of Distributed Intrusion Detection as a part of the platform's Threat & Vulnerability Detection capabilities. This feature allows you to enable intrusion detection capabilities within the hypervisor to detect vulnerable network traffic. This distributed mechanism can be enabled on a per VM and per vNIC of a VM basis with granular rule inspection. As part of this feature set, the NSX Manager is able to download the latest signature packs from the NSX Signature Service. This keeps the NSX Distributed IDS updated with the latest threat signatures in the environment.



Service Insertion and Guest Introspection
E-W Service Chaining for NFV-SFC at the Edge - The ability to chain multiple services was earlier available only to distributed traffic but is now available for edge traffic. The East-West service chains can now also be extended to redirect edge traffic.
Disable cloning of NSX Service VMs - Cloning of Service VMs is now prevented from the vSphere Client to prevent malfunctioning of the VMs.



Container Networking and Security
Container Inventory & Monitoring in User Interface - Container cluster, Namespace, Network Policy, Pod level inventory can be visualized in the NSX-T User Interface. Visibility is also provided into co-relation of Container/K8 objects to NSX-T logical objects.
IPAM Flexibility - The NSX Policy IP Block API has been enhanced to carve out IP subnets of variable sizes. This functionality helps the NSX Container Plugin carve out variable size subnets for Namespaces using Policy API.
NCP Component Health Monitoring - The NSX Container Plugin and related component health information like NCP Status, NSX Node Agent Status, NSX Hyperbus Agent Status can be monitored using the NSX Manager UI/API.


..... most of the features and enhancements are available in the NSX-T Data Center 3.0.0 release Notes


Enjoy!!

Notes: All information, texts and images contained in this article are owned by VMware.

giovedì 2 aprile 2020

VMs with active Snapshots

Issue
I need to get a list of VMs with active snapshots.

Solution
Below a very simple PowerCLI script that will return the list of snapshots that are in the environment.
First of all, after you have opened a powershell terminal (doesn't mind if Windows/Linux/MacOS), you need to connect to the vCenter Server, providing a proper User and Password:

Connect-VIServer -Server “IP/hostname/FQDN”
Once connected you can execute the following command:
Get-VM | Get-Snapshot | Select VM, Name, Created, @{N="SizeGB";E={[math]::round($_.SizeGB,4)}}


That's it.