Table of Contents

Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight .......... 2
  Lab Guidance .......... 3
Module 1 - Micro-Segmentation and Security (30 minutes) .......... 9
  Introduction .......... 10
  Micro-Segmentation Introduction .......... 12
  Conclusion .......... 45
Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes) .......... 46
  Introduction .......... 47
  360 Network Visibility and Troubleshooting .......... 48
  Conclusion .......... 82
Module 3 - Advanced NSX Management & Operations (45 minutes) .......... 84
  Introduction .......... 85
  NSX Advanced Management Operations .......... 86
  Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations .......... 97
  Conclusion .......... 98
Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes) .......... 100
  Introduction .......... 101
  Introduction to Managing Security for Public Clouds (AWS) .......... 102
  Conclusion .......... 120

HOL-1829-01-NET Page 1

Source: docs.hol.vmware.com/HOL-2018/hol-1829-01-net_pdf_en.pdf



Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight


Lab Guidance

Note: It will take approximately 90 minutes to complete this lab. You should expect to finish only two of the modules during your time if you are new to vRealize Network Insight. The modules are independent of each other, so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

In this lab, students will be presented with an overview and demonstration of vRealize Network Insight. This lab will focus on four particular capabilities and two use-case scenarios. The first module introduces micro-segmentation and security within networks, followed by module two, which provides a detailed map walk-through of a real-time flow rendering a 360 degree view across platforms, underlays and overlays. Module three focuses on NSX Manager and provides an easy, in-depth look at how advanced NSX operations are managed within vRealize Network Insight. Module four focuses on managing security for public clouds (AWS).

Lab Module List

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

Lab Captain

• Modules 1 - 4 - Atif Qadeer, Senior Systems Engineer - NSX, UK

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.pub/HOL-2017

This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.

2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.

3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your work must be done during the lab session, but you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice for up to 30 minutes; each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes; each click gives you an additional hour.

Alternate Methods of Keyboard Data Entry

During this module you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.


Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.


Click once in active console window

In this example you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window
2. Click on the Shift key

Click on the @ key

1. Click on the "@" key

Notice the "@" sign entered in the active console window.


vRealize Network Insight - Navigation

• 1 - HOME - Use this if you need to return to the original navigation and search screen
• 2 - Navigation Pane
• 3 - Search Bar, including time line
• 4 - Detail & Information Pane
• 5 - Alerts, Pinboards, Settings

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilize this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.


Look at the lower right portion of the screen

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than Ready, please wait a few minutes. If after 5 minutes your lab has not changed to Ready, please ask for assistance.


Module 1 - Micro-Segmentation and Security (30 minutes)


Introduction

When mid to large-sized enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on networks. The most challenging part is knowing what information is required to get started, how to locate the information and traffic flow, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. This process automatically generates a recommended model for security groups and specific firewall rules for each group. This makes life much easier for Security Architects and Engineers.

vRealize Network Insight (vRNI) relies on an IPFIX collector at the Virtual Distributed Switch layer to capture data flows. We enable IPFIX at the Virtual Distributed Switch layer so that the ESXi hosts forward IPFIX UDP packets to the vRealize Network Insight appliance. The data capture enables real-time data flow for all port traffic and provides further filtering capabilities in order to explore East-West traffic.

We have two scenarios to help explain how vRealize Network Insight can be utilized to ensure we have full visibility and granular control to deploy firewall rules in order to complete micro-segmentation without guessing.

Scenario 1 (Brownfield deployment): Customer ABC bought ESXi and NSX and does not have a clear understanding of how to operationally deploy existing workloads with East-West firewall protection, or how to segment the workload. The client will now use vRealize Network Insight to observe the real-time data flow between ports in order to build the East-West firewall rules. The vRealize Network Insight process will observe the traffic patterns based on the captured data flow; recommendations will then be made in order to secure workloads for East-West communication. Current firewall and micro-segmentation can also be verified.

Scenario 2 (Greenfield): Customer ABC has a new deployment project for DevOps and does not yet know what the immediate firewall rules or recommendations would be. Using vRealize Network Insight we can immediately start to monitor the real-time data flow as each deployment and development unfolds. Based on the DevOps information we can now apply the firewall rules at the Q&A stage and prep for testing, to ensure that when we move workloads into Production we will have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or implement successful East-West firewall rules. The process of planning security relies only on IPFIX at the vDS layer in order to capture and observe data flow between ports.

This Module contains the following lessons:


• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion


Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the Favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.


Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type plan security (the search bar uses Auto Fill and predictive text will appear as you type)
2. Select the Time icon

Plan Security - Specify a Preset

1. Select Presets
2. Select Last Week
3. Click the search icon to continue


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to help understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained in lettered format below. Use these as a reference and do not click on the links at this stage.

• A - The sum of all traffic flows, with the percentage shown as East-West-only traffic
• B - The percentage of traffic that was switched
• C - The percentage of traffic that is routed between the East-West ports
• D - Virtual machine to virtual machine traffic, as a percentage of the sum in point A above
• E - Traffic observed between virtual machines on the same host
• F - Traffic that requires internet access

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuple fields, which means every time a new TCP connection is established and terminated a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic, comes from a wide range and keeps on changing. As long as multiple sessions have the same source IP, same destination IP, same destination port and same protocol, they will be combined into one record called a flow.

So 1000s of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flow by destination IP), the following metric counters can be used.

Counter names:

• allowed sessions - count of sessions (5-tuples) corresponding to a flow (4-tuple)
• bytes - total traffic volume exchanged on the flow (the sum of the two counters described below)
• src bytes - total bytes sent by src_ip of the flow to dst_ip/port/protocol
• dst bytes - total bytes received by src_ip of the flow from dst_ip/port/protocol
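The session-to-flow aggregation and the four counters described above, as an added example (not vRealize Network Insight code); the session records and addresses are constructed for illustration, and the final function shows the "outgoing flow by destination IP" analysis the text mentions:

```python
"""Aggregate 5-tuple sessions into 4-tuple flows with the four counters
the text describes. Added example, not vRealize Network Insight code;
all session records below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One 5-tuple session as an IPFIX collector would record it."""
    src_ip: str
    src_port: int      # ephemeral; a new value for every TCP connection
    dst_ip: str
    dst_port: int
    protocol: str
    src_bytes: int     # bytes src_ip sent to dst_ip:dst_port
    dst_bytes: int     # bytes src_ip received back on this session


@dataclass
class Flow:
    """4-tuple flow: the source port is dropped, counters are accumulated."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    allowed_sessions: int = 0   # number of 5-tuple sessions folded in
    src_bytes: int = 0
    dst_bytes: int = 0

    @property
    def bytes(self) -> int:
        """'bytes' counter: sum of src bytes and dst bytes."""
        return self.src_bytes + self.dst_bytes


def aggregate(sessions):
    """Fold sessions into flows keyed on (src_ip, dst_ip, dst_port, protocol)."""
    flows = {}
    for s in sessions:
        key = (s.src_ip, s.dst_ip, s.dst_port, s.protocol)
        flow = flows.get(key)
        if flow is None:
            flow = Flow(*key)
            flows[key] = flow
        flow.allowed_sessions += 1
        flow.src_bytes += s.src_bytes
        flow.dst_bytes += s.dst_bytes
    return flows


def outgoing_distribution(flows, src_ip):
    """Share of bytes per destination IP over the flows leaving src_ip, the
    'distribution of a VM's outgoing flow by destination IP' use case."""
    per_dst = defaultdict(int)
    for f in flows.values():
        if f.src_ip == src_ip:
            per_dst[f.dst_ip] += f.bytes
    total = sum(per_dst.values())
    return {dst: b / total for dst, b in per_dst.items()} if total else {}


# Constructed sample: three connections from one VM to another on port 5443,
# each with a different ephemeral source port, plus one DNS lookup.
SAMPLE_SESSIONS = [
    Session("10.17.8.3", 51000, "10.17.8.2", 5443, "TCP", 1200, 8400),
    Session("10.17.8.3", 51001, "10.17.8.2", 5443, "TCP", 900, 6100),
    Session("10.17.8.3", 51002, "10.17.8.2", 5443, "TCP", 1500, 10000),
    Session("10.17.8.3", 40123, "10.17.8.10", 53, "UDP", 80, 160),
]

if __name__ == "__main__":
    for key, f in aggregate(SAMPLE_SESSIONS).items():
        print(key, "sessions=%d bytes=%d" % (f.allowed_sessions, f.bytes))
```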

1. Click on the East-West traffic block

This will bring a new window into view with detailed analysis of the traffic.


East-West (EW) - Detailed view

This is only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the time line to see the rate of flow, indicated by the green line, for that period.

1. Click the close icon (x) to continue

Services/Ports


Locating the Services screen for the next step

Services/Ports - Time line view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be delivered by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

For communication over port 5443 during the Last 24 hours we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous date range)
2. Select the drop-down box and then select by Subnet
3. We can further analyze micro-segments by secondary groups (this step is for information only)
4. Click Analyze to populate the data


Focus - 10.17.8.0 Network

A - Hover over (do not click) the 10.17.8.0 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the internet and other subnets. The parentheses after the network will indicate the number of virtual machines. The coloured lines will indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To change the view to track flows between Prod-Web and Prod-Midtier, we will be switching from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).


Focus - Prod-Web (25)

1. Hover over Prod-Web
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why
3. Click on the line joining Prod-Web and Prod-Midtier

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints, or flows, that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue


Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints, or flows, that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue
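The steps above show vRealize Network Insight collapsing hundreds of observed flows into a handful of recommended rules (the Prod-Web to Prod-Midtier ALLOW on 8080 earlier, and the 6 rules for Prod-Web here). As an added example, not vRNI's own recommendation engine, the following simplified version reproduces that idea: observed 4-tuple flows become one ALLOW rule per source group, destination group and service, and flows not covered by a rule set can be listed for review. The VM-to-group mapping, addresses and flows are constructed.

```python
"""Derive recommended allow rules from observed flows between security
groups. Added example; a simplified stand-in for the recommendation step
the lab shows, not vRealize Network Insight code. Group membership,
addresses and flows are constructed."""
from collections import defaultdict

# Constructed VM -> security group membership. Addresses outside the map
# are treated as External (internet or physical shared resources).
GROUP_OF = {
    "10.17.8.21": "Prod-Web", "10.17.8.22": "Prod-Web",
    "10.17.8.31": "Prod-Midtier", "10.17.8.32": "Prod-Midtier",
    "10.17.8.41": "Prod-DB",
}

# Constructed observed 4-tuple flows: (src_ip, dst_ip, dst_port, protocol).
OBSERVED_FLOWS = [
    ("10.17.8.21", "10.17.8.31", 8080, "TCP"),
    ("10.17.8.22", "10.17.8.31", 8080, "TCP"),
    ("10.17.8.22", "10.17.8.32", 8080, "TCP"),
    ("10.17.8.31", "10.17.8.41", 5443, "TCP"),
    ("10.17.8.21", "10.0.0.53", 53, "UDP"),      # external DNS
    ("203.0.113.7", "10.17.8.21", 443, "TCP"),    # internet client
]


def group_for(ip):
    return GROUP_OF.get(ip, "External")


def recommend_rules(flows):
    """Collapse flows into (src_group, dst_group, port, protocol) ALLOW rules,
    recording how many observed flows each rule covers. Many VM-to-VM flows
    between the same two groups on the same service become a single rule."""
    coverage = defaultdict(int)
    for src, dst, port, proto in flows:
        coverage[(group_for(src), group_for(dst), port, proto)] += 1
    return [
        {"source": s, "destination": d, "port": p, "protocol": pr,
         "action": "ALLOW", "flows": n}
        for (s, d, p, pr), n in sorted(coverage.items())
    ]


def rules_between(rules, src_group, dst_group):
    """Rules recommended for traffic from src_group to dst_group."""
    return [r for r in rules
            if r["source"] == src_group and r["destination"] == dst_group]


def unmatched_flows(flows, rules):
    """Flows that no rule in the given set covers. Under a default-deny
    policy these are the flows that would break once the rules are pushed,
    so they are what to review before exporting rules to NSX Manager."""
    covered = {(r["source"], r["destination"], r["port"], r["protocol"])
               for r in rules}
    return [f for f in flows
            if (group_for(f[0]), group_for(f[1]), f[2], f[3]) not in covered]


if __name__ == "__main__":
    for rule in recommend_rules(OBSERVED_FLOWS):
        print(rule)
```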

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN
2. Click on by Application

1. Hover over Prod-App (47) (do not click at this stage)
2. Click on Keep Focus

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application
2. Click the Search button

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application - click on Add Application.


1. Under Application Name, type HOL-Pre-Prod
2. Under Tier, type the Name as HOL-Pre-Prod
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you)
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities
2. You can also see HOL-Pre-Prod in the list

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type)

2. Click search to continue


The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view will enable the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step)

1. In the pop-up screen we can immediately see what the Source and Destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier); a new TAB will open at the top of the screen

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses Auto Fill and predictive text will appear as you type)

2. Click search to continue

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window
3. Click Between and select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes)
4. Click search

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section as it was based on the original search and alert notification "Firewall rule membership change").
3. Info Only - Do not click - View / Edit / Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome Web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies problem determination as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the Favorites Bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type "dba" into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type "prod" in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top-left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message will appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in previous steps) are an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge/VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. This shows the visual map (Path topology) of all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations

(45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the Favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type "NSX Manager" (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - Do not click

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. Tracking the issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The Problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager Information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS)

(30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the Favorites Bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on 53 and LogServer on 514 on VPC Common Services.
10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.
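The intended flow matrix in steps 4 to 10 can be written down as an allow-list and checked against collected flows, which is the comparison a micro-segmentation plan rests on. This is an added example, not the lab's or vRealize Network Insight's own code: the tier labels, the assumption that DNS and syslog use UDP, and the observed flow records are all constructed.

```python
# Added example, not the lab's own code. Encodes the lab's CRM / Common
# Services flow matrix as an allow-list and classifies constructed flow
# records against it. Tier labels are assumed names for this example;
# a real deployment would map instances to tiers via security groups or tags.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_tier: str
    dst_tier: str
    proto: str
    port: int


# Intended policy from the lab description (steps 4-9). The UDP choice for
# DNS (53) and LogServer/syslog (514) is an assumption; the lab gives only ports.
ALLOWED = {
    ("JumpBox", "Web", "tcp", 80),     # internal users reach Web via the jump-box
    ("DCVirtual", "Web", "tcp", 80),   # internal datacenter VMs reach Web
    ("Web", "App", "tcp", 8080),
    ("App", "DB", "tcp", 3306),
}
for tier in ("Web", "App", "DB"):
    ALLOWED.add(("JumpBox", tier, "tcp", 22))      # SSH from the jump-box to every VM
    ALLOWED.add((tier, "DNS", "udp", 53))          # all tiers -> DNS in Common Services
    ALLOWED.add((tier, "LogServer", "udp", 514))   # all tiers -> LogServer in Common Services


def classify(flow, allowed=ALLOWED):
    """'permitted' if the flow is in the intended matrix, else 'unexpected'."""
    key = (flow.src_tier, flow.dst_tier, flow.proto, flow.port)
    return "permitted" if key in allowed else "unexpected"


def unexpected_flows(flows, allowed=ALLOWED):
    """Flows the plan does not cover, grouped by (source tier, destination tier)."""
    out = {}
    for f in flows:
        if classify(f, allowed) == "unexpected":
            out.setdefault((f.src_tier, f.dst_tier), []).append((f.proto, f.port))
    return out


# Constructed flow records of the kind collected from the two VPCs. The last
# two are deliberately outside the documented matrix.
OBSERVED = [
    Flow("Web", "App", "tcp", 8080),
    Flow("App", "DB", "tcp", 3306),
    Flow("DB", "LogServer", "udp", 514),
    Flow("JumpBox", "DB", "tcp", 22),
    Flow("Web", "DB", "tcp", 3306),      # constructed: Web skipping the App tier
    Flow("DB", "LogServer", "tcp", 22),  # constructed: DB to LogServer on an undocumented port
]


if __name__ == "__main__":
    for (src, dst), services in sorted(unexpected_flows(OBSERVED).items()):
        print(f"{src} -> {dst}: not in plan: {services}")
```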

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers). This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the browser tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the browser tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the browser tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results, both outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
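The same check the three firewall queries perform by hand can be expressed as a design-versus-rules comparison. The script below is an added example, not part of the lab manual or of vRealize Network Insight: it transcribes the CRM application's intended communication matrix from the AWS Configuration section, evaluates it against a constructed rule set in which the DB's inbound syslog rule is missing, and reports the one designed flow that is denied and which half of the rule pair is absent. The App tier VM name crm-app1, the tcp/udp protocols per port and the simplified rule format (egress on the source and ingress on the destination must both match) are assumptions.

```python
"""Added example, not from the HOL-1829-01-NET manual or from vRealize Network
Insight. Models the CRM application's intended traffic (the lab's 'AWS
Configuration' section) and checks it against a constructed rule set, which
reproduces the lab's finding: the only designed flow denied is crm-database ->
aws-log-server on 514, because the log server has no inbound rule for the DB.
Assumptions: 'crm-app1' names the App tier VM; tcp for 22/80/8080/3306 and udp
for 53/514; the rule model (egress on the source AND ingress on the destination
must both match) is a simplification of AWS security groups, not the AWS API.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int]  # (src_vm, dst_vm, protocol, port)


@dataclass(frozen=True)
class Rule:
    vm: str          # VM (security group member) the rule is attached to
    direction: str   # "egress": vm -> peer, "ingress": peer -> vm
    peer: str        # the other endpoint's VM name, or "any"
    protocol: str
    port: int

    def permits(self, src: str, dst: str, protocol: str, port: int) -> bool:
        if self.protocol != protocol or self.port != port:
            return False
        if self.direction == "egress":
            return self.vm == src and self.peer in ("any", dst)
        return self.vm == dst and self.peer in ("any", src)


TIERS = ("crm-web1", "crm-app1", "crm-database")

# Intended CRM communication matrix, transcribed from the lab text.
DESIGNED_FLOWS: List[Flow] = [
    ("jump-box", "crm-web1", "tcp", 80),        # internal users reach Web via the jump-box
    ("crm-web1", "crm-app1", "tcp", 8080),      # Web -> App
    ("crm-app1", "crm-database", "tcp", 3306),  # App -> DB
]
DESIGNED_FLOWS += [("jump-box", t, "tcp", 22) for t in TIERS]          # ssh to every VM
DESIGNED_FLOWS += [(t, "aws-DNS-Server", "udp", 53) for t in TIERS]   # DNS in VPC Common Services
DESIGNED_FLOWS += [(t, "aws-log-server", "udp", 514) for t in TIERS]  # syslog in VPC Common Services

# Constructed rule set mirroring the lab's state: the administrator wrote the
# database's outbound rules but never added the inbound 514 rule on the log
# server for the database (the web and app tiers have it).
CONFIGURED_RULES: List[Rule] = [
    Rule("jump-box", "egress", "any", "tcp", 22),
    Rule("jump-box", "egress", "crm-web1", "tcp", 80),
    Rule("crm-web1", "ingress", "jump-box", "tcp", 80),
    Rule("crm-web1", "egress", "crm-app1", "tcp", 8080),
    Rule("crm-app1", "ingress", "crm-web1", "tcp", 8080),
    Rule("crm-app1", "egress", "crm-database", "tcp", 3306),
    Rule("crm-database", "ingress", "crm-app1", "tcp", 3306),
    Rule("aws-log-server", "ingress", "crm-web1", "udp", 514),
    Rule("aws-log-server", "ingress", "crm-app1", "udp", 514),
]
CONFIGURED_RULES += [Rule(t, "ingress", "jump-box", "tcp", 22) for t in TIERS]
CONFIGURED_RULES += [Rule(t, "egress", "any", "udp", p) for t in TIERS for p in (53, 514)]
CONFIGURED_RULES += [Rule("aws-DNS-Server", "ingress", t, "udp", 53) for t in TIERS]


def evaluate_flow(flow: Flow, rules: List[Rule]) -> Dict[str, bool]:
    """Check both halves of the rule pair; a missing half means Deny."""
    src, dst, proto, port = flow
    egress = any(r.direction == "egress" and r.permits(src, dst, proto, port) for r in rules)
    ingress = any(r.direction == "ingress" and r.permits(src, dst, proto, port) for r in rules)
    return {"egress": egress, "ingress": ingress, "allowed": egress and ingress}


def find_denied_designed_flows(designed: List[Flow], rules: List[Rule]) -> List[Tuple[Flow, str]]:
    """Designed flows the rule set would deny, each with the missing half named."""
    denied = []
    for flow in designed:
        result = evaluate_flow(flow, rules)
        if not result["allowed"]:
            missing = [side for side in ("egress", "ingress") if not result[side]]
            denied.append((flow, " and ".join(missing)))
    return denied


def firewall_actions(designed: List[Flow], rules: List[Rule], dst_vm: str) -> Dict[str, int]:
    """Allow/Deny counts for designed flows to dst_vm, mirroring the lab's
    'firewall action of flows where dst vm = ...' search."""
    counts = {"ALLOW": 0, "DENY": 0}
    for flow in designed:
        if flow[1] == dst_vm:
            counts["ALLOW" if evaluate_flow(flow, rules)["allowed"] else "DENY"] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, proto, port), missing in find_denied_designed_flows(DESIGNED_FLOWS, CONFIGURED_RULES):
        print(f"DENY {src} -> {dst} {proto}/{port}: no matching {missing} rule")
    print("aws-log-server:", firewall_actions(DESIGNED_FLOWS, CONFIGURED_RULES, "aws-log-server"))
```

Adding the single missing inbound rule (aws-log-server, ingress, crm-database, udp, 514) to CONFIGURED_RULES empties the denied list, which is the remediation the lab's queries point at.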


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Lab Overview -HOL-1829-01-NET -

Getting Started withvRealize Network Insight

HOL-1829-01-NET

Page 2HOL-1829-01-NET

Lab GuidanceNote It will take approximately 90 minutes to complete this lab You shouldexpect to only finish two of the modules during your time if you are new tovRealize Network Insight The modules are independent of each other so youcan start at the beginning of any module and proceed from there You can usethe Table of Contents to access any module of your choosing

The Table of Contents can be accessed in the upper right-hand corner of theLab Manual

In this lab students will be presented with an overview and demonstration usingvRealize Network Insight This lab will focus on four particular capabilities and two usecase scenarios The first module introduces Micro-segmentation and the security withinnetworks followed by module two that will provide a detailed Map walk through of aReal Time flow rendering a 360 degree view for cross platform under and overlaysModule number three will focus on NSX Manager and provide an easy in-depth look athow we manage advanced NSX operations within vRealize Network Insight Modulenumber four will focus on Manage Security for Public Clouds (AWS)

Lab Module List

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

Lab Captain

bull Module 1 - 4 - Atif Qadeer Senior Systems Engineer - NSX UK

This lab manual can be downloaded from the Hands-on Labs Document site found here

[httpdocsholpubHOL-2017]

This lab may be available in other languages To set your language preference and havea localized manual deployed with your lab you may utilize this document to help guideyou through the process

httpdocsholvmwarecomannouncementsnee-default-languagepdf

HOL-1829-01-NET

Page 3HOL-1829-01-NET

Location of the Main Console

1 The area in the RED box contains the Main Console The Lab Manual is on the tabto the Right of the Main Console

2 A particular lab may have additional consoles found on separate tabs in the upperleft You will be directed to open another specific console if needed

3 Your lab starts with 90 minutes on the timer The lab can not be saved All yourwork must be done during the lab session But you can click the EXTEND toincrease your time If you are at a VMware event you can extend your lab timetwice for up to 30 minutes Each click gives you an additional 15 minutesOutside of VMware events you can extend your lab time up to 9 hours and 30

minutes Each click gives you an additional hour

Alternate Methods of Keyboard Data Entry

During this module you will input text into the Main Console Besides directly typing itin there are two very helpful methods of entering data which make it easier to entercomplex data

HOL-1829-01-NET

Page 4HOL-1829-01-NET

Click and Drag Lab Manual Content Into Console ActiveWindow

You can also click and drag text and Command Line Interface (CLI) commands directlyfrom the Lab Manual into the active window in the Main Console

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console

1 Click on the Keyboard Icon found on the Windows Quick Launch Task Bar

ltdiv class=player-unavailablegtlth1 class=messagegtAn error occurredlth1gtltdiv class=submessagegtltahref=httpwwwyoutubecomwatchv=xS07n6GzGuo target=_blankgtTry watching this video on wwwyoutubecomltagt or enableJavaScript if it is disabled in your browserltdivgtltdivgt

HOL-1829-01-NET

Page 5HOL-1829-01-NET

Click once in active console window

In this example you will use the Online Keyboard to enter the sign used in emailaddresses The sign is Shift-2 on US keyboard layouts

1 Click once in the active console window2 Click on the Shift key

Click on the key

1 Click on the key

Notice the sign entered in the active console window

HOL-1829-01-NET

Page 6HOL-1829-01-NET

vRealize Network Insight - Navigation

bull 1 - HOME - Use this if you need to return to the original navigation and searchscreen

bull 2 - Navigation Panebull 3 - Search Bar including time linebull 4 - Detail amp Information Panebull 5 - Alerts Pinboards Settings

Activation Prompt or Watermark

When you first start your lab you may notice a watermark on the desktop indicatingthat Windows is not activated

One of the major benefits of virtualization is that virtual machines can be moved andrun on any platform The Hands-on Labs utilizes this benefit and we are able to run thelabs out of multiple datacenters However these datacenters may not have identicalprocessors which triggers a Microsoft activation check through the Internet

Rest assured VMware and the Hands-on Labs are in full compliance with Microsoftlicensing requirements The lab that you are using is a self-contained pod and does nothave full access to the Internet which is required for Windows to verify the activationWithout full access to the Internet this automated process fails and you see this

watermark

This cosmetic issue has no effect on your lab

HOL-1829-01-NET

Page 7HOL-1829-01-NET

Look at the lower right portion of the screen

Please check to see that your lab is finished all the startup routines and is ready for youto start If you see anything other than Ready please wait a few minutes If after 5minutes your lab has not changed to Ready please ask for assistance

HOL-1829-01-NET

Page 8HOL-1829-01-NET

Module 1 - Micro-Segmentation and

Security (30 minutes)

HOL-1829-01-NET

Page 9HOL-1829-01-NET

IntroductionWhen mid to large-sized enterprises deploy NSX they often struggle to define the levelof micro segmentation needed between applications on networks The most challengingpart is knowing what information is required to get started how to locate theinformation and traffic flow and how to capture the results

vRealize Network Insight helps solve this problem by analyzing and categorizing VMsinto logical groups based on specific compute and network characteristics This processautomatically generates a recommended model for security groups and specificfirewalling rules for each group This makes life much easier for Security Architects andEngineers

vRealize Network Insight (vRNI) relies on the use of an IPFIX collector at the VirtualDistributed switch layer to capture data flows We enable IPFIX at the Virtual Distributedswitch layer for the ESXi Hosts to forward IPFIX UDP packets to the vRealize NetworkInsight appliance The data capture will enable real time data flow for all port trafficand provide further filtering capabilities in order to explore East-West traffic

We have two scenarios to help explain how vRealize Network Insight can be utilized toensure we have full visibility and granular control to deploy firewall rules in order tocomplete micro-segmentation without guessing

Scenario 1 (Brown Field deployment) Customer ABC bought ESXi and NSX and doesnot have a clear understanding of how to operationally deploy existing workloads withEast-West firewall protection or how to segment the workload The client will now usevRealize Network Insight to observe the real time data flow between ports in order tobuild the East-West firewall rules The vRealize Network Insight process will observe thetraffic patterns based on the captured data flow recommendations will then be made inorder to secure workloads for East-West communication Current firewall and micro-segmentation can also be verified

Scenario 2 (Green Field) Customer ABC has a new deployment project for DevOps andwouldnt know what the immediate firewall rules or recommendations would be UsingvRealize Network Insight we could immediately start to monitor the real time data flowas each deployment and development unfolds Based on the DevOps information wecan now apply the Firewall rules at the QampA stage and prep for testing to ensure whenwe move workloads into Production we will have day zero operational security for East-West traffic within the data center

NOTE NSX is not required at any stage to capture observe or implement successfulEast-West firewall rules The process of planning security only relies on IPFIX at the vDSlayer in order to capture and observe data flow between ports

This Module contains the following lessons

HOL-1829-01-NET

Page 10HOL-1829-01-NET

bull Identify firewall rules for Micro-segmentationbull Security Group Topologybull Tracking a firewall rulebull Exporting firewall rules to NSX Manager (Interactive Simulation)bull Conclusion

HOL-1829-01-NET

Page 11HOL-1829-01-NET

Micro-Segmentation IntroductionThis section contains the following lessons

bull Identify firewall rules for Micro-segmentationbull Security Group Topologybull Tracking a firewall rule

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

HOL-1829-01-NET

Page 12HOL-1829-01-NET

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did notload automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

HOL-1829-01-NET

Page 13HOL-1829-01-NET

Plan Security

When the vRealize Network Insight portal login completes the first screen will show asearch bar at the top

1 Type plan security (the search bar uses Auto Fill and predictive text willappear as you type)

2 Select the Time Icon

Plan Security - Specify a Preset

1 Select Presets2 Select Last Week3 Click the search icon to continue

HOL-1829-01-NET

Page 14HOL-1829-01-NET

Overview - Traffic Distribution (Left Pane)

Visual representation of traffic is shown to understand the logic relationship betweeneach component physical or virtual in order to track flows and sessions within anetwork

bull Internal Flows External Flowsbull Protected Flows Unprotected Flowsbull by VLAN or VXLAN

The default for this view is Last 1 day Please do not change this as we have alreadyspecified the time filter

HOL-1829-01-NET

Page 15HOL-1829-01-NET

Traffic Distribution - Overview (Right pane)

The Traffic distribution section is explained in a number format below Use these as areference and do not click on the links at this stage

bull A - This is the sum of all traffic flows with the percentage shown as East-Westonly traffic

bull B - This indicates the percent of traffic that was switchedbull C - The percentage of traffic that is routed between the East-West portsbull D - This indicates Virtual machine to Virtual Machine traffic as a percentage of the

sum in point number 1bull E - Traffic observed between virtual machines on the same hostbull F - Traffic that requires internet access

East-West (EW) - Traffic

In order to view specific details about data flows click on any of the 6 blocks to getdetailed information on flows and sessions (use the [x] in the right corner to close theobservation once completed in order to continue with the next step in this lab) Its

HOL-1829-01-NET

Page 16HOL-1829-01-NET

important to understand the entire distribution of flows and sessions in order to build aninformed strategy to achieve micro-segmentation

A Session is 5 tuple (source port is one of the five tuples in this which means everytime a new TCP connection is established and terminated a new session is recorded)

A Flow is 4 tuple aggregation of sessions It combines many 5 tuple sessions into oneIt ignores the source port as the source port is very dynamic wide range and keeps onchanging As long as multiple sessions have same source IP same destination IP samedestination port and same protocol they will be combined into one record called aflow

So 1000s of sessions in a day between two machines on a specific destination port (sshdns etc) would be combined into one flow with an aggregate count of packets bytessessions between them recorded as additional flow information

In any enterprise how many sessions happen in 1 day varies a lot Flows are moremanageable units and matter most for policy definitions and micro-segmentation

If one wants to see statistics of these flows like bytes transferred number of sessions(or even use these counters along with other query operations for other higher levelanalysis - like determining distribution of a virtual machines outgoing flow bydestination ip) the following metric counters can be used

Counter names

allowed sessions count of sessions (or 5 tuples) corresponding to a flow (4 Tuple)bytes total traffic volume exchanged on the flow (this sum of two counters described below)src bytes total bytes sent by src_ip of the flow to dst_ipportprotocoldst bytes total bytes received by src_ip of the flow from dst_ipportprotocol

1 Click on the East-West traffic block

This will bring a new window into view with detailed analysis of the traffic

HOL-1829-01-NET

Page 17HOL-1829-01-NET

East-West (EW) - Detailed view

This is only a few of the 1653 flows but the detailed views and filters can be used tonarrow down more specific information

A - Without clicking (just hover) on the time line to see the rate of flow indicated by thegreen line for that period

1 Click the close icon (x) to continue

ServicesPorts

HOL-1829-01-NET

Page 18HOL-1829-01-NET

Locating the Services screen for the next step

ServicesPorts - Time line view

Plan security makes use of Service and Ports overview on the right-hand side of thescreen The service view screen is used to observe the flow for each service andanalyzes a specific flow rate at a point in time Timelines can be adjusted to gain abetter understanding of what the plan security query delivers This module will followthe steps needed to observe and trace flows for port 5443

1 Click Show Data

HOL-1829-01-NET

Page 19HOL-1829-01-NET

ServicesPorts - Point in Time Service

The Services section provides an overview of flows over a specific port at a point intime either by bytes or by allowed sessions Look at the red highlighted area tounderstand how the flow is viewed in a pivot format to ensure a rate flow can bedelivered by hovering over a particular section

1 Hover to gain focus over the blue block above port 5443 and notice itpresents on demand the sum total of flows for the last 24 hours inGigabytes (GB) communicating over port 5443

2 Click on the block at the intersection of Last 24 hours and PORTS5443 to get a detailed view of the information

HOL-1829-01-NET

Page 20HOL-1829-01-NET

Flows for Port 5443

Communicating over port 5443 for the Last 24 hours we now have a detailedunderstanding of how 20 flows are distributed by following the list of entities You mayscroll down and examine the detailed traffic Further filters can be used on the left-handside of the screen to filter the view for a more specific result type

1 Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2over port 5443 ( order of flows may differ from screen above Prod-DB-3 andProd-DB-2 can be seventh flow entry)

Flow Key Properties - Timeline view

HOL-1829-01-NET

Page 21HOL-1829-01-NET

Flow Key Properties and Flow Key Metrics with the help of the timeline view gives agreater understanding of the traffic between these two specific VMs over port 5443 (A)- Hover over any part of the Flow Key Metrics graph to see statistics of the flow at aspecific point in time

1 Click on the 1M (last 1 month) Now hover the mouse over the greenblue linesto see a specific flow at a point in time

Flow Key Properties - Timeline view

1 Click the browser back button (once) to return to the plan security layoutscreen (once completed viewing the timelines for specific flows)

HOL-1829-01-NET

Page 22HOL-1829-01-NET

Micro-Segments

The screen should be back and focused on the Plan Security view Let us focus on theLeft-hand side of the plan security screen marked - Micro Segments This section willfocus on the subnet view and how this could be used to track flows between two ormultiple points

Note Segmenting flows can be achieved using views that will focus on VLANVXLANSubnet Folder Clusters VMs Ports Security Tag or Security Groups

1 Select Last 1 Day (to clear previous data range)2 Select the drop down box and then select by Subnet3 We can further analyze micro-segments by secondary groups ( This step is for

information only)4 Click Analyze to populate the data

HOL-1829-01-NET

Page 23HOL-1829-01-NET

Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this willimmediately highlight all flows and sessions from and to this network segment Othertraffic types will loose focus at this point turning light blue

The Keep Focus view creates a single visual endpoint diagram showing communicationto physical shared resources internet and other subnets The parentheses after thenetwork will indicate the number of virtual machines The coloured lines will indicate aconnected flow as OUTGOING INCOMING BIDIRECTIONAL

HOL-1829-01-NET

Page 24HOL-1829-01-NET

Focus - VLANVXLAN

Changing the view to track flows between Prod-Web to Prod-Midtier we will be switchingfrom Subnet view to VLANVXLAN view This will expose the traffic flow and ultimatelylead us to the recommended firewall rules

1 From the filter drop down select the VLANVXLAN option (the view willautomatically update)

HOL-1829-01-NET

Page 25HOL-1829-01-NET

Focus - Prod-Web (25)

1 Hover over Prod-Web2 Click on Keep Focus as we will follow the traffic for this group to see which

ports are in use and why3 Click on the line joining the Prod-Web and Prod-Midtier

Flows - Prod-Web to Prod-Midtier

(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by/over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment traffic from the rest of the VLAN/VXLAN.

Due to the flow observation metrics, the recommendation is (ALLOWED) on Port 8080 between SG Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue

Multiple Ports and Firewall rules for Prod-Web

1. Click on the Prod-Web group

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue
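The two screens just walked through (the single Prod-Web to Prod-Midtier recommendation and the service, external-service and rule counts for the whole Prod-Web group) both come from the same idea: observed flows are grouped by the security groups at each end, and the smallest set of allow rules that still covers every observed port is proposed. The block below is an added illustration of that aggregation over exported flow records; it is not code from the lab or from vRealize Network Insight. The Flow records, the peer groups other than Prod-Web and Prod-Midtier, the byte counts and the closing default-deny rule are all constructed assumptions for the example.

```python
"""Turn observed east-west flows into a minimal recommended allow list.

Added illustration, not vRealize Network Insight code. The flow records
below are constructed: group names echo the lab (Prod-Web, Prod-Midtier)
but the ports, peers and byte counts are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_group: str   # security group / micro-segment the flow originated from
    dst_group: str   # group it was sent to ("Internet", "Shared-Services" for external peers)
    proto: str       # "TCP" or "UDP"
    dst_port: int    # destination (service) port
    bytes: int       # bytes seen in the observation window


# Groups that count as "internal" for the external-services breakdown (assumption).
INTERNAL_GROUPS = {"Prod-Web", "Prod-Midtier", "Prod-DB"}

# Constructed sample flows.
FLOWS = [
    Flow("Prod-Web", "Prod-Midtier", "TCP", 8080, 1_200_000),
    Flow("Prod-Web", "Prod-Midtier", "TCP", 8080, 900_000),
    Flow("Prod-Midtier", "Prod-DB", "TCP", 3306, 450_000),
    Flow("Prod-Web", "Internet", "TCP", 443, 50_000),
    Flow("Prod-Web", "Shared-Services", "UDP", 53, 2_000),
    Flow("Prod-Web", "Shared-Services", "UDP", 123, 500),
    Flow("Internet", "Prod-Web", "TCP", 443, 5_000_000),
    Flow("Internet", "Prod-Web", "TCP", 80, 300_000),
]


def flows_for_group(flows, group):
    """Flows in which `group` is either the source or the destination."""
    return [f for f in flows if group in (f.src_group, f.dst_group)]


def service_endpoints(flows):
    """Unique (dst_group, proto, port) tuples: what the UI counts as service endpoints."""
    return {(f.dst_group, f.proto, f.dst_port) for f in flows}


def bytes_by_endpoint(flows, group):
    """Bytes per service endpoint for flows touching `group` (the traffic-rate column)."""
    totals = defaultdict(int)
    for f in flows_for_group(flows, group):
        totals[(f.dst_group, f.proto, f.dst_port)] += f.bytes
    return dict(totals)


def external_services(flows, group, internal=INTERNAL_GROUPS):
    """Endpoints reached by or reaching `group` whose peer is not an internal group."""
    ext = set()
    for f in flows_for_group(flows, group):
        peer = f.dst_group if f.src_group == group else f.src_group
        if peer not in internal:
            ext.add((peer, f.proto, f.dst_port))
    return ext


def recommend_rules(flows, group):
    """Smallest allow list covering every observed flow that touches `group`.

    Flows sharing (src, dst, proto) collapse into one rule with the ports merged,
    so the two 8080 flows yield one rule. The closing DENY is this example's own
    addition: allow rules only segment the group when something drops the rest.
    """
    ports = defaultdict(set)
    for f in flows_for_group(flows, group):
        ports[(f.src_group, f.dst_group, f.proto)].add(f.dst_port)
    rules = [
        {"action": "ALLOW", "src": s, "dst": d, "proto": p, "ports": sorted(ps)}
        for (s, d, p), ps in sorted(ports.items())
    ]
    rules.append({"action": "DENY", "src": "any", "dst": group, "proto": "any", "ports": []})
    return rules


def render(rule):
    """One-line, human-readable form of a rule dict."""
    ports = ",".join(str(p) for p in rule["ports"]) or "any"
    return f'{rule["action"]:<5} {rule["src"]} -> {rule["dst"]} {rule["proto"]}/{ports}'


if __name__ == "__main__":
    group = "Prod-Web"
    mine = flows_for_group(FLOWS, group)
    print(f"{group}: {len(mine)} flows, {len(service_endpoints(mine))} service endpoints, "
          f"{len(external_services(FLOWS, group))} external")
    for rule in recommend_rules(FLOWS, group):
        print(render(rule))
```

Run as a script, the block prints the counts for Prod-Web followed by four ALLOW rules and the closing DENY. The merge step is what keeps the rule count small: repeated flows on the same port, and different ports between the same pair of groups over the same protocol, each become a single rule.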

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the dropdown which says "by VLAN/VXLAN"
2. Click on "by Application"

1. Hover over Prod-App (47) (do not click at this stage)
2. Click on Keep Focus

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.

We shall now explore how we can define an application.

Define an Application

1. In the search bar type Application
2. Click the Search button

1. The Application search will return 4 entities, i.e. applications already created in the system for you

2. This page also lets you create a new application - click on Add Application

1. Under the Application Name type HOL-Pre-Prod
2. Under Tier type the Name as HOL-Pre-Prod
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you)

4. Do not Save. Click Cancel, which will take you to the previous screen

1. Here you can see the number of entities has increased by 1, i.e. 5 entities
2. You can also see HOL-Pre-Prod in the list

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab)

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type)

2. Click search to continue

The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group page provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step)

1. In the pop-up screen we can immediately see what the Source and Destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment

This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new TAB will open at the top of the screen

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (Example) to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses Auto Fill and predictive text will appear as you type)

2. Click search to continue

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes)
4. Click search

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported following any of the live links in blue.
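To make the search syntax and the date-window audit above concrete, here is an added example that is not part of the lab or of vRealize Network Insight: a small evaluator that accepts the two query strings typed in this section ("Firewall rule where action = ALLOW and Port = 443", and "Firewall Rule Membership Change" with a date range), runs them over constructed rule and membership-change records, and renders the result as the CSV the Save as CSV option would export. The record fields, the rule and VM names and the 2017 timestamps are assumptions made for the example; the product's real query grammar is broader than the single "field = value" conjunction handled here.

```python
"""Evaluate vRNI-style search strings over constructed rule and change records.

Added illustration, not vRealize Network Insight code. It handles only the
query shape the lab exercises, '<entity> where <field> = <value> [and ...]',
plus an optional time window for time-stamped records. All records, and the
year in the timestamps, are constructed for this example.
"""
import csv
import io
from datetime import datetime

# Constructed firewall rules (field names are an assumption).
RULES = [
    {"name": "Web-Inbound", "action": "ALLOW", "port": 443, "source": "Internet", "destination": "Prod-Web"},
    {"name": "Web-to-Mid", "action": "ALLOW", "port": 8080, "source": "Prod-Web", "destination": "Prod-Midtier"},
    {"name": "Mgmt-HTTPS", "action": "ALLOW", "port": 443, "source": "Mgmt", "destination": "Prod-Midtier"},
    {"name": "Block-DB-HTTPS", "action": "DROP", "port": 443, "source": "any", "destination": "Prod-DB"},
]

# Constructed membership-change events: which VM joined or left a group a rule applies to.
CHANGES = [
    {"rule": "Web-to-Mid", "group": "Prod_MidTier", "change": "vm added", "vm": "Lab-Midtier-3",
     "time": datetime(2017, 7, 2, 9, 15)},
    {"rule": "Web-Inbound", "group": "Prod_Web", "change": "vm removed", "vm": "Prod-Web-9",
     "time": datetime(2017, 7, 20, 17, 40)},
    {"rule": "Mgmt-HTTPS", "group": "Prod_MidTier", "change": "vm added", "vm": "Lab-Midtier-4",
     "time": datetime(2017, 8, 3, 8, 0)},
]

# Entity names as typed into the search bar, lower-cased.
ENTITIES = {"firewall rule": RULES, "firewall rule membership change": CHANGES}


def parse_query(text):
    """Split 'Entity where a = b and c = d' into ('entity', [('a', 'b'), ('c', 'd')])."""
    lower = " ".join(text.split()).lower()          # case- and whitespace-insensitive
    entity, _, cond = lower.partition(" where ")
    if entity not in ENTITIES:
        raise ValueError(f"unknown entity: {entity!r}")
    conditions = []
    for clause in (cond.split(" and ") if cond else []):
        field, eq, value = clause.partition("=")
        if not eq or not field.strip() or not value.strip():
            raise ValueError(f"expected 'field = value', got {clause!r}")
        conditions.append((field.strip(), value.strip()))
    return entity, conditions


def run_query(text, start=None, end=None):
    """Records of the queried entity matching every condition, inside the optional window."""
    entity, conditions = parse_query(text)
    hits = []
    for rec in ENTITIES[entity]:
        if any(str(rec.get(field, "")).lower() != value for field, value in conditions):
            continue
        when = rec.get("time")
        if when is not None:                         # only time-stamped records are windowed
            if start is not None and when < start:
                continue
            if end is not None and when > end:
                continue
        hits.append(rec)
    return hits


def membership_changes(start_day, end_day):
    """Audit helper: membership changes between two ISO dates, both days inclusive."""
    start = datetime.fromisoformat(start_day)
    end = datetime.fromisoformat(end_day).replace(hour=23, minute=59, second=59)
    return run_query("Firewall Rule Membership Change", start=start, end=end)


def to_csv(rows):
    """The 'Save as CSV' export: header from the first record's keys, one line per record."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(run_query("Firewall rule where action = ALLOW and Port = 443")))
    print(to_csv(membership_changes("2017-06-30", "2017-07-31")))
```

The comparison is deliberately string-based and case-insensitive so that "Port = 443" matches an integer field and "ALLOW" matches however the action is stored; a real audit pipeline would also sort the change records by time before export.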

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click save

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification, Firewall rule membership change)
3. Info Only - Do not click - View / Edit / Activate any notifications

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com

Please close the Chrome Web browser

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface, which simplifies problem determination as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology
2. Click on Path

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source
2. Type dba into the source field and DBAdmin-VM1 will appear
3. Click on DBAdmin-VM1 to select it

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear

2. Select Prod-Db-2

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM to VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section that is on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top of rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field
2. Click Maximize

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map will indicate the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, path details indicate the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time on getting an overview of the information available in this view

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message will appear.

1. When done reviewing, close the pop-up windows by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled

1. When done reviewing, click on the (X) in the top right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two)

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two)

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top of rack switches and the ports involved

2. The VM Underlay path topology is shown here
3. The components are labeled under Path Details

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges

2. For each edge/VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses

1. From the previous step we selected the Prod-DB-2 Virtual Machine
2. This changes the focus to the corresponding Interface IP Address (VNIC)
3. Shows the visual map (Path topology) of all the path objects
4. Path details shows the labels and lists the components

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight)

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSXManagement amp

Operations (45 minutes)

HOL-1829-01-NET

Page 84HOL-1829-01-NET

IntroductionIntroduction

vRealize Network Insight ensures that we have full visibility from an overlay andunderlay perspective and in this module focus on advanced operations of NSX withvRealize Network Insight Its important to note that the vRealize Network Insightprovides a real time view and a historical view The integration is not a simple SNMPquery but advanced CLI and Metadata information gathered in real time for NSX

This Module contains the following lessons

bull Operational guidance for NSX Managerbull Advanced NSX Management amp Operations Interactive Simulation

HOL-1829-01-NET

Page 85HOL-1829-01-NET

NSX Advanced ManagementOperationsLab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

HOL-1829-01-NET

Page 86HOL-1829-01-NET

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.
• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).
• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.
• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the topology. Each object can be queried individually within the same screen.
• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct so that it can be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control-plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open to the internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. On the vRealize Network Insight home screen, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (App tier talks to DB tier on port 3306).
4. DB (DB tier talks to Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
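The three queries above compare the intended communication matrix of the CRM application against the rules actually in place. The following Python script, added here as an example for this module (it is not vRealize Network Insight code and does not call the AWS API), performs the same comparison offline: it holds the intended flows from the AWS Configuration section, a constructed security-group rule set, and reports every intended flow the rules do not permit. The VM names crm-web1, crm-database and aws-log-server come from the lab text; crm-app1 and aws-dns-server, the rule contents, and the simplified two-sided evaluation model (source group outbound plus destination group inbound, default deny) are assumptions made for the example.

```python
"""Check an intended three-tier communication matrix against a constructed set
of AWS-style security-group rules and report the gaps.

Added example for this lab module; not vRNI or AWS code. All rules and flows
below are constructed to mirror the lab's CRM application.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One security-group rule. 'outbound' rules belong to the source VM's
    group, 'inbound' rules to the destination VM's group (assumed model)."""
    direction: str   # "outbound" or "inbound"
    vm: str          # VM whose security group holds the rule
    peer: str        # remote VM the rule refers to
    port: int        # destination port
    action: str      # "ALLOW" or "DENY"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    purpose: str


# Intended matrix, taken from the lab's AWS Configuration section.
INTENDED_FLOWS: List[Flow] = [
    Flow("crm-web1", "crm-app1", 8080, "web to app"),
    Flow("crm-app1", "crm-database", 3306, "app to db"),
    Flow("crm-web1", "aws-log-server", 514, "web syslog"),
    Flow("crm-app1", "aws-log-server", 514, "app syslog"),
    Flow("crm-database", "aws-log-server", 514, "db syslog (backup service)"),
    Flow("crm-database", "aws-dns-server", 53, "db dns"),
]

# Constructed rule set. Security groups are default-deny, so a missing ALLOW
# is modelled simply as the absence of a rule.
RULES: List[Rule] = [
    Rule("outbound", "crm-web1", "crm-app1", 8080, "ALLOW"),
    Rule("inbound", "crm-app1", "crm-web1", 8080, "ALLOW"),
    Rule("outbound", "crm-app1", "crm-database", 3306, "ALLOW"),
    Rule("inbound", "crm-database", "crm-app1", 3306, "ALLOW"),
    Rule("outbound", "crm-web1", "aws-log-server", 514, "ALLOW"),
    Rule("inbound", "aws-log-server", "crm-web1", 514, "ALLOW"),
    Rule("outbound", "crm-app1", "aws-log-server", 514, "ALLOW"),
    Rule("inbound", "aws-log-server", "crm-app1", 514, "ALLOW"),
    Rule("outbound", "crm-database", "aws-dns-server", 53, "ALLOW"),
    Rule("inbound", "aws-dns-server", "crm-database", 53, "ALLOW"),
    # The database's group lets syslog out, but the matching inbound rule on
    # the log server's group was never added, so the flow is dropped there.
    Rule("outbound", "crm-database", "aws-log-server", 514, "ALLOW"),
]


def rules_for(src: str, dst: str, rules: List[Rule] = RULES) -> List[Rule]:
    """Rules governing src -> dst on either side, the offline counterpart of
    'aws firewall rule where src vm = X and dst vm = Y'."""
    return [
        r for r in rules
        if (r.direction == "outbound" and r.vm == src and r.peer == dst)
        or (r.direction == "inbound" and r.vm == dst and r.peer == src)
    ]


def effective_action(flow: Flow, rules: List[Rule] = RULES) -> str:
    """Both ends must allow: an outbound ALLOW on the source group and an
    inbound ALLOW on the destination group. Any explicit DENY wins."""
    matching = [r for r in rules_for(flow.src, flow.dst, rules) if r.port == flow.port]
    if any(r.action == "DENY" for r in matching):
        return "DENY"
    out_ok = any(r.direction == "outbound" and r.action == "ALLOW" for r in matching)
    in_ok = any(r.direction == "inbound" and r.action == "ALLOW" for r in matching)
    return "ALLOW" if out_ok and in_ok else "DENY"


def firewall_actions_to(dst: str, flows: List[Flow] = INTENDED_FLOWS,
                        rules: List[Rule] = RULES) -> Dict[Tuple[str, int], str]:
    """Counterpart of 'firewall action of flows where dst vm = ...': maps
    (src, port) to the effective action for every intended flow to dst."""
    return {(f.src, f.port): effective_action(f, rules) for f in flows if f.dst == dst}


def find_gaps(flows: List[Flow] = INTENDED_FLOWS, rules: List[Rule] = RULES) -> List[Flow]:
    """Intended flows that the current rule set does not permit."""
    return [f for f in flows if effective_action(f, rules) == "DENY"]


if __name__ == "__main__":
    for gap in find_gaps():
        print(f"MISSING: {gap.src} -> {gap.dst}:{gap.port} ({gap.purpose})")
        for r in rules_for(gap.src, gap.dst):
            print("   existing rule:", r)
```

Running the script lists the single gap, crm-database to aws-log-server on 514, together with the one outbound rule that exists for that pair, which is the same conclusion the lab reaches through the vRNI search bar: the source side was configured, the destination side was not.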


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Lab Guidance

Note: It will take approximately 90 minutes to complete this lab. You should expect to only finish two of the modules during your time if you are new to vRealize Network Insight. The modules are independent of each other, so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

In this lab, students will be presented with an overview and demonstration using vRealize Network Insight. This lab will focus on four particular capabilities and two use-case scenarios. The first module introduces micro-segmentation and the security within networks, followed by module two, which will provide a detailed map walkthrough of a real-time flow rendering a 360-degree view across platform underlays and overlays. Module three will focus on NSX Manager and provide an easy, in-depth look at how we manage advanced NSX operations within vRealize Network Insight. Module four will focus on managing security for public clouds (AWS).

Lab Module List:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

Lab Captain:

• Modules 1 - 4 - Atif Qadeer, Senior Systems Engineer - NSX UK

This lab manual can be downloaded from the Hands-on Labs Document site found here:

[http://docs.hol.pub/HOL-2017]

This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.

2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.

3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your work must be done during the lab session. But you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes. Each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.


Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.



Click once in active console window

In this example you will use the Online Keyboard to enter the @ sign used in email addresses. The @ sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.

Click on the @ key

1. Click on the @ key.

Notice the @ sign entered in the active console window.


vRealize Network Insight - Navigation

• 1 - HOME - Use this if you need to return to the original navigation and search screen
• 2 - Navigation Pane
• 3 - Search Bar, including time line
• 4 - Detail & Information Pane
• 5 - Alerts, Pinboards, Settings

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.


Look at the lower right portion of the screen

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than Ready, please wait a few minutes. If after 5 minutes your lab has not changed to Ready, please ask for assistance.


Module 1 - Micro-Segmentation and Security (30 minutes)


Introduction

When mid- to large-sized enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on networks. The most challenging part is knowing what information is required to get started, how to locate the information and traffic flow, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. This process automatically generates a recommended model for security groups and specific firewalling rules for each group. This makes life much easier for security architects and engineers.

vRealize Network Insight (vRNI) relies on the use of an IPFIX collector at the Virtual Distributed Switch layer to capture data flows. We enable IPFIX at the Virtual Distributed Switch layer for the ESXi hosts to forward IPFIX UDP packets to the vRealize Network Insight appliance. The data capture will enable real-time data flow for all port traffic and provide further filtering capabilities in order to explore East-West traffic.

We have two scenarios to help explain how vRealize Network Insight can be utilized to ensure we have full visibility and granular control to deploy firewall rules in order to complete micro-segmentation without guessing.

Scenario 1 (Brownfield deployment): Customer ABC bought ESXi and NSX and does not have a clear understanding of how to operationally deploy existing workloads with East-West firewall protection, or how to segment the workload. The client will now use vRealize Network Insight to observe the real-time data flow between ports in order to build the East-West firewall rules. The vRealize Network Insight process will observe the traffic patterns based on the captured data flow; recommendations will then be made in order to secure workloads for East-West communication. Current firewall and micro-segmentation can also be verified.

Scenario 2 (Greenfield): Customer ABC has a new deployment project for DevOps and would not know what the immediate firewall rules or recommendations would be. Using vRealize Network Insight, we could immediately start to monitor the real-time data flow as each deployment and development unfolds. Based on the DevOps information, we can now apply the firewall rules at the QA stage and prep for testing, to ensure that when we move workloads into production we will have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or implement successful East-West firewall rules. The process of planning security only relies on IPFIX at the vDS layer in order to capture and observe data flow between ports.

This Module contains the following lessons:


• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion


Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.


Plan Security

When the vRealize Network Insight portal login completes, the first screen shows a search bar at the top.

1. Type plan security (the search bar uses auto-fill, and predictive text will appear as you type).

2. Select the Time icon.

Plan Security - Specify a Preset

1. Select Presets
2. Select Last Week
3. Click the search icon to continue.


Overview - Traffic Distribution (Left Pane)

A visual representation of the traffic is shown so that the logical relationship between each component, physical or virtual, can be understood and flows and sessions within the network can be tracked:

• Internal flows / External flows
• Protected flows / Unprotected flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change it, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained letter by letter below. Use these as a reference and do not click on the links at this stage.

• A - The sum of all traffic flows, with the percentage that is East-West-only traffic
• B - The percentage of traffic that was switched
• C - The percentage of traffic that is routed between East-West ports
• D - Virtual machine to virtual machine traffic as a percentage of the sum in A
• E - Traffic observed between virtual machines on the same host
• F - Traffic that requires internet access

East-West (EW) - Traffic

To view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the view once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy for micro-segmentation.

A session is a 5-tuple: source IP, destination IP, source port, destination port and protocol. Because the source port is part of the key, every TCP connection that is established and terminated is recorded as a new session.

A flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one record by ignoring the source port, which is ephemeral and changes constantly. As long as multiple sessions share the same source IP, destination IP, destination port and protocol, they are combined into one record called a flow.

So thousands of sessions in a day between two machines on a specific destination port (SSH, DNS, etc.) are combined into one flow, with the aggregate packet, byte and session counts between them recorded as additional flow information.

How many sessions occur in a day varies a lot from one enterprise to another. Flows are the more manageable unit and matter most for policy definitions and micro-segmentation: a firewall rule is written against the 4-tuple, never against an ephemeral source port.

To see statistics for these flows, such as bytes transferred or number of sessions (or to use these counters with other query operations for higher-level analysis, such as the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used:

Counter names:

• allowed sessions - count of sessions (5-tuples) corresponding to a flow (4-tuple)
• bytes - total traffic volume exchanged on the flow (the sum of the two counters below)
• src bytes - total bytes sent by the src_ip of the flow to dst_ip/port/protocol
• dst bytes - total bytes received by the src_ip of the flow from dst_ip/port/protocol
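The session-to-flow aggregation described above, as an added example for this lab page (it is not vRealize Network Insight code). The session records are constructed to resemble what IPFIX on a vDS exports; the field names, addresses and byte counts are assumptions, not the product's schema. It drops the source port, keys on the remaining 4-tuple and accumulates the four counters named above, then uses them for the "outgoing bytes by destination IP" analysis the text mentions.

```python
# Added example (not vRealize Network Insight code): aggregate 5-tuple
# sessions into 4-tuple flows and compute the counters named in the lab.
# Session records, field names and addresses are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One 5-tuple as exported per connection (source port included)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int  # bytes sent by src_ip
    bytes_in: int   # bytes sent back to src_ip


@dataclass
class Flow:
    """A 4-tuple (source port dropped) carrying the lab's counters."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    allowed_sessions: int = 0
    src_bytes: int = 0
    dst_bytes: int = 0

    @property
    def bytes(self) -> int:
        # "bytes" is defined as the sum of the two directional counters
        return self.src_bytes + self.dst_bytes


def aggregate_flows(sessions):
    """Collapse sessions into flows keyed on (src_ip, dst_ip, dst_port, proto)."""
    flows = {}
    for s in sessions:
        key = (s.src_ip, s.dst_ip, s.dst_port, s.proto)  # source port ignored
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(*key)
        flow.allowed_sessions += 1
        flow.src_bytes += s.bytes_out
        flow.dst_bytes += s.bytes_in
    return flows


def outgoing_by_destination(flows, src_ip):
    """Distribution of one VM's outgoing bytes by destination IP."""
    out = defaultdict(int)
    for flow in flows.values():
        if flow.src_ip == src_ip:
            out[flow.dst_ip] += flow.src_bytes
    return dict(out)


# Constructed sample: three connections Prod-DB-3 -> Prod-DB-2 on tcp/5443
# (different source ports), one DNS lookup, and one connection from another client.
SESSIONS = [
    Session("10.1.3.3", 49152, "10.1.3.2", 5443, "tcp", 1200, 8400),
    Session("10.1.3.3", 49153, "10.1.3.2", 5443, "tcp", 900, 3100),
    Session("10.1.3.3", 49154, "10.1.3.2", 5443, "tcp", 1500, 10000),
    Session("10.1.3.3", 51000, "10.1.0.53", 53, "udp", 80, 200),
    Session("10.1.2.10", 40000, "10.1.3.2", 5443, "tcp", 300, 700),
]

if __name__ == "__main__":
    for key, flow in aggregate_flows(SESSIONS).items():
        print(key, flow.allowed_sessions, flow.bytes, flow.src_bytes, flow.dst_bytes)
```

Five sessions collapse into three flows; the three Prod-DB-3 to Prod-DB-2 connections become one flow with allowed sessions = 3, which is the record a rule would be written against.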

1. Click on the East-West traffic block.

This brings a new window into view with a detailed analysis of the traffic.


East-West (EW) - Detailed view

This shows only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Hover (without clicking) over the timeline to see the flow rate, indicated by the green line, for that period.

1. Click the close icon (x) to continue.

Services/Ports

Locating the Services screen for the next step

Services/Ports - Timeline view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view is used to observe the flow for each service and to analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module follows the steps needed to observe and trace flows for port 5443.

1. Click Show Data.


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flows are shown in a pivot format; hovering over a particular cell delivers the flow rate for it.

1. Hover over the blue block above port 5443 and notice that it presents, on demand, the total of the flows over port 5443 for the last 24 hours in gigabytes (GB).

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

For traffic over port 5443 in the last 24 hours we now have a detailed view of how the 20 flows are distributed, by following the list of entities. You may scroll down and examine the detailed traffic. Further filters on the left-hand side of the screen narrow the view to a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screenshot above; Prod-DB-3 to Prod-DB-2 may be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) Hover over any part of the Flow Key Metrics graph to see the statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows).


Micro-Segments

The screen should now be back on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section focuses on the subnet view and how it can be used to track flows between two or more points.

Note: Flows can be segmented using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous date range)
2. Select the drop-down box and then select by Subnet
3. Micro-segments can be further analyzed by secondary groups (this step is for information only)
4. Click Analyze to populate the data


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this immediately highlights all flows and sessions from and to this network segment. Other traffic loses focus at this point and turns light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical and shared resources, the internet and other subnets. The number in parentheses after the network indicates the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To track flows between Prod-Web and Prod-Midtier we switch from the Subnet view to the VLAN/VXLAN view. This exposes the traffic flow and ultimately leads us to the recommended firewall rules.

1. From the filter drop-down select the VLAN/VXLAN option (the view updates automatically).


Focus - Prod-Web (25)

1. Hover over Prod-Web
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why
3. Click on the line joining Prod-Web and Prod-Midtier

Flows - Prod-Web to Prod-Midtier


(A) - At this point we have identified 14 unique endpoints, or flows, communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or any construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated to secure and segment this traffic from the rest of the VLAN/VXLAN.

From the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG-Prod-Midtier. A recommendation mirrors what was observed during the selected time window: a flow that did not occur in that window (a monthly batch job, for example) gets no rule, and a flow that did occur is recommended whether or not it was intended, so review each recommendation before applying it.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall rules for Prod-Web

1. Click on the Prod-Web group

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints, or flows, communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, 17 external services and 425 flows, this observation metric determines that 6 firewall rules are required. This is the minimum recommended segmentation for the Prod-Web group.

4. Click the close icon (x) to continue.
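How hundreds of VM-to-VM flows collapse into a handful of group-to-group rules, as an added example for this lab page (not vRealize Network Insight code, and not how the product computes its recommendations internally). The group names follow the lab; the addresses, the membership map and the flow sample are constructed. Endpoints that belong to no group are treated as "External", matching the External Services Accessed view, and the rendered rule list closes with a default deny, which is this example's assumption of an allow-list model rather than something the page states.

```python
# Added example (not vRealize Network Insight code): derive the minimum set
# of ALLOW rules between groups from observed 4-tuple flows. Group names
# follow the lab; addresses, membership and flows are constructed.

# Which group (VLAN/VXLAN, subnet, security group...) each VM address belongs to.
# Anything not listed is treated as an external endpoint.
GROUP_OF = {
    "10.1.1.1": "Prod-Web", "10.1.1.2": "Prod-Web", "10.1.1.3": "Prod-Web",
    "10.1.2.10": "Prod-Midtier", "10.1.2.11": "Prod-Midtier",
    "10.1.3.2": "Prod-DB",
}

# Observed flows as (src_ip, dst_ip, dst_port, proto) - constructed sample.
FLOWS = [
    ("10.1.1.1", "10.1.2.10", 8080, "tcp"), ("10.1.1.1", "10.1.2.11", 8080, "tcp"),
    ("10.1.1.2", "10.1.2.10", 8080, "tcp"), ("10.1.1.2", "10.1.2.11", 8080, "tcp"),
    ("10.1.1.3", "10.1.2.10", 8080, "tcp"), ("10.1.1.3", "10.1.2.11", 8080, "tcp"),
    ("10.1.1.1", "10.1.0.53", 53, "udp"), ("10.1.1.2", "10.1.0.53", 53, "udp"),
    ("10.1.1.3", "10.1.0.53", 53, "udp"),
    ("10.1.1.1", "203.0.113.5", 443, "tcp"), ("10.1.1.2", "203.0.113.5", 443, "tcp"),
    ("10.1.1.3", "10.1.2.10", 22, "tcp"),   # an SSH flow that may not be intended
    ("10.1.2.10", "10.1.3.2", 5443, "tcp"),
]


def group_for(ip):
    return GROUP_OF.get(ip, "External")


def recommend_rules(flows, group_of=group_for):
    """Map each flow to (src_group, dst_group, proto, port) and count the
    observed flows behind each candidate rule."""
    rules = {}
    for src, dst, port, proto in flows:
        key = (group_of(src), group_of(dst), proto, port)
        rules[key] = rules.get(key, 0) + 1
    return rules


def rules_for_group(rules, group):
    """The candidate rules in which `group` is source or destination."""
    return {k: n for k, n in rules.items() if group in (k[0], k[1])}


def external_services(rules, group):
    """(proto, port) pairs `group` uses on endpoints outside every group."""
    return {(proto, port) for (src, dst, proto, port) in rules
            if src == group and dst == "External"}


def render(rules):
    """NSX-style rule lines, most-used first, closing with a default deny."""
    ordered = sorted(rules.items(), key=lambda kv: -kv[1])
    lines = [f"ALLOW {proto}/{port} SG-{src} -> SG-{dst} ({n} flows)"
             for (src, dst, proto, port), n in ordered]
    lines.append("DENY any any -> any (default)")  # assumption: allow-list model
    return lines


if __name__ == "__main__":
    print("\n".join(render(rules_for_group(recommend_rules(FLOWS), "Prod-Web"))))
```

Thirteen flows from Prod-Web produce four candidate rules, one of which (tcp/22 to Prod-Midtier, backed by a single flow) is exactly the kind of recommendation a reviewer should question before exporting it to NSX Manager.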

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier is a collection of VMs selected by user-defined filter criteria. Applications let you create a hierarchical group of VMs and visualize the traffic flows between the tiers of the same application; traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN
2. Click on by Application

1. Hover over Prod-App (47) (do not click at this stage)
2. Click on Keep Focus

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment reveals the services.


We shall now explore how to define an application.

Define an Application

1. In the search bar type Application
2. Click the Search button

1. The Application search returns 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.


1. Under Application Name type HOL-Pre-Prod
2. Under Tier type the name HOL-Pre-Prod
3. Our search criteria will be based on VM names: under Virtual Machines / IP Addresses type Admin-VM1, Admin-VM2 (the search auto-completes the names for you)
4. Do not click Save; click Cancel, which takes you back to the previous screen

1. Here you can see that the number of entities has increased by 1, i.e. 5 entities
2. You can also see HOL-Pre-Prod in the list

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, and need much more detail about container topology before planning or executing micro-segmentation. Let's look at how this is possible in a single view with granular integration into the overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill, and predictive text will appear as you type)

2. Click search to continue


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. It points out the detail view and the topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue

Results - PROD_MIDTIER

The search results from the query are shown at the top of the screen, including the Translated VM Count and any rules associated with each group.

1. Click on Prod_MidTier to continue

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group page provides a detailed view of the selected Security Group and a comprehensive listing of its key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the view selects the point-in-time state of the Security Group, and filters can be used to focus further on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right shows any and all child and parent groups in relation to Prod_MidTier. This identifies the nesting and hierarchy of security groups. Nesting matters for rule analysis: a VM added to a child group becomes a member of every parent group as well, and therefore falls under every rule written against those parents without any of those rules being edited.

1. Click and select the Prod_Web to Prod_Midtier rule (this launches a pop-up screen, covered in the next step)

1. In the pop-up screen we can immediately see what the source and destination service flow looks like for this rule. This can be done for each segment attached to Prod_MidTier and provides all the current Security Group Firewall Topology information. Feel free to click through all the segments to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus you opened during your analysis to continue with the next exercise


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you can see the following security event information for Prod_MidTier:

A. Events - showing any changes to Prod_MidTier (direct or indirect) and the impact those changes have on this security group

B. Current Security Group Configuration and Firewall Rules Count, which also helps manage the endpoints

C. Visibility of the Virtual Machines in Security Groups, so that workloads and segmentation are managed at the correct level of detail

D. Indirect Firewall Rules, which show the inherited impact and the relationship leading to Prod_MidTier

E. Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment


This module has followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we now understand the analysis that makes up the firewall rules. The information for a specific segment of a virtual machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab opens at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus and generate the path.

Do not click on any of the bubbles; they are for reference only. This is the complete path of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS switch
• D - VXLAN: Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS switch port
• G - Finally, the L3 switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar we will demonstrate how you can track any firewall rule in your environment. This is only one example of how security-related objects can be searched with a single statement, and how the results can be exported.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses auto-fill, and predictive text will appear as you type)

2. Click search to continue

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to get familiar with the firewall rule search possibilities and the insight they offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that exposes further information.

2. Do not click - The entire report can be exported using the Save as CSV option at the top right-hand corner of the screen, but we will not export anything at this point.

3. For the next step we return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen we will run a time-based search to see which firewall rule membership changes occurred during a selected period. This points out any changes made directly, or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window
3. Click Between and select the date range June 30 to Jul 31 (the lab uses static data, so this range ensures you see all the changes)
4. Click search

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the selected date range. This is pivotal to the change-tracking audit process: it shows exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and exported by following any of the live links in blue.
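The direct/indirect distinction behind this audit (and behind the Indirect Firewall Rules and Container Topology views earlier in the module), as an added example for this lab page; it is not vRealize Network Insight code and does not use the product's data model. Group and rule names follow the lab; the membership, nesting and event data are constructed. A rule is affected directly when the group it names gained or lost a member, and indirectly when the change happened in a child of a group it names, because the parent's translated membership changes too.

```python
# Added example (not vRealize Network Insight code): audit which firewall
# rules were affected, directly or via nested groups, by security group
# membership changes in a date range. Data below is constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str       # source security group
    dst: str       # destination security group
    service: str


@dataclass(frozen=True)
class MembershipEvent:
    when: date
    group: str
    action: str    # "add" or "remove"
    vm: str


# Direct members and child groups per security group (constructed).
MEMBERS = {
    "Prod_Web": {"Prod-Web-1", "Prod-Web-2"},
    "Prod_MidTier": {"Lab-Midtier-1", "Lab-Midtier-2"},
    "Prod_DB": {"Prod-DB-2", "Prod-DB-3"},
    "Prod_App": set(),          # no direct members, only children
    "Mgmt": {"Jump-1"},
}
CHILDREN = {"Prod_App": {"Prod_Web", "Prod_MidTier"}}

RULES = [
    Rule("R1", "Prod_Web", "Prod_MidTier", "tcp/8080"),
    Rule("R2", "Prod_App", "Prod_DB", "tcp/5443"),
    Rule("R3", "Mgmt", "Prod_DB", "tcp/22"),
]

EVENTS = [
    MembershipEvent(date(2017, 6, 15), "Mgmt", "remove", "Jump-2"),        # outside the window
    MembershipEvent(date(2017, 7, 10), "Prod_MidTier", "add", "Lab-Midtier-5"),
    MembershipEvent(date(2017, 7, 20), "Prod_DB", "add", "Prod-DB-4"),
]
AUDIT_START, AUDIT_END = date(2017, 6, 30), date(2017, 7, 31)  # the lab's range


def effective_members(group, members=MEMBERS, children=CHILDREN):
    """Translated VM set: direct members plus every member of child groups."""
    vms = set(members.get(group, set()))
    for child in children.get(group, set()):
        vms |= effective_members(child, members, children)
    return vms


def ancestors(group, children=CHILDREN):
    """Groups that contain `group`, transitively; a change in `group`
    changes their translated membership too."""
    parents = {p for p, kids in children.items() if group in kids}
    found = set(parents)
    for p in parents:
        found |= ancestors(p, children)
    return found


def membership_change_audit(rules, events, start, end, children=CHILDREN):
    """For each event in [start, end] list (date, rule_id, changed_group,
    referenced_group, kind): 'direct' if the rule names the changed group,
    'indirect' if it names one of that group's ancestors."""
    records = []
    for ev in sorted(events, key=lambda e: e.when):
        if not start <= ev.when <= end:
            continue
        affected = {ev.group: "direct"}          # dict order: direct first
        for parent in ancestors(ev.group, children):
            affected.setdefault(parent, "indirect")
        for rule in rules:
            for grp, kind in affected.items():
                if grp in (rule.src, rule.dst):
                    records.append((ev.when, rule.rule_id, ev.group, grp, kind))
                    break                        # one record per rule per event
    return records


if __name__ == "__main__":
    for rec in membership_change_audit(RULES, EVENTS, AUDIT_START, AUDIT_END):
        print(rec)
```

Adding Lab-Midtier-5 to Prod_MidTier shows up as a direct change to R1 and an indirect change to R2, which never mentions Prod_MidTier at all; that is the inherited impact the Indirect Firewall Rules view is there to surface.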


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external parties of any changes. The alert feature is available from any view that displays the alert icon. Although the alert can be configured in this lab, it will not fire, as the lab uses static data only. This section shows how easy it is to report on any firewall rule membership change. The alert can be sent immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen pops up.

2. Notification parameters can be adjusted as required. Populate them with your own preferences, as we need the information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events, in order to edit or activate the event parameters, on the Settings page. Changes can be configured to notify members of the event group based on user preference. The event you created can now be tracked using the search bar at the top of the screen.

1. Click in the search bar and type Settings
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification: Firewall rule membership change)
3. Info only - do not click - View, Edit or Activate any notifications

Note that there are 2 types of notification: User-defined and System Events.

4. Click the System Events


System Notifications

System Events consist of 103 pre-configured default alerts. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or the users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest). Since the recommendations in this module are only as good as the flow data behind them, consider enabling at least the events that report collection problems, so that a quiet Plan Security view is not mistaken for a quiet network.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. The module further demonstrated how to achieve day-zero readiness and how to track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight showed how easily network analysis can be acquired and used to automatically generate firewall rules for both green-field and brown-field deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: security must be consistent in the face of constant change
• Ubiquity: security must be available everywhere
• Extensibility: security must adapt to new situations

For additional information about the functionality showcased in this module visit www.vmware.com

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab click on the END button, or click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this through a smart user interface, which simplifies problem determination as well as visibility into firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module uses the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we focus only on the path.

From the main console:

1. Click on Path and Topology
2. Click on Path

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source
2. Type dba into the source field and DBAdmin-VM1 will appear
3. Click on DBAdmin-VM1 to select it


Path - source and destination continued

After selecting the source machine, the destination box appears automatically.

1. Type prod in the destination field and the list of available options will appear

2. Select Prod-Db-2

Note: The destination could also be an IP address or Internet, but in this lab we use a VM.


Path - source and destination continued

1. Click on Submit

Searching for path

Based on the VMs selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to the wizard, the search can also be typed manually.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: this view details the routers, Edges or Distributed Logical Routers (DLRs) involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section, to the right of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field
2. Click Maximize

The view changes and the route is drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top-left icon marked with a red square: the virtual machine DBAdmin-VM1

Virtual Machine - Details


A pop-up box appears with the virtual machine details. This information includes many details made available by VMware Tools; we can, for example, see network information and the physical host.

A - Please spend some time getting an overview of the information available in this view.

B - Note that the Firewall Status shows Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear instead.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top-right corner

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box appears containing the physical ESXi host details.

A - Spend some time reviewing the information available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the chassis and the blade that this ESXi host is running on. In a real-life environment we could follow the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host: the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top-right corner


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box appears containing the DVPG details.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled. This is the setting that makes the flow data used in Module 1 possible: a port group without IPFIX still appears in the topology, but no flows are recorded for the VMs attached to it.

1. When done reviewing, click on the (X) in the top-right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box appears containing the physical VLAN details.


A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top-right corner

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the switch port for the VM


Switch Port

A pop-up box appears containing the switch port details.

In this view we are looking purely at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top-right corner of the pop-up box


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details


VRF - Physical Switch

A pop-up box appears containing the Physical VRF details.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. All of the configuration data, routing tables and routing interface information are gathered from this device.

1. When done reviewing, click on the (X) in the top-right corner of the pop-up box


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path


VRF - Physical Router

A pop-up box appears containing the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto Networks firewall acting as the router. In this view we see the routing table as well as the firewall rules. What makes this view powerful is that the firewall rules shown are only those applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but these are the rules that affect the communication between the two selected VMs.
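The idea behind that filtering, hop-by-hop route resolution plus matching each hop's rule base against the searched source, destination and service, as an added example for this lab page. It is not vRealize Network Insight code and does not reflect how the product walks a path; device roles follow the lab (Nexus 7000, Palo Alto, Arista, NSX Provider-Edge 1), while the addresses, routes, rules and the first-match evaluation order are constructed assumptions.

```python
# Added example (not vRealize Network Insight code): walk a VM-to-VM path
# hop by hop with longest-prefix matching and keep only the firewall rules
# that apply to that source, destination and service. Device roles follow
# the lab; addresses, routes and rules are constructed.
import ipaddress

# Per-VRF routing table and the rules enforced at that hop (empty for
# devices that only forward). "connected" means the destination is local.
HOPS = {
    "Nexus7000-VRF-prod": {
        "routes": {"10.200.29.0/24": "connected", "0.0.0.0/0": "10.255.0.2"},
        "rules": [],
    },
    "PaloAlto-VRF-dmz": {
        "routes": {"10.1.0.0/16": "10.255.1.2", "10.200.29.0/24": "10.255.0.1",
                   "0.0.0.0/0": "198.51.100.1"},
        "rules": [  # (id, src_net, dst_net, service, action) in evaluation order
            ("PA-10", "10.200.29.0/24", "10.1.3.0/24", "tcp/5443", "allow"),
            ("PA-11", "10.200.29.0/24", "10.1.2.0/24", "tcp/8080", "allow"),
            ("PA-99", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
        ],
    },
    "Arista-VRF-core": {"routes": {"10.1.0.0/16": "10.255.2.2"}, "rules": []},
    "Provider-Edge-1": {
        "routes": {"10.1.3.0/24": "connected", "10.1.2.0/24": "connected"},
        "rules": [],
    },
}
# Which device owns each next-hop address (constructed).
NEXT_HOP_DEVICE = {"10.255.0.2": "PaloAlto-VRF-dmz", "10.255.1.2": "Arista-VRF-core",
                   "10.255.2.2": "Provider-Edge-1", "10.255.0.1": "Nexus7000-VRF-prod"}


def longest_prefix_match(routes, ip):
    """Return (network, next_hop) for the most specific route covering ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def rule_applies(rule, src, dst, service):
    _, rule_src, rule_dst, rule_svc, _ = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule_dst)
            and rule_svc in ("any", service))


def trace_path(src, dst, service, first_hop, max_hops=16):
    """Follow the route from the source VM's gateway VRF to the hop that owns
    the destination subnet; collect the applicable rules at each hop."""
    path, applicable = [], []
    device = first_hop
    for _ in range(max_hops):
        path.append(device)
        hop = HOPS[device]
        applicable += [(device, r) for r in hop["rules"] if rule_applies(r, src, dst, service)]
        match = longest_prefix_match(hop["routes"], dst)
        if match is None:
            raise LookupError(f"{device} has no route to {dst}")
        if match[1] == "connected":
            return path, applicable
        device = NEXT_HOP_DEVICE[match[1]]
    raise RuntimeError("routing loop or path longer than max_hops")


def verdict(applicable):
    """First-match semantics (an assumption about the firewall in the path):
    the first applicable rule decides; no applicable rule means nothing blocks."""
    return applicable[0][1][4] if applicable else "no-rule"


if __name__ == "__main__":
    # DBAdmin-VM1 -> Prod-Db-2 on tcp/5443 (constructed addresses)
    path, rules = trace_path("10.200.29.11", "10.1.3.2", "tcp/5443", "Nexus7000-VRF-prod")
    print(" -> ".join(path))
    for device, rule in rules:
        print(device, rule)
    print("verdict:", verdict(rules))
```

Of the three rules on the Palo Alto hop only two apply to this pair, and the first of them decides the outcome; the same query for a different destination subnet falls through to the catch-all deny, which is the kind of answer a path search should give before anyone starts a packet capture.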


A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top-right corner of the pop-up box

Note: The Palo Alto integration showcased here is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path

HOL-1829-01-NET

Page 67HOL-1829-01-NET

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, for example in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse over) the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will flow in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top of rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. Shows the visual map (Path topology) of all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

By rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select the Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premise instance of vRealize Network Insight managing AWS.

2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.

6. App tier talks to DB tier on port 3306.

7. Web tier is open for internal datacenter VMs on port 80.

8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.

9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.

10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Port 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
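The three queries above ask vRealize Network Insight which AWS security group rules allow or deny each CRM tier's traffic to aws-log-server. The Python below is an added example, not code from the lab manual or from VMware: it performs the same kind of check offline, evaluating a constructed set of security groups (in the shape boto3's describe_security_groups() returns) against the intended flows listed under AWS Configuration, and reports the one flow the groups would deny. All IP addresses, group ids and the jump-box, crm-app1 and aws-dns-server names are assumptions; only the tiers, ports and the crm-web1, crm-database and aws-log-server names come from the lab.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory: VM name -> (private IP, security group id). Only
# crm-web1, crm-database and aws-log-server are named in the lab; the other
# names and every IP and group id are made up for this example.
INSTANCES = {
    "jump-box":       ("10.10.0.10", "sg-jump"),
    "crm-web1":       ("10.10.1.10", "sg-web"),
    "crm-app1":       ("10.10.2.10", "sg-app"),
    "crm-database":   ("10.10.3.10", "sg-db"),
    "aws-dns-server": ("10.20.1.10", "sg-shared"),
    "aws-log-server": ("10.20.1.11", "sg-shared"),
}
CRM_TIERS = ["sg-web", "sg-app", "sg-db"]


def _perm(proto, port, cidrs=(), groups=()):
    """One IpPermissions entry as boto3 returns it ("-1" = all traffic)."""
    return {
        "IpProtocol": proto, "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "UserIdGroupPairs": [{"GroupId": g} for g in groups],
    }


ALL_TRAFFIC = _perm("-1", -1, cidrs=["0.0.0.0/0"])

# Constructed security groups for the lab's layout: VPC CRM (jump box, web,
# app, db) and VPC Common Services (DNS on 53, syslog on 514). sg-db's egress
# deliberately lacks 514: the rule the lab's queries show was never added.
SECURITY_GROUPS = {
    "sg-jump": {
        "IpPermissions": [_perm("tcp", 22, cidrs=["10.0.0.0/8"])],
        "IpPermissionsEgress": [ALL_TRAFFIC],
    },
    "sg-web": {
        "IpPermissions": [_perm("tcp", 80, cidrs=["10.0.0.0/8"]),
                          _perm("tcp", 22, groups=["sg-jump"])],
        "IpPermissionsEgress": [_perm("tcp", 8080, groups=["sg-app"]),
                                _perm("udp", 53, groups=["sg-shared"]),
                                _perm("udp", 514, groups=["sg-shared"])],
    },
    "sg-app": {
        "IpPermissions": [_perm("tcp", 8080, groups=["sg-web"]),
                          _perm("tcp", 22, groups=["sg-jump"])],
        "IpPermissionsEgress": [_perm("tcp", 3306, groups=["sg-db"]),
                                _perm("udp", 53, groups=["sg-shared"]),
                                _perm("udp", 514, groups=["sg-shared"])],
    },
    "sg-db": {
        "IpPermissions": [_perm("tcp", 3306, groups=["sg-app"]),
                          _perm("tcp", 22, groups=["sg-jump"])],
        "IpPermissionsEgress": [_perm("udp", 53, groups=["sg-shared"])],
    },
    "sg-shared": {
        "IpPermissions": [_perm("udp", 53, groups=CRM_TIERS),
                          _perm("udp", 514, groups=CRM_TIERS)],
        "IpPermissionsEgress": [ALL_TRAFFIC],
    },
}


def _rule_matches(rule, proto, port, peer_ip, peer_sg):
    """True if one rule covers this protocol/port and this peer (by CIDR or group)."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    if any(ip_address(peer_ip) in ip_network(r["CidrIp"]) for r in rule["IpRanges"]):
        return True
    return any(g["GroupId"] == peer_sg for g in rule["UserIdGroupPairs"])


def flow_allowed(src, dst, proto, port):
    """Security groups are stateful: the source group's egress and the
    destination group's ingress must both allow the flow; no reply rule is needed."""
    src_ip, src_sg = INSTANCES[src]
    dst_ip, dst_sg = INSTANCES[dst]
    egress_ok = any(_rule_matches(r, proto, port, dst_ip, dst_sg)
                    for r in SECURITY_GROUPS[src_sg]["IpPermissionsEgress"])
    ingress_ok = any(_rule_matches(r, proto, port, src_ip, src_sg)
                     for r in SECURITY_GROUPS[dst_sg]["IpPermissions"])
    return egress_ok and ingress_ok


# Intended flows, transcribed from AWS Configuration steps 5, 6, 8 and 9.
INTENDED_FLOWS = [
    ("jump-box", "crm-web1", "tcp", 22),
    ("jump-box", "crm-app1", "tcp", 22),
    ("jump-box", "crm-database", "tcp", 22),
    ("crm-web1", "crm-app1", "tcp", 8080),
    ("crm-app1", "crm-database", "tcp", 3306),
] + [(tier, server, "udp", port)
     for tier in ("crm-web1", "crm-app1", "crm-database")
     for server, port in (("aws-dns-server", 53), ("aws-log-server", 514))]


def audit(flows=INTENDED_FLOWS):
    """Return the intended flows the security groups would deny."""
    return [f for f in flows if not flow_allowed(*f)]
```

Calling audit() returns only ('crm-database', 'aws-log-server', 'udp', 514), the same gap the lab's DENY result points at; against a live account the constructed dictionaries would be replaced by the output of describe_instances() and describe_security_groups().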


Conclusion

Congratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.

2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.

3. Your lab starts with 90 minutes on the timer. The lab can not be saved. All your work must be done during the lab session. But you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice for up to 30 minutes. Each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

Alternate Methods of Keyboard Data Entry

During this module you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

HOL-1829-01-NET, Page 4

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console

1 Click on the Keyboard Icon found on the Windows Quick Launch Task Bar

Video: https://www.youtube.com/watch?v=xS07n6GzGuo


Click once in active console window

In this example you will use the Online Keyboard to enter the @ sign used in email addresses. The @ sign is Shift-2 on US keyboard layouts.

1 Click once in the active console window
2 Click on the Shift key

Click on the @ key

1 Click on the @ key

Notice the @ sign entered in the active console window


vRealize Network Insight - Navigation

• 1 - HOME - Use this if you need to return to the original navigation and search screen
• 2 - Navigation Pane
• 3 - Search Bar, including time line
• 4 - Detail & Information Pane
• 5 - Alerts, Pinboards, Settings

Activation Prompt or Watermark

When you first start your lab you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilize this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.


Look at the lower right portion of the screen

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than Ready, please wait a few minutes. If after 5 minutes your lab has not changed to Ready, please ask for assistance.


Module 1 - Micro-Segmentation and Security (30 minutes)


Introduction

When mid to large-sized enterprises deploy NSX they often struggle to define the level of micro-segmentation needed between applications on their networks. The most challenging part is knowing what information is required to get started, how to locate that information and the traffic flows, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. This process automatically generates a recommended model for security groups and specific firewall rules for each group, which makes life much easier for security architects and engineers.

vRealize Network Insight (vRNI) relies on IPFIX exported from the vSphere Distributed Switch (vDS) to capture data flows. IPFIX is enabled on the distributed switch so that the ESXi hosts forward IPFIX UDP packets to the vRealize Network Insight collector appliance. The captured data provides real-time flow visibility for all port traffic and further filtering capabilities to explore East-West traffic.

We have two scenarios to explain how vRealize Network Insight can be used to gain full visibility and granular control when deploying firewall rules, so that micro-segmentation is completed without guessing.

Scenario 1 (Brownfield deployment): Customer ABC bought ESXi and NSX and does not have a clear understanding of how to operationally deploy existing workloads with East-West firewall protection or how to segment the workload. The customer will now use vRealize Network Insight to observe the real-time data flow between ports in order to build the East-West firewall rules. vRealize Network Insight observes the traffic patterns and, based on the captured data flows, makes recommendations to secure workloads for East-West communication. Current firewall rules and micro-segmentation can also be verified against the observed flows.

Scenario 2 (Greenfield): Customer ABC has a new deployment project for DevOps and does not yet know what the immediate firewall rules or recommendations would be. Using vRealize Network Insight we can immediately start to monitor the real-time data flow as each deployment and development unfolds. Based on the DevOps information we can apply the firewall rules at the QA stage and prepare for testing, to ensure that when we move workloads into production we have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or plan the East-West firewall rules. The process of planning security only relies on IPFIX at the vDS layer in order to capture and observe data flow between ports. Enforcing the recommended rules does require a firewall, for example the NSX Distributed Firewall to which the rules can be exported.

This Module contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion


Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1 Select the vRNI shortcut on the Favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue


Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1 Type plan security (the search bar uses auto-fill and predictive text will appear as you type)

2 Select the Time icon

Plan Security - Specify a Preset

1 Select Presets
2 Select Last Week
3 Click the search icon to continue


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to help understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained by letter below. Use these as a reference and do not click on the links at this stage.

• A - The sum of all traffic flows, with the percentage shown as East-West only traffic
• B - The percentage of traffic that was switched
• C - The percentage of traffic that is routed between the East-West ports
• D - Virtual machine to virtual machine traffic as a percentage of the sum in point A
• E - Traffic observed between virtual machines on the same host
• F - Traffic that requires Internet access

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple: source IP, source port, destination IP, destination port and protocol. Because the source port is one of the five, every time a new TCP connection is established and terminated a new session is recorded.

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one by ignoring the source port, which is dynamic, drawn from a wide range and keeps changing. As long as multiple sessions have the same source IP, the same destination IP, the same destination port and the same protocol, they are combined into one record called a flow.

So thousands of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise the number of sessions per day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation: a firewall rule is written in terms of source, destination, destination port and protocol, exactly the fields a flow keeps.

To see statistics of these flows, such as bytes transferred or number of sessions (or to use these counters with other query operations for higher-level analysis, for example the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used:

Counter names

• allowed sessions - count of sessions (5-tuples) corresponding to a flow (4-tuple)
• bytes - total traffic volume exchanged on the flow (the sum of the two counters below)
• src bytes - total bytes sent by the src_ip of the flow to dst_ip/port/protocol
• dst bytes - total bytes received by the src_ip of the flow from dst_ip/port/protocol
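The session-to-flow aggregation and the four counters just described, as an added example in Python (not vRealize Network Insight code): the Session record layout, the IP addresses and the byte counts are constructed for illustration, and real IPFIX records carry more fields than are modelled here.

```python
# Added example (not vRealize Network Insight code): aggregate 5-tuple
# sessions into 4-tuple flows and compute the counters described above.
# The Session record layout and the sample data are constructed for
# illustration; real IPFIX records carry more fields.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Session:
    """One 5-tuple session plus the bytes each side sent (constructed layout)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    src_bytes: int  # bytes sent by src_ip toward dst_ip:dst_port
    dst_bytes: int  # bytes sent back to src_ip by dst_ip:dst_port


# A flow key drops the source port: (src_ip, dst_ip, dst_port, protocol).
FlowKey = Tuple[str, str, int, str]


@dataclass
class Flow:
    key: FlowKey
    allowed_sessions: int = 0
    src_bytes: int = 0
    dst_bytes: int = 0

    @property
    def bytes(self) -> int:
        """The 'bytes' counter is the sum of src bytes and dst bytes."""
        return self.src_bytes + self.dst_bytes


def aggregate_flows(sessions: Iterable[Session]) -> Dict[FlowKey, Flow]:
    """Collapse sessions into flows, accumulating the per-flow counters."""
    flows: Dict[FlowKey, Flow] = {}
    for s in sessions:
        key: FlowKey = (s.src_ip, s.dst_ip, s.dst_port, s.protocol)
        flow = flows.setdefault(key, Flow(key))
        flow.allowed_sessions += 1      # one more 5-tuple behind this 4-tuple
        flow.src_bytes += s.src_bytes
        flow.dst_bytes += s.dst_bytes
    return flows


def outgoing_bytes_by_destination(flows: Dict[FlowKey, Flow], src_ip: str) -> Dict[str, int]:
    """Distribution of one machine's outgoing flows by destination IP, the
    kind of higher-level analysis the counters make possible."""
    dist: Dict[str, int] = defaultdict(int)
    for flow in flows.values():
        if flow.key[0] == src_ip:
            dist[flow.key[1]] += flow.bytes
    return dict(dist)


# Constructed sample: three SSH sessions (different source ports) and two
# DNS lookups, all originating from 10.0.1.10.
SAMPLE_SESSIONS = [
    Session("10.0.1.10", 51234, "10.0.2.20", 22, "TCP", 4200, 18000),
    Session("10.0.1.10", 51240, "10.0.2.20", 22, "TCP", 3900, 15500),
    Session("10.0.1.10", 51377, "10.0.2.20", 22, "TCP", 5100, 22000),
    Session("10.0.1.10", 40001, "10.0.0.53", 53, "UDP", 70, 130),
    Session("10.0.1.10", 40002, "10.0.0.53", 53, "UDP", 68, 140),
]

if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_SESSIONS)
    for key, flow in sorted(flows.items()):
        print(key, "sessions:", flow.allowed_sessions, "bytes:", flow.bytes)
    print(outgoing_bytes_by_destination(flows, "10.0.1.10"))
```

The only thing that decides whether two records belong to the same flow is the four-field key; the source port is deliberately left out, which is what collapses the three SSH sessions into a single flow with an allowed sessions count of 3 and the two DNS lookups into a second flow.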

1 Click on the East-West traffic block

This will bring a new window into view with a detailed analysis of the traffic.


East-West (EW) - Detailed view

This is only a few of the 1653 flows, but the detailed views and filters can be used to narrow down to more specific information.

A - Without clicking (just hover) on the time line to see the rate of flow indicated by the green line for that period.

1 Click the close icon (x) to continue

Services/Ports

Locating the Services screen for the next step

Services/Ports - Time line view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The Services view is used to observe the flows for each service and to analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1 Click Show Data


ServicesPorts - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be read by hovering over a particular section.

1 Hover over the blue block above port 5443 and notice that it presents, on demand, the sum total of flows for the last 24 hours in Gigabytes (GB) communicating over port 5443

2 Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information


Flows for Port 5443

Communicating over port 5443 for the last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to narrow the view to a more specific result type.

1 Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 to Prod-DB-2 may be the seventh flow entry)

Flow Key Properties - Timeline view

Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1 Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time

Flow Key Properties - Timeline view

1 Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows)


Micro-Segments

The screen should now be back on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how it can be used to track flows between two or more points.

Note: segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1 Select Last 1 Day (to clear the previous data range)
2 Select the drop down box and then select by Subnet
3 We can further analyze micro-segments by secondary groups (this step is for information only)
4 Click Analyze to populate the data


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this immediately highlights all flows and sessions from and to this network segment. Other traffic will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the Internet and other subnets. The number in parentheses after the network indicates the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLANVXLAN

To track flows between Prod-Web and Prod-Midtier we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1 From the filter drop down, select the VLAN/VXLAN option (the view will update automatically)


Focus - Prod-Web (25)

1 Hover over Prod-Web
2 Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why
3 Click on the line joining Prod-Web and Prod-Midtier

Flows - Prod-Web to Prod-Midtier

( A ) - We have at this point identified 14 unique endpoints or flows that are communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or any other construct that can be defined.

1 Click on the recommended firewall rules

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG Prod-Midtier. Because the recommendation is derived only from traffic observed in the selected time range, a service that did not communicate during that window gets no rule and would be blocked once the rule set is enforced with a default deny; that is why a long enough observation period (Last Week was selected above) matters.

1 Click the close icon (x) to continue


Multiple Ports and Firewall rules for Prod-web

1 Click on the Prod-Web group

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1 Click on Services. In this group, 50 unique service endpoints or flows that are communicated by or to potential security groups are mapped, with traffic rates included

2 Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS, etc.)

3 Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which include 17 external services with 425 flows, this observation metric determines that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group

4 Click the close icon (x) to continue
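The step from observed flows to recommended rules, as shown above for Prod-Web to Prod-Midtier and here for the whole Prod-Web group, as an added example in Python (not vRNI's own algorithm, which this page does not describe): security groups, IP addresses, ports and session counts are constructed, and an IP with no group membership is treated as an external service (DNS, an Internet client, a physical host).

```python
# Added example (not vRealize Network Insight code): derive recommended
# allow rules for a security group from observed flows. Group names, IPs,
# ports and session counts are constructed; this is the generic grouping
# step, not vRNI's own recommendation logic.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# IP -> security group (constructed). An IP with no membership is treated as
# an external service: DNS, Internet clients, physical hosts.
GROUP_OF: Dict[str, str] = {
    "10.10.1.11": "Prod-Web", "10.10.1.12": "Prod-Web",
    "10.10.2.21": "Prod-Midtier", "10.10.2.22": "Prod-Midtier",
    "10.10.3.31": "Prod-DB",
}

# Observed 4-tuple flows: (src_ip, dst_ip, dst_port, protocol, allowed sessions).
FLOWS: List[Tuple[str, str, int, str, int]] = [
    ("10.10.1.11", "10.10.2.21", 8080, "TCP", 120),
    ("10.10.1.12", "10.10.2.21", 8080, "TCP", 95),
    ("10.10.1.12", "10.10.2.22", 8080, "TCP", 88),
    ("10.10.2.21", "10.10.3.31", 5443, "TCP", 40),
    ("10.10.2.22", "10.10.3.31", 5443, "TCP", 37),
    ("10.10.1.11", "10.10.0.53", 53, "UDP", 300),
    ("10.10.1.12", "10.10.0.53", 53, "UDP", 280),
    ("203.0.113.7", "10.10.1.11", 443, "TCP", 1500),  # Internet client
]

EXTERNAL = "External"
# A rule is (src_group, dst_group, dst_port, protocol); the action is ALLOW.
Rule = Tuple[str, str, int, str]


def group_for(ip: str) -> str:
    return GROUP_OF.get(ip, EXTERNAL)


def recommend_rules(flows: List[Tuple[str, str, int, str, int]]) -> Dict[Rule, dict]:
    """Collapse flows into group-to-group allow rules. Each rule records how
    many flows, sessions and unique service endpoints justify it, so an
    unexpected rule can be traced back to the traffic that produced it."""
    rules: Dict[Rule, dict] = defaultdict(
        lambda: {"flows": 0, "sessions": 0, "endpoints": set()})
    for src, dst, port, proto, sessions in flows:
        rule: Rule = (group_for(src), group_for(dst), port, proto)
        rules[rule]["flows"] += 1
        rules[rule]["sessions"] += sessions
        rules[rule]["endpoints"].add((dst, port, proto))  # unique service endpoint
    return dict(rules)


def rules_for_group(rules: Dict[Rule, dict], group: str) -> Dict[Rule, dict]:
    """Rules where the group is source or destination: the 'Keep Focus' view."""
    return {r: info for r, info in rules.items() if group in (r[0], r[1])}


def external_services_accessed(rules: Dict[Rule, dict], group: str) -> Set[Tuple[int, str]]:
    """Ports/protocols the group reaches outside any security group."""
    return {(r[2], r[3]) for r in rules if r[0] == group and r[1] == EXTERNAL}


def format_rule(rule: Rule, info: dict) -> str:
    src, dst, port, proto = rule
    return f"ALLOW {src} -> {dst} {proto}/{port}  ({info['flows']} flows, {info['sessions']} sessions)"


if __name__ == "__main__":
    recommended = recommend_rules(FLOWS)
    for rule, info in sorted(recommended.items()):
        print(format_rule(rule, info))
    print("Prod-Web external services:", external_services_accessed(recommended, "Prod-Web"))
```

Because the recommendations come purely from observed traffic, any unwanted session that happened to be present during the observation window (the Internet client reaching Prod-Web on 443 in the sample is legitimate here, but need not be) shows up as a candidate allow rule; the per-rule flow and session counts are what let you review each rule before exporting it.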

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1 Under Micro-segments, click on the dropdown which says by VLAN/VXLAN
2 Click on by Application

1 Hover over Prod-App (47) (do not click at this stage)
2 Click on Keep Focus

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1 In the search bar type Application
2 Click the Search button

1 The Application search will return 4 entities, i.e. applications already created in the system for you

2 This page also lets you create a new application: click on Add Application


1 Under Application Name type HOL-Pre-Prod
2 Under Tier type the Name as HOL-Pre-Prod
3 Our search criteria will be based on VM names: under Virtual Machines / IP Addresses type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you)
4 Do not Save. Click Cancel, which will take you to the previous screen

1 Here you can see the number of entities has increased by 1, i.e. 5 entities
2 You can also see HOL-Pre-Prod in the list

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab)

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security groups and parameters that are in place, and need a lot more detail about container topology before executing or planning micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1 Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill and predictive text will appear as you type)

2 Click search to continue


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and once completed:

1 Click the close icon (x) to continue

Results - PROD_MIDTIER

The search results from the query will show Prod_MidTier at the top of the screen. The result also displays the Translated VM Count and any rules associated.

1 Click on Prod_MidTier to continue

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group page provides a detailed view of the selected security group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view shows the point-in-time state of the security group, and filters can be used to focus further on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier


(B) The Security Group Container Topology on the right will show any and all child and parent groups in relation to Prod_MidTier. This identifies the nesting and hierarchy of security groups.


1 Click and select the Prod_Web to Prod_Midtier rule (this will launch a pop-up screen covered in the next step)

1 In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_MidTier and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2 Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise


Tracking Prod_MidTier

1 Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_MidTier:

A Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes have on this security group

B Current Security Group Configuration and Firewall Rules Count - provides further assistance in managing the endpoints

C Visibility of the Virtual Machines in Security Groups - ensures that we manage our workloads and segmentation with the correct level of efficiency

D Indirect Firewall Rules - shows the inherited impact and the relationships leading to Prod_MidTier

E Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment


This module has explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segmentation of a virtual machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2 Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen

Lab-Midtier

1 Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2 When you are done with the current view, close this tab in Chrome and return to the original view

Firewall Rule - Tracking

Using the search bar we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1 Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses auto-fill and predictive text will appear as you type)

2 Click search to continue

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight they can offer.

1 Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information

2 Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point

3 For the next step we will return to the top search bar

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what firewall membership changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1 Type:

Firewall Rule Membership Change

2 Select the Date/Time window
3 Click Between and select the date range from June 30 to July 31 (the lab uses static data, so this range ensures you see all the changes)
4 Click search

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change tracking process, to understand exactly why, when and how firewall rules changed. A membership change alters the set of VMs a rule applies to without the rule itself being edited, which is why reviewing rule definitions alone is not enough.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
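What a change made "directly or indirectly" means for a rule, as an added example in Python (not vRNI code): two constructed snapshots of security-group membership, with one group nested inside another, are compared to find which rules' effective (translated) VM sets changed and whether the rule's own group was edited or the change arrived through a nested group. The group names, VM names and rules are constructed, and the data model is a simplification of NSX security groups.

```python
# Added example (not vRealize Network Insight code): work out which firewall
# rules are affected, directly or indirectly, when security-group membership
# changes between two snapshots. Group names, VM names and rules are
# constructed; the data model is a simplification of NSX security groups.
from typing import Dict, FrozenSet, List, Set

# Group name -> members. A member is a VM name or, for nesting, another group.
Groups = Dict[str, Set[str]]


def resolve_vms(groups: Groups, name: str, path: FrozenSet[str] = frozenset()) -> Set[str]:
    """Translated VM set of a group, following nested groups; a cycle of
    nested groups is cut rather than recursed into forever."""
    if name in path:
        return set()
    vms: Set[str] = set()
    for member in groups.get(name, set()):
        if member in groups:                     # nested security group
            vms |= resolve_vms(groups, member, path | {name})
        else:                                    # leaf VM
            vms.add(member)
    return vms


def membership_changes(before: Groups, after: Groups, rules: List[dict]) -> List[dict]:
    """For every rule, report VMs that entered or left its source or
    destination group. A change is 'direct' when the rule's own group was
    edited and 'indirect' when it came through a nested group."""
    report: List[dict] = []
    for rule in rules:
        for side in ("src", "dst"):
            group = rule[side]
            old, new = resolve_vms(before, group), resolve_vms(after, group)
            if old == new:
                continue
            direct = before.get(group, set()) != after.get(group, set())
            report.append({
                "rule": rule["name"], "side": side, "group": group,
                "added": sorted(new - old), "removed": sorted(old - new),
                "change": "direct" if direct else "indirect",
            })
    return report


# Constructed snapshots: Prod-Web-9 joins Prod_Web; Prod_App nests Prod_Web.
BEFORE: Groups = {
    "Prod_Web": {"Prod-Web-1", "Prod-Web-2"},
    "Prod_MidTier": {"Lab-Midtier-1"},
    "Prod_App": {"Prod_Web", "Prod_MidTier"},
}
AFTER: Groups = {
    "Prod_Web": {"Prod-Web-1", "Prod-Web-2", "Prod-Web-9"},
    "Prod_MidTier": {"Lab-Midtier-1"},
    "Prod_App": {"Prod_Web", "Prod_MidTier"},
}
RULES = [
    {"name": "Prod_Web to Prod_MidTier", "src": "Prod_Web", "dst": "Prod_MidTier", "service": "TCP/8080"},
    {"name": "Prod_App to Prod_DB", "src": "Prod_App", "dst": "Prod_DB", "service": "TCP/5443"},
]

if __name__ == "__main__":
    for change in membership_changes(BEFORE, AFTER, RULES):
        print(change)
```

Only Prod_Web was edited, yet two rules change: the Prod_Web rule directly, and the Prod_App rule indirectly because Prod_App nests Prod_Web. Nobody touched the second rule or its group, which is exactly the case the membership-change search is there to surface.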


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured in this lab, the results will not be actioned as this is static data only. This section will show how easy it is to report on any firewall rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1 Click the Notifications icon to create an event. The notifications screen will pop up

2 Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need this information in order to save the alert and view it in later steps

3 Once completed, click Save


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters by using the Settings page. Changes can be configured to notify members of the event group based on user preference. The event that you created can now be tracked by using the search bar at the top of the screen.

1 Click in the search bar and type Settings
2 Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification Firewall Rule Membership Change)
3 Info only - do not click - View, Edit or Activate any notifications

Note that we have 2 types of notification: User-defined and System Events

4 Click System Events


System Notifications

System Events consist of 103 pre-configured default alerts. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: security must be consistent in the face of constant change
• Ubiquity: security must be available everywhere
• Extensibility: security must adapt to new situations

For additional information about the functionality showcased in this module visit www.vmware.com

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab click on the END button, or click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface, which simplifies problem determination and gives visibility of the firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1 Open Chrome on the Control Center Desktop

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1 Select the vRNI shortcut on the Favorites bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1 Click on Path and Topology
2 Click on Path

Path - Select source and destination

In the pop-up box:

1 Click on the grey field below Source
2 Type dba into the source field and DBAdmin-VM1 will appear
3 Click on DBAdmin-VM1 to select it


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1 Type prod in the destination field and the list of available options will appear

2 Select Prod-Db-2

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1 Click on Submit

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square: the virtual machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the virtual machine details in it. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall in use on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. vRealize Network Insight shows only the firewall rules applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but these are the ones affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, for example when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse over) the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, as well as Hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (Path Topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components used in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual understanding of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the Edge services.


Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all the Edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this Edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter's VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for Web and Midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
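The three queries above reproduce, in the vRNI search bar, a check a defender can also run offline against exported rules and flow records. The following Python block is an added example, not vRNI code and not part of the lab: it models the CRM instances with allow-only security groups (AWS semantics, where a flow with no matching outbound rule on the source group and inbound rule on the destination group is implicitly denied), lists the flows the application design in this module requires, and reports which designed flows the rules deny and which were never observed. The instance names follow the lab; the addresses, group names, rules and observed flow records are constructed, and the rule set is deliberately written with the database group's outbound port 514 rule missing, matching the scenario.

```python
"""Audit a three-tier application's designed flows against allow-only
security-group rules and against observed flow records.
All data below is constructed for the example; it is not vRNI output."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound", relative to the group's members
    port: int       # destination port the rule permits
    cidr: str       # remote network the rule applies to


# Constructed instances: name -> (address, security group). Names follow the lab.
INSTANCES = {
    "jump-box":       ("10.0.0.10", "sg-jump"),
    "crm-web1":       ("10.0.1.10", "sg-web"),
    "crm-app1":       ("10.0.2.10", "sg-app"),
    "crm-database":   ("10.0.3.10", "sg-db"),
    "aws-dns-server": ("10.1.0.53", "sg-shared"),
    "aws-log-server": ("10.1.0.14", "sg-shared"),
}

# Constructed security groups. Like AWS security groups they are allow-only:
# a flow passes only if the source group has a matching outbound rule AND the
# destination group has a matching inbound rule; anything else is denied.
SECURITY_GROUPS = {
    "sg-jump": [Rule("outbound", 80, "10.0.1.0/24"), Rule("outbound", 22, "10.0.0.0/16")],
    "sg-web": [Rule("inbound", 80, "10.0.0.0/16"), Rule("inbound", 22, "10.0.0.10/32"),
               Rule("outbound", 8080, "10.0.2.0/24"),
               Rule("outbound", 53, "10.1.0.0/24"), Rule("outbound", 514, "10.1.0.0/24")],
    "sg-app": [Rule("inbound", 8080, "10.0.1.0/24"), Rule("inbound", 22, "10.0.0.10/32"),
               Rule("outbound", 3306, "10.0.3.0/24"),
               Rule("outbound", 53, "10.1.0.0/24"), Rule("outbound", 514, "10.1.0.0/24")],
    "sg-db": [Rule("inbound", 3306, "10.0.2.0/24"), Rule("inbound", 22, "10.0.0.10/32"),
              Rule("outbound", 53, "10.1.0.0/24")],  # outbound 514 was never added
    "sg-shared": [Rule("inbound", 53, "10.0.0.0/16"), Rule("inbound", 514, "10.0.0.0/16")],
}

# Flows the application design requires: (source, destination, port)
EXPECTED_FLOWS = [
    ("jump-box", "crm-web1", 80),
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    ("jump-box", "crm-database", 22),
    ("crm-web1", "aws-log-server", 514),
    ("crm-database", "aws-dns-server", 53),
    ("crm-database", "aws-log-server", 514),
]

# Constructed flow records, as a flow collector would report them
OBSERVED_FLOWS = {
    ("jump-box", "crm-web1", 80), ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306), ("jump-box", "crm-database", 22),
    ("crm-web1", "aws-log-server", 514), ("crm-database", "aws-dns-server", 53),
}


def _matches(rule, direction, port, remote_ip):
    return (rule.direction == direction and rule.port == port
            and ip_address(remote_ip) in ip_network(rule.cidr))


def firewall_action(src, dst, port):
    """Return ("ALLOW", []) or ("DENY", [reasons]) for src -> dst:port."""
    src_ip, src_sg = INSTANCES[src]
    dst_ip, dst_sg = INSTANCES[dst]
    reasons = []
    if not any(_matches(r, "outbound", port, dst_ip) for r in SECURITY_GROUPS[src_sg]):
        reasons.append(f"{src_sg} has no outbound rule for {dst_ip}:{port}")
    if not any(_matches(r, "inbound", port, src_ip) for r in SECURITY_GROUPS[dst_sg]):
        reasons.append(f"{dst_sg} has no inbound rule from {src_ip} on port {port}")
    return ("ALLOW", []) if not reasons else ("DENY", reasons)


def audit(expected=EXPECTED_FLOWS):
    """Designed flows the rules would deny, with the group(s) responsible."""
    findings = []
    for src, dst, port in expected:
        action, reasons = firewall_action(src, dst, port)
        if action == "DENY":
            findings.append((src, dst, port, reasons))
    return findings


def missing_flows(expected=EXPECTED_FLOWS, observed=OBSERVED_FLOWS):
    """Designed flows never seen in the flow records, with the firewall verdict."""
    return [(s, d, p, firewall_action(s, d, p)[0])
            for s, d, p in expected if (s, d, p) not in observed]


if __name__ == "__main__":
    for src, dst, port, verdict in missing_flows():
        print(f"no flow seen: {src} -> {dst}:{port} (firewall: {verdict})")
    for src, dst, port, reasons in audit():
        print(f"DENY {src} -> {dst}:{port}: " + "; ".join(reasons))
```

Running the block reports the single gap: crm-database to aws-log-server on port 514 is both absent from the observed flows and denied, because sg-db has no outbound rule for it, while the equivalent flow from crm-web1 is allowed. Checking both directions matters, since either side's group can stop a flow, and the reason list names the group to fix.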


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


• Table of Contents
• Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
  • Lab Guidance
    • Location of the Main Console
    • Alternate Methods of Keyboard Data Entry
    • Click and Drag Lab Manual Content Into Console Active Window
    • Accessing the Online International Keyboard
    • Click once in active console window
    • Click on the @ key
    • vRealize Network Insight - Navigation
    • Activation Prompt or Watermark
    • Look at the lower right portion of the screen
• Module 1 - Micro-Segmentation and Security (30 minutes)
  • Introduction
  • Micro-Segmentation Introduction
    • Lab Status Check
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • Plan Security
    • Plan Security - Specify a Preset
    • Overview - Traffic Distribution (Left Pane)
    • Traffic Distribution - Overview (Right pane)
    • East-West (EW) - Traffic
    • East-West (EW) - Detailed view
    • Services/Ports
    • Services/Ports - Time line view
    • Services/Ports - Point in Time Service
    • Flows for Port 5443
    • Flow Key Properties - Timeline view
    • Flow Key Properties - Timeline view
    • Micro-Segments
    • Focus - 101780 Network
    • Focus - VLAN/VXLAN
    • Focus - Prod-Web (25)
    • Flows - Prod-Web to Prod-Midtier
    • Flows - Recommended Firewall Rules
    • Multiple Ports and Firewall rules for Prod-web
    • Services and Flows for Prod-Web
    • Application-Centric Micro-Segmentation
    • Define an Application
    • Security Group Prod_MidTier
    • Results - PROD_MIDTIER
    • Security Group Prod_MidTier - Timeline
    • Security Group Firewall Topology
    • Tracking Prod_MidTier
    • Lab-Midtier
    • Firewall Rule - Tracking
    • Port Search
    • Export Firewall Rules
    • Firewall Rule Membership Change
    • Audit Rule - Firewall Rule Membership Changes
    • User-defined Event
    • Settings
    • System Notifications
  • Conclusion
    • For More Information
    • How to End Lab
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
  • Introduction
  • 360 Network Visibility and Troubleshooting
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • Path and Topology
    • Path - Select source and destination
    • Path - source and destination continued
    • Path - source and destination continued
    • Searching for path
    • VM Path Topology and VM Underlay
    • VM Path Topology - Path Details
    • Component Overview
    • Virtual Machine - Details
    • Physical ESXi Hosts
    • Host - Details
    • DVPG on the map
    • DVPG
    • VLAN-629 on the map
    • VLAN Network
    • Switch ports on the map
    • Switch Port
    • Physical VRF on the map
    • VRF - Physical Switch
    • VRF - continued
    • VRF - Physical Router
    • VRF - continued
    • VRF - Physical Switch
    • Accessing the virtual infrastructure
    • VRF - NSX Provider Edge 1
    • VXLAN on the map
    • VXLAN Network
    • VRF - LDR
    • VRF - LDR-Corporate
    • Routing - NSX Firewall
    • Firewall - NSX
    • Redirect on the map - PAN Firewall
    • Firewall - PAN
    • Reversing the analysis
    • Reversing the analysis continued
    • VM Underlay
  • Conclusion
    • For More Information
    • How to End Lab
• Module 3 - Advanced NSX Management & Operations (45 minutes)
  • Introduction
  • NSX Advanced Management Operations
    • Lab Status Check
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • Search Bar - NSX Manager
    • NSX Manager Information
    • Timeline - Visual Build-up
    • Topology - Focus on the NSX Controller
    • NSX Controller - Detail
    • Topology - Explained
    • Provider Edge
    • Routers Provider Edge 4
    • Return to Search View - NSX Manager
    • Infrastructure Problems - Warning Moderate
    • Warning/Moderate Issues
    • Warning/Moderate Issues (Continued)
  • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
  • Conclusion
    • For More Information
    • How to End Lab
• Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
  • Introduction
  • Introduction to Managing Security for Public Clouds (AWS)
    • Lab Status Check
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • AWS Configuration
    • Plan Security - AWS Cloud
    • Exploring the Three Tier Application - Step by Step
    • Firewall Queries for CRM Application
  • Conclusion
    • For More Information
    • How to End Lab
• Conclusion

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.



Click once in active console window

In this example you will use the Online Keyboard to enter the @ sign used in email addresses. The @ sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.

Click on the @ key

1. Click on the @ key.

Notice the @ sign entered in the active console window.


vRealize Network Insight - Navigation

• 1 - HOME - Use this if you need to return to the original navigation and search screen.
• 2 - Navigation Pane
• 3 - Search Bar, including time line
• 4 - Detail & Information Pane
• 5 - Alerts, Pinboards, Settings

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.


Look at the lower right portion of the screen

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than Ready, please wait a few minutes. If after 5 minutes your lab has not changed to Ready, please ask for assistance.


Module 1 - Micro-Segmentation and Security (30 minutes)


Introduction

When mid to large-sized enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on networks. The most challenging part is knowing what information is required to get started, how to locate the information and traffic flow, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. This process automatically generates a recommended model for security groups and specific firewalling rules for each group. This makes life much easier for Security Architects and Engineers.

vRealize Network Insight (vRNI) relies on the use of an IPFIX collector at the Virtual Distributed Switch layer to capture data flows. We enable IPFIX at the Virtual Distributed Switch layer for the ESXi hosts to forward IPFIX UDP packets to the vRealize Network Insight appliance. The data capture will enable real-time data flow for all port traffic and provide further filtering capabilities in order to explore East-West traffic.

We have two scenarios to help explain how vRealize Network Insight can be utilized to ensure we have full visibility and granular control to deploy firewall rules, in order to complete micro-segmentation without guessing.

Scenario 1 (Brown Field deployment): Customer ABC bought ESXi and NSX and does not have a clear understanding of how to operationally deploy existing workloads with East-West firewall protection, or how to segment the workload. The client will now use vRealize Network Insight to observe the real-time data flow between ports in order to build the East-West firewall rules. The vRealize Network Insight process will observe the traffic patterns based on the captured data flow; recommendations will then be made in order to secure workloads for East-West communication. Current firewall and micro-segmentation can also be verified.

Scenario 2 (Green Field): Customer ABC has a new deployment project for DevOps and would not know what the immediate firewall rules or recommendations would be. Using vRealize Network Insight we could immediately start to monitor the real-time data flow as each deployment and development unfolds. Based on the DevOps information we can now apply the firewall rules at the Q&A stage and prepare for testing, to ensure that when we move workloads into Production we will have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or implement successful East-West firewall rules. The process of planning security only relies on IPFIX at the vDS layer in order to capture and observe data flow between ports.

This Module contains the following lessons:


• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion


Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the Favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.


Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type plan security (the search bar uses Auto Fill and predictive text will appear as you type).

2. Select the Time Icon.

Plan Security - Specify a Preset

1. Select Presets.
2. Select Last Week.
3. Click the search icon to continue.


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to help understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic distribution section is explained in a lettered format below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West-only traffic.
• B - This indicates the percent of traffic that was switched.
• C - The percentage of traffic that is routed between the East-West ports.
• D - This indicates Virtual Machine to Virtual Machine traffic as a percentage of the sum in point number 1.
• E - Traffic observed between virtual machines on the same host.
• F - Traffic that requires internet access.

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuples, which means every time a new TCP connection is established and terminated a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic (wide range) and keeps on changing. As long as multiple sessions have the same source IP, same destination IP, same destination port and same protocol, they will be combined into one record called a flow.

So 1000s of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for other higher-level analysis, like determining the distribution of a virtual machine's outgoing flow by destination IP), the following metric counters can be used.

Counter names:

• allowed sessions: count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes: total traffic volume exchanged on the flow (this is the sum of the two counters described below)
• src bytes: total bytes sent by src_ip of the flow to dst_ip/port/protocol
• dst bytes: total bytes received by src_ip of the flow from dst_ip/port/protocol
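The session-to-flow aggregation and the four counters just described, as an added Python example (not vRealize Network Insight code): sessions carry the source port, flows drop it, and allowed sessions, src bytes, dst bytes and bytes are accumulated per flow. The session records and IP addresses below are constructed for illustration; port 5443 is the port the lab traces.

```python
"""Aggregate 5-tuple sessions into 4-tuple flows and compute the per-flow counters
the lab describes (allowed sessions, bytes, src bytes, dst bytes).

Added example for this lab guide, not vRealize Network Insight code; the session
records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# A flow key is the 4-tuple that remains after dropping the source port.
FlowKey = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, protocol)


@dataclass(frozen=True)
class Session:
    """One 5-tuple session: every new TCP connection gets a fresh source port,
    so it is recorded as a separate session."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    src_bytes: int  # bytes sent by src_ip to dst_ip/port/protocol
    dst_bytes: int  # bytes received by src_ip back from dst_ip/port/protocol


@dataclass
class Flow:
    """Aggregate of all sessions sharing one FlowKey, with the lab's counters."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    allowed_sessions: int = 0
    src_bytes: int = 0
    dst_bytes: int = 0

    @property
    def bytes(self) -> int:
        # "bytes" is defined as the sum of the two directional counters.
        return self.src_bytes + self.dst_bytes


def aggregate_flows(sessions: Iterable[Session]) -> Dict[FlowKey, Flow]:
    """Collapse sessions into flows: same src IP, dst IP, dst port and protocol
    become one record, regardless of source port."""
    flows: Dict[FlowKey, Flow] = {}
    for s in sessions:
        key: FlowKey = (s.src_ip, s.dst_ip, s.dst_port, s.protocol)
        flow = flows.setdefault(key, Flow(*key))
        flow.allowed_sessions += 1
        flow.src_bytes += s.src_bytes
        flow.dst_bytes += s.dst_bytes
    return flows


def outgoing_bytes_by_destination(flows: Dict[FlowKey, Flow], src_ip: str) -> Dict[str, int]:
    """The 'higher-level analysis' the text mentions: distribution of one
    machine's outgoing traffic volume by destination IP, built from flow counters."""
    dist: Dict[str, int] = defaultdict(int)
    for flow in flows.values():
        if flow.src_ip == src_ip:
            dist[flow.dst_ip] += flow.bytes
    return dict(dist)


# Constructed sample: three TCP connections from one VM to another on port 5443,
# two DNS lookups, and one connection from a second VM. The addresses are
# placeholders, not the lab's real addressing.
SESSIONS: List[Session] = [
    Session("10.0.0.3", 49152, "10.0.0.2", 5443, "TCP", 1200, 8800),
    Session("10.0.0.3", 49153, "10.0.0.2", 5443, "TCP", 900, 4100),
    Session("10.0.0.3", 49160, "10.0.0.2", 5443, "TCP", 300, 1500),
    Session("10.0.0.3", 53011, "10.0.0.53", 53, "UDP", 64, 128),
    Session("10.0.0.3", 53012, "10.0.0.53", 53, "UDP", 64, 140),
    Session("10.0.0.7", 41000, "10.0.0.2", 5443, "TCP", 500, 2000),
]


if __name__ == "__main__":
    flows = aggregate_flows(SESSIONS)
    for key, f in sorted(flows.items()):
        print(f"{key}: allowed sessions={f.allowed_sessions} bytes={f.bytes} "
              f"src bytes={f.src_bytes} dst bytes={f.dst_bytes}")
    print(outgoing_bytes_by_destination(flows, "10.0.0.3"))
```

Six sessions collapse into three flows; the three port-5443 connections from 10.0.0.3 become one flow with allowed sessions 3 and bytes 16800.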

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.


East-West (EW) - Detailed view

These are only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the time line, see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports


Locating the Services screen for the next step.

Services/Ports - Time line view

Plan security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the plan security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be delivered by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

For traffic communicating over port 5443 for the Last 24 hours, we now have a detailed understanding of how the 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on the 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the plan security layout screen (once you have finished viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the plan security screen, marked Micro Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that will focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To track flows between Prod-Web and Prod-Midtier, we will be switching from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down select the VLAN/VXLAN option (the view will automatically update).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by/over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Due to the flow observation metrics, the recommendation is (ALLOWED) on Port 8080 between SG Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.
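The recommendation above (one ALLOW rule on port 8080 between Prod-Web and Prod-Midtier) and the OUTGOING / INCOMING / BIDIRECTIONAL colouring of the Keep Focus view both come from grouping observed VM-to-VM flows by the micro-segment each VM belongs to. The following Python is an added example (not vRealize Network Insight code) that performs that grouping over constructed flow records, using segment names from the lab; it also checks an existing rule set against the observed flows, which is the "verify current micro-segmentation" step of Scenario 1.

```python
"""From observed VM-to-VM flows, derive the per-segment firewall picture the lab
shows: which peer segments are OUTGOING / INCOMING / BIDIRECTIONAL for a focused
segment, the recommended ALLOW rules between segments, and a check of an existing
rule set against the observed flows.

Added example for this lab guide, not vRealize Network Insight code. The VM-to-segment
mapping and the flow records are constructed; segment names follow the lab.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (src vm, dst vm, dst port, protocol, allowed sessions): a 4-tuple flow with its counter
FlowRecord = Tuple[str, str, int, str, int]
Rule = Dict[str, object]

# Constructed: the micro-segment (here a VLAN/VXLAN group) each VM belongs to.
SEGMENTS: Dict[str, str] = {
    "Prod-Web-1": "Prod-Web", "Prod-Web-2": "Prod-Web",
    "Prod-Midtier-1": "Prod-Midtier", "Prod-Midtier-2": "Prod-Midtier",
    "Prod-DB-2": "Prod-DB", "Prod-DB-3": "Prod-DB",
    "dns-1": "Shared Services",
}

# Constructed flows observed over the analysis window.
FLOWS: List[FlowRecord] = [
    ("Prod-Web-1", "Prod-Midtier-1", 8080, "TCP", 1200),
    ("Prod-Web-2", "Prod-Midtier-2", 8080, "TCP", 950),
    ("Prod-Midtier-1", "Prod-DB-2", 5443, "TCP", 400),
    ("Prod-DB-3", "Prod-DB-2", 5443, "TCP", 2100),
    ("Prod-Web-1", "dns-1", 53, "UDP", 80),
    ("Prod-Midtier-1", "dns-1", 53, "UDP", 60),
    ("Prod-DB-2", "Prod-Midtier-1", 9090, "TCP", 10),
]


def recommend_rules(flows: List[FlowRecord], segments: Dict[str, str]) -> List[Rule]:
    """One ALLOW rule per (src segment, dst segment, port, protocol) seen in the flows.
    Flows that stay inside a segment are kept too, so the caller can decide whether
    intra-segment traffic needs its own rule."""
    sessions_per_rule: Dict[Tuple[str, str, int, str], int] = defaultdict(int)
    for src, dst, port, proto, sessions in flows:
        sessions_per_rule[(segments[src], segments[dst], port, proto)] += sessions
    return [
        {"action": "ALLOW", "src": s, "dst": d, "port": p, "protocol": pr, "sessions": n}
        for (s, d, p, pr), n in sorted(sessions_per_rule.items())
    ]


def peer_directions(flows: List[FlowRecord], segments: Dict[str, str], focus: str) -> Dict[str, str]:
    """Keep Focus on one segment: label every other segment it talks to as
    OUTGOING, INCOMING or BIDIRECTIONAL relative to the focused segment."""
    outgoing, incoming = set(), set()
    for src, dst, *_ in flows:
        src_seg, dst_seg = segments[src], segments[dst]
        if src_seg == focus and dst_seg != focus:
            outgoing.add(dst_seg)
        elif dst_seg == focus and src_seg != focus:
            incoming.add(src_seg)
    directions: Dict[str, str] = {}
    for peer in outgoing | incoming:
        if peer in outgoing and peer in incoming:
            directions[peer] = "BIDIRECTIONAL"
        else:
            directions[peer] = "OUTGOING" if peer in outgoing else "INCOMING"
    return directions


def unprotected_flows(flows: List[FlowRecord], segments: Dict[str, str], rules: List[Rule]) -> List[FlowRecord]:
    """Verify an existing rule set: flows with no matching ALLOW rule are the gaps
    (or the traffic a planned rule set would start to block)."""
    allowed = {(r["src"], r["dst"], r["port"], r["protocol"])
               for r in rules if r["action"] == "ALLOW"}
    return [f for f in flows if (segments[f[0]], segments[f[1]], f[2], f[3]) not in allowed]


if __name__ == "__main__":
    for rule in recommend_rules(FLOWS, SEGMENTS):
        print(rule)
    print(peer_directions(FLOWS, SEGMENTS, "Prod-Midtier"))
    # Drop the low-volume 9090 rule and see which observed flow would be left uncovered.
    trimmed = [r for r in recommend_rules(FLOWS, SEGMENTS) if r["port"] != 9090]
    print(unprotected_flows(FLOWS, SEGMENTS, trimmed))
```

With Prod-Midtier in focus, Prod-Web is INCOMING, Shared Services is OUTGOING and Prod-DB is BIDIRECTIONAL because of the small 9090 flow back from the database tier; dropping that rule leaves exactly one observed flow unprotected.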


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows bespoke to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.


1. Under the Application Name type HOL-Pre-Prod.
2. Under Tier type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type).

2. Click search to continue.


The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also display the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables the point-in-time state of the Security Group to be shown, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This identifies the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the Source and Destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new TAB will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(the search bar uses Auto Fill and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the Date range from June 30 to Jul 31 (as the lab uses static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membershipduring the preset date range This is pivotal to the audit change tracking process tounderstand exactly why when and how Firewall rules changed

The changes can now easily be tracked audited and also exported following any of thelive links in blue
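The two searches in this section (the ALLOW/443 rule search and the membership-change audit over a date range), modelled in Python as an added example that is not part of the lab guide or of vRealize Network Insight. The rule names, group memberships and the year of the snapshots are constructed for the example; the "indirect" changes the guide mentions are the rules whose effect changes when a group they reference gains or loses a member.

```python
"""Added example (not from the HOL guide or vRealize Network Insight): the two
searches in this section, run over constructed data.

search_rules()        - "Firewall rule where action = ALLOW and Port = 443"
membership_changes()  - "Firewall Rule Membership Change" between two dates
rules_affected()      - which rules change effect when a group's members change
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class FirewallRule:
    rule_id: str
    action: str              # "ALLOW" or "DROP"
    ports: frozenset         # destination ports the rule matches
    sources: frozenset       # security-group names in the source field
    destinations: frozenset  # security-group names in the destination field


@dataclass(frozen=True)
class MembershipSnapshot:
    taken: date
    members: dict            # security-group name -> frozenset of VM names


# Constructed rule set (names and ports are made up for this example).
RULES = [
    FirewallRule("Rule-1", "ALLOW", frozenset({443}), frozenset({"Any"}), frozenset({"Prod-Web"})),
    FirewallRule("Rule-2", "ALLOW", frozenset({8080}), frozenset({"Prod-Web"}), frozenset({"Prod-App"})),
    FirewallRule("Rule-3", "ALLOW", frozenset({22, 443}), frozenset({"Jump-Box"}), frozenset({"Prod-Web", "Prod-App"})),
    FirewallRule("Rule-4", "DROP", frozenset({443}), frozenset({"Any"}), frozenset({"Prod-App"})),
]

# Constructed membership snapshots; the year is assumed, the lab only gives month and day.
SNAPSHOTS = [
    MembershipSnapshot(date(2017, 6, 25), {"Prod-Web": frozenset({"Prod-Web-1", "Prod-Web-2"}),
                                           "Prod-App": frozenset({"Prod-App-1"})}),
    MembershipSnapshot(date(2017, 7, 5), {"Prod-Web": frozenset({"Prod-Web-1", "Prod-Web-2", "Prod-Web-9"}),
                                          "Prod-App": frozenset({"Prod-App-1"})}),
    MembershipSnapshot(date(2017, 7, 20), {"Prod-Web": frozenset({"Prod-Web-1", "Prod-Web-9"}),
                                           "Prod-App": frozenset({"Prod-App-1", "Prod-Web-2"})}),
    MembershipSnapshot(date(2017, 8, 3), {"Prod-Web": frozenset({"Prod-Web-1"}),
                                          "Prod-App": frozenset({"Prod-App-1", "Prod-Web-2"})}),
]

# The date range used in the lab search (June 30 to Jul 31).
AUDIT_START = date(2017, 6, 30)
AUDIT_END = date(2017, 7, 31)


def search_rules(rules, action, port):
    """Rules whose action matches (case-insensitively) and that match the port."""
    wanted = action.upper()
    return [r for r in rules if r.action == wanted and port in r.ports]


def membership_changes(snapshots, start, end):
    """Diff consecutive snapshots and return (date, group, 'added'|'removed', vm)
    events, dated at the later snapshot and limited to start <= date <= end."""
    events = []
    ordered = sorted(snapshots, key=lambda s: s.taken)
    for before, after in zip(ordered, ordered[1:]):
        if not start <= after.taken <= end:
            continue
        for group in sorted(set(before.members) | set(after.members)):
            old = before.members.get(group, frozenset())
            new = after.members.get(group, frozenset())
            for vm in sorted(new - old):
                events.append((after.taken, group, "added", vm))
            for vm in sorted(old - new):
                events.append((after.taken, group, "removed", vm))
    return events


def rules_affected(rules, events):
    """Attach to each event the IDs of rules whose source or destination names
    the changed group: their effect changed without their text changing, which
    is the 'indirect' change the search above is meant to surface."""
    report = []
    for taken, group, change, vm in events:
        hit = tuple(r.rule_id for r in rules
                    if group in r.sources or group in r.destinations)
        report.append((taken, group, change, vm, hit))
    return report


if __name__ == "__main__":
    for r in search_rules(RULES, "ALLOW", 443):
        print("ALLOW 443:", r.rule_id)
    for row in rules_affected(RULES, membership_changes(SNAPSHOTS, AUDIT_START, AUDIT_END)):
        print(*row)
```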


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events, in order to edit or activate the Event parameters, by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings

2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change)

3. Info Only - Do not click - View, Edit, Activate any notifications

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change

• Ubiquity: Security must be available everywhere

• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface, which simplifies problem determination as well as the visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting

• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects

• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology

2. Click on Path

Path - Select source and destination

In the pop-up box

1. Click on the grey field below Source

2. Type dba into the source field, and DBAdmin-VM1 will appear

3. Click on DBAdmin-VM1 to select it


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field, and the list of available options will appear

2. Select Prod-Db-2

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field

2. Click Maximize

The view will change, and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is powerful enough that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A, without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B, without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two)


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two)

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will behave in real life.

Please continue to the next step to conclude this module


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved

2. The VM Underlay path topology is shown here

3. The components are labeled under Path Details


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine

2. This changes the focus to the corresponding Interface IP Address (VNIC)

3. Shows the visual map (Path Topology) of all the path objects

4. Path Details shows the labels and lists the components

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight)

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link

• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)

• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

• Module 3 - Advanced NSX Management & Operations (45 minutes)

• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager

• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers)

2. Click Search

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information


Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order)


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section

1. Click and select Warning/Moderate to view the problem areas

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller"


WarningModerate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view, vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link

• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)

• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

• Module 3 - Advanced NSX Management & Operations (45 minutes)

• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

AWS Configuration

Lets review the AWS VPC setup for the purpose of this lab

1 We have an on premise instance of vRealize Network Insight managing AWS2 There are two VPCs ie CRM and Common Services


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open for internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. On vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
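The same gap the three queries expose can be found programmatically by comparing the intended communication matrix from the AWS Configuration section against the security group rules. The following is an added example and not vRealize Network Insight or AWS code: group names, the protocol choice for DNS and syslog (udp) and the rule set itself are constructed, with AWS security groups modelled as stateful, so that a flow needs an egress rule on the source group and an ingress rule on the destination group.

```python
"""Intended-flow versus security-group-rule check for the lab's CRM layout.

Added example, not vRealize Network Insight or AWS code. The intended flows
follow the lab's AWS Configuration section; the rules are constructed here and
modelled the way AWS security groups behave (stateful: egress on the source
group AND ingress on the destination group). Group names and the udp choice
for DNS and syslog are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    group: str       # security group the rule is attached to
    direction: str   # "ingress" or "egress"
    protocol: str
    port: int
    peer: str        # peer security group, or "any"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    port: int


TIERS = ["crm-web", "crm-app", "crm-database"]

# Intended flows, taken from the lab's description of VPC CRM and Common Services.
INTENDED = [
    Flow("jump-box", "crm-web", "tcp", 80),
    Flow("crm-web", "crm-app", "tcp", 8080),
    Flow("crm-app", "crm-database", "tcp", 3306),
    *[Flow("jump-box", tier, "tcp", 22) for tier in TIERS],
    *[Flow(tier, "aws-dns-server", "udp", 53) for tier in TIERS],
    *[Flow(tier, "aws-log-server", "udp", 514) for tier in TIERS],
]

# Constructed rules. Every tier has egress for DNS and syslog, but the log
# server's syslog ingress was only written for the web and app tiers.
RULES = [
    Rule("jump-box", "egress", "tcp", 80, "crm-web"),
    Rule("crm-web", "ingress", "tcp", 80, "jump-box"),
    Rule("crm-web", "egress", "tcp", 8080, "crm-app"),
    Rule("crm-app", "ingress", "tcp", 8080, "crm-web"),
    Rule("crm-app", "egress", "tcp", 3306, "crm-database"),
    Rule("crm-database", "ingress", "tcp", 3306, "crm-app"),
    Rule("jump-box", "egress", "tcp", 22, "any"),
    *[Rule(tier, "ingress", "tcp", 22, "jump-box") for tier in TIERS],
    *[Rule(tier, "egress", "udp", 53, "aws-dns-server") for tier in TIERS],
    Rule("aws-dns-server", "ingress", "udp", 53, "any"),
    *[Rule(tier, "egress", "udp", 514, "aws-log-server") for tier in TIERS],
    Rule("aws-log-server", "ingress", "udp", 514, "crm-web"),
    Rule("aws-log-server", "ingress", "udp", 514, "crm-app"),
]


def _permits(rule, group, direction, peer, flow):
    """True when a rule on `group` in `direction` allows `flow` with `peer`."""
    return (rule.group == group and rule.direction == direction
            and rule.protocol == flow.protocol and rule.port == flow.port
            and rule.peer in ("any", peer))


def find_policy_gaps(intended, rules):
    """Return (flow, reason) for every intended flow not permitted end to end."""
    gaps = []
    for flow in intended:
        if not any(_permits(r, flow.src, "egress", flow.dst, flow) for r in rules):
            gaps.append((flow, f"no egress rule on {flow.src}"))
        elif not any(_permits(r, flow.dst, "ingress", flow.src, flow) for r in rules):
            gaps.append((flow, f"no ingress rule on {flow.dst}"))
    return gaps


def rules_between(src, dst, rules):
    """Rules relevant to one src/dst pair, the same view the lab's
    'aws firewall rule where src vm = ... and dst vm = ...' query gives."""
    return [r for r in rules
            if (r.group == src and r.direction == "egress" and r.peer in ("any", dst))
            or (r.group == dst and r.direction == "ingress" and r.peer in ("any", src))]


if __name__ == "__main__":
    for flow, reason in find_policy_gaps(INTENDED, RULES):
        print(f"{flow.src} -> {flow.dst} {flow.protocol}/{flow.port}: {reason}")
```

On the constructed rule set the only gap reported is crm-database to aws-log-server on 514, for the same reason the lab's second and third queries show: two outbound rules exist but no inbound rule on the log server.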


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226



Click once in active console window

In this example you will use the Online Keyboard to enter the @ sign used in email addresses. The @ sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.

Click on the @ key

1. Click on the @ key.

Notice the @ sign entered in the active console window.


vRealize Network Insight - Navigation

• 1 - HOME - Use this if you need to return to the original navigation and search screen
• 2 - Navigation Pane
• 3 - Search Bar, including time line
• 4 - Detail & Information Pane
• 5 - Alerts, Pinboards, Settings

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab


Look at the lower right portion of the screen

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than Ready, please wait a few minutes. If after 5 minutes your lab has not changed to Ready, please ask for assistance.

Module 1 - Micro-Segmentation and Security (30 minutes)

Introduction

When mid to large-sized enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on networks. The most challenging part is knowing what information is required to get started, how to locate the information and traffic flow, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. This process automatically generates a recommended model for security groups and specific firewalling rules for each group. This makes life much easier for Security Architects and Engineers.

vRealize Network Insight (vRNI) relies on the use of an IPFIX collector at the Virtual Distributed Switch layer to capture data flows. We enable IPFIX at the Virtual Distributed Switch layer for the ESXi hosts to forward IPFIX UDP packets to the vRealize Network Insight appliance. The data capture will enable real-time data flow for all port traffic and provide further filtering capabilities in order to explore East-West traffic.

We have two scenarios to help explain how vRealize Network Insight can be utilized to ensure we have full visibility and granular control to deploy firewall rules in order to complete micro-segmentation without guessing.

Scenario 1 (Brown Field deployment): Customer ABC bought ESXi and NSX and does not have a clear understanding of how to operationally deploy existing workloads with East-West firewall protection or how to segment the workload. The client will now use vRealize Network Insight to observe the real-time data flow between ports in order to build the East-West firewall rules. The vRealize Network Insight process will observe the traffic patterns based on the captured data flow; recommendations will then be made in order to secure workloads for East-West communication. Current firewall and micro-segmentation can also be verified.

Scenario 2 (Green Field): Customer ABC has a new deployment project for DevOps and wouldn't know what the immediate firewall rules or recommendations would be. Using vRealize Network Insight we could immediately start to monitor the real-time data flow as each deployment and development unfolds. Based on the DevOps information we can now apply the firewall rules at the Q&A stage and prep for testing to ensure that when we move workloads into Production we will have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or implement successful East-West firewall rules. The process of planning security only relies on IPFIX at the vDS layer in order to capture and observe data flow between ports.

This Module contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion


Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.


Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type plan security (the search bar uses auto fill and predictive text will appear as you type).

2. Select the Time icon.

Plan Security - Specify a Preset

1. Select Presets.
2. Select Last Week.
3. Click the search icon to continue.


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained in a numbered format below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West only traffic
• B - This indicates the percent of traffic that was switched
• C - The percentage of traffic that is routed between the East-West ports
• D - This indicates Virtual Machine to Virtual Machine traffic as a percentage of the sum in point number 1
• E - Traffic observed between virtual machines on the same host
• F - Traffic that requires internet access

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed in order to continue with the next step in this lab). It's important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuples, which means every time a new TCP connection is established and terminated, a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic, has a wide range and keeps on changing. As long as multiple sessions have the same source IP, same destination IP, same destination port and same protocol, they will be combined into one record called a flow.

So 1000s of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used.

Counter names:

allowed sessions: count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
bytes: total traffic volume exchanged on the flow (this is the sum of the two counters described below)
src bytes: total bytes sent by src_ip of the flow to dst_ip/port/protocol
dst bytes: total bytes received by src_ip of the flow from dst_ip/port/protocol
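The aggregation described above, as an added example that is not vRealize Network Insight code: constructed 5-tuple session records are collapsed into 4-tuple flows carrying the four counters just listed, and the flow table is then used for the per-destination distribution the text mentions. The IP addresses and byte counts are made up for illustration.

```python
"""Session-to-flow aggregation with the counters described in the text.

Added example, not vRealize Network Insight code. The session records are
constructed to mimic what an IPFIX collector would report for a few VMs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One 5-tuple session plus the byte counts seen in each direction."""
    src_ip: str
    dst_ip: str
    src_port: int      # ephemeral, differs per TCP connection
    dst_port: int
    protocol: str
    src_bytes: int     # bytes sent by src_ip to dst_ip
    dst_bytes: int     # bytes sent back by dst_ip (received by src_ip)


# Constructed sample: three SSH connections and two DNS lookups from one VM,
# plus one HTTPS connection in the opposite direction.
SESSIONS = [
    Session("10.0.1.5", "10.0.2.7", 51022, 22, "tcp", 1000, 4000),
    Session("10.0.1.5", "10.0.2.7", 51080, 22, "tcp", 1500, 6000),
    Session("10.0.1.5", "10.0.2.7", 51311, 22, "tcp", 500, 2000),
    Session("10.0.1.5", "10.0.3.9", 40001, 53, "udp", 60, 120),
    Session("10.0.1.5", "10.0.3.9", 40002, 53, "udp", 70, 130),
    Session("10.0.2.7", "10.0.1.5", 60100, 443, "tcp", 200, 800),
]


def flow_key(session):
    """The 4-tuple that identifies a flow: the source port is dropped."""
    return (session.src_ip, session.dst_ip, session.dst_port, session.protocol)


def aggregate_flows(sessions):
    """Collapse 5-tuple sessions into 4-tuple flows carrying the counters
    'allowed sessions', 'src bytes', 'dst bytes' and their sum 'bytes'."""
    flows = defaultdict(lambda: {"allowed sessions": 0, "src bytes": 0, "dst bytes": 0})
    for s in sessions:
        counters = flows[flow_key(s)]
        counters["allowed sessions"] += 1
        counters["src bytes"] += s.src_bytes
        counters["dst bytes"] += s.dst_bytes
    for counters in flows.values():
        counters["bytes"] = counters["src bytes"] + counters["dst bytes"]
    return dict(flows)


def outgoing_distribution_by_dst_ip(flows, src_ip):
    """Share of a VM's outgoing traffic volume per destination IP, the kind of
    higher-level analysis the text says can be built on the flow counters."""
    per_dst = defaultdict(int)
    for (src, dst, _port, _proto), counters in flows.items():
        if src == src_ip:
            per_dst[dst] += counters["bytes"]
    total = sum(per_dst.values())
    return {dst: volume / total for dst, volume in per_dst.items()} if total else {}


if __name__ == "__main__":
    table = aggregate_flows(SESSIONS)
    for key, counters in sorted(table.items()):
        print(key, counters)
    print(outgoing_distribution_by_dst_ip(table, "10.0.1.5"))
```

Six sessions collapse into three flows; the three SSH sessions become one flow with 3 allowed sessions, 3000 src bytes and 12000 dst bytes.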

1. Click on the East-West traffic block.

This will bring a new window into view with detailed analysis of the traffic.


East-West (EW) - Detailed view

These are only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the time line, see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports


Locating the Services screen for the next step.

Services/Ports - Time line view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and analyzes a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be shown by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

For traffic communicating over port 5443 during the last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on the 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have completed viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To track flows between Prod-Web and Prod-Midtier we will be switching from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down select the VLAN/VXLAN option (the view will automatically update).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOWED on port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application - click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM names: under Virtual Machines / IP Addresses type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto fill and predictive text will appear as you type).

2. Click Search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. Its purpose is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results show Prod_MidTier at the top of the screen, together with its Translated VM Count and any associated rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group page provides a detailed view of the selected Security Group and a comprehensive listing of its key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the view selects the point-in-time state of the Security Group, and filters can be used to focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the firewall topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right shows any/all child and parent groups in relation to the selected group, Prod_MidTier. This identifies the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier rule (this launches a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any segment attached to the group and provides all the current Security Group Firewall Topology information. Feel free to click through all the segments to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you can see the following security event information for Prod_MidTier:

A. Events: any changes to Prod_MidTier (direct or indirect) and the impact those changes have on this security group.

B. Current Security Group Configuration and Firewall Rules Count, which also help manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups, which ensures we manage workloads and segmentation with the correct level of efficiency.

D. Indirect Firewall Rules, which show the inherited impact and the relationships leading to this group: rules that apply to Prod_MidTier because it is nested inside another security group.

E. Direct Firewall Rules. NOTE: the blue links expose further detail for each firewall segment.
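The three things this view shows (the translated VM count, the group nesting, and the split between direct and indirect rules) all come from walking the container hierarchy. The following added example, not from the lab or from NSX, does that walk over a constructed set of nested groups and rules; the group names reuse the lab's labels but the membership, the child group Prod_MidTier_Cache, and the rule IDs are invented for illustration. Besides "direct" and "inherited" it also separates rules that reach the group through a child group, since those only cover part of the group's VMs.

```python
"""Added example (not from the lab or NSX): resolve nested security groups to
their effective ("translated") VM membership and classify the firewall rules
that touch a group as direct, inherited from a parent, or partial via a child.
All group, VM and rule names are constructed."""

# Constructed containers: group -> direct VM members and nested child groups.
GROUPS = {
    "Prod_All":           {"vms": set(), "children": {"Prod_Web", "Prod_MidTier", "Prod_Db"}},
    "Prod_Web":           {"vms": {"Prod-Web-1", "Prod-Web-2"}, "children": set()},
    "Prod_MidTier":       {"vms": {"Lab-Midtier-1", "Lab-Midtier-2"}, "children": {"Prod_MidTier_Cache"}},
    "Prod_MidTier_Cache": {"vms": {"Lab-Midtier-2", "Cache-1"}, "children": set()},
    "Prod_Db":            {"vms": {"Prod-Db-1"}, "children": set()},
}

# Constructed distributed-firewall rules referencing the groups above.
RULES = [
    {"id": 1001, "name": "Prod_Web to Prod_MidTier", "src": "Prod_Web", "dst": "Prod_MidTier", "service": "TCP/8443", "action": "ALLOW"},
    {"id": 1002, "name": "Prod_MidTier to Prod_Db", "src": "Prod_MidTier", "dst": "Prod_Db", "service": "TCP/3306", "action": "ALLOW"},
    {"id": 1003, "name": "Monitoring to Prod", "src": "Monitoring", "dst": "Prod_All", "service": "TCP/443", "action": "ALLOW"},
    {"id": 1004, "name": "Cache replication", "src": "Prod_MidTier_Cache", "dst": "Prod_MidTier_Cache", "service": "TCP/11211", "action": "ALLOW"},
    {"id": 1005, "name": "Default deny Prod", "src": "any", "dst": "Prod_All", "service": "any", "action": "DENY"},
]


def translated_vms(group, groups=GROUPS, _seen=None):
    """Effective VM membership: direct members plus every descendant group's
    members, de-duplicated.  `_seen` guards against a nesting loop."""
    _seen = set() if _seen is None else _seen
    if group in _seen or group not in groups:
        return set()
    _seen.add(group)
    vms = set(groups[group]["vms"])
    for child in groups[group]["children"]:
        vms |= translated_vms(child, groups, _seen)
    return vms


def ancestors(group, groups=GROUPS):
    """All groups that contain `group` directly or through further nesting."""
    found, frontier = set(), {group}
    while frontier:
        parents = {g for g, spec in groups.items() if spec["children"] & frontier}
        frontier = parents - found
        found |= parents
    return found


def descendants(group, groups=GROUPS):
    """All groups nested (at any depth) inside `group`."""
    found, frontier = set(), set(groups.get(group, {"children": set()})["children"])
    while frontier:
        found |= frontier
        frontier = {c for g in frontier for c in groups.get(g, {"children": set()})["children"]} - found
    return found


def classify_rules(group, rules=RULES, groups=GROUPS):
    """Split rules by how they reach `group`:
    direct    - the rule names the group itself;
    inherited - the rule names an ancestor, so it applies to all of the group;
    partial   - the rule names a descendant, so it applies to a subset of the group."""
    up, down = ancestors(group, groups), descendants(group, groups)
    out = {"direct": [], "inherited": [], "partial": []}
    for rule in rules:
        ends = {rule["src"], rule["dst"]}
        if group in ends:
            out["direct"].append(rule["id"])
        elif ends & up:
            out["inherited"].append(rule["id"])
        elif ends & down:
            out["partial"].append(rule["id"])
    return out


def rules_for_vm(vm, rules=RULES, groups=GROUPS):
    """Every rule whose source or destination group (transitively) contains the VM."""
    containing = {g for g in groups if vm in translated_vms(g, groups)}
    return sorted(r["id"] for r in rules if {r["src"], r["dst"]} & containing)


if __name__ == "__main__":
    for g in GROUPS:
        print(f"{g:<20} translated VM count = {len(translated_vms(g))}")
    print("Prod_MidTier:", classify_rules("Prod_MidTier"))
    print("Lab-Midtier-2:", rules_for_vm("Lab-Midtier-2"))
```

Note that Lab-Midtier-2 is counted once for Prod_MidTier even though it is a member both directly and through the child group; a translated count that double-counts nested members is a common sign of a broken resolver.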


This module explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we now understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus and generate the path.

Do not click on any of the bubbles; they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS Switch
• D - VXLAN: Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how to track any firewall rule in your environment. This is only one example of how security-related objects can be searched for in one simple statement, and the results exported.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(the search bar auto-fills, and predictive text appears as you type). As you type, notice all the different permutations of queries that can be assembled.

2. Click Search to continue.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight they offer.

1. Do not click: the result is grouped for convenience and allows the user to query each rule individually. Each entry is a live link that exposes further information.

2. Do not click: the entire report can be exported using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will run a time-based search to see what firewall membership changes occurred during a selected period. This highlights any changes made directly or indirectly as a result of membership changes, which is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range June 30 to Jul 31 (the lab uses static data, so this range ensures you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the selected date range. This is pivotal to the change-audit process: understanding exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and exported by following any of the live links in blue.
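The two searches above (an attribute query over firewall rules, exported as CSV, and a date-window query over membership changes) are simple to reproduce offline, which is useful when you want the same report from a rule export rather than from the UI. The following is an added example, not part of the lab, and it does not reproduce vRealize Network Insight's search language: the rule table, the change events and their 2017 timestamps are constructed for illustration. One caveat it builds in: a rule whose port is "any" also matches a query for port 443, and a report that omits such rules understates exposure.

```python
"""Added example (not from the lab; vRealize Network Insight's search language is
not reproduced): filter a constructed firewall-rule table the way the lab query
"Firewall rule where action = ALLOW and Port = 443" does, export the result as
CSV, and list constructed membership-change events inside a date window."""
import csv
import io
from datetime import datetime

# Constructed rule table.  ports is a set of TCP/UDP ports, or "any".
RULES = [
    {"id": 1001, "name": "Web ingress",   "src": "any",      "dst": "Prod_Web",     "ports": {80, 443}, "action": "ALLOW"},
    {"id": 1002, "name": "App tier",      "src": "Prod_Web", "dst": "Prod_MidTier", "ports": {8443},    "action": "ALLOW"},
    {"id": 1003, "name": "Block old TLS", "src": "Legacy",   "dst": "Prod_Web",     "ports": {443},     "action": "DENY"},
    {"id": 1004, "name": "Admin any",     "src": "Admins",   "dst": "Prod_All",     "ports": "any",     "action": "ALLOW"},
    {"id": 1005, "name": "Default deny",  "src": "any",      "dst": "any",          "ports": "any",     "action": "DENY"},
]

# Constructed membership-change events: (timestamp, group, vm, change).
CHANGES = [
    ("2017-06-29T23:10:00", "Prod_Web",     "Prod-Web-3",    "added"),
    ("2017-07-02T09:30:00", "Prod_MidTier", "Lab-Midtier-3", "added"),
    ("2017-07-14T17:05:00", "Prod_Web",     "Prod-Web-1",    "removed"),
    ("2017-07-31T23:59:00", "Prod_Db",      "Prod-Db-2",     "added"),
    ("2017-08-01T00:00:00", "Admins",       "Admin-VM9",     "added"),
]


def search_rules(rules=RULES, action=None, port=None):
    """Rules matching every given criterion.  A port criterion also matches
    rules whose port is "any": those permit (or block) 443 just as much as a
    rule that names the port, so leaving them out would understate exposure."""
    hits = []
    for rule in rules:
        if action is not None and rule["action"].upper() != action.upper():
            continue
        if port is not None and rule["ports"] != "any" and port not in rule["ports"]:
            continue
        hits.append(rule)
    return hits


def to_csv(rules):
    """Render the rule set as CSV text (the equivalent of the lab's Save as CSV)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "name", "src", "dst", "ports", "action"])
    for r in rules:
        ports = "any" if r["ports"] == "any" else ",".join(str(p) for p in sorted(r["ports"]))
        writer.writerow([r["id"], r["name"], r["src"], r["dst"], ports, r["action"]])
    return buf.getvalue()


def changes_between(start, end, changes=CHANGES):
    """Membership changes with start <= timestamp <= end (ISO 8601 strings), oldest
    first.  The window is inclusive on both ends so a change late on the last
    day is not dropped."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = [c for c in changes if lo <= datetime.fromisoformat(c[0]) <= hi]
    return sorted(hits)


if __name__ == "__main__":
    allow_443 = search_rules(action="ALLOW", port=443)
    print(to_csv(allow_443))
    for ts, group, vm, change in changes_between("2017-06-30T00:00:00", "2017-07-31T23:59:59"):
        print(ts, group, vm, change)
```

When auditing, run the DENY query for the same port as well: rule 1003 blocks 443 from one source group before rule 1001 would allow it, and only the pair of results tells you that.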


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available from any view that displays the alert icon. Although the alert can be configured in this lab, the results will not be actioned, as the lab uses static data only. This section shows how easy it is to report on any firewall rule membership change. The alerting options are: immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. The notification and its parameters can be adjusted as required. Populate them with your own preferences, as we need this information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters from the Settings page. Changes can be configured to notify members of the event group based on user preference. The event you created earlier can now be tracked using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is listed in this section, as it was based on the original Firewall Rule Membership Change search and alert notification).
3. Info only, do not click: View / Edit / Activate any notifications.

Note that there are 2 types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed a standard system event notification.

Each notification can be used to alert administrators or the users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum steps required to facilitate micro-segmentation. The module further demonstrated how to achieve day-zero readiness and how to track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For More Information

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination and gives visibility into the firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module uses the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we focus only on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box appears automatically.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network: the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.
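The hop list in Path Details is the result of a routing lookup repeated at every device: each hop does a longest-prefix match on the destination address and hands the packet to its next hop until a device reports the destination prefix as directly connected. The following added example, not from the lab or vRealize Network Insight, performs that walk over constructed routing tables. The device names echo the kinds of hop the lab shows (a Nexus VRF, a Palo Alto, an Arista spine, two NSX Edges and a distributed router), but every prefix, next hop and address is invented; in particular the distributed router is given a different default-route edge than the spine uses, so that the reverse trace comes back a different way, which is the behaviour the lab points out later when the analysis is reversed.

```python
"""Added example (not from the lab or vRealize Network Insight): trace the
layer-3 path between two VMs by longest-prefix-match lookups over constructed
routing tables, hop by hop, and show that the reverse path can differ."""
import ipaddress

# Constructed endpoints: VM -> (IP, first-hop device).
VMS = {
    "DBAdmin-VM1": ("10.10.29.5", "N7K-VRF-Corp"),
    "Prod-Db-2":   ("172.16.30.20", "LDR-Corporate"),
}

# Constructed routing tables: device -> [(prefix, next hop)].  "connected"
# means the prefix is directly attached and the trace stops there.
ROUTES = {
    "N7K-VRF-Corp":    [("10.10.29.0/24", "connected"), ("0.0.0.0/0", "PAN-Core")],
    "PAN-Core":        [("10.0.0.0/8", "N7K-VRF-Corp"), ("172.16.0.0/16", "Arista-Spine"), ("0.0.0.0/0", "Internet")],
    "Arista-Spine":    [("10.0.0.0/8", "PAN-Core"), ("172.16.0.0/16", "Provider-Edge-3")],
    "Provider-Edge-3": [("172.16.0.0/16", "LDR-Corporate"), ("0.0.0.0/0", "Arista-Spine")],
    "Provider-Edge-2": [("172.16.0.0/16", "LDR-Corporate"), ("0.0.0.0/0", "Arista-Spine")],
    # The distributed router prefers a different edge for its default route.
    "LDR-Corporate":   [("172.16.30.0/24", "connected"), ("0.0.0.0/0", "Provider-Edge-2")],
}


def lookup(device, dst_ip, routes=ROUTES):
    """Longest-prefix match: the most specific prefix containing dst_ip wins."""
    dst_ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in routes.get(device, []):
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def trace(src_vm, dst_vm, vms=VMS, routes=ROUTES, max_hops=32):
    """Walk from the source VM's first hop toward the destination VM's IP.
    Returns the list of devices; the list ends with '!loop' or '!no-route'
    if the walk does not reach a connected prefix."""
    dst_ip = vms[dst_vm][0]
    device = vms[src_vm][1]
    path, seen = [], set()
    while len(path) < max_hops:
        if device in seen:
            return path + ["!loop"]
        seen.add(device)
        path.append(device)
        next_hop = lookup(device, dst_ip, routes)
        if next_hop == "connected":
            return path
        if next_hop is None or next_hop not in routes:
            return path + ["!no-route"]
        device = next_hop
    return path + ["!loop"]


if __name__ == "__main__":
    print("forward:", " -> ".join(trace("DBAdmin-VM1", "Prod-Db-2")))
    print("reverse:", " -> ".join(trace("Prod-Db-2", "DBAdmin-VM1")))
```

Asymmetric paths like the one this produces matter for security: a stateful firewall that sits on only one of the two directions sees half of each connection, which is why the path view should be read in both directions before a rule is judged to be effective.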


Component Overview

On the VM topology map:

1. Click on the top-left icon marked with a red square: the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details. This information includes many details made available by VMware Tools; we can, for example, see network information and the physical host.

A - Please spend some time getting an overview of the information available in this view.

B - Note that the Firewall Status indicates Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available for the host. Please do not click on any of the links.

B - Notice that we receive information from both the chassis and the blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at Layer 3 and the connectivity to those Layer 3 devices. Later in this module we will see some of the Layer 2 devices.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We gather all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we see the routing table as well as the firewall rules. The firewall rules shown are the ones applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.
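Reducing thousands of rules to "the rules between these two objects" is a prefix-containment filter on the source and destination pair; whether a given connection is then allowed is a separate, first-match evaluation over that subset. The following added example, not from the lab, from NSX or from Palo Alto, shows both steps over a constructed rule base. The addresses reuse the constructed 10.10.29.0/24 and 172.16.30.0/24 networks from the path example above, and the rule IDs, ports and actions are invented for illustration.

```python
"""Added example (not from the lab, NSX or Palo Alto): given the two endpoints
of a traced path, pick out the firewall rules that can apply to that pair from
a constructed rule base, and evaluate the first-match verdict for a given
protocol and port."""
import ipaddress

# Constructed rule base in policy order.  ports: set of ports, or "any".
RULES = [
    {"id": 10, "src": "10.10.29.0/24", "dst": "172.16.30.0/24", "proto": "tcp", "ports": {1433, 3306}, "action": "allow"},
    {"id": 20, "src": "0.0.0.0/0",     "dst": "172.16.30.0/24", "proto": "tcp", "ports": {22},         "action": "deny"},
    {"id": 30, "src": "10.20.0.0/16",  "dst": "0.0.0.0/0",      "proto": "any", "ports": "any",        "action": "allow"},
    {"id": 40, "src": "0.0.0.0/0",     "dst": "0.0.0.0/0",      "proto": "any", "ports": "any",        "action": "deny"},
]


def applicable_rules(src_ip, dst_ip, rules=RULES):
    """Rules whose source and destination prefixes both contain the pair,
    regardless of protocol or port: the 'rules between the two objects' view."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [r for r in rules
            if s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"])]


def verdict(src_ip, dst_ip, proto, port, rules=RULES):
    """First-match evaluation over the applicable rules; returns (action, rule id).
    A rule base without a final catch-all yields ('no-match', None), which a
    caller must treat explicitly rather than assume is an allow."""
    for r in applicable_rules(src_ip, dst_ip, rules):
        if r["proto"] != "any" and r["proto"] != proto:
            continue
        if r["ports"] != "any" and port not in r["ports"]:
            continue
        return r["action"], r["id"]
    return "no-match", None


if __name__ == "__main__":
    src, dst = "10.10.29.5", "172.16.30.20"
    print("applicable:", [r["id"] for r in applicable_rules(src, dst)])
    for proto, port in [("tcp", 3306), ("tcp", 22), ("tcp", 443)]:
        print(proto, port, verdict(src, dst, proto, port))
```

The order of the list matters: rule 20 denies SSH to the database subnet from anywhere, but only because it precedes the broad allow in rule 30; moving it below would silently open SSH from the 10.20.0.0/16 source.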

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. Information on routing, gateways, interfaces, etc. is available. These details show that devices from a multitude of vendors can be monitored, for example while migrating from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kinds of object we looked at previously in this module. We will not look at their details in this scenario, as they are similar to the ones already discussed.

A - Hover/move the mouse over the icons marked with red arrow A, without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B, without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - The component after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the underlay VLAN IDs, the subnet and the underlay subnet.

C - We also have visibility into the primary controller it is using, the hosts and the VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.
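The Segment ID, underlay subnet and VTEP list shown in this pop-up are the fields that tie an overlay flow to what a packet capture on the underlay actually carries: the VXLAN header's 24-bit VNI and the outer IP header's VTEP addresses. The following added example, not from the lab or from NSX, builds a VXLAN-encapsulated frame per RFC 7348 and parses it back, rejecting frames that are not VXLAN. All MAC and IP addresses are constructed; the VNI 5001 is chosen only because NSX segment IDs commonly start in the 5000 range.

```python
"""Added example (not from the lab or NSX): build and parse a VXLAN-encapsulated
frame (RFC 7348) to recover the overlay segment ID (VNI) and the underlay VTEP
addresses, which is how an overlay flow is matched against an underlay capture.
All addresses and MACs are constructed."""
import ipaddress
import struct

VXLAN_PORT = 4789
VXLAN_I_FLAG = 0x08  # "valid VNI" flag bit in the VXLAN header


def build_vxlan_frame(vtep_src, vtep_dst, vni, inner_frame):
    """Outer Ethernet + IPv4 + UDP + VXLAN header around an inner L2 frame.
    Checksums are left zero (the UDP checksum is optional for VXLAN over IPv4)."""
    outer_eth = bytes.fromhex("0050569a0001") + bytes.fromhex("0050569a0002") + b"\x08\x00"
    udp_len = 8 + 8 + len(inner_frame)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                         ipaddress.IPv4Address(vtep_src).packed,
                         ipaddress.IPv4Address(vtep_dst).packed)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)
    vxlan_hdr = struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8)  # VNI occupies the top 24 bits
    return outer_eth + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def parse_vxlan_frame(frame):
    """Return the overlay/underlay facts of a VXLAN frame, or raise ValueError."""
    if len(frame) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("frame too short for VXLAN")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("outer packet is not UDP")
    udp = 14 + ihl
    dst_port = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dst_port != VXLAN_PORT:
        raise ValueError(f"UDP port {dst_port} is not VXLAN")
    vx = udp + 8
    flags, vni_field = struct.unpack("!B3xI", frame[vx:vx + 8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    inner = frame[vx + 8:]
    return {
        "vtep_src": str(ipaddress.IPv4Address(frame[14 + 12:14 + 16])),
        "vtep_dst": str(ipaddress.IPv4Address(frame[14 + 16:14 + 20])),
        "vni": vni_field >> 8,
        "inner_dst_mac": inner[0:6].hex(":"),
        "inner_src_mac": inner[6:12].hex(":"),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
    }


def is_vxlan(frame):
    """True if parse_vxlan_frame accepts the frame."""
    try:
        parse_vxlan_frame(frame)
        return True
    except ValueError:
        return False


# Constructed inner frame: dst MAC, src MAC, IPv4 ethertype, minimal payload.
INNER = bytes.fromhex("005056aa1001") + bytes.fromhex("005056aa1002") + b"\x08\x00" + b"\x45" + b"\x00" * 19
FRAME = build_vxlan_frame("192.168.130.11", "192.168.130.42", 5001, INNER)

if __name__ == "__main__":
    for key, value in parse_vxlan_frame(FRAME).items():
        print(f"{key:>16}: {value}")
```

A practical consequence: an underlay ACL or capture filter that only looks at the outer header sees VTEP-to-VTEP UDP/4789 and nothing about the tenant traffic; the VNI and the inner addresses must be decoded to attribute the flow to a segment and a VM.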

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel network.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - Notice the distributed router name. We use this device to reach our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network on the physical host is the firewall. Notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Notice again that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The NSX redirect feature steers selected traffic from the NSX distributed firewall to the PAN firewall for inspection, so the path between the two VMs is subject to both firewalls' rules.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge/VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (Path Topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight can trace the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components involved in a network communication.

All the components on the map are based on a snapshot of real-life data. Feel free to click on other icons shown on the map in this module to look at other components before continuing to the next module.

For More Information

For additional information about the functionality showcased in this module (vRealize Network Insight), visit www.vmware.com.

This concludes this module. Please continue to the next module.

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only; do not click.

• A - Starting with the Timeline, we can manipulate the results simply by dragging the slider; by default, the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX controllers, the Topology gives an important visual understanding. Each object can be queried individually within the same screen.

• E - NSX Problems is key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, which can be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via a jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open to the internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3. App (App tier talks to DB tier on port 3306)
4. DB (DB tier talks to Log Servers) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS Admin forgot to add a rule to allow traffic from (Database) crm-database to (syslog server) aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
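The reasoning the lab walks through above (intended CRM tier design, the flows vRNI observed, and the firewall rules that explain the missing DB-to-syslog flow) can be reproduced offline. The following is an added example, not the lab's or VMware's code: the VM names, tiers, flows and allow-only security-group rules are constructed from the lab's description, and the rule model is a simplification of AWS security groups.

```python
"""Reconcile the CRM design, vRNI-style observed flows and security-group rules
to locate the gap the lab finds (crm-database -> aws-log-server on port 514).

Added example, not part of the HOL-1829-01-NET lab. All VM names, tiers, rules
and flows are constructed from the lab's prose description of the environment.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src_vm dst_vm proto dst_port")
# Simplified AWS-style rule: allow-only, so "deny" is just the absence of a match.
Rule = namedtuple("Rule", "direction vm peer proto port")  # direction: inbound/outbound

# VM -> tier, mirroring the CRM VPC (web/app/db) and Common Services VPC (dns/syslog).
TIER_OF = {
    "dc-jump-box": "jump-box",
    "crm-web1": "web", "crm-web2": "web",
    "crm-app1": "app", "crm-app2": "app",
    "crm-database": "db",
    "aws-dns-server": "dns",
    "aws-log-server": "syslog",
}

# Intended tier-to-tier communication, taken from the lab's "AWS Configuration" list.
EXPECTED = {
    ("jump-box", "web", "tcp", 80), ("jump-box", "web", "tcp", 22),
    ("jump-box", "app", "tcp", 22), ("jump-box", "db", "tcp", 22),
    ("web", "app", "tcp", 8080), ("app", "db", "tcp", 3306),
    ("web", "dns", "udp", 53), ("app", "dns", "udp", 53), ("db", "dns", "udp", 53),
    ("web", "syslog", "udp", 514), ("app", "syslog", "udp", 514), ("db", "syslog", "udp", 514),
}

# Constructed flows as vRNI might list them. Note: no crm-database -> aws-log-server:514.
OBSERVED = [
    Flow("dc-jump-box", "crm-web1", "tcp", 80), Flow("dc-jump-box", "crm-web1", "tcp", 22),
    Flow("dc-jump-box", "crm-app1", "tcp", 22), Flow("dc-jump-box", "crm-database", "tcp", 22),
    Flow("crm-web1", "crm-app1", "tcp", 8080), Flow("crm-web2", "crm-app2", "tcp", 8080),
    Flow("crm-app1", "crm-database", "tcp", 3306),
    Flow("crm-web1", "aws-dns-server", "udp", 53), Flow("crm-app1", "aws-dns-server", "udp", 53),
    Flow("crm-database", "aws-dns-server", "udp", 53),
    Flow("crm-web1", "aws-log-server", "udp", 514), Flow("crm-app1", "aws-log-server", "udp", 514),
    Flow("crm-web1", "crm-database", "tcp", 3306),  # not in the design: worth a closer look
]

# Constructed security-group rules: the log server accepts syslog from every tier, but
# the administrator never added the outbound rule for crm-database.
RULES = [Rule("inbound", "aws-log-server", vm, "udp", 514)
         for vm in ("crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database")]
RULES += [Rule("outbound", vm, "aws-log-server", "udp", 514)
          for vm in ("crm-web1", "crm-web2", "crm-app1", "crm-app2")]


def tier_flows(flows):
    """Collapse VM-level flows into tier-level (src, dst, proto, port) tuples."""
    return {(TIER_OF[f.src_vm], TIER_OF[f.dst_vm], f.proto, f.dst_port) for f in flows}


def missing_expected(flows, expected=EXPECTED):
    """Designed communications for which no flow was observed at all."""
    return sorted(expected - tier_flows(flows))


def unexpected_observed(flows, expected=EXPECTED):
    """Observed communications the design does not call for (candidates to block)."""
    return sorted(tier_flows(flows) - expected)


def _matches(rule, direction, vm, peer, flow):
    return (rule.direction == direction and rule.vm == vm and rule.peer == peer
            and rule.proto == flow.proto and rule.port == flow.dst_port)


def firewall_action(flow, rules=RULES):
    """ALLOW only if the source's outbound rules AND the destination's inbound rules permit."""
    out_ok = any(_matches(r, "outbound", flow.src_vm, flow.dst_vm, flow) for r in rules)
    in_ok = any(_matches(r, "inbound", flow.dst_vm, flow.src_vm, flow) for r in rules)
    return "ALLOW" if out_ok and in_ok else "DENY"


def actions_for_destination(dst_vm, candidates, rules=RULES):
    """Rough equivalent of the lab's query 'firewall action of flows where dst vm = <dst_vm>'."""
    return {f.src_vm: firewall_action(f, rules) for f in candidates if f.dst_vm == dst_vm}


if __name__ == "__main__":
    print("missing   :", missing_expected(OBSERVED))     # [('db', 'syslog', 'udp', 514)]
    print("unexpected:", unexpected_observed(OBSERVED))  # [('web', 'db', 'tcp', 3306)]
    syslog_flows = [Flow(vm, "aws-log-server", "udp", 514) for vm in
                    ("crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database")]
    print("log server:", actions_for_destination("aws-log-server", syslog_flows))
```

The three checks map onto the lab's three views: the design-versus-flows diff reproduces the empty DB-to-syslog line, and the per-destination action list reproduces the 4 Allow / 1 Deny result of the first firewall query.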

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

vRealize Network Insight - Navigation

• 1 - HOME - Use this if you need to return to the original navigation and search screen.
• 2 - Navigation Pane
• 3 - Search Bar, including time line
• 4 - Detail & Information Pane
• 5 - Alerts, Pinboards, Settings

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.

Look at the lower right portion of the screen

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than Ready, please wait a few minutes. If after 5 minutes your lab has not changed to Ready, please ask for assistance.

Module 1 - Micro-Segmentation and Security (30 minutes)

Introduction

When mid to large-sized enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on networks. The most challenging part is knowing what information is required to get started, how to locate the information and traffic flow, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. This process automatically generates a recommended model for security groups and specific firewalling rules for each group. This makes life much easier for Security Architects and Engineers.

vRealize Network Insight (vRNI) relies on the use of an IPFIX collector at the Virtual Distributed Switch layer to capture data flows. We enable IPFIX at the Virtual Distributed Switch layer for the ESXi hosts to forward IPFIX UDP packets to the vRealize Network Insight appliance. The data capture will enable real-time data flow for all port traffic and provide further filtering capabilities in order to explore East-West traffic.

We have two scenarios to help explain how vRealize Network Insight can be utilized to ensure we have full visibility and granular control to deploy firewall rules in order to complete micro-segmentation without guessing.

Scenario 1 (Brown Field deployment): Customer ABC bought ESXi and NSX and does not have a clear understanding of how to operationally deploy existing workloads with East-West firewall protection or how to segment the workload. The client will now use vRealize Network Insight to observe the real-time data flow between ports in order to build the East-West firewall rules. The vRealize Network Insight process will observe the traffic patterns based on the captured data flow; recommendations will then be made in order to secure workloads for East-West communication. Current firewall and micro-segmentation can also be verified.

Scenario 2 (Green Field): Customer ABC has a new deployment project for DevOps and wouldn't know what the immediate firewall rules or recommendations would be. Using vRealize Network Insight we could immediately start to monitor the real-time data flow as each deployment and development unfolds. Based on the DevOps information we can now apply the firewall rules at the Q&A stage and prep for testing, to ensure that when we move workloads into Production we will have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or implement successful East-West firewall rules. The process of planning security only relies on IPFIX at the vDS layer in order to capture and observe data flow between ports.

This Module contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion

Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type plan security (the search bar uses auto-fill, and predictive text will appear as you type).

2. Select the Time icon.

Plan Security - Specify a Preset

1. Select Presets
2. Select Last Week
3. Click the search icon to continue.

Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to help understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.

Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained in a lettered format below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West only traffic.
• B - This indicates the percent of traffic that was switched.
• C - The percentage of traffic that is routed between the East-West ports.
• D - This indicates Virtual Machine to Virtual Machine traffic as a percentage of the sum in point A.
• E - Traffic observed between virtual machines on the same host.
• F - Traffic that requires internet access.

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It's important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuples, which means that every time a new TCP connection is established and terminated a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic (a wide range that keeps on changing). As long as multiple sessions have the same source IP, same destination IP, same destination port and same protocol, they will be combined into one record called a flow.

So 1000s of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flow by destination IP), the following metric counters can be used:

Counter names:

• allowed sessions: count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes: total traffic volume exchanged on the flow (this is the sum of the two counters described below)
• src bytes: total bytes sent by src_ip of the flow to dst_ip/port/protocol
• dst bytes: total bytes received by src_ip of the flow from dst_ip/port/protocol
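The session-to-flow aggregation and the four counters described above, as an added example (not the lab's or vRNI's code): the session records are constructed to look like what an IPFIX collector would report, and the flow key drops the source port exactly as the text describes.

```python
"""Aggregate 5-tuple sessions into 4-tuple flows with the counters the lab names
(allowed sessions, bytes, src bytes, dst bytes).

Added example, not part of the HOL-1829-01-NET lab; the session records below are
constructed to look like what an IPFIX collector would report.
"""
from collections import defaultdict

# One session = 5-tuple (src_ip, src_port, dst_ip, dst_port, proto) plus bytes in each direction.
# Constructed: short-lived TCP connections web -> DB on 5443, DNS lookups, and one ssh session.
SESSIONS = [
    ("10.17.80.11", 49152, "10.17.81.21", 5443, "TCP", 1200, 8800),
    ("10.17.80.11", 49153, "10.17.81.21", 5443, "TCP", 900, 6400),
    ("10.17.80.11", 49180, "10.17.81.21", 5443, "TCP", 1500, 12000),
    ("10.17.80.11", 53011, "10.17.90.5", 53, "UDP", 70, 180),
    ("10.17.80.11", 53012, "10.17.90.5", 53, "UDP", 70, 210),
    ("10.17.80.12", 50001, "10.17.81.21", 5443, "TCP", 300, 2200),
    ("10.17.99.2", 40022, "10.17.80.11", 22, "TCP", 5000, 9000),
]


def aggregate_flows(sessions):
    """Drop the source port and sum the per-session counters into one record per 4-tuple."""
    flows = defaultdict(lambda: {"allowed sessions": 0, "src bytes": 0, "dst bytes": 0})
    for src_ip, _src_port, dst_ip, dst_port, proto, bytes_out, bytes_in in sessions:
        rec = flows[(src_ip, dst_ip, dst_port, proto)]   # the flow key: source port is ignored
        rec["allowed sessions"] += 1        # one 5-tuple session counted into the flow
        rec["src bytes"] += bytes_out       # bytes sent by src_ip to dst_ip/port/protocol
        rec["dst bytes"] += bytes_in        # bytes received by src_ip from dst_ip/port/protocol
    for rec in flows.values():
        rec["bytes"] = rec["src bytes"] + rec["dst bytes"]   # "bytes" is the sum of the two
    return dict(flows)


def flows_on_port(flows, dst_port):
    """The lab's 'Flows for Port 5443' view: every flow whose destination port matches."""
    return {key: rec for key, rec in flows.items() if key[2] == dst_port}


def outgoing_by_destination(flows, src_ip):
    """Distribution of one machine's outgoing flow volume by destination IP."""
    by_dst = defaultdict(int)
    for (src, dst, _port, _proto), rec in flows.items():
        if src == src_ip:
            by_dst[dst] += rec["bytes"]
    return dict(by_dst)


if __name__ == "__main__":
    flows = aggregate_flows(SESSIONS)
    print(f"{len(SESSIONS)} sessions collapsed into {len(flows)} flows")   # 7 sessions -> 4 flows
    for key, rec in flows_on_port(flows, 5443).items():
        print(key, rec)
    print(outgoing_by_destination(flows, "10.17.80.11"))
```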

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.

East-West (EW) - Detailed view

This is only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the time line, see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports

Locating the Services screen for the next step.

Services/Ports - Time line view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and analyzes a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.

Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be delivered by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.

Flows for Port 5443

Communicating over port 5443 for the last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view

Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows).

Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous date range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.

Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, internet and other subnets. The parentheses after the network will indicate the number of virtual machines. The coloured lines will indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.

Focus - VLAN/VXLAN

Changing the view to track flows between Prod-Web and Prod-Midtier, we will be switching from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).

Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier

(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is (ALLOWED) on Port 8080 between SG Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.

Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
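As an added illustration (example code written for this guide, not vRealize Network Insight's own code or algorithm), the following Python rolls observed flow records up into the kind of per-group ALLOW rule summary and per-port byte totals that the Recommended Firewall Rules view and the port grid above present. The group subnets, addresses, reference time and flow records are all constructed sample data.

```python
"""Added example (not vRealize Network Insight code): aggregate observed
east-west flows into per-group ALLOW services, report endpoints outside
the defined groups as external services, and total bytes per port.
All groups, addresses and flows below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    nbytes: int     # bytes carried by the flow
    seen: datetime  # when the flow was last observed


# Hypothetical security groups keyed by subnet (the lab derives groups from
# VLAN/VXLAN or subnet membership; plain subnets are used here for simplicity).
GROUPS = {
    "SG-Prod-Web": ip_network("10.10.1.0/24"),
    "SG-Prod-Midtier": ip_network("10.10.2.0/24"),
    "SG-Prod-DB": ip_network("10.10.3.0/24"),
}
EXTERNAL = "EXTERNAL"


def group_of(ip: str) -> str:
    """Map an address to its security group; anything unmatched is external."""
    addr = ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return EXTERNAL


def recommend_rules(flows, now, window=timedelta(hours=24)):
    """Aggregate flows seen within `window` into (src_group, dst_group) -> services.

    Returns (rules, external): `rules` lists the proto/port services each group
    pair needs allowed; `external` collects (endpoint ip, service) pairs for
    traffic crossing the boundary of the defined groups, which is reported
    separately instead of being turned into an intra-group rule.
    """
    since = now - window
    rules = defaultdict(set)
    external = set()
    for f in flows:
        if f.seen < since:
            continue  # outside the observation window, ignore
        src, dst = group_of(f.src_ip), group_of(f.dst_ip)
        service = f"{f.proto}/{f.dst_port}"
        if EXTERNAL in (src, dst):
            endpoint = f.src_ip if src == EXTERNAL else f.dst_ip
            external.add((endpoint, service))
            continue
        rules[(src, dst)].add(service)
    return {pair: sorted(svcs) for pair, svcs in rules.items()}, external


def render_rules(rules):
    """One human-readable ALLOW line per group pair, in deterministic order."""
    return [
        f"ALLOW {src} -> {dst} services={','.join(services)}"
        for (src, dst), services in sorted(rules.items())
    ]


def bytes_by_port(flows, now, window=timedelta(hours=24)):
    """Total bytes per destination port within the window (the port-grid figure)."""
    since = now - window
    totals = defaultdict(int)
    for f in flows:
        if f.seen >= since:
            totals[f.dst_port] += f.nbytes
    return dict(totals)


# Constructed sample flows; NOW is a fixed reference time so results are stable.
NOW = datetime(2017, 7, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.7", 8080, "tcp", 1_000_000, NOW - timedelta(hours=2)),
    Flow("10.10.1.6", "10.10.2.7", 8080, "tcp", 2_000_000, NOW - timedelta(hours=5)),
    Flow("10.10.2.7", "10.10.3.9", 5443, "tcp", 4_000_000_000, NOW - timedelta(hours=1)),
    Flow("10.10.2.8", "10.10.3.9", 5443, "tcp", 9_000_000_000, NOW - timedelta(hours=30)),
    Flow("203.0.113.10", "10.10.1.5", 443, "tcp", 500_000, NOW - timedelta(hours=3)),
    Flow("10.10.1.5", "198.51.100.53", 53, "udp", 1_000, NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    rules, ext = recommend_rules(SAMPLE_FLOWS, NOW)
    for line in render_rules(rules):
        print(line)
    print("external endpoints:", sorted(ext))
    gb = {p: b / 1e9 for p, b in bytes_by_port(SAMPLE_FLOWS, NOW).items()}
    print("GB per port, last 24h:", gb)
```

The 30-hour-old flow falls outside the 24-hour window and so contributes neither a rule nor bytes, which is the same windowing the lab applies when it sums the last 24 hours per port.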

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. The applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. The traffic flows can also be visualized between applications.

1. Under Micro-Segments, click on the drop-down which says "by VLAN/VXLAN".
2. Click on "by Application".

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.

We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.

1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type NSX Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type).

2. Click Search to continue.

The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view will enable the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the Source and Destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.

This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses Auto Fill and predictive text will appear as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step, we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The Notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification, Firewall rule membership change).
3. Info only - Do not click - View / Edit / Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; else click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies the determination of problems as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the Favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section that is on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map will indicate the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario, the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario, the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario, the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge/VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step, we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path Topology) of all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

HOL-1829-01-NET

Page 81HOL-1829-01-NET

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and Hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and the relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means that a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.


1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
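The same check the administrator performs by hand above (intended tier-to-tier flows versus what is observed, then the firewall decision that explains the gap), written out as an added Python example that is not part of this lab manual or of vRealize Network Insight. The VPC description in this module supplies the intended flows; the observed flow set and the rule table are constructed to mirror the lab's result (DB to syslog missing, 4 ALLOW and 1 DENY toward aws-log-server), and VM names the manual does not give (crm-app1, crm-web2, crm-app2) are assumptions.

```python
from collections import Counter

# Intended flows (src_vm, dst_vm, dst_port), taken from the VPC description in
# this module. Constructed example data; one VM per tier is enough to show it.
EXPECTED = {
    ("jump-box", "crm-web1", 80),            # internal users reach Web via the jump-box
    ("crm-web1", "crm-app1", 8080),          # Web -> App
    ("crm-app1", "crm-database", 3306),      # App -> DB
    ("jump-box", "crm-web1", 22),            # jump-box has ssh to every VM
    ("jump-box", "crm-app1", 22),
    ("jump-box", "crm-database", 22),
    ("crm-web1", "aws-dns-server", 53),      # every tier -> DNS (Common Services VPC)
    ("crm-app1", "aws-dns-server", 53),
    ("crm-database", "aws-dns-server", 53),
    ("crm-web1", "aws-log-server", 514),     # every tier -> syslog (Common Services VPC)
    ("crm-app1", "aws-log-server", 514),
    ("crm-database", "aws-log-server", 514),
}

# Constructed "observed" flows: everything intended is seen except DB -> syslog,
# which is what the lab's Plan Security view reveals.
OBSERVED = EXPECTED - {("crm-database", "aws-log-server", 514)}

# Constructed rule table in the shape of vRNI's "firewall action of flows"
# result: (src_vm, dst_vm, dst_port, action). Security groups are allow-lists,
# so a flow matching no rule is treated as an implicit DENY (assumption).
RULES = [
    ("crm-web1", "aws-log-server", 514, "ALLOW"),
    ("crm-web2", "aws-log-server", 514, "ALLOW"),
    ("crm-app1", "aws-log-server", 514, "ALLOW"),
    ("crm-app2", "aws-log-server", 514, "ALLOW"),
    ("crm-database", "aws-log-server", 514, "DENY"),
    ("crm-database", "aws-dns-server", 53, "ALLOW"),
    ("crm-app1", "crm-database", 3306, "ALLOW"),
]


def missing_expected_flows(expected, observed):
    """Intended flows for which no traffic was observed, in a stable order."""
    return sorted(expected - observed)


def firewall_action(rules, src_vm, dst_vm, dst_port):
    """First matching rule decides; no match is the allow-list's implicit deny.
    Returns (action, matching_rule_or_None)."""
    for rule in rules:
        if rule[:3] == (src_vm, dst_vm, dst_port):
            return rule[3], rule
    return "DENY", None


def actions_for_destination(rules, dst_vm):
    """Tally of ALLOW/DENY rules toward one VM, like the lab's 4 + 1 result."""
    return Counter(action for (_s, d, _p, action) in rules if d == dst_vm)


def explain_missing(expected, observed, rules):
    """Pair each missing intended flow with the firewall decision behind it."""
    return [
        (flow, *firewall_action(rules, *flow))
        for flow in missing_expected_flows(expected, observed)
    ]


if __name__ == "__main__":
    for flow, action, rule in explain_missing(EXPECTED, OBSERVED, RULES):
        print(f"missing {flow}: firewall says {action} via {rule}")
    print(dict(actions_for_destination(RULES, "aws-log-server")))
```

The one missing flow resolves to the explicit DENY for crm-database, which is the rule the lab's third query surfaces.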


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226



Look at the lower right portion of the screen

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than Ready, please wait a few minutes. If after 5 minutes your lab has not changed to Ready, please ask for assistance.


Module 1 - Micro-Segmentation and Security (30 minutes)


Introduction

When mid to large-sized enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on networks. The most challenging part is knowing what information is required to get started, how to locate the information and traffic flow, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. This process automatically generates a recommended model for security groups and specific firewall rules for each group. This makes life much easier for Security Architects and Engineers.

vRealize Network Insight (vRNI) relies on the use of an IPFIX collector at the Virtual Distributed Switch layer to capture data flows. We enable IPFIX at the Virtual Distributed Switch layer for the ESXi hosts to forward IPFIX UDP packets to the vRealize Network Insight appliance. The data capture will enable real-time data flow for all port traffic and provide further filtering capabilities in order to explore East-West traffic.

We have two scenarios to help explain how vRealize Network Insight can be utilized to ensure we have full visibility and granular control to deploy firewall rules in order to complete micro-segmentation without guessing.

Scenario 1 (Brownfield deployment): Customer ABC bought ESXi and NSX and does not have a clear understanding of how to operationally deploy existing workloads with East-West firewall protection, or how to segment the workload. The client will now use vRealize Network Insight to observe the real-time data flow between ports in order to build the East-West firewall rules. The vRealize Network Insight process will observe the traffic patterns based on the captured data flow; recommendations will then be made in order to secure workloads for East-West communication. Current firewall and micro-segmentation can also be verified.

Scenario 2 (Greenfield): Customer ABC has a new deployment project for DevOps and would not know what the immediate firewall rules or recommendations would be. Using vRealize Network Insight we could immediately start to monitor the real-time data flow as each deployment and development unfolds. Based on the DevOps information we can now apply the firewall rules at the Q&A stage and prep for testing, to ensure that when we move workloads into Production we will have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or implement successful East-West firewall rules. The process of planning security only relies on IPFIX at the vDS layer in order to capture and observe data flow between ports.

This module contains the following lessons:


• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion


Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.


Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type plan security (the search bar uses auto-fill, and predictive text will appear as you type).

2. Select the Time icon.

Plan Security - Specify a Preset

1. Select Presets.
2. Select Last Week.
3. Click the search icon to continue.


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• By VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained in a numbered format below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West-only traffic.
• B - This indicates the percentage of traffic that was switched.
• C - The percentage of traffic that is routed between the East-West ports.
• D - This indicates Virtual Machine to Virtual Machine traffic as a percentage of the sum in point number 1 (A).
• E - Traffic observed between virtual machines on the same host.
• F - Traffic that requires internet access.

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A session is a 5-tuple (the source port is one of the five tuple fields, which means that every time a new TCP connection is established and terminated, a new session is recorded).

A flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic (a wide range) and keeps on changing. As long as multiple sessions have the same source IP, the same destination IP, the same destination port and the same protocol, they will be combined into one record called a flow.

So thousands of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used.

Counter names

allowed sessions count of sessions (or 5 tuples) corresponding to a flow (4 Tuple)bytes total traffic volume exchanged on the flow (this sum of two counters described below)src bytes total bytes sent by src_ip of the flow to dst_ipportprotocoldst bytes total bytes received by src_ip of the flow from dst_ipportprotocol
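As an added example (not from the lab guide or from vRealize Network Insight itself), the following Python aggregates a constructed list of 5-tuple sessions into 4-tuple flows and computes the four counters described above; the sample session data and the outgoing_by_destination helper are assumptions used for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One 5-tuple session: a single connection as observed (constructed data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    src_bytes: int  # bytes sent by src_ip to dst_ip/port/protocol
    dst_bytes: int  # bytes received by src_ip from dst_ip/port/protocol


@dataclass
class Flow:
    """One 4-tuple flow: the aggregate of every session sharing
    src_ip, dst_ip, dst_port and protocol (source port is dropped)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    allowed_sessions: int = 0  # number of 5-tuples folded into this flow
    src_bytes: int = 0
    dst_bytes: int = 0

    @property
    def bytes(self) -> int:
        # "bytes" is the sum of the src and dst counters
        return self.src_bytes + self.dst_bytes


# Constructed sessions: three TCP connections from one VM to port 5443 on a
# second VM, two DNS lookups from the same VM, and one connection from another VM.
SAMPLE_SESSIONS = [
    Session("10.0.1.10", 51000, "10.0.2.20", 5443, "TCP", 1200, 34000),
    Session("10.0.1.10", 51001, "10.0.2.20", 5443, "TCP", 800, 12000),
    Session("10.0.1.10", 51002, "10.0.2.20", 5443, "TCP", 500, 9000),
    Session("10.0.1.10", 51003, "10.0.2.30", 53, "UDP", 64, 128),
    Session("10.0.1.10", 51004, "10.0.2.30", 53, "UDP", 64, 200),
    Session("10.0.1.11", 51005, "10.0.2.20", 5443, "TCP", 300, 4000),
]


def aggregate_flows(sessions):
    """Fold 5-tuple sessions into 4-tuple flows keyed by
    (src_ip, dst_ip, dst_port, protocol)."""
    flows = {}
    for s in sessions:
        key = (s.src_ip, s.dst_ip, s.dst_port, s.protocol)  # source port ignored
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(*key)
        flow.allowed_sessions += 1
        flow.src_bytes += s.src_bytes
        flow.dst_bytes += s.dst_bytes
    return flows


def outgoing_by_destination(flows, src_ip):
    """Distribution of one VM's outgoing flow volume by destination IP
    (the higher-level analysis mentioned in the text); hypothetical helper."""
    dist = defaultdict(int)
    for f in flows.values():
        if f.src_ip == src_ip:
            dist[f.dst_ip] += f.bytes
    return dict(dist)


if __name__ == "__main__":
    for key, flow in aggregate_flows(SAMPLE_SESSIONS).items():
        print(key, flow.allowed_sessions, flow.src_bytes, flow.dst_bytes, flow.bytes)
```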

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.

East-West (EW) - Detailed view

These are only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Hover (without clicking) on the timeline to see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports

Locating the Services screen for the next step

Services/Ports - Timeline view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and to analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.

Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be delivered by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.

Flows for Port 5443

Communicating over port 5443 for the last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view

Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have completed viewing the timelines for specific flows).

Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.

Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical and shared resources, the internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.

Focus - VLAN/VXLAN

To change the view and track flows between Prod-Web and Prod-Midtier, we will be switching from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).

Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier

(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is (ALLOWED) on Port 8080 between SG Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.

Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
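As an added example, not code from the lab or the product, the following Python shows how observed flows touching one group can be reduced to a minimal set of recommended ALLOW rules like the Prod-Web to Prod-Midtier port 8080 rule above (one rule per source group, destination group, port and protocol, with the number of flows and sessions each rule consolidates) and how the external services accessed fall out of the same data. The subnet-based group membership, the flow records and the helper names are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed assumption: security groups derived from subnets. The lab notes that
# groups may equally be based on VLANs, folders or any user-defined construct.
GROUP_SUBNETS = {
    "SG-Prod-Web": ip_network("10.10.1.0/24"),
    "SG-Prod-Midtier": ip_network("10.10.2.0/24"),
    "SG-Prod-DB": ip_network("10.10.3.0/24"),
}

# Constructed 4-tuple flow records (src_ip, dst_ip, dst_port, protocol) carrying
# the "allowed sessions" counter each flow accumulates.
SAMPLE_FLOWS = [
    {"src_ip": "10.10.1.11", "dst_ip": "10.10.2.21", "dst_port": 8080, "protocol": "TCP", "allowed_sessions": 40},
    {"src_ip": "10.10.1.12", "dst_ip": "10.10.2.21", "dst_port": 8080, "protocol": "TCP", "allowed_sessions": 25},
    {"src_ip": "10.10.1.11", "dst_ip": "10.10.2.22", "dst_port": 8080, "protocol": "TCP", "allowed_sessions": 30},
    {"src_ip": "10.10.1.11", "dst_ip": "10.10.3.31", "dst_port": 3306, "protocol": "TCP", "allowed_sessions": 5},
    {"src_ip": "10.10.1.11", "dst_ip": "192.0.2.53", "dst_port": 53, "protocol": "UDP", "allowed_sessions": 100},
    {"src_ip": "198.51.100.7", "dst_ip": "10.10.1.11", "dst_port": 443, "protocol": "TCP", "allowed_sessions": 500},
    {"src_ip": "10.10.2.21", "dst_ip": "10.10.3.31", "dst_port": 3306, "protocol": "TCP", "allowed_sessions": 60},
]


def group_of(ip: str) -> str:
    """Map an address to its security group; anything outside the known subnets is External."""
    addr = ip_address(ip)
    for name, net in GROUP_SUBNETS.items():
        if addr in net:
            return name
    return "External"


def recommend_rules(flows, focus_group: str):
    """Collapse every observed flow that involves focus_group into one ALLOW rule
    per (source group, destination group, port, protocol). The result is the
    minimum allow-list for the group; a default-deny rule placed after it would
    drop anything not observed."""
    buckets = defaultdict(lambda: {"flows": 0, "sessions": 0})
    for f in flows:
        src_g, dst_g = group_of(f["src_ip"]), group_of(f["dst_ip"])
        if focus_group not in (src_g, dst_g):
            continue  # flow does not touch the group being segmented
        key = (src_g, dst_g, f["dst_port"], f["protocol"])
        buckets[key]["flows"] += 1
        buckets[key]["sessions"] += f["allowed_sessions"]
    return [
        {"action": "ALLOW", "source": src, "destination": dst, "port": port,
         "protocol": proto, **counts}
        for (src, dst, port, proto), counts in sorted(buckets.items())
    ]


def external_services(rules):
    """Ports/protocols the focus group reaches outside the known groups
    (the 'External Services Accessed' breakdown)."""
    return sorted({(r["port"], r["protocol"]) for r in rules if r["destination"] == "External"})


if __name__ == "__main__":
    for rule in recommend_rules(SAMPLE_FLOWS, "SG-Prod-Web"):
        print(rule)
```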

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic/flows between the tiers of the same application. The traffic/flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.

We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application - click on Add Application.

1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see Hol-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type).

2. Click search to continue.

The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A - Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B - Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C - Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D - Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E - Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.

This module has explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new TAB will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses Auto Fill and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select a date range from June 30 to Jul 31 (as the lab uses static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info Only - Do not click - View, Edit or Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both green field and brown field deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface, which simplifies problem determination as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the Favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM to VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario, the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario, the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario, the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, as well as Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

HOL-1829-01-NET

Page 72HOL-1829-01-NET

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top of rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. The visual map (Path topology) shows all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight is providing us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight page at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue icon + to expand the detailed view of the Logical networking out of sync between host and NSX Controller.


Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, APP and DB.

4. Internal users of the Company can access the Web Tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three tier 'CRM' Application in AWS in one VPC. We shall explore the three tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow Line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-Server (syslog server).


1. In the Chrome web browser, right click on the tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
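The three checks above (designed flows versus observed flows, firewall action per flow to aws-log-server, and the rules between a given pair of VMs) can be reproduced offline against the CRM design from the AWS Configuration steps. The script below is an added example, not the lab's or vRealize Network Insight's own code; the VM inventory beyond crm-web1, crm-database and aws-log-server, the observed flows and the security-group rules are all constructed, with the DB to syslog allow rule deliberately left out as in the lab.

```python
"""Added example (not part of the lab or of vRealize Network Insight): checking the
CRM three-tier design from this module against observed flows and AWS security-group
style rules. Only the tier/port design comes from the lab text; VM names other than
crm-web1, crm-database and aws-log-server, the flows and the rules are constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")
# AWS security groups are allow-only: a flow is permitted only when the source's
# outbound rules and the destination's inbound rules both allow it.
Rule = namedtuple("Rule", "direction vm peer port")

# Constructed VM inventory for the CRM VPC and the Common Services VPC.
TIER = {
    "jump-box": "DC Virtual",
    "crm-web1": "Web", "crm-web2": "Web",
    "crm-app1": "App", "crm-app2": "App",
    "crm-database": "DB",
    "aws-dns-server": "Shared Virtual", "aws-log-server": "Shared Virtual",
}

def expected_flows():
    """Communication matrix stated in the lab (AWS Configuration, steps 3 to 10)."""
    web = [v for v, t in TIER.items() if t == "Web"]
    app = [v for v, t in TIER.items() if t == "App"]
    db = [v for v, t in TIER.items() if t == "DB"]
    crm_vms = web + app + db
    wanted = set()
    wanted.update(Flow("jump-box", w, 80) for w in web)            # users reach Web via jump-box
    wanted.update(Flow("jump-box", v, 22) for v in crm_vms)        # ssh from jump-box
    wanted.update(Flow(w, a, 8080) for w in web for a in app)      # Web -> App
    wanted.update(Flow(a, d, 3306) for a in app for d in db)       # App -> DB
    wanted.update(Flow(v, "aws-dns-server", 53) for v in crm_vms)  # all tiers -> DNS
    wanted.update(Flow(v, "aws-log-server", 514) for v in crm_vms) # all tiers -> syslog
    return wanted

# Constructed "observed" flows: everything the design needs except DB -> syslog.
OBSERVED = {f for f in expected_flows()
            if not (f.src == "crm-database" and f.port == 514)}

def missing_expected_flows(observed=OBSERVED):
    """Designed flows never seen on the wire, the gap the DB micro-segment view exposes."""
    return sorted(expected_flows() - set(observed))

def _forgot(src, dst):
    # The administrator never added the inbound allow on aws-log-server for crm-database.
    return src == "crm-database" and dst == "aws-log-server"

# Constructed security-group rules derived from the design, minus the forgotten one.
RULES = [Rule("out", f.src, f.dst, f.port) for f in expected_flows()]
RULES += [Rule("in", f.dst, f.src, f.port) for f in expected_flows()
          if not _forgot(f.src, f.dst)]

def firewall_action(rules, flow):
    """ALLOW only if the source may send and the destination may receive; security
    groups have no explicit deny, so an unmatched flow is reported as DENY."""
    out_ok = any(r.direction == "out" and r.vm == flow.src and r.peer == flow.dst
                 and r.port == flow.port for r in rules)
    in_ok = any(r.direction == "in" and r.vm == flow.dst and r.peer == flow.src
                and r.port == flow.port for r in rules)
    return "ALLOW" if out_ok and in_ok else "DENY"

def actions_to(dst, rules=RULES):
    """Offline equivalent of the lab query 'firewall action of flows where dst vm = <dst>',
    evaluated over the designed flows towards that destination."""
    return {f: firewall_action(rules, f) for f in sorted(expected_flows()) if f.dst == dst}

def rules_between(src, dst, rules=RULES):
    """Offline equivalent of 'aws firewall rule where src vm = <src> and dst vm = <dst>'."""
    return [r for r in rules
            if (r.direction == "out" and r.vm == src and r.peer == dst)
            or (r.direction == "in" and r.vm == dst and r.peer == src)]

if __name__ == "__main__":
    for f in missing_expected_flows():
        print("designed but never observed:", f)
    for f, action in actions_to("aws-log-server").items():
        print(f"{f.src:>13} -> {f.dst}:{f.port}  {action}")
    print("rules crm-database -> aws-log-server:",
          rules_between("crm-database", "aws-log-server"))
```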


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Module 1 - Micro-Segmentation and Security (30 minutes)


Introduction

When mid to large-sized enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on networks. The most challenging part is knowing what information is required to get started, how to locate the information and traffic flow, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. This process automatically generates a recommended model for security groups and specific firewalling rules for each group. This makes life much easier for Security Architects and Engineers.

vRealize Network Insight (vRNI) relies on the use of an IPFIX collector at the Virtual Distributed Switch layer to capture data flows. We enable IPFIX at the Virtual Distributed Switch layer for the ESXi hosts to forward IPFIX UDP packets to the vRealize Network Insight appliance. The data capture will enable real time data flow for all port traffic and provide further filtering capabilities in order to explore East-West traffic.

We have two scenarios to help explain how vRealize Network Insight can be utilized to ensure we have full visibility and granular control to deploy firewall rules, in order to complete micro-segmentation without guessing.

Scenario 1 (Brown Field deployment): Customer ABC bought ESXi and NSX and does not have a clear understanding of how to operationally deploy existing workloads with East-West firewall protection, or how to segment the workload. The client will now use vRealize Network Insight to observe the real time data flow between ports in order to build the East-West firewall rules. The vRealize Network Insight process will observe the traffic patterns; based on the captured data flow, recommendations will then be made in order to secure workloads for East-West communication. Current firewall and micro-segmentation can also be verified.

Scenario 2 (Green Field): Customer ABC has a new deployment project for DevOps and wouldn't know what the immediate firewall rules or recommendations would be. Using vRealize Network Insight we could immediately start to monitor the real time data flow as each deployment and development unfolds. Based on the DevOps information we can now apply the Firewall rules at the Q&A stage and prep for testing, to ensure that when we move workloads into Production we will have day zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or implement successful East-West firewall rules. The process of planning security only relies on IPFIX at the vDS layer in order to capture and observe data flow between ports.

This Module contains the following lessons:
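The planning step described above, going from IPFIX flow records collected at the vDS to group-level East-West firewall recommendations, is shown below as an added example; it is not the lab's or vRealize Network Insight's own code or algorithm. The IP addresses, the VM-to-group inventory, the flow records and the minimum-bytes heuristic are all constructed for illustration; the group names follow the Prod-Web / Prod-Midtier / Prod-DB naming used later in this module.

```python
"""Added example (not the lab's or vRealize Network Insight's code): aggregating
IPFIX-style flow records into group-to-group East-West rule recommendations.
All addresses, inventory entries and records below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: which VM owns each IP and which logical group it belongs to.
INVENTORY = {
    "10.0.1.11": ("prod-web-01", "Prod-Web"),
    "10.0.1.12": ("prod-web-02", "Prod-Web"),
    "10.0.2.21": ("prod-mid-01", "Prod-Midtier"),
    "10.0.2.22": ("prod-mid-02", "Prod-Midtier"),
    "10.0.3.31": ("prod-db-01", "Prod-DB"),
}
# Constructed data-center address space; anything outside it is North-South traffic.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed IPFIX-style records: (src_ip, dst_ip, dst_port, protocol, bytes).
RECORDS = [
    ("203.0.113.5", "10.0.1.11", 443, "TCP", 18_000),   # client -> web (external)
    ("203.0.113.9", "10.0.1.12", 443, "TCP", 12_500),
    ("10.0.1.11", "10.0.2.21", 5443, "TCP", 90_000),    # web -> midtier
    ("10.0.1.12", "10.0.2.22", 5443, "TCP", 75_000),
    ("10.0.2.21", "10.0.3.31", 3306, "TCP", 240_000),   # midtier -> db
    ("10.0.2.22", "10.0.3.31", 3306, "TCP", 210_000),
    ("10.0.1.11", "10.0.3.31", 3306, "TCP", 1_200),     # one stray web -> db session
    ("10.0.2.21", "8.8.8.8", 53, "UDP", 300),           # midtier -> external DNS
]

def group_of(ip):
    """Logical group for an address: its inventory group, 'Internal' for an unknown
    data-center address, or 'External' for anything outside the data center."""
    if ip in INVENTORY:
        return INVENTORY[ip][1]
    return "Internal" if ip_address(ip) in INTERNAL else "External"

def split_east_west(records):
    """Separate East-West records (both ends inside the data center) from North-South."""
    east_west, north_south = [], []
    for rec in records:
        inside = ip_address(rec[0]) in INTERNAL and ip_address(rec[1]) in INTERNAL
        (east_west if inside else north_south).append(rec)
    return east_west, north_south

def recommend_rules(records, min_bytes=0):
    """Aggregate East-West records into group-to-group service rules, summing bytes and
    counting flows so each recommended ALLOW carries its evidence. min_bytes is an
    assumed heuristic: sessions below it are ignored so a single stray flow does not
    turn into a permanent rule."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for src, dst, port, proto, nbytes in split_east_west(records)[0]:
        if nbytes < min_bytes:
            continue
        key = (group_of(src), group_of(dst), port, proto)
        totals[key]["flows"] += 1
        totals[key]["bytes"] += nbytes
    return [{"src_group": s, "dst_group": d, "port": p, "protocol": pr,
             "action": "ALLOW", **stats}
            for (s, d, p, pr), stats in sorted(totals.items())]

if __name__ == "__main__":
    ew, ns = split_east_west(RECORDS)
    print(f"{len(ew)} East-West records, {len(ns)} North-South records")
    for rule in recommend_rules(RECORDS, min_bytes=10_000):
        print(f"{rule['src_group']:>13} -> {rule['dst_group']:<13} "
              f"{rule['protocol']}/{rule['port']:<5} flows={rule['flows']} "
              f"bytes={rule['bytes']}")
```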


• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion


Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.


Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type "plan security" (the search bar uses auto-fill and predictive text will appear as you type).
2. Select the Time icon.

Plan Security - Specify a Preset

1. Select Presets.
2. Select Last Week.
3. Click the search icon to continue.


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to help understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows, External Flows
• Protected Flows, Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right Pane)

The Traffic Distribution section is explained in the lettered list below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West-only traffic.
• B - This indicates the percentage of traffic that was switched.
• C - The percentage of traffic that is routed between the East-West ports.
• D - This indicates virtual machine to virtual machine traffic as a percentage of the sum in point A.
• E - Traffic observed between virtual machines on the same host.
• F - Traffic that requires internet access.

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuples, which means every time a new TCP connection is established and terminated a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic, has a wide range and keeps on changing. As long as multiple sessions have the same source IP, same destination IP, same destination port and same protocol, they will be combined into one record called a flow.

So 1000s of sessions in a day between two machines on a specific destination port (ssh, dns etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flow by destination IP), the following metric counters can be used.

Counter names:

• allowed sessions - count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes - total traffic volume exchanged on the flow (this is the sum of the two counters described below)
• src bytes - total bytes sent by src_ip of the flow to dst_ip/port/protocol
• dst bytes - total bytes received by src_ip of the flow from dst_ip/port/protocol
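To make the session-to-flow aggregation and the four counters concrete, here is an added Python example; it is not part of the lab guide and is not vRealize Network Insight code. The session records, IP addresses and byte counts are constructed sample data, and the counter names mirror the list above. The last function shows the kind of higher-level query the text mentions, a VM's outgoing bytes broken down by destination IP, built purely from the flow counters.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One 5-tuple session (the source port makes each TCP connection unique)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    bytes_sent: int      # bytes from src_ip to dst_ip in this session
    bytes_received: int  # bytes from dst_ip back to src_ip


# Constructed sample sessions (not captured data): three SSH connections and
# two DNS lookups from one VM, plus one SSH connection from a second VM.
SESSIONS = [
    Session("10.0.1.11", "10.0.2.21", 51022, 22, "TCP", 1200, 8400),
    Session("10.0.1.11", "10.0.2.21", 51023, 22, "TCP", 900, 5100),
    Session("10.0.1.11", "10.0.2.21", 51024, 22, "TCP", 1500, 9200),
    Session("10.0.1.11", "10.0.2.53", 40000, 53, "UDP", 64, 180),
    Session("10.0.1.11", "10.0.2.53", 40001, 53, "UDP", 64, 200),
    Session("10.0.1.12", "10.0.2.21", 51025, 22, "TCP", 700, 3300),
]


def flow_key(session):
    """The 4-tuple: drop the dynamic source port, keep src IP, dst IP, dst port, protocol."""
    return (session.src_ip, session.dst_ip, session.dst_port, session.protocol)


def aggregate_flows(sessions):
    """Collapse 5-tuple sessions into 4-tuple flows carrying the four counters
    named in the text: allowed sessions, src bytes, dst bytes and bytes."""
    flows = {}
    for s in sessions:
        counters = flows.setdefault(
            flow_key(s), {"allowed sessions": 0, "src bytes": 0, "dst bytes": 0}
        )
        counters["allowed sessions"] += 1
        counters["src bytes"] += s.bytes_sent
        counters["dst bytes"] += s.bytes_received
    for counters in flows.values():
        # "bytes" is the sum of the two directional counters
        counters["bytes"] = counters["src bytes"] + counters["dst bytes"]
    return flows


def outgoing_bytes_by_destination(flows, src_ip):
    """Higher-level query built on the counters: distribution of one VM's
    outgoing traffic by destination IP."""
    distribution = defaultdict(int)
    for (src, dst, _port, _proto), counters in flows.items():
        if src == src_ip:
            distribution[dst] += counters["src bytes"]
    return dict(distribution)


if __name__ == "__main__":
    flows = aggregate_flows(SESSIONS)
    for key, counters in flows.items():
        print(key, counters)
    print(outgoing_bytes_by_destination(flows, "10.0.1.11"))
```

With the six constructed sessions the aggregation yields three flows: the three SSH connections from 10.0.1.11 collapse into one flow with 3 allowed sessions, the two DNS lookups into another, and the single SSH connection from 10.0.1.12 into a third. That is exactly why flows, not sessions, are the unit a firewall rule is written against.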

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.


East-West (EW) - Detailed View

This is only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the timeline, see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports


Locating the Services screen for the next step

Services/Ports - Timeline View

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The Services view is used to observe the flow for each service and to analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be obtained by hovering over a particular section.

1. Hover over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443.
2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

For traffic over port 5443 in the last 24 hours we now have a detailed understanding of how 20 flows are distributed, by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 may be the seventh flow entry).

Flow Key Properties - Timeline View


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline View

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how this can be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop-down box and then select "by Subnet".
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To change the view to track flows between Prod-Web and Prod-Midtier, we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will update automatically).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier

(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is (ALLOWED) on Port 8080 between SG-Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.
2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and includes the port information (DNS, HTTPS etc.).
3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.
4. Click the close icon (x) to continue.
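The recommended rules shown in the last two screens (ALLOW on port 8080 between SG-Prod-Web and SG-Prod-Midtier, and the six rules derived for the whole Prod-Web group) are what you get when observed flows are collapsed into group-to-group rules: many VM-to-VM flows on the same service become one rule between the two groups. The following Python example is added here to illustrate that idea; it is not code from the lab or from vRealize Network Insight, and its rule logic is an illustration rather than the product's algorithm. The group membership, VM names, addresses and flows are constructed sample data modelled on the lab's Prod-Web, Prod-Midtier and Prod-DB groups; endpoints that belong to no group are treated as "External". It also includes the verification step from Scenario 1: listing observed flows that no existing rule accounts for.

```python
from collections import Counter

# Constructed sample security-group membership (VM name -> group).
GROUP_OF = {
    "Prod-Web-1": "SG-Prod-Web",
    "Prod-Web-2": "SG-Prod-Web",
    "Prod-Midtier-1": "SG-Prod-Midtier",
    "Prod-Midtier-2": "SG-Prod-Midtier",
    "Prod-DB-2": "SG-Prod-DB",
    "Prod-DB-3": "SG-Prod-DB",
}

EXTERNAL = "External"

# Constructed observed flows as (source, destination, dst_port, protocol), i.e.
# the 4-tuple records Plan Security works with. 10.0.0.53 and 198.51.100.7 are
# sample addresses outside every group.
FLOWS = [
    ("Prod-Web-1", "Prod-Midtier-1", 8080, "TCP"),
    ("Prod-Web-2", "Prod-Midtier-2", 8080, "TCP"),
    ("Prod-Web-1", "Prod-Midtier-2", 8080, "TCP"),
    ("Prod-Midtier-1", "Prod-DB-2", 5443, "TCP"),
    ("Prod-DB-3", "Prod-DB-2", 5443, "TCP"),
    ("Prod-Web-1", "10.0.0.53", 53, "UDP"),
    ("Prod-Web-2", "10.0.0.53", 53, "UDP"),
    ("198.51.100.7", "Prod-Web-1", 443, "TCP"),
]


def group_of(endpoint):
    """Map a VM or address to its security group; anything unknown is External."""
    return GROUP_OF.get(endpoint, EXTERNAL)


def recommend_rules(flows):
    """Collapse observed flows into the minimum set of group-to-group ALLOW rules.
    Returns (src_group, dst_group, protocol, port, action, flow_count) tuples,
    one per distinct service actually seen between a pair of groups."""
    seen = Counter()
    for src, dst, port, proto in flows:
        seen[(group_of(src), group_of(dst), proto, port)] += 1
    return [
        (src_g, dst_g, proto, port, "ALLOW", count)
        for (src_g, dst_g, proto, port), count in sorted(seen.items())
    ]


def uncovered_flows(flows, existing_rules):
    """Verification step: observed flows that no existing ALLOW rule
    (src_group, dst_group, protocol, port) accounts for. Under a default-deny
    micro-segmentation policy these are the flows that would be blocked, so
    they are exactly what must be reviewed before rules are enforced."""
    allowed = set(existing_rules)
    return [
        (src, dst, port, proto)
        for src, dst, port, proto in flows
        if (group_of(src), group_of(dst), proto, port) not in allowed
    ]


if __name__ == "__main__":
    for rule in recommend_rules(FLOWS):
        print(rule)
    # Suppose only the Prod-Web -> Prod-Midtier rule from the lab exists today.
    current = [("SG-Prod-Web", "SG-Prod-Midtier", "TCP", 8080)]
    print("not covered by current rules:", uncovered_flows(FLOWS, current))
```

Eight sample flows reduce to five rules here, and the three Prod-Web to Prod-Midtier flows on 8080 become the single rule the lab shows. Running the coverage check with only that one rule in place lists the remaining five flows, which is the "verify current firewall and micro-segmentation" activity from Scenario 1 expressed as a query.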

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says "by VLAN/VXLAN".
2. Click on "by Application".

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type "Application".
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.
2. This page also lets you create a new application: click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the name as HOL-Pre-Prod.
3. Our search criteria will be based on VM names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type "Nsx Security Group Prod_MidTier" (the search bar uses auto-fill and predictive text will appear as you type).
2. Click search to continue.


The Help screen may pop up (in this lab setting) to ensure the user has an instant guide, called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.
2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A - Events: showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B - Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C - Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D - Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E - Direct Firewall Rules - NOTE: the blue links will expose further detail for each firewall segment.


This module has explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(the search bar uses auto-fill and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.
2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.
3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.
2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.
3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type "Settings".
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification "Firewall rule membership change").
3. Info only - do not click - View, Edit, Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies the determination of problems as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type "dba" into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type "prod" in the destination field and the list of available options will appear.
2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.
2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1 From the map click on the icon marked by a red square to access the nextPhysical VRF in the path


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight is providing us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and the relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the Company can access the Web Tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306)
4. DB (DB tier talks to Log Servers) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
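The check the administrator performs by hand in the steps above, comparing the flows the CRM design expects with the flows actually observed and then reading the security-group rules to explain the missing DB to syslog flow, can be scripted. The following is an added example and not part of the lab manual or of vRealize Network Insight: only crm-web1, crm-database, aws-log-server and the port numbers come from the lab; the other instance names, addresses, security-group ids, rules and flow records are constructed so that the results mirror the lab's three queries (3 rules for crm-web1, 2 outbound rules and no inbound rule for crm-database).

```python
"""Expected-vs-observed flow check and security-group evaluation for the CRM app.
Added example, not part of the HOL manual or of vRealize Network Insight. Only
crm-web1, crm-database, aws-log-server and the port numbers come from the lab; the
other instance names, addresses, security-group ids, rules and flow records are
constructed so that the results mirror the lab's three queries."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Instance -> tier, security group and private address (constructed; VPC CRM is
# 10.10.0.0/16 and VPC Common Services is 10.20.0.0/16).
VM_TIER = {"jump-box": "jumpbox", "crm-web1": "web", "crm-app1": "app",
           "crm-database": "db", "aws-dns-server": "dns", "aws-log-server": "syslog"}
VM_SG = {"jump-box": "sg-jump", "crm-web1": "sg-web", "crm-app1": "sg-app",
         "crm-database": "sg-db", "aws-dns-server": "sg-dns", "aws-log-server": "sg-log"}
VM_IP = {"jump-box": "10.10.0.5", "crm-web1": "10.10.1.10", "crm-app1": "10.10.2.10",
         "crm-database": "10.10.3.10", "aws-dns-server": "10.20.1.20",
         "aws-log-server": "10.20.1.10"}

# Design intent from the "AWS Configuration" steps: (src tier, dst tier, port, proto).
EXPECTED = {
    ("jumpbox", "web", 80, "tcp"), ("web", "app", 8080, "tcp"), ("app", "db", 3306, "tcp"),
    ("jumpbox", "web", 22, "tcp"), ("jumpbox", "app", 22, "tcp"), ("jumpbox", "db", 22, "tcp"),
    ("web", "dns", 53, "udp"), ("app", "dns", 53, "udp"), ("db", "dns", 53, "udp"),
    ("web", "syslog", 514, "udp"), ("app", "syslog", 514, "udp"), ("db", "syslog", 514, "udp"),
}

# Constructed flow records in the shape a collector reports: (src vm, dst vm, port, proto).
OBSERVED = [
    ("jump-box", "crm-web1", 80, "tcp"), ("crm-web1", "crm-app1", 8080, "tcp"),
    ("crm-app1", "crm-database", 3306, "tcp"),
    ("jump-box", "crm-web1", 22, "tcp"), ("jump-box", "crm-app1", 22, "tcp"),
    ("jump-box", "crm-database", 22, "tcp"),
    ("crm-web1", "aws-dns-server", 53, "udp"), ("crm-app1", "aws-dns-server", 53, "udp"),
    ("crm-database", "aws-dns-server", 53, "udp"),
    ("crm-web1", "aws-log-server", 514, "udp"), ("crm-app1", "aws-log-server", 514, "udp"),
    # No crm-database -> aws-log-server:514 record: the gap the lab uncovers.
]

def missing_flows(expected=EXPECTED, observed=OBSERVED, vm_tier=VM_TIER):
    """Return the expected tier-level flows that no observed flow satisfies."""
    seen = {(vm_tier[s], vm_tier[d], port, proto) for s, d, port, proto in observed}
    return sorted(expected - seen)

# A security-group rule: peer is a group id or a CIDR; security groups only ever allow.
Rule = namedtuple("Rule", "direction proto from_port to_port peer")

# Constructed security-group rules. sg-log admits syslog from the web and app
# groups only: the inbound rule for sg-db is the one the lab's administrator forgot.
SG_RULES = {
    "sg-jump": [Rule("outbound", "tcp", 22, 22, "10.10.0.0/16"),
                Rule("outbound", "tcp", 80, 80, "sg-web")],
    "sg-web": [Rule("inbound", "tcp", 80, 80, "10.10.0.0/16"), Rule("inbound", "tcp", 22, 22, "sg-jump"),
               Rule("outbound", "tcp", 8080, 8080, "sg-app"),
               Rule("outbound", "udp", 53, 53, "10.20.0.0/16"),
               Rule("outbound", "udp", 514, 514, "10.20.0.0/16")],
    "sg-app": [Rule("inbound", "tcp", 8080, 8080, "sg-web"), Rule("inbound", "tcp", 22, 22, "sg-jump"),
               Rule("outbound", "tcp", 3306, 3306, "sg-db"),
               Rule("outbound", "udp", 53, 53, "10.20.0.0/16"),
               Rule("outbound", "udp", 514, 514, "10.20.0.0/16")],
    "sg-db": [Rule("inbound", "tcp", 3306, 3306, "sg-app"), Rule("inbound", "tcp", 22, 22, "sg-jump"),
              Rule("outbound", "udp", 53, 53, "10.20.0.0/16"),
              Rule("outbound", "udp", 514, 514, "10.20.0.0/16")],
    "sg-dns": [Rule("inbound", "udp", 53, 53, "10.10.0.0/16")],
    "sg-log": [Rule("inbound", "udp", 514, 514, "sg-web"), Rule("inbound", "udp", 514, 514, "sg-app")],
}

def peer_covers(peer, vm):
    """True if a rule's peer (security-group id or CIDR) includes the instance."""
    if peer.startswith("sg-"):
        return VM_SG[vm] == peer
    return ip_address(VM_IP[vm]) in ip_network(peer)

def rules_between(src, dst):
    """Rules on either side that reference the other instance, the counterpart of the
    lab's 'aws firewall rule where src vm = ... and dst vm = ...' query."""
    out = [r for r in SG_RULES[VM_SG[src]] if r.direction == "outbound" and peer_covers(r.peer, dst)]
    inb = [r for r in SG_RULES[VM_SG[dst]] if r.direction == "inbound" and peer_covers(r.peer, src)]
    return out, inb

def evaluate(src, dst, port, proto):
    """'allow' only when an outbound rule on the source group AND an inbound rule on
    the destination group match; otherwise 'deny' plus which side is missing."""
    out, inb = rules_between(src, dst)

    def hit(rules):
        return any(r.proto == proto and r.from_port <= port <= r.to_port for r in rules)

    if hit(out) and hit(inb):
        return "allow", None
    side = f"outbound rule on {VM_SG[src]}" if not hit(out) else f"inbound rule on {VM_SG[dst]}"
    return "deny", f"no {side} permits {proto}/{port} from {src} to {dst}"
```

`missing_flows()` returns the single gap `("db", "syslog", 514, "udp")`, and `evaluate("crm-database", "aws-log-server", 514, "udp")` names the missing inbound rule on the log server's group, which is the fix the lab's deny result points to.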


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Introduction

When mid to large-sized enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on networks. The most challenging part is knowing what information is required to get started, how to locate the information and traffic flow, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. This process automatically generates a recommended model for security groups and specific firewalling rules for each group. This makes life much easier for Security Architects and Engineers.

vRealize Network Insight (vRNI) relies on an IPFIX collector at the Virtual Distributed Switch layer to capture data flows. We enable IPFIX at the Virtual Distributed Switch layer so that the ESXi hosts forward IPFIX UDP packets to the vRealize Network Insight appliance. The data capture enables real-time data flow for all port traffic and provides further filtering capabilities in order to explore East-West traffic.

We have two scenarios to help explain how vRealize Network Insight can be utilized to ensure we have full visibility and granular control to deploy firewall rules in order to complete micro-segmentation without guessing.

Scenario 1 (Brownfield deployment): Customer ABC bought ESXi and NSX and does not have a clear understanding of how to operationally deploy existing workloads with East-West firewall protection, or how to segment the workload. The client will now use vRealize Network Insight to observe the real-time data flow between ports in order to build the East-West firewall rules. The vRealize Network Insight process will observe the traffic patterns based on the captured data flow; recommendations will then be made in order to secure workloads for East-West communication. Current firewall and micro-segmentation can also be verified.

Scenario 2 (Greenfield): Customer ABC has a new deployment project for DevOps and wouldn't know what the immediate firewall rules or recommendations would be. Using vRealize Network Insight we could immediately start to monitor the real-time data flow as each deployment and development unfolds. Based on the DevOps information we can now apply the firewall rules at the Q&A stage and prep for testing to ensure that when we move workloads into Production we will have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or implement successful East-West firewall rules. The process of planning security only relies on IPFIX at the vDS layer in order to capture and observe data flow between ports.

This Module contains the following lessons:

HOL-1829-01-NET

Page 10 HOL-1829-01-NET

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion


Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue


Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type plan security (the search bar uses Auto Fill and predictive text will appear as you type)

2. Select the Time icon

Plan Security - Specify a Preset

1. Select Presets
2. Select Last Week
3. Click the search icon to continue


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to help understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained in lettered format below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West-only traffic
• B - This indicates the percentage of traffic that was switched
• C - The percentage of traffic that is routed between the East-West ports
• D - This indicates Virtual Machine to Virtual Machine traffic as a percentage of the sum in point A
• E - Traffic observed between virtual machines on the same host
• F - Traffic that requires internet access

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It's important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuple fields, which means that every time a new TCP connection is established and terminated, a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic, covers a wide range and keeps on changing. As long as multiple sessions have the same source IP, same destination IP, same destination port and same protocol, they will be combined into one record called a flow.

So thousands of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred and number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used.

Counter names:

• allowed sessions: count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes: total traffic volume exchanged on the flow (the sum of the two counters described below)
• src bytes: total bytes sent by src_ip of the flow to dst_ip/port/protocol
• dst bytes: total bytes received by src_ip of the flow from dst_ip/port/protocol

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.


East-West (EW) - Detailed view

These are only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the timeline, see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports


Locating the Services screen for the next step.

Services/Ports - Timeline view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and analyzes a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.


Services/Ports - Point-in-Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be shown by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

Communicating over port 5443 for the last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on the 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have completed viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range)
2. Select the drop-down box and then select by Subnet
3. We can further analyze micro-segments by secondary groups (this step is for information only)
4. Click Analyze to populate the data


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To change the view to track flows between Prod-Web and Prod-Midtier, we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).


Focus - Prod-Web (25)

1. Hover over Prod-Web
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why
3. Click on the line joining Prod-Web and Prod-Midtier

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG-Prod-Midtier.
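To make the session-to-flow aggregation and the group-level rule recommendation concrete, here is an added example (not from the HOL guide or from vRNI's own code) that rolls constructed 5-tuple session records into 4-tuple flows carrying the counters listed earlier, then groups those flows by a hypothetical security-group membership to produce ALLOW rules like the Prod-Web to Prod-Midtier port 8080 one above. All addresses, group names and byte counts are constructed sample data.

```python
# Added example: 5-tuple sessions -> 4-tuple flows -> per-group ALLOW rules.
# Constructed sample data; not taken from the lab environment.
from collections import defaultdict
from dataclasses import dataclass

# One IPFIX-style record per session (constructed):
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes src->dst, bytes dst->src)
SESSIONS = [
    ("10.10.1.5", 51234, "10.10.2.8", 8080, "TCP", 1200, 5400),
    ("10.10.1.5", 51235, "10.10.2.8", 8080, "TCP", 900, 3100),   # new src port, same flow
    ("10.10.1.6", 40001, "10.10.2.8", 8080, "TCP", 700, 2500),   # different src IP, new flow
    ("10.10.1.5", 51236, "10.10.2.9", 5443, "TCP", 300, 800),
    ("10.10.1.5", 53001, "203.0.113.53", 53, "UDP", 60, 120),    # external DNS resolver
]

# Hypothetical security-group membership keyed by VM address (constructed).
GROUPS = {
    "10.10.1.5": "SG-Prod-Web",
    "10.10.1.6": "SG-Prod-Web",
    "10.10.2.8": "SG-Prod-Midtier",
    "10.10.2.9": "SG-Prod-DB",
}


@dataclass
class Flow:
    """A 4-tuple flow with the counters the guide lists."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    allowed_sessions: int = 0   # number of 5-tuple sessions folded into this flow
    src_bytes: int = 0          # bytes sent by src_ip to dst_ip/port/protocol
    dst_bytes: int = 0          # bytes received by src_ip from dst_ip/port/protocol

    @property
    def bytes(self) -> int:
        # "bytes" is the sum of the two directional counters
        return self.src_bytes + self.dst_bytes


def aggregate_flows(sessions):
    """Collapse 5-tuple sessions into 4-tuple flows by ignoring the source port."""
    flows = {}
    for src_ip, _src_port, dst_ip, dst_port, proto, out_bytes, in_bytes in sessions:
        key = (src_ip, dst_ip, dst_port, proto)
        flow = flows.setdefault(key, Flow(src_ip, dst_ip, dst_port, proto))
        flow.allowed_sessions += 1
        flow.src_bytes += out_bytes
        flow.dst_bytes += in_bytes
    return flows


def recommend_rules(flows, groups):
    """Roll flows up into (src group, dst group, protocol, dst port) ALLOW rules.

    Addresses with no known group are treated as External, mirroring the
    guide's 'External Services Accessed' breakdown.
    """
    rules = defaultdict(lambda: {"flows": 0, "sessions": 0, "bytes": 0})
    for flow in flows.values():
        src_group = groups.get(flow.src_ip, "External")
        dst_group = groups.get(flow.dst_ip, "External")
        stats = rules[(src_group, dst_group, flow.protocol, flow.dst_port)]
        stats["flows"] += 1
        stats["sessions"] += flow.allowed_sessions
        stats["bytes"] += flow.bytes
    return dict(rules)


def format_rule(key, stats):
    """Render one recommended rule the way a reviewer would read it."""
    src_group, dst_group, proto, port = key
    return (f"ALLOW {src_group} -> {dst_group} {proto}/{port} "
            f"({stats['flows']} flows, {stats['sessions']} sessions, {stats['bytes']} bytes)")


if __name__ == "__main__":
    flows = aggregate_flows(SESSIONS)
    print(f"{len(SESSIONS)} sessions aggregated into {len(flows)} flows")
    for key, stats in sorted(recommend_rules(flows, GROUPS).items()):
        print(format_rule(key, stats))
```

The five sessions collapse into four flows and three candidate rules; the two Prod-Web sources talking to Prod-Midtier on TCP/8080 become one rule with the combined session and byte counts.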

1. Click the close icon (x) to continue.


Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN
2. Click on by Application

1. Hover over Prod-App (47) (do not click at this stage)
2. Click on Keep Focus

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application
2. Click the Search button

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.


1. Under Application Name, type HOL-Pre-Prod
2. Under Tier, type the name as HOL-Pre-Prod
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you)
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities
2. You can also see Hol-Pre-Prod in the list

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type)

2. Click search to continue


The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the Source and Destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(the search bar uses Auto Fill and predictive text will appear as you type)

2. Click search to continue

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes)
4. Click search

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change)
3. Info only - Do not click - View, Edit or Activate any notifications

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both Greenfield and Brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface, which simplifies problem determination as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology
2. Click on Path

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source
2. Type dba into the source field and DBAdmin-VM1 will appear
3. Click on DBAdmin-VM1 to select it


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear

2. Select Prod-Db-2

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field
2. Click Maximize

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up windows by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

HOL-1829-01-NET

Page 57HOL-1829-01-NET

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the chassis and the blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host; for example, the Control Plane Sync Status is Unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled. IPFIX export from the distributed switch is the source of the per-flow data that vRealize Network Insight uses for the flow views seen in Module 1.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the switch port for the VM.

Switch Port

A pop-up box will appear that contains the switch port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. vRealize Network Insight gathers all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto firewall acting as a router. In this view we see the routing table as well as the firewall rules. Note that the firewall rules shown are only those applicable between the two objects we searched for: a normal network probably carries thousands of firewall rules, but these are the ones affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. Information on routing, gateways, interfaces and so on is available. These details show that devices from a multitude of vendors can be monitored, which matters when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of component we looked at previously in this module. We are not going to look at their details in this scenario as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse over) the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the underlay VLAN IDs, the subnet and the underlay subnet. The Segment ID is the 24-bit VNI carried in the VXLAN header; the underlay VLAN and subnet are what the VTEPs use to carry the encapsulated traffic across the physical network.

C - We also have visibility into which primary controller it is using, as well as the hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.
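The relationship between the Segment ID and the underlay addresses shown in this pop-up can be seen directly in a VXLAN frame. The following Python is an added example, not code from the lab or from vRealize Network Insight: it builds one constructed VXLAN frame (invented VTEP addresses 192.168.10.11 and 192.168.10.12, invented VM MAC and IP addresses, and an invented VNI of 5001) and then parses it back, separating what the physical switches see (outer VTEP IPs and UDP port 4789) from what the VMs see (inner MACs and IPs).

```python
"""Separate the underlay (VTEP) and overlay (VM) addressing of a VXLAN frame.

Added example for this lab; it is not vRNI code. The sample frame is built
inline from invented VTEP addresses, VM MAC/IP addresses and VNI (5001).
"""
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "VNI valid" flag, the only flag RFC 7348 defines
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


@dataclass(frozen=True)
class VxlanView:
    vtep_src_ip: str           # underlay: the sending host's VTEP
    vtep_dst_ip: str           # underlay: the receiving host's VTEP
    vni: int                   # the Segment ID vRNI shows for the logical switch
    inner_src_mac: str         # overlay: what the VMs themselves see
    inner_dst_mac: str
    inner_src_ip: Optional[str]
    inner_dst_ip: Optional[str]


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte header; the checksum is left 0 because nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, _ip_bytes(src), _ip_bytes(dst))


def build_inner_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    # The VM's own Ethernet frame carrying an empty IPv4 payload (proto 253, experimental).
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + _ipv4_header(src_ip, dst_ip, 253, 0)


def build_vxlan_frame(vtep_src: str, vtep_dst: str, vni: int, inner: bytes) -> bytes:
    """Encapsulate `inner` the way a VTEP does: outer Ethernet/IPv4/UDP + 8-byte VXLAN header."""
    vxlan_hdr = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan_hdr) + len(inner)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum is allowed
    outer_eth = b"\x00\x00\x00\x00\x00\x02" + b"\x00\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return outer_eth + _ipv4_header(vtep_src, vtep_dst, IPPROTO_UDP, udp_len) + udp_hdr + vxlan_hdr + inner


def parse_vxlan_frame(frame: bytes) -> VxlanView:
    """Walk outer Ethernet -> IPv4 -> UDP -> VXLAN -> inner Ethernet (-> inner IPv4)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    vtep_src = _ip(frame[ip_off + 12:ip_off + 16])
    vtep_dst = _ip(frame[ip_off + 16:ip_off + 20])

    udp_off = ip_off + ihl
    dport = struct.unpack("!H", frame[udp_off + 2:udp_off + 4])[0]
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")

    vx_off = udp_off + 8
    if not frame[vx_off] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI field is not valid")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")

    inner = frame[vx_off + 8:]
    inner_dst_mac, inner_src_mac = _mac(inner[0:6]), _mac(inner[6:12])
    inner_src_ip = inner_dst_ip = None
    if struct.unpack("!H", inner[12:14])[0] == ETHERTYPE_IPV4:
        # Assumes a 20-byte inner IPv4 header, which the constructed frame has.
        inner_src_ip = _ip(inner[26:30])
        inner_dst_ip = _ip(inner[30:34])
    return VxlanView(vtep_src, vtep_dst, vni, inner_src_mac, inner_dst_mac, inner_src_ip, inner_dst_ip)


# Constructed sample: VM 172.16.20.5 talking to 172.16.30.7 over logical switch
# VNI 5001, carried between VTEPs 192.168.10.11 and 192.168.10.12.
SAMPLE_FRAME = build_vxlan_frame(
    "192.168.10.11", "192.168.10.12", 5001,
    build_inner_frame(b"\x00\x50\x56\xaa\xbb\x01", b"\x00\x50\x56\xaa\xbb\x02",
                      "172.16.20.5", "172.16.30.7"),
)

if __name__ == "__main__":
    print(parse_vxlan_frame(SAMPLE_FRAME))
```

Run it directly to print the decoded view. The point for a practitioner is that a capture on the physical uplink shows only VTEP-to-VTEP UDP 4789 traffic; the VM-to-VM conversation is only recoverable by decoding the VNI and the inner headers, which is the overlay-to-underlay correlation the map is doing for you.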

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows traffic matching NSX firewall rules to be redirected to the PAN firewall for inspection.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life, and it is worth checking both directions whenever a firewall sits in the path, since a device that sees only one direction of an asymmetric flow may drop it or fail to inspect it fully.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labelled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (path topology) of all the path objects is shown.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components used in a network conversation.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight product page at http://www.vmware.com.

This concludes this module. Please continue to the next module.

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight gives us full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata collection gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on) the red triangle to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.

Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activity.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the right hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, security groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 1 (Define an Application).

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 in the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (the jump-box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results, both outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server. Since AWS security groups are allow-only and stateful, the absence of an outbound rule for port 514 on the database's group (or of a matching inbound rule on the log server's group) is itself the deny.
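The three queries above reconstruct by hand what amounts to a policy check: does the set of security group rules permit every flow the application is supposed to have? The following Python is an added example, not code from the lab, from vRealize Network Insight or from the AWS API. It models a constructed set of instances and security groups mirroring the CRM scenario (invented names, addresses and group names; syslog is modelled as TCP/514, which is an assumption since the lab only gives the port; the DB tier's group deliberately lacks an outbound 514 rule, as the lab's finding describes), evaluates each intended flow under AWS security group semantics, and reports the intended flows that are not permitted. It also runs the check in the other direction, listing which instances may open a given port on a destination, which is the over-permission check that micro-segmentation planning ultimately needs.

```python
"""Evaluate intended CRM application flows against AWS-style security groups.

Added example for this lab; it is not vRNI code and makes no AWS API call. All
instance names, addresses, group names and rules are constructed to mirror the
lab's CRM scenario (web -> app 8080, app -> db 3306, jump-box -> all 22, every
tier -> DNS 53 and syslog 514), including the missing DB -> syslog rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp" or "udp"
    from_port: int
    to_port: int
    peer: str        # CIDR ("10.0.0.0/8") or a security-group name ("sg-app")


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: tuple[str, ...]


# Constructed security groups. Real AWS groups are allow-only: the absence of a
# matching rule is the deny, which is what vRNI reports as DENY in the lab.
SECURITY_GROUPS: dict[str, list[Rule]] = {
    "sg-web": [
        Rule("inbound", "tcp", 80, 80, "10.0.0.0/8"),      # internal users / DC VMs
        Rule("inbound", "tcp", 22, 22, "sg-jump"),
        Rule("outbound", "tcp", 8080, 8080, "sg-app"),
        Rule("outbound", "udp", 53, 53, "sg-shared"),
        Rule("outbound", "tcp", 514, 514, "sg-shared"),
    ],
    "sg-app": [
        Rule("inbound", "tcp", 8080, 8080, "sg-web"),
        Rule("inbound", "tcp", 22, 22, "sg-jump"),
        Rule("outbound", "tcp", 3306, 3306, "sg-db"),
        Rule("outbound", "udp", 53, 53, "sg-shared"),
        Rule("outbound", "tcp", 514, 514, "sg-shared"),
    ],
    "sg-db": [
        Rule("inbound", "tcp", 3306, 3306, "sg-app"),
        Rule("inbound", "tcp", 22, 22, "sg-jump"),
        Rule("outbound", "udp", 53, 53, "sg-shared"),
        # Assumed misconfiguration from the lab: no outbound tcp/514 to sg-shared.
    ],
    "sg-jump": [
        Rule("outbound", "tcp", 22, 22, "10.10.0.0/16"),
    ],
    "sg-shared": [
        Rule("inbound", "udp", 53, 53, "10.10.0.0/16"),
        Rule("inbound", "tcp", 514, 514, "10.10.0.0/16"),
    ],
}

INSTANCES: dict[str, Instance] = {i.name: i for i in [
    Instance("jump-box", "10.10.0.5", ("sg-jump",)),
    Instance("crm-web1", "10.10.1.10", ("sg-web",)),
    Instance("crm-app1", "10.10.2.10", ("sg-app",)),
    Instance("crm-database", "10.10.3.10", ("sg-db",)),
    Instance("aws-dns-server", "10.20.1.53", ("sg-shared",)),
    Instance("aws-log-server", "10.20.1.14", ("sg-shared",)),
]}


def _peer_matches(rule: Rule, peer: Instance) -> bool:
    """A rule's peer is either another security group or a CIDR."""
    if rule.peer.startswith("sg-"):
        return rule.peer in peer.groups
    return ip_address(peer.ip) in ip_network(rule.peer)


def _has_rule(inst: Instance, direction: str, proto: str, port: int, peer: Instance) -> bool:
    return any(
        r.direction == direction and r.proto == proto
        and r.from_port <= port <= r.to_port and _peer_matches(r, peer)
        for g in inst.groups for r in SECURITY_GROUPS[g]
    )


def flow_verdict(src: str, dst: str, proto: str, port: int) -> str:
    """Security groups are stateful and allow-only: a new connection needs an
    outbound rule on the source AND an inbound rule on the destination."""
    s, d = INSTANCES[src], INSTANCES[dst]
    out_ok = _has_rule(s, "outbound", proto, port, d)
    in_ok = _has_rule(d, "inbound", proto, port, s)
    if out_ok and in_ok:
        return "ALLOW"
    if not out_ok:
        return f"DENY (no outbound {proto}/{port} rule on {src})"
    return f"DENY (no inbound {proto}/{port} rule on {dst})"


TIERS = ("crm-web1", "crm-app1", "crm-database")
INTENDED_FLOWS = (
    [("crm-web1", "crm-app1", "tcp", 8080), ("crm-app1", "crm-database", "tcp", 3306)]
    + [("jump-box", t, "tcp", 22) for t in TIERS]
    + [(t, "aws-dns-server", "udp", 53) for t in TIERS]
    + [(t, "aws-log-server", "tcp", 514) for t in TIERS]
)


def audit_intended_flows() -> list[str]:
    """Return the intended flows that the security groups do not permit."""
    return [f"{s} -> {d} {p}/{port}: {v}"
            for s, d, p, port in INTENDED_FLOWS
            if (v := flow_verdict(s, d, p, port)) != "ALLOW"]


def who_can_reach(dst: str, proto: str, port: int) -> list[str]:
    """Least-privilege check in the other direction: which instances may open
    this port on the destination? Anything unexpected here is over-permission."""
    return sorted(n for n in INSTANCES if n != dst
                  and flow_verdict(n, dst, proto, port) == "ALLOW")


if __name__ == "__main__":
    for line in audit_intended_flows():
        print("missing:", line)
    print("can reach crm-database tcp/3306:", who_can_reach("crm-database", "tcp", 3306))
```

Running it reports exactly one missing flow, crm-database -> aws-log-server tcp/514, and shows that only crm-app1 can reach the database on 3306. In a real account the same evaluation would be fed from security group descriptions exported from AWS rather than the inline tables.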

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management & Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • Warning/Moderate Issues
                                      • Warning/Moderate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule
• Exporting firewall rules to NSX Manager (Interactive Simulation)
• Conclusion

HOL-1829-01-NET

Page 11HOL-1829-01-NET

Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type "plan security" (the search bar uses auto-fill, and predictive text will appear as you type).
2. Select the Time icon.

Plan Security - Specify a Preset

1. Select Presets.
2. Select Last Week.
3. Click the search icon to continue.

Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown so that the logical relationship between each component, physical or virtual, can be understood in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.

Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained in a numbered format below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West-only traffic.
• B - This indicates the percentage of traffic that was switched.
• C - The percentage of traffic that is routed between the East-West ports.
• D - This indicates Virtual Machine to Virtual Machine traffic as a percentage of the sum in point number 1 (A).
• E - Traffic observed between virtual machines on the same host.
• F - Traffic that requires internet access.

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuple fields, which means that every time a new TCP connection is established and terminated, a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, because the source port is very dynamic, spans a wide range and keeps on changing. As long as multiple sessions have the same source IP, the same destination IP, the same destination port and the same protocol, they will be combined into one record called a flow.

So thousands of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used.

Counter names:

• allowed sessions: count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes: total traffic volume exchanged on the flow (this is the sum of the two counters described below)
• src bytes: total bytes sent by the src_ip of the flow to dst_ip/port/protocol
• dst bytes: total bytes received by the src_ip of the flow from dst_ip/port/protocol
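The session-to-flow aggregation described above, as an added example in Python (this is not code from the lab guide or from vRealize Network Insight; it models the 4-tuple collapse and the four counters the text names, and the session records are constructed sample data). The 5-tuple fields and the direction of the byte counters are assumed to be the conventional ones (source IP, destination IP, source port, destination port, protocol).

```python
# Added example (not from the lab guide): aggregating 5-tuple sessions into
# 4-tuple flows with the counters the text names (allowed sessions, bytes,
# src bytes, dst bytes). Session records below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One observed connection (5-tuple) plus the bytes seen in each direction."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    bytes_to_dst: int    # bytes src_ip sent to dst_ip:dst_port
    bytes_from_dst: int  # bytes src_ip received back from dst_ip:dst_port


def flow_key(s: Session) -> tuple:
    """The 4-tuple that identifies a flow: the ephemeral source port is dropped."""
    return (s.src_ip, s.dst_ip, s.dst_port, s.protocol)


def aggregate_flows(sessions) -> dict:
    """Collapse sessions sharing a 4-tuple into one flow record with counters."""
    flows = defaultdict(lambda: {"allowed sessions": 0, "src bytes": 0, "dst bytes": 0})
    for s in sessions:
        f = flows[flow_key(s)]
        f["allowed sessions"] += 1
        f["src bytes"] += s.bytes_to_dst
        f["dst bytes"] += s.bytes_from_dst
    for f in flows.values():
        # 'bytes' is the sum of the two directional counters
        f["bytes"] = f["src bytes"] + f["dst bytes"]
    return dict(flows)


def outgoing_bytes_by_destination(flows: dict, src_ip: str) -> dict:
    """Distribution of one VM's outgoing flow volume by destination IP,
    the kind of higher-level analysis the text mentions."""
    dist = defaultdict(int)
    for (sip, dip, _port, _proto), f in flows.items():
        if sip == src_ip:
            dist[dip] += f["bytes"]
    return dict(dist)


# Constructed sample: three ssh connections and one dns lookup from 10.0.0.5,
# each with a different ephemeral source port.
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "10.0.0.9", 51001, 22, "TCP", 1200, 8000),
    Session("10.0.0.5", "10.0.0.9", 51002, 22, "TCP", 900, 6400),
    Session("10.0.0.5", "10.0.0.9", 51003, 22, "TCP", 300, 1600),
    Session("10.0.0.5", "10.0.0.53", 40001, 53, "UDP", 60, 120),
]

if __name__ == "__main__":
    for key, f in aggregate_flows(SAMPLE_SESSIONS).items():
        print(key, f)
```

Running it shows the three ssh sessions collapsing into a single TCP/22 flow with `allowed sessions` 3, while the dns lookup stays a separate UDP/53 flow; this is why a day of traffic between two machines becomes a handful of flow records rather than thousands of session records.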

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.

East-West (EW) - Detailed view

These are only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the timeline to see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports

Locating the Services screen for the next step.

Services/Ports - Time line view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and to analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.

Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be read by hovering over a particular section.

1. Hover over the blue block above port 5443 and notice that it presents, on demand, the sum total of flows for the last 24 hours in Gigabytes (GB) communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.

Flows for Port 5443

For traffic communicating over port 5443 in the last 24 hours, we now have a detailed understanding of how the 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to narrow the view to a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view

Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have completed viewing the timelines for specific flows).

Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how it could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous date range).
2. Select the drop-down box and then select "by Subnet".
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.

Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.

Focus - VLAN/VXLAN

To change the view and track flows between Prod-Web and Prod-Midtier, we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).

Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier

(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is (ALLOWED) on port 8080 between SG Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.

Multiple Ports and Firewall rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
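How observed flows turn into a small set of recommended group-to-group allow rules, as an added example in Python (this is not the lab guide's or vRealize Network Insight's code, and it does not reproduce the product's own algorithm). It assumes a VM-to-security-group mapping and a list of observed flows, both constructed here; destinations that belong to no group are treated as external services, mirroring the "External Services Accessed" breakdown above.

```python
# Added example (not from the lab guide): deriving recommended allow rules
# between security groups from observed flows. Group membership, flows and
# addresses below are constructed sample data (203.0.113.0/24 is a
# documentation range).
from collections import defaultdict

# Constructed: VM -> security group (groups could come from VLAN, folder, subnet, tag...)
VM_GROUP = {
    "Prod-Web-1": "Prod-Web", "Prod-Web-2": "Prod-Web",
    "Prod-Mid-1": "Prod-Midtier", "Prod-Mid-2": "Prod-Midtier",
    "Prod-DB-2": "Prod-DB",
}

# Constructed observed flows: (source, destination, dst_port, protocol, allowed sessions)
FLOWS = [
    ("Prod-Web-1", "Prod-Mid-1", 8080, "TCP", 120),
    ("Prod-Web-2", "Prod-Mid-2", 8080, "TCP", 95),
    ("Prod-Web-1", "Prod-Mid-2", 8080, "TCP", 40),
    ("Prod-Mid-1", "Prod-DB-2", 5443, "TCP", 60),
    ("Prod-Web-1", "10.0.0.53", 53, "UDP", 300),      # external DNS
    ("Prod-Web-2", "10.0.0.53", 53, "UDP", 280),
    ("Prod-Web-2", "203.0.113.10", 443, "TCP", 7),    # external HTTPS
]


def endpoint_group(name: str) -> str:
    """Resolve a VM name or IP to its security group; anything unknown is 'External'."""
    return VM_GROUP.get(name, "External")


def recommend_rules(flows, focus_group=None) -> dict:
    """Collapse flows into (src group, dst group, port, proto) allow rules.

    Many VM-to-VM flows on the same service between the same two groups
    become one rule. With focus_group set, only rules touching that group are
    kept, like the Prod-Web focus view. In a micro-segmentation policy these
    allow rules would sit above a default deny for the same groups.
    """
    rules = defaultdict(lambda: {"flows": 0, "sessions": 0})
    for src, dst, port, proto, sessions in flows:
        sg, dg = endpoint_group(src), endpoint_group(dst)
        if focus_group and focus_group not in (sg, dg):
            continue
        r = rules[(sg, dg, port, proto)]
        r["flows"] += 1
        r["sessions"] += sessions
    return {k: dict(v) for k, v in rules.items()}


def external_services(flows, group: str) -> list:
    """Distinct external (port, proto) services a group talks to."""
    return sorted({(port, proto) for src, dst, port, proto, _ in flows
                   if endpoint_group(src) == group and endpoint_group(dst) == "External"})


def format_rule(key, stats) -> str:
    """Render one recommended rule in a readable allow-list form."""
    sg, dg, port, proto = key
    return f"ALLOW {sg} -> {dg} {proto}/{port} (covers {stats['flows']} flows, {stats['sessions']} sessions)"


if __name__ == "__main__":
    for k, v in recommend_rules(FLOWS, focus_group="Prod-Web").items():
        print(format_rule(k, v))
```

With the constructed data, seven observed flows reduce to four candidate rules across the whole estate and three when focused on Prod-Web; the 8080 rule between Prod-Web and Prod-Midtier alone covers three distinct VM pairs, which is the same compression the lab shows when 425 flows yield 6 rules.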

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs, based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic/flows between the tiers of the same application. Traffic/flows can also be visualized between applications.

1. Under Micro-Segments, click on the drop-down which says "by VLAN/VXLAN".
2. Click on "by Application".

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.

We shall now explore how we can define an application.

Define an Application

1. In the search bar, type "Application".
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.

1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type "NSX Security Group Prod_MidTier" (the search bar uses auto-fill, and predictive text will appear as you type).

2. Click search to continue.

The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web, and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology), you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.

This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we now understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses auto-fill, and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step, we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
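The two ideas behind this audit view, nested security groups resolving to an effective VM set (the Translated VM Count and the Child/Parent container topology from the Security Group section above) and a membership change affecting rules directly and indirectly, as one added example in Python. This is not code from the lab guide or from vRealize Network Insight; the groups, nesting, rules and the "before" and "after" membership snapshots are constructed sample data, and the snapshot diff stands in for the time-range query the search bar performs.

```python
# Added example (not from the lab guide): translating nested security groups
# to their effective VM set, and reporting which firewall rules are affected
# directly or indirectly when a group's membership changes between two
# snapshots. All groups, rules and snapshots below are constructed.

# Constructed nesting: Prod_MidTier contains the child group Lab-Midtier.
CHILDREN = {"Prod_MidTier": ["Lab-Midtier"]}

# Constructed direct membership before and after a change in Lab-Midtier.
BEFORE = {
    "Prod_Web": ["Prod-Web-1", "Prod-Web-2"],
    "Prod_MidTier": ["Prod-Mid-1"],
    "Lab-Midtier": ["Lab-Midtier-1"],
}
AFTER = {
    "Prod_Web": ["Prod-Web-1", "Prod-Web-2"],
    "Prod_MidTier": ["Prod-Mid-1"],
    "Lab-Midtier": ["Lab-Midtier-1", "Lab-Midtier-2"],
}

# Constructed distributed firewall rules referencing the groups.
RULES = [
    {"name": "Prod_Web to Prod_Midtier", "src": "Prod_Web", "dst": "Prod_MidTier", "service": "TCP/8080"},
    {"name": "Lab-Midtier to Prod_DB", "src": "Lab-Midtier", "dst": "Prod_DB", "service": "TCP/5443"},
]


def translate(group, members, children, _seen=None) -> set:
    """Effective VM set of a group: its direct VMs plus those of nested child groups
    (the 'Translated VM Count' is the size of this set)."""
    seen = _seen if _seen is not None else set()
    if group in seen:  # guard against an accidental cycle in the nesting
        return set()
    seen.add(group)
    vms = set(members.get(group, ()))
    for child in children.get(group, ()):
        vms |= translate(child, members, children, seen)
    return vms


def ancestors_of(group, children) -> set:
    """All groups that nest `group`, directly or through further parents."""
    found, stack = set(), [g for g, kids in children.items() if group in kids]
    while stack:
        parent = stack.pop()
        if parent not in found:
            found.add(parent)
            stack.extend(g for g, kids in children.items() if parent in kids)
    return found


def rules_referencing(group, rules, children):
    """Direct rules name the group itself; indirect rules name a parent that nests it."""
    parents = ancestors_of(group, children)
    direct = [r for r in rules if group in (r["src"], r["dst"])]
    indirect = [r for r in rules if r not in direct
                and (r["src"] in parents or r["dst"] in parents)]
    return direct, indirect


def membership_changes(before, after, children, rules) -> list:
    """Diff two snapshots of direct membership and, for each changed group,
    report the VMs added/removed and the rules affected directly or indirectly."""
    report = []
    for group in sorted(set(before) | set(after)):
        if set(before.get(group, ())) == set(after.get(group, ())):
            continue
        old, new = translate(group, before, children), translate(group, after, children)
        direct, indirect = rules_referencing(group, rules, children)
        report.append({
            "group": group,
            "added": sorted(new - old),
            "removed": sorted(old - new),
            "direct_rules": [r["name"] for r in direct],
            "indirect_rules": [r["name"] for r in indirect],
        })
    return report


if __name__ == "__main__":
    for change in membership_changes(BEFORE, AFTER, CHILDREN, RULES):
        print(change)
```

In the constructed data, adding one VM to Lab-Midtier widens the effective scope of the Prod_Web to Prod_Midtier rule even though that rule never names Lab-Midtier, which is exactly the inherited impact the Indirect Firewall Rules section above asks you to watch for.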

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type "Settings".
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification "Firewall rule membership change").
3. Info only - Do not click - View, Edit or Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies the determination of problems as well as the visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type "dba" into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type "prod" in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square, the virtual machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the virtual machine details in it. This information includes many details made available by VMware Tools; for example, we can see network information and the physical host.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. Treat Unknown as "no NSX distributed firewall enforcement reported for this VM", not as a healthy firewall. If NSX components were in use but malfunctioning, an error message would appear instead.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information about both the chassis and the blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is Unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box on vlan-629 marked by a red square.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled. IPFIX export from the distributed switch is where vRealize Network Insight gets the flow records behind its flow views and micro-segmentation planning; a port group with IPFIX disabled contributes no flows.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line on vlan-629 marked by a red square.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the switch port for the VM.


Switch Port

A pop-up box will appear that contains the switch port details.

In this view we are purely looking at Layer 3 and the connectivity to those Layer 3 devices. Later in this module we will see some of the Layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto device. In this view we see the routing table as well as the firewall rules. vRealize Network Insight narrows these down to the firewall rules applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, for example while changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse over) the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), underlay VLAN IDs, subnet and underlay subnet.

C - We also have visibility into which primary controller it is using, as well as the hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.
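The fields in this pop-up correspond directly to the VXLAN encapsulation on the wire: the outer IP header carries the VTEP addresses on the underlay subnet, the 24-bit VNI in the VXLAN header is the Segment ID, and the inner Ethernet and IP headers carry the VMs' addresses on the overlay subnet. The following Python script is an added example and is not part of this lab or of vRealize Network Insight. It builds one VXLAN-encapsulated frame from constructed VTEP and VM addresses (every address, MAC and the segment ID 5000 below is an assumption) and parses it back, which is the decoding needed to attribute a capture taken on the underlay to a logical switch and to a pair of VMs.

```python
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: the VNI field carries a valid segment ID


@dataclass(frozen=True)
class VxlanFrame:
    """What a decoded VXLAN packet tells you about overlay and underlay."""
    underlay_src: str     # source VTEP address, from the outer IPv4 header
    underlay_dst: str     # destination VTEP address
    segment_id: int       # 24-bit VNI, labelled "Segment ID" in the vRNI pop-up
    overlay_src_mac: str  # inner Ethernet header: the VMs' vNIC MACs
    overlay_dst_mac: str
    overlay_src: str      # inner IPv4 header: the VMs' addresses on the logical switch
    overlay_dst: str
    payload: bytes


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    # version/IHL, DSCP, total length, id, flags/fragment, TTL, protocol,
    # checksum (left 0 here; a real sender fills it in), source, destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0, _ip(src), _ip(dst))


def build_frame(f: VxlanFrame, vtep_src_mac="00:50:56:aa:00:01", vtep_dst_mac="00:50:56:aa:00:02") -> bytes:
    """Encapsulate: outer Ethernet + IPv4 + UDP/4789 + VXLAN header + the original VM frame."""
    inner = (_mac(f.overlay_dst_mac) + _mac(f.overlay_src_mac) + b"\x08\x00"
             + _ipv4_header(f.overlay_src, f.overlay_dst, 6, 20 + len(f.payload)) + f.payload)
    # flags, 3 reserved bytes, then the VNI in the upper 24 bits of the last word
    vxlan = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", f.segment_id << 8)
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    outer_ip = _ipv4_header(f.underlay_src, f.underlay_dst, 17, 20 + udp_len)
    return _mac(vtep_dst_mac) + _mac(vtep_src_mac) + b"\x08\x00" + outer_ip + udp + vxlan + inner


def parse_frame(pkt: bytes) -> VxlanFrame:
    """Decapsulate: walk outer Ethernet/IPv4/UDP, check it is VXLAN, read the VNI and inner headers."""
    if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (pkt[14] & 0x0F) * 4
    outer_ip = pkt[14:14 + ihl]
    if outer_ip[9] != 17:
        raise ValueError("outer IPv4 payload is not UDP")
    udp_off = 14 + ihl
    _, dst_port, _, _ = struct.unpack("!HHHH", pkt[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dst_port} is not VXLAN")
    vx = pkt[udp_off + 8:udp_off + 16]
    if not vx[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without the VNI-valid flag")
    segment_id = int.from_bytes(vx[4:7], "big")
    inner = pkt[udp_off + 16:]
    inner_ihl = (inner[14] & 0x0F) * 4
    inner_ip = inner[14:14 + inner_ihl]
    return VxlanFrame(
        underlay_src=_ip_str(outer_ip[12:16]), underlay_dst=_ip_str(outer_ip[16:20]),
        segment_id=segment_id,
        overlay_src_mac=_mac_str(inner[6:12]), overlay_dst_mac=_mac_str(inner[0:6]),
        overlay_src=_ip_str(inner_ip[12:16]), overlay_dst=_ip_str(inner_ip[16:20]),
        payload=inner[14 + inner_ihl:],
    )


# Constructed sample: two VTEPs on an underlay subnet carrying a frame between two VMs
# on segment 5000. None of these values come from the lab environment.
SAMPLE = VxlanFrame("192.168.110.51", "192.168.110.52", 5000,
                    "00:50:56:01:02:03", "00:50:56:04:05:06",
                    "172.16.10.11", "172.16.10.12", b"constructed payload")

if __name__ == "__main__":
    decoded = parse_frame(build_frame(SAMPLE))
    print(f"segment {decoded.segment_id}: {decoded.overlay_src} -> {decoded.overlay_dst} "
          f"via VTEPs {decoded.underlay_src} -> {decoded.underlay_dst}")
```

A capture on the underlay VLAN only ever shows the VTEP addresses; the VM-to-VM conversation and the logical switch it belongs to are only visible after the VNI and inner headers are decoded, which is the gap between the underlay and overlay views this pop-up bridges.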

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it hits on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature lets NSX distributed firewall rules steer selected traffic to the PAN firewall for inspection, which is why both firewalls appear next to the same VM.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life; return traffic can take a different path than the request, which matters when a stateful firewall sits on only one of the two paths, so check a path in both directions.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components involved in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight product page at www.vmware.com.



Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; this module focuses on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and the relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The topology for the NSX environment does not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the Edge services.


Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all the Edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This highlights a critical condition due to a possible network disruption of this Edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open for internal datacenter VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 1 (Define an Application).


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 (DNS) and 514 (syslog).
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY action preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server). Note that AWS security groups hold allow rules only, so the DENY shown here is the implicit default for a flow that no allow rule matches rather than a rule somebody wrote; the fix is an additional allow rule, not the removal of a deny.


1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results, both outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server. Compared with the three rules returned for crm-web1, one rule is missing for crm-database: that is the allow rule the administrator forgot to add.
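The three queries above answer a question that can also be posed directly against the security-group rules: for each flow the application design requires, is there both an egress allow on the source group and an ingress allow on the destination group? The Python script below is an added example and is not part of this lab or of vRealize Network Insight. It models the Module 4 CRM application (the AWS Configuration list and the three firewall queries) with constructed instances, addresses and security groups, all of which are assumptions, and deliberately omits one rule, the sg-db egress allow for syslog, to reproduce the single DENY the lab finds. audit() plays the role of the "firewall action of flows" query, and missing_rule() names the security group to change and the narrowest allow rule that fixes the denied flow.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed data for this added example; none of it comes from the lab environment.
# VPC CRM is 10.10.0.0/16, VPC Common Services is 10.20.0.0/16 and the on-premises
# datacenter is 192.168.0.0/16.  instance name -> (private IP, security group)
INSTANCES: Dict[str, Tuple[str, str]] = {
    "jump-box":       ("10.10.0.10", "sg-jump"),
    "crm-web1":       ("10.10.1.10", "sg-web"),
    "crm-app1":       ("10.10.2.10", "sg-app"),
    "crm-database":   ("10.10.3.10", "sg-db"),
    "aws-DNS-Server": ("10.20.1.10", "sg-shared"),
    "aws-log-server": ("10.20.1.20", "sg-shared"),
}


@dataclass(frozen=True)
class Rule:
    direction: str  # "ingress" or "egress"
    proto: str      # "tcp" or "udp"
    port: int
    peer: str       # a CIDR, or the name of a security group


TIERS = ("sg-web", "sg-app", "sg-db")
SHARED_EGRESS = [Rule("egress", "udp", 53, "sg-shared"), Rule("egress", "udp", 514, "sg-shared")]

# Security groups carry allow rules only: a flow matching no rule is implicitly denied.
SECURITY_GROUPS: Dict[str, List[Rule]] = {
    "sg-jump": [Rule("egress", "tcp", 80, "sg-web")] + [Rule("egress", "tcp", 22, sg) for sg in TIERS],
    "sg-web": [Rule("ingress", "tcp", 80, "sg-jump"), Rule("ingress", "tcp", 80, "192.168.0.0/16"),
               Rule("ingress", "tcp", 22, "sg-jump"), Rule("egress", "tcp", 8080, "sg-app")]
              + SHARED_EGRESS,
    "sg-app": [Rule("ingress", "tcp", 8080, "sg-web"), Rule("ingress", "tcp", 22, "sg-jump"),
               Rule("egress", "tcp", 3306, "sg-db")] + SHARED_EGRESS,
    # The administrator's omission from the lab, modelled (an assumption) as a missing
    # egress rule: sg-db may reach DNS on 53 but has no rule for syslog on 514.
    "sg-db": [Rule("ingress", "tcp", 3306, "sg-app"), Rule("ingress", "tcp", 22, "sg-jump"),
              Rule("egress", "udp", 53, "sg-shared")],
    "sg-shared": [Rule("ingress", "udp", port, sg) for port in (53, 514) for sg in TIERS],
}

Flow = Tuple[str, str, str, int]  # (source instance, destination instance, proto, port)

# The intended communication matrix, taken from the Module 4 description.
INTENDED_FLOWS: List[Flow] = (
    [("jump-box", "crm-web1", "tcp", 80), ("crm-web1", "crm-app1", "tcp", 8080),
     ("crm-app1", "crm-database", "tcp", 3306)]
    + [("jump-box", vm, "tcp", 22) for vm in ("crm-web1", "crm-app1", "crm-database")]
    + [(vm, "aws-DNS-Server", "udp", 53) for vm in ("crm-web1", "crm-app1", "crm-database")]
    + [(vm, "aws-log-server", "udp", 514) for vm in ("crm-web1", "crm-app1", "crm-database")]
)


def peer_matches(peer: str, other_ip: str, other_sg: str) -> bool:
    """A rule peer is either a CIDR containing the other side's IP or the other side's group."""
    if "/" in peer:
        return ipaddress.ip_address(other_ip) in ipaddress.ip_network(peer, strict=False)
    return peer == other_sg


def rule_allows(sg: str, direction: str, proto: str, port: int, other_ip: str, other_sg: str) -> bool:
    return any(r.direction == direction and r.proto == proto and r.port == port
               and peer_matches(r.peer, other_ip, other_sg) for r in SECURITY_GROUPS[sg])


def evaluate(flow: Flow) -> Tuple[str, Optional[str]]:
    """("ALLOW", None) or ("DENY", reason).  Groups are stateful, so only the initiating
    direction is checked: egress on the source group, ingress on the destination group."""
    src, dst, proto, port = flow
    src_ip, src_sg = INSTANCES[src]
    dst_ip, dst_sg = INSTANCES[dst]
    if not rule_allows(src_sg, "egress", proto, port, dst_ip, dst_sg):
        return "DENY", f"no egress rule in {src_sg} for {proto}/{port} to {dst}"
    if not rule_allows(dst_sg, "ingress", proto, port, src_ip, src_sg):
        return "DENY", f"no ingress rule in {dst_sg} for {proto}/{port} from {src}"
    return "ALLOW", None


def audit(flows: List[Flow] = INTENDED_FLOWS) -> List[Tuple[Flow, str]]:
    """The 'firewall action of flows' view: every intended flow the groups would deny, and why."""
    denied = []
    for flow in flows:
        action, reason = evaluate(flow)
        if action == "DENY":
            denied.append((flow, reason))
    return denied


def missing_rule(flow: Flow) -> Tuple[str, Rule]:
    """(security group to change, narrowest allow rule to add) for a denied flow: the egress
    gap on the source group is reported first, otherwise the ingress gap on the destination."""
    src, dst, proto, port = flow
    src_ip, src_sg = INSTANCES[src]
    dst_ip, dst_sg = INSTANCES[dst]
    if not rule_allows(src_sg, "egress", proto, port, dst_ip, dst_sg):
        return src_sg, Rule("egress", proto, port, dst_sg)
    return dst_sg, Rule("ingress", proto, port, src_sg)


if __name__ == "__main__":
    for flow, reason in audit():
        group, fix = missing_rule(flow)
        print("DENY", flow, "|", reason, "| add to", group + ":", fix)
```

Because security groups are stateful, a missing rule on either side (egress at the database or ingress at the log server) produces the same DENY in the flow view; that is why the lab needs the two per-VM "aws firewall rule" queries to tell which side lacks the rule. The script assumes the egress side, which the lab does not state.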


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


• Table of Contents
• Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
  • Lab Guidance
    • Location of the Main Console
    • Alternate Methods of Keyboard Data Entry
    • Click and Drag Lab Manual Content Into Console Active Window
    • Accessing the Online International Keyboard
    • Click once in active console window
    • Click on the key
    • vRealize Network Insight - Navigation
    • Activation Prompt or Watermark
    • Look at the lower right portion of the screen
• Module 1 - Micro-Segmentation and Security (30 minutes)
  • Introduction
  • Micro-Segmentation Introduction
    • Lab Status Check
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • Plan Security
    • Plan Security - Specify a Preset
    • Overview - Traffic Distribution (Left Pane)
    • Traffic Distribution - Overview (Right Pane)
    • East-West (EW) - Traffic
    • East-West (EW) - Detailed View
    • Services/Ports
    • Services/Ports - Timeline View
    • Services/Ports - Point in Time Service
    • Flows for Port 5443
    • Flow Key Properties - Timeline View
    • Flow Key Properties - Timeline View
    • Micro-Segments
    • Focus - 101780 Network
    • Focus - VLAN/VXLAN
    • Focus - Prod-Web (25)
    • Flows - Prod-Web to Prod-Midtier
    • Flows - Recommended Firewall Rules
    • Multiple Ports and Firewall Rules for Prod-Web
    • Services and Flows for Prod-Web
    • Application-Centric Micro-Segmentation
    • Define an Application
    • Security Group Prod_MidTier
    • Results - PROD_MIDTIER
    • Security Group Prod_MidTier - Timeline
    • Security Group Firewall Topology
    • Tracking Prod_MidTier
    • Lab-Midtier
    • Firewall Rule - Tracking
    • Port Search
    • Export Firewall Rules
    • Firewall Rule Membership Change
    • Audit Rule - Firewall Rule Membership Changes
    • User-defined Event
    • Settings
    • System Notifications
  • Conclusion
    • For More Information
    • How to End Lab
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
  • Introduction
  • 360 Network Visibility and Troubleshooting
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • Path and Topology
    • Path - Select Source and Destination
    • Path - Source and Destination Continued
    • Path - Source and Destination Continued
    • Searching for Path
    • VM Path Topology and VM Underlay
    • VM Path Topology - Path Details
    • Component Overview
    • Virtual Machine - Details
    • Physical ESXi Hosts
    • Host - Details
    • DVPG on the map
    • DVPG
    • VLAN-629 on the map
    • VLAN Network
    • Switch ports on the map
    • Switch Port
    • Physical VRF on the map
    • VRF - Physical Switch
    • VRF - continued
    • VRF - Physical Router
    • VRF - continued
    • VRF - Physical Switch
    • Accessing the virtual infrastructure
    • VRF - NSX Provider Edge 1
    • VXLAN on the map
    • VXLAN Network
    • VRF - LDR
    • VRF - LDR-Corporate
    • Routing - NSX Firewall
    • Firewall - NSX
    • Redirect on the map - PAN Firewall
    • Firewall - PAN
    • Reversing the analysis
    • Reversing the analysis continued
    • VM Underlay
  • Conclusion
    • For More Information
    • How to End Lab
• Module 3 - Advanced NSX Management & Operations (45 minutes)
  • Introduction
  • NSX Advanced Management Operations
    • Lab Status Check
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • Search Bar - NSX Manager
    • NSX Manager Information
    • Timeline - Visual Build-up
    • Topology - Focus on the NSX Controller
    • NSX Controller - Detail
    • Topology - Explained
    • Provider Edge
    • Routers Provider Edge 4
    • Return to Search View - NSX Manager
    • Infrastructure Problems - Warning/Moderate
    • Warning/Moderate Issues
    • Warning/Moderate Issues (Continued)
  • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
  • Conclusion
    • For More Information
    • How to End Lab
• Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
  • Introduction
  • Introduction to Managing Security for Public Clouds (AWS)
    • Lab Status Check
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • AWS Configuration
    • Plan Security - AWS Cloud
    • Exploring the Three Tier Application - Step by Step
    • Firewall Queries for CRM Application
  • Conclusion
    • For More Information
    • How to End Lab
• Conclusion

Micro-Segmentation Introduction

This section contains the following lessons:

• Identify firewall rules for Micro-segmentation
• Security Group Topology
• Tracking a firewall rule

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close any browser sessions left open from previous modules.

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.


Plan Security

When the vRealize Network Insight portal login completes, the first screen shows a search bar at the top.

1. Type "plan security" (the search bar uses auto-fill, and predictive text will appear as you type).
2. Select the Time icon.

Plan Security - Specify a Preset

1. Select Presets.
2. Select Last Week.
3. Click the search icon to continue.


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown so that you can understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is "Last 1 day". Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right Pane)

The Traffic Distribution section is explained item by item below. Use these as a reference and do not click on the links at this stage.

• A - The sum of all traffic flows, with the percentage that is East-West only traffic.
• B - The percentage of traffic that was switched.
• C - The percentage of traffic that is routed between the East-West ports.
• D - Virtual machine to virtual machine traffic, as a percentage of the sum in item A (point number 1).
• E - Traffic observed between virtual machines on the same host.
• F - Traffic that requires internet access.

East-West (EW) - Traffic

To view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A session is a 5-tuple (the source port is one of the five tuple elements, which means that every time a new TCP connection is established and terminated a new session is recorded).

A flow is a 4-tuple aggregation of sessions: it combines many 5-tuple sessions into one. It ignores the source port, because the source port is very dynamic, comes from a wide range and keeps changing. As long as multiple sessions have the same source IP, the same destination IP, the same destination port and the same protocol, they will be combined into one record called a flow.

So thousands of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in one day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If you want to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used.

Counter names:

• allowed sessions - count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes - total traffic volume exchanged on the flow (this is the sum of the two counters described below)
• src bytes - total bytes sent by the src_ip of the flow to dst_ip/port/protocol
• dst bytes - total bytes received by the src_ip of the flow from dst_ip/port/protocol

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.


East-West (EW) - Detailed View

This is only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the timeline, see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports


Locating the Services screen for the next step.

Services/Ports - Timeline View

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The Services view is used to observe the flow for each service and analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be obtained by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in gigabytes (GB), communicating over port 5443.
2. Click on the block at the intersection of "Last 24 hours" and PORTS:5443 to get a detailed view of the information.


Flows for Port 5443

For communication over port 5443 during the last 24 hours, we now have a detailed understanding of how the 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters on the left-hand side of the screen can be used to narrow the view to a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 may be the seventh flow entry).

Flow Key Properties - Timeline View

Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline View

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how it can be used to track flows between two or more points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous date range).
2. Select the drop-down box and then select "by Subnet".
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this immediately highlights all flows and sessions from and to this network segment. Other traffic types lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the internet and other subnets. The number in parentheses after the network indicates the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To track flows between Prod-Web and Prod-Midtier we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will update automatically).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier

(A) We have at this point identified 14 unique endpoints or flows that are communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or any construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

1. Click on Services. In this group, 50 unique service endpoints or flows that are communicated by or to potential security groups are mapped, with traffic rates included.
2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including the port information (DNS, HTTPS, etc.).
3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which include 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This is the minimum recommended segmentation approach for the Prod-Web group.
4. Click the close icon (x) to continue.
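The rule recommendation shown in the last two sections can be understood as collapsing observed flows onto the security groups of their endpoints: hundreds of flows between individual VMs become a handful of group-to-group, port-and-protocol rules. The following added Python example (illustrative, not the product's own logic and not from the lab guide) does that for a constructed set of flows and a constructed VM-to-group mapping; destinations that belong to no group are treated as "External". Group names, VM names, ports and the flows themselves are sample data chosen for the example.

```python
from collections import defaultdict

# Constructed VM -> security group membership (not lab data).
GROUPS = {
    "web-1": "SG-Prod-Web", "web-2": "SG-Prod-Web", "web-3": "SG-Prod-Web",
    "mid-1": "SG-Prod-Midtier", "mid-2": "SG-Prod-Midtier",
    "db-1": "SG-Prod-DB",
}

# Constructed 4-tuple flows: (src_vm, dst_vm_or_ip, dst_port, protocol).
# Plain IP destinations stand in for services outside every group.
FLOWS = [
    ("web-1", "mid-1", 8080, "TCP"), ("web-2", "mid-1", 8080, "TCP"),
    ("web-3", "mid-2", 8080, "TCP"), ("web-1", "mid-2", 8080, "TCP"),
    ("mid-1", "db-1", 5443, "TCP"), ("mid-2", "db-1", 5443, "TCP"),
    ("web-1", "198.51.100.53", 53, "UDP"), ("web-2", "198.51.100.53", 53, "UDP"),
    ("web-3", "203.0.113.10", 443, "TCP"),
]


def group_of(endpoint, groups):
    """Map an endpoint to its security group, or 'External' if it has none."""
    return groups.get(endpoint, "External")


def recommend_rules(flows, groups):
    """Collapse observed flows into the minimal allow-list between groups.

    Returns {(src_group, dst_group, dst_port, protocol): number of flows}.
    """
    rules = defaultdict(int)
    for src, dst, port, proto in flows:
        rules[(group_of(src, groups), group_of(dst, groups), port, proto)] += 1
    return dict(rules)


def rules_for_group(rules, group):
    """Recommended rules in which the group is source or destination."""
    return sorted(
        f"ALLOW {s} -> {d} {proto}/{port} ({n} flows)"
        for (s, d, port, proto), n in rules.items()
        if group in (s, d)
    )


if __name__ == "__main__":
    rules = recommend_rules(FLOWS, GROUPS)
    print(len(FLOWS), "flows collapse into", len(rules), "rules")
    for line in rules_for_group(rules, "SG-Prod-Web"):
        print(line)
```

Nine flows collapse into four rules, three of which involve SG-Prod-Web. Because a learned recommendation allows exactly the traffic that was observed, each proposed rule should be checked against the application's intended behaviour before it is applied: any traffic that should not have existed during the observation window would otherwise be permitted too.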

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic/flows between the tiers of the same application. Traffic/flows can also be visualized between applications.

1. Under Micro-Segments, click on the drop-down that says "by VLAN/VXLAN".
2. Click on "by Application".

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how to define an application.

Define an Application

1. In the search bar, type "Application".
2. Click the Search button.

1. The Application search returns 4 entities, i.e. applications already created in the system for you.
2. This page also lets you create a new application: click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the name HOL-Pre-Prod.
3. Our search criteria will be based on VM names. Under "Virtual Machines / IP Addresses", type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not save. Click Cancel, which will take you to the previous screen.

1. Here you can see that the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type "Nsx Security Group Prod_MidTier" (the search bar uses auto-fill and predictive text will appear as you type).
2. Click search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also include the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right shows any and all child and parent groups in relation to Prod_Web. This identifies the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web, and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.
2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A - Events: showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B - Current Security Group Configuration and Firewall Rules Count, which also provide further assistance in managing the endpoints.

C - Visibility of the Virtual Machines in Security Groups, ensuring that we manage our workloads and segmentation with the correct level of efficiency.

D - Indirect Firewall Rules, which ensure you understand the inherited impact and the relationship leading to Prod_Web.

E - Direct Firewall Rules. NOTE: the blue links expose further detail for each firewall segment.
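The direct versus indirect distinction above, and the "Translated VM Count" seen in the search results, both follow from security group nesting: a rule that names a parent group applies to every VM in its child groups. The added Python example below (illustrative, not vRealize Network Insight's implementation and not from the lab guide) models a small constructed hierarchy and shows how to compute a group's ancestors, its translated VM set through child groups, and which rules apply to it directly versus by inheritance from a parent. Group names, VM names and rules are constructed for the example.

```python
# Constructed nesting: child group -> list of parent groups (not lab data).
PARENTS = {
    "Prod_MidTier": ["Prod_App"],
    "Prod_Web": ["Prod_App"],
    "Prod_App": ["Prod_All"],
}

# Constructed direct VM membership per group.
MEMBERS = {
    "Prod_MidTier": {"mid-1", "mid-2"},
    "Prod_Web": {"web-1"},
    "Prod_App": set(),
    "Prod_All": {"mgmt-1"},
}

# Constructed rules: (rule_id, source_group, destination_group, service, action)
RULES = [
    ("r1", "Prod_Web", "Prod_MidTier", "TCP/8080", "ALLOW"),
    ("r2", "Prod_MidTier", "Prod_DB", "TCP/5443", "ALLOW"),
    ("r3", "any", "Prod_App", "TCP/22", "DROP"),
    ("r4", "Prod_All", "any", "UDP/53", "ALLOW"),
]


def ancestors(group, parents):
    """All groups that transitively contain `group` (excluding itself)."""
    seen, stack = set(), list(parents.get(group, []))
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(parents.get(g, []))
    return seen


def children(group, parents):
    """Groups that list `group` as a direct parent."""
    return {child for child, ps in parents.items() if group in ps}


def translated_vms(group, parents, members):
    """VMs in the group directly or through any nested child group."""
    vms = set(members.get(group, set()))
    for child in children(group, parents):
        vms |= translated_vms(child, parents, members)
    return vms


def direct_rules(group, rules):
    """Rules that name the group itself as source or destination."""
    return [r for r in rules if group in (r[1], r[2])]


def indirect_rules(group, rules, parents):
    """Rules inherited through a parent group, i.e. not naming the group itself."""
    ancs = ancestors(group, parents)
    return [r for r in rules
            if (r[1] in ancs or r[2] in ancs) and group not in (r[1], r[2])]


if __name__ == "__main__":
    g = "Prod_MidTier"
    print("ancestors:", sorted(ancestors(g, PARENTS)))
    print("direct:", [r[0] for r in direct_rules(g, RULES)])
    print("indirect:", [r[0] for r in indirect_rules(g, RULES, PARENTS)])
    print("translated VMs in Prod_All:", sorted(translated_vms("Prod_All", PARENTS, MEMBERS)))
```

For Prod_MidTier the direct rules are r1 and r2, while r3 (a DROP on the parent Prod_App) and r4 (on the grandparent Prod_All) reach its VMs only by inheritance; a membership change in any ancestor therefore changes the effective policy for the group even though none of its own rules were edited.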


This module has explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segment of a virtual machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus, in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS switch
• D - VXLAN: Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS switch port
• G - Finally, the L3 switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(the search bar uses auto-fill and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight they can offer.

1. Do not click: the result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.
2. Do not click: the entire report can be exported by using the "Save as CSV" option at the top right-hand corner of the screen, but we will not export any information at this point.
3. For the next step we will return to the top search bar.
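The search from the Port Search step and the CSV export described here can be reproduced offline against an exported rule inventory. The added Python example below (not the product's search engine and not from the lab guide) parses a query of the form "Firewall rule where action = ALLOW and Port = 443" into field predicates, filters a constructed list of rule records on those fields, and renders the matches as CSV text. The rule records, their field names and the grammar accepted (`<entity> where <field> = <value> and ...`) are the example's own assumptions, not the product's query language.

```python
import csv
import io
import re

# Constructed firewall rule inventory (not lab data).
RULES = [
    {"name": "web-in", "action": "ALLOW", "port": 443, "protocol": "TCP",
     "source": "any", "destination": "SG-Prod-Web"},
    {"name": "mid-in", "action": "ALLOW", "port": 8080, "protocol": "TCP",
     "source": "SG-Prod-Web", "destination": "SG-Prod-Midtier"},
    {"name": "block-443", "action": "DROP", "port": 443, "protocol": "TCP",
     "source": "SG-Dev", "destination": "SG-Prod-DB"},
    {"name": "db-mgmt", "action": "ALLOW", "port": 443, "protocol": "TCP",
     "source": "SG-Mgmt", "destination": "SG-Prod-DB"},
]

# "<entity> where <clauses>", case-insensitive.
_QUERY = re.compile(r"^\s*(?P<entity>.+?)\s+where\s+(?P<clauses>.+)$", re.IGNORECASE)


def parse_query(text):
    """Split 'Firewall rule where a = b and c = d' into ('firewall rule', {a: b, c: d})."""
    m = _QUERY.match(text)
    if not m:
        raise ValueError("query must look like '<entity> where <field> = <value> [and ...]'")
    predicates = {}
    for clause in re.split(r"\s+and\s+", m.group("clauses"), flags=re.IGNORECASE):
        field, sep, value = clause.partition("=")
        if not sep:
            raise ValueError(f"clause without '=': {clause!r}")
        predicates[field.strip().lower()] = value.strip()
    return m.group("entity").strip().lower(), predicates


def run_query(text, rules):
    """Return the rules matching every predicate (string comparison, case-insensitive)."""
    entity, predicates = parse_query(text)
    if entity != "firewall rule":
        raise ValueError(f"unsupported entity: {entity}")

    def matches(rule):
        return all(str(rule.get(k, "")).lower() == v.lower()
                   for k, v in predicates.items())

    return [r for r in rules if matches(r)]


def to_csv(rules):
    """Render rule records as CSV text, the offline equivalent of 'Save as CSV'."""
    if not rules:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rules[0].keys()))
    writer.writeheader()
    writer.writerows(rules)
    return buf.getvalue()


if __name__ == "__main__":
    hits = run_query("Firewall rule where action = ALLOW and Port = 443", RULES)
    print(to_csv(hits))
```

The query matches two of the four constructed rules (the DROP on port 443 and the ALLOW on 8080 are excluded), and the CSV carries one header line plus one line per match.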

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what firewall membership changes occurred during a selected period. This will point out any changes made directly, or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to Jul 31 (since this lab uses static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any firewall rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.
2. Notification parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.
3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events, in order to edit or activate the event parameters, by using the Settings page. Changes can be configured to notify members of the event group based on the user's preference. The event that you created previously can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type "Settings".
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification "Firewall rule membership change").
3. Info only, do not click: View, Edit or Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness, and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For More Information

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies problem determination as well as visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will use the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will focus only on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select Source and Destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type "dba" into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - Source and Destination Continued

After selecting the source machine, the destination box will appear automatically.

1. Type "prod" in the destination field and the list of available options will appear.
2. Select Prod-Db-2.

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.


Path - Source and Destination Continued

1. Click on Submit.

Searching for Path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.
2. VM Underlay: the VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

HOL-1829-01-NET

Page 54HOL-1829-01-NET

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes many details made available by VMware Tools; we can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. vRealize Network Insight narrows these down to the firewall rules applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Note: The Palo Alto integration showcased is in beta testing.
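The narrowing described above (a handful of applicable rules out of thousands) can be reproduced outside the product. The following Python is an added example, not vRealize Network Insight or Palo Alto code: it models two firewall hops on the DBAdmin-VM1 to Prod-Db-2 path with constructed rule sets and assumed VM addresses (10.20.5.11 and 10.30.7.22), filters each hop's ordered policy down to the rules that can match that source/destination pair, and evaluates the first-match verdict at every hop, so a port is reported as allowed only when no hop on the path denies it.

```python
"""Narrow a large firewall policy to the rules that can affect one VM-to-VM path.

Added example (not vRNI code). Rules, hop names and VM addresses are constructed.
IPv4 only; each hop evaluates its own ordered rule list with first-match semantics.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # IPv4 CIDR or "any"
    dst: str               # IPv4 CIDR or "any"
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def rule_covers(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    """True if the rule can apply to traffic from src_ip to dst_ip on some port."""
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst))


def applicable_rules(policy: List[Rule], src_ip: str, dst_ip: str) -> List[Rule]:
    """The subset of an ordered policy that can affect this source/destination pair."""
    return [r for r in policy if rule_covers(r, src_ip, dst_ip)]


def hop_verdict(policy: List[Rule], src_ip: str, dst_ip: str, dport: int,
                default: str = "deny") -> Tuple[str, Optional[str]]:
    """First-match evaluation at one hop: (action, name of the deciding rule)."""
    for r in applicable_rules(policy, src_ip, dst_ip):
        if r.dport is None or r.dport == dport:
            return r.action, r.name
    return default, None


def path_verdict(path_policies: Dict[str, List[Rule]], src_ip: str, dst_ip: str,
                 dport: int) -> Tuple[str, List[Tuple[str, str, Optional[str]]]]:
    """Traffic passes only if every firewall hop on the path allows it.
    Returns (overall action, per-hop trace of (hop, action, deciding rule))."""
    trace = []
    overall = "allow"
    for hop, policy in path_policies.items():
        action, name = hop_verdict(policy, src_ip, dst_ip, dport)
        trace.append((hop, action, name))
        if action != "allow":
            overall = "deny"
    return overall, trace


# Constructed sample: two firewall hops on the DBAdmin-VM1 -> Prod-Db-2 path.
PATH_POLICIES: Dict[str, List[Rule]] = {
    "physical-router-fw": [
        Rule("block-guest-vlan", "192.168.50.0/24", "any", None, "deny"),
        Rule("web-to-app", "10.10.1.0/24", "10.10.2.0/24", 8080, "allow"),
        Rule("admin-to-prod-db", "10.20.5.0/24", "10.30.7.0/24", None, "allow"),
        Rule("default-deny", "any", "any", None, "deny"),
    ],
    "nsx-dfw": [
        Rule("dba-ssh", "10.20.5.0/24", "10.30.7.0/24", 22, "allow"),
        Rule("dba-mysql", "10.20.5.0/24", "10.30.7.0/24", 3306, "allow"),
        Rule("prod-db-deny-rest", "any", "10.30.7.0/24", None, "deny"),
        Rule("default-allow", "any", "any", None, "allow"),
    ],
}
DBADMIN_VM1 = "10.20.5.11"   # assumed address of the source VM
PROD_DB_2 = "10.30.7.22"     # assumed address of the destination VM

if __name__ == "__main__":
    for hop, policy in PATH_POLICIES.items():
        names = [r.name for r in applicable_rules(policy, DBADMIN_VM1, PROD_DB_2)]
        print(f"{hop}: {len(names)}/{len(policy)} rules apply -> {names}")
    for port in (3306, 443):
        print(port, path_verdict(PATH_POLICIES, DBADMIN_VM1, PROD_DB_2, port))
```

Run it directly to print the applicable subset per hop and the per-port verdict. The per-hop trace is what a defender wants when a flow is unexpectedly blocked or permitted: it names the rule that decided, at the device where it decided.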

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, for example in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kind of objects as we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two)

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two)

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will flow in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine
2. This changes the focus to the corresponding Interface IP Address (VNIC)
3. The visual map (Path topology) shows all the path objects
4. Path Details shows the labels and lists the components

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and this module focuses on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers)
2. Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order)

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section

1. Click and select Warning/Moderate to view problem areas

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller"

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premise instance of vRealize Network Insight managing AWS
2. There are two VPCs, i.e. CRM and Common Services
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box
5. Web tier talks to App tier on port 8080
6. App tier talks to DB tier on port 3306
7. Web tier is open for internal datacenter VMs on port 80
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services
10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3. App (App tier talks to DB tier on port 3306)
4. DB (DB tier talks to Log Servers) - This is the problem area we are going to explore

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment
2. Click on Keep Focus
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App

1. The App tier talks to DB tier on port 3306
2. Click X to continue

1. Hover over the App micro-segment
2. Click on Keep Focus
3. Click on the blue line to explore the flows. This will reveal flows from App to DB

1. The App tier talks to DB tier on port 3306
2. Click X to continue

1. Hover over the App micro-segment
2. Click on Keep Focus
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App

1. DC Virtual (jump box) talks to App tier on port 22
2. Click X to continue

1. Hover over the App micro-segment
2. Click on Keep Focus
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively
2. Click X to continue

1. Hover over the DB micro-segment
2. Click on Keep Focus
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click on the tab
2. Select Duplicate from the menu

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search
3. Click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right-click on the tab
2. Select Duplicate from the menu

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the tab
2. Select Duplicate from the menu

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
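The troubleshooting above is a comparison of the intended design against the observed flows, followed by a look at the security-group rules that explain the gap. The Python below is an added example, not vRNI's search engine: it encodes the CRM tier design listed under AWS Configuration as the expected flow set, compares it with a constructed set of observed flow records, and explains each gap by evaluating constructed AWS-style security groups (allow-list semantics: an outbound rule on the source group and an inbound rule on the destination group are both required). The VM-to-group mapping, group names and rules are assumptions. It also goes one step beyond the lab by reporting an observed flow the design does not call for (web tier reaching the DB directly), which the lab does not cover.

```python
"""Reconcile an application's intended tier-to-tier traffic with observed flows,
then explain each gap from the AWS security-group rules.

Added example; not vRNI code. The expected policy follows the lab's CRM VPC
description; the flow records, security groups and VM-to-group mapping are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source VM, destination VM, destination port)

# Intended design of the CRM application (web -> app -> db, shared DNS/syslog,
# jump-box access), as listed under AWS Configuration.
EXPECTED: Set[Flow] = {
    ("jump-box", "crm-web1", 80), ("jump-box", "crm-app1", 22), ("jump-box", "crm-database", 22),
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    ("crm-web1", "aws-dns-server", 53), ("crm-web1", "aws-log-server", 514),
    ("crm-app1", "aws-dns-server", 53), ("crm-app1", "aws-log-server", 514),
    ("crm-database", "aws-dns-server", 53), ("crm-database", "aws-log-server", 514),
}

# Constructed flow records: everything designed except DB -> syslog, plus one
# flow the design never asked for (web tier talking to the DB directly).
OBSERVED: Set[Flow] = (EXPECTED - {("crm-database", "aws-log-server", 514)}) | {
    ("crm-web1", "crm-database", 3306),
}


@dataclass(frozen=True)
class SgRule:
    direction: str   # "inbound" or "outbound"
    port: int
    peer: str        # referenced security group (assumed names)


SG_OF: Dict[str, str] = {   # assumed VM -> security group membership
    "jump-box": "sg-jump", "crm-web1": "sg-web", "crm-app1": "sg-app",
    "crm-database": "sg-db", "aws-dns-server": "sg-shared", "aws-log-server": "sg-shared",
}

# Security groups are allow-lists: a flow needs an outbound rule on the source
# group AND an inbound rule on the destination group; anything else is denied.
SG_RULES: Dict[str, List[SgRule]] = {
    "sg-jump": [SgRule("outbound", 80, "sg-web"), SgRule("outbound", 22, "sg-app"),
                SgRule("outbound", 22, "sg-db")],
    "sg-web": [SgRule("inbound", 80, "sg-jump"), SgRule("outbound", 8080, "sg-app"),
               SgRule("outbound", 53, "sg-shared"), SgRule("outbound", 514, "sg-shared"),
               SgRule("outbound", 3306, "sg-db")],            # over-permissive
    "sg-app": [SgRule("inbound", 22, "sg-jump"), SgRule("inbound", 8080, "sg-web"),
               SgRule("outbound", 3306, "sg-db"), SgRule("outbound", 53, "sg-shared"),
               SgRule("outbound", 514, "sg-shared")],
    "sg-db": [SgRule("inbound", 22, "sg-jump"), SgRule("inbound", 3306, "sg-app"),
              SgRule("inbound", 3306, "sg-web"),               # over-permissive
              SgRule("outbound", 53, "sg-shared")],            # no 514 rule: the gap
    "sg-shared": [SgRule("inbound", 53, g) for g in ("sg-web", "sg-app", "sg-db")]
                 + [SgRule("inbound", 514, g) for g in ("sg-web", "sg-app", "sg-db")],
}


def missing_flows(expected: Set[Flow], observed: Set[Flow]) -> List[Flow]:
    """Designed communication that never showed up in the flow data."""
    return sorted(expected - observed)


def unexpected_flows(expected: Set[Flow], observed: Set[Flow]) -> List[Flow]:
    """Observed communication the design does not call for."""
    return sorted(observed - expected)


def _has(group: str, direction: str, port: int, peer: str) -> bool:
    return any(r.direction == direction and r.port == port and r.peer == peer
               for r in SG_RULES.get(group, []))


def sg_allows(src_vm: str, dst_vm: str, port: int) -> Tuple[bool, str]:
    """Evaluate both ends of a flow against the security groups; on denial,
    name the side that lacks a rule."""
    src_sg, dst_sg = SG_OF[src_vm], SG_OF[dst_vm]
    if not _has(src_sg, "outbound", port, dst_sg):
        return False, f"{src_sg} has no outbound rule for port {port} to {dst_sg}"
    if not _has(dst_sg, "inbound", port, src_sg):
        return False, f"{dst_sg} has no inbound rule for port {port} from {src_sg}"
    return True, "allowed by both groups"


def explain(expected: Set[Flow] = EXPECTED,
            observed: Set[Flow] = OBSERVED) -> Dict[str, List[Tuple[Flow, str]]]:
    """Pair every gap with the security-group verdict that explains it."""
    report: Dict[str, List[Tuple[Flow, str]]] = {"missing": [], "unexpected": []}
    for f in missing_flows(expected, observed):
        report["missing"].append((f, sg_allows(*f)[1]))
    for f in unexpected_flows(expected, observed):
        report["unexpected"].append((f, sg_allows(*f)[1]))
    return report


if __name__ == "__main__":
    for kind, items in explain().items():
        for flow, why in items:
            print(f"{kind}: {flow} -> {why}")
```

A missing flow whose security-group check fails points at configuration (the lab's case: no outbound 514 rule on the DB group); a missing flow that the groups would allow points elsewhere (routing, the service not running). An unexpected flow that the groups allow is the over-permissive rule to tighten.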

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue.


Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type plan security (the search bar uses Auto Fill, and predictive text will appear as you type).

2. Select the Time icon.

Plan Security - Specify a Preset

1. Select Presets.

2. Select Last Week.

3. Click the search icon to continue.


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown so you can understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained in lettered form below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West-only traffic.
• B - This indicates the percentage of traffic that was switched.
• C - The percentage of traffic that is routed between the East-West ports.
• D - This indicates Virtual Machine to Virtual Machine traffic as a percentage of the sum in point number 1.
• E - Traffic observed between virtual machines on the same host.
• F - Traffic that requires internet access.

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (source port is one of the five tuple fields, which means every time a new TCP connection is established and terminated, a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic, has a wide range and keeps on changing. As long as multiple sessions have the same source IP, same destination IP, same destination port and same protocol, they will be combined into one record called a flow.

So 1000s of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used.

Counter names:

• allowed sessions - count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes - total traffic volume exchanged on the flow (this is the sum of the two counters described below)
• src bytes - total bytes sent by src_ip of the flow to dst_ip/port/protocol
• dst bytes - total bytes received by src_ip of the flow from dst_ip/port/protocol

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.


East-West (EW) - Detailed view

These are only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the timeline, see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports


Locating the Services screen for the next step.

Services/Ports - Timeline view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be shown by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice it presents, on demand, the sum total of flows for the last 24 hours in Gigabytes (GB) communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

For traffic communicating over port 5443 for the Last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have completed viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).

2. Select the drop-down box and then select by Subnet.

3. We can further analyze micro-segments by secondary groups (this step is for information only).

4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To change the view to track flows between Prod-Web and Prod-Midtier, we will switch from Subnet view to VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).


Focus - Prod-Web (25)

1. Hover over Prod-Web.

2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.

3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on Port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue.
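The session-to-flow aggregation described under East-West Traffic and the group-to-group rule recommendation above, as an added example that is not vRealize Network Insight's own code or lab data. The sessions, IP addresses and group membership below are constructed; the counter names (allowed sessions, bytes, src bytes, dst bytes) follow the definitions given in this module.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample sessions (5-tuples plus byte counts); not data from the lab.
# Each record: (src_ip, src_port, dst_ip, dst_port, protocol, bytes_sent, bytes_received)
SESSIONS = [
    ("10.1.1.10", 50211, "10.1.2.20", 8080, "TCP", 1200, 5400),
    ("10.1.1.10", 50212, "10.1.2.20", 8080, "TCP", 800, 3100),
    ("10.1.1.11", 41000, "10.1.2.20", 8080, "TCP", 640, 2200),
    ("10.1.1.10", 50300, "10.1.2.21", 5443, "TCP", 300, 900),
    ("10.1.1.11", 41001, "10.1.2.21", 5443, "TCP", 350, 950),
    ("10.1.1.10", 50400, "10.1.3.5", 53, "UDP", 70, 150),
]

# Constructed group membership, standing in for the VLAN/VXLAN or security-group
# lookup that the product performs for each VM.
GROUPS = {
    "10.1.1.10": "Prod-Web",
    "10.1.1.11": "Prod-Web",
    "10.1.2.20": "Prod-Midtier",
    "10.1.2.21": "Prod-Midtier",
    "10.1.3.5": "Shared-DNS",
}


@dataclass
class Flow:
    """A 4-tuple flow: the source port of the underlying sessions is dropped."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    allowed_sessions: int = 0   # "allowed sessions" counter
    src_bytes: int = 0          # "src bytes": sent by src_ip to dst_ip/port/protocol
    dst_bytes: int = 0          # "dst bytes": received by src_ip from dst_ip/port/protocol

    @property
    def total_bytes(self) -> int:
        # "bytes" counter: the sum of the two directional counters.
        return self.src_bytes + self.dst_bytes


def aggregate_flows(sessions):
    """Collapse 5-tuple sessions into 4-tuple flows keyed on
    (src_ip, dst_ip, dst_port, protocol), accumulating the counters."""
    flows = {}
    for src_ip, _src_port, dst_ip, dst_port, proto, sent, received in sessions:
        key = (src_ip, dst_ip, dst_port, proto)
        flow = flows.setdefault(key, Flow(src_ip, dst_ip, dst_port, proto))
        flow.allowed_sessions += 1
        flow.src_bytes += sent
        flow.dst_bytes += received
    return list(flows.values())


def recommend_rules(flows, groups):
    """Derive the minimal ALLOW rule set between groups: one rule per observed
    (source group, destination group, destination port, protocol), carrying the
    number of flows, sessions and bytes that justify it. IPs with no group
    membership are reported under the placeholder group "Unknown"."""
    stats = defaultdict(lambda: {"flows": 0, "sessions": 0, "bytes": 0})
    for f in flows:
        key = (groups.get(f.src_ip, "Unknown"), groups.get(f.dst_ip, "Unknown"),
               f.dst_port, f.protocol)
        stats[key]["flows"] += 1
        stats[key]["sessions"] += f.allowed_sessions
        stats[key]["bytes"] += f.total_bytes
    rules = [
        {"action": "ALLOW", "src_group": s, "dst_group": d,
         "port": port, "protocol": proto, **counters}
        for (s, d, port, proto), counters in stats.items()
    ]
    # Busiest rules first, so the most significant segmentation decisions show up at the top.
    return sorted(rules, key=lambda r: r["bytes"], reverse=True)


if __name__ == "__main__":
    for f in aggregate_flows(SESSIONS):
        print(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port}/{f.protocol} "
              f"sessions={f.allowed_sessions} bytes={f.total_bytes}")
    for r in recommend_rules(aggregate_flows(SESSIONS), GROUPS):
        print(f"{r['action']} {r['src_group']} -> {r['dst_group']} "
              f"port {r['port']}/{r['protocol']} ({r['flows']} flows, {r['sessions']} sessions)")
```

With the constructed input, six sessions collapse into five flows and three recommended rules, of which the Prod-Web to Prod-Midtier port 8080 rule is the busiest.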


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN.

2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).

2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.

2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.

2. Under Tier, type the Name as HOL-Pre-Prod.

3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.

2. You can also see Hol-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill, and predictive text will appear as you type).

2. Click search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view will show the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally, the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses Auto Fill, and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step, we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.

3. Click Between and select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).

4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.

2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification, Firewall rule membership change).

3. Info only - Do not click - View, Edit or Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination and gives visibility into firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.

2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.

2. Type dba into the source field and DBAdmin-VM1 will appear.

3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of twodetailed views

HOL-1829-01-NET

Page 53HOL-1829-01-NET

1 VM Path Topology This view details the routers Edges or Logical DistributedRouters (LDRs) that are involved in the VM to VM network path and provides thecomplete routing and NAT information

2 VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology

1 Click on the three dots in the top right corner of the field
2 Click Maximize

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1 Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map

1 Click on the top left icon marked with a red square - the virtual machine DBAdmin-VM1

Virtual Machine - Details


A pop-up box will appear with the virtual machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1 When done reviewing, close the pop-up window by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1 Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1 When done reviewing click on the (X) in the top right corner


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1 On the map, click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1 When done reviewing click on the (X) in the top right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1 On the map, click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1 When done reviewing click on the (X) in the top right corner

Switch ports on the map

1 From the map, click on the icon marked by a red square to select the Switch Port for the VM


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


Physical VRF on the map

1 From the map, click on the icon marked by a red square to access the Physical VRF details


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


VRF - continued

1 From the map, click on the icon marked by a red square to access the next Physical VRF in the path


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. vRealize Network Insight filters these firewall rules down to the ones applicable between the two objects we searched for: there are probably thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1 From the map, click on the icon marked by a red square to access the next Physical VRF in the path


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, for example while changing from one vendor to another.

1 When done reviewing click on the (X) in the top right corner


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kinds of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse over) the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1 From the map, click on the icon marked by a red square to access the next VRF in the path


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


VXLAN on the map

1 On the map, click on the blue line marked by a red square to access the VXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as its Hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box

VRF - LDR

1 From the map, click on the icon marked by a red square to access the VRF details


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1 From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two)


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1 From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two)

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box

Reversing the analysis

1 In the section marked by a red square in the picture, click on the arrow pointing left

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1 The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved

2 The VM Underlay path topology is shown here
3 The components are labeled under Path Details


1 In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges

2 For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses

1 From the previous step we selected the Prod-DB-2 virtual machine
2 This changes the focus to the corresponding interface IP address (VNIC)
3 The visual map (Path Topology) shows all the path objects
4 Path Details shows the labels and lists the components

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1 Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:


1 Type NSX Manager (this will list three NSX Managers)
2 Click Search

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that we have 50 problems associated with this endpoint.

1 Click on the NSX Manager address to expose the layout and detailed information


Timeline - Visual Build-up

Explore information only - Do not click

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1 Click on the NSX Controller (look at each controller until you find the controller whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order)


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1 Click the close sign (x) to continue


Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1 Click the edge VMs icon to see detailed information about the edge services


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1 Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1 Now use the Chrome Back button (click once) to return to the NSX Manager information screen step


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section

1 Click and select Warning/Moderate to view problem areas

Warning/Moderate Issues

1 Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller"


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1 Click the close sign (x) to continue


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1 Click here to open the interactive simulation. It will open in a new browser window or tab.

2 When finished, click the "Return to the lab" link to continue with this lab


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1 Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1 We have an on-premises instance of vRealize Network Insight managing AWS
2 There are two VPCs, i.e. CRM and Common Services


3 VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB
4 Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box
5 The Web tier talks to the App tier on port 8080
6 The App tier talks to the DB tier on port 3306
7 The Web tier is open to internal datacenter VMs on port 80
8 From the jump-box in VPC CRM, all virtual machines have SSH access on port 22
9 All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services
10 This means a connection from the DB to the log server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1 In vRealize Network Insight, click on Plan Security

From the Plan Security dialogue box, under Entity, select:


1 Application
2 CRM
3 Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1 Please note that micro-segments are already filtered by tier
2 Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally)
3 App (the App tier talks to the DB tier on port 3306)
4 DB (the DB tier talks to the log servers) - this is the problem area we are going to explore

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the yellow line to explore the flows. This will reveal flows from Web to App


1 The App tier talks to the DB tier on port 3306
2 Click X to continue


1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from App to DB


1 The App tier talks to the DB tier on port 3306
2 Click X to continue


1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App


1 DC Virtual (jump box) talks to the App tier on port 22
2 Click X to continue


1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual


1 The App tier talks to Shared Virtual on ports 53 and 514 respectively
2 Click X to continue


1 Hover over the DB micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual

1 By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1 In the Chrome web browser, right-click the tab
2 Select Duplicate from the menu

1 Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2 Click Search
3 Click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).
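The gap these queries uncover can be reproduced offline with a small flow-versus-rule audit. This is an added example, not part of the lab manual or of vRealize Network Insight: the instance names, tiers and ports come from the lab's AWS configuration list, while the addresses, security-group names and rules are constructed to mirror the lab (the inbound syslog allow for the DB subnet is deliberately absent), not exported from the lab's AWS account.

```python
# Added example (not lab code): audit the intended CRM flows against a constructed
# security-group rule set using AWS semantics, where an allowed flow needs an
# outbound rule on the source's group AND an inbound rule on the destination's group.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    sg: str  # security group attached to the instance


@dataclass(frozen=True)
class Rule:
    sg: str         # security group the rule belongs to
    direction: str  # "inbound" or "outbound"
    port: int
    cidr: str       # peer range: source for inbound, destination for outbound


# Constructed topology: VPC CRM = 10.10.0.0/16, VPC Common Services = 10.20.0.0/16.
# Addresses and group names are placeholders, not the lab's real values.
INSTANCES = [
    Instance("jump-box", "10.10.0.10", "sg-jump"),
    Instance("crm-web1", "10.10.1.10", "sg-web"),
    Instance("crm-app1", "10.10.2.10", "sg-app"),
    Instance("crm-database", "10.10.3.10", "sg-db"),
    Instance("aws-dns-server", "10.20.1.53", "sg-dns"),
    Instance("aws-log-server", "10.20.1.14", "sg-log"),
]
BY_NAME = {i.name: i for i in INSTANCES}
TIERS = ("sg-web", "sg-app", "sg-db")
TIER_VMS = ("crm-web1", "crm-app1", "crm-database")

RULES = [
    # jump-box: SSH to every CRM VM and HTTP to the web tier
    Rule("sg-jump", "outbound", 22, "10.10.0.0/16"),
    Rule("sg-jump", "outbound", 80, "10.10.1.0/24"),
    Rule("sg-web", "inbound", 80, "10.10.0.0/24"),
    *[Rule(sg, "inbound", 22, "10.10.0.0/24") for sg in TIERS],
    # web -> app on 8080, app -> db on 3306
    Rule("sg-web", "outbound", 8080, "10.10.2.0/24"),
    Rule("sg-app", "inbound", 8080, "10.10.1.0/24"),
    Rule("sg-app", "outbound", 3306, "10.10.3.0/24"),
    Rule("sg-db", "inbound", 3306, "10.10.2.0/24"),
    # every tier may send DNS (53) and syslog (514) towards Common Services
    *[Rule(sg, "outbound", p, "10.20.0.0/16") for sg in TIERS for p in (53, 514)],
    Rule("sg-dns", "inbound", 53, "10.10.0.0/16"),
    # the log server only accepts syslog from the web and app subnets: the
    # rule for the DB subnet was never added (the lab's problem area)
    Rule("sg-log", "inbound", 514, "10.10.1.0/24"),
    Rule("sg-log", "inbound", 514, "10.10.2.0/24"),
]

# Intended flows, taken from the lab's AWS configuration list.
EXPECTED_FLOWS = [
    ("jump-box", "crm-web1", 80),
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    *[("jump-box", vm, 22) for vm in TIER_VMS],
    *[(vm, "aws-dns-server", 53) for vm in TIER_VMS],
    *[(vm, "aws-log-server", 514) for vm in TIER_VMS],
]


def _covers(rule, peer_ip, port):
    return rule.port == port and ip_address(peer_ip) in ip_network(rule.cidr)


def evaluate(src: str, dst: str, port: int) -> str:
    """Return "allow" or "deny: <which side lacks a rule>" for one flow."""
    s, d = BY_NAME[src], BY_NAME[dst]
    if not any(r.sg == s.sg and r.direction == "outbound" and _covers(r, d.ip, port)
               for r in RULES):
        return f"deny: no outbound rule on {s.sg}"
    if not any(r.sg == d.sg and r.direction == "inbound" and _covers(r, s.ip, port)
               for r in RULES):
        return f"deny: no inbound rule on {d.sg}"
    return "allow"


def audit() -> list:
    """Intended flows the rule set does not allow, each with its reason."""
    return [(s, d, p, v) for s, d, p in EXPECTED_FLOWS
            if (v := evaluate(s, d, p)) != "allow"]


def rules_between(src: str, dst: str) -> list:
    """Rules that apply to traffic from src to dst, mirroring the lab's
    'aws firewall rule where src vm = ... and dst vm = ...' search."""
    s, d = BY_NAME[src], BY_NAME[dst]
    return [r for r in RULES
            if (r.sg == s.sg and r.direction == "outbound"
                and ip_address(d.ip) in ip_network(r.cidr))
            or (r.sg == d.sg and r.direction == "inbound"
                and ip_address(s.ip) in ip_network(r.cidr))]
```

With this constructed rule set, audit() reports exactly one gap, crm-database to aws-log-server on 514 with no inbound rule on the log server's group, and rules_between() returns three rules for crm-web1 (two outbound, one inbound) but only two outbound rules for crm-database, the same shape as the lab's three searches.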


1 In the Chrome web browser, right-click the tab
2 Select Duplicate from the menu


1 Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2 Click Search
3 This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1 In the Chrome web browser, right-click the tab
2 Select Duplicate from the menu

1 Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2 Click Search
3 This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version: 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET


Plan Security

When the vRealize Network Insight portal login completes, the first screen will show a search bar at the top.

1. Type plan security (the search bar uses Auto Fill, and predictive text will appear as you type).

2. Select the Time icon.

Plan Security - Specify a Preset

1. Select Presets.
2. Select Last Week.
3. Click the search icon to continue.


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to help understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained point by point below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West only traffic.
• B - This indicates the percentage of traffic that was switched.
• C - The percentage of traffic that is routed between the East-West ports.
• D - This indicates Virtual Machine to Virtual Machine traffic as a percentage of the sum in point 1 (A above).
• E - Traffic observed between virtual machines on the same host.
• F - Traffic that requires internet access.

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuple elements, which means that every time a new TCP connection is established and terminated, a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic: it is drawn from a wide range and keeps on changing. As long as multiple sessions have the same source IP, the same destination IP, the same destination port and the same protocol, they will be combined into one record called a flow.

So thousands of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used:

Counter names

• allowed sessions: count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes: total traffic volume exchanged on the flow (this is the sum of the two counters described below)
• src bytes: total bytes sent by the src_ip of the flow to dst_ip/port/protocol
• dst bytes: total bytes received by the src_ip of the flow from dst_ip/port/protocol
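The session-to-flow aggregation described above, written out as an added example (this is not code from the lab guide or from vRealize Network Insight): 5-tuple sessions are collapsed into 4-tuple flows by dropping the source port, and the four counters named in the guide are accumulated per flow. The session records are constructed sample data.

```python
"""Added example: aggregate 5-tuple sessions into 4-tuple flows with the
counters the guide names (allowed sessions, bytes, src bytes, dst bytes).
Not part of the original lab guide; the sample sessions are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One observed 5-tuple session (one TCP connection, one UDP exchange)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    src_bytes: int   # bytes sent by src_ip to dst_ip
    dst_bytes: int   # bytes received by src_ip from dst_ip
    packets: int


@dataclass
class Flow:
    """4-tuple flow: the source port is intentionally not part of the key."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    allowed_sessions: int = 0
    src_bytes: int = 0
    dst_bytes: int = 0
    packets: int = 0

    @property
    def bytes(self) -> int:
        # "bytes" is defined in the guide as the sum of src bytes and dst bytes.
        return self.src_bytes + self.dst_bytes


def aggregate_flows(sessions):
    """Combine sessions that share (src_ip, dst_ip, dst_port, protocol) into one flow."""
    flows = {}
    for s in sessions:
        key = (s.src_ip, s.dst_ip, s.dst_port, s.protocol)
        flow = flows.get(key)
        if flow is None:
            flow = Flow(*key)
            flows[key] = flow
        flow.allowed_sessions += 1          # each 5-tuple session counts once
        flow.src_bytes += s.src_bytes
        flow.dst_bytes += s.dst_bytes
        flow.packets += s.packets
    return flows


def outgoing_by_destination(flows, src_ip):
    """Higher-level analysis from the guide: distribution of a VM's outgoing
    flow volume (bytes) by destination IP."""
    distribution = defaultdict(int)
    for flow in flows.values():
        if flow.src_ip == src_ip:
            distribution[flow.dst_ip] += flow.bytes
    return dict(distribution)


# Constructed sample: three ssh connections and two DNS lookups from one VM,
# plus one unrelated inbound connection on port 5443.
SAMPLE_SESSIONS = [
    Session("10.0.1.10", 49152, "10.0.2.20", 22, "TCP", 1200, 8400, 60),
    Session("10.0.1.10", 49153, "10.0.2.20", 22, "TCP", 900, 5100, 40),
    Session("10.0.1.10", 49154, "10.0.2.20", 22, "TCP", 300, 2500, 20),
    Session("10.0.1.10", 53001, "10.0.0.53", 53, "UDP", 70, 150, 2),
    Session("10.0.1.10", 53002, "10.0.0.53", 53, "UDP", 72, 160, 2),
    Session("10.0.2.20", 40000, "10.0.1.10", 5443, "TCP", 5000, 20000, 100),
]

if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_SESSIONS)
    for key, flow in flows.items():
        print(key, flow.allowed_sessions, flow.bytes, flow.src_bytes, flow.dst_bytes)
    print(outgoing_by_destination(flows, "10.0.1.10"))
```

Six sessions become three flows; the three ssh sessions collapse into a single record with an allowed-sessions count of 3 even though every one of them used a different source port.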

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.


East-West (EW) - Detailed view

This is only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover) on the timeline, see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports


Locating the Services screen for the next step

Services/Ports - Timeline view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the plan security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be obtained by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents, on demand, the sum total of flows for the last 24 hours in Gigabytes (GB) communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

Communicating over port 5443 for the last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the plan security layout screen (once you have completed viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the plan security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To change the view to track flows between Prod-Web and Prod-Midtier, we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is (ALLOWED) on Port 8080 between SG Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
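How observed flows collapse into a short list of recommended allow rules (the Prod-Web to Prod-Midtier port 8080 recommendation above, and the "many flows, few rules" count for the Prod-Web group), as an added example that is not code from the lab guide or from vRealize Network Insight. The VM names, security group membership and flows are constructed; endpoints not in any group are treated as External.

```python
"""Added example: derive recommended firewall rules from observed flows by
grouping endpoints into security groups. Constructed data, not lab output."""
from collections import defaultdict
from dataclasses import dataclass

EXTERNAL = "External"   # any endpoint that is not a member of a known group


@dataclass(frozen=True)
class ObservedFlow:
    src: str          # VM name or IP address
    dst: str
    dst_port: int
    protocol: str
    sessions: int     # allowed sessions counter for this flow


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    dst_port: int
    protocol: str
    action: str = "ALLOW"


def group_of(endpoint, membership):
    """Map a VM name to its security group; unknown endpoints are External."""
    return membership.get(endpoint, EXTERNAL)


def recommend_rules(flows, membership, focus_group):
    """One ALLOW rule per (src group, dst group, dst port, protocol) observed
    for the focus group; the value is the number of flows backing the rule."""
    evidence = defaultdict(int)
    for f in flows:
        src_group = group_of(f.src, membership)
        dst_group = group_of(f.dst, membership)
        if focus_group not in (src_group, dst_group):
            continue   # only flows involving the focus group contribute
        evidence[Rule(src_group, dst_group, f.dst_port, f.protocol)] += 1
    return dict(evidence)


def is_allowed(flow, rules, membership):
    """Whitelist check: a flow is permitted only if a recommended rule matches
    its group pair, port and protocol; everything else is implicitly denied."""
    candidate = Rule(group_of(flow.src, membership),
                     group_of(flow.dst, membership),
                     flow.dst_port, flow.protocol)
    return candidate in rules


# Constructed membership and flows for a three-tier application.
MEMBERSHIP = {
    "Prod-Web-1": "Prod-Web", "Prod-Web-2": "Prod-Web", "Prod-Web-3": "Prod-Web",
    "Prod-Mid-1": "Prod-Midtier", "Prod-Mid-2": "Prod-Midtier",
    "Prod-DB-1": "Prod-DB",
}
SAMPLE_FLOWS = [
    ObservedFlow("Prod-Web-1", "Prod-Mid-1", 8080, "TCP", 120),
    ObservedFlow("Prod-Web-2", "Prod-Mid-2", 8080, "TCP", 95),
    ObservedFlow("Prod-Web-3", "Prod-Mid-1", 8080, "TCP", 110),
    ObservedFlow("Prod-Web-1", "10.0.0.53", 53, "UDP", 400),     # DNS, external
    ObservedFlow("Prod-Web-2", "10.0.0.53", 53, "UDP", 380),
    ObservedFlow("203.0.113.5", "Prod-Web-1", 443, "TCP", 50),   # inbound HTTPS
    ObservedFlow("Prod-Mid-1", "Prod-DB-1", 5443, "TCP", 70),    # not Prod-Web
]

if __name__ == "__main__":
    rules = recommend_rules(SAMPLE_FLOWS, MEMBERSHIP, "Prod-Web")
    for rule, count in rules.items():
        print(rule, "backed by", count, "flows")
    probe = ObservedFlow("Prod-Web-1", "Prod-DB-1", 5443, "TCP", 1)
    print("web -> db on 5443 allowed:", is_allowed(probe, rules, MEMBERSHIP))
```

Seven flows involving six VMs reduce to three group-level rules for Prod-Web, and a web-tier VM reaching the database tier directly is rejected because no observed flow backed such a rule.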

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application - click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see Hol-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill, and predictive text will appear as you type).

2. Click search to continue.


The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we now understand the analysis that makes up the firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new TAB will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), to see how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses Auto Fill, and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step, we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (as the lab uses static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info only - Do not click - View, Edit, Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies problem determination as well as the visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1 VM Path Topology This view details the routers Edges or Logical DistributedRouters (LDRs) that are involved in the VM to VM network path and provides thecomplete routing and NAT information

2 VM Underlay ( The VM Underlay section that is on the right side of the VM Pathtopology shows the underlay information of the VMs involved and theirconnectivity to the top of the rack switches and the ports involved)

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network: the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that the list of details includes items such as VMs, physical switches, virtual switches, routers and NICs.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square: the virtual machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the virtual machine details. Much of this information is made available through VMware Tools; we can, for example, see network information and the physical host.

A - Spend some time getting an overview of the information available in this view.

B - Note that the Firewall Status indicates Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. Unknown means there is no NSX firewall data for this VM, not that the VM is unprotected by other means. If NSX components were in use but malfunctioning, an error message would appear instead.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear containing the physical ESXi host details.

A - Spend some time reviewing the information available for the host. Please do not click on any of the links.

B - Notice that we receive information about both the chassis and the blade this ESXi host is running on. In a real-life environment we could follow the links to get detailed information about the physical environment.

C - Note that there are no NSX components on this host: for example, the Control Plane Sync Status is Unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (distributed virtual port group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear containing the DVPG details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled. IPFIX export from the distributed switch is what feeds vRealize Network Insight's flow data; a port group with IPFIX disabled would still appear in the path, but flows through it would be missing from the flow and micro-segmentation views.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear containing the physical VLAN details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the switch port for the VM.

Switch Port

A pop-up box will appear containing the switch port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on; in this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the physical VRF details.

VRF - Physical Switch

A pop-up box will appear containing the physical VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. vRealize Network Insight gathers the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.

VRF - Physical Router

A pop-up box will appear containing the physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto Networks device. In this view we see its routing table as well as its firewall rules. These are not the whole rulebase: vRealize Network Insight shows only the rules applicable to the two objects we searched for. A normal network probably has thousands of firewall rules, but these are the ones affecting the communication between the two selected VMs.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.
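The filtering this view performs, reduced to its logic as an added example (not code from the lab, from vRealize Network Insight or from Palo Alto Networks): an ordered, first-match rulebase is cut down to the rules that can apply between the two endpoints, and then evaluated for one specific flow. The addresses, rule names and ports are constructed stand-ins for DBAdmin-VM1 and Prod-Db-2 (the lab does not give the real ones), and the model matches on a plain 5-tuple, whereas a real Palo Alto rulebase also matches on zones and applications. The shadowed() check is the caveat a practitioner adds when reading a filtered rule list: an allow that appears in the applicable set may still never be hit because an earlier rule matches first.

```python
"""Applicable-rule extraction and first-match evaluation for an ordered
firewall rulebase.  Added example, not code from the lab or from vRealize
Network Insight; addresses, rule names and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def _in(ip, cidr):
    """Membership test with "any" as the wildcard."""
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    proto: str         # "tcp", "udp" or "any"
    dport: tuple       # inclusive (low, high); (0, 65535) for any port
    action: str        # "allow" or "deny"

    def covers(self, src_ip, dst_ip):
        """True if this rule can match some traffic between the two endpoints."""
        return _in(src_ip, self.src) and _in(dst_ip, self.dst)

    def matches(self, src_ip, dst_ip, proto, port):
        """True if this rule matches this exact flow."""
        return (self.covers(src_ip, dst_ip)
                and self.proto in ("any", proto)
                and self.dport[0] <= port <= self.dport[1])


def applicable_rules(rulebase, src_ip, dst_ip):
    """The subset of an ordered rulebase that can apply between src and dst,
    in rulebase order: what a path view shows instead of the whole base."""
    return [r for r in rulebase if r.covers(src_ip, dst_ip)]


def verdict(rulebase, src_ip, dst_ip, proto, port, default="deny"):
    """First match wins; the implicit default applies if nothing matches."""
    for r in rulebase:
        if r.matches(src_ip, dst_ip, proto, port):
            return r.action, r.name
    return default, "implicit-default"


def shadowed(rulebase, src_ip, dst_ip, proto, port):
    """Names of later rules that also match this flow but can never be hit for
    it, because an earlier rule matches first.  An allow that shows up in the
    applicable set but sits below a broader deny is the classic audit finding."""
    hits = [r for r in rulebase if r.matches(src_ip, dst_ip, proto, port)]
    return [r.name for r in hits[1:]]


# Constructed rulebase standing in for a production firewall with thousands of rules.
RULEBASE = [
    Rule("r1-mgmt-ssh", "10.10.0.0/16", "any", "tcp", (22, 22), "allow"),
    Rule("r2-block-prod-db", "any", "10.20.30.0/24", "tcp", (1433, 1433), "deny"),
    Rule("r3-dba-to-prod-db", "10.10.5.0/24", "10.20.30.0/24", "tcp", (1433, 1433), "allow"),
    Rule("r4-web-to-app", "10.20.10.0/24", "10.20.20.0/24", "tcp", (8080, 8080), "allow"),
    Rule("r5-cleanup", "any", "any", "any", (0, 65535), "deny"),
]
DBADMIN_VM1 = "10.10.5.21"   # constructed address for the lab's source VM
PROD_DB_2 = "10.20.30.12"    # constructed address for the lab's destination VM


if __name__ == "__main__":
    for r in applicable_rules(RULEBASE, DBADMIN_VM1, PROD_DB_2):
        print(f"{r.name:20} {r.action}")
    print(verdict(RULEBASE, DBADMIN_VM1, PROD_DB_2, "tcp", 1433))
    print("shadowed:", shadowed(RULEBASE, DBADMIN_VM1, PROD_DB_2, "tcp", 1433))
```

Of the five constructed rules, four can apply between the two addresses (the web-to-app rule cannot), which is the kind of reduction the path view shows. For TCP 1433 the verdict is the deny in r2, and r3, the DBA allow an administrator would point to, is reported as shadowed: the rule list alone does not tell you that, the evaluation order does.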

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear containing the physical VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. Information is available on routing, gateways, interfaces and so on. These details show that devices from many vendors can be monitored, which matters when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of component we looked at previously in this module, so we are not going to look at their details in this scenario.

A - Hover (move the mouse over) the icons marked with red arrow A without clicking on them. Notice the descriptive name.

B - Hover over the icons marked with red arrow B without clicking on them. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear containing the VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear containing the VXLAN details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the underlay VLAN IDs, the subnet and the underlay subnet.

C - We also have visibility into which primary controller it is using, and into its hosts and VTEPs.

D - Hover the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear containing the VRF details. From here on we are in the in-kernel part of the network.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface: the interface on the Prod-DB network, which is the next step in the path (illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network of that physical host is the firewall. Notice that there are two firewalls next to the VM: one from Palo Alto and one from NSX.

1. From the map, click on the icon marked by a red square to access the NSX firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear containing the firewall details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Of the two firewalls next to the VM, one from Palo Alto and one from NSX, we are now going to look at the details of the lower one.

1. From the map, click on the icon marked by a red square to access the Palo Alto firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based firewall to which traffic is offloaded. The redirect feature lets NSX distributed firewall rules steer selected traffic to the Palo Alto firewall for inspection, so both rule sets can apply to traffic reaching this VM.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life, and it is worth checking, because a stateful firewall that sits on only one of the two edges sees only one direction of the conversation.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step, we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight can trace the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details behind each object on the map, it is easy to get a quick overview of the components used in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight gives us full visibility from both an overlay and an underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore the information only; do not click.

• A - Starting with the Timeline, we can manipulate the results simply by dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.
• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).
• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist used to monitor and validate the NSX Manager.
• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid; each object can be queried individually within the same screen.
• E - NSX Problems is key to understanding the issues in NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, which can be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result of something else. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the Edge services.

Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all the Edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. It highlights a critical condition due to a possible network disruption of this Edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of Logical networking out of sync between host and NSX Controller.

Warning/Moderate Issues (continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.
2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the advanced management operations capability of vRealize Network Insight, which provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of its workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads: increasingly, public cloud workloads also fulfil mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the right hosting decisions for their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, security groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup used in this lab:

1. An on-premises instance of vRealize Network Insight manages AWS.
2. There are two VPCs: CRM and Common Services.
3. VPC CRM hosts the CRM application, which comprises three tiers: Web, App and DB.
4. Internal users of the company access the Web tier of the CRM on port 80 internally via the jump box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines are reachable over SSH on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and to the log server on port 514 in VPC Common Services.
10. This means a connection from the DB tier to the log server (used by the backup service) must exist as configured by the administrator; this is in fact the problem area our focus will be on.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Define an Application).

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Note that the micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and to the log server on port 514 in the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flows reveal only one service: port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which the backup service depends on).
2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow for port 514 (syslog).

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when the previous tab was duplicated) and type the new search query: firewall action of flows where dst vm = aws-log-server. This returns 5 results: 4 Allow (for Web and Midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server). Note that AWS security groups hold allow rules only, so the Deny shown here represents the absence of a matching allow rule rather than an explicit deny entry.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when the previous tab was duplicated) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This returns 3 results: 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when the previous tab was duplicated) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This returns 2 results, both outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server. Compared with the crm-web1 query, what is missing for crm-database is the inbound rule on aws-log-server.
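The three queries above, modelled as an added example (not code from the lab, from vRealize Network Insight or from AWS): a flow between two instances in a VPC is permitted only when the source security group's egress rules and the destination security group's ingress rules both allow it, and since security groups hold allow rules only, a "deny" is simply the absence of a matching rule. The group names, rules and ports are a constructed approximation of the lab's CRM and Common Services VPCs (network ACLs are not modelled). The missing piece is placed on the log server's ingress side, which is the arrangement that reproduces the lab's query counts: one inbound and two outbound rules for crm-web1, two outbound and none inbound for crm-database.

```python
"""AWS security-group evaluation for the lab's CRM scenario.
Added example, not part of the lab or of vRealize Network Insight; group
names, rules and ports are constructed from the lab's description."""
from dataclasses import dataclass, field


@dataclass
class SGRule:
    proto: str   # "tcp" or "udp"
    port: int
    peer: str    # referenced security group name, or "0.0.0.0/0" for any source


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


def _permits(rules, proto, port, peer):
    """Security groups are allow-only: a matching rule permits, no rule denies."""
    return any(r.proto == proto and r.port == port and r.peer in (peer, "0.0.0.0/0")
               for r in rules)


def evaluate(src, dst, proto, port):
    """A flow between two instances needs BOTH the source group's egress and the
    destination group's ingress to permit it (network ACLs are not modelled).
    Returns (verdict, reason); a deny names the side that lacks a rule."""
    if not _permits(src.egress, proto, port, dst.name):
        return "deny", f"{src.name}: no egress rule for {proto}/{port} to {dst.name}"
    if not _permits(dst.ingress, proto, port, src.name):
        return "deny", f"{dst.name}: no ingress rule for {proto}/{port} from {src.name}"
    return "allow", "egress and ingress rules both present"


def firewall_rules_for(src, dst):
    """Rough equivalent of the lab's 'aws firewall rule where src vm = X and
    dst vm = Y' search: every rule on either group that references the other."""
    outbound = [("outbound", src.name, r) for r in src.egress if r.peer == dst.name]
    inbound = [("inbound", dst.name, r) for r in dst.ingress if r.peer == src.name]
    return outbound + inbound


def build_lab_groups():
    """Constructed approximation of the lab's CRM and Common Services VPCs."""
    web, app, db = SecurityGroup("crm-web"), SecurityGroup("crm-app"), SecurityGroup("crm-database")
    jump, dns, log = (SecurityGroup("crm-jumpbox"), SecurityGroup("aws-dns-server"),
                      SecurityGroup("aws-log-server"))
    # Tier-to-tier and jump-box access as the lab describes it.
    web.ingress += [SGRule("tcp", 80, "crm-jumpbox"), SGRule("tcp", 22, "crm-jumpbox")]
    app.ingress += [SGRule("tcp", 8080, "crm-web"), SGRule("tcp", 22, "crm-jumpbox")]
    db.ingress += [SGRule("tcp", 3306, "crm-app"), SGRule("tcp", 22, "crm-jumpbox")]
    web.egress += [SGRule("tcp", 8080, "crm-app")]
    app.egress += [SGRule("tcp", 3306, "crm-database")]
    jump.egress += [SGRule("tcp", 80, "crm-web")]
    jump.egress += [SGRule("tcp", 22, g) for g in ("crm-web", "crm-app", "crm-database")]
    # Every tier may send DNS and syslog towards Common Services ...
    for tier in (web, app, db):
        tier.egress += [SGRule("udp", 53, "aws-dns-server"),
                        SGRule("udp", 514, "aws-log-server"), SGRule("tcp", 514, "aws-log-server")]
    dns.ingress += [SGRule("udp", 53, "0.0.0.0/0")]
    # ... but the log server only admits syslog from web and app: the rule for
    # the database tier was never added (the lab's problem area).
    log.ingress += [SGRule("udp", 514, "crm-web"), SGRule("udp", 514, "crm-app")]
    return {g.name: g for g in (web, app, db, jump, dns, log)}


if __name__ == "__main__":
    groups = build_lab_groups()
    for src, dst, proto, port in (("crm-web", "aws-log-server", "udp", 514),
                                  ("crm-database", "aws-log-server", "udp", 514),
                                  ("crm-database", "aws-dns-server", "udp", 53)):
        print(f"{src} -> {dst} {proto}/{port}:", evaluate(groups[src], groups[dst], proto, port))
    print(len(firewall_rules_for(groups["crm-web"], groups["aws-log-server"])), "rules web -> log")
    print(len(firewall_rules_for(groups["crm-database"], groups["aws-log-server"])), "rules db -> log")
```

Because security groups are stateful, the return traffic of an allowed flow needs no rule of its own, so only the initiating direction is evaluated here. The useful output is the reason string: it tells you which group to fix, which the flow view's bare "deny" does not.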

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments, giving visibility into public and private clouds for micro-segmentation planning, network visibility and management.

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET


Overview - Traffic Distribution (Left Pane)

A visual representation of traffic is shown to help you understand the logical relationship between each component, physical or virtual, in order to track flows and sessions within a network:

• Internal Flows / External Flows
• Protected Flows / Unprotected Flows
• by VLAN or VXLAN

The default for this view is Last 1 day. Please do not change this, as we have already specified the time filter.


Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained item by item below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West-only traffic.
• B - This indicates the percentage of traffic that was switched.
• C - The percentage of traffic that is routed between the East-West ports.
• D - This indicates virtual machine to virtual machine traffic as a percentage of the sum in point number 1.
• E - Traffic observed between virtual machines on the same host.
• F - Traffic that requires internet access.

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuple fields, which means that every time a new TCP connection is established and terminated, a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic, comes from a wide range and keeps on changing. As long as multiple sessions have the same source IP, the same destination IP, the same destination port and the same protocol, they will be combined into one record called a flow.

So 1000s of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used.

Counter names:

• allowed sessions: count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes: total traffic volume exchanged on the flow (this is the sum of the two counters described below)
• src bytes: total bytes sent by src_ip of the flow to dst_ip/port/protocol
• dst bytes: total bytes received by src_ip of the flow from dst_ip/port/protocol
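To make the 5-tuple to 4-tuple aggregation concrete, the following Python is an added example (not from the lab guide or from vRealize Network Insight itself): it builds the four counters listed above from a handful of constructed session records and then answers the kind of higher-level question the text mentions, a VM's outgoing bytes by destination IP. The Session fields, sample IP addresses and function names are assumptions made for illustration.

```python
"""Aggregate 5-tuple sessions into 4-tuple flows with vRNI-style counters.

Added example (not part of the lab guide or of vRealize Network Insight):
the session records below are constructed, and the counter names mirror
the ones the lab lists (allowed sessions, bytes, src bytes, dst bytes).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One observed 5-tuple connection with the bytes seen in each direction."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    bytes_to_dst: int    # bytes sent by src_ip towards dst_ip:dst_port
    bytes_from_dst: int  # bytes the responder sent back to src_ip


# Constructed sample: three ssh sessions and one DNS lookup from the same
# client, plus a single unrelated HTTPS session from a different client.
SAMPLE_SESSIONS = [
    Session("10.0.1.5", 51122, "10.0.2.9", 22, "TCP", 1200, 8400),
    Session("10.0.1.5", 51190, "10.0.2.9", 22, "TCP", 900, 3100),
    Session("10.0.1.5", 52201, "10.0.2.9", 22, "TCP", 450, 2000),
    Session("10.0.1.5", 40321, "10.0.0.2", 53, "UDP", 70, 130),
    Session("10.0.3.7", 61001, "10.0.2.9", 443, "TCP", 5000, 64000),
]


def flow_key(s: Session) -> tuple:
    """The 4-tuple: the source port is deliberately dropped, as the lab explains."""
    return (s.src_ip, s.dst_ip, s.dst_port, s.protocol)


def aggregate_flows(sessions) -> dict:
    """Collapse sessions into flows keyed by 4-tuple, accumulating counters.

    Returns {4-tuple: {"allowed sessions": n, "src bytes": b1,
                       "dst bytes": b2, "bytes": b1 + b2}}.
    """
    flows = defaultdict(lambda: {"allowed sessions": 0,
                                 "src bytes": 0, "dst bytes": 0})
    for s in sessions:
        f = flows[flow_key(s)]
        f["allowed sessions"] += 1          # every 5-tuple is one session
        f["src bytes"] += s.bytes_to_dst
        f["dst bytes"] += s.bytes_from_dst
    for f in flows.values():
        f["bytes"] = f["src bytes"] + f["dst bytes"]   # the lab's "bytes" counter
    return dict(flows)


def outgoing_distribution(flows: dict, src_ip: str) -> dict:
    """Higher-level query built on the counters: bytes a VM sent, by destination IP."""
    dist = defaultdict(int)
    for (s_ip, d_ip, _port, _proto), counters in flows.items():
        if s_ip == src_ip:
            dist[d_ip] += counters["src bytes"]
    return dict(dist)


if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_SESSIONS)
    for key, counters in sorted(flows.items()):
        print(key, counters)
    print("10.0.1.5 outgoing by destination:",
          outgoing_distribution(flows, "10.0.1.5"))
```

With the constructed input, the three ssh sessions collapse into one flow with allowed sessions = 3, which is exactly why flows rather than sessions are the unit you reason about when writing segmentation policy.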

1. Click on the East-West traffic block.

This will bring a new window into view with a detailed analysis of the traffic.


East-West (EW) - Detailed view

This shows only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Without clicking (just hover), move over the timeline to see the rate of flow indicated by the green line for that period.

1. Click the close icon (x) to continue.

Services/Ports


Locating the Services screen for the next step.

Services/Ports - Time line view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The services view screen is used to observe the flow for each service and analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be delivered by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

For traffic communicating over port 5443 in the Last 24 hours, we now have a detailed understanding of how the 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have completed viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the internet and other subnets. The number in parentheses after the network indicates the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To change the view to track flows between Prod-Web and Prod-Midtier, we will be switching from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints, or flows, that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is (ALLOWED) on Port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints, or flows, that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
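The following Python is an added example, not part of this lab or of vRealize Network Insight, that mimics the Recommended Firewall Rules step: it collapses observed flows onto the security groups of their endpoints, so that many flows between Prod-Web and Prod-Midtier become one ALLOW rule per destination service, and it counts unique and external service endpoints the way the Services pane does. The group membership, IP addresses and flow records are constructed sample data, the closing default-deny line is this example's own convention, and the counts it produces are for that sample, not the lab's 50/17/425/6 figures.

```python
"""Recommend allow rules for a security group from observed 4-tuple flows.

Added example, not from the lab guide or from vRealize Network Insight.
GROUP_OF and SAMPLE_FLOWS are constructed sample data.
"""

# Constructed membership: VM IP -> security group. Any IP not listed is
# treated as an external service endpoint (DNS, HTTPS on the internet, ...).
GROUP_OF = {
    "10.0.1.11": "Prod-Web", "10.0.1.12": "Prod-Web", "10.0.1.13": "Prod-Web",
    "10.0.2.21": "Prod-Midtier", "10.0.2.22": "Prod-Midtier",
    "10.0.3.31": "Prod-DB",
}

# Constructed flows: (src_ip, dst_ip, dst_port, protocol, allowed sessions).
SAMPLE_FLOWS = [
    ("10.0.1.11", "10.0.2.21", 8080, "TCP", 340),
    ("10.0.1.12", "10.0.2.21", 8080, "TCP", 210),
    ("10.0.1.13", "10.0.2.22", 8080, "TCP", 95),
    ("10.0.1.11", "10.0.0.2", 53, "UDP", 1200),     # external DNS
    ("10.0.1.12", "10.0.0.2", 53, "UDP", 980),
    ("10.0.1.11", "203.0.113.10", 443, "TCP", 12),  # external HTTPS
    ("10.0.2.21", "10.0.3.31", 5443, "TCP", 60),    # does not touch Prod-Web
]

EXTERNAL = "External"


def group_of(ip: str) -> str:
    """Security group of an endpoint, or External when the IP is unmanaged."""
    return GROUP_OF.get(ip, EXTERNAL)


def recommend_rules(flows, focus_group: str) -> dict:
    """Collapse flows touching focus_group into one ALLOW rule per
    (source group, destination group, port, protocol).

    Returns the rule table plus the two counts the Services pane shows:
    unique service endpoints and external service endpoints.
    """
    rules = {}
    services = set()           # (dst_ip, port, proto) reached by or into the group
    external_services = set()  # subset whose peer belongs to no group
    for src_ip, dst_ip, port, proto, sessions in flows:
        sg, dg = group_of(src_ip), group_of(dst_ip)
        if focus_group not in (sg, dg):
            continue
        services.add((dst_ip, port, proto))
        if EXTERNAL in (sg, dg):
            peer = dst_ip if dg == EXTERNAL else src_ip
            external_services.add((peer, port, proto))
        rule = rules.setdefault((sg, dg, port, proto),
                                {"action": "ALLOW", "flows": 0, "sessions": 0})
        rule["flows"] += 1
        rule["sessions"] += sessions
    return {
        "rules": rules,
        "unique services": len(services),
        "external services": len(external_services),
    }


def render(result: dict) -> list:
    """Human-readable rule lines, busiest first, closing with a default deny
    (the default deny is this example's convention, not from the lab)."""
    ordered = sorted(result["rules"].items(),
                     key=lambda kv: kv[1]["sessions"], reverse=True)
    lines = [f"{r['action']} {sg} -> {dg} {proto}/{port} "
             f"({r['flows']} flows, {r['sessions']} sessions)"
             for (sg, dg, port, proto), r in ordered]
    lines.append("DENY any -> any (default, after the allows above)")
    return lines


if __name__ == "__main__":
    res = recommend_rules(SAMPLE_FLOWS, "Prod-Web")
    print(f"{res['unique services']} unique services, "
          f"{res['external services']} external, {len(res['rules'])} rules")
    print("\n".join(render(res)))
```

For the sample, six flows that touch Prod-Web reduce to three allow rules; the Prod-Midtier to Prod-DB flow is left out because it never involves the focus group, which is the same scoping the lab applies when it focuses on a single group.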

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-Segments, click on the drop-down which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type).

2. Click Search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web, and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action =ALLOW and Port=443 (the search bar uses Auto Fill and predictive text will appear as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step, we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (as we are using static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info Only - Do not click - View / Edit / Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface and makes problem determination and visibility of the firewall and network configurations very easy.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the Favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM to VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

HOL-1829-01-NET

Page 54HOL-1829-01-NET

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square, the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we see the routing table as well as the firewall rules. vRealize Network Insight narrows these down to the firewall rules applicable between the two objects we searched for: there are probably thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, which matters when we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kinds of components as we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface in turn routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it hits on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path topology) shows all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click the browser tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right-click the browser tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the browser tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
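
The AWS Configuration list and the three firewall queries make the same point from two sides: a single missing security group rule leaves the DB tier unable to reach the syslog server while its DNS traffic still works. The Python below is an added example and is not part of this lab manual or of vRealize Network Insight. It transcribes the intended flows from the AWS Configuration list into constructed AWS-style security group rules, removes the one egress rule the administrator forgot, and audits which intended flows the deployed rules would implicitly deny. The security group names (sg-web, sg-db, sg-shared and so on) and the instance names crm-jumpbox and crm-app1 are assumptions made for the example; crm-web1, crm-database, aws-dns-server, aws-log-server and the port numbers come from the lab text.

```python
"""Audit of the CRM VPC policy described in the lab, written as an added example.

Not part of the lab manual or of vRealize Network Insight. AWS security groups are
allow-lists: a flow passes only if the source's group allows the egress AND the
destination's group allows the ingress; anything else is an implicit deny.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SgRule:
    group: str       # security group that owns the rule
    direction: str   # "inbound" or "outbound"
    peer: str        # remote security group the rule refers to
    port: int        # single TCP/UDP port, to keep the model small


# Instance -> security group. Group names and the instances crm-jumpbox and
# crm-app1 are assumptions for this example; the other names are from the lab.
MEMBERSHIP = {
    "crm-jumpbox": "sg-jump",
    "crm-web1": "sg-web",
    "crm-app1": "sg-app",
    "crm-database": "sg-db",
    "aws-dns-server": "sg-shared",   # VPC Common Services
    "aws-log-server": "sg-shared",   # VPC Common Services
}

CRM_TIERS = ("crm-web1", "crm-app1", "crm-database")

# Intended policy, transcribed from the AWS Configuration description.
INTENDED_FLOWS = [
    ("crm-jumpbox", "crm-web1", 80),          # users reach the Web tier via the Jump-box
    ("crm-web1", "crm-app1", 8080),           # Web -> App
    ("crm-app1", "crm-database", 3306),       # App -> DB
    *[("crm-jumpbox", vm, 22) for vm in CRM_TIERS],       # SSH from the Jump-box
    *[(vm, "aws-dns-server", 53) for vm in CRM_TIERS],    # DNS in Common Services
    *[(vm, "aws-log-server", 514) for vm in CRM_TIERS],   # syslog in Common Services
]


def rules_from_policy(flows, membership):
    """Each intended flow needs two rules: egress on the source group and
    ingress on the destination group."""
    rules = set()
    for src, dst, port in flows:
        rules.add(SgRule(membership[src], "outbound", membership[dst], port))
        rules.add(SgRule(membership[dst], "inbound", membership[src], port))
    return rules


# Constructed "as deployed" rule set: the intended rules minus the one egress
# rule the administrator forgot, reproducing the lab's DB -> syslog gap.
DEPLOYED_RULES = rules_from_policy(INTENDED_FLOWS, MEMBERSHIP) - {
    SgRule("sg-db", "outbound", "sg-shared", 514)
}


def flow_allowed(src, dst, port, rules=DEPLOYED_RULES, membership=MEMBERSHIP):
    """True only if both the source egress and the destination ingress rule exist."""
    sg_src, sg_dst = membership[src], membership[dst]
    egress = SgRule(sg_src, "outbound", sg_dst, port) in rules
    ingress = SgRule(sg_dst, "inbound", sg_src, port) in rules
    return egress and ingress


def audit(flows=INTENDED_FLOWS, rules=DEPLOYED_RULES, membership=MEMBERSHIP):
    """Intended flows that the deployed rules implicitly deny."""
    return [f for f in flows if not flow_allowed(*f, rules=rules, membership=membership)]


def rules_between(src, dst, rules=DEPLOYED_RULES, membership=MEMBERSHIP):
    """All rules whose owner and peer are the two VMs' groups, sorted by direction
    and port: the question the lab answers with its 'aws firewall rule where
    src vm = ... and dst vm = ...' search."""
    pair = {membership[src], membership[dst]}
    return sorted((r for r in rules if {r.group, r.peer} == pair),
                  key=lambda r: (r.direction, r.port))


if __name__ == "__main__":
    for src, dst, port in audit():
        print(f"implicit DENY: {src} -> {dst}:{port}")
        for r in rules_between(src, dst):
            print(f"  {r.group} {r.direction} {r.peer}:{r.port}")
```

Running the file lists the one denied flow together with the rules that exist between its two groups, which exposes the asymmetry the lab's last two queries show: sg-shared accepts port 514 from sg-db, but sg-db has no matching egress entry, so the destination's ingress rule alone does nothing. The audit checks both ends of every intended flow for exactly that reason.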


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
  • Module 1 - Micro-Segmentation and Security (30 minutes)
    • Introduction
    • Micro-Segmentation Introduction
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Plan Security
      • Plan Security - Specify a Preset
      • Overview - Traffic Distribution (Left Pane)
      • Traffic Distribution - Overview (Right pane)
      • East-West (EW) - Traffic
      • East-West (EW) - Detailed view
      • Services/Ports
      • Services/Ports - Timeline view
      • Services/Ports - Point in Time Service
      • Flows for Port 5443
      • Flow Key Properties - Timeline view
      • Flow Key Properties - Timeline view
      • Micro-Segments
      • Focus - 101780 Network
      • Focus - VLAN/VXLAN
      • Focus - Prod-Web (25)
      • Flows - Prod-Web to Prod-Midtier
      • Flows - Recommended Firewall Rules
      • Multiple Ports and Firewall rules for Prod-web
      • Services and Flows for Prod-Web
      • Application-Centric Micro-Segmentation
      • Define an Application
      • Security Group Prod_MidTier
      • Results - PROD_MIDTIER
      • Security Group Prod_MidTier - Timeline
      • Security Group Firewall Topology
      • Tracking Prod_MidTier
      • Lab-Midtier
      • Firewall Rule - Tracking
      • Port Search
      • Export Firewall Rules
      • Firewall Rule Membership Change
      • Audit Rule - Firewall Rule Membership Changes
      • User-defined Event
      • Settings
      • System Notifications
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
    • Introduction
    • 360 Network Visibility and Troubleshooting
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Path and Topology
      • Path - Select source and destination
      • Path - source and destination continued
      • Path - source and destination continued
      • Searching for path
      • VM Path Topology and VM Underlay
      • VM Path Topology - Path Details
      • Component Overview
      • Virtual Machine - Details
      • Physical ESXi Hosts
      • Host - Details
      • DVPG on the map
      • DVPG
      • VLAN-629 on the map
      • VLAN Network
      • Switch ports on the map
      • Switch Port
      • Physical VRF on the map
      • VRF - Physical Switch
      • VRF - continued
      • VRF - Physical Router
      • VRF - continued
      • VRF - Physical Switch
      • Accessing the virtual infrastructure
      • VRF - NSX Provider Edge 1
      • VXLAN on the map
      • VXLAN Network
      • VRF - LDR
      • VRF - LDR-Corporate
      • Routing - NSX Firewall
      • Firewall - NSX
      • Redirect on the map - PAN Firewall
      • Firewall - PAN
      • Reversing the analysis
      • Reversing the analysis continued
      • VM Underlay
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 3 - Advanced NSX Management & Operations (45 minutes)
    • Introduction
    • NSX Advanced Management Operations
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Search Bar - NSX Manager
      • NSX Manager Information
      • Timeline - Visual Build-up
      • Topology - Focus on the NSX Controller
      • NSX Controller - Detail
      • Topology - Explained
      • Provider Edge
      • Routers Provider Edge 4
      • Return to Search View - NSX Manager
      • Infrastructure Problems - Warning/Moderate
      • Warning/Moderate Issues
      • Warning/Moderate Issues (Continued)
    • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
    • Introduction
    • Introduction to Managing Security for Public Clouds (AWS)
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • AWS Configuration
      • Plan Security - AWS Cloud
      • Exploring the Three Tier Application - Step by Step
      • Firewall Queries for CRM Application
    • Conclusion
      • For More Information
      • How to End Lab
  • Conclusion

Traffic Distribution - Overview (Right pane)

The Traffic Distribution section is explained in a numbered format below. Use these as a reference and do not click on the links at this stage.

• A - This is the sum of all traffic flows, with the percentage shown as East-West only traffic
• B - This indicates the percent of traffic that was switched
• C - The percentage of traffic that is routed between the East-West ports
• D - This indicates Virtual Machine to Virtual Machine traffic as a percentage of the sum in point number 1
• E - Traffic observed between virtual machines on the same host
• F - Traffic that requires internet access

East-West (EW) - Traffic

In order to view specific details about data flows, click on any of the 6 blocks to get detailed information on flows and sessions (use the [x] in the right corner to close the observation once completed, in order to continue with the next step in this lab). It is important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A Session is a 5-tuple (the source port is one of the five tuples, which means every time a new TCP connection is established and terminated, a new session is recorded).

A Flow is a 4-tuple aggregation of sessions. It combines many 5-tuple sessions into one. It ignores the source port, as the source port is very dynamic, covers a wide range and keeps on changing. As long as multiple sessions have the same source IP, same destination IP, same destination port and same protocol, they will be combined into one record called a flow.

So 1000s of sessions in a day between two machines on a specific destination port (ssh, dns etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in 1 day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used.

Counter names

• allowed sessions - count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
• bytes - total traffic volume exchanged on the flow (this is the sum of the two counters described below)
• src bytes - total bytes sent by the src_ip of the flow to dst_ip/port/protocol
• dst bytes - total bytes received by the src_ip of the flow from dst_ip/port/protocol
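The session-to-flow aggregation and the four counters described above, as an added example in Python. This is not code from the lab guide or from vRealize Network Insight; the session records are constructed sample data, and the counter names follow the list above. It also carries out the "outgoing flows by destination IP" analysis the text mentions.

```python
# Added example (not from the lab guide or the product): aggregate 5-tuple
# sessions into 4-tuple flows and compute the counters the text names
# (allowed sessions, bytes, src bytes, dst bytes).
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A session record: src_ip, src_port, dst_ip, dst_port, protocol,
# bytes sent towards dst, bytes received back from dst.
Session = Tuple[str, int, str, int, str, int, int]
# A flow key drops the source port: src_ip, dst_ip, dst_port, protocol.
FlowKey = Tuple[str, str, int, str]

# Constructed sample data: three SSH sessions and one DNS session from the
# same client, plus one HTTPS session from a second client.
SAMPLE_SESSIONS: List[Session] = [
    ("10.0.1.10", 51234, "10.0.2.20", 22, "TCP", 4200, 18000),
    ("10.0.1.10", 51240, "10.0.2.20", 22, "TCP", 3900, 15500),
    ("10.0.1.10", 51261, "10.0.2.20", 22, "TCP", 5100, 22000),
    ("10.0.1.10", 40011, "10.0.2.53", 53, "UDP", 64, 128),
    ("10.0.1.11", 49152, "10.0.2.20", 443, "TCP", 900, 7300),
]


def aggregate_flows(sessions: Iterable[Session]) -> Dict[FlowKey, Dict[str, int]]:
    """Collapse sessions into flows.

    The source port is left out of the key, so every session sharing
    src_ip/dst_ip/dst_port/protocol lands in one record whose counters
    accumulate: three SSH connections become one flow with 3 allowed sessions.
    """
    flows: Dict[FlowKey, Dict[str, int]] = defaultdict(
        lambda: {"allowed sessions": 0, "src bytes": 0, "dst bytes": 0, "bytes": 0}
    )
    for src_ip, _src_port, dst_ip, dst_port, proto, to_dst, from_dst in sessions:
        rec = flows[(src_ip, dst_ip, dst_port, proto)]
        rec["allowed sessions"] += 1
        rec["src bytes"] += to_dst      # bytes the flow's src_ip sent
        rec["dst bytes"] += from_dst    # bytes the flow's src_ip received
        rec["bytes"] = rec["src bytes"] + rec["dst bytes"]
    return dict(flows)


def outgoing_distribution(flows: Dict[FlowKey, Dict[str, int]], src_ip: str) -> Dict[str, float]:
    """Share of src_ip's outgoing bytes per destination IP, as fractions that
    sum to 1.0 (the higher-level analysis the text mentions). Empty dict if
    the VM has no outgoing flows."""
    per_dst: Dict[str, int] = defaultdict(int)
    for (s, d, _port, _proto), rec in flows.items():
        if s == src_ip:
            per_dst[d] += rec["src bytes"]
    total = sum(per_dst.values())
    return {d: b / total for d, b in per_dst.items()} if total else {}


if __name__ == "__main__":
    for key, counters in aggregate_flows(SAMPLE_SESSIONS).items():
        print(key, counters)
    print(outgoing_distribution(aggregate_flows(SAMPLE_SESSIONS), "10.0.1.10"))
```

Running the block prints three flows for the five sessions; the SSH flow carries 3 allowed sessions and 68700 bytes, and almost all of the first client's outgoing bytes go to 10.0.2.20.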

1 Click on the East-West traffic block

This will bring a new window into view with detailed analysis of the traffic


East-West (EW) - Detailed view

This is only a few of the 1653 flows, but the detailed views and filters can be used to narrow down more specific information.

A - Hover (without clicking) over the timeline to see the rate of flow, indicated by the green line, for that period

1 Click the close icon (x) to continue

Services/Ports


Locating the Services screen for the next step

Services/Ports - Timeline view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and analyzes a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1 Click Show Data


Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be delivered by hovering over a particular section.

1 Hover to gain focus over the blue block above port 5443 and notice it presents, on demand, the sum total of flows for the last 24 hours in Gigabytes (GB) communicating over port 5443

2 Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information


Flows for Port 5443

Communicating over port 5443 for the Last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1 Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry)

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1 Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time

Flow Key Properties - Timeline view

1 Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows)


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that will focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1 Select Last 1 Day (to clear the previous data range)
2 Select the drop-down box and then select by Subnet
3 We can further analyze micro-segments by secondary groups (this step is for information only)
4 Click Analyze to populate the data


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, internet and other subnets. The parentheses after the network will indicate the number of virtual machines. The coloured lines will indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

Changing the view to track flows between Prod-Web and Prod-Midtier, we will be switching from Subnet view to VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1 From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update)


Focus - Prod-Web (25)

1 Hover over Prod-Web
2 Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why
3 Click on the line joining Prod-Web and Prod-Midtier

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1 Click on the recommended firewall rules

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is (ALLOWED) on Port 8080 between SG Prod-Web and SG-Prod-Midtier.

1 Click the close icon (x) to continue


Multiple Ports and Firewall rules for Prod-web

1 Click on the Prod-Web group

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1 Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included

2 Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and includes the port information (DNS, HTTPS etc.)

3 Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group

4 Click the close icon (x) to continue
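How observed group-to-group flows collapse into a short list of allow rules, as in the Prod-Web to Prod-Midtier recommendation on port 8080 and the per-group Recommended Firewall Rules pane above. This is an added Python example and not vRealize Network Insight's own recommendation logic; the VM names, group membership and flow records are constructed sample data that only loosely follow the lab's naming.

```python
# Added example (not the product's algorithm): derive the minimum set of
# group-to-group allow rules from observed VM-to-VM flows. All data below is
# constructed; group names resemble the lab's but are not taken from it.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed VM -> security group membership.
VM_GROUP: Dict[str, str] = {
    "Prod-Web-1": "Prod-Web", "Prod-Web-2": "Prod-Web",
    "Prod-Mid-1": "Prod-Midtier", "Prod-Mid-2": "Prod-Midtier",
    "Prod-DB-1": "Prod-DB",
}

# Constructed observed flows: (src_vm, dst_vm, dst_port, protocol, sessions).
# The last entry goes to an endpoint that belongs to no group (external).
FLOWS: List[Tuple[str, str, int, str, int]] = [
    ("Prod-Web-1", "Prod-Mid-1", 8080, "TCP", 120),
    ("Prod-Web-2", "Prod-Mid-2", 8080, "TCP", 95),
    ("Prod-Web-1", "Prod-Mid-2", 8080, "TCP", 40),
    ("Prod-Mid-1", "Prod-DB-1", 5443, "TCP", 300),
    ("Prod-Mid-2", "Prod-DB-1", 5443, "TCP", 280),
    ("Prod-Web-1", "198.51.100.53", 53, "UDP", 12),
]


def recommend_rules(flows, vm_group: Dict[str, str], external: str = "External") -> List[dict]:
    """Collapse VM-to-VM flows into allow rules keyed by
    (source group, destination group, protocol). Every port seen for that
    pair is merged into one rule, so three web->midtier flows on 8080 become a
    single rule. Endpoints with no group are labelled as external."""
    ports: Dict[Tuple[str, str, str], Set[int]] = defaultdict(set)
    sessions: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for src, dst, port, proto, count in flows:
        key = (vm_group.get(src, external), vm_group.get(dst, external), proto)
        ports[key].add(port)
        sessions[key] += count
    rules = []
    for (sg, dg, proto), pset in sorted(ports.items()):
        rules.append({
            "source": sg, "destination": dg, "protocol": proto,
            "ports": sorted(pset), "action": "ALLOW",
            "observed_sessions": sessions[(sg, dg, proto)],
        })
    return rules


def rules_for_group(rules: List[dict], group: str) -> List[dict]:
    """Rules in which the group appears as source or destination, i.e. the
    per-group view the lab shows when you focus on Prod-Web."""
    return [r for r in rules if group in (r["source"], r["destination"])]


if __name__ == "__main__":
    for rule in recommend_rules(FLOWS, VM_GROUP):
        print(rule)
```

The rule set is the allow-list a default-deny policy between these groups would need; anything not in it (for example Prod-Web talking to Prod-DB directly) was never observed and stays blocked, which is the point of planning segmentation from measured flows rather than from assumptions.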

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic/flows between the tiers of the same application. The traffic/flows can also be visualized between applications.

1 Under Micro-segments, click on the drop-down which says by VLAN/VXLAN
2 Click on by Application

1 Hover over Prod-App (47) (do not click at this stage)
2 Click on Keep Focus

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application

Define an Application

1 In the search bar, type Application
2 Click the Search button

1 The Application search will return 4 entities, i.e. applications already created in the system for you

2 This page also lets you create a new application - click on Add Application


1 Under Application Name, type HOL-Pre-Prod
2 Under Tier, type the Name as HOL-Pre-Prod
3 Our search criteria will be based on VM Names. Under Virtual Machines IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you)

4 Do not Save. Click Cancel, which will take you to the previous screen

1 Here you can see the number of entities has increased by 1, i.e. 5 entities
2 You can also see HOL-Pre-Prod in the list

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1 Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type)

2 Click search to continue


The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and once completed:

1 Click the close icon (x) to continue

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1 Click on Prod_MidTier to continue

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group page provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view will enable the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1 Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step)

1 In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web, and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group

2 Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise


Tracking Prod_MidTier

1 Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web

A Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group

B Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints

C Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency

D Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web

E Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2 Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new TAB will open at the top of the screen

Lab-Midtier

1 Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2 When you are done with the current view, close this tab in Chrome and return to the original view

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1 Type into the search bar

Firewall rule where action =ALLOW and Port=443 (the search bar uses Auto Fill and predictive text will appear as you type)

2 Click search to continue

As you type notice all the different permutations of queries that can be assembled


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1 Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information

2 Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point

3 For the next step we will return to the top search bar

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1 Type

Firewall Rule Membership Change

2 Select the Date/Time window
3 Click Between. Select the Date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes)
4 Click search

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
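The membership-change audit described here, together with the direct versus indirect rule impact introduced under Tracking Prod_MidTier, as an added Python example. This is not the product's own event logic; the two membership snapshots, the parent/child container topology and the rule list are constructed sample data, and the group names only echo the lab's. It shows why a change to a child group surfaces as an indirect change on every rule that references a parent group.

```python
# Added example (not the product's logic): compare two snapshots of security
# group membership, resolve nested (child) groups to an effective VM set, and
# report which firewall rules are directly or indirectly affected.
from typing import Dict, List, Optional, Set

# Constructed snapshots: group -> direct member VMs, before and after a change.
# Prod_All has no direct members; it only nests the two other groups.
BEFORE_VMS: Dict[str, Set[str]] = {
    "Prod_Web": {"Prod-Web-1", "Prod-Web-2"},
    "Prod_MidTier": {"Prod-Mid-1"},
    "Prod_All": set(),
}
AFTER_VMS: Dict[str, Set[str]] = {
    "Prod_Web": {"Prod-Web-1", "Prod-Web-2", "Prod-Web-3"},
    "Prod_MidTier": {"Prod-Mid-1"},
    "Prod_All": set(),
}
# Constructed container topology: parent group -> child groups.
CHILDREN: Dict[str, Set[str]] = {
    "Prod_All": {"Prod_Web", "Prod_MidTier"}, "Prod_Web": set(), "Prod_MidTier": set(),
}
# Constructed firewall rules referencing the groups (ids are placeholders).
RULES: List[dict] = [
    {"id": 1001, "source": "Prod_Web", "destination": "Prod_MidTier", "port": 8080},
    {"id": 1002, "source": "Prod_MidTier", "destination": "Prod_DB", "port": 5443},
    {"id": 1003, "source": "Prod_All", "destination": "Internet", "port": 443},
]


def translated_vms(group: str, direct: Dict[str, Set[str]], children: Dict[str, Set[str]],
                   seen: Optional[Set[str]] = None) -> Set[str]:
    """Effective ("translated") VM set of a group: its direct members plus the
    members of every nested child group. A visited set guards against cycles."""
    if seen is None:
        seen = set()
    if group in seen:
        return set()
    seen.add(group)
    vms = set(direct.get(group, set()))
    for child in children.get(group, set()):
        vms |= translated_vms(child, direct, children, seen)
    return vms


def membership_changes(before: Dict[str, Set[str]], after: Dict[str, Set[str]],
                       children: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Groups whose effective membership differs between the snapshots.
    'direct' is True when the group's own member list changed, False when the
    difference is inherited from a child group."""
    changes: Dict[str, dict] = {}
    for g in set(before) | set(after):
        b = translated_vms(g, before, children)
        a = translated_vms(g, after, children)
        if a != b:
            changes[g] = {
                "added": sorted(a - b), "removed": sorted(b - a),
                "direct": before.get(g, set()) != after.get(g, set()),
            }
    return changes


def impacted_rules(changes: Dict[str, dict], rules: List[dict]) -> List[dict]:
    """Rules whose source or destination group changed, labelled direct or
    indirect, which is the audit view the lab's event list presents."""
    out = []
    for r in rules:
        for side in ("source", "destination"):
            g = r[side]
            if g in changes:
                out.append({"rule": r["id"], "group": g, "side": side,
                            "kind": "direct" if changes[g]["direct"] else "indirect"})
    return out


if __name__ == "__main__":
    diff = membership_changes(BEFORE_VMS, AFTER_VMS, CHILDREN)
    print(diff)
    print(impacted_rules(diff, RULES))
```

Adding one VM to Prod_Web changes two rules: rule 1001 directly, and rule 1003 indirectly because Prod_All nests Prod_Web. Nothing in Prod_All's own configuration changed, which is exactly the case a per-group audit misses and an effective-membership audit catches.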


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1 Click the Notifications icon to create an event. The notifications screen will pop up

2 Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps

3 Once completed click save


Settings

You can view any of your previously configured User-defined Events, in order to edit or activate the Event parameters, by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1 Click in the search bar and type Settings
2 Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change)
3 Info Only - Do not click - View, Edit or Activate any notifications

Note that we have 2 types of notification: User-defined and System Events.

4 Click the System Events


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome Web browser

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface that simplifies problem determination as well as visibility of the firewall and network configurations.

This Module contains the following lessons

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1 Open Chrome on the Control Center Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the Favorites Bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1
3 Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups etc., but in this module we will only be focusing on the path.

From the main console

1 Click on Path and Topology
2 Click on Path

Path - Select source and destination

In the pop-up box

1 Click on the grey field below Source
2 Type dba into the source field and DBAdmin-VM1 will appear
3 Click on DBAdmin-VM1 to select it


Path - source and destination continued

After selecting the source machine the destination box will automatically appear

1 Type prod in the destination field and the list of available options will appear

2 Select Prod-Db-2

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1 Click on Submit

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1 VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information

2 VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved

In the field named VM Path Topology

1 Click on the three dots in the top right corner of the field
2 Click Maximize

The view will change and the route will be drawn on the map


VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map will indicate the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1 Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details


Component Overview

On the VM topology map

1 Click on the top left icon marked with a red square: the virtual machine DBAdmin-VM1

Virtual Machine - Details


A pop-up box will appear with the virtual machine details in it. This information includes many details made available by VMware Tools; we can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear instead. When auditing, treat Unknown as no distributed firewall coverage rather than as a healthy state.

1 When done reviewing, close the pop-up window by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1 Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the chassis and the blade that this ESXi host is running on. In a real-life environment we could follow the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is Unknown and the Number of VTEPs is 0.

1 When done reviewing, click on the (X) in the top right corner


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1 On the map, click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box will appear that contains the DVPG details

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled on the port group. IPFIX export from the distributed switch is the source of the flow data vRealize Network Insight uses; a port group without it contributes no flows to the analysis.

1 When done reviewing, click on the (X) in the top right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1 On the map, click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box will appear that contains the physical VLAN details


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment. Together, B through D describe a single Layer 2 broadcast domain: without a firewall in the path, every VM on this VLAN can reach every other one.

1 When done reviewing click on the (X) in the top right corner

Switch ports on the map

1 From the map, click on the icon marked by a red square to select the switch port for the VM


Switch Port

A pop-up box will appear that contains the Switch Port details

In this view we are looking purely at Layer 3 and the connectivity to those Layer 3 devices. Later in this module we will see some of the Layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


Physical VRF on the map

1 From the map, click on the icon marked by a red square to access the physical VRF details


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


VRF - continued

1 From the map, click on the icon marked by a red square to access the next physical VRF in the path


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details

In this scenario the second hop from the physical network perspective is a Palo Alto Networks device. In this view we will see the routing table as well as the firewall rules. The firewall rules shown are only those applicable between the two objects we searched for: a normal network will have thousands of firewall rules, but these are the rules that affect the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box

Note: The Palo Alto Networks integration showcased is in beta testing.

VRF - continued

1 From the map, click on the icon marked by a red square to access the next physical VRF in the path


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, which matters when we are changing from one vendor to another.

1 When done reviewing, click on the (X) in the top right corner


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kind of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse over) the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1 From the map, click on the icon marked by a red square to access the next VRF in the path


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


VXLAN on the map

1 On the map, click on the blue line marked by a red square to access the VXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the underlay VLAN IDs, the subnet and the underlay subnet.

C - We also have visibility into which primary controller it is using, and the hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box
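The VXLAN details shown here (segment ID, underlay VLAN, VTEPs, overlay and underlay subnets) are exactly the fields carried in the encapsulation on the wire. The following Python script is an added example, not part of this lab or of vRealize Network Insight: it decodes a VXLAN-encapsulated frame and returns the underlay VLAN, the VTEP pair, the VNI (segment ID) and the inner VM addresses. The frame it decodes is constructed inline with struct.pack, and every MAC, IP, VLAN and VNI value in it is assumed for illustration.

```python
"""Decode a VXLAN-encapsulated frame into the overlay/underlay fields vRNI displays.

Added example, not part of this lab or of vRealize Network Insight.  The frame is
constructed inline with struct.pack; every MAC, IP, VLAN and VNI value is assumed.
"""
import struct
from typing import Dict, Optional, Tuple

VXLAN_UDP_PORT = 4789
ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_UDP = 17


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ethernet(buf: bytes, off: int) -> Tuple[str, str, Optional[int], int, int]:
    """Return (dst_mac, src_mac, vlan_id or None, ethertype, offset after header)."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", buf, off)
    off += 14
    vlan = None
    if ethertype == ETH_P_8021Q:          # 802.1Q tag: TCI, then the real ethertype
        tci, ethertype = struct.unpack_from("!HH", buf, off)
        vlan = tci & 0x0FFF
        off += 4
    return _mac(dst), _mac(src), vlan, ethertype, off


def parse_ipv4(buf: bytes, off: int) -> Tuple[str, str, int, int]:
    """Return (src_ip, dst_ip, protocol, offset after header); honours IHL."""
    ver_ihl, proto = buf[off], buf[off + 9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    return _ip(buf[off + 12:off + 16]), _ip(buf[off + 16:off + 20]), proto, off + ihl


def decode_vxlan_frame(frame: bytes) -> Dict[str, object]:
    """Walk outer Ethernet/802.1Q -> IPv4 -> UDP -> VXLAN -> inner Ethernet -> IPv4."""
    _, _, vlan, etype, off = parse_ethernet(frame, 0)
    if etype != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    vtep_src, vtep_dst, proto, off = parse_ipv4(frame, off)
    if proto != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    _, dport, _, _ = struct.unpack_from("!HHHH", frame, off)
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    off += 8
    if not frame[off] & 0x08:              # VXLAN I flag: VNI field is valid
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(frame[off + 4:off + 7], "big")   # 24-bit segment ID
    off += 8
    inner_dst, inner_src, _, inner_etype, off = parse_ethernet(frame, off)
    if inner_etype != ETH_P_IP:
        raise ValueError("inner frame is not IPv4")
    vm_src, vm_dst, inner_proto, _ = parse_ipv4(frame, off)
    return {
        "underlay_vlan": vlan, "vtep_src": vtep_src, "vtep_dst": vtep_dst,
        "vni": vni, "vm_src_mac": inner_src, "vm_dst_mac": inner_dst,
        "vm_src": vm_src, "vm_dst": vm_dst, "inner_proto": inner_proto,
    }


def build_sample_frame() -> bytes:
    """Constructed sample (assumed values): VM 10.17.80.11 -> 10.17.81.22 in VNI 5001,
    carried between VTEPs 192.168.250.11 -> 192.168.250.12 on underlay VLAN 10."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                           bytes([10, 17, 80, 11]), bytes([10, 17, 81, 22]))
    inner_eth = struct.pack("!6s6sH", bytes.fromhex("005056b1aa22"),
                            bytes.fromhex("005056b1aa11"), ETH_P_IP)
    vxlan = struct.pack("!B3s3sB", 0x08, b"\x00" * 3, (5001).to_bytes(3, "big"), 0)
    payload = vxlan + inner_eth + inner_ip
    udp = struct.pack("!HHHH", 51234, VXLAN_UDP_PORT, 8 + len(payload), 0)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                           0, 0, 64, IPPROTO_UDP, 0,
                           bytes([192, 168, 250, 11]), bytes([192, 168, 250, 12]))
    outer_eth = struct.pack("!6s6sHHH", bytes.fromhex("0017c5de0002"),
                            bytes.fromhex("0017c5de0001"), ETH_P_8021Q, 10, ETH_P_IP)
    return outer_eth + outer_ip + udp + payload


if __name__ == "__main__":
    for key, value in decode_vxlan_frame(build_sample_frame()).items():
        print(f"{key:14} {value}")
```

Running the script prints the decoded fields for the constructed frame. The security point it makes plain: the only thing binding a VM frame to a segment is the 3-byte VNI in the UDP payload. VXLAN carries no authentication, so anything that can reach the VTEP underlay subnet and send UDP/4789 can inject frames into any VNI; the underlay VLAN and VTEP subnet listed in this pop-up need to be controlled as tightly as the overlay segments themselves.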

VRF - LDR

1 From the map, click on the icon marked by a red square to access the VRF details


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network of that physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto Networks and one firewall from NSX.

1 From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two)


Firewall - NSX

A pop-up box will appear that contains the Firewall details

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one from Palo Alto Networks and one from NSX. We are now going to look into the details of the lower firewall.

1 From the map, click on the icon marked by a red square to access the Palo Alto Networks firewall details (the lower one of the two)

Firewall - PAN


In this scenario we also have a Palo Alto Networks VM-based firewall that NSX offloads traffic to. The redirect feature lets the NSX firewall steer selected traffic to the PAN firewall for inspection, which is why both firewalls appear in the path.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box

Reversing the analysis

1 In the section marked by a red square in the picture, click on the arrow pointing left

The route on the map will change


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life. Asymmetric paths like this matter for stateful firewalls, which may drop return traffic for a session they never saw the first packet of, so verify both directions when validating a rule.

Please continue to the next step to conclude this module


VM Underlay

Lets now focus on VM Underlay

1 The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved
2 The VM Underlay path topology is shown here
3 The components are labeled under Path Details


1 In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges
2 For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses

1 From the previous step we selected the Prod-DB-2 virtual machine
2 This changes the focus to the corresponding interface IP address (vNIC)
3 The visual map (Path Topology) shows all the path objects
4 Path Details shows the labels and lists the components

This concludes this module Please continue to the next module


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components used in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit www.vmware.com (vRealize Network Insight).

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1 Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen


1 Type NSX Manager (this will list three NSX Managers)
2 Click Search

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that we have 50 problems associated with this endpoint.

1 Click on the NSX Manager address to expose the layout and detailed information


Timeline - Visual Build-up

Explore information only - Do not click

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1 Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order)


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise. Note that while a controller is out of sync, the VTEP, MAC and ARP tables it distributes to hosts may be stale, so connectivity conclusions drawn for that transport zone should be rechecked once it recovers.

1 Click the close sign (x) to continue


Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1 Click the edge VMs icon to see detailed information about the edge services


Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all the edge-related activities.

1 Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button (click once) to return to the NSX Manager information screen


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section

1 Click and select Warning/Moderate to view problem areas

Warning/Moderate Issues

1 Use the blue + icon to expand the detailed view of Logical networking out of sync between host and NSX Controller


WarningModerate Issues (Continued)

When you expand the details you can analyse full detail of warning

In this view vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis much easier.

1 Click the close sign (x) to continue


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1 Click here to open the interactive simulation. It will open in a new browser window or tab.

2 When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information try one of these

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the right hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre desktop

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1 Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1 We have an on-premises instance of vRealize Network Insight managing AWS
2 There are two VPCs, i.e. CRM and Common Services


3 VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB
4 Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump box
5 Web tier talks to App tier on port 8080
6 App tier talks to DB tier on port 3306
7 Web tier is open to internal datacenter VMs on port 80
8 From the jump box in VPC CRM, all virtual machines have SSH access on port 22
9 All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services
10 This means a connection from the DB to the log server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Define an Application).


1 In vRealize Network Insight, click on Plan Security

From the Plan Security dialogue box, under Entity select:


1 Application
2 CRM
3 Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1 Please note that micro-segments are already filtered by Tier
2 Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally)
3 App (App tier talks to DB tier on port 3306)
4 DB (DB tier talks to the log servers) - This is the problem area we are going to explore

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the yellow line to explore the flows. This will reveal flows from Web to App


1 The Web tier talks to the App tier on port 8080
2 Click X to continue


1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from App to DB


1 The App tier talks to the DB tier on port 3306
2 Click X to continue


1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App


1 DC Virtual (jump box) talks to the App tier on port 22
2 Click X to continue


1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual


1 The App tier talks to Shared Virtual on port 53 (DNS) and port 514 (syslog)
2 Click X to continue


1 Hover over the DB micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual

1 By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2 Click X to continue

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog). A missing flow on its own does not prove a firewall block (the host might simply not be sending), which is why the rule queries that follow are needed to confirm the cause.


1 In the Chrome web browser, right-click on the tab
2 Select Duplicate from the menu

1 Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB)
2 Click Search
3 Click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which prevents crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (database) to aws-log-server (syslog server). AWS security groups contain only allow rules, so the DENY shown here is the implicit default for traffic that no rule permits.


1 In the Chrome web browser, right-click on the tab
2 Select Duplicate from the menu


1 Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2 Click Search
3 This will return 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server

1 In the Chrome web browser, right-click on the tab
2 Select Duplicate from the menu

1 Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2 Click Search
3 This will return 2 results, both outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server. Compare this with the previous query: the inbound rule on aws-log-server that crm-web1 matched has no counterpart for crm-database, and that missing inbound rule is the gap.
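The three queries above reproduce, in the vRNI search language, a check an engineer can also script: build the intended flow matrix from the VPC description at the start of this module and evaluate it against the security-group rules. The Python script below is an added example, not part of this lab, of vRealize Network Insight or of any AWS tooling. Its instance names follow the lab (crm-web1, crm-database, aws-log-server), while the IPs, security-group IDs and the rule set are constructed to match the lab's description; syslog is assumed to be UDP/514 and outbound rules are assumed to be allow-all, which is the AWS default.

```python
"""Evaluate an intended flow matrix against AWS-style security-group rules.

Added example, not part of the lab, of vRealize Network Insight or of AWS tooling.
All data below is constructed to mirror the lab's CRM VPC description; IPs,
group IDs and rule details are assumed values, and syslog is assumed to be UDP/514.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp" or "-1" (any protocol)
    from_port: int
    to_port: int
    source: str       # CIDR block or the id of a source security group


# Instance name -> (private IP, security groups).  Constructed values.
INSTANCES: Dict[str, Tuple[str, List[str]]] = {
    "jump-box":       ("10.20.0.5",  ["sg-jump"]),
    "crm-web1":       ("10.20.1.10", ["sg-web"]),
    "crm-midtier1":   ("10.20.2.10", ["sg-app"]),
    "crm-database":   ("10.20.3.10", ["sg-db"]),
    "aws-dns-server": ("10.30.0.53", ["sg-shared"]),
    "aws-log-server": ("10.30.0.54", ["sg-shared"]),
}

# Inbound rules per security group.  Outbound is assumed allow-all (AWS default),
# so reachability is decided by the destination's inbound rules.
INBOUND: Dict[str, List[Rule]] = {
    "sg-jump":   [],
    "sg-web":    [Rule("tcp", 80, 80, "10.0.0.0/8"), Rule("tcp", 22, 22, "sg-jump")],
    "sg-app":    [Rule("tcp", 8080, 8080, "sg-web"), Rule("tcp", 22, 22, "sg-jump")],
    "sg-db":     [Rule("tcp", 3306, 3306, "sg-app"), Rule("tcp", 22, 22, "sg-jump")],
    "sg-shared": [Rule("udp", 53, 53, "10.20.0.0/16"),
                  Rule("udp", 514, 514, "sg-web"),
                  Rule("udp", 514, 514, "sg-app")],   # no 514 rule for sg-db: the lab's gap
}

# Intended flows from the lab's VPC description: (src, dst, proto, port).
EXPECTED: List[Tuple[str, str, str, int]] = [
    ("jump-box", "crm-web1", "tcp", 80),
    ("crm-web1", "crm-midtier1", "tcp", 8080),
    ("crm-midtier1", "crm-database", "tcp", 3306),
    ("jump-box", "crm-web1", "tcp", 22),
    ("jump-box", "crm-midtier1", "tcp", 22),
    ("jump-box", "crm-database", "tcp", 22),
] + [(tier, svc, "udp", port)
     for tier in ("crm-web1", "crm-midtier1", "crm-database")
     for svc, port in (("aws-dns-server", 53), ("aws-log-server", 514))]


def rule_matches(rule: Rule, src_ip: str, src_groups: List[str], proto: str, port: int) -> bool:
    """A rule matches on protocol, port range and source (CIDR or group membership)."""
    if rule.proto != "-1":
        if rule.proto != proto or not rule.from_port <= port <= rule.to_port:
            return False
    if rule.source.startswith("sg-"):
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def is_allowed(src: str, dst: str, proto: str, port: int,
               instances=INSTANCES, inbound=INBOUND) -> Optional[Rule]:
    """Return the first inbound rule on dst that admits src, or None (implicit deny)."""
    src_ip, src_groups = instances[src]
    _, dst_groups = instances[dst]
    for group in dst_groups:
        for rule in inbound.get(group, []):
            if rule_matches(rule, src_ip, src_groups, proto, port):
                return rule
    return None


def find_gaps(expected=EXPECTED, instances=INSTANCES, inbound=INBOUND):
    """Expected flows that no inbound rule allows: what vRNI surfaced as DENY."""
    return [f for f in expected
            if is_allowed(*f, instances=instances, inbound=inbound) is None]


def with_rule(inbound: Dict[str, List[Rule]], group: str, rule: Rule) -> Dict[str, List[Rule]]:
    """Copy of the rule set with one extra inbound rule (the remediation)."""
    fixed = {g: list(rules) for g, rules in inbound.items()}
    fixed.setdefault(group, []).append(rule)
    return fixed


if __name__ == "__main__":
    for src, dst, proto, port in find_gaps():
        print(f"DENY {src} -> {dst} {proto}/{port}: no inbound rule on {INSTANCES[dst][1]}")
    fixed = with_rule(INBOUND, "sg-shared", Rule("udp", 514, 514, "sg-db"))
    print("gaps after fix:", find_gaps(inbound=fixed))
```

find_gaps() reports the one expected flow with no matching inbound rule, crm-database to aws-log-server on UDP/514, and with_rule() shows that a single inbound rule on the shared group referencing sg-db closes it. Evaluating rules against an explicit list of intended flows, rather than reading the rule set on its own, is what turns "the DB sends no syslog" into "the log server's group never admits sg-db", the same conclusion the three vRNI queries reach.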


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226


  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

important to understand the entire distribution of flows and sessions in order to build an informed strategy to achieve micro-segmentation.

A session is a 5-tuple. Because the source port is one of the five fields, every time a new TCP connection is established and terminated, a new session is recorded.

A flow is a 4-tuple aggregation of sessions: it combines many 5-tuple sessions into one. It ignores the source port, since the source port is very dynamic, comes from a wide range and keeps on changing. As long as multiple sessions have the same source IP, the same destination IP, the same destination port and the same protocol, they will be combined into one record called a flow.

So thousands of sessions in a day between two machines on a specific destination port (ssh, dns, etc.) would be combined into one flow, with an aggregate count of packets, bytes and sessions between them recorded as additional flow information.

In any enterprise, how many sessions happen in one day varies a lot. Flows are more manageable units and matter most for policy definitions and micro-segmentation.

If one wants to see statistics of these flows, like bytes transferred or number of sessions (or even use these counters along with other query operations for higher-level analysis, like determining the distribution of a virtual machine's outgoing flows by destination IP), the following metric counters can be used:

Counter names

  • allowed sessions - count of sessions (or 5-tuples) corresponding to a flow (4-tuple)
  • bytes - total traffic volume exchanged on the flow (this is the sum of the two counters described below)
  • src bytes - total bytes sent by src_ip of the flow to dst_ip/port/protocol
  • dst bytes - total bytes received by src_ip of the flow from dst_ip/port/protocol
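
As an added illustration of the session-to-flow aggregation and the four counters just described (this is example code written for this guide, not vRealize Network Insight's own implementation or output), the following Python folds constructed 5-tuple session records into 4-tuple flows and then uses the counters for the higher-level analysis mentioned above: the distribution of one VM's outgoing flows by destination IP. The IP addresses, ports and byte counts are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample session records (not lab data). Each is a 5-tuple session
# plus two byte counters: bytes sent by src_ip to dst_ip, and bytes sent back.
# Tuple layout: (src_ip, dst_ip, src_port, dst_port, protocol, to_dst, from_dst)
SESSIONS = [
    ("10.0.1.10", "10.0.2.20", 51234, 5443, "tcp", 1200, 8400),
    ("10.0.1.10", "10.0.2.20", 51235, 5443, "tcp", 900, 6100),
    ("10.0.1.10", "10.0.2.20", 51290, 5443, "tcp", 1500, 9900),
    ("10.0.1.10", "10.0.2.20", 40001, 22, "tcp", 3000, 12000),
    ("10.0.1.11", "10.0.2.20", 51234, 5443, "tcp", 700, 5000),
    ("10.0.1.10", "10.0.3.53", 33000, 53, "udp", 80, 200),
    ("10.0.1.10", "10.0.3.53", 33001, 53, "udp", 80, 200),
]


@dataclass
class Flow:
    """Counters kept per 4-tuple flow, named after the counters in the text."""
    allowed_sessions: int = 0   # number of 5-tuple sessions folded into this flow
    src_bytes: int = 0          # bytes sent by src_ip to dst_ip/port/protocol
    dst_bytes: int = 0          # bytes received by src_ip from dst_ip/port/protocol

    @property
    def bytes(self) -> int:
        # "bytes" is the sum of the two directional counters
        return self.src_bytes + self.dst_bytes


def aggregate_flows(sessions):
    """Fold 5-tuple sessions into 4-tuple flows, dropping the source port."""
    flows = defaultdict(Flow)
    for src_ip, dst_ip, _src_port, dst_port, proto, to_dst, from_dst in sessions:
        key = (src_ip, dst_ip, dst_port, proto)   # the 4-tuple flow key
        flow = flows[key]
        flow.allowed_sessions += 1
        flow.src_bytes += to_dst
        flow.dst_bytes += from_dst
    return dict(flows)


def outgoing_by_destination(flows, src_ip):
    """Distribution of one VM's outgoing flows by destination IP, in bytes."""
    dist = defaultdict(int)
    for (s_ip, d_ip, _port, _proto), flow in flows.items():
        if s_ip == src_ip:
            dist[d_ip] += flow.bytes
    return dict(dist)


if __name__ == "__main__":
    flows = aggregate_flows(SESSIONS)
    for key, flow in sorted(flows.items()):
        print(key, flow.allowed_sessions, flow.bytes, flow.src_bytes, flow.dst_bytes)
    print(outgoing_by_destination(flows, "10.0.1.10"))
```

With the seven constructed sessions, the three port 5443 sessions from 10.0.1.10 collapse into a single flow with allowed sessions = 3, which is exactly the reduction the text describes; the per-destination totals are what a "by destination IP" distribution query would return.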

1 Click on the East-West traffic block

This will bring a new window into view with detailed analysis of the traffic

East-West (EW) - Detailed view

This is only a few of the 1653 flows, but the detailed views and filters can be used to narrow down to more specific information.

A - Without clicking, just hover over the timeline to see the rate of flow for that period, indicated by the green line.

1 Click the close icon (x) to continue

Services/Ports

Locating the Services screen for the next step

Services/Ports - Timeline view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The services view is used to observe the flow for each service and analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1 Click Show Data

Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be read by hovering over a particular section.

1 Hover over the blue block above port 5443 and notice that it presents on demand the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443

2 Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information

Flows for Port 5443

Communicating over port 5443 for the last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1 Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry)

Flow Key Properties - Timeline view

Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1 Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time

Flow Key Properties - Timeline view

1 Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows)

Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1 Select Last 1 Day (to clear the previous data range)

2 Select the drop down box and then select by Subnet

3 We can further analyze micro-segments by secondary groups (this step is for information only)

4 Click Analyze to populate the data

Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical, shared resources, internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.

Focus - VLAN/VXLAN

Changing the view to track flows between Prod-Web and Prod-Midtier, we will be switching from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1 From the filter drop down, select the VLAN/VXLAN option (the view will automatically update)

Focus - Prod-Web (25)

1 Hover over Prod-Web

2 Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why

3 Click on the line joining Prod-Web and Prod-Midtier

Flows - Prod-Web to Prod-Midtier

( A ) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1 Click on the recommended firewall rules

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG-Prod-Midtier.

1 Click the close icon (x) to continue

Multiple Ports and Firewall rules for Prod-web

1 Click on the Prod-Web group

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

1 Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included

2 Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS, etc.)

3 Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group

4 Click the close icon (x) to continue
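
The recommendations above are generated by the product from the observed flows. As an added example written for this guide (not vRealize Network Insight's own algorithm, whose grouping logic this page does not describe), the following Python derives a minimal set of group-to-group ALLOW rules from constructed flow records and a constructed VM-to-security-group mapping, then checks that every observed flow is still permitted by the proposed rules before the default DENY applies. Emitting one rule per source/destination group pair, carrying the set of observed services, is this example's assumption; the IPs, group names and flows are constructed sample data.

```python
from collections import defaultdict

# Constructed VM-to-security-group mapping (not lab data). Addresses outside the
# mapping are treated as external endpoints.
VM_GROUP = {
    "10.0.1.10": "Prod-Web",
    "10.0.1.11": "Prod-Web",
    "10.0.2.20": "Prod-Midtier",
    "10.0.2.21": "Prod-Midtier",
    "10.0.3.30": "Prod-DB",
}

# Constructed 4-tuple flows, as Plan Security would have aggregated them:
# (src_ip, dst_ip, dst_port, protocol)
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8080, "tcp"),
    ("10.0.1.11", "10.0.2.21", 8080, "tcp"),
    ("10.0.2.20", "10.0.3.30", 5443, "tcp"),
    ("10.0.2.21", "10.0.3.30", 5443, "tcp"),
    ("10.0.1.10", "192.0.2.53", 53, "udp"),   # external DNS endpoint
    ("10.0.1.10", "10.0.1.11", 22, "tcp"),    # flow inside the Prod-Web group
]

EXTERNAL = "External"


def group_of(ip, vm_group):
    return vm_group.get(ip, EXTERNAL)


def recommend_rules(flows, vm_group):
    """One ALLOW rule per (source group, destination group) pair, carrying the set
    of observed services, followed by a default DENY. The per-pair grouping is
    this example's assumption, not the product's documented algorithm."""
    services = defaultdict(set)
    for src_ip, dst_ip, dst_port, proto in flows:
        pair = (group_of(src_ip, vm_group), group_of(dst_ip, vm_group))
        services[pair].add((dst_port, proto))
    rules = [
        {"source": src, "destination": dst, "services": sorted(svc), "action": "ALLOW"}
        for (src, dst), svc in sorted(services.items())
    ]
    rules.append({"source": "any", "destination": "any", "services": [], "action": "DENY"})
    return rules


def rule_matches(rule, src_group, dst_group, service):
    src_ok = rule["source"] in ("any", src_group)
    dst_ok = rule["destination"] in ("any", dst_group)
    svc_ok = rule["action"] == "DENY" or service in rule["services"]
    return src_ok and dst_ok and svc_ok


def uncovered_flows(flows, rules, vm_group):
    """Observed flows the rule set would block (first matching rule wins)."""
    blocked = []
    for src_ip, dst_ip, dst_port, proto in flows:
        src_group, dst_group = group_of(src_ip, vm_group), group_of(dst_ip, vm_group)
        for rule in rules:
            if rule_matches(rule, src_group, dst_group, (dst_port, proto)):
                if rule["action"] == "DENY":
                    blocked.append((src_ip, dst_ip, dst_port, proto))
                break
    return blocked


if __name__ == "__main__":
    rules = recommend_rules(FLOWS, VM_GROUP)
    for rule in rules:
        print(rule)
    print("blocked:", uncovered_flows(FLOWS, rules, VM_GROUP))
    # Dropping the Prod-Web -> External rule shows the check catching the DNS flow
    trimmed = [r for r in rules if r["destination"] != EXTERNAL]
    print("blocked after trim:", uncovered_flows(FLOWS, trimmed, VM_GROUP))
```

The `uncovered_flows` check is the part worth keeping when you take recommended rules into production: run it against the full observed flow set before enabling the default deny, so that a rule that was trimmed by hand does not silently break a dependency such as the external DNS flow.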

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic/flows between the tiers of the same application. Traffic/flows can also be visualized between applications.

1 Under Micro-segments, click on the dropdown which says by VLAN/VXLAN

2 Click on by Application

1 Hover over Prod-App (47) (do not click at this stage)

2 Click on Keep Focus

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.

We shall now explore how we can define an application

Define an Application

1 In the search bar type Application

2 Click the Search button

1 The Application search will return 4 entities, i.e. applications already created in the system for you

2 This page also lets you create a new application - click on Add Application

1 Under the Application Name, type HOL-Pre-Prod

2 Under Tier, type the Name as HOL-Pre-Prod

3 Our search criteria will be based on VM names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you)

4 Do not Save. Click Cancel, which will take you to the previous screen

1 Here you can see the number of entities has increased by 1, i.e. 5 entities

2 You can also see Hol-Pre-Prod in the list

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1 Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type)

2 Click search to continue

The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1 Click the close icon (x) to continue

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1 Click on Prod_MidTier to continue

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group page provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1 Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step)

1 In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group

2 Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise

Tracking Prod_MidTier

1 Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group

B Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints

C Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency

D Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web

E Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment

This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2 Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen

Lab-Midtier

1 Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.

  • A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
  • B - The machine name within Lab-Midtier - Lab-Midtier-1
  • C - DVS Switch
  • D - VXLAN - Lab-Midtier
  • E - 1st VMKNIC for DDC-1 host
  • F - DVS Switch Port
  • G - Finally showing the L3 Switch (Arista)

2 When you are done with the current view, close this tab in Chrome and return to the original view

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1 Type into the search bar

Firewall rule where action =ALLOW and Port=443 (the search bar uses Auto Fill and predictive text will appear as you type)

2 Click search to continue

As you type notice all the different permutations of queries that can be assembled

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1 Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information

2 Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point

3 For the next step we will return to the top search bar

3 For the next step we will return to the top search bar

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1 Type

Firewall Rule Membership Change

2 Select the Date/Time window

3 Click Between. Select Date range from June30 to Jul 31 (with static data, this will ensure you see all the changes)

4 Click search

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
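
To show what such an audit record contains and why a membership change matters indirectly to firewall rules, here is an added example written for this guide (not vRealize Network Insight's own data model or output). It diffs constructed snapshots of security group membership into change events, filters them by a date window in the way the Between search above does, and maps each event to the constructed firewall rules that reference the changed group. Group names, VM names, dates and rules are constructed sample values.

```python
from datetime import datetime

# Constructed snapshots of security group membership at three points in time
# (not lab data): (timestamp, {group name: set of member VM names})
SNAPSHOTS = [
    (datetime(2017, 6, 30, 9, 0),
     {"Prod_MidTier": {"Lab-Midtier-1", "Lab-Midtier-2"},
      "Prod_Web": {"Prod-Web-9"}}),
    (datetime(2017, 7, 10, 14, 30),
     {"Prod_MidTier": {"Lab-Midtier-1", "Lab-Midtier-2", "Lab-Midtier-3"},
      "Prod_Web": {"Prod-Web-9"}}),
    (datetime(2017, 8, 2, 8, 0),
     {"Prod_MidTier": {"Lab-Midtier-1", "Lab-Midtier-3"},
      "Prod_Web": {"Prod-Web-9", "Prod-Web-10"}}),
]

# Constructed firewall rules that reference the groups above, so that a
# membership change can be traced to the rules it indirectly affects.
RULES = [
    {"name": "Prod_Web to Prod_Midtier", "source": "Prod_Web",
     "destination": "Prod_MidTier", "port": 8080},
    {"name": "Midtier to DB", "source": "Prod_MidTier",
     "destination": "Prod_DB", "port": 5443},
]


def membership_changes(snapshots):
    """Diff consecutive snapshots into (when, group, change, vm) events."""
    events = []
    for (_, before), (when, after) in zip(snapshots, snapshots[1:]):
        for group in sorted(set(before) | set(after)):
            old, new = before.get(group, set()), after.get(group, set())
            events.extend((when, group, "added", vm) for vm in sorted(new - old))
            events.extend((when, group, "removed", vm) for vm in sorted(old - new))
    return events


def changes_between(events, start, end):
    """Time-based filter, like the Between date range in the search bar."""
    return [e for e in events if start <= e[0] <= end]


def impacted_rules(event, rules):
    """Rules whose source or destination is the group the event touched:
    the indirect firewall rule impact of a membership change."""
    _, group, _, _ = event
    return [r["name"] for r in rules if group in (r["source"], r["destination"])]


if __name__ == "__main__":
    events = membership_changes(SNAPSHOTS)
    for ev in changes_between(events, datetime(2017, 6, 30), datetime(2017, 7, 31)):
        print(ev, "->", impacted_rules(ev, RULES))
```

The point of `impacted_rules` is the one the text makes: a VM joining Prod_MidTier changes the effective scope of every rule that names that group, even though no rule was edited, so an audit of firewall changes has to include membership events, not just rule edits.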

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any firewall rule membership changes. The options for alerting are immediately, within 1 hour or as a daily digest.

1 Click the Notifications icon to create an event. The notifications screen will pop up

2 Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps

3 Once completed click save

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1 Click in the search bar and type Settings

2 Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change)

3 Info Only - Do not click - View, Edit, Activate any notifications

Note that we have 2 types of notification: User-defined and System Events

4 Click the System Events

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour or as a daily digest).

This concludes this module Please continue to the next module

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day zero readiness, and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

  • Persistence: Security must be consistent in the face of constant change
  • Ubiquity: Security must be available everywhere
  • Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com

Please close the Chrome Web browser

This concludes this module please continue to the next module

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface, which simplifies problem determination as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

  • 360 Network Visibility and Troubleshooting
  • Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

  • 360-degree view of data flow between two VM objects
  • Natural language search

Open Google Chrome

1 Open Chrome on the Control Center Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local

2 Password: VMware1!

3 Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console

1 Click on Path and Topology

2 Click on Path

Path - Select source and destination

In the pop-up box

1 Click on the grey field below Source

2 Type dba into the source field and DBAdmin-VM1 will appear

3 Click on DBAdmin-VM1 to select it

Path - source and destination continued

After selecting the source machine the destination box will automatically appear

1 Type prod in the destination field and the list of available options will appear

2 Select Prod-Db-2

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1 Click on Submit

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1 VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM to VM network path and provides the complete routing and NAT information

2 VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top of rack switches and the ports involved

In the field named VM Path Topology

1 Click on the three dots in the top right corner of the field

2 Click Maximize

The view will change and the route will be drawn on the map

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1 Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details

Component Overview

On the VM topology map

1 Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1 When done reviewing, close the pop-up windows by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1 Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running

Host - Details

A pop-up box will appear that contains the physical ESXi host

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1 When done reviewing click on the (X) in the top right corner


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click the small blue box on vlan-629 marked by a red square.

DVPG

A pop-up box will appear with the DVPG details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled. This is the flow export from the distributed switch that vRealize Network Insight relies on for the flow-based views used in Module 1; a port group without IPFIX contributes no flow data.

1. When done reviewing, click the (X) in the top-right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click the grey line on vlan-629 marked by a red square.

VLAN Network

A pop-up box will appear with the physical VLAN details.


A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click the (X) in the top-right corner.

Switch ports on the map

1. From the map, click the icon marked by a red square to select the switch port for the VM.


Switch Port

A pop-up box will appear with the switch port details.

In this view we are looking purely at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, the interface speed, the port and other details of the NIC.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.


Physical VRF on the map

1. From the map, click the icon marked by a red square to access the physical VRF details.


VRF - Physical Switch

A pop-up box will appear with the physical VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this scenario the first hop in the physical network happens to be a Cisco Nexus 7000. vRealize Network Insight gathers the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.


VRF - continued

1. From the map, click the icon marked by a red square to access the next physical VRF in the path.


VRF - Physical Router

A pop-up box will appear with the physical VRF details.

In this scenario the second hop in the physical network is a Palo Alto Networks firewall acting as the router for this hop. In this view we see its routing table as well as its firewall rules. Rather than listing every rule on the device, vRealize Network Insight shows only the rules applicable between the two objects we searched for: a production firewall typically carries thousands of rules, but these are the ones affecting the communication between the two selected VMs.


A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.

Note: the Palo Alto integration showcased here is in beta testing.

VRF - continued

1. From the map, click the icon marked by a red square to access the next physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear with the physical VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this scenario the third hop in the physical network is an Arista device. Information is available on routing, gateways, interfaces and so on. This shows that devices from multiple vendors can be monitored, for example while migrating from one vendor to another.

1. When done reviewing, click the (X) in the top-right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of objects we looked at previously in this module, so we will not examine their details in this scenario.

A - Hover (move the mouse over) the icons marked with red arrow A without clicking on them. Notice the descriptive name.

B - Hover (move the mouse over) the icons marked with red arrow B without clicking on them. Notice the descriptive name.

1. From the map, click the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear with the VRF details.

A - Please spend some time reviewing the information available for the object. Please do not click on any of the links.

B - The component after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.


VXLAN on the map

1. On the map, click the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear with the VXLAN details.


A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the underlay VLAN IDs, the subnet and the underlay subnet.

C - We also have visibility into which primary controller this segment uses, plus its hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.
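The Segment ID in this pop-up is the 24-bit VNI carried in every VXLAN packet on the underlay, and the VTEP addresses are the outer IP addresses those packets travel between. The following Python example is added here and is not part of the lab or of vRealize Network Insight: it builds a constructed VXLAN-encapsulated frame and parses it back, checking the UDP port and the VXLAN I flag before trusting the VNI. The VTEP addresses, MAC addresses and VNI 5000 are made-up sample values.

```python
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "VNI valid" flag; must be set for the VNI field to mean anything


@dataclass
class VxlanFrame:
    outer_src_ip: str      # sending VTEP, an underlay address
    outer_dst_ip: str      # receiving VTEP
    vni: int               # 24-bit segment ID of the logical switch
    inner_src_mac: str
    inner_dst_mac: str
    inner_ethertype: int
    inner_payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_vxlan(frame: bytes) -> VxlanFrame:
    """Walk outer Ethernet / IPv4 / UDP / VXLAN headers and return the inner frame.

    Every check raises ValueError rather than guessing, so a capture that is not
    what we expect (wrong port, I flag clear, truncated) is reported, not misread."""
    if len(frame) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("frame too short for a VXLAN-encapsulated Ethernet frame")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only an IPv4 underlay is handled here")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4                 # IPv4 header length in bytes
    if frame[ip + 9] != 17:
        raise ValueError("outer packet is not UDP")
    udp = ip + ihl
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", frame[udp:udp + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    vx = udp + 8
    if not frame[vx] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI field is not valid")
    vni = int.from_bytes(frame[vx + 4:vx + 7], "big")   # bytes 4..6 of the VXLAN header
    inner = vx + 8
    return VxlanFrame(
        outer_src_ip=_ip(frame[ip + 12:ip + 16]),
        outer_dst_ip=_ip(frame[ip + 16:ip + 20]),
        vni=vni,
        inner_dst_mac=_mac(frame[inner:inner + 6]),
        inner_src_mac=_mac(frame[inner + 6:inner + 12]),
        inner_ethertype=struct.unpack("!H", frame[inner + 12:inner + 14])[0],
        inner_payload=frame[inner + 14:],
    )


def build_vxlan(vtep_src: str, vtep_dst: str, vni: int, inner: bytes,
                vni_valid: bool = True) -> bytes:
    """Encapsulate an inner Ethernet frame. Only used here to construct sample input;
    IP and UDP checksums are left at zero, which parse_vxlan does not verify."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    vxlan_hdr = (bytes([VXLAN_FLAG_I if vni_valid else 0, 0, 0, 0])
                 + vni.to_bytes(3, "big") + b"\x00")
    udp_len = 8 + len(vxlan_hdr) + len(inner)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in vtep_src.split(".")),
                         bytes(int(o) for o in vtep_dst.split(".")))
    outer_eth = bytes.fromhex("005056000002") + bytes.fromhex("005056000001") + b"\x08\x00"
    return outer_eth + ip_hdr + udp_hdr + vxlan_hdr + inner


# Constructed sample: a frame from the VM with MAC ...:01 to ...:02 on segment 5000,
# carried between two made-up VTEP addresses on the underlay.
SAMPLE_INNER = (bytes.fromhex("005056a10002") + bytes.fromhex("005056a10001")
                + b"\x08\x00" + b"constructed inner payload")
SAMPLE_FRAME = build_vxlan("192.168.10.11", "192.168.10.12", 5000, SAMPLE_INNER)


def vni_matches(frame: bytes, expected_vni: int) -> bool:
    """True if the frame is well-formed VXLAN and carries the expected segment ID."""
    try:
        return parse_vxlan(frame).vni == expected_vni
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_vxlan(SAMPLE_FRAME))
```

The VXLAN header itself carries no authentication (RFC 7348, Security Considerations): any host that can send UDP 4789 to a VTEP can craft a frame with whatever VNI it likes. The underlay VLAN and the VTEP list shown in this pop-up are therefore the boundary to review when asking who can reach the transport network.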

VRF - LDR

1. From the map, click the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear with the VRF details. From here we reach the in-kernel (distributed) network.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to reach our corporate network.

C - This device routes for us to a different interface: the interface on the Prod-DB network, which is the next step in the path (illustrated in the next step).

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device the traffic hits on the virtual network of that physical host is the firewall. Notice that there are two firewalls next to the VM: one from Palo Alto and one from NSX.

1. From the map, click the icon marked by a red square to access the NSX firewall details (the upper of the two).


Firewall - NSX

A pop-up box will appear with the firewall details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.


Redirect on the map - PAN Firewall

Notice again that there are two firewalls next to the VM, one from Palo Alto and one from NSX. We are now going to look at the details of the lower firewall.

1. From the map, click the icon marked by a red square to access the Palo Alto firewall details (the lower of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-Series firewall to which inspection is offloaded. The redirect rule in the NSX distributed firewall steers matching traffic to the Palo Alto firewall for inspection (NSX service insertion), so both firewalls apply to the same flow; the rules themselves stay on their respective firewalls.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click the arrow pointing left.

The route on the map will change


Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the return traffic is routed through Provider-Edge 2. This is exactly how the traffic behaves in real life, and it is why both directions should be checked: a stateful firewall that sits on only one of the two edges sees only half of the conversation.

Please continue to the next step to conclude this module


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information for the VMs involved: their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (Path Topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module Please continue to the next module


Conclusion

Congratulations on completing Module 2

This module has shown that vRealize Network Insight can trace the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is easy to get a quick overview of the components involved in a network communication.

All the components on the map are based on a snapshot of real-life data. Feel free to click on other icons shown on the map in this module, before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com and search for vRealize Network Insight.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight gives us full visibility from both an overlay and an underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query: it gathers CLI and metadata information from NSX in real time.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this lists three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that 50 problems are associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore the information only - do not click.

• A - Starting with the Timeline, we can manipulate the results simply by dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear picture of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Under NSX Checklist Rules - ALL we can scroll up and down to view each point in the checklist used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems is key to understanding the issues affecting NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control plane sync issue. It can be investigated further by expanding (clicking on) the red triangle to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: the topology for the NSX environment does not show any load balancer status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This highlights a critical condition, a possible network disruption, since this edge device is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now click the Chrome Back button once to return to the NSX Manager information screen.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3

This module demonstrated the advanced management operations capability of vRealize Network Insight, which provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of its workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads too. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make hosting decisions that meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, security groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you can plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via a jump box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist, as configured by the administrator, but this is in fact the problem area on which we will focus.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

The steps to define an application were covered in Module 1.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier logic in the following steps.

1. Note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This reveals the flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This reveals the flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This reveals the flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This reveals the flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively (DNS and syslog).
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This reveals the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow view reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator runs three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).


1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This returns 5 results, i.e. 4 Allow (for the web and mid-tier VMs) and 1 Deny (for the DB).

2. Click Search.
3. Click the DENY checkbox so we can focus on the deny result.

We can see a DENY that is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server). Security groups contain allow rules only, so the Deny shown here is the implicit drop of a connection that no rule permits.


1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it with the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This returns 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it with the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This returns 2 results, both outbound rules. Compared with the previous query, the inbound rule on aws-log-server is missing for this source, which explains the firewall behaviour from crm-database to aws-log-server.
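The three queries above separate the flow verdict from the rules on each side. The following Python example is added here and is not from the lab or from vRealize Network Insight: it models that evaluation offline, with constructed security groups for the CRM and Common Services VPCs, the intended application flows taken from the VPC description, and a check that requires both an outbound rule on the source and an inbound rule on the destination, which is how AWS security groups actually decide. The instance names crm-app1 and crm-jumpbox and all group names are assumptions; only crm-web1, crm-database, aws-dns-server and aws-log-server appear in the lab.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SgRule:
    """One security-group entry. AWS security groups are allow-only and stateful:
    there are no deny rules, and a connection matching no rule is dropped.
    peer is another group ("sg:<name>") or "any" (standing in for 0.0.0.0/0)."""
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp" or "udp"
    port: int
    peer: str


@dataclass(frozen=True)
class Instance:
    name: str
    groups: Tuple[str, ...]


# Constructed groups modelling the lab's CRM VPC and Common Services VPC.
# The deliberate gap: sg-log admits syslog from sg-web and sg-app but not from sg-db.
SECURITY_GROUPS: Dict[str, List[SgRule]] = {
    "sg-jump": [SgRule("outbound", "tcp", 22, "any"),
                SgRule("outbound", "tcp", 80, "sg:sg-web")],
    "sg-web": [SgRule("inbound", "tcp", 80, "sg:sg-jump"),
               SgRule("inbound", "tcp", 22, "sg:sg-jump"),
               SgRule("outbound", "tcp", 8080, "sg:sg-app"),
               SgRule("outbound", "udp", 53, "sg:sg-dns"),
               SgRule("outbound", "udp", 514, "sg:sg-log")],
    "sg-app": [SgRule("inbound", "tcp", 8080, "sg:sg-web"),
               SgRule("inbound", "tcp", 22, "sg:sg-jump"),
               SgRule("outbound", "tcp", 3306, "sg:sg-db"),
               SgRule("outbound", "udp", 53, "sg:sg-dns"),
               SgRule("outbound", "udp", 514, "sg:sg-log")],
    "sg-db": [SgRule("inbound", "tcp", 3306, "sg:sg-app"),
              SgRule("inbound", "tcp", 22, "sg:sg-jump"),
              SgRule("outbound", "udp", 53, "sg:sg-dns"),
              SgRule("outbound", "udp", 514, "sg:sg-log")],   # the DB side is configured...
    "sg-dns": [SgRule("inbound", "udp", 53, "any")],
    "sg-log": [SgRule("inbound", "udp", 514, "sg:sg-web"),
               SgRule("inbound", "udp", 514, "sg:sg-app")],   # ...but sg-db was never added here
}

INSTANCES: Dict[str, Instance] = {i.name: i for i in (
    Instance("crm-jumpbox", ("sg-jump",)),      # assumed name for the jump box
    Instance("crm-web1", ("sg-web",)),
    Instance("crm-app1", ("sg-app",)),          # assumed name for the mid-tier VM
    Instance("crm-database", ("sg-db",)),
    Instance("aws-dns-server", ("sg-dns",)),
    Instance("aws-log-server", ("sg-log",)),
)}

Flow = Tuple[str, str, str, int]   # (src instance, dst instance, proto, port)

# Flows the application design requires, taken from the VPC description above.
TIERS = ("crm-web1", "crm-app1", "crm-database")
INTENDED_FLOWS: List[Flow] = (
    [("crm-jumpbox", "crm-web1", "tcp", 80),
     ("crm-web1", "crm-app1", "tcp", 8080),
     ("crm-app1", "crm-database", "tcp", 3306)]
    + [("crm-jumpbox", vm, "tcp", 22) for vm in TIERS]
    + [(vm, "aws-dns-server", "udp", 53) for vm in TIERS]
    + [(vm, "aws-log-server", "udp", 514) for vm in TIERS]
)


def _peer_matches(peer: str, other: Instance) -> bool:
    return peer == "any" or (peer.startswith("sg:") and peer[3:] in other.groups)


def _side_allows(inst: Instance, direction: str, proto: str, port: int,
                 other: Instance) -> bool:
    """True if any group attached to inst has a matching rule in this direction."""
    return any(r.direction == direction and r.proto == proto and r.port == port
               and _peer_matches(r.peer, other)
               for g in inst.groups for r in SECURITY_GROUPS[g])


def firewall_action(flow: Flow) -> Tuple[str, str]:
    """Decide ("ALLOW"|"DENY", reason). A connection needs an outbound match on the
    source's groups AND an inbound match on the destination's groups."""
    src, dst, proto, port = flow
    s, d = INSTANCES[src], INSTANCES[dst]
    if not _side_allows(s, "outbound", proto, port, d):
        return "DENY", f"no outbound {proto}/{port} rule on {src} towards {dst}"
    if not _side_allows(d, "inbound", proto, port, s):
        return "DENY", f"no inbound {proto}/{port} rule on {dst} from {src}"
    return "ALLOW", "outbound and inbound rules both match"


def denied_flows(flows: List[Flow] = INTENDED_FLOWS) -> List[Tuple[Flow, str]]:
    """Intended flows the current groups would drop, with the side that is missing."""
    dropped = []
    for flow in flows:
        action, reason = firewall_action(flow)
        if action == "DENY":
            dropped.append((flow, reason))
    return dropped


if __name__ == "__main__":
    for flow, reason in denied_flows():
        print(flow, "->", reason)
```

Running it lists exactly one dropped intended flow, crm-database to aws-log-server on udp/514, with the missing side named on the destination, which is what the third query above shows. Because security groups have no deny rules, the two outbound rules on the database prove nothing on their own; reachability needs a match on both ends, and that is the check to automate before trusting a "rules exist" answer.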


Conclusion

Congratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This gives visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226


                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

East-West (EW) - Detailed view

These are only a few of the 1653 flows, but the detailed views and filters can be used to narrow down to more specific information.

A - Without clicking (just hover), move over the timeline to see the rate of flow for that period, indicated by the green line.

1. Click the close icon (x) to continue.

Services/Ports

Locating the Services screen for the next step

Services/Ports - Timeline view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The Services view is used to observe the flow for each service and to analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.

Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be obtained by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents, on demand, the sum total of flows for the last 24 hours, in Gigabytes (GB), communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.

Flows for Port 5443

For traffic communicating over port 5443 in the Last 24 hours, we now have a detailed understanding of how the 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters on the left-hand side of the screen can be used to narrow the view to a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view

Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows).

Micro-Segments

The screen should now be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro Segments. This section will focus on the Subnet view and how it can be used to track flows between two or more points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.

Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this immediately highlights all flows and sessions from and to this network segment. Other traffic types lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the internet and other subnets. The number in parentheses after the network indicates the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.

Focus - VLAN/VXLAN

To track flows between Prod-Web and Prod-Midtier, we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).

Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier

(A) - At this point we have identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or any construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is (ALLOWED) on Port 8080 between SG Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.

Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and it includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which include 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
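As an added example (not part of the lab guide and not vRealize Network Insight code), the following Python sketches the aggregation behind the Recommended Firewall Rules view: observed flows are collapsed into one allow rule per source group, destination group, protocol and port, plus the external services a group uses. The VM names, group membership, flows and the closing default-deny rule are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not from the lab environment): VMs, the security
# groups they belong to, and a handful of observed East-West / North-South flows.
VM_GROUPS = {
    "Prod-Web-1": "SG-Prod-Web",
    "Prod-Web-2": "SG-Prod-Web",
    "Prod-Mid-1": "SG-Prod-Midtier",
    "Prod-Mid-2": "SG-Prod-Midtier",
    "Prod-DB-1": "SG-Prod-DB",
}


@dataclass(frozen=True)
class Flow:
    src: str        # VM name, or an IP address for endpoints outside any group
    dst: str
    protocol: str   # "TCP" or "UDP"
    dst_port: int
    nbytes: int


FLOWS = [
    Flow("Prod-Web-1", "Prod-Mid-1", "TCP", 8080, 1200),
    Flow("Prod-Web-2", "Prod-Mid-2", "TCP", 8080, 800),
    Flow("Prod-Web-1", "Prod-Mid-1", "TCP", 8080, 500),
    Flow("Prod-Mid-1", "Prod-DB-1", "TCP", 5443, 3000),
    Flow("Prod-Web-1", "10.0.0.53", "UDP", 53, 100),       # DNS lookups
    Flow("Prod-Web-2", "10.0.0.53", "UDP", 53, 120),
    Flow("Prod-Web-1", "203.0.113.10", "TCP", 443, 5000),  # outbound HTTPS
    Flow("198.51.100.7", "Prod-Web-1", "TCP", 443, 900),   # inbound HTTPS
]


def group_of(endpoint):
    """Map a VM to its security group; anything unknown counts as External."""
    return VM_GROUPS.get(endpoint, "External")


def recommend_rules(flows, default_deny=True):
    """Collapse observed flows into the minimum allow-list between groups.

    One rule per (source group, destination group, protocol, port), carrying
    the flow count and byte total that justify it. A closing default-deny
    rule is appended (assumption: standard allow-list micro-segmentation).
    """
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        key = (group_of(f.src), group_of(f.dst), f.protocol, f.dst_port)
        agg[key]["flows"] += 1
        agg[key]["bytes"] += f.nbytes
    rules = [
        {"action": "ALLOW", "source": src, "destination": dst,
         "protocol": proto, "port": port, **stats}
        for (src, dst, proto, port), stats in sorted(agg.items())
    ]
    if default_deny:
        rules.append({"action": "DENY", "source": "any", "destination": "any",
                      "protocol": "any", "port": "any", "flows": 0, "bytes": 0})
    return rules


def rules_between(flows, src_group, dst_group):
    """The rule(s) you would see after clicking the line joining two groups."""
    return [r for r in recommend_rules(flows, default_deny=False)
            if r["source"] == src_group and r["destination"] == dst_group]


def external_services(flows, group):
    """Services (protocol, port) a group exchanges with endpoints outside any group."""
    services = set()
    for f in flows:
        src, dst = group_of(f.src), group_of(f.dst)
        if group in (src, dst) and "External" in (src, dst):
            services.add((f.protocol, f.dst_port))
    return services


if __name__ == "__main__":
    for rule in recommend_rules(FLOWS):
        print(rule)
    print(rules_between(FLOWS, "SG-Prod-Web", "SG-Prod-Midtier"))
    print(external_services(FLOWS, "SG-Prod-Web"))
```

With the constructed flows above, the three Prod-Web to Prod-Midtier flows on TCP 8080 collapse into a single allow rule, mirroring the Port 8080 recommendation in the text.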

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.

We shall now explore how we can define an application.

Define an Application

1. In the search bar type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.

1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see that the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with the overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill, and predictive text will appear as you type).

2. Click search to continue.

The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result is also displayed to include the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of its key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables a point-in-time state of the Security Group, and filters can be used to focus further on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right shows any and all Child and Parent groups in relation to Prod_Web. This identifies the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the Source and Destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web, and it provides all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance in managing the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links expose further detail for each firewall segment.

This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we now understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action =ALLOW and Port=443 (the search bar uses Auto Fill, and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. Each entry is a live link that exposes further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This points out any changes made directly, or indirectly as a result of membership changes, and is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to Jul 31 (as the lab uses static data, this ensures you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured in this lab, the results will not be actioned, as this is static data only. This section shows how easy it is to report on any Firewall Rule membership changes. The alerting options are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. The notification and its parameters can be adjusted as required. Populate them with your own preferences, as we need this information in order to save the alert and view it in later steps.

3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events, in order to edit or activate the Event parameters, by using the Settings page. Changes can be configured to notify members of the event group based on the user's preference. The event that you created earlier can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info only - Do not click - View, Edit, Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.

System Notifications

System Events consist of 103 pre-configured default alerts. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. The module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome Web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies the determination of problems as well as the visibility of firewall and network configurations.

vRealize Network Insight presents this in a smart user interface and makes problem determination and visibility of the firewall and network configurations very easy.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square: the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario, the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario, the second hop from the physical network perspective is a Palo Alto router. In this view we see the routing table as well as the firewall rules. vRealize Network Insight is able to show only the firewall rules that are applicable between the two objects we searched for. A normal network probably has thousands of firewall rules, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click the (X) in the top right corner of the pop-up box.

Note: The Palo Alto Networks integration showcased here is in beta testing.

VRF - continued

1. From the map, click the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. Information is available on routing, gateways, interfaces and so on. This path shows that devices from several vendors (Cisco, Palo Alto Networks and Arista here) can be monitored side by side, which matters when migrating from one vendor to another.

1. When done reviewing, click the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (marked by arrows) are the same kinds of objects we looked at previously in this module. We will not look at their details in this scenario, as they are similar to the ones already discussed.

A - Hover (move the mouse) over the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse) over the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The components after the Arista device (described in the previous steps) belong to an NSX Edge cluster, or to a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and the routing interface details for this particular VRF.

1. When done reviewing, click the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (the Segment ID, which is the 24-bit VNI carried in the VXLAN header on the wire), the underlay VLAN IDs, the subnet and the underlay subnet.

C - We also have visibility into the primary controller it is using, and into the hosts and VTEPs that participate in it.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click the X in the top right corner of the pop-up box.
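The VXLAN details shown above (Segment ID, underlay subnet, VTEPs) are read by vRealize Network Insight from NSX, but the same fields are visible on the wire. The following is an added example, not part of this lab guide or of vRealize Network Insight: a small Python decoder that extracts the VNI and the VTEP addresses from VXLAN-encapsulated frames captured on the underlay (UDP port 4789), so that a packet capture can confirm which segment and which VTEPs carry a flow. The sample frames are constructed in the block itself; the VTEP addresses, MAC addresses and segment IDs are made up.

```python
"""Decode VXLAN-encapsulated frames captured on the underlay.

Added example; not part of the lab guide or of vRealize Network Insight.
The sample capture is constructed below; VTEP addresses, MACs and VNIs are
made up, and checksums are left zero because nothing is transmitted.
"""
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: VNI field is valid


@dataclass
class VxlanFrame:
    vtep_src: str        # outer IPv4 source: the sending VTEP on the underlay
    vtep_dst: str        # outer IPv4 destination: the receiving VTEP
    vni: int             # 24-bit VXLAN Network Identifier (vRNI "Segment ID")
    inner_src_mac: str   # overlay (VM-side) MAC addresses
    inner_dst_mac: str
    inner_ethertype: int


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_vxlan(frame: bytes) -> VxlanFrame:
    """Walk outer Ethernet -> IPv4 -> UDP/4789 -> VXLAN -> inner Ethernet."""
    if len(frame) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("frame too short to carry a VXLAN header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ip[9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    udp = ip[ihl:]
    _src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dst_port} is not VXLAN")
    vx = udp[8:udp_len]
    if not vx[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    vni = int.from_bytes(vx[4:7], "big")     # bytes 4-6 hold the VNI, byte 7 is reserved
    inner = vx[8:]
    return VxlanFrame(
        vtep_src=_ipv4(ip[12:16]),
        vtep_dst=_ipv4(ip[16:20]),
        vni=vni,
        inner_dst_mac=_mac(inner[0:6]),
        inner_src_mac=_mac(inner[6:12]),
        inner_ethertype=struct.unpack("!H", inner[12:14])[0],
    )


def build_vxlan_frame(vtep_src, vtep_dst, vni, inner_src_mac, inner_dst_mac,
                      payload=b"\x00" * 46) -> bytes:
    """Encapsulate a minimal inner Ethernet frame (used only to build the sample)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    inner = mac(inner_dst_mac) + mac(inner_src_mac) + b"\x08\x00" + payload
    vxlan_hdr = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_body = vxlan_hdr + inner
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(udp_body), 0) + udp_body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     ip4(vtep_src), ip4(vtep_dst)) + udp
    return mac("00:50:56:aa:00:02") + mac("00:50:56:aa:00:01") + b"\x08\x00" + ip


# Constructed underlay capture: two VTEPs on segment 5001, one frame on 5002.
CAPTURE = [
    build_vxlan_frame("192.168.110.51", "192.168.110.52", 5001,
                      "00:50:56:01:00:0a", "00:50:56:01:00:0b"),
    build_vxlan_frame("192.168.110.52", "192.168.110.51", 5001,
                      "00:50:56:01:00:0b", "00:50:56:01:00:0a"),
    build_vxlan_frame("192.168.110.51", "192.168.110.53", 5002,
                      "00:50:56:02:00:01", "00:50:56:02:00:02"),
]


def frames_on_segment(frames, vni):
    """Decoded frames belonging to one logical switch (Segment ID): the
    packet-capture counterpart of clicking a VXLAN on the vRNI path map."""
    return [f for f in (parse_vxlan(x) for x in frames) if f.vni == vni]


def vteps_for_segment(frames, vni):
    """Underlay VTEP addresses seen carrying a given VNI."""
    return {ip for f in frames_on_segment(frames, vni) for ip in (f.vtep_src, f.vtep_dst)}


if __name__ == "__main__":
    for f in frames_on_segment(CAPTURE, 5001):
        print(f"VNI {f.vni}: {f.vtep_src} -> {f.vtep_dst}  inner {f.inner_src_mac} -> {f.inner_dst_mac}")
    print("VTEPs on segment 5001:", sorted(vteps_for_segment(CAPTURE, 5001)))
```

On a real underlay capture, feed `parse_vxlan` the raw Ethernet frames of UDP/4789 traffic between the VTEP addresses listed in the pop-up; a VNI that matches the Segment ID shown by vRealize Network Insight confirms that the flow is on the expected logical switch.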

VRF - LDR

1. From the map, click the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here on we are in the in-kernel network: routing is performed by the NSX Distributed Logical Router in the ESXi kernel rather than by an Edge VM.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name (LDR-Corporate). This device routes us into the corporate network.

C - This device routes the traffic out of a different interface, onto the Prod-DB network, as the next step in the path (illustrated in the next step).

1. When done reviewing, click the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown by the arrows).

The first object the traffic hits in the virtual network on that physical host is the firewall. Notice that there are two firewalls next to the VM: one from Palo Alto Networks and one from NSX (the Distributed Firewall at the VM's vNIC).

1. From the map, click the icon marked by a red square to access the NSX Firewall details (the upper one of the two).


Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Notice that there are two firewalls next to the VM: one from Palo Alto Networks and one from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click the icon marked by a red square to access the Palo Alto Networks firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto Networks VM-based firewall to which traffic is offloaded. The redirect feature lets the NSX firewall send selected traffic to the PAN firewall for inspection, so both rule sets apply to the flow between the two VMs.

1. When done reviewing, click the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the return traffic is routed through Provider-Edge 2. This matches how the traffic actually flows in real life. Forward and return paths need not be symmetric, and a stateful device that sits on only one of them sees only one direction of the flow, so when troubleshooting a firewall check the path in both directions.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved: their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labelled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight can trace the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map and the details on each map object it is easy to get a quick overview of the components used in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module to look at other components before continuing to the next module.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight product page on www.vmware.com.


If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click the END button; otherwise click a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight gives full visibility from both an overlay and an underlay perspective; this module focuses on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The NSX integration is not a simple SNMP query: CLI output and metadata are gathered from NSX in real time.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal.

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that 50 problems are associated with this endpoint.

1. Click the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore the information only - do not click.

• A - Starting with the Timeline, we can change the results simply by dragging the slider; by default the results for the current time are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid for understanding the environment. Each object can be queried individually within the same screen.

• E - NSX Problems is the key section for understanding the issues affecting NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, which can be queried in real time. The topology layout displays all the NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a cause or as a result. We can now query each object for detailed information.

1. Click the NSX Controller whose name starts with NSX_Controller_5b6c6c8d-4d71 (look at each controller to find it, as their order changes).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its configuration. This screen helps identify the status, version, upgrade availability and many other critical attributes of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control-plane sync issue. The issue can be investigated further by expanding it (clicking the red triangle) to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The topology for the NSX environment does not show any load balancer status information in this release.

1. Click the Edge VMs icon to see detailed information about the Edge services.


Provider Edge

With a complete view of the Provider Edge services and their associations rendered, we can investigate all Edge-related activity.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This highlights a critical condition: the Edge device is no longer in a serving state, which may mean a network disruption.


Routers Provider Edge 4

This section lays out a detailed root-cause analysis for the router Provider Edge 4.

Return to Search View - NSX Manager

1. Now click the Chrome Back button once to return to the NSX Manager information screen.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which simplifies troubleshooting and root-cause analysis.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the advanced management operations that vRealize Network Insight supports. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click the END button; otherwise click a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of its workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development (DevOps) teams, it is important to analyze these workloads as well. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, security analysis and recommendations readily available helps organizations make the right hosting decisions for their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), instances, security groups, firewall rules and tags. vRNI also analyzes AWS traffic flows (collected from VPC Flow Logs, which must be enabled for the monitored VPCs) to provide security and micro-segmentation views of cloud workloads. This means you can plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal.

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup used in this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM contains the CRM application, which comprises three tiers: Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM application on port 80 internally via the jump box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal data center VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and to the log server on port 514 in VPC Common Services.
10. This means a connection from the DB tier to the log server (used for backup services) must exist as configured by the administrator, but this in fact is the problem area our focus will be on.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Define an Application).


1. In vRealize Network Insight, click Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS, in one VPC. We shall explore the logic of the three-tier system in the following steps.

1. Please note that the micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and to the log server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the yellow line to explore the flows. This reveals the flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This reveals the flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the yellow line to explore the flows. This reveals the flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This reveals the flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 (DNS) and 514 (syslog).
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This reveals the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flows reveal only one service: port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator runs three firewall queries to establish why DB to Shared Virtual has no flows on port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This returns 5 results: 4 Allow (for the Web and App tiers) and 1 Deny (for the DB).
2. Click Search.
3. Click the DENY checkbox so we can focus on the denied flow.

We can see a DENY action preventing crm-database from communicating with aws-log-server on port 514. AWS security groups contain only allow rules, so a Deny shown here means that no rule permitted the traffic (network ACLs aside): the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string (copied when duplicating the previous tab) and replace it with the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This returns 3 results: 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it with the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This returns only 2 results, both Outbound rules, which explains the firewall behaviour from crm-database to aws-log-server: compared with the crm-web1 query, the Inbound rule on the log server side is absent, and that is the rule the administrator forgot to add.
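The three queries above answer, for one destination, "which rule is missing for this flow?". The following is an added example, not part of this lab guide or of vRealize Network Insight: a Python check that encodes the intended CRM communication matrix from the AWS Configuration section and evaluates it offline against security groups laid out in the shape returned by the EC2 DescribeSecurityGroups API. Security groups are stateful allow-lists, so a flow is permitted only when the source group has a matching egress rule and the destination group a matching ingress rule; the check reports which side is missing, mirroring the lab's finding that the outbound rules exist but the inbound rule on the log server side does not. The instance names are the lab's, but the IP addresses, group IDs and rule sets are constructed, and syslog on 514/udp is an assumption (the lab only says port 514).

```python
"""Audit AWS security groups against an intended three-tier flow matrix.

Added example; not part of the lab guide or of vRealize Network Insight.
The security groups below are constructed in the shape returned by the EC2
DescribeSecurityGroups API so the audit runs offline; IP addresses, group IDs
and rules are made up, and syslog on 514/udp is an assumption.
"""
from ipaddress import ip_address, ip_network

# Constructed inventory: instance name -> private IP and attached security group.
INSTANCES = {
    "jump-box":       {"ip": "10.1.0.10", "sg": "sg-jump"},    # VPC CRM
    "crm-web1":       {"ip": "10.1.1.11", "sg": "sg-web"},
    "crm-app1":       {"ip": "10.1.2.21", "sg": "sg-app"},
    "crm-database":   {"ip": "10.1.3.31", "sg": "sg-db"},
    "aws-dns-server": {"ip": "10.2.0.53", "sg": "sg-shared"},  # VPC Common Services
    "aws-log-server": {"ip": "10.2.0.14", "sg": "sg-shared"},
}


def rule(proto, port=None, cidr=None, sg=None):
    """One IpPermission entry; proto '-1' means any protocol and any port."""
    r = {"IpProtocol": proto, "FromPort": port, "ToPort": port,
         "IpRanges": [], "UserIdGroupPairs": []}
    if cidr:
        r["IpRanges"].append({"CidrIp": cidr})
    if sg:
        r["UserIdGroupPairs"].append({"GroupId": sg})
    return r


SECURITY_GROUPS = {
    "sg-jump": {"IpPermissions": [rule("tcp", 22, cidr="10.0.0.0/8")],
                "IpPermissionsEgress": [rule("-1", cidr="0.0.0.0/0")]},
    "sg-web": {"IpPermissions": [rule("tcp", 80, cidr="10.0.0.0/8"),
                                 rule("tcp", 22, sg="sg-jump")],
               "IpPermissionsEgress": [rule("tcp", 8080, sg="sg-app"),
                                       rule("udp", 53, cidr="10.2.0.0/16"),
                                       rule("udp", 514, cidr="10.2.0.0/16")]},
    "sg-app": {"IpPermissions": [rule("tcp", 8080, sg="sg-web"),
                                 rule("tcp", 22, sg="sg-jump")],
               "IpPermissionsEgress": [rule("tcp", 3306, sg="sg-db"),
                                       rule("udp", 53, cidr="10.2.0.0/16"),
                                       rule("udp", 514, cidr="10.2.0.0/16")]},
    "sg-db": {"IpPermissions": [rule("tcp", 3306, sg="sg-app"),
                                rule("tcp", 22, sg="sg-jump")],
              "IpPermissionsEgress": [rule("udp", 53, cidr="10.2.0.0/16"),
                                      rule("udp", 514, cidr="10.2.0.0/16")]},
    # The lab's problem area: syslog is admitted from the web and app groups,
    # but the administrator never added the matching inbound rule for sg-db.
    "sg-shared": {"IpPermissions": [rule("udp", 53, cidr="10.1.0.0/16"),
                                    rule("udp", 514, sg="sg-web"),
                                    rule("udp", 514, sg="sg-app")],
                  "IpPermissionsEgress": [rule("-1", cidr="0.0.0.0/0")]},
}

# Intended communication matrix, as described in the lab's AWS Configuration section.
INTENDED = [
    ("jump-box", "crm-web1", "tcp", 80),
    ("jump-box", "crm-web1", "tcp", 22),
    ("jump-box", "crm-app1", "tcp", 22),
    ("jump-box", "crm-database", "tcp", 22),
    ("crm-web1", "crm-app1", "tcp", 8080),
    ("crm-app1", "crm-database", "tcp", 3306),
] + [(tier, server, "udp", port)
     for tier in ("crm-web1", "crm-app1", "crm-database")
     for server, port in (("aws-dns-server", 53), ("aws-log-server", 514))]


def _matches(r, proto, port, peer_ip, peer_sg):
    """Does one IpPermission cover this protocol/port for this peer?"""
    if r["IpProtocol"] not in ("-1", proto):
        return False
    if r["IpProtocol"] != "-1" and not r["FromPort"] <= port <= r["ToPort"]:
        return False
    if any(ip_address(peer_ip) in ip_network(x["CidrIp"]) for x in r["IpRanges"]):
        return True
    return any(p["GroupId"] == peer_sg for p in r["UserIdGroupPairs"])


def flow_allowed(src, dst, proto, port):
    """Security groups are stateful allow-lists with no deny rules: a flow
    needs an egress rule on the source group AND an ingress rule on the
    destination group (return traffic is handled by connection tracking).
    Returns (egress_ok, ingress_ok) so the missing side can be named."""
    s, d = INSTANCES[src], INSTANCES[dst]
    egress = any(_matches(r, proto, port, d["ip"], d["sg"])
                 for r in SECURITY_GROUPS[s["sg"]]["IpPermissionsEgress"])
    ingress = any(_matches(r, proto, port, s["ip"], s["sg"])
                  for r in SECURITY_GROUPS[d["sg"]]["IpPermissions"])
    return egress, ingress


def audit(intended):
    """Intended flows that no security-group rule allows, with the missing side."""
    findings = []
    for src, dst, proto, port in intended:
        egress, ingress = flow_allowed(src, dst, proto, port)
        if not (egress and ingress):
            side = (f"egress on {INSTANCES[src]['sg']}" if not egress
                    else f"ingress on {INSTANCES[dst]['sg']}")
            findings.append((src, dst, proto, port, side))
    return findings


if __name__ == "__main__":
    for src, dst, proto, port, side in audit(INTENDED):
        print(f"DENY {src} -> {dst} {proto}/{port}: no matching {side}")
```

To run this against a live account, replace the constructed `SECURITY_GROUPS` dictionary with the `SecurityGroups` list returned by `boto3.client("ec2").describe_security_groups()` (keyed by `GroupId`) and build `INSTANCES` from `describe_instances()`; the matching logic is unchanged. Note that network ACLs, which can carry explicit deny entries, are not modelled here.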


Conclusion

Congratulations on completing Module 4.

This module demonstrated how vRealize Network Insight is used to understand traffic patterns and plan micro-segmentation across private and public cloud environments, giving visibility into both for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click the END button; otherwise click a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Locating the Services screen for the next step

Services/Ports - Timeline view

Plan Security makes use of the Services and Ports overview on the right-hand side of the screen. The service view screen is used to observe the flow for each service and to analyze a specific flow rate at a point in time. Timelines can be adjusted to gain a better understanding of what the Plan Security query delivers. This module will follow the steps needed to observe and trace flows for port 5443.

1. Click Show Data.

HOL-1829-01-NET

Page 19HOL-1829-01-NET

Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a flow rate can be read off by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents, on demand, the sum total of flows for the last 24 hours in Gigabytes (GB) communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.


Flows for Port 5443

Communicating over port 5443 for the last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters on the left-hand side of the screen can be used to narrow the view to a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how it can be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical, shared resources, internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To track flows between Prod-Web and Prod-Midtier we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down select the VLAN/VXLAN option (the view will update automatically).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


( A ) - At this point we have identified 14 unique endpoints or flows being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or any construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS etc).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
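The recommendation logic behind the last few screens (observed flows between two groups collapsed into the minimum set of ALLOW rules, with the flow counts and the external services behind them) can be reproduced on a small scale with the following Python script. This is an added example written for this guide, not code from vRealize Network Insight or from the lab; the security-group subnets, the flow records and their byte counts are constructed for illustration, and keying a rule on (source group, destination group, protocol, destination port) is an assumption about how the tool aggregates, not a description of its internals.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: which subnet each security group covers.
# These are assumptions, not the lab environment's real addressing.
GROUPS = {
    "SG-Prod-Web": ip_network("10.10.1.0/24"),
    "SG-Prod-Midtier": ip_network("10.10.2.0/24"),
    "SG-Prod-DB": ip_network("10.10.3.0/24"),
}


@dataclass(frozen=True)
class Flow:
    """One observed flow record (source, destination, service, volume)."""
    src: str
    dst: str
    proto: str
    port: int          # destination port, i.e. the service being accessed
    byte_count: int


# Constructed sample flows (not from the lab's data set).
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.7", "TCP", 8080, 5_000_000),
    Flow("10.10.1.6", "10.10.2.7", "TCP", 8080, 3_000_000),
    Flow("10.10.1.5", "10.10.2.8", "TCP", 8080, 1_000_000),
    Flow("10.10.2.7", "10.10.3.9", "TCP", 5443, 2_000_000),
    Flow("10.10.3.9", "10.10.3.10", "TCP", 5443, 700_000),
    Flow("10.10.1.5", "8.8.8.8", "UDP", 53, 4_000),
    Flow("10.10.1.6", "203.0.113.20", "TCP", 443, 90_000),
]


def group_of(ip: str) -> str:
    """Map an address to its security group; anything else is 'External'."""
    addr = ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "External"


def recommend_rules(flows):
    """Collapse observed flows into the minimum set of ALLOW rules.

    One rule per (source group, destination group, protocol, port); the
    flow count and byte total are kept as the evidence behind each rule,
    the way the lab's 'observation metric' justifies a recommendation.
    """
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        key = (group_of(f.src), group_of(f.dst), f.proto, f.port)
        agg[key]["flows"] += 1
        agg[key]["bytes"] += f.byte_count
    return [
        {"src": src, "dst": dst, "proto": proto, "port": port,
         "action": "ALLOW", **counts}
        for (src, dst, proto, port), counts in sorted(agg.items())
    ]


def rules_for_group(rules, group):
    """Rules in which the group is source or destination (the 'Services' pane)."""
    return [r for r in rules if group in (r["src"], r["dst"])]


def external_services(rules, group):
    """Services the group reaches outside the defined groups
    (the 'External Services Accessed' breakdown)."""
    return sorted({(r["proto"], r["port"]) for r in rules
                   if r["src"] == group and r["dst"] == "External"})


if __name__ == "__main__":
    rules = recommend_rules(SAMPLE_FLOWS)
    for r in rules_for_group(rules, "SG-Prod-Web"):
        print(f'{r["action"]} {r["src"]} -> {r["dst"]} {r["proto"]}/{r["port"]} '
              f'({r["flows"]} flows, {r["bytes"]} bytes)')
```

With the constructed flows, the three Prod-Web to Prod-Midtier flows collapse into a single ALLOW rule on TCP/8080, which is the same shape as the recommendation the lab shows; the DNS and HTTPS flows leaving the defined groups land in the external-services list and would each need their own rule if the group were to be locked down.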

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see Hol-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring far more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill and predictive text will appear as you type).

2. Click search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group page provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the Source and Destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action =ALLOW and Port=443 (the search bar uses Auto Fill and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight they can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
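To make concrete what a membership-change audit over a date range produces, the following Python script diffs successive snapshots of security-group membership, emits one change event per VM added or removed, applies the same kind of "Between" date filter used in the steps above, and writes the result as CSV. This is an added example for this guide, not code from vRealize Network Insight or the lab; the snapshot dates, group names and VM names are constructed, and the assumption that membership history is available as periodic snapshots is the example's own, not a statement about how the product stores its data.

```python
import csv
import io
from datetime import datetime

# Constructed membership snapshots (assumed for this example, not lab data):
# for each collection date, the VMs that each security group translated to.
SNAPSHOTS = [
    ("2017-06-28", {"Prod_MidTier": {"Lab-Midtier-1", "Lab-Midtier-2"},
                    "Prod_Web": {"Prod-Web-9"}}),
    ("2017-07-03", {"Prod_MidTier": {"Lab-Midtier-1", "Lab-Midtier-2", "Lab-Midtier-3"},
                    "Prod_Web": {"Prod-Web-9"}}),
    ("2017-07-20", {"Prod_MidTier": {"Lab-Midtier-1", "Lab-Midtier-3"},
                    "Prod_Web": {"Prod-Web-9", "Prod-Web-10"}}),
    ("2017-08-02", {"Prod_MidTier": {"Lab-Midtier-1", "Lab-Midtier-3"},
                    "Prod_Web": {"Prod-Web-10"}}),
]


def membership_changes(snapshots):
    """Diff consecutive snapshots and emit one event per VM added to or
    removed from a security group. A group missing from a snapshot is
    treated as empty, so groups that appear or vanish are reported too."""
    ordered = sorted(snapshots, key=lambda s: s[0])   # ISO dates sort correctly
    events = []
    for (_, before), (when, after) in zip(ordered, ordered[1:]):
        for group in sorted(set(before) | set(after)):
            old, new = before.get(group, set()), after.get(group, set())
            for vm in sorted(new - old):
                events.append({"time": when, "group": group, "vm": vm, "change": "added"})
            for vm in sorted(old - new):
                events.append({"time": when, "group": group, "vm": vm, "change": "removed"})
    return events


def changes_between(events, start, end):
    """The 'Between' date-range filter: keep events with start <= time <= end.
    Dates are ISO strings (YYYY-MM-DD) and are compared as real dates."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in events if lo <= datetime.fromisoformat(e["time"]) <= hi]


def to_csv(events):
    """The 'Save as CSV' export, returned as a string."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["time", "security_group", "vm", "change"])
    for e in events:
        writer.writerow([e["time"], e["group"], e["vm"], e["change"]])
    return buf.getvalue()


if __name__ == "__main__":
    selected = changes_between(membership_changes(SNAPSHOTS), "2017-06-30", "2017-07-31")
    print(to_csv(selected), end="")
```

Each event carries the date, the group, the VM and the direction of the change, which is the minimum an auditor needs to answer the "why, when and how" question above; a VM that silently joins a group that an ALLOW rule targets shows up as an "added" row even though no firewall rule was edited, which is exactly the indirect change the lab is pointing at.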


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The event that you created previously can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info only - Do not click - View, Edit, Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com

Please close the Chrome Web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination and gives visibility into the firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is powerful enough that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in previous steps) are an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface will route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. The visual map (Path topology) of all the path objects is shown.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).

2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.

2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, APP and DB.

4. Internal users of the Company can access the Web Tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.

6. App tier talks to DB tier on port 3306.

7. Web tier is open for internal datacenter VMs on port 80.

8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.

9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 on VPC Common Services.

10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application

2. CRM

3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.

2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)

3. App (App tier talks to DB tier on port 3306.)

4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on Port 3306.

2. Click X to continue.

1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on Port 3306.

2. Click X to continue.

1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on Port 22.

2. Click X to continue.

1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.

2. Click X to continue.

1. Hover over the DB Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. On the Chrome web browser, right click.

2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.

3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. On the Chrome web browser, right click.

2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.

3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. On the Chrome web browser, right click.

2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.

3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
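The reasoning the lab walks through by hand (compare the intended tier-to-tier matrix from the AWS Configuration section with what Plan Security actually observed, then ask the firewall which side is missing an allow) can be scripted against exported flow and rule data. The block below is an added example, not part of the lab and not vRealize Network Insight code. It uses the lab's names crm-web1, crm-database and aws-log-server; every other VM name, the security group names and the flow and rule records themselves are constructed for the example, and the security-group evaluation is a deliberately simplified model (allow-list only, no CIDR matching).

```python
"""Policy-vs-observed gap check for the lab's CRM application (added example)."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")
Rule = namedtuple("Rule", "group direction port target")   # direction: inbound | outbound

TIERS = ("crm-web", "crm-app", "crm-database")

# Intended communication matrix as (source tier, destination tier, port),
# transcribed from the lab's AWS Configuration steps 4 to 9.
EXPECTED_FLOWS = {
    ("internal-users", "crm-web", 80),
    ("crm-web", "crm-app", 8080),
    ("crm-app", "crm-database", 3306),
    *(("jump-box", tier, 22) for tier in TIERS),
    *((tier, "aws-dns-server", 53) for tier in TIERS),
    *((tier, "aws-log-server", 514) for tier in TIERS),
}

# Constructed VM -> tier mapping (only crm-web1, crm-database and aws-log-server
# are names from the lab; the rest are assumptions for this example).
VM_TIER = {
    "jumpbox-1": "jump-box", "corp-user-1": "internal-users",
    "crm-web1": "crm-web", "crm-app1": "crm-app", "crm-database": "crm-database",
    "aws-dns-server": "aws-dns-server", "aws-log-server": "aws-log-server",
}

# Constructed flow records, modelled on what the Plan Security view showed.
OBSERVED = [
    Flow("corp-user-1", "crm-web1", 80), Flow("crm-web1", "crm-app1", 8080),
    Flow("crm-app1", "crm-database", 3306),
    Flow("jumpbox-1", "crm-web1", 22), Flow("jumpbox-1", "crm-app1", 22),
    Flow("jumpbox-1", "crm-database", 22),
    Flow("crm-web1", "aws-dns-server", 53), Flow("crm-web1", "aws-log-server", 514),
    Flow("crm-app1", "aws-dns-server", 53), Flow("crm-app1", "aws-log-server", 514),
    Flow("crm-database", "aws-dns-server", 53),   # no port 514 flow from the DB tier
    Flow("crm-web1", "crm-database", 3306),       # constructed anomaly: web bypassing the app tier
]


def tier_flows(observed, vm_tier):
    """Project VM-level flow records onto (source tier, destination tier, port)."""
    return {(vm_tier[f.src], vm_tier[f.dst], f.port) for f in observed}


def missing_flows(expected, observed, vm_tier):
    """Intended flows that never showed up: a silent failure such as logs not reaching syslog."""
    return expected - tier_flows(observed, vm_tier)


def unexpected_flows(expected, observed, vm_tier):
    """Observed flows the intended matrix does not cover: candidates for a deny rule."""
    return tier_flows(observed, vm_tier) - expected


# Constructed security-group rules mirroring the lab's finding: the DB group has
# no outbound allow for port 514, while the shared group would accept it.
VM_SG = {
    "crm-web1": "sg-crm-web", "crm-app1": "sg-crm-app", "crm-database": "sg-crm-database",
    "aws-dns-server": "sg-shared", "aws-log-server": "sg-shared",
}
SG_RULES = [
    Rule("sg-crm-web", "outbound", 53, "sg-shared"), Rule("sg-crm-web", "outbound", 514, "sg-shared"),
    Rule("sg-crm-app", "outbound", 53, "sg-shared"), Rule("sg-crm-app", "outbound", 514, "sg-shared"),
    Rule("sg-crm-database", "outbound", 53, "sg-shared"),
    Rule("sg-shared", "inbound", 53, "any"),
    Rule("sg-shared", "inbound", 514, "sg-crm-web"), Rule("sg-shared", "inbound", 514, "sg-crm-app"),
    Rule("sg-shared", "inbound", 514, "sg-crm-database"),
]


def firewall_verdict(rules, vm_sg, src_vm, dst_vm, port):
    """Security groups are allow-lists: a flow needs an outbound allow on the source
    group AND an inbound allow on the destination group. Anything not allowed is denied,
    and the verdict names the side that lacks a rule."""
    s, d = vm_sg[src_vm], vm_sg[dst_vm]

    def allowed(group, direction, peer):
        return any(r.group == group and r.direction == direction and r.port == port
                   and r.target in (peer, "any") for r in rules)

    gaps = []
    if not allowed(s, "outbound", d):
        gaps.append("outbound allow on " + s)
    if not allowed(d, "inbound", s):
        gaps.append("inbound allow on " + d)
    return "ALLOW" if not gaps else "DENY (missing " + "; ".join(gaps) + ")"


if __name__ == "__main__":
    print("missing:   ", missing_flows(EXPECTED_FLOWS, OBSERVED, VM_TIER))
    print("unexpected:", unexpected_flows(EXPECTED_FLOWS, OBSERVED, VM_TIER))
    for src in ("crm-web1", "crm-database"):
        print(src, "-> aws-log-server:514", firewall_verdict(SG_RULES, VM_SG, src, "aws-log-server", 514))
```

Running it reports the single missing intended flow (crm-database to aws-log-server on 514), the constructed web-to-database anomaly, and a DENY verdict for the DB whose explanation points at the missing outbound allow on the DB's own group, which is the same conclusion the lab's third firewall query leads to.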

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

Services/Ports - Point in Time Service

The Services section provides an overview of flows over a specific port at a point in time, either by bytes or by allowed sessions. Look at the red highlighted area to understand how the flow is viewed in a pivot format, so that a rate flow can be delivered by hovering over a particular section.

1. Hover to gain focus over the blue block above port 5443 and notice that it presents, on demand, the sum total of flows for the last 24 hours in Gigabytes (GB) communicating over port 5443.

2. Click on the block at the intersection of Last 24 hours and PORTS 5443 to get a detailed view of the information.

Flows for Port 5443

Communicating over port 5443 for the last 24 hours, we now have a detailed understanding of how 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view

Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on the 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the plan security layout screen (once you have finished viewing the timelines for specific flows).

Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the plan security screen, marked Micro-Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).

2. Select the drop-down box and then select by Subnet.

3. We can further analyze micro-segments by secondary groups (this step is for information only).

4. Click Analyze to populate the data.

Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical, shared resources, internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.

Focus - VLAN/VXLAN

Changing the view to track flows between Prod-Web and Prod-Midtier, we will be switching from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).

Focus - Prod-Web (25)

1. Hover over Prod-Web.

2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.

3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier

(A) - At this point we have identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG-Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.

Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including the port information (DNS, HTTPS etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which include 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
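The steps above show the Plan Security view condensing observed flows (50 service endpoints, 17 external services) into a handful of group-to-group ALLOW rules such as SG-Prod-Web to SG-Prod-Midtier on port 8080. The following is an added example, not the lab's or vRealize Network Insight's own code, of the aggregation behind that recommendation: VM-level flows are mapped to security groups, one rule is planned per group pair carrying every service observed between them, and endpoints outside any planned group are reported as external services. All VM names, group names, addresses and flow records are constructed.

```python
"""
Added example, not part of the HOL-1829-01-NET lab guide and not vRealize
Network Insight code: condensing observed east-west flows into a minimal set
of recommended ALLOW rules between security groups, the way the Plan Security
view turns many service endpoints into a handful of firewall rules. All VM
names, group names, addresses and flow records below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass

EXTERNAL = "EXTERNAL"  # anything not in a planned group (Internet, shared services)


@dataclass(frozen=True)
class Flow:
    src: str        # source VM name or IP address
    dst: str        # destination VM name or IP address
    proto: str      # "tcp" / "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    services: frozenset   # {(proto, port), ...} observed for this group pair
    flows: int            # number of observed flows backing the rule
    action: str = "ALLOW"

    def render(self):
        svcs = ", ".join(f"{p}/{port}" for p, port in sorted(self.services))
        return f"{self.action} {svcs} {self.src_group} -> {self.dst_group} ({self.flows} flows)"


# Constructed VM-to-security-group membership (in the lab this comes from NSX / vRNI).
VM_TO_GROUP = {
    "Prod-Web-1": "SG-Prod-Web",
    "Prod-Web-2": "SG-Prod-Web",
    "Prod-Midtier-1": "SG-Prod-Midtier",
    "Prod-Midtier-2": "SG-Prod-Midtier",
    "Prod-Db-1": "SG-Prod-Db",
}

# Constructed sample of observed flows (a stand-in for what IPFIX export yields).
SAMPLE_FLOWS = [
    Flow("Prod-Web-1", "Prod-Midtier-1", "tcp", 8080),
    Flow("Prod-Web-2", "Prod-Midtier-1", "tcp", 8080),
    Flow("Prod-Web-1", "Prod-Midtier-2", "tcp", 8080),
    Flow("Prod-Midtier-1", "Prod-Db-1", "tcp", 3306),
    Flow("Prod-Web-1", "10.0.0.53", "udp", 53),       # DNS, outside any planned group
    Flow("Prod-Web-2", "10.0.0.53", "udp", 53),
    Flow("Prod-Web-1", "203.0.113.10", "tcp", 443),   # HTTPS to an external service
    Flow("Prod-Web-1", "Prod-Web-2", "tcp", 22),      # intra-group, not segmented here
]


def group_of(endpoint, vm_to_group):
    return vm_to_group.get(endpoint, EXTERNAL)


def plan_rules(flows, vm_to_group):
    """One ALLOW rule per (source group, destination group) pair, carrying every
    (proto, port) seen between them. Traffic inside a single group is skipped,
    an assumption made for this example: the plan segments between groups."""
    services = defaultdict(set)
    counts = defaultdict(int)
    for f in flows:
        pair = (group_of(f.src, vm_to_group), group_of(f.dst, vm_to_group))
        if pair[0] == pair[1]:
            continue
        services[pair].add((f.proto, f.dst_port))
        counts[pair] += 1
    return [Rule(src, dst, frozenset(svcs), counts[(src, dst)])
            for (src, dst), svcs in sorted(services.items())]


def rules_for_group(rules, group):
    """The rules a group takes part in, as source or destination (the
    Recommended Firewall Rules list shown when a micro-segment is focused)."""
    return [r for r in rules if group in (r.src_group, r.dst_group)]


def summarize(flows, vm_to_group):
    """Headline figures of the kind the Plan Security pane reports."""
    endpoints = {(f.dst, f.proto, f.dst_port) for f in flows}
    external = {e for e in endpoints if group_of(e[0], vm_to_group) == EXTERNAL}
    return {
        "unique_service_endpoints": len(endpoints),
        "external_service_endpoints": len(external),
        "flows": len(flows),
        "recommended_rules": len(plan_rules(flows, vm_to_group)),
    }


if __name__ == "__main__":
    for rule in plan_rules(SAMPLE_FLOWS, VM_TO_GROUP):
        print(rule.render())
    print(summarize(SAMPLE_FLOWS, VM_TO_GROUP))
```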

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says "by VLAN/VXLAN".
2. Click on "by Application".

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.

We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.

1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the name as HOL-Pre-Prod.
3. Our search criteria will be based on VM names. Under Virtual Machines, IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with the overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill, and predictive text will appear as you type).

2. Click search to continue.

The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also include the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right shows any/all Child and Parent groups in relation to Prod_Web. This identifies the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance in managing the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: the blue links will expose further detail for each firewall segment.

This module has explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses auto-fill, and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (as the lab uses static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
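Two ideas from this module meet here: the Security Group view earlier showed nested Child/Parent groups, a Translated VM Count, and firewall rules that apply to a group either directly or indirectly through a parent; the search above lists firewall-rule membership changes over a date range, including changes that reach a rule indirectly. The following is an added example, not the lab's or vRealize Network Insight's own code, that models both: it resolves nested groups to their effective VM membership, splits a group's rules into direct and indirect, and diffs two snapshots into per-rule change events that can be filtered by date window. Group names, VM names, rule ids and timestamps are constructed.

```python
"""
Added example, not part of the HOL-1829-01-NET lab guide and not vRealize
Network Insight code: resolving nested security groups to their effective
("translated") VM membership, separating rules that name a group directly
from rules inherited through a parent, and diffing two snapshots into the
firewall-rule membership-change events the lab searches for over a date
range. Group names, VM names, rule ids and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class SecurityGroup:
    name: str
    vms: set = field(default_factory=set)       # direct VM members
    children: set = field(default_factory=set)  # nested child group names


@dataclass(frozen=True)
class FirewallRule:
    rule_id: str
    source: str
    destination: str
    service: str


@dataclass(frozen=True)
class ChangeEvent:
    when: datetime
    rule_id: str
    group: str
    vm: str
    change: str  # "added" or "removed"
    kind: str    # "direct" (the group's own members changed) or "indirect" (via a child)


def translated_vms(groups, name, _seen=None):
    """Effective membership: own VMs plus those of nested children, recursively.
    Unknown names and nesting loops contribute nothing."""
    seen = set() if _seen is None else _seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    members = set(groups[name].vms)
    for child in groups[name].children:
        members |= translated_vms(groups, child, seen)
    return members


def parents_of(groups, name):
    """Every group containing `name`, directly or through further nesting."""
    ancestors, frontier = set(), {name}
    while frontier:
        frontier = {g.name for g in groups.values() if g.children & frontier} - ancestors
        ancestors |= frontier
    return ancestors


def rules_for_group(rules, groups, name):
    """Split rules into direct (the group is named) and indirect (a parent is named)."""
    ancestors = parents_of(groups, name)
    direct = [r for r in rules if name in (r.source, r.destination)]
    indirect = [r for r in rules if name not in (r.source, r.destination)
                and (r.source in ancestors or r.destination in ancestors)]
    return direct, indirect


def membership_changes(rules, before, after, when):
    """Compare the translated membership of every group a rule names between two
    snapshots; emit one event per rule per VM that joined or left."""
    events = []
    for rule in rules:
        for group in (rule.source, rule.destination):
            if group not in before and group not in after:
                continue  # e.g. "any": nothing to translate
            old, new = translated_vms(before, group), translated_vms(after, group)
            for vm in sorted(old ^ new):
                was_direct = group in before and vm in before[group].vms
                is_direct = group in after and vm in after[group].vms
                kind = "direct" if was_direct != is_direct else "indirect"
                events.append(ChangeEvent(when, rule.rule_id, group, vm,
                                          "added" if vm in new else "removed", kind))
    return events


def in_window(events, start, end):
    """The date-range filter of a Firewall Rule Membership Change search."""
    return [e for e in events if start <= e.when <= end]


# Constructed snapshot before the change: SG-Prod-App nests the Web and Midtier groups.
GROUPS_BEFORE = {g.name: g for g in (
    SecurityGroup("SG-Prod-Web", vms={"Prod-Web-1"}),
    SecurityGroup("SG-Prod-Midtier", vms={"Lab-Midtier-1", "Lab-Midtier-2"}),
    SecurityGroup("SG-Prod-Db", vms={"Prod-Db-1"}),
    SecurityGroup("SG-Prod-App", children={"SG-Prod-Web", "SG-Prod-Midtier"}),
)}
# Constructed snapshot after: one VM joins SG-Prod-Midtier, and so SG-Prod-App indirectly.
GROUPS_AFTER = {n: SecurityGroup(n, set(g.vms), set(g.children)) for n, g in GROUPS_BEFORE.items()}
GROUPS_AFTER["SG-Prod-Midtier"].vms.add("Lab-Midtier-3")
RULES = [
    FirewallRule("R1", "SG-Prod-Web", "SG-Prod-Midtier", "tcp/8080"),
    FirewallRule("R2", "SG-Prod-App", "SG-Prod-Db", "tcp/3306"),
]
CHANGED_AT = datetime(2018, 7, 15)  # constructed timestamp of the second snapshot
```

Running `membership_changes(RULES, GROUPS_BEFORE, GROUPS_AFTER, CHANGED_AT)` yields one direct event for R1 (Lab-Midtier-3 added to SG-Prod-Midtier) and one indirect event for R2 (the same VM reaching SG-Prod-App through nesting).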

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user's preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification, Firewall rule membership change).
3. Info only - Do not click - View, Edit or Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness, and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies problem determination as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at Layer 3 and the connectivity to those Layer 3 devices. Later in this module we will see some of the Layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as the firewall rules. The vRealize Network Insight platform is powerful enough that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path Topology) of all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• (30 minutes)

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for the internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. On the vRealize Network Insight home screen, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
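The check the administrator performs by hand above (the AWS Configuration matrix from earlier in this module versus the security group rules that actually exist) can be automated. The following is an added example, not part of the HOL-1829-01-NET lab or of vRealize Network Insight; security group names, rule sets and the choice to model the missing rule as an absent inbound rule on the log server's group are all constructed assumptions.

```python
"""Audit an application's intended communication matrix against AWS-style
security groups (allow-only, stateful: egress rule on the source group plus
ingress rule on the destination group, anything else is an implicit deny).
Added example for the Module 4 CRM scenario; all names and rules constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (ingress to this group) or "out" (egress from it)
    port: int        # destination port the rule allows
    peer: str        # security group at the other end of the flow


# Constructed: which security group each lab instance belongs to.
SG_OF: Dict[str, str] = {
    "jump-box": "sg-jump",
    "crm-web1": "sg-web",
    "crm-app1": "sg-app",
    "crm-database": "sg-db",
    "aws-DNS-Server": "sg-dns",
    "aws-log-server": "sg-log",
}

# Intended communication matrix, taken from the lab's AWS Configuration steps.
INTENDED_FLOWS: List[Tuple[str, str, int]] = [
    ("jump-box", "crm-web1", 80),
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    ("jump-box", "crm-database", 22),
    ("crm-database", "aws-DNS-Server", 53),
    ("crm-database", "aws-log-server", 514),
]


def _pair(src_sg: str, dst_sg: str, port: int) -> List[Tuple[str, Rule]]:
    """The two rules one flow needs: egress on the source group, ingress on the
    destination group."""
    return [(src_sg, Rule("out", port, dst_sg)), (dst_sg, Rule("in", port, src_sg))]


def build_rules(db_syslog_ingress: bool) -> Dict[str, List[Rule]]:
    """Constructed rule sets modelled on the lab description. With
    db_syslog_ingress=False the log server's group lacks the ingress rule for
    the database tier; that is an assumption about how the lab's missing rule
    looks, chosen because the lab's web tier query shows an inbound rule and
    the database tier query does not."""
    wanted: List[Tuple[str, Rule]] = []
    wanted += _pair("sg-jump", "sg-web", 80)
    wanted += _pair("sg-web", "sg-app", 8080)
    wanted += _pair("sg-app", "sg-db", 3306)
    for tier in ("sg-web", "sg-app", "sg-db"):
        wanted += _pair("sg-jump", tier, 22)    # ssh from the jump box
        wanted += _pair(tier, "sg-dns", 53)     # DNS in the Common Services VPC
        wanted += _pair(tier, "sg-log", 514)    # syslog in the Common Services VPC
    if not db_syslog_ingress:
        wanted.remove(("sg-log", Rule("in", 514, "sg-db")))
    rules: Dict[str, List[Rule]] = {sg: [] for sg in set(SG_OF.values())}
    for sg, rule in wanted:
        rules[sg].append(rule)
    return rules


def flow_allowed(rules: Dict[str, List[Rule]], src: str, dst: str,
                 port: int) -> Tuple[bool, str]:
    """Evaluate one flow under stateful security-group semantics and explain
    which side is missing when it is denied."""
    src_sg, dst_sg = SG_OF[src], SG_OF[dst]
    egress_ok = Rule("out", port, dst_sg) in rules[src_sg]
    ingress_ok = Rule("in", port, src_sg) in rules[dst_sg]
    if egress_ok and ingress_ok:
        return True, "allow"
    missing = []
    if not egress_ok:
        missing.append(f"egress on {src_sg} to {dst_sg}:{port}")
    if not ingress_ok:
        missing.append(f"ingress on {dst_sg} from {src_sg}:{port}")
    return False, "implicit deny, missing " + "; ".join(missing)


def audit(rules: Dict[str, List[Rule]]) -> List[Tuple[str, str, int, str]]:
    """Return every intended flow the rule set does not permit, with the reason."""
    failures = []
    for src, dst, port in INTENDED_FLOWS:
        ok, why = flow_allowed(rules, src, dst, port)
        if not ok:
            failures.append((src, dst, port, why))
    return failures


if __name__ == "__main__":
    for src, dst, port, why in audit(build_rules(db_syslog_ingress=False)):
        print(f"{src} -> {dst}:{port}: {why}")
```

Running it reports only the database-to-log-server flow on port 514 as denied, which is the same gap the three firewall queries above narrow down.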


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Flows for Port 5443

Communicating over port 5443 for the last 24 hours, we now have a detailed understanding of how the 20 flows are distributed by following the list of entities. You may scroll down and examine the detailed traffic. Further filters can be used on the left-hand side of the screen to filter the view for a more specific result type.

1. Click the entry to examine the detailed flow between Prod-DB-3 and Prod-DB-2 over port 5443 (the order of flows may differ from the screen above; Prod-DB-3 and Prod-DB-2 can be the seventh flow entry).

Flow Key Properties - Timeline view


Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on the 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have completed viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen marked Micro Segments. This section will focus on the subnet view and how this could be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical shared resources, the internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

Changing the view to track flows between Prod-Web and Prod-Midtier, we will be switching from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will automatically update).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by/over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on Port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including the port information (DNS, HTTPS etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
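The Recommended Firewall Rules and Services screens above reduce observed flows to a small set of allow rules between groups, plus counts of unique and external service endpoints. The following added example (not code from the HOL-1829-01-NET lab or from vRealize Network Insight) shows that reduction on constructed flow records; group membership, VM names and the 203.0.113.0/24 addresses standing in for external services are all constructed sample data.

```python
"""Derive recommended allow rules and per-group service counts from observed
flows. Added example for the Module 1 micro-segmentation screens; all
membership and flow data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

EXTERNAL = "External"  # any endpoint not in a known group


@dataclass(frozen=True)
class Flow:
    """One observed flow record, reduced to what a rule needs."""
    src: str
    dst: str
    proto: str
    dst_port: int


# Constructed: VM -> security group (the lab groups by VLAN/VXLAN, folder, subnet...).
MEMBERSHIP: Dict[str, str] = {
    "Prod-Web-1": "Prod-Web", "Prod-Web-2": "Prod-Web",
    "Prod-Midtier-1": "Prod-Midtier",
    "Prod-DB-1": "Prod-DB",
}

# Constructed flow records; 203.0.113.0/24 is a documentation range used here
# to stand in for external services.
OBSERVED: List[Flow] = [
    Flow("Prod-Web-1", "Prod-Midtier-1", "tcp", 8080),
    Flow("Prod-Web-2", "Prod-Midtier-1", "tcp", 8080),
    Flow("Prod-Web-1", "Prod-Midtier-1", "tcp", 8080),   # repeated flow record
    Flow("Prod-Web-1", "203.0.113.53", "udp", 53),
    Flow("Prod-Web-2", "203.0.113.53", "udp", 53),
    Flow("Prod-Web-1", "203.0.113.10", "tcp", 443),
    Flow("Prod-Midtier-1", "Prod-DB-1", "tcp", 3306),
]


def group_of(vm: str) -> str:
    return MEMBERSHIP.get(vm, EXTERNAL)


def recommend_rules(flows: List[Flow]) -> List[Dict]:
    """Collapse flows into one ALLOW rule per (source group, destination group,
    protocol) listing the destination ports seen, closed by a default DENY.
    This is the minimal segmentation the lab's recommendation screen shows."""
    ports: Dict[Tuple[str, str, str], Set[int]] = defaultdict(set)
    for f in flows:
        ports[(group_of(f.src), group_of(f.dst), f.proto)].add(f.dst_port)
    rules = [{"action": "ALLOW", "src": s, "dst": d, "proto": p, "ports": sorted(ps)}
             for (s, d, p), ps in sorted(ports.items())]
    rules.append({"action": "DENY", "src": "any", "dst": "any", "proto": "any", "ports": []})
    return rules


def summarize_group(flows: List[Flow], group: str) -> Dict[str, int]:
    """Counts as on the lab's Services screen for one group: unique service
    endpoints (destination, protocol, port), how many are external, flow
    records seen, and allow rules that involve the group."""
    services: Set[Tuple[str, str, int]] = set()
    external: Set[Tuple[str, str, int]] = set()
    count = 0
    for f in flows:
        if group not in (group_of(f.src), group_of(f.dst)):
            continue
        count += 1
        svc = (f.dst, f.proto, f.dst_port)
        services.add(svc)
        if group_of(f.dst) == EXTERNAL:
            external.add(svc)
    allow = [r for r in recommend_rules(flows)
             if r["action"] == "ALLOW" and group in (r["src"], r["dst"])]
    return {"unique_services": len(services), "external_services": len(external),
            "flows": count, "recommended_rules": len(allow)}


if __name__ == "__main__":
    for rule in recommend_rules(OBSERVED):
        print(rule)
    print(summarize_group(OBSERVED, "Prod-Web"))
```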

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic/flows between the tiers of the same application. The traffic/flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application - click on Add Application.


1. Under Application Name type HOL-Pre-Prod.
2. Under Tier type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names; under Virtual Machines IP Addresses type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill, and predictive text will appear as you type).

2. Click Search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view will enable the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the Source and Destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier); a new TAB will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (Example) to see how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action =ALLOW and Port=443 (the search bar uses Auto Fill, and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the Date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit/change tracking process, to understand exactly why, when and how Firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
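The two ideas the lab has just walked through in the UI, direct versus indirect (inherited) firewall rules in the Security Group Container Topology and the audit of which workloads a membership change affects, are made concrete by the following added Python example; it is not part of the lab guide or of vRealize Network Insight, and every group name, VM name, rule and nesting relationship in it is constructed sample data.

```python
"""Added example, not part of the HOL-1829-01-NET lab guide or vRealize Network Insight.

It models (1) a VM picking up firewall rules directly from its own security group and
indirectly from every parent group that group is nested in, and (2) the audit question
behind a membership change: which VMs' effective rule set changed as a result.
All group names, VM names and rules below are constructed sample data.
"""
import copy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """A distributed firewall rule applied between two security groups."""
    name: str
    source: str        # security group name
    destination: str   # security group name
    port: int          # 0 means any port (constructed convention for this example)
    action: str        # "ALLOW" or "DROP"


@dataclass
class SecurityGroup:
    name: str
    vms: set = field(default_factory=set)       # VMs that are direct members
    children: set = field(default_factory=set)  # names of nested child groups


def membership(vm, groups):
    """Map every group that contains `vm` to the nesting chain that makes it a member.

    A chain of length 1 is direct membership; a longer chain means the VM is a member
    only because its group is nested inside a parent group (the Child/Parent groups
    shown in the Security Group Container Topology).
    """
    parents = {}
    for g in groups.values():
        for child in g.children:
            parents.setdefault(child, set()).add(g.name)
    chains = {}
    stack = [(g.name, (g.name,)) for g in groups.values() if vm in g.vms]
    while stack:
        name, chain = stack.pop()
        if name in chains and len(chains[name]) <= len(chain):
            continue                      # keep the shortest chain already found
        chains[name] = chain
        for parent in parents.get(name, ()):
            if parent not in chain:       # guard against accidental nesting loops
                stack.append((parent, chain + (parent,)))
    return chains


def effective_rules(vm, groups, rules):
    """Split the rules that apply to `vm` into direct and indirect (inherited) rules."""
    member_of = membership(vm, groups)
    direct, indirect = [], []
    for rule in rules:
        for group in (rule.source, rule.destination):
            if group in member_of:
                (direct if len(member_of[group]) == 1 else indirect).append(rule)
                break                     # count each rule once
    return direct, indirect


def move_vm(groups, vm, from_group, to_group):
    """Return the group state after a membership change; the input is left untouched."""
    after = copy.deepcopy(groups)
    after[from_group].vms.discard(vm)
    after[to_group].vms.add(vm)
    return after


def impacted_vms(before, after, rules):
    """VMs whose effective rule set differs between two membership states (direct or indirect)."""
    vms = set().union(*(g.vms for g in before.values()), *(g.vms for g in after.values()))
    return sorted(vm for vm in vms
                  if effective_rules(vm, before, rules) != effective_rules(vm, after, rules))


# Constructed sample environment, loosely named after the lab's Prod_Web / Prod_MidTier groups.
GROUPS = {
    "Prod_Web": SecurityGroup("Prod_Web", vms={"Prod-Web-9"}),
    "Prod_MidTier": SecurityGroup("Prod_MidTier", vms={"Lab-Midtier-1", "Lab-Midtier-2"}),
    "Prod": SecurityGroup("Prod", children={"Prod_Web", "Prod_MidTier"}),  # parent group
    "Quarantine": SecurityGroup("Quarantine"),
}
RULES = [
    Rule("Prod_Web-to-Prod_MidTier", "Prod_Web", "Prod_MidTier", 443, "ALLOW"),
    Rule("Prod-Deny-Telnet", "Prod", "Prod", 23, "DROP"),          # inherited via Prod
    Rule("Quarantine-Isolate", "Quarantine", "Prod", 0, "DROP"),
]

if __name__ == "__main__":
    direct, indirect = effective_rules("Lab-Midtier-1", GROUPS, RULES)
    print("direct:  ", [r.name for r in direct])
    print("indirect:", [r.name for r in indirect])
    after = move_vm(GROUPS, "Lab-Midtier-2", "Prod_MidTier", "Quarantine")
    print("impacted by membership change:", impacted_vms(GROUPS, after, RULES))
```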


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section as it was based on the original search and alert notification Firewall rule membership change).
3. Info Only - Do not click - View/Edit/Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module visit www.vmware.com

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and makes problem determination, as well as visibility of the firewall and network configurations, very easy.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology
2. Click on Path

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source
2. Type dba into the source field and DBAdmin-VM1 will appear
3. Click on DBAdmin-VM1 to select it


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section that is on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field
2. Click Maximize

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map will indicate the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message will appear.

1. When done reviewing, close the pop-up windows by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, Interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes. Instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge/VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.



Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers)
2. Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button; click once to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open to the internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist, as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right click on the tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
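The three queries above isolate a designed flow that a missing rule denies. As an added example (not vRNI code and not the lab's rule export), the Python below models the lab's two-VPC design with constructed security-group names and rules, applies AWS's stateful security-group semantics (an outbound rule on the source group and an inbound rule on the destination group are both required) and reports every designed flow that no allow path covers, attributing the gap to the side that lacks the rule.

```python
"""Check the CRM application's designed flows against a constructed AWS-style
security-group rule set and report every flow that no allow path covers.
Added example, not vRNI code and not the lab's rule export: instance names
follow the lab, the security-group names and rules are constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sg: str          # security group that owns the rule
    direction: str   # "inbound" or "outbound"
    peer: str        # peer security group, or "any"
    port: int        # destination port


# Constructed mapping of lab instances to security groups (one group per tier).
SG_OF = {
    "jump-box": "sg-jump",
    "crm-web1": "sg-crm-web",
    "crm-app1": "sg-crm-app",
    "crm-database": "sg-crm-db",
    "aws-dns-server": "sg-shared-dns",
    "aws-log-server": "sg-shared-log",
}


def _tier_rules(sg):
    """Rules every CRM tier needs: outbound DNS and syslog, inbound SSH from the jump box."""
    return [
        Rule(sg, "outbound", "sg-shared-dns", 53),
        Rule(sg, "outbound", "sg-shared-log", 514),
        Rule(sg, "inbound", "sg-jump", 22),
    ]


# Constructed rule set. The deliberate gap mirrors the lab: sg-shared-log accepts
# 514 from the web and app tiers, but nobody added the rule for the DB tier.
RULES = [
    Rule("sg-jump", "outbound", "any", 22),
    Rule("sg-jump", "outbound", "sg-crm-web", 80),
    Rule("sg-crm-web", "inbound", "sg-jump", 80),
    Rule("sg-crm-web", "outbound", "sg-crm-app", 8080),
    Rule("sg-crm-app", "inbound", "sg-crm-web", 8080),
    Rule("sg-crm-app", "outbound", "sg-crm-db", 3306),
    Rule("sg-crm-db", "inbound", "sg-crm-app", 3306),
    Rule("sg-shared-dns", "inbound", "any", 53),
    Rule("sg-shared-log", "inbound", "sg-crm-web", 514),
    Rule("sg-shared-log", "inbound", "sg-crm-app", 514),
    *_tier_rules("sg-crm-web"),
    *_tier_rules("sg-crm-app"),
    *_tier_rules("sg-crm-db"),
]

# Designed flows (src, dst, port) taken from the lab's description of the two VPCs.
TIERS = ("crm-web1", "crm-app1", "crm-database")
EXPECTED_FLOWS = (
    [("jump-box", "crm-web1", 80), ("crm-web1", "crm-app1", 8080), ("crm-app1", "crm-database", 3306)]
    + [("jump-box", vm, 22) for vm in TIERS]
    + [(vm, "aws-dns-server", 53) for vm in TIERS]
    + [(vm, "aws-log-server", 514) for vm in TIERS]
)


def _matches(rule, peer_sg, port):
    return rule.port == port and rule.peer in ("any", peer_sg)


def evaluate_flow(src, dst, port, rules=RULES, sg_of=SG_OF):
    """AWS security groups are stateful: a flow passes only when the source group
    has a matching outbound rule AND the destination group has a matching inbound
    rule. Both sides are reported so a denial can be attributed to the right group."""
    src_sg, dst_sg = sg_of[src], sg_of[dst]
    rules = list(rules)
    out_ok = any(r.sg == src_sg and r.direction == "outbound" and _matches(r, dst_sg, port)
                 for r in rules)
    in_ok = any(r.sg == dst_sg and r.direction == "inbound" and _matches(r, src_sg, port)
                for r in rules)
    missing = [side for side, ok in ((f"outbound@{src_sg}", out_ok),
                                     (f"inbound@{dst_sg}", in_ok)) if not ok]
    return {"flow": (src, dst, port), "allowed": out_ok and in_ok, "missing": missing}


def find_gaps(flows=EXPECTED_FLOWS, rules=RULES, sg_of=SG_OF):
    """Designed flows the rule set denies, each with the side that lacks a rule."""
    results = (evaluate_flow(s, d, p, rules, sg_of) for s, d, p in flows)
    return [r for r in results if not r["allowed"]]


if __name__ == "__main__":
    for gap in find_gaps():
        print(gap["flow"], "DENY - missing:", ", ".join(gap["missing"]))
```

Adding the single inbound rule the report names (514 from sg-crm-db on sg-shared-log) empties the gap list, which is the check to run before and after the fix.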


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226



Flow Key Properties and Flow Key Metrics, with the help of the timeline view, give a greater understanding of the traffic between these two specific VMs over port 5443. (A) - Hover over any part of the Flow Key Metrics graph to see statistics of the flow at a specific point in time.

1. Click on 1M (last 1 month). Now hover the mouse over the green/blue lines to see a specific flow at a point in time.

Flow Key Properties - Timeline view

1. Click the browser back button (once) to return to the Plan Security layout screen (once you have finished viewing the timelines for specific flows).


Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section will focus on the subnet view and how it can be used to track flows between two or multiple points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous data range).
2. Select the drop down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups. (This step is for information only.)
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this will immediately highlight all flows and sessions from and to this network segment. Other traffic types will lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical and shared resources, the internet and other subnets. The parentheses after the network indicate the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To track flows between Prod-Web and Prod-Midtier we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop down, select the VLAN/VXLAN option (the view will update automatically).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or any construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web and includes the port information (DNS, HTTPS etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
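As an added example, not vRNI code or its output, the Python below performs the reduction the Recommended Firewall Rules view shows for Prod-Web: it collapses VM-level flow records into group-to-group ALLOW rules and records the flow and packet counts each rule would cover, so the rule set can be reviewed in order of how much traffic it justifies. The group names follow the lab; the VMs, flow records and counts are constructed.

```python
"""Derive group-level ALLOW rules from observed flows, the way the lab's
Recommended Firewall Rules view collapses Prod-Web -> Prod-Midtier traffic
into one rule. Added example with constructed data; not vRNI code or output."""
from collections import defaultdict

# Constructed VM -> security-group membership, named after the lab's groups.
# Anything not listed (an address outside the inventory) is treated as External.
GROUP_OF = {
    "prod-web-1": "Prod-Web",
    "prod-web-2": "Prod-Web",
    "prod-midtier-1": "Prod-Midtier",
    "prod-midtier-2": "Prod-Midtier",
    "prod-db-1": "Prod-DB",
    "dns-1": "Shared-Services",
    "ntp-1": "Shared-Services",
}

# Constructed flow observations: (src, dst, dst_port, protocol, packets).
FLOWS = [
    ("prod-web-1", "prod-midtier-1", 8080, "tcp", 1200),
    ("prod-web-2", "prod-midtier-1", 8080, "tcp", 900),
    ("prod-web-1", "prod-midtier-2", 8080, "tcp", 300),
    ("prod-midtier-1", "prod-db-1", 3306, "tcp", 700),
    ("prod-web-1", "dns-1", 53, "udp", 40),
    ("prod-midtier-1", "dns-1", 53, "udp", 30),
    ("prod-web-2", "ntp-1", 123, "udp", 5),
    ("203.0.113.10", "prod-web-1", 443, "tcp", 5000),  # client on a TEST-NET-3 address
]


def group_of(vm, membership=GROUP_OF):
    """Resolve a VM or address to its micro-segment; unknowns are External."""
    return membership.get(vm, "External")


def recommend_rules(flows=FLOWS, membership=GROUP_OF):
    """Collapse VM-level flows into (src_group, dst_group, proto, port) ALLOW
    rules, recording how many flows and packets each rule would cover so the
    busiest rules can be reviewed first. Traffic matching none of the returned
    rules is what a default-deny policy built from them would block."""
    agg = defaultdict(lambda: {"flows": 0, "packets": 0})
    for src, dst, port, proto, packets in flows:
        key = (group_of(src, membership), group_of(dst, membership), proto, port)
        agg[key]["flows"] += 1
        agg[key]["packets"] += packets
    ranked = sorted(agg.items(), key=lambda kv: (-kv[1]["packets"], kv[0]))
    return [{"src": s, "dst": d, "proto": p, "port": port, "action": "ALLOW", **stats}
            for (s, d, p, port), stats in ranked]


def rules_for_group(group, flows=FLOWS, membership=GROUP_OF):
    """Rules that involve one group, as the lab's Prod-Web focus view lists them."""
    return [r for r in recommend_rules(flows, membership) if group in (r["src"], r["dst"])]


def external_services(group, flows=FLOWS, membership=GROUP_OF):
    """Services a group consumes outside itself, as sorted (dst_group, proto, port)."""
    return sorted({(group_of(d, membership), p, port)
                   for s, d, port, p, _ in flows
                   if group_of(s, membership) == group and group_of(d, membership) != group})


if __name__ == "__main__":
    for rule in rules_for_group("Prod-Web"):
        print(f'{rule["action"]} {rule["src"]} -> {rule["dst"]} '
              f'{rule["proto"]}/{rule["port"]}  ({rule["flows"]} flows, {rule["packets"]} pkts)')
```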

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the dropdown which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application - click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the name as HOL-Pre-Prod.
3. Our search criteria will be based on VM names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto fill and predictive text will appear as you type).

2. Click search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right shows any/all Child and Parent groups in relation to Prod_Web. This identifies the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(the search bar uses auto fill and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned as this is static data only. This section will show how easy it is to report on any firewall rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall Rule Membership Change).
3. Info Only - Do not click - View / Edit / Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1!

In this module we introduced the minimum required steps in order to facilitate Micro-segmentation. This module further demonstrated how we achieve day zero readiness and track, report and alert on each individual object or group of objects in Real Time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both Greenfield and Brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome Web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface, which simplifies problem determination and gives visibility into the firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM to VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top of the rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will behave in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top of the rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. This shows the visual map (Path topology) of all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2!

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com/ - vRealize Network Insight.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3!

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, APP and DB.
4. Internal users of the Company can access the Web Tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 on VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. On vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1. Note that micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers). This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the yellow line to explore the flows. This will reveal flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service: port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator runs three firewall queries to establish why DB to Shared Virtual has no flow on port 514 (syslog).


1. In Chrome, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied over when the previous tab was duplicated) and type the new search query: firewall action of flows where dst vm = aws-log-server. This returns 5 results: 4 Allow (for Web and Midtier) and 1 Deny (for DB).
2. Click Search.
3. Click the DENY checkbox so we can focus on the deny result.

We can see a DENY that prevents crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In Chrome, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string (copied over when the previous tab was duplicated) and replace it with the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This returns 3 results: 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In Chrome, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied over when the previous tab was duplicated) and replace it with the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This returns only 2 results, both outbound rules. Compared with crm-web1, the inbound rule on the aws-log-server side is what is missing for crm-database, which explains the firewall behaviour from crm-database to aws-log-server.
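The intended design from the AWS Configuration section and the three firewall queries above can be checked offline with a small model of AWS security-group semantics. The following Python is an added example, not part of the lab or of vRealize Network Insight; the instance names, IP addresses and security-group names (sg-crm-db, sg-aws-log and so on) are constructed to mirror the lab description, and the missing rule is placed deliberately where the lab's queries point: crm-database has outbound rules towards aws-log-server, but aws-log-server has no inbound rule accepting traffic from it.

```python
"""Added example (not from the lab): evaluate the CRM application's required
flows against AWS-style security group rules and locate the rule the lab's
admin forgot. Groups, instances and flows are constructed to mirror the lab;
names such as sg-crm-db are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    port: int
    peer: str    # a CIDR, or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    sg: str


def _peer_matches(rule, peer):
    """Peer is a CIDR containing the other side's IP, or its group name."""
    if "/" in rule.peer:
        return ip_address(peer.ip) in ip_network(rule.peer)
    return rule.peer == peer.sg


def evaluate_flow(src, dst, proto, port, sgs):
    """AWS security groups are stateful allow-lists: a new flow needs a matching
    outbound rule on the source group AND a matching inbound rule on the
    destination group. There is no explicit DENY; anything unmatched is
    implicitly denied, which is what vRNI reports as the DENY action."""
    out_ok = any(r.proto == proto and r.port == port and _peer_matches(r, dst)
                 for r in sgs[src.sg].outbound)
    in_ok = any(r.proto == proto and r.port == port and _peer_matches(r, src)
                for r in sgs[dst.sg].inbound)
    if out_ok and in_ok:
        return "ALLOW", ""
    missing = []
    if not out_ok:
        missing.append(f"{src.sg} lacks outbound {proto}/{port} to {dst.sg}")
    if not in_ok:
        missing.append(f"{dst.sg} lacks inbound {proto}/{port} from {src.sg}")
    return "DENY", "; ".join(missing)


# Constructed topology: VPC CRM is 10.10.0.0/16, VPC Common Services is 10.20.0.0/16.
INSTANCES = {i.name: i for i in [
    Instance("jump-box", "10.10.0.10", "sg-jump"),
    Instance("crm-web1", "10.10.1.10", "sg-crm-web"),
    Instance("crm-app1", "10.10.2.10", "sg-crm-app"),
    Instance("crm-database", "10.10.3.10", "sg-crm-db"),
    Instance("aws-dns-server", "10.20.1.53", "sg-aws-dns"),
    Instance("aws-log-server", "10.20.1.14", "sg-aws-log"),
]}

SHARED_OUT = [Rule("udp", 53, "sg-aws-dns"), Rule("tcp", 514, "sg-aws-log")]
SGS = {g.name: g for g in [
    SecurityGroup("sg-jump", outbound=[Rule("tcp", 22, "10.10.0.0/16")]),
    SecurityGroup("sg-crm-web",
                  inbound=[Rule("tcp", 80, "10.0.0.0/8"), Rule("tcp", 22, "sg-jump")],
                  outbound=[Rule("tcp", 8080, "sg-crm-app")] + SHARED_OUT),
    SecurityGroup("sg-crm-app",
                  inbound=[Rule("tcp", 8080, "sg-crm-web"), Rule("tcp", 22, "sg-jump")],
                  outbound=[Rule("tcp", 3306, "sg-crm-db")] + SHARED_OUT),
    SecurityGroup("sg-crm-db",
                  inbound=[Rule("tcp", 3306, "sg-crm-app"), Rule("tcp", 22, "sg-jump")],
                  outbound=SHARED_OUT),
    SecurityGroup("sg-aws-dns", inbound=[Rule("udp", 53, "10.10.0.0/16")]),
    # The admin's omission from the lab: sg-crm-db is missing from this list.
    SecurityGroup("sg-aws-log", inbound=[Rule("tcp", 514, "sg-crm-web"),
                                         Rule("tcp", 514, "sg-crm-app")]),
]}

# Required flows from the lab's design, as (src, dst, proto, port).
TIERS = ("crm-web1", "crm-app1", "crm-database")
REQUIRED_FLOWS = (
    [("jump-box", t, "tcp", 22) for t in TIERS]
    + [("crm-web1", "crm-app1", "tcp", 8080), ("crm-app1", "crm-database", "tcp", 3306)]
    + [(t, "aws-dns-server", "udp", 53) for t in TIERS]
    + [(t, "aws-log-server", "tcp", 514) for t in TIERS]
)


def audit(flows=REQUIRED_FLOWS, instances=INSTANCES, sgs=SGS):
    """Return {(src, dst, proto, port): (action, reason)} for every flow."""
    return {f: evaluate_flow(instances[f[0]], instances[f[1]], f[2], f[3], sgs)
            for f in flows}


def firewall_action_of_flows_to(dst_name, flows=REQUIRED_FLOWS, **kw):
    """Offline equivalent of 'firewall action of flows where dst vm = <dst_name>'."""
    return {f: a for f, a in audit(flows, **kw).items() if f[1] == dst_name}


if __name__ == "__main__":
    for flow, (action, reason) in audit().items():
        print(f"{action:5} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]} {reason}")
```

Run it and the DB-to-syslog flow is the only DENY, with the reason naming the missing inbound rule. Because security groups are stateful allow-lists, a flow that vRNI shows as DENY never corresponds to an explicit deny rule in AWS; it is the absence of a matching inbound or outbound rule, so the fix is to add the missing allow on the correct side (here inbound tcp/514 on the log server's group from sg-crm-db) rather than to hunt for a deny to delete.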


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click the END button; otherwise, click a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Micro-Segments

The screen should be back and focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro-Segments. This section covers the subnet view and how it can be used to track flows between two or more points.

Note: Segmenting flows can be achieved using views that focus on VLAN/VXLAN, Subnet, Folder, Clusters, VMs, Ports, Security Tag or Security Groups.

1. Select Last 1 Day (to clear the previous date range).
2. Select the drop-down box and then select by Subnet.
3. We can further analyze micro-segments by secondary groups (this step is for information only).
4. Click Analyze to populate the data.


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this immediately highlights all flows and sessions from and to this network segment. Other traffic types lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical and shared resources, the internet and other subnets. The number in parentheses after the network indicates the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLANVXLAN

To track flows between Prod-Web and Prod-Midtier we will switch from the Subnet view to the VLAN/VXLAN view. This will expose the traffic flow and ultimately lead us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will update automatically).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - At this point we have identified 14 unique endpoints or flows communicated by, over or to potential security groups. These security groups can be based on VLANs, folders, subnets or any other construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated to secure and segment this traffic from the rest of the VLAN/VXLAN.

From the flow observation metrics, the recommendation is ALLOW on port 8080 between SG-Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows communicated by or to potential security groups are mapped, with traffic rates included.
2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including port information (DNS, HTTPS, etc.).
3. Click on Recommended Firewall Rules. From the 50 unique service endpoints, 17 external services and 425 flows, this observation metric determines that 6 firewall rules are required. This is the minimum recommended segmentation approach for the Prod-Web group.
4. Click the close icon (x) to continue.
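What the Services, External Services Accessed and Recommended Firewall Rules panes compute can be reproduced from raw flow records. The Python below is an added example, not the lab's or vRNI's code: the subnets, group names and flow records are constructed, and the rule set it produces collapses observed flows to one allow rule per source, destination and service followed by a default deny for the group, which is the minimum segmentation the steps above describe.

```python
"""Added example (not the lab's or vRNI's code): derive Services, External
Services Accessed and Recommended Firewall Rules from observed flow records.
Subnets, group names and flow records are constructed for illustration."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Candidate security groups keyed by subnet (an assumption; vRNI can also
# group by VLAN/VXLAN, folder, security tag or application tier).
GROUPS = {
    "SG-Prod-Web": ip_network("10.17.80.0/24"),
    "SG-Prod-Midtier": ip_network("10.17.81.0/24"),
    "SG-Prod-DB": ip_network("10.17.82.0/24"),
}

# Constructed flow records as (src_ip, dst_ip, proto, dst_port).
FLOWS = [
    ("10.17.80.11", "10.17.81.21", "tcp", 8080),
    ("10.17.80.12", "10.17.81.21", "tcp", 8080),
    ("10.17.80.11", "10.17.81.22", "tcp", 8080),
    ("10.17.81.21", "10.17.82.31", "tcp", 3306),
    ("10.17.80.11", "192.0.2.53", "udp", 53),      # DNS outside any group
    ("10.17.80.12", "192.0.2.53", "udp", 53),
    ("10.17.80.11", "198.51.100.7", "tcp", 443),   # HTTPS to an external service
    ("10.17.90.5", "10.17.80.11", "tcp", 22),      # jump host outside any group
]


def group_of(ip, groups=GROUPS):
    """Name of the group whose subnet contains ip, or None if external."""
    addr = ip_address(ip)
    return next((name for name, net in groups.items() if addr in net), None)


def flows_for_group(group, flows=FLOWS):
    """Every flow in which the group is source or destination (Keep Focus view)."""
    return [f for f in flows if group in (group_of(f[0]), group_of(f[1]))]


def services(group, flows=FLOWS):
    """Unique (proto, port) service endpoints seen by the group, with flow counts."""
    return dict(Counter((f[2], f[3]) for f in flows_for_group(group, flows)))


def external_services(group, flows=FLOWS):
    """(dst_ip, proto, port) destinations outside every candidate group."""
    return sorted({(dst, proto, port) for src, dst, proto, port in flows
                   if group_of(src) == group and group_of(dst) is None})


def recommended_rules(group, flows=FLOWS):
    """Collapse observed flows into one ALLOW per (source, destination, service),
    keeping the flow count as evidence, then close the group with a default
    DENY. Peers that belong to no group are kept as bare IPs so the operator
    sees exactly which external endpoint each rule admits."""
    counts = defaultdict(int)
    for src, dst, proto, port in flows_for_group(group, flows):
        counts[(group_of(src) or src, group_of(dst) or dst, proto, port)] += 1
    rules = [{"src": s, "dst": d, "service": f"{proto}/{port}", "action": "ALLOW", "flows": n}
             for (s, d, proto, port), n in sorted(counts.items())]
    rules.append({"src": "any", "dst": group, "service": "any", "action": "DENY", "flows": 0})
    return rules


if __name__ == "__main__":
    for g in GROUPS:
        print(f"{g}: {len(services(g))} services, {len(external_services(g))} external, "
              f"{len(recommended_rules(g))} rules")
        for r in recommended_rules(g):
            print(f"  {r['action']:5} {r['src']:>16} -> {r['dst']:<16} {r['service']:<9} flows={r['flows']}")
```

The caveat a practitioner will want: rules derived from observed flows are only as complete as the observation window. A monthly batch job or a failover path that did not run during the capture produces no flow, so it gets no allow rule; the Last 1 Day range used in this exercise suits the lab, but planning should cover a window that includes every periodic workload before the default deny is enforced.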

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click the drop-down that says by VLAN/VXLAN.
2. Click by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search returns 4 entities, i.e. applications already created in the system for you.
2. This page also lets you create a new application: click Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the name HOL-Pre-Prod.
3. Our search criteria will be based on VM names: under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, and need much more detail about container topology before executing or planning micro-segmentation. Let's look at how this is possible in a single view with granular integration of overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill, and predictive text appears as you type).
2. Click Search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query show Prod_MidTier at the top of the screen. The result also displays the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected security group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view enables the point-in-time state of the security group, and filters can be used to focus further on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for security group Prod_MidTier.


(B) The Security Group Container Topology on the right shows any and all child and parent groups in relation to Prod_Web. This identifies the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier rule (this launches a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any segment attached to Prod_Web and provides all the current Security Group Firewall Topology information. Feel free to click through all the segments to fully understand each related security group.
2. Click the close icon (x) on any pop-up menus you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you can see the following security event information for Prod_Web:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact these changes have on this security group.
B. Current Security Group Configuration and Firewall Rules Count, which further assist in managing the endpoints.
C. Visibility of the virtual machines in security groups, ensuring that we manage our workloads and segmentation with the correct level of efficiency.
D. Indirect Firewall Rules, which show the inherited impact and the relationships leading to Prod_Web.
E. Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment.


This module has explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segment of a virtual machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus and generate the path.

Do not click on any of the bubbles; they are for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS switch
• D - VXLAN: Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS switch port
• G - Finally, the L3 switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how security-related objects can be searched for in one simple statement, with the results exported.

Port Search

1. Type into the search bar: Firewall rule where action = ALLOW and Port = 443 (the search bar uses auto-fill, and predictive text appears as you type).
2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight they can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that exposes further information.
2. Do not click - The entire report can be exported using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.
3. For the next step, return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see which firewall membership changes occurred during a selected period. This points out any changes made directly, or indirectly as a result of membership changes, which is extremely useful for auditing and troubleshooting.


1. Type: Firewall Rule Membership Change
2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to Jul 31 (with static data, this ensures you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the selected date range. This is pivotal to the audit and change-tracking process: understanding exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and exported by following any of the live links in blue.
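The direct-versus-indirect distinction in this membership audit, and the Indirect Firewall Rules seen earlier for nested security groups, come down to flattening group nesting and diffing two snapshots. The Python below is an added example, not vRNI's implementation: the groups, rules, VM names and snapshot times are constructed to resemble the lab's Prod_MidTier and Lab-Midtier objects and its June 30 to Jul 31 window.

```python
"""Added example (not vRNI's code): firewall rule membership changes between
security-group snapshots, including indirect changes through nested groups.
Groups, rules, VM names and snapshot times are constructed for illustration."""
from datetime import datetime

# NSX DFW-style rules that reference security groups by name.
RULES = {
    "Web-to-Mid-8080": {"src": "Prod_Web", "dst": "Prod_MidTier", "service": "tcp/8080"},
    "Mid-to-DB-3306": {"src": "Prod_MidTier", "dst": "Prod_DB", "service": "tcp/3306"},
    "Prod-Deny-All": {"src": "any", "dst": "Prod_All", "service": "any"},
}

# Snapshots: group -> {"vms": [direct VM members], "groups": [child groups]}.
T0 = {
    "Prod_Web": {"vms": ["Prod-Web-1", "Prod-Web-2"]},
    "Prod_MidTier": {"vms": ["Lab-Midtier-1"]},
    "Prod_DB": {"vms": ["Prod-Db-1"]},
    "Prod_All": {"groups": ["Prod_Web", "Prod_MidTier", "Prod_DB"]},
}
T1 = {**T0, "Prod_MidTier": {"vms": ["Lab-Midtier-1", "Lab-Midtier-2"]}}
T2 = {**T1, "Prod_Web": {"vms": ["Prod-Web-1"]}}
HISTORY = [(datetime(2017, 6, 15), T0), (datetime(2017, 7, 5), T1), (datetime(2017, 7, 20), T2)]


def effective_members(groups, name, _path=()):
    """Flatten nesting: direct VMs plus the effective members of each child.
    _path stops recursion if a group is (mis)configured as its own descendant."""
    if name in _path or name not in groups:
        return set()
    members = set(groups[name].get("vms", []))
    for child in groups[name].get("groups", []):
        members |= effective_members(groups, child, _path + (name,))
    return members


def rules_for_group(name, rules=RULES):
    """Rules whose scope includes the group as source or destination."""
    return sorted(r for r, spec in rules.items() if name in (spec["src"], spec["dst"]))


def membership_changes(before, after, when, rules=RULES):
    """One event per (group, VM) whose effective membership differs between the
    snapshots. 'direct' means the VM was edited in this group; 'indirect'
    means the change arrived through a nested child group."""
    events = []
    for group in sorted(set(before) | set(after)):
        old, new = effective_members(before, group), effective_members(after, group)
        direct_diff = (set(before.get(group, {}).get("vms", []))
                       ^ set(after.get(group, {}).get("vms", [])))
        for vm in sorted(old ^ new):
            events.append({
                "time": when, "group": group, "vm": vm,
                "change": "added" if vm in new else "removed",
                "kind": "direct" if vm in direct_diff else "indirect",
                "rules": rules_for_group(group, rules),
            })
    return events


def audit_window(history, start, end):
    """history is a time-ordered list of (datetime, snapshot). Report changes for
    every transition whose newer snapshot falls within [start, end], which is
    what the lab's 'Between' date filter selects."""
    events = []
    for (_, old), (t_new, new) in zip(history, history[1:]):
        if start <= t_new <= end:
            events.extend(membership_changes(old, new, t_new))
    return events


if __name__ == "__main__":
    for e in audit_window(HISTORY, datetime(2017, 6, 30), datetime(2017, 7, 31)):
        print(f"{e['time']:%Y-%m-%d} {e['group']:<13} {e['vm']:<14} {e['change']:<7} "
              f"{e['kind']:<8} rules={','.join(e['rules']) or '-'}")
```

Indirect changes are the ones that matter most in an audit: nobody edited Prod_All, yet the effective scope of its deny rule changed twice because child groups changed. A change-tracking report keyed only on the group an operator touched misses those, which is why the lab stresses direct and indirect changes together.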


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available from any view that displays the alert icon. Although the alert can be configured in this lab, it will not be actioned, as this is static data only. This section shows how easy it is to report on any firewall rule membership changes. The alerting options are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.
2. The notification and its parameters can be adjusted as required. Populate them with your own preferences, as information is needed in order to save the alert and view it in later steps.
3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters from the Settings page. Changes can be configured to notify members of the event group based on user preference. The event you created earlier can now be tracked using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification, Firewall rule membership change).
3. Info only - Do not click - View, Edit or Activate any notifications.

Note that there are 2 types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 pre-configured default alerts. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or the users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum steps required to facilitate micro-segmentation. The module further demonstrated how to achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: security must be consistent in the face of constant change.
• Ubiquity: security must be available everywhere.
• Extensibility: security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click the END button; otherwise, click a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination and gives visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module uses the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups and so on, but in this module we will focus only on the path.

From the main console

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine the destination box will automatically appear

1. Type prod in the destination field and the list of available options will appear.
2. Select Prod-Db-2.

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to the wizard, we can also run searches manually.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) involved in the VM-to-VM network path and provides the complete routing and NAT information.
2. VM Underlay: the VM Underlay section, to the right of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network, showing the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that the list includes items such as VMs, physical switches, virtual switches, routers and NICs.

HOL-1829-01-NET

Page 55HOL-1829-01-NET

Component Overview

On the VM topology map

1 Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can for example see network information and the physical host in these details

A - Please spend some time getting an overview of the information available in this view

B - Please note that the Firewall Status indicates Unknown. In this scenario no NSX distributed firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear instead. In a segmentation review, treat an Unknown status as "no NSX policy is enforced at this vNIC" rather than as a healthy result

1 When done reviewing, close the pop-up window by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B)

1 Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running

Host - Details

A pop-up box will appear that contains the physical ESXi host

A - Spend some time to review what information is available from the host. Please do not click on any of the links

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment

C - Note that there are no NSX components on the host. For example we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0

1 When done reviewing click on the (X) in the top right corner

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network

1 On the map click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box will appear that contains the DVPG details

A - Spend some time to review what information is available from the object. Please do not click on any of the links

B - Notice that IPFIX is enabled

1 When done reviewing click on the (X) in the top right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map

1 On the map click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box will appear that contains the physical VLAN details

A - Spend some time to review what information is available from the object. Please do not click on any of the links

B - Notice the VLAN ID. This is the actual VLAN in use

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment

1 When done reviewing click on the (X) in the top right corner

Switch ports on the map

1 From the map click on the icon marked by a red square to select the Switch Port for the VM

Switch Port

A pop-up box will appear that contains the Switch Port details

This view shows the physical Layer 2 connectivity of the VM: the switch port and the VLANs it hangs off. The Layer 3 devices in the path (VRFs, routers and firewalls) are covered in the following steps of this module

A - Spend some time to review what information is available from the object. Please do not click on any of the links

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC

1 When done reviewing click on the (X) in the top right corner of the pop-up box

Physical VRF on the map

1 From the map click on the icon marked by a red square to access the Physical VRF details

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details

A - Spend some time to review what information is available from the object. Please do not click on any of the links

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device

VRF - continued

1 From the map click on the icon marked by a red square to access the next Physical VRF in the path

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details

In this scenario the second hop from the physical network perspective is a Palo Alto Networks firewall acting as a routed hop. In this view we will see the routing table as well as the firewall rules. The rules shown are not the device's whole rulebase: vRealize Network Insight filters them down to the rules applicable between the two objects we searched for. A production firewall may carry thousands of rules, but only the ones affecting the communication between the two selected VMs are displayed, which makes this view a quick way to check whether a path is actually permitted by policy rather than merely routable

A - Spend some time to review what information is available from the object. Please do not click on any of the links

1 When done reviewing click on the (X) in the top right corner of the pop up box

Note The Palo Alto integration showcased is in beta testing

VRF - continued

1 From the map click on the icon marked by a red square to access the next Physical VRF in the path

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details

A - Spend some time to review what information is available from the object. Please do not click on any of the links

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, which matters when migrating from one vendor to another

1 When done reviewing click on the (X) in the top right corner

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kind of objects we looked at previously in this module. We are not going to look at their details in this scenario as they are similar to the ones previously discussed

A - Hover the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name

B - Hover the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name

1 From the map click on the icon marked by a red square to access the next VRF in the path

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details

A - Please spend some time to review what information is available from the object. Please do not click on any of the links

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map)

C - In the details we can see the routing table and routing interface details for this particular VRF

1 When done reviewing click on the (X) in the top right corner of the pop-up box

VXLAN on the map

1 On the map click on the blue line marked by a red square to access the VXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details

A - Spend some time to review what information is available from the object. Please do not click on any of the links

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet

C - We also have visibility into which Primary Controller it is utilizing, the Hosts and the VTEPs

D - Hover the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text

E - Hover the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text

1 When done reviewing click on the X in the top right corner of the pop-up box
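
The Segment ID, underlay VLAN and VTEPs shown in this pop-up are the fields of the VXLAN encapsulation itself. The following script, added here as an example and not code from this manual or from VMware, builds one VXLAN frame with made-up VTEP addresses, underlay VLAN and VNI, then parses it back into the underlay view (what the physical switches and the VTEPs see) and the overlay view (what the VMs and the distributed firewall see). The frame is constructed inline, so the script runs offline.

```python
"""Split a VXLAN frame into its underlay (VTEP) and overlay (VM) view.

Added example for this lab; not code from the manual or from VMware.  The
frame is constructed inline with made-up MACs, VTEP addresses, VLAN and VNI,
so the script runs offline.  Checksums are left at zero and not validated.
"""
import struct

VXLAN_UDP_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def _ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header: ver/IHL, TOS, total length, id, flags/frag,
    # TTL, protocol, checksum (0), source, destination.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, _ip(src), _ip(dst))


def build_vxlan_frame(vtep_src, vtep_dst, underlay_vlan, vni, vm_src, vm_dst, dport, sport=40000):
    """Wrap a TCP SYN from vm_src:sport to vm_dst:dport in VXLAN on a tagged underlay."""
    inner_tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner_ip = _ipv4_header(vm_src, vm_dst, IPPROTO_TCP, len(inner_tcp))
    inner_eth = _mac("00:50:56:aa:bb:02") + _mac("00:50:56:aa:bb:01") + struct.pack("!H", ETHERTYPE_IPV4)
    inner = inner_eth + inner_ip + inner_tcp
    # VXLAN header: flags (I bit set), 3 reserved bytes, 24-bit VNI, 1 reserved byte.
    vxlan = bytes([0x08, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")
    udp = struct.pack("!HHHH", 50000, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    outer_ip = _ipv4_header(vtep_src, vtep_dst, IPPROTO_UDP, len(udp) + len(vxlan) + len(inner))
    outer_eth = (_mac("00:1b:21:00:00:02") + _mac("00:1b:21:00:00:01")
                 + struct.pack("!HH", ETHERTYPE_8021Q, underlay_vlan & 0x0FFF)
                 + struct.pack("!H", ETHERTYPE_IPV4))
    return outer_eth + outer_ip + udp + vxlan + inner


def _parse_eth(buf, off):
    """Return (ethertype, vlan_id or None, offset of the L3 payload)."""
    ethertype = struct.unpack_from("!H", buf, off + 12)[0]
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack_from("!HH", buf, off + 14)
        return ethertype, tci & 0x0FFF, off + 18
    return ethertype, None, off + 14


def _parse_ipv4(buf, off):
    """Return (src, dst, protocol, offset of the L4 header), honouring IHL."""
    ihl = (buf[off] & 0x0F) * 4
    src = ".".join(str(b) for b in buf[off + 12:off + 16])
    dst = ".".join(str(b) for b in buf[off + 16:off + 20])
    return src, dst, buf[off + 9], off + ihl


def parse_vxlan_frame(buf):
    """Return {'underlay': ..., 'vni': ..., 'overlay': ...} or raise ValueError."""
    ethertype, vlan, off = _parse_eth(buf, 0)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("underlay is not IPv4")
    vtep_src, vtep_dst, proto, off = _parse_ipv4(buf, off)
    if proto != IPPROTO_UDP:
        raise ValueError("underlay transport is not UDP")
    _, dport, _, _ = struct.unpack_from("!HHHH", buf, off)
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN: UDP destination port %d" % dport)
    off += 8
    if not buf[off] & 0x08:
        raise ValueError("VXLAN I flag clear, VNI is not valid")
    vni = int.from_bytes(buf[off + 4:off + 7], "big")
    in_type, _, in_off = _parse_eth(buf, off + 8)
    if in_type != ETHERTYPE_IPV4:
        raise ValueError("overlay is not IPv4")
    vm_src, vm_dst, vm_proto, l4_off = _parse_ipv4(buf, in_off)
    sport, dport = struct.unpack_from("!HH", buf, l4_off)
    return {
        "underlay": {"vlan": vlan, "src_vtep": vtep_src, "dst_vtep": vtep_dst},
        "vni": vni,
        "overlay": {"src": vm_src, "dst": vm_dst, "proto": vm_proto, "sport": sport, "dport": dport},
    }


if __name__ == "__main__":
    frame = build_vxlan_frame("10.10.20.11", "10.10.20.12", 3001, 5001, "172.16.30.10", "172.16.40.20", 3306)
    print(parse_vxlan_frame(frame))
```

The I-flag check is not decoration: a VXLAN header without it carries no valid VNI, and a collector that skipped the check could attribute the inner flow to the wrong segment. Running the module prints the parsed dictionary for the constructed frame.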

VRF - LDR

1 From the map click on the icon marked by a red square to access the VRF details

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network

A - Spend some time to review what information is available from the object. Please do not click on any of the links

B - Notice the distributed router name. We are using this device to access our corporate network

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step)

1 When done reviewing click on the (X) in the top right corner of the pop-up box

Routing - NSX Firewall

The traffic is routed through the V
RF onto the Prod-DB network, over to the next physical host (as shown with arrows)

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX

1 From the map click on the icon marked by a red square to access the NSX Firewall details (the top one of the two)

Firewall - NSX

A pop-up box will appear that contains the Firewall details

A - Spend some time to review what information is available from the object. Please do not click on any of the links

1 When done reviewing click on the (X) in the top right corner of the pop-up box

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall

1 From the map click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two)

Firewall - PAN

In this scenario we also have a VM-based Palo Alto Networks firewall that the NSX distributed firewall offloads traffic to. The NSX redirect feature (service insertion) steers the traffic matched by a redirect rule from the NSX firewall to the Palo Alto firewall for inspection, so both firewalls sit in the path of this VM. vRealize Network Insight shows both, and both rule sets have to permit a flow for it to get through

1 When done reviewing click on the (X) in the top right corner of the pop up box

Reversing the analysis

1 In the section marked by a red square in the picture click on the arrow pointing left

The route on the map will change

Reversing the analysis continued

A - The analysis is now done in the opposite direction. Please note that the path changes: instead of going through Provider-Edge 3 the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life, where the forward and return directions of a flow can take different paths (for example with equal-cost multipath routing across the edges). A stateful firewall that sees only one direction of such a flow will drop or reset it, so an asymmetric path like this is worth checking whenever a firewall sits on only one of the two edges

Please continue to the next step to conclude this module
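
The change of edge when the direction is reversed is what per-flow load sharing across several equal-cost edges produces. The script below is an added illustration, not code from this manual or from NSX: it models a generic per-flow hash (CRC32 over the 5-tuple, an assumption made for the demonstration and not NSX's actual algorithm) over three edge names that echo the lab, searches for a flow whose request and reply land on different edges, and shows the endpoint-ordered variant that keeps both directions on the same edge, which is what a stateful firewall on a single edge would need.

```python
"""Why the return path can cross a different edge: per-flow ECMP hashing.

Added example for this lab; not vRNI or NSX code.  The edge names echo the
lab, the 5-tuples are made up, and the selection rule is a generic per-flow
hash assumed for illustration, not NSX's actual algorithm.
"""
import zlib

EDGES = ("Provider-Edge-1", "Provider-Edge-2", "Provider-Edge-3")
TCP = 6


def pick_edge(src, dst, proto, sport, dport, edges=EDGES):
    """Hash the 5-tuple as seen on the wire: A->B and B->A hash independently."""
    key = "%s,%s,%d,%d,%d" % (src, dst, proto, sport, dport)
    return edges[zlib.crc32(key.encode()) % len(edges)]


def pick_edge_symmetric(src, dst, proto, sport, dport, edges=EDGES):
    """Symmetric variant: order the endpoints first so both directions agree."""
    (a, ap), (b, bp) = sorted([(src, sport), (dst, dport)])
    key = "%s,%d,%s,%d,%d" % (a, ap, b, bp, proto)
    return edges[zlib.crc32(key.encode()) % len(edges)]


def reverse(flow):
    """Return the 5-tuple of the reply traffic for a flow."""
    src, dst, proto, sport, dport = flow
    return (dst, src, proto, dport, sport)


def find_asymmetric_flow(src="172.16.30.10", dst="172.16.40.20", dport=3306, sports=range(40000, 40200)):
    """First client port whose request and reply would traverse different edges."""
    for sport in sports:
        flow = (src, dst, TCP, sport, dport)
        if pick_edge(*flow) != pick_edge(*reverse(flow)):
            return flow
    return None


if __name__ == "__main__":
    flow = find_asymmetric_flow()
    print(flow, "forward:", pick_edge(*flow), "return:", pick_edge(*reverse(flow)))
    print("symmetric:", pick_edge_symmetric(*flow), pick_edge_symmetric(*reverse(flow)))
```

With a plain per-flow hash, roughly two out of three flows in this model come back over a different edge than they left on; the symmetric variant never does, at the cost of slightly less even spreading.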


VM Underlay

Let's now focus on VM Underlay

1 The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved

2 The VM Underlay path topology is shown here
3 The components are labeled under Path Details

1 In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges

2 For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses

1 From the previous step we selected the Prod-DB-2 Virtual Machine
2 This changes the focus to the corresponding Interface IP Address (VNIC)
3 Shows the visual map (Path Topology) of all the path objects
4 Path Details shows the labels and lists the components

This concludes this module. Please continue to the next module

Conclusion

Congratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module to have a look at other components

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com and search for vRealize Network Insight

This concludes this module. Please continue to the next module

If you are looking for additional information, try one of these

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab click on the END button, else click on a module from the list above to continue

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX

This Module contains the following lessons

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username admin@corp.local
2 Password VMware1
3 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen

1 Type NSX Manager (this will list three NSX Managers)
2 Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint

1 Click on the NSX Manager address to expose the layout and detailed information

Timeline - Visual Build-up

Explore information only - Do not click

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers)

• C - Looking at the NSX Checklist Rules - ALL we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen

• E - NSX Problems will be key to understanding the issues for NSX

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information

1 Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order)

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise

1 Click the close sign (x) to continue

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release

1 Click the edge VMs icon to see detailed information about the edge services

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities

1 Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button (click once) to return to the NSX Manager information screen step

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section

1 Click and select Warning/Moderate to view problem areas

Warning/Moderate Issues

1 Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller"

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis much easier

1 Click the close sign (x) to continue

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment

1 Click here to open the interactive simulation. It will open in a new browser window or tab

2 When finished, click the "Return to the lab" link to continue with this lab

Conclusion

Congratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay)

For More Information

If you are looking for additional information, try one of these

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab click on the END button, else click on a module from the list above to continue

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances

This Module contains the following lessons

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username admin@corp.local
2 Password VMware1
3 Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab

1 We have an on-premises instance of vRealize Network Insight managing AWS
2 There are two VPCs, i.e. CRM and Common Services

3 VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB
4 Internal users of the company can access the Web tier of the CRM on port 80 internally via a jump box
5 Web tier talks to App tier on port 8080
6 App tier talks to DB tier on port 3306
7 Web tier is open for internal datacenter VMs on port 80
8 From the jump box in VPC CRM all virtual machines have SSH access on port 22
9 All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services
10 This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you

Application creation steps were discussed in Module 1 (Application-Centric Micro-Segmentation)

1 In vRealize Network Insight click on Plan Security

From the Plan Security dialogue box, under Entity select

1 Application
2 CRM
3 Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps

1 Please note that the micro-segments are already filtered by Tier
2 Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM application on port 80 internally)
3 App (App tier talks to DB tier on port 3306)
4 DB (DB tier talks to the Log Servers) - This is the problem area we are going to explore

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture

1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the yellow line to explore the flows. This will reveal flows from Web to App

1 The Web tier talks to the App tier on port 8080
2 Click X to continue

1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from App to DB

1 The App tier talks to the DB tier on port 3306
2 Click X to continue

1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App

1 DC Virtual (jump box) talks to the App tier on port 22
2 Click X to continue

1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual

1 The App tier talks to Shared Virtual on ports 53 and 514 respectively
2 Click X to continue

1 Hover over the DB micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual

1 By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

1 In the Chrome web browser right-click the tab
2 Select Duplicate from the menu

1 Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB)

2 Click Search
3 Click on the DENY checkbox so we can focus on the deny rule

We can see a DENY result which is preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server). Note that AWS security groups have no explicit deny rules and are deny-by-default: a flow is only permitted when the source group's outbound rules and the destination group's inbound rules both allow it, so a missing allow shows up here as a DENY

1 In the Chrome web browser right-click the tab
2 Select Duplicate from the menu

1 Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2 Click Search
3 This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server

1 In the Chrome web browser right-click the tab
2 Select Duplicate from the menu

1 Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2 Click Search
3 This will return 2 results, both Outbound rules. Compared with the crm-web1 query, the Inbound rule on the log server side is the one that is missing, which explains the firewall behaviour from crm-database to aws-log-server: the database is allowed to send, but nothing on aws-log-server accepts it
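
The three queries above are the manual way of answering one question: is there a pair of rules, outbound on the source and inbound on the destination, that permits crm-database to reach aws-log-server on port 514? The script below, an added example and not vRNI or AWS code, answers it offline against a constructed set of security groups shaped like the entries boto3's describe_security_groups() returns. The instance names echo the lab; the private addresses, VPC CIDR and group IDs are made up, and the missing piece is modelled as an inbound rule on the log server's group that lists the web and app groups but not the database group, which is what the Outbound-only result of the last query points to.

```python
"""Evaluate AWS security groups the way the lab's firewall queries do.

Added example for this lab, not vRNI or AWS code.  Instance names echo the lab;
the private IPs, VPC CIDR and group IDs are made up, and the group entries use
the shape boto3's describe_security_groups() returns.
"""
import copy
import ipaddress

CRM_VPC = "10.1.0.0/16"  # constructed
INSTANCES = {  # instance -> (private IP, security group), constructed
    "crm-jumpbox": ("10.1.0.5", "sg-jump"), "crm-web1": ("10.1.1.11", "sg-web"),
    "crm-web2": ("10.1.1.12", "sg-web"), "crm-app1": ("10.1.2.11", "sg-app"),
    "crm-app2": ("10.1.2.12", "sg-app"), "crm-database": ("10.1.3.11", "sg-db"),
    "aws-dns-server": ("10.2.1.10", "sg-dns"), "aws-log-server": ("10.2.1.20", "sg-log"),
}
CRM_TIERS = ["crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database"]


def rule(proto, port, cidrs=(), groups=()):
    """One IpPermissions entry for a single port ('-1' means any protocol/port)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


ANY = rule("-1", None, cidrs=("0.0.0.0/0",))
TO_SHARED = [rule("udp", 53, groups=("sg-dns",)),
             rule("udp", 514, groups=("sg-log",)), rule("tcp", 514, groups=("sg-log",))]
SECURITY_GROUPS = {
    "sg-jump": {"IpPermissions": [rule("tcp", 22, cidrs=(CRM_VPC,))], "IpPermissionsEgress": [ANY]},
    "sg-web": {"IpPermissions": [rule("tcp", 80, cidrs=("10.0.0.0/8",)), rule("tcp", 22, groups=("sg-jump",))],
               "IpPermissionsEgress": TO_SHARED + [rule("tcp", 8080, groups=("sg-app",))]},
    "sg-app": {"IpPermissions": [rule("tcp", 8080, groups=("sg-web",)), rule("tcp", 22, groups=("sg-jump",))],
               "IpPermissionsEgress": TO_SHARED + [rule("tcp", 3306, groups=("sg-db",))]},
    "sg-db": {"IpPermissions": [rule("tcp", 3306, groups=("sg-app",)), rule("tcp", 22, groups=("sg-jump",))],
              "IpPermissionsEgress": TO_SHARED},
    "sg-dns": {"IpPermissions": [rule("udp", 53, cidrs=(CRM_VPC,))], "IpPermissionsEgress": [ANY]},
    # The lab's misconfiguration: syslog is accepted from web and app, but nobody added sg-db.
    "sg-log": {"IpPermissions": [rule("udp", 514, groups=("sg-web", "sg-app"))], "IpPermissionsEgress": [ANY]},
}


def _refers_to(r, peer_ip, peer_sg):
    """Does the rule name the peer's group, or cover the peer's address by CIDR?"""
    if any(g["GroupId"] == peer_sg for g in r["UserIdGroupPairs"]):
        return True
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(c["CidrIp"]) for c in r["IpRanges"])


def _matches(r, proto, port, peer_ip, peer_sg):
    if r["IpProtocol"] != "-1" and (r["IpProtocol"] != proto or not r["FromPort"] <= port <= r["ToPort"]):
        return False
    return _refers_to(r, peer_ip, peer_sg)


def firewall_action(src, dst, proto, port, groups=SECURITY_GROUPS):
    """Like 'firewall action of flows': ALLOW only if the source group's egress AND the
    destination group's ingress match.  There is no explicit deny; a missing rule is the DENY."""
    src_ip, src_sg = INSTANCES[src]
    dst_ip, dst_sg = INSTANCES[dst]
    egress = any(_matches(r, proto, port, dst_ip, dst_sg) for r in groups[src_sg]["IpPermissionsEgress"])
    ingress = any(_matches(r, proto, port, src_ip, src_sg) for r in groups[dst_sg]["IpPermissions"])
    return "ALLOW" if egress and ingress else "DENY"


def actions_for_destination(dst, proto, port, groups=SECURITY_GROUPS, sources=CRM_TIERS):
    """Mirror of 'firewall action of flows where dst vm = <dst>' over the CRM tiers."""
    return {src: firewall_action(src, dst, proto, port, groups) for src in sources}


def rules_between(src, dst, groups=SECURITY_GROUPS):
    """Mirror of 'aws firewall rule where src vm = X and dst vm = Y' (any port)."""
    src_ip, src_sg = INSTANCES[src]
    dst_ip, dst_sg = INSTANCES[dst]
    found = [("Outbound", r) for r in groups[src_sg]["IpPermissionsEgress"] if _refers_to(r, dst_ip, dst_sg)]
    found += [("Inbound", r) for r in groups[dst_sg]["IpPermissions"] if _refers_to(r, src_ip, src_sg)]
    return found


# Flows the lab's design requires: web->app, app->db, jump box SSH, DNS and syslog.
EXPECTED_FLOWS = ([("crm-web1", "crm-app1", "tcp", 8080), ("crm-app1", "crm-database", "tcp", 3306),
                   ("crm-jumpbox", "crm-database", "tcp", 22)]
                  + [(t, "aws-dns-server", "udp", 53) for t in CRM_TIERS]
                  + [(t, "aws-log-server", "udp", 514) for t in CRM_TIERS])


def audit_expected_flows(groups=SECURITY_GROUPS, flows=EXPECTED_FLOWS):
    """Return the designed flows the given groups would deny."""
    return [f for f in flows if firewall_action(*f, groups=groups) == "DENY"]


def with_db_syslog_allowed(groups=SECURITY_GROUPS):
    """The fix: add sg-db as a source on the log server's syslog ingress rule."""
    fixed = copy.deepcopy(groups)
    fixed["sg-log"]["IpPermissions"][0]["UserIdGroupPairs"].append({"GroupId": "sg-db"})
    return fixed
```

actions_for_destination("aws-log-server", "udp", 514) reproduces the 4 Allow / 1 Deny split of the first query, rules_between reproduces the 1 Inbound / 2 Outbound and 2 Outbound counts of the other two, and with_db_syslog_allowed applies the one-line fix so that audit_expected_flows returns an empty list. The same audit run against the real groups is the check to add to a deployment pipeline, so that a tier's expected flows are verified before, not after, the logs stop arriving.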


Conclusion

Congratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management

For More Information

How to End Lab

To end your lab click on the END button, else click on a module from the list above to continue

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226


Focus - 101780 Network

A - Hover over (do not click) the 101780 network and notice that this immediately highlights all flows and sessions from and to this network segment. Other traffic types lose focus at this point, turning light blue.

The Keep Focus view creates a single visual endpoint diagram showing communication to physical and shared resources, the internet and other subnets. The number in parentheses after the network indicates the number of virtual machines. The coloured lines indicate a connected flow as OUTGOING, INCOMING or BIDIRECTIONAL.


Focus - VLAN/VXLAN

To track flows between Prod-Web and Prod-Midtier we switch from the Subnet view to the VLAN/VXLAN view. This exposes the traffic flow and ultimately leads us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will update automatically).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - At this point we have identified 14 unique endpoints or flows that are communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or any construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which include 17 external services with 425 flows, this observation metric determines that 6 firewall rules are required. This is the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
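The planning logic behind the screens above (observed flows attributed to security groups, aggregated per group pair and service port, each distinct tuple becoming one recommended ALLOW rule, and peers labelled OUTGOING, INCOMING or BIDIRECTIONAL as in the Keep Focus view) can be reproduced offline. The following Python is an added example, not code from the lab or from vRealize Network Insight; the VM names, group membership, IP addresses, ports and byte counts are all constructed.

```python
"""Recommended firewall rules from observed east-west flows.

Added example, not code from the HOL-1829-01-NET lab or from vRealize Network
Insight. Each observed flow is attributed to a security group (or to a shared
internal service or the Internet), flows are aggregated per
(source group, destination group, protocol, port) and every distinct tuple
becomes one recommended ALLOW rule. All names and numbers are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed membership of the security groups (hypothetical VM names).
GROUP_OF_VM = {
    "Prod-Web-1": "Prod-Web",
    "Prod-Web-2": "Prod-Web",
    "Prod-Midtier-1": "Prod-Midtier",
    "Prod-Midtier-2": "Prod-Midtier",
    "Prod-Db-1": "Prod-Db",
}

# Address space considered internal; anything outside it is treated as Internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed IPFIX-style flow records: (src, dst, protocol, dst_port, bytes).
# An endpoint is a VM name when the collector resolved it, otherwise an IP.
FLOWS = [
    ("Prod-Web-1", "Prod-Midtier-1", "tcp", 8080, 120_000),
    ("Prod-Web-2", "Prod-Midtier-2", "tcp", 8080, 98_000),
    ("Prod-Midtier-1", "Prod-Db-1", "tcp", 3306, 55_000),
    ("Prod-Web-1", "10.0.5.53", "udp", 53, 2_000),         # shared internal DNS
    ("Prod-Web-2", "93.184.216.34", "tcp", 443, 40_000),   # Internet HTTPS
    ("Prod-Midtier-2", "Prod-Web-1", "tcp", 8443, 7_000),  # midtier calls back to web
]


def classify(endpoint):
    """Resolve a flow endpoint to a security group, 'Shared' (internal but not
    in any group) or 'Internet'."""
    if endpoint in GROUP_OF_VM:
        return GROUP_OF_VM[endpoint]
    try:
        addr = ip_address(endpoint)
    except ValueError:
        return "Unknown"
    return "Shared" if any(addr in net for net in INTERNAL_NETS) else "Internet"


def recommend_rules(flows):
    """Aggregate flows per (src_group, dst_group, proto, port); one ALLOW rule
    each. The byte total per rule is the traffic volume the lab shows."""
    agg = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        agg[(classify(src), classify(dst), proto, port)] += nbytes
    rules = [
        {"src": s, "dst": d, "proto": p, "port": port, "action": "ALLOW", "bytes": b}
        for (s, d, p, port), b in agg.items()
    ]
    return sorted(rules, key=lambda r: (r["src"], r["dst"], r["port"]))


def rules_for_group(rules, group):
    """Rules in which `group` is source or destination: the per-group rule set
    the lab reports (6 rules for Prod-Web in the lab's own data)."""
    return [r for r in rules if group in (r["src"], r["dst"])]


def flow_direction(flows, focus):
    """Peer groups of `focus` labelled OUTGOING, INCOMING or BIDIRECTIONAL,
    the way the Keep Focus view colours its connecting lines."""
    outgoing, incoming = set(), set()
    for src, dst, *_ in flows:
        s, d = classify(src), classify(dst)
        if s == focus and d != focus:
            outgoing.add(d)
        elif d == focus and s != focus:
            incoming.add(s)
    labels = {}
    for peer in sorted(outgoing | incoming):
        if peer in outgoing and peer in incoming:
            labels[peer] = "BIDIRECTIONAL"
        else:
            labels[peer] = "OUTGOING" if peer in outgoing else "INCOMING"
    return labels


if __name__ == "__main__":
    for rule in rules_for_group(recommend_rules(FLOWS), "Prod-Web"):
        print(rule)
    print(flow_direction(FLOWS, "Prod-Web"))
```

A rule recommended from a single observed flow is only as trustworthy as the capture window; a short window misses periodic traffic and produces a rule set that blocks legitimate sessions later.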

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says "by VLAN/VXLAN".
2. Click on "by Application".

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how to define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search returns 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, and they need much more detail about container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill, and predictive text will appear as you type).

2. Click search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also include the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to focus further on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right shows any and all Child and Parent groups in relation to Prod_Web. This identifies the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this launches a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance in managing the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules ensures you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: the blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we now understand the analysis that makes up the firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier); a new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one simple statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action =ALLOW and Port=443

(the search bar uses auto-fill, and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - the result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - the entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to Jul 31 (since the lab uses static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
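The two searches above (a rule query such as "Firewall rule where action = ALLOW and Port = 443" with Save as CSV, and "Firewall Rule Membership Change" over a date range, including rules affected indirectly through nested groups) can be reproduced against exported data. The following Python is an added example, not code from the lab or from vRealize Network Insight, and it does not use the product's query language; the rule set, group nesting, VM names and change timestamps are constructed.

```python
"""Firewall rule search and membership-change audit over a date range.

Added example, not code from the HOL-1829-01-NET lab or from vRealize Network
Insight. It models three things the lab does in the UI: filter firewall rules
by attribute, list security-group membership changes between two dates, and
mark which rules those changes touch directly (the rule names the changed
group) or indirectly (the rule names a parent group that nests it).
All rule IDs, group names, VM names and timestamps are constructed.
"""
import csv
import io
from datetime import datetime

# Constructed NSX security-group nesting: child -> parent.
PARENT_OF = {"Prod_Web": "Prod_All", "Prod_MidTier": "Prod_All"}

# Constructed distributed-firewall rules; src/dst are security groups.
RULES = [
    {"id": 1001, "name": "web-to-midtier", "src": "Prod_Web", "dst": "Prod_MidTier", "port": 8080, "action": "ALLOW"},
    {"id": 1002, "name": "lb-to-web", "src": "Ext_LB", "dst": "Prod_Web", "port": 443, "action": "ALLOW"},
    {"id": 1003, "name": "prod-mgmt", "src": "Mgmt", "dst": "Prod_All", "port": 22, "action": "ALLOW"},
    {"id": 1004, "name": "deny-web-db", "src": "Prod_Web", "dst": "Prod_Db", "port": 3306, "action": "DENY"},
    {"id": 1005, "name": "admin-https", "src": "Admin", "dst": "Prod_MidTier", "port": 443, "action": "ALLOW"},
]

# Constructed membership events: (ISO timestamp, group, vm, "ADD"/"REMOVE").
EVENTS = [
    ("2017-06-15T09:00:00", "Prod_Db", "Prod-Db-3", "ADD"),
    ("2017-07-02T10:30:00", "Prod_MidTier", "Lab-Midtier-2", "ADD"),
    ("2017-07-20T16:45:00", "Prod_Web", "Prod-Web-9", "REMOVE"),
    ("2017-08-03T08:00:00", "Prod_MidTier", "Lab-Midtier-1", "REMOVE"),
]


def search_rules(rules, **criteria):
    """Rules matching every given attribute, e.g. action="ALLOW", port=443."""
    return [r for r in rules if all(r.get(k) == v for k, v in criteria.items())]


def ancestors(group):
    """The group itself followed by each parent it is nested in."""
    chain = [group]
    while chain[-1] in PARENT_OF:
        chain.append(PARENT_OF[chain[-1]])
    return chain


def membership_changes(events, start, end):
    """Events with start <= timestamp < end (the lab's 'Between' date filter)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in events if lo <= datetime.fromisoformat(e[0]) < hi]


def impacted_rules(rules, changes):
    """Map rule id -> 'direct' or 'indirect' for every rule whose effective
    scope moved because of a membership change. A direct hit wins over an
    indirect one when both apply to the same rule."""
    impact = {}
    for _, group, _, _ in changes:
        for depth, g in enumerate(ancestors(group)):
            for r in rules:
                if g in (r["src"], r["dst"]) and impact.get(r["id"]) != "direct":
                    impact[r["id"]] = "direct" if depth == 0 else "indirect"
    return impact


def export_csv(rows, fields):
    """The 'Save as CSV' of a search result, restricted to the given columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv(search_rules(RULES, action="ALLOW", port=443), ["id", "name", "src", "dst"]))
    changes = membership_changes(EVENTS, "2017-06-30", "2017-07-31")
    for rule_id, kind in sorted(impacted_rules(RULES, changes).items()):
        print(rule_id, kind)
```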


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured in this lab, the results will not be actioned, as this is static data only. This section shows how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification parameters can be adjusted as required. Populate them with your own preferences, as we will need this information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on user preference. The event that you created previously can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification "Firewall rule membership change").
3. Info only - do not click - View, Edit, Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this data in a smart user interface, which simplifies problem determination and gives visibility of the firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will appear automatically.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details shows the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square: the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. vRealize Network Insight narrows these down: the firewall rules shown are the ones applicable between the two objects we searched for. There are probably thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, for example while changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same as those we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hovermove the mouse over the icons marked with red arrow A without clicking onthe icon Notice the descriptive name

B - Hovermove the mouse over the icons marked with red arrow B without clicking onthe icon Notice the descriptive name

1 From the map click on the icon marked by a red square to access the nextVRF in the path


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and the routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the Underlay VLAN IDs, the Subnet and the Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, as well as the Hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here on, the path runs through the in-kernel (distributed) network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to reach our corporate network.

C - This device routes for us to a different interface, which in turn routes to the interface on the Prod-DB network as the next step in the path (this is illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with the arrows).

The first device it hits on the virtual network of that physical host is the firewall. Notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Notice again that there are two firewalls next to the VM: one from Palo Alto and one from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based firewall to which traffic is offloaded. The redirect feature lets the NSX distributed firewall hand selected traffic over to the Palo Alto firewall for inspection, so both the NSX rules and the PAN rules apply to this VM's traffic. When auditing what is actually enforced for a VM, check both rule sets.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This mirrors how the traffic actually behaves in real life, and is why a path should be traced in both directions when troubleshooting: the return path may traverse different devices and therefore different firewall rules.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches, including the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labelled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (Path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details available from the map, it is easy to get a quick overview of the components used in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight product page on www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight gives us full visibility from both an overlay and an underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query: it gathers CLI and metadata information from NSX in real time.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems is the key to understanding the issues affecting NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, which can be queried in real time. The Topology layout displays all the NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control-plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment does not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activity.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This highlights a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the advanced management operations capability of vRealize Network Insight. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads: increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the right hosting decisions for their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs (EC2 instances), security groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup used in this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM contains the CRM application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80, internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 1 (Define an Application).


1. In vRealize Network Insight, click on Plan Security.

In the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively (DNS and syslog).
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator runs three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).


1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server). Note that AWS security groups contain allow rules only: the DENY shown here is the implicit default deny that applies to any traffic not matched by an allow rule, which is why the fix is to add the missing allow rule rather than to remove a deny.


1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server: unlike the crm-web1 query, no Inbound rule is returned for this pair.
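The three queries above work because AWS security groups are allow-lists evaluated on both ends of a flow. The following added example (not part of the lab, and not vRNI or AWS code) models the CRM VPC from this module with constructed data and re-derives the lab's verdicts: a flow is allowed only when the source group has a matching egress rule and the destination group a matching ingress rule; anything else is the implicit deny that vRNI reports. All addresses, group names, the choice of UDP for syslog, and the placement of the missing rule on the log server's ingress side (chosen to match the two Outbound rules and no Inbound rule returned for crm-database) are assumptions for the example.

```python
"""Model of AWS security-group semantics for the lab's CRM VPC (constructed data)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp" or "udp"
    port: int       # single destination port (port ranges omitted for brevity)
    peer: str       # a CIDR, or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    sg: str


# Constructed inventory; addresses and group names are assumptions, not lab values.
INSTANCES: Dict[str, Instance] = {i.name: i for i in [
    Instance("jump-box", "10.0.0.5", "sg-jump"),
    Instance("crm-web1", "10.0.1.10", "sg-web"),
    Instance("crm-app1", "10.0.2.10", "sg-app"),
    Instance("crm-database", "10.0.3.10", "sg-db"),
    Instance("aws-dns-server", "10.1.0.10", "sg-shared"),
    Instance("aws-log-server", "10.1.0.11", "sg-shared"),
]}

CRM_VPC, SHARED_VPC = "10.0.0.0/16", "10.1.0.0/16"

GROUPS: Dict[str, SecurityGroup] = {g.name: g for g in [
    SecurityGroup("sg-jump",
                  egress=[Rule("tcp", 22, CRM_VPC), Rule("tcp", 80, "sg-web")]),
    SecurityGroup("sg-web",
                  ingress=[Rule("tcp", 80, CRM_VPC), Rule("tcp", 22, "sg-jump")],
                  egress=[Rule("tcp", 8080, "sg-app"), Rule("udp", 53, SHARED_VPC),
                          Rule("udp", 514, SHARED_VPC)]),
    SecurityGroup("sg-app",
                  ingress=[Rule("tcp", 8080, "sg-web"), Rule("tcp", 22, "sg-jump")],
                  egress=[Rule("tcp", 3306, "sg-db"), Rule("udp", 53, SHARED_VPC),
                          Rule("udp", 514, SHARED_VPC)]),
    SecurityGroup("sg-db",
                  ingress=[Rule("tcp", 3306, "sg-app"), Rule("tcp", 22, "sg-jump")],
                  egress=[Rule("udp", 53, SHARED_VPC), Rule("udp", 514, SHARED_VPC)]),
    # Assumed misconfiguration: syslog ingress was opened for the web and app subnets,
    # but nobody added the DB subnet. The DB's own egress rules are fine.
    SecurityGroup("sg-shared",
                  ingress=[Rule("udp", 53, CRM_VPC), Rule("udp", 514, "10.0.1.0/24"),
                           Rule("udp", 514, "10.0.2.0/24")]),
]}


def _matches(rule: Rule, protocol: str, port: int, other: Instance) -> bool:
    """Does this rule cover protocol/port for the given remote instance?"""
    if rule.protocol != protocol or rule.port != port:
        return False
    if rule.peer in GROUPS:                       # peer expressed as a security group
        return other.sg == rule.peer
    return ip_address(other.ip) in ip_network(rule.peer)   # peer expressed as a CIDR


def decide(src: str, dst: str, protocol: str, port: int) -> Tuple[str, bool, bool]:
    """Return (verdict, egress_ok, ingress_ok) for one flow.

    Security groups are allow-lists with an implicit default deny: the source group
    needs a matching egress rule AND the destination group a matching ingress rule.
    The two booleans say which side is missing its rule.
    """
    s, d = INSTANCES[src], INSTANCES[dst]
    egress_ok = any(_matches(r, protocol, port, d) for r in GROUPS[s.sg].egress)
    ingress_ok = any(_matches(r, protocol, port, s) for r in GROUPS[d.sg].ingress)
    return ("ALLOW" if egress_ok and ingress_ok else "DENY", egress_ok, ingress_ok)


def audit(flows):
    """Evaluate the flows the design requires; return the denied ones with the failing side."""
    denied = []
    for src, dst, proto, port in flows:
        verdict, egress_ok, ingress_ok = decide(src, dst, proto, port)
        if verdict == "DENY":
            denied.append((src, dst, proto, port, egress_ok, ingress_ok))
    return denied


# The application's designed dependencies, taken from the lab description above.
EXPECTED_FLOWS = [
    ("jump-box", "crm-web1", "tcp", 80),
    ("jump-box", "crm-database", "tcp", 22),
    ("crm-web1", "crm-app1", "tcp", 8080),
    ("crm-app1", "crm-database", "tcp", 3306),
    ("crm-app1", "aws-dns-server", "udp", 53),
    ("crm-database", "aws-dns-server", "udp", 53),
    ("crm-web1", "aws-log-server", "udp", 514),
    ("crm-database", "aws-log-server", "udp", 514),
]

if __name__ == "__main__":
    for src, dst, proto, port, egress_ok, ingress_ok in audit(EXPECTED_FLOWS):
        side = "destination ingress" if egress_ok else "source egress"
        print(f"DENY {src} -> {dst} {proto}/{port}: missing {side} rule")
```

Running the script reports a single denied flow, crm-database to aws-log-server on 514, and names the side that lacks the rule, which is the same conclusion the three vRNI queries reach. Checking both directions matters in practice: a rule list that looks complete from the source's point of view (the two Outbound rules) can still be blocked by the destination's ingress, and vice versa.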


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This gives visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Focus - VLAN/VXLAN

To track the flows between Prod-Web and Prod-Midtier we switch from the Subnet view to the VLAN/VXLAN view. This exposes the traffic flow and ultimately leads us to the recommended firewall rules.

1. From the filter drop-down, select the VLAN/VXLAN option (the view will update automatically).


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier


(A) - At this point we have identified 14 unique endpoints or flows that are communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or any other construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment this traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, of which 17 are external services with 425 flows, this observation metric determines that 6 firewall rules are required. This is the minimum recommended segmentation for the Prod-Web group.

4. Click the close icon (x) to continue.
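To make the flow-to-rule step above concrete, here is an added example (not code from the lab or from vRealize Network Insight) that aggregates constructed flow records into per-group ALLOW rules carrying the flow counts that justify them, lists a group's external service endpoints, and appends the default DENY that turns a list of recommendations into actual segmentation. All group names, addresses and flows below are hypothetical.

```python
"""Added example: derive minimal allow rules from observed flows between security groups.

Constructed data only; the group names, IPs and flows are hypothetical and are not
exported from the lab environment.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str   # "TCP" or "UDP"
    dst_port: int
    byte_count: int


# Hypothetical IP -> security group mapping (the "container" each VM belongs to).
GROUP_OF = {
    "10.0.1.10": "SG-Prod-Web", "10.0.1.11": "SG-Prod-Web",
    "10.0.2.10": "SG-Prod-Midtier", "10.0.2.11": "SG-Prod-Midtier",
    "10.0.3.10": "SG-Prod-Db",
}

# Constructed flow records, as a flow collector would deliver them.
FLOWS = [
    Flow("10.0.1.10", "10.0.2.10", "TCP", 8080, 120_000),
    Flow("10.0.1.11", "10.0.2.11", "TCP", 8080, 98_000),
    Flow("10.0.2.10", "10.0.3.10", "TCP", 3306, 45_000),
    Flow("10.0.1.10", "192.0.2.53", "UDP", 53, 400),       # outbound DNS
    Flow("10.0.1.10", "203.0.113.9", "TCP", 443, 2_000),   # outbound HTTPS
    Flow("198.51.100.7", "10.0.1.10", "TCP", 443, 5_000),  # inbound from outside
]


def group_for(ip):
    """Anything not in a known group is treated as External."""
    return GROUP_OF.get(ip, "External")


def recommend_rules(flows):
    """Collapse individual flows into one ALLOW rule per (src group, dst group, protocol, port).

    Each rule carries the number of flows and bytes that justify it, so a reviewer can
    challenge rules backed by a single low-volume flow before applying them.
    """
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        key = (group_for(f.src_ip), group_for(f.dst_ip), f.protocol, f.dst_port)
        agg[key]["flows"] += 1
        agg[key]["bytes"] += f.byte_count
    return [
        {"src": s, "dst": d, "protocol": p, "port": port, "action": "ALLOW", **m}
        for (s, d, p, port), m in sorted(agg.items())
    ]


def rules_between(rules, a, b):
    """Rules covering traffic from group a to group b (one direction only)."""
    return [r for r in rules if r["src"] == a and r["dst"] == b]


def external_services(flows, group):
    """Service endpoints outside every known group that talk with `group`, either direction."""
    services = set()
    for f in flows:
        src_g, dst_g = group_for(f.src_ip), group_for(f.dst_ip)
        if src_g == group and dst_g == "External":
            services.add(("out", f.dst_ip, f.protocol, f.dst_port))
        elif dst_g == group and src_g == "External":
            services.add(("in", f.src_ip, f.protocol, f.dst_port))
    return services


def policy_for_group(rules, group):
    """Ordered policy for one group: its observed ALLOW rules followed by a default DENY.

    Without the final deny the recommended rules only document traffic; they do not segment it.
    """
    allows = [r for r in rules if group in (r["src"], r["dst"])]
    deny = {"src": "any", "dst": group, "protocol": "any", "port": "any", "action": "DENY"}
    return allows + [deny]


if __name__ == "__main__":
    for r in recommend_rules(FLOWS):
        print(f'{r["action"]:5} {r["src"]:16} -> {r["dst"]:16} '
              f'{r["protocol"]}/{r["port"]:<5} flows={r["flows"]} bytes={r["bytes"]}')
    print("External services for SG-Prod-Web:", sorted(external_services(FLOWS, "SG-Prod-Web")))
```

Run as a script it prints the five aggregated rules; the two Prod-Web to Prod-Midtier flows collapse into the single TCP/8080 rule the lab recommends, and the three external peers of Prod-Web appear as the "external services" list.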

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier is a collection of VMs selected by user-defined filter criteria. Applications let you create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application; traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal its services.


We shall now explore how to define an application.

Define an Application

1. In the search bar type Application.
2. Click the Search button.

1. The Application search returns 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.


1. Under Application Name type HOL-Pre-Prod.
2. Under Tier type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines, IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security groups and parameters already in place, and need much more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with the overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill and predictive text will appear as you type).

2. Click Search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query show Prod_MidTier at the top of the screen. The result also includes the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group page provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the view selects the point-in-time state of the Security Group, and filters can be used to focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right shows any and all Child and Parent groups in relation to Prod_MidTier. This identifies the nesting and hierarchy of security groups, which matters for policy review: a rule written against a parent group is inherited by every VM in its child groups, so a membership change in a nested group silently changes the scope of the parent's rules.


1. Click and select the Prod_Web to Prod_Midtier rule (this launches a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for each segment attached to Prod_MidTier and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you can see the following security event information for Prod_MidTier:

A. Events - shows any changes for Prod_MidTier (direct or indirect) and the impact these changes have on this security group.

B. Current Security Group Configuration and Firewall Rules Count - further assistance in managing the endpoints.

C. Virtual Machines in Security Groups - visibility of the VMs ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Indirect Firewall Rules - rules inherited through group nesting; use this to understand the inherited impact and the relationship leading to Prod_MidTier.

E. Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment.


This module has explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus and generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS Switch
• D - VXLAN: Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, the L3 switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one simple statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(The search bar uses auto-fill and predictive text will appear as you type.)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the firewall rule search possibilities and the insight they can offer.

1. Do not click - the result is grouped for convenience and allows the user to query each rule individually. This is a live link that exposes further information.

2. Do not click - the entire report can be exported using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will run a time-based search to see what firewall rule membership changes occurred during a selected period. This points out any changes made directly, or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting: a VM added to a security group inherits every rule that references that group (or a parent of it) without any firewall rule itself being edited, so tracking rule edits alone misses it.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range June 30 to Jul 31 (since the lab uses static data, this ensures you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the selected date range. This is pivotal to the audit and change-tracking process: understanding exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
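The two ideas that the Security Group topology section (nested child and parent groups, direct versus indirect firewall rules) and this membership-change audit rely on can be shown in one place. The following is an added example, not code from the lab or from vRealize Network Insight: it resolves effective membership through nested groups, classifies rules as direct or indirect for a group, and produces a CSV audit of membership changes inside a date window together with the rules whose effective scope each change altered. All group names, VM names, rule IDs and timestamps are constructed for the example.

```python
"""Added example: resolve nested security-group membership and audit membership changes.

All group names, VM names, rule IDs and timestamps below are constructed for the example
and are not taken from the lab environment.
"""
import csv
import io
from datetime import datetime

# Constructed group tree. A parent group inherits the VMs of every nested child group.
GROUPS = {
    "Prod_All":     {"vms": set(), "children": {"Prod_Web", "Prod_MidTier"}},
    "Prod_Web":     {"vms": {"Prod-Web-1", "Prod-Web-2"}, "children": set()},
    "Prod_MidTier": {"vms": {"Lab-Midtier-1"}, "children": set()},
}

# Constructed firewall rules keyed by the groups they reference.
RULES = [
    {"id": 1001, "name": "Prod_Web to Prod_MidTier", "src": "Prod_Web", "dst": "Prod_MidTier",
     "service": "TCP/8080", "action": "ALLOW"},
    {"id": 1002, "name": "Default deny into Prod_All", "src": "any", "dst": "Prod_All",
     "service": "any", "action": "DENY"},
]

# Constructed membership-change events: (timestamp, group, vm, change).
EVENTS = [
    (datetime(2017, 6, 15, 8, 0), "Prod_Web", "Prod-Web-1", "added"),
    (datetime(2017, 7, 3, 10, 0), "Prod_MidTier", "Lab-Midtier-2", "added"),
    (datetime(2017, 7, 20, 9, 30), "Prod_Web", "Prod-Web-2", "removed"),
    (datetime(2017, 8, 2, 14, 0), "Prod_Web", "Prod-Web-3", "added"),
]

# The lab's audit window (June 30 to July 31), as datetimes.
AUDIT_WINDOW = (datetime(2017, 6, 30), datetime(2017, 7, 31, 23, 59, 59))


def effective_members(groups, name, _seen=None):
    """Direct VMs plus VMs inherited through nested children; tolerates cycles."""
    _seen = _seen or set()
    if name in _seen:
        return set()
    _seen.add(name)
    members = set(groups[name]["vms"])
    for child in groups[name]["children"]:
        members |= effective_members(groups, child, _seen)
    return members


def ancestors(groups, name):
    """Every group that contains `name` directly or through further nesting."""
    found = set()
    frontier = [name]
    while frontier:
        current = frontier.pop()
        for parent, spec in groups.items():
            if current in spec["children"] and parent not in found:
                found.add(parent)
                frontier.append(parent)
    return found


def direct_rules(rules, group):
    """Rules that name `group` as source or destination."""
    return [r for r in rules if group in (r["src"], r["dst"])]


def indirect_rules(rules, groups, group):
    """Rules that apply to `group` only because they reference one of its ancestors."""
    parents = ancestors(groups, group)
    return [r for r in rules if r["src"] in parents or r["dst"] in parents]


def membership_changes(events, groups, rules, start, end):
    """Events in [start, end] with the rules whose effective scope each change altered."""
    rows = []
    for ts, group, vm, change in sorted(events):
        if not start <= ts <= end:
            continue
        rows.append({
            "time": ts.isoformat(), "group": group, "vm": vm, "change": change,
            "direct_rules": [r["id"] for r in direct_rules(rules, group)],
            "indirect_rules": [r["id"] for r in indirect_rules(rules, groups, group)],
        })
    return rows


def to_csv(rows):
    """Export the audit rows, mirroring the lab's 'Save as CSV' idea."""
    fields = ["time", "group", "vm", "change", "direct_rules", "indirect_rules"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for row in rows:
        writer.writerow({**row,
                         "direct_rules": " ".join(map(str, row["direct_rules"])),
                         "indirect_rules": " ".join(map(str, row["indirect_rules"]))})
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(membership_changes(EVENTS, GROUPS, RULES, *AUDIT_WINDOW)))
```

The event that adds Lab-Midtier-2 to Prod_MidTier touches no firewall rule directly, yet the audit row lists both the direct ALLOW rule 1001 and the inherited DENY rule 1002 from the parent group Prod_All, which is exactly the indirect impact the lab's Indirect Firewall Rules panel is meant to surface.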


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available from any view that displays the alert icon. Although the alert can be configured in this lab, the results will not be actioned as this is static data only. This section shows how easy it is to report on any firewall rule membership changes. The alerting options are: immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification parameters can be adjusted as required. Populate them with your own preferences, as we need this information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters via the Settings page. Changes can be configured to notify members of the event group based on user preference. The event you created earlier can now be tracked using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info only - do not click - View, Edit or Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 pre-configured default alerts. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest). Leaving every system event at never notify means conditions the platform already detects go unreported; review the list and enable notification for the events that matter in your environment.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. The module further demonstrated how to achieve day-zero readiness and how to track, report and alert on each individual object or group of objects in real time. Using the east-west traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: security must be consistent in the face of constant change
• Ubiquity: security must be available everywhere
• Extensibility: security must adapt to new situations

For additional information about the functionality showcased in this module visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab click on the END button, or click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies problem determination as well as visibility into firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module uses the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will focus only on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will appear automatically.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also perform manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section, to the right of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear. Unknown therefore means no distributed firewall was seen on this VM, not that there is no firewall in the path; the physical firewalls on the path are shown later in this module.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled. This matters because the flow records behind the micro-segmentation recommendations in Module 1 are exported from the distributed switch via IPFIX; a port group with IPFIX disabled contributes no flows to that analysis.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop in the physical network happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop in the physical network is a Palo Alto router. In this view we see the routing table as well as firewall rules. vRealize Network Insight filters the rule set down to the firewall rules applicable between the two objects we searched for: a normal network will have thousands of firewall rules, but these are the ones affecting communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop in the physical network is an Arista device. Information is available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, for example when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kind of object we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse over) the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), underlay VLAN IDs, subnet and underlay subnet.

C - We also have visibility into which Primary Controller it is using, as well as the hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it hits on the virtual network on the physical host is the firewall. Notice that there are two firewalls next to the VM: one from Palo Alto and one from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Notice that there are two firewalls next to the VM: one from Palo Alto and one from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows traffic matching NSX firewall rules to be redirected from the NSX distributed firewall to the PAN firewall for inspection.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life, and it is why a path must be checked in both directions: a stateful firewall that sits on only one of the two paths sees only half of the conversation.

Please continue to the next step to conclude this module.
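The hop-by-hop path the map draws, the per-hop routing tables it exposes, the "applicable firewall rules between the two objects" shown on the Palo Alto hop, and the asymmetric return path above can all be reproduced on a small constructed topology. The following is an added example, not code from the lab or from vRealize Network Insight: it walks longest-prefix-match routing tables from source to destination, detects black holes and loops, and reports only the firewall rules on hops in the path whose prefixes cover the pair. The device names, addresses, routes and rules are hypothetical and only loosely modelled on the lab's hop names.

```python
"""Added example: trace a VM-to-VM path hop by hop with longest-prefix-match routing.

The routing tables, device names and addresses below are constructed for the example
(loosely modelled on the lab's hop names) and are not data exported from the lab.
"""
import ipaddress

# Endpoint VMs and their (hypothetical) addresses.
HOSTS = {"DBAdmin-VM1": "172.16.29.5", "Prod-Db-2": "10.20.30.12"}

# Per-hop routing tables: (prefix, next hop). "connected" means the prefix is local
# to that hop and the destination host is reached directly.
ROUTES = {
    "DBAdmin-VM1":     [("0.0.0.0/0", "Nexus-7000")],
    "Nexus-7000":      [("172.16.29.0/24", "connected"), ("0.0.0.0/0", "PAN-Router")],
    "PAN-Router":      [("10.20.0.0/16", "Arista"), ("172.16.0.0/12", "Nexus-7000")],
    "Arista":          [("10.20.0.0/16", "Provider-Edge-3"), ("0.0.0.0/0", "PAN-Router")],
    "Provider-Edge-3": [("10.20.0.0/16", "LDR-Corporate"), ("0.0.0.0/0", "Arista")],
    "Provider-Edge-2": [("10.20.0.0/16", "LDR-Corporate"), ("0.0.0.0/0", "Arista")],
    # The distributed router prefers a different edge for its default route, which
    # is what makes the return path asymmetric.
    "LDR-Corporate":   [("10.20.30.0/24", "connected"), ("0.0.0.0/0", "Provider-Edge-2")],
    "Prod-Db-2":       [("0.0.0.0/0", "LDR-Corporate")],
}

# Firewall rules held by hops that filter traffic: (src prefix, dst prefix, action).
FIREWALL = {
    "PAN-Router": [
        ("172.16.0.0/12", "10.20.0.0/16", "ALLOW"),
        ("0.0.0.0/0", "10.20.30.0/24", "DENY"),
    ],
}


def lookup(table, ip):
    """Longest-prefix match: the most specific prefix containing ip wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(src, dst, routes=ROUTES, hosts=HOSTS, max_hops=32):
    """Follow the next hops from src to dst; fails loudly on a black hole or loop."""
    dst_ip = hosts[dst]
    path, current = [src], src
    for _ in range(max_hops):
        next_hop = lookup(routes[current], dst_ip)
        if next_hop is None:
            raise LookupError(f"{current} has no route to {dst_ip}")
        if next_hop == "connected":
            path.append(dst)
            return path
        if next_hop in path:
            raise LookupError(f"routing loop at {next_hop}: {path}")
        path.append(next_hop)
        current = next_hop
    raise LookupError(f"hop limit {max_hops} exceeded: {path}")


def applicable_rules(path, src, dst, firewall=FIREWALL, hosts=HOSTS):
    """Only the rules on hops in the path whose src and dst prefixes both cover this pair."""
    s, d = ipaddress.ip_address(hosts[src]), ipaddress.ip_address(hosts[dst])
    hits = []
    for hop in path:
        for src_pfx, dst_pfx, action in firewall.get(hop, []):
            if s in ipaddress.ip_network(src_pfx) and d in ipaddress.ip_network(dst_pfx):
                hits.append((hop, src_pfx, dst_pfx, action))
    return hits


if __name__ == "__main__":
    forward = trace("DBAdmin-VM1", "Prod-Db-2")
    reverse = trace("Prod-Db-2", "DBAdmin-VM1")
    print("forward:", " -> ".join(forward))
    print("reverse:", " -> ".join(reverse))
    print("rules on forward path:", applicable_rules(forward, "DBAdmin-VM1", "Prod-Db-2"))
    print("rules on reverse path:", applicable_rules(reverse, "Prod-Db-2", "DBAdmin-VM1"))
```

With these tables the forward path crosses Provider-Edge-3 and the reverse path crosses Provider-Edge-2, and the PAN-Router rules that cover the forward direction do not cover the reverse direction at all; a stateful firewall on that hop would only ever see the client-to-server half of the flow, which is the operational reason for checking both directions.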


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, to the right of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path Topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components involved in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab click on the END button, or click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

HOL-1829-01-NET

Page 85HOL-1829-01-NET

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.
• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).
• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.
• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the topology. Each object can be queried individually within the same screen.
• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.
2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open for internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist, as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. On the vRealize Network Insight screen, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
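The same diagnosis can be reproduced offline. The following is an added example, not code from the lab manual or from vRNI: the intended CRM traffic matrix is the one listed under AWS Configuration, while the observed flows, the VM names other than those on the page, and the security-group rules are constructed sample data, modelled in the allow-only, default-deny style of AWS security groups so that the missing rule surfaces as the DENY the lab's query shows.

```python
"""Added example (not part of HOL-1829-01-NET or of vRNI): check the intended
CRM three-tier communication against observed flows and security-group rules.
All VM names except those on the page, the observed flows and the rule set
are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source vm, destination vm, destination port)

# Intended communication, taken from the "AWS Configuration" list in the lab.
INTENDED: List[Flow] = [
    ("crm-web1", "crm-app1", 8080),          # Web -> App
    ("crm-app1", "crm-database", 3306),      # App -> DB
    ("jumpbox", "crm-web1", 22),             # jump-box -> every VM, SSH
    ("jumpbox", "crm-app1", 22),
    ("jumpbox", "crm-database", 22),
    ("crm-web1", "aws-DNS-Server", 53),      # every tier -> DNS (Common Services VPC)
    ("crm-app1", "aws-DNS-Server", 53),
    ("crm-database", "aws-DNS-Server", 53),
    ("crm-web1", "aws-log-server", 514),     # every tier -> syslog (Common Services VPC)
    ("crm-app1", "aws-log-server", 514),
    ("crm-database", "aws-log-server", 514),
]

# Constructed sample of what flow collection saw: everything except DB -> syslog.
OBSERVED: Set[Flow] = set(INTENDED) - {("crm-database", "aws-log-server", 514)}

@dataclass(frozen=True)
class Rule:
    """One security-group entry. AWS groups are allow-only: a flow needs an
    outbound allow on the source and an inbound allow on the destination;
    anything else is implicitly denied."""
    vm: str
    direction: str   # "inbound" or "outbound"
    peer: str        # source vm (inbound) or destination vm (outbound)
    port: int

TIERS = ("crm-web1", "crm-app1", "crm-database")

# Constructed rule set; the inbound entry for DB -> log server is the one that is absent.
RULES: List[Rule] = [
    Rule("crm-app1", "inbound", "crm-web1", 8080),
    Rule("crm-web1", "outbound", "crm-app1", 8080),
    Rule("crm-database", "inbound", "crm-app1", 3306),
    Rule("crm-app1", "outbound", "crm-database", 3306),
    *[Rule(vm, "inbound", "jumpbox", 22) for vm in TIERS],
    *[Rule("jumpbox", "outbound", vm, 22) for vm in TIERS],
    *[Rule("aws-DNS-Server", "inbound", vm, 53) for vm in TIERS],
    *[Rule(vm, "outbound", "aws-DNS-Server", 53) for vm in TIERS],
    Rule("aws-log-server", "inbound", "crm-web1", 514),
    Rule("aws-log-server", "inbound", "crm-app1", 514),
    *[Rule(vm, "outbound", "aws-log-server", 514) for vm in TIERS],
]

def missing_flows(intended: List[Flow], observed: Set[Flow]) -> List[Flow]:
    """Intended flows for which no traffic was ever observed."""
    return [f for f in intended if f not in observed]

def firewall_action(flow: Flow, rules: List[Rule]) -> Dict[str, str]:
    """Evaluate one flow the way the lab's 'firewall action of flows' query
    reports it, and say which side of the pair lacks an allow entry."""
    src, dst, port = flow
    out_ok = any(r.vm == src and r.direction == "outbound"
                 and r.peer == dst and r.port == port for r in rules)
    in_ok = any(r.vm == dst and r.direction == "inbound"
                and r.peer == src and r.port == port for r in rules)
    return {
        "action": "ALLOW" if out_ok and in_ok else "DENY",
        "src_outbound": "allow" if out_ok else "missing",
        "dst_inbound": "allow" if in_ok else "missing",
    }

def diagnose(intended=INTENDED, observed=OBSERVED, rules=RULES) -> Dict[Flow, Dict[str, str]]:
    """Map every intended-but-unseen flow to its firewall verdict."""
    return {f: firewall_action(f, rules) for f in missing_flows(intended, observed)}

def rules_for(src: str, dst: str, rules: List[Rule]) -> List[Rule]:
    """Equivalent of 'aws firewall rule where src vm = X and dst vm = Y'."""
    return [r for r in rules
            if (r.vm == src and r.direction == "outbound" and r.peer == dst)
            or (r.vm == dst and r.direction == "inbound" and r.peer == src)]

if __name__ == "__main__":
    for flow, verdict in diagnose().items():
        print(flow, verdict)
    for r in rules_for("crm-database", "aws-log-server", RULES):
        print(r)
```

With this data the only unseen intended flow is crm-database to aws-log-server on 514, and the verdict points at the destination's missing inbound entry, which is the fix the lab concludes the administrator forgot.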

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Focus - Prod-Web (25)

1. Hover over Prod-Web.
2. Click on Keep Focus, as we will follow the traffic for this group to see which ports are in use and why.
3. Click on the line joining Prod-Web and Prod-Midtier.

Flows - Prod-Web to Prod-Midtier

(A) - We have at this point identified 14 unique endpoints or flows that are being communicated by, over or to potential security groups. These security groups are based on VLANs, folders, subnets or a construct that can be defined.

1. Click on the recommended firewall rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment traffic from the rest of the VLAN/VXLAN.

Due to the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG-Prod-Midtier.

1. Click the close icon (x) to continue.

Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.

1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.
2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and includes the port information (DNS, HTTPS etc.).
3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.
4. Click the close icon (x) to continue.
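The recommended-rule and external-services views above both reduce to one aggregation over observed flows grouped by security group. The following is an added example, not code from the lab manual or from vRNI, and its aggregation is a simplified stand-in for vRNI's, not its algorithm; the group membership, VM names and flow records are constructed sample data.

```python
"""Added example (not part of HOL-1829-01-NET or of vRNI): collapse observed
flows into recommended allow rules per (source group, destination group,
protocol) and list the external services a group reaches. Group membership
and flow records below are constructed sample data."""
from typing import Dict, List, NamedTuple, Set, Tuple

class Flow(NamedTuple):
    src: str      # source VM or external endpoint
    dst: str      # destination VM or external endpoint
    proto: str    # "TCP" or "UDP"
    port: int     # destination port
    volume: int   # bytes observed in the window

# Constructed membership (vRNI derives groups from VLAN/VXLAN, folder, subnet ...).
GROUPS: Dict[str, str] = {
    "prod-web-1": "Prod-Web", "prod-web-2": "Prod-Web", "prod-web-9": "Prod-Web",
    "prod-mid-1": "Prod-Midtier", "prod-mid-2": "Prod-Midtier",
    "prod-db-1": "Prod-DB",
}

# Constructed flow sample. Endpoints not in GROUPS count as external services.
FLOWS: List[Flow] = [
    Flow("prod-web-1", "prod-mid-1", "TCP", 8080, 120_000),
    Flow("prod-web-2", "prod-mid-2", "TCP", 8080, 98_000),
    Flow("prod-web-9", "prod-mid-1", "TCP", 8080, 5_000),
    Flow("prod-mid-1", "prod-db-1", "TCP", 3306, 40_000),
    Flow("prod-web-1", "10.0.0.53", "UDP", 53, 2_000),        # DNS
    Flow("prod-web-2", "10.0.0.53", "UDP", 53, 1_500),
    Flow("prod-web-1", "203.0.113.10", "TCP", 443, 30_000),   # HTTPS to an external API
    Flow("198.51.100.7", "prod-web-1", "TCP", 443, 75_000),   # inbound client traffic
    Flow("198.51.100.8", "prod-web-2", "TCP", 443, 60_000),
]

def group_of(endpoint: str) -> str:
    return GROUPS.get(endpoint, "External")

def flows_touching(group: str, flows: List[Flow] = FLOWS) -> List[Flow]:
    """Everything entering or leaving the focused group (the 'Keep Focus' view)."""
    return [f for f in flows if group in (group_of(f.src), group_of(f.dst))]

def external_services(group: str, flows: List[Flow] = FLOWS) -> Set[Tuple[str, str, int]]:
    """External endpoints the group talks to, with protocol and port."""
    return {(f.dst, f.proto, f.port) for f in flows_touching(group, flows)
            if group_of(f.src) == group and group_of(f.dst) == "External"}

def recommend_rules(group: str, flows: List[Flow] = FLOWS) -> List[Dict]:
    """One ALLOW rule per (src group, dst group, protocol) carrying the ports
    seen, ordered by traffic volume. Anything not covered is left to the
    default deny that micro-segmentation relies on."""
    agg: Dict[Tuple[str, str, str], Dict] = {}
    for f in flows_touching(group, flows):
        key = (group_of(f.src), group_of(f.dst), f.proto)
        entry = agg.setdefault(key, {"ports": set(), "flows": 0, "volume": 0})
        entry["ports"].add(f.port)
        entry["flows"] += 1
        entry["volume"] += f.volume
    return [
        {"src": s, "dst": d, "proto": p, "action": "ALLOW",
         "ports": sorted(v["ports"]), "flows": v["flows"], "volume": v["volume"]}
        for (s, d, p), v in sorted(agg.items(), key=lambda kv: -kv[1]["volume"])
    ]

if __name__ == "__main__":
    for rule in recommend_rules("Prod-Web"):
        print(rule)
    print(sorted(external_services("Prod-Web")))
```

For this sample the first recommendation is ALLOW TCP 8080 from Prod-Web to Prod-Midtier, the same rule the lab shows, followed by the inbound client traffic and the two external services.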

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic/flows between the tiers of the same application. Traffic/flows can also be visualized between applications.

1. Under Micro-segments, click on the drop-down which says "by VLAN/VXLAN".
2. Click on "by Application".

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

You can see, as per the previous micro-segmentation planning exercise, the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.

We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.
2. This page also lets you create a new application - click on Add Application.

1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the name as HOL-Pre-Prod.
3. Our search criteria will be based on VM names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see Hol-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill, and predictive text will appear as you type).
2. Click Search to continue.

The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view will enable the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right will show any/all child and parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web, and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.
2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.
B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.
C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.
D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.
E. Direct Firewall Rules - NOTE: the blue links will expose further detail for each firewall segment.

This module explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action =ALLOW and Port=443

(the search bar uses auto-fill, and predictive text will appear as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the Date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how Firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info Only - Do not click - View, Edit, Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate Micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both Green- or Brown-field deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome Web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface, which simplifies problem determination as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map will indicate the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, the path details indicate the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message will appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, Interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, on the right side of the VM Path topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge/VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems Section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of the Logical networking out of sync between host and NSX Controller.

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the “Return to the lab” link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM hosts the CRM application, which comprises three tiers, i.e. Web, App, and DB.
4. Internal users of the company access the Web tier of the CRM on port 80, internally via the jump box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means that a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 1 (Define an Application).


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.
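The tier design above is, in effect, an intended flow matrix, and the lab is about to compare it with what the flows actually show. As an added example (not part of the lab and not vRealize Network Insight code), the Python script below performs the same comparison directly on AWS VPC Flow Log records: the intended flows are transcribed from the AWS Configuration steps, while the instance names, private addresses and log lines are constructed to mirror that design and are not data from the lab environment. It reports which intended flows were accepted, which were only ever rejected, which never appeared in the window, and which accepted flows the design does not cover.

```python
"""Reconcile the intended three-tier flows with observed AWS VPC Flow Log records.

Added example: the instance names, private addresses and log lines below are
constructed to mirror the lab's CRM / Common Services design; they are not
data from the lab environment.
"""
from collections import defaultdict

# Hypothetical instance -> private IP mapping (assumption, not from the lab).
INSTANCES = {
    "jump-box":       "10.10.0.10",
    "crm-web1":       "10.10.1.11",
    "crm-app1":       "10.10.2.21",
    "crm-database":   "10.10.3.31",
    "aws-dns-server": "10.20.0.53",
    "aws-log-server": "10.20.0.54",
}
IP_TO_NAME = {ip: name for name, ip in INSTANCES.items()}

# Intended policy, transcribed from the AWS Configuration steps: (src, dst, dst port).
INTENDED = {
    ("jump-box", "crm-web1", 80),
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    ("jump-box", "crm-web1", 22),
    ("jump-box", "crm-app1", 22),
    ("jump-box", "crm-database", 22),
    ("crm-web1", "aws-dns-server", 53),
    ("crm-app1", "aws-dns-server", 53),
    ("crm-database", "aws-dns-server", 53),
    ("crm-web1", "aws-log-server", 514),
    ("crm-app1", "aws-log-server", 514),
    ("crm-database", "aws-log-server", 514),
}

# Constructed VPC Flow Log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 111122223333 eni-0a1b 10.10.0.10 10.10.1.11 51020 80 6 12 3400 1507600000 1507600060 ACCEPT OK
2 111122223333 eni-0a1b 10.10.1.11 10.10.2.21 44021 8080 6 30 9200 1507600000 1507600060 ACCEPT OK
2 111122223333 eni-0a1b 10.10.2.21 10.10.3.31 39877 3306 6 48 20100 1507600000 1507600060 ACCEPT OK
2 111122223333 eni-0a1b 10.10.0.10 10.10.3.31 50111 22 6 8 1200 1507600000 1507600060 ACCEPT OK
2 111122223333 eni-0a1b 10.10.3.31 10.20.0.53 40002 53 17 2 180 1507600000 1507600060 ACCEPT OK
2 111122223333 eni-0a1b 10.10.2.21 10.20.0.54 40003 514 17 5 900 1507600000 1507600060 ACCEPT OK
2 111122223333 eni-0a1b 10.10.3.31 10.20.0.54 40004 514 17 3 540 1507600000 1507600060 REJECT OK
2 111122223333 eni-0a1b 10.10.0.10 10.10.3.31 50112 3306 6 4 320 1507600000 1507600060 ACCEPT OK
2 111122223333 eni-0a1b - - - - - - - 1507600000 1507600060 - NODATA
"""


def parse_flow_log(text):
    """Yield (src_name, dst_name, dst_port, action) for each usable record."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[13] != "OK":
            continue  # skip NODATA / SKIPDATA records and malformed lines
        src, dst, dst_port, action = fields[3], fields[4], int(fields[6]), fields[12]
        yield IP_TO_NAME.get(src, src), IP_TO_NAME.get(dst, dst), dst_port, action


def reconcile(intended, records):
    """Classify each intended flow as accepted / rejected / unseen and list extras.

    Only the client->server direction is keyed (by destination port), so the
    return half of a connection, with its ephemeral port, is not counted twice.
    """
    observed = defaultdict(set)
    for src, dst, port, action in records:
        observed[(src, dst, port)].add(action)
    report = {"accepted": set(), "rejected": set(), "unseen": set(), "unexpected": set()}
    for flow in intended:
        actions = observed.get(flow, set())
        if "ACCEPT" in actions:
            report["accepted"].add(flow)
        elif "REJECT" in actions:
            report["rejected"].add(flow)
        else:
            report["unseen"].add(flow)
    for flow, actions in observed.items():
        if flow not in intended and "ACCEPT" in actions:
            report["unexpected"].add(flow)  # traffic the design never asked for
    return report


if __name__ == "__main__":
    result = reconcile(INTENDED, parse_flow_log(SAMPLE_LOG))
    for bucket in ("rejected", "unseen", "unexpected"):
        for src, dst, port in sorted(result[bucket]):
            print(f"{bucket:10s} {src} -> {dst}:{port}")
```

With the constructed sample, the DB to aws-log-server syslog flow is the only intended flow that appears solely as REJECT, which is the condition the lab goes on to find in the UI. The "unexpected" bucket (here the jump box reaching the database on 3306) is the other half of micro-segmentation planning: traffic that is allowed today but is not in the design, and that a tightened rule set would remove.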


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on port 53 (DNS) and port 514 (syslog).
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have any flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and type the new search query:

firewall action of flows where dst vm = aws-log-server

This will return 5 results, i.e. 4 Allow (for the web and mid tiers) and 1 Deny (for the DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny result.

We can see a DENY action that is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string:

aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string:

aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return only 2 results, both outbound rules. Compared with the crm-web1 query, the inbound rule on aws-log-server is missing, which explains the firewall behaviour from crm-database to aws-log-server.
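The three queries above work because AWS security groups are allow-only and stateful: a connection is permitted only if the source group has an outbound rule for it and the destination group has an inbound rule for it, so an inbound rule that exists for crm-web1 but not for crm-database is exactly the kind of gap that shows up as one DENY among the ALLOWs. As an added example (not the lab's or vRNI's code), the Python script below applies that evaluation to data in the shape returned by `aws ec2 describe-security-groups` (the IpPermissions and IpPermissionsEgress lists). The group IDs, addresses and rules are constructed to reproduce the lab's finding and are not taken from the lab environment.

```python
"""Check intended flows against AWS security group rules.

Added example, not part of the lab or of vRealize Network Insight. Works on
the data shape returned by `aws ec2 describe-security-groups`. The group IDs,
CIDRs, instance addresses and rules are constructed to mirror the lab's
finding: aws-log-server admits syslog from the web and app groups, but nobody
added the database group.
"""
import ipaddress

# "All traffic" entry as AWS returns it: protocol -1 and no port range.
ALL = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}


def sg_rule(proto, port, *, groups=(), cidrs=()):
    """Build one IpPermission entry in the describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed groups (placeholder IDs; not from the lab).
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [sg_rule("tcp", 80, cidrs=["10.10.0.0/24"])],
     "IpPermissionsEgress": [ALL]},
    {"GroupId": "sg-app", "IpPermissions": [sg_rule("tcp", 8080, groups=["sg-web"])],
     "IpPermissionsEgress": [ALL]},
    {"GroupId": "sg-db",
     "IpPermissions": [sg_rule("tcp", 3306, groups=["sg-app"]),
                       sg_rule("tcp", 22, cidrs=["10.10.0.0/24"])],
     # Two outbound rules only, as the lab's third query showed for crm-database.
     "IpPermissionsEgress": [sg_rule("udp", 53, groups=["sg-shared"]),
                             sg_rule("udp", 514, groups=["sg-shared"])]},
    {"GroupId": "sg-shared",
     "IpPermissions": [sg_rule("udp", 53, groups=["sg-web", "sg-app", "sg-db"]),
                       sg_rule("udp", 514, groups=["sg-web", "sg-app"])],  # sg-db absent
     "IpPermissionsEgress": [ALL]},
]

# Constructed instance -> (security group, private IP) mapping (assumption).
INSTANCES = {
    "crm-web1":       ("sg-web", "10.10.1.11"),
    "crm-app1":       ("sg-app", "10.10.2.21"),
    "crm-database":   ("sg-db", "10.10.3.31"),
    "aws-dns-server": ("sg-shared", "10.20.0.53"),
    "aws-log-server": ("sg-shared", "10.20.0.54"),
}


def _permits(rule, proto, port, peer_group, peer_ip):
    """Does a single IpPermission entry cover proto/port for this peer?"""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    if any(p["GroupId"] == peer_group for p in rule.get("UserIdGroupPairs", [])):
        return True  # referenced by security group
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def evaluate(groups, src, dst, proto, port):
    """Allow-only, stateful semantics: the client->server direction must be
    permitted by BOTH the source group's egress and the destination group's
    ingress. Returns (allowed, list of missing-rule descriptions)."""
    by_id = {g["GroupId"]: g for g in groups}
    src_sg, src_ip = INSTANCES[src]
    dst_sg, dst_ip = INSTANCES[dst]
    egress_ok = any(_permits(r, proto, port, dst_sg, dst_ip)
                    for r in by_id[src_sg]["IpPermissionsEgress"])
    ingress_ok = any(_permits(r, proto, port, src_sg, src_ip)
                     for r in by_id[dst_sg]["IpPermissions"])
    missing = []
    if not egress_ok:
        missing.append(f"{src_sg}: no egress rule for {proto}/{port} to {dst_sg}")
    if not ingress_ok:
        missing.append(f"{dst_sg}: no ingress rule for {proto}/{port} from {src_sg}")
    return egress_ok and ingress_ok, missing


def find_gaps(groups, intended):
    """Return {(src, dst, proto, port): [missing rules]} for each blocked intended flow."""
    gaps = {}
    for flow in intended:
        allowed, missing = evaluate(groups, *flow)
        if not allowed:
            gaps[flow] = missing
    return gaps


# Intended flows from the lab's AWS Configuration that involve these instances.
INTENDED = [
    ("crm-web1", "crm-app1", "tcp", 8080),
    ("crm-app1", "crm-database", "tcp", 3306),
    ("crm-web1", "aws-log-server", "udp", 514),
    ("crm-app1", "aws-log-server", "udp", 514),
    ("crm-database", "aws-log-server", "udp", 514),
    ("crm-database", "aws-dns-server", "udp", 53),
]

if __name__ == "__main__":
    for flow, why in find_gaps(SECURITY_GROUPS, INTENDED).items():
        print(flow, "->", "; ".join(why))
```

The check names the side that is missing, which is the detail the UI query leaves for the reader to infer: crm-database's two outbound rules are fine, so the fix belongs on aws-log-server's inbound side. Because the script only consumes the describe-security-groups shape, the constructed list can be replaced with the real JSON output to run the same reconciliation against a live account.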


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility, and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226



(A) - We have at this point identified 14 unique endpoints or flows that are communicated by, over, or to potential security groups. These security groups are based on VLANs, folders, subnets, or any construct that can be defined.

1. Click on the Recommended Firewall Rules.

Flows - Recommended Firewall Rules

Based on the observed analysis of the traffic flow between Prod-Web and Prod-Midtier, a recommended firewall rule has been generated in order to secure and segment the traffic from the rest of the VLAN/VXLAN.

Based on the flow observation metrics, the recommendation is ALLOW on port 8080 between SG Prod-Web and SG Prod-Midtier.

1. Click the close icon (x) to continue.


Multiple Ports and Firewall Rules for Prod-Web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows, and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints or flows that are communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, which have 17 external services with 425 flows, this observation metric determines that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
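The reduction the panel performs, from hundreds of flows and dozens of service endpoints down to a handful of group-to-group rules, is a grouping exercise: each observed flow is mapped to the security group of its source and destination, endpoints with no group are treated as external, and the result is collapsed into one allow rule per (source group, destination group, protocol). As an added example, not code from the lab or from vRealize Network Insight, the Python script below does that for a focused group. The VM names, group membership and flow records are constructed; in practice the flows would come from an IPFIX collector and the membership from the inventory.

```python
"""Derive recommended allow rules from observed flows for one focused group,
in the spirit of the lab's "Recommended Firewall Rules" panel.

Added example, not part of the lab or of vRealize Network Insight. The flow
records, VM names and group membership below are constructed.
"""
from collections import defaultdict

EXTERNAL = "EXTERNAL"

# Constructed VM -> security group membership (assumption).
MEMBERSHIP = {
    "Prod-Web-1": "SG-Prod-Web", "Prod-Web-2": "SG-Prod-Web",
    "Prod-Midtier-1": "SG-Prod-Midtier", "Prod-Midtier-2": "SG-Prod-Midtier",
    "Prod-Db-1": "SG-Prod-Db",
}

# Constructed flow records: (src, dst, protocol, dst port, bytes).
FLOWS = [
    ("Prod-Web-1", "Prod-Midtier-1", "tcp", 8080, 48_000),
    ("Prod-Web-2", "Prod-Midtier-2", "tcp", 8080, 51_000),
    ("Prod-Web-1", "Prod-Midtier-1", "tcp", 8080, 2_000),
    ("10.1.1.5", "Prod-Web-1", "tcp", 443, 120_000),       # external client
    ("10.1.1.6", "Prod-Web-2", "tcp", 443, 98_000),
    ("Prod-Web-1", "192.168.100.53", "udp", 53, 600),      # external DNS
    ("Prod-Web-2", "192.168.100.53", "udp", 53, 580),
    ("Prod-Web-1", "Prod-Db-1", "tcp", 3306, 4_000),       # web -> db, observed but suspect
    ("Prod-Midtier-1", "Prod-Db-1", "tcp", 3306, 70_000),  # does not touch the focus group
]


def group_of(endpoint, membership):
    """Map a VM or address to its group; anything not in inventory is external."""
    return membership.get(endpoint, EXTERNAL)


def recommend_rules(flows, membership, focus_group):
    """Summarise the flows touching focus_group and collapse them into the
    minimal set of (src group, dst group, protocol, ports) allow rules."""
    services, external, rules = set(), set(), defaultdict(set)
    flow_count = 0
    for src, dst, proto, port, _bytes in flows:
        sg, dg = group_of(src, membership), group_of(dst, membership)
        if focus_group not in (sg, dg):
            continue
        flow_count += 1
        services.add((dst, proto, port))  # one service endpoint per server:port
        for end, grp in ((src, sg), (dst, dg)):
            if grp == EXTERNAL:
                external.add((end, proto, port))
        rules[(sg, dg, proto)].add(port)  # many flows fold into one rule
    recommended = [(sg, dg, proto, tuple(sorted(ports)))
                   for (sg, dg, proto), ports in sorted(rules.items())]
    return {"flows": flow_count, "unique_services": len(services),
            "external_services": len(external), "rules": recommended}


if __name__ == "__main__":
    summary = recommend_rules(FLOWS, MEMBERSHIP, "SG-Prod-Web")
    print(f"{summary['flows']} flows, {summary['unique_services']} services, "
          f"{summary['external_services']} external, {len(summary['rules'])} rules")
    for src, dst, proto, ports in summary["rules"]:
        print(f"ALLOW {src} -> {dst} {proto}/{','.join(map(str, ports))}")
```

Note the rule the script recommends for SG-Prod-Web to SG-Prod-Db on 3306: it is there only because such a flow was observed. Recommendations derived from traffic describe what the environment does, not what it should do, so each one is a candidate to review against the application design before it becomes a firewall rule.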

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the dropdown which says "by VLAN/VXLAN".
2. Click on "by Application".

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming, and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application - click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the name HOL-Pre-Prod.
3. Our search criteria will be based on VM names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type NSX Security Group Prod_MidTier (the search bar uses auto-fill and predictive text will appear as you type).

2. Click Search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_MidTier at the top of the screen. The result will also display the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables a point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right shows any and all child and parent groups in relation to Prod_MidTier. This identifies the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for each segment attached to Prod_MidTier and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_MidTier:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count, which also provide further assistance in managing the endpoints.

C. Visibility of the Virtual Machines in Security Groups, ensuring that we manage our workloads and segmentation with the correct level of efficiency.

D. Indirect Firewall Rules, which ensure you understand the inherited impact and the relationships leading to Prod_MidTier.

E. Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment.


This module has explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segment of a virtual machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS switch port
• G - Finally, showing the L3 switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(the search bar uses auto-fill and predictive text will appear as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the firewall rule search possibilities and the insight this can offer.

1. Do not click - the result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - the entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step, we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what firewall membership changes occurred during a selected period. This will point out any changes made directly, or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to July 31 (as the lab uses static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change-tracking process, to understand exactly why, when, and how firewall rules changed.

The changes can now easily be tracked, audited, and also exported by following any of the live links in blue.
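The reason a membership change is worth auditing is that a firewall rule written against a security group changes scope whenever the group's effective membership changes, and with nested groups that can happen without anyone touching the rule or the group it names ("indirectly", in the search's terms). As an added example, not code from the lab or from vRealize Network Insight, the Python script below takes two snapshots of group membership, resolves nested groups, and reports for each rule which VMs entered or left its source and destination scope and whether the cause was direct or indirect. The group names, snapshots and rule are constructed to resemble the lab's Prod_Web / Prod_MidTier / Lab-Midtier containers.

```python
"""Audit which firewall rules change scope when security group membership
changes, including indirect changes through nested groups.

Added example, not part of the lab or of vRealize Network Insight. The two
snapshots, group names and rule are constructed; a real audit would take them
from successive inventory collections.
"""


def effective_members(group, groups, _seen=None):
    """Resolve a group's VM set, following nested child groups (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if group in _seen or group not in groups:
        return set()
    _seen.add(group)
    members = set(groups[group]["vms"])
    for child in groups[group]["children"]:
        members |= effective_members(child, groups, _seen)
    return members


def membership_changes(before, after, rules):
    """For every rule, report VMs that entered or left its source/destination
    scope between two snapshots, and whether the cause was direct (the named
    group's own VM list changed) or indirect (a nested group changed)."""
    report = []
    for rule in rules:
        for side in ("src", "dst"):
            grp = rule[side]
            old, new = effective_members(grp, before), effective_members(grp, after)
            if old == new:
                continue
            own_before = set(before.get(grp, {}).get("vms", ()))
            own_after = set(after.get(grp, {}).get("vms", ()))
            report.append({
                "rule": rule["name"], "side": side, "group": grp,
                "added": sorted(new - old), "removed": sorted(old - new),
                "cause": "direct" if own_before != own_after else "indirect",
            })
    return report


# Constructed snapshots: Prod_MidTier nests Lab-Midtier, as the lab's container
# topology view shows for that group.
BEFORE = {
    "Prod_Web":     {"vms": {"Prod-Web-1", "Prod-Web-2"}, "children": set()},
    "Lab-Midtier":  {"vms": {"Lab-Midtier-1"}, "children": set()},
    "Prod_MidTier": {"vms": {"Prod-Midtier-1"}, "children": {"Lab-Midtier"}},
}
AFTER = {
    "Prod_Web":     {"vms": {"Prod-Web-1"}, "children": set()},                 # VM removed directly
    "Lab-Midtier":  {"vms": {"Lab-Midtier-1", "Lab-Midtier-2"}, "children": set()},
    "Prod_MidTier": {"vms": {"Prod-Midtier-1"}, "children": {"Lab-Midtier"}},   # grows indirectly
}
RULES = [{"name": "Prod_Web to Prod_Midtier", "src": "Prod_Web", "dst": "Prod_MidTier"}]

if __name__ == "__main__":
    for change in membership_changes(BEFORE, AFTER, RULES):
        print(change)
```

With the constructed snapshots the single rule reports two changes: its source lost Prod-Web-2 directly, and its destination gained Lab-Midtier-2 without Prod_MidTier itself being edited. The second case is the one that a review of the rule or of its named group alone would miss, which is why the audit resolves effective membership rather than comparing group definitions.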


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any firewall rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The Notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters by using the Settings page. Changes can be configured to notify members of the event group based on user preference. The event that you created previously can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall Rule Membership Change).
3. Info only - do not click - View / Edit / Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report, and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface, which simplifies problem determination as well as visibility of the firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: this view details the routers, Edges, or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top-left icon marked with a red square, the virtual machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes many details made available by VMware Tools; we can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. Unknown therefore means "no NSX distributed firewall in this VM's data path", not "protected". If NSX components were in use but malfunctioning, an error message would appear instead.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could follow these links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host: for example, the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled. IPFIX export from the distributed switch is the source of the flow data vRealize Network Insight analyzes; a port group with IPFIX disabled would contribute no flows.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are looking purely at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto device. In this view we see its routing table as well as its firewall rules. The rules shown are not the device's whole policy: vRealize Network Insight filters them down to the rules applicable between the two objects we searched for. A normal network will have thousands of firewall rules, but these are the ones affecting communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased here is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. Information is available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, which matters when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of object we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in the previous steps) are an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, along with its Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel (distributed) routing.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network of that physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

As noted above, there are two firewalls next to the VM: one from Palo Alto and one from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The NSX redirect feature steers selected traffic from the NSX distributed firewall to the PAN firewall for inspection, so both sets of rules apply to this VM's traffic.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis is now done in the opposite direction. Please note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life. Asymmetric forward and return paths like this are worth checking whenever stateful firewalls sit in the path, because a firewall that never saw the initial request may drop the reply.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

With an endpoint selected:

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (Path Topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is easy to get a quick overview of the components involved in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual Topology is important for understanding the environment. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This highlights a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


WarningModerate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads; increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the right hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lesson:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally, via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter's VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist, as configured by the administrator; this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Define an Application).


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump-box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 (DNS) and 514 (syslog) respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

In the flow details:

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

In the new tab:

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.

3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which prevents crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.


1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.

3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

For the third query:

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

In the new tab:

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.

3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server. Compared with the crm-web1 query, the Inbound rule is missing: the database's security group permits the traffic out, but the log server's security group has no rule admitting it from the database, so the flow is denied.
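The three-query investigation above can be expressed as code. The following is an added example, not part of this lab and not vRealize Network Insight or AWS code: it models the security-group semantics the queries rely on (a flow is permitted only if the source instance's group allows it outbound and the destination instance's group allows it inbound; security groups are allow-only, so an unmatched flow is implicitly denied) and runs a gap analysis of the intended CRM flows against observed flows. The security-group names (sg-web, sg-app, sg-db, sg-shared, sg-jump), the private addresses, the rule set and the observed-flow sample are all constructed to mirror the scenario described in this module; the instance names are the lab's. The example also shows the verdict after adding the inbound rule the administrator forgot, which the lab describes but does not perform.

```python
"""Intended-vs-observed flow gap analysis for the CRM application, with a
security-group evaluator that explains why a missing flow is blocked.
Everything below is constructed for illustration: it mirrors the CRM scenario
this module describes but is not data exported from vRealize Network Insight
or AWS, and the group names, addresses and rules are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    port: int       # TCP destination port
    peer: str       # security-group name ("sg-...") or a CIDR ("10.0.0.0/8")


# Instance -> security group, one group per tier (constructed).
INSTANCE_SG = {
    "jump-box": "sg-jump", "crm-web1": "sg-web", "crm-app1": "sg-app",
    "crm-database": "sg-db", "aws-dns-server": "sg-shared", "aws-log-server": "sg-shared",
}
# Private addresses, used only by CIDR-based rules (constructed).
INSTANCE_IP = {
    "jump-box": "10.20.0.5", "crm-web1": "10.30.1.10", "crm-app1": "10.30.2.10",
    "crm-database": "10.30.3.10", "aws-dns-server": "10.40.0.53", "aws-log-server": "10.40.0.14",
}
# Security-group rules (constructed). sg-shared accepts syslog (514) from the
# web and app groups but not from sg-db: that is the rule the administrator forgot.
SG_RULES = {
    "sg-jump": [Rule("outbound", 80, "sg-web"), Rule("outbound", 22, "sg-web"),
                Rule("outbound", 22, "sg-app"), Rule("outbound", 22, "sg-db")],
    "sg-web": [Rule("inbound", 80, "10.0.0.0/8"), Rule("inbound", 22, "sg-jump"),
               Rule("outbound", 8080, "sg-app"), Rule("outbound", 53, "sg-shared"),
               Rule("outbound", 514, "sg-shared")],
    "sg-app": [Rule("inbound", 8080, "sg-web"), Rule("inbound", 22, "sg-jump"),
               Rule("outbound", 3306, "sg-db"), Rule("outbound", 53, "sg-shared"),
               Rule("outbound", 514, "sg-shared")],
    "sg-db": [Rule("inbound", 3306, "sg-app"), Rule("inbound", 22, "sg-jump"),
              Rule("outbound", 53, "sg-shared"), Rule("outbound", 514, "sg-shared")],
    "sg-shared": [Rule("inbound", 53, "sg-web"), Rule("inbound", 53, "sg-app"),
                  Rule("inbound", 53, "sg-db"), Rule("inbound", 514, "sg-web"),
                  Rule("inbound", 514, "sg-app")],
}


def _match(rules, direction, port, peer_sg, peer_ip):
    """First rule matching direction, port and peer (by group name or CIDR)."""
    for r in rules:
        if r.direction != direction or r.port != port:
            continue
        if r.peer.startswith("sg-"):
            if r.peer == peer_sg:
                return r
        elif ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r.peer):
            return r
    return None


def evaluate(src, dst, port, rules=SG_RULES):
    """Verdict for src -> dst:port under security-group semantics: the source
    group must allow it outbound AND the destination group must allow it
    inbound. Groups are allow-only, so no match means implicit deny; they are
    stateful, so the reply direction needs no rule of its own."""
    src_sg, dst_sg = INSTANCE_SG[src], INSTANCE_SG[dst]
    out = _match(rules[src_sg], "outbound", port, dst_sg, INSTANCE_IP[dst])
    if out is None:
        return "DENY", f"{src_sg}: no outbound rule for tcp/{port} to {dst_sg}"
    inb = _match(rules[dst_sg], "inbound", port, src_sg, INSTANCE_IP[src])
    if inb is None:
        return "DENY", f"{dst_sg}: no inbound rule for tcp/{port} from {src_sg}"
    return "ALLOW", f"outbound via {out.peer}, inbound via {inb.peer}"


# Intended flows from the design described in this module (constructed).
INTENDED = [("jump-box", "crm-web1", 80), ("crm-web1", "crm-app1", 8080),
            ("crm-app1", "crm-database", 3306)]
INTENDED += [("jump-box", i, 22) for i in INSTANCE_SG if i.startswith("crm-")]
INTENDED += [(i, s, p) for i in INSTANCE_SG if i.startswith("crm-")
             for s, p in (("aws-dns-server", 53), ("aws-log-server", 514))]
# Observed flows (constructed sample): everything intended except DB -> syslog.
OBSERVED = set(INTENDED) - {("crm-database", "aws-log-server", 514)}


def missing_flows(intended=INTENDED, observed=OBSERVED):
    """Intended flows with no observed traffic, each with the firewall verdict
    that explains it: the DB -> Shared Virtual check done by hand above."""
    return [(s, d, p, *evaluate(s, d, p)) for (s, d, p) in intended
            if (s, d, p) not in observed]


def firewall_action_to(dst):
    """Analogue of the query 'firewall action of flows where dst vm = <dst>':
    the verdict for every intended flow whose destination is dst."""
    return {(s, p): evaluate(s, dst, p)[0] for (s, d, p) in INTENDED if d == dst}


def verdict_after_fix():
    """Add the inbound rule the administrator forgot and re-evaluate DB -> syslog."""
    patched = {name: list(group_rules) for name, group_rules in SG_RULES.items()}
    patched["sg-shared"].append(Rule("inbound", 514, "sg-db"))
    return evaluate("crm-database", "aws-log-server", 514, rules=patched)[0]
```

Calling missing_flows() reproduces the DB to Shared Virtual finding: the only intended flow without traffic is crm-database to aws-log-server on tcp/514, and evaluate() attributes it to sg-shared having no inbound rule from sg-db, the same conclusion the second and third firewall queries lead to. firewall_action_to("aws-log-server") is the analogue of the first query, and verdict_after_fix() confirms that a single inbound rule on the log server's group is the remediation.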


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

How to End Lab

To end your lab, click on the END button; otherwise, choose another module to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Multiple Ports and Firewall rules for Prod-web

1. Click on the Prod-Web group.

Services and Flows for Prod-Web

On focus, the user is presented with all the services, flows and firewall rules for Prod-Web in a single pane.


1. Click on Services. In this group, 50 unique service endpoints (flows) communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, including the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints, of which 17 are external services, with 425 flows, this observation metric determines that 6 firewall rules are required. This is the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
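The recommendation above is a reduction: many observed flows collapse into a handful of allow rules, one per source group, destination group and protocol, each listing only the destination ports actually seen. The following is an added example of that reduction, written for this page; it is not code from the lab manual or from vRealize Network Insight, and the flow records, group names and the "External" placeholder for endpoints outside the analysed groups are constructed for illustration.

```python
"""Added example: aggregate observed flows into the minimum set of allow rules
a micro-segmentation plan needs, the way the lab's Recommended Firewall Rules
pane summarises hundreds of flows into a few rules. Not vRNI code; the sample
flows below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows: (src_group, dst_group, protocol, dst_port, bytes).
# "External" stands for any endpoint outside the groups under analysis.
SAMPLE_FLOWS = [
    ("Prod-Web", "Prod-Midtier", "TCP", 8443, 1200),
    ("Prod-Web", "Prod-Midtier", "TCP", 8443, 900),
    ("Prod-Web", "Prod-Midtier", "TCP", 5443, 300),
    ("External", "Prod-Web", "TCP", 443, 50000),
    ("External", "Prod-Web", "TCP", 443, 42000),
    ("Prod-Web", "External", "UDP", 53, 80),
    ("Prod-Web", "External", "TCP", 443, 2000),
    ("Prod-Midtier", "Prod-Db", "TCP", 3306, 7000),
]


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    ports: tuple   # sorted destination ports covered by this rule
    flows: int     # number of observed flows the rule accounts for
    nbytes: int    # bytes carried by those flows


def recommend_rules(flows):
    """Collapse flows into one allow rule per (src, dst, proto) triple.
    Each rule lists every destination port seen for that triple, so the
    result is the smallest rule set (one per triple) that still permits
    only traffic that was actually observed; ephemeral source ports are
    deliberately not part of the key."""
    buckets = defaultdict(lambda: {"ports": set(), "flows": 0, "nbytes": 0})
    for src, dst, proto, port, nbytes in flows:
        b = buckets[(src, dst, proto)]
        b["ports"].add(port)
        b["flows"] += 1
        b["nbytes"] += nbytes
    rules = [Rule(src, dst, proto, tuple(sorted(b["ports"])), b["flows"], b["nbytes"])
             for (src, dst, proto), b in buckets.items()]
    # Busiest rule first, so a reviewer sees the most important permission at the top.
    return sorted(rules, key=lambda r: (-r.nbytes, r.src, r.dst, r.proto))


def service_endpoints(flows, group):
    """Unique (direction, peer, proto, port) services talking to `group`,
    split into internal peers and external ones, mirroring the lab's
    Services and External Services Accessed panes."""
    internal, external = set(), set()
    for src, dst, proto, port, _ in flows:
        if group not in (src, dst):
            continue
        direction, peer = ("out", dst) if src == group else ("in", src)
        (external if peer == "External" else internal).add((direction, peer, proto, port))
    return internal, external


def rules_for(flows, group):
    """Recommended rules in which `group` is the source or destination."""
    return [r for r in recommend_rules(flows) if group in (r.src, r.dst)]


if __name__ == "__main__":
    internal, external = service_endpoints(SAMPLE_FLOWS, "Prod-Web")
    print(f"{len(internal) + len(external)} unique services, {len(external)} external")
    for r in rules_for(SAMPLE_FLOWS, "Prod-Web"):
        print(f"ALLOW {r.src} -> {r.dst} {r.proto} ports={list(r.ports)} ({r.flows} flows)")
```

The key design choice is what goes into the grouping key: grouping on source port as well would explode the rule count with ephemeral ports, while dropping the protocol would merge TCP and UDP services that should stay separate. Any flow that was never observed during the capture window is not covered, which is why the lab stresses looking at the timeline before treating a recommendation as complete.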

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the dropdown which says by VLAN/VXLAN.
2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how to define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search returns 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application: click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the name HOL-Pre-Prod.
3. Our search criteria will be based on VM names: under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you back to the previous screen.

1. Here you can see that the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, and need a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with the overlay and underlay networks.

1. Using the search bar, type NSX Security Group Prod_MidTier (the search bar uses auto-fill, and predictive text will appear as you type).

2. Click Search to continue.


The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The purpose of this guide is to point out the detail view and the topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_MidTier at the top of the screen. The result also displays the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of its key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The timeline slider at the top of the current view shows the point-in-time state of the Security Group, and filters can be used to focus further on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right shows any and all child and parent groups in relation to Prod_Web. This identifies the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier rule (this launches a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you can see the following security event information for Prod_Web:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact these changes have on this security group.

B. Current Security Group Configuration and Firewall Rules Count, which further helps with managing the endpoints.

C. Visibility of the Virtual Machines in Security Groups, ensuring that we manage our workloads and segmentation at the correct level of efficiency.

D. Indirect Firewall Rules, which show the inherited impact and the relationships leading to Prod_Web.

E. Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment.


This module has explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we now understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus and generate the path.

Do not click on any of the bubbles; they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, the L3 switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how to search for security-related objects in one simple statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(the search bar uses auto-fill, and predictive text will appear as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight they can offer.

1. Do not click - the result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - the entire report can be exported using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step, we will return to the top search bar.
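A query such as "Firewall rule where action = ALLOW and Port = 443" is a filter over a rule table, and the one detail that makes it non-trivial is port matching: a rule that allows 400-500 or "any" also covers 443. The following is an added example, written for this page and not taken from the lab or from vRealize Network Insight, that evaluates that query shape against a constructed rule table and renders the hits as CSV in the spirit of the Save as CSV option. The tiny `<entity> where <field> = <value> [and ...]` grammar, the rule records and the field names are assumptions made for the example; the product's own search language is richer than this.

```python
"""Added example (not the manual's or vRNI's code): evaluate a search like
'Firewall rule where action = ALLOW and Port = 443' against a constructed
rule table and export the matches as CSV."""
import csv
import io
import re

# Constructed sample rules; "port" uses the forms a rule export commonly has:
# a single port, a comma list, a range, or the wildcard "any".
RULES = [
    {"id": 1001, "name": "web-in",    "source": "any",          "destination": "Prod-Web",     "port": "443",       "action": "ALLOW"},
    {"id": 1002, "name": "web-mid",   "source": "Prod-Web",     "destination": "Prod-Midtier", "port": "8443,5443", "action": "ALLOW"},
    {"id": 1003, "name": "mid-db",    "source": "Prod-Midtier", "destination": "Prod-Db",      "port": "3306",      "action": "ALLOW"},
    {"id": 1004, "name": "mgmt-web",  "source": "Admin",        "destination": "Prod-Web",     "port": "400-500",   "action": "ALLOW"},
    {"id": 1005, "name": "block-web", "source": "Dev",          "destination": "Prod-Web",     "port": "443",       "action": "DENY"},
    {"id": 1006, "name": "default",   "source": "any",          "destination": "any",          "port": "any",       "action": "DENY"},
]

_QUERY = re.compile(r"^\s*firewall rules?\s+where\s+(.+)$", re.IGNORECASE)


def parse_query(text):
    """Turn 'Firewall rule where action = ALLOW and Port = 443' into
    [('action', 'ALLOW'), ('port', '443')]. Anything else raises, so a
    typo fails loudly instead of silently matching every rule."""
    m = _QUERY.match(text)
    if not m:
        raise ValueError(f"unsupported query: {text!r}")
    conds = []
    for clause in re.split(r"\s+and\s+", m.group(1), flags=re.IGNORECASE):
        field, sep, value = clause.partition("=")
        if not sep or not field.strip() or not value.strip():
            raise ValueError(f"bad clause: {clause!r}")
        conds.append((field.strip().lower(), value.strip()))
    return conds


def port_matches(spec, wanted):
    """Does a rule's port spec ('443', '8443,5443', '400-500', 'any') cover `wanted`?"""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        lo, dash, hi = part.strip().partition("-")
        if dash:
            if int(lo) <= wanted <= int(hi):
                return True
        elif int(lo) == wanted:
            return True
    return False


def rule_matches(rule, conds):
    """Every condition must hold; 'port' gets range-aware matching,
    all other fields are compared case-insensitively as strings."""
    for field, value in conds:
        if field == "port":
            if not port_matches(rule["port"], int(value)):
                return False
        elif str(rule.get(field, "")).lower() != value.lower():
            return False
    return True


def search(rules, query):
    conds = parse_query(query)
    return [r for r in rules if rule_matches(r, conds)]


def to_csv(rules):
    """Render matches as CSV text with a fixed column order."""
    fields = ["id", "name", "source", "destination", "port", "action"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    w.writeheader()
    w.writerows(rules)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(search(RULES, "Firewall rule where action = ALLOW and Port = 443")))
```

Note that the range rule mgmt-web (400-500) is returned alongside the explicit 443 rule: when you audit "who can reach 443", a search that only compares the port string literally would miss exactly the broad rules that matter most.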

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see which firewall membership changes occurred during a selected period. This points out any changes made directly or indirectly as a result of membership changes, which is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to July 31 (the lab uses static data, so this range ensures you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change-tracking process: understanding exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and exported by following any of the live links in blue.
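What this search is doing, stripped of the UI, is diffing security-group membership between points in time and mapping each change onto the rules that reference the group, either by name (a direct change) or through a parent group that nests it (an indirect change). The following is an added example of that audit, written for this page; it is not code from the lab manual or from vRealize Network Insight. The membership snapshots, the group nesting, the rule set and the June 30 to July 31 window are constructed to mirror the lab's scenario.

```python
"""Added example (not the manual's or vRNI's code): an offline version of the
lab's Firewall Rule Membership Change audit over constructed snapshots."""
from datetime import datetime

# Constructed membership snapshots: (timestamp, security group, set of VM members).
SNAPSHOTS = [
    (datetime(2017, 6, 15), "Prod_Web",     {"Prod-Web-1", "Prod-Web-2"}),
    (datetime(2017, 6, 15), "Prod_MidTier", {"Lab-Midtier-1"}),
    (datetime(2017, 7, 3),  "Prod_MidTier", {"Lab-Midtier-1", "Lab-Midtier-2"}),
    (datetime(2017, 7, 20), "Prod_Web",     {"Prod-Web-2", "Prod-Web-9"}),
    (datetime(2017, 8, 2),  "Prod_Web",     {"Prod-Web-9"}),
]

# Constructed nesting: child group -> parent group that contains it.
PARENT = {"Prod_Web": "Prod_All", "Prod_MidTier": "Prod_All"}

# Constructed rules: (rule name, source group, destination group).
RULES = [
    ("web-to-mid",  "Prod_Web",     "Prod_MidTier"),
    ("mid-to-db",   "Prod_MidTier", "Prod_Db"),
    ("prod-egress", "Prod_All",     "Internet"),
]

# The date range the lab asks you to select.
LAB_WINDOW = (datetime(2017, 6, 30), datetime(2017, 7, 31))


def ancestors(group, parent=PARENT):
    """All groups that transitively contain `group`, nearest first."""
    seen = []
    while group in parent:
        group = parent[group]
        if group in seen:          # guard against a malformed cyclic nesting
            break
        seen.append(group)
    return seen


def membership_changes(snapshots, start, end):
    """Diff consecutive snapshots of each group and keep the changes whose
    timestamp falls inside [start, end]. A change is dated by the snapshot
    in which it first became visible."""
    by_group = {}
    for ts, group, members in sorted(snapshots, key=lambda s: (s[1], s[0])):
        by_group.setdefault(group, []).append((ts, frozenset(members)))
    changes = []
    for group, series in by_group.items():
        for (_, before), (ts, after) in zip(series, series[1:]):
            if before != after and start <= ts <= end:
                changes.append({
                    "when": ts, "group": group,
                    "added": sorted(after - before),
                    "removed": sorted(before - after),
                })
    return sorted(changes, key=lambda c: (c["when"], c["group"]))


def affected_rules(group, rules=RULES, parent=PARENT):
    """Rules impacted by a membership change in `group`: direct ones name
    the group itself, indirect ones name a group that nests it."""
    direct = [n for n, s, d in rules if group in (s, d)]
    up = set(ancestors(group, parent))
    indirect = [n for n, s, d in rules if (s in up or d in up) and n not in direct]
    return direct, indirect


def audit(snapshots, start, end, rules=RULES, parent=PARENT):
    """Membership changes in the window, each annotated with affected rules."""
    report = []
    for c in membership_changes(snapshots, start, end):
        direct, indirect = affected_rules(c["group"], rules, parent)
        report.append({**c, "direct": direct, "indirect": indirect})
    return report


def lab_audit():
    """The audit for the lab's own window and constructed data."""
    return audit(SNAPSHOTS, *LAB_WINDOW)


if __name__ == "__main__":
    for e in lab_audit():
        print(f"{e['when']:%Y-%m-%d} {e['group']}: +{e['added']} -{e['removed']} "
              f"direct={e['direct']} indirect={e['indirect']}")
```

The indirect column is the one that is easy to miss by hand: a VM joining Prod_MidTier never touches the text of prod-egress, yet because Prod_MidTier is nested under Prod_All that VM silently gains the egress permission. The August change is outside the window and therefore absent from the report, which is why the lab has you set the range explicitly.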


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available from any view that displays the alert icon. Although the alert can be configured in this lab, the results will not be actioned, as this is static data only. This section shows how easy it is to report on any firewall rule membership changes. The alert can be sent immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. The notification and its parameters can be adjusted as required. Populate them with your own preferences, as we need this information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events, in order to edit or activate the event parameters, by using the Settings page. Changes can be configured to notify members of the event group based on the user's preference. The event you created earlier can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification, Firewall rule membership change).
3. Info only - do not click - View, Edit or Activate any notifications.

Note that there are 2 types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum steps required to facilitate micro-segmentation. The module further demonstrated how to achieve day-zero readiness and how to track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight showed how easily network analysis can be acquired and used to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: security must be consistent in the face of constant change.
• Ubiquity: security must be available everywhere.
• Extensibility: security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click the END button; otherwise click a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface and simplifies problem determination as well as the visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module uses the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will appear automatically.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also perform manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information for the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square: the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details. This includes a lot of detail made available by VMware Tools. We can, for example, see the network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear instead.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on these links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we see the routing table as well as the firewall rules. The firewall rules shown are only those applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but these are the ones affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that devices from a multitude of vendors can be monitored, for example while changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same as those we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in the previous steps) are an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time to review what information is available from the object Please donot click on any of the links

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as its Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will behave in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, on the right side of the VM Path topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. The visual map (Path topology) shows all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2!

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight page at www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).

2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of Logical networking out of sync between host and NSX Controller.


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3!

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.

2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, APP and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via a jump-box.

5. Web tier talks to App tier on port 8080.

6. App tier talks to DB tier on port 3306.

7. Web tier is open to the internal datacenter VMs on port 80.

8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.

9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.

10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application

2. CRM

3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.

2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)

3. App (App tier talks to DB tier on port 3306.)

4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on port 3306.

2. Click X to continue.


1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on port 3306.

2. Click X to continue.


1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on port 22.

2. Click X to continue.


1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.

2. Click X to continue.


1. Hover over the DB Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have any flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click on the current tab.

2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.

3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click on the current tab.

2. Select Duplicate from the menu.


1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.

3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the current tab.

2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.

3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
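The three queries above reconcile the CRM design against observed flows by hand; the following added example (not vRNI or VMware code) does the same check programmatically for the lab's tiers and ports. The tier membership, flow records and allow rules are constructed to mirror the lab description, and security groups are modelled as allow-only with an implicit deny.

```python
"""Reconcile the CRM application's intended tier-to-tier traffic with the
flows vRNI observed and the security-group rules in force.  Added example
(not vRNI or VMware code); tiers, flows and rules are constructed to mirror
the lab's description of the CRM and Common Services VPCs."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")
Rule = namedtuple("Rule", "src dst port")   # an explicit allow entry

# Constructed tier membership for the two VPCs described in the lab.
TIERS = {
    "jump-box": "DC",
    "crm-web1": "Web", "crm-web2": "Web",
    "crm-app1": "App",
    "crm-database": "DB",
    "aws-dns-server": "Shared", "aws-log-server": "Shared",
}

# Intended communication matrix (src tier, dst tier, port) from the
# "AWS Configuration" list: jump-box SSH to every CRM tier, Web->App 8080,
# App->DB 3306, plus DNS (53) and syslog (514) from every CRM tier.
DESIGN = {("DC", "Web", 80), ("DC", "Web", 22), ("DC", "App", 22), ("DC", "DB", 22),
          ("Web", "App", 8080), ("App", "DB", 3306)}
for tier in ("Web", "App", "DB"):
    DESIGN |= {(tier, "Shared", 53), (tier, "Shared", 514)}

# Constructed flow records as vRNI would collect them; note the DB tier
# only reaches the DNS server, never the log server.
OBSERVED = [
    Flow("jump-box", "crm-web1", 80), Flow("jump-box", "crm-web1", 22),
    Flow("jump-box", "crm-app1", 22), Flow("jump-box", "crm-database", 22),
    Flow("crm-web1", "crm-app1", 8080), Flow("crm-app1", "crm-database", 3306),
    Flow("crm-web1", "aws-dns-server", 53), Flow("crm-web1", "aws-log-server", 514),
    Flow("crm-app1", "aws-dns-server", 53), Flow("crm-app1", "aws-log-server", 514),
    Flow("crm-database", "aws-dns-server", 53),
]

# Constructed allow rules.  Security groups are allow-only with an implicit
# deny, which is why the "firewall action" query reports DENY for the DB:
# the administrator never added crm-database -> aws-log-server:514.
ALLOW = [
    Rule("jump-box", "*", 22), Rule("jump-box", "crm-web1", 80),
    Rule("crm-web1", "crm-app1", 8080), Rule("crm-app1", "crm-database", 3306),
    Rule("*", "aws-dns-server", 53),
    Rule("crm-web1", "aws-log-server", 514), Rule("crm-web2", "aws-log-server", 514),
    Rule("crm-app1", "aws-log-server", 514),
]


def firewall_action(rules, flow):
    """Return ALLOW if any allow rule matches the flow, else the implicit DENY."""
    for r in rules:
        if r.src in ("*", flow.src) and r.dst in ("*", flow.dst) and r.port == flow.port:
            return "ALLOW"
    return "DENY"


def tier_flows(flows):
    """Collapse VM-level flows into the (src tier, dst tier, port) triples that
    the Plan Security micro-segment view shows."""
    return {(TIERS[f.src], TIERS[f.dst], f.port) for f in flows}


def missing_design_flows(design, flows):
    """Design entries for which no flow was observed, sorted for stable output."""
    return sorted(design - tier_flows(flows))


def diagnose(design, flows, rules):
    """For each missing design flow, evaluate the rules for every VM pair in the
    two tiers, so a forgotten allow rule surfaces as an explicit DENY verdict."""
    report = {}
    for src_tier, dst_tier, port in missing_design_flows(design, flows):
        pairs = [(s, d) for s, st in TIERS.items() for d, dt in TIERS.items()
                 if st == src_tier and dt == dst_tier]
        report[(src_tier, dst_tier, port)] = [
            (s, d, firewall_action(rules, Flow(s, d, port))) for s, d in pairs]
    return report


if __name__ == "__main__":
    for gap, verdicts in diagnose(DESIGN, OBSERVED, ALLOW).items():
        print("no flow observed for", gap)
        for s, d, action in verdicts:
            print("   ", s, "->", d, ":", action)
```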


Conclusion

Congratulations on completing Module 4!

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



1. Click on Services. In this group, 50 unique service endpoints or flows that are being communicated by or to potential security groups are mapped, with traffic rates included.

2. Click on External Services Accessed. This is a breakdown of the 16 external service endpoints that communicate with Prod-Web, and includes the port information (DNS, HTTPS, etc.).

3. Click on Recommended Firewall Rules. Based on the 50 unique service endpoints that have 17 external services with 425 flows, we can use this observation metric to determine that 6 firewall rules are required. This would be the minimum recommended segmentation approach for the Prod-Web group.

4. Click the close icon (x) to continue.
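To show how the Services, External Services Accessed and Recommended Firewall Rules counts above are derived from raw flow records, here is an added example (not vRNI or VMware code) that aggregates a micro-segment's flows into group-level rules. The group membership and flow records are constructed; external peers are collapsed into a single External entity per service so the rule set stays minimal.

```python
"""Derive the minimum firewall rule set a micro-segment needs from the flows
observed for it, as the Recommended Firewall Rules view summarises.  Added
example, not vRNI code; group membership and flow records are constructed."""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto port nbytes")

# Constructed membership of two micro-segments; any other endpoint counts as
# an external service endpoint.
GROUPS = {
    "prod-web-1": "Prod-Web", "prod-web-2": "Prod-Web",
    "prod-mid-1": "Prod-Midtier", "prod-mid-2": "Prod-Midtier",
}

# Constructed flow records: one entry per observed conversation.
FLOWS = [
    Flow("10.1.1.5", "prod-web-1", "TCP", 443, 80000),
    Flow("10.1.1.6", "prod-web-2", "TCP", 443, 52000),
    Flow("10.1.1.5", "prod-web-2", "TCP", 443, 12000),
    Flow("prod-web-1", "prod-mid-1", "TCP", 8443, 31000),
    Flow("prod-web-2", "prod-mid-2", "TCP", 8443, 29000),
    Flow("prod-web-1", "10.0.0.53", "UDP", 53, 400),
    Flow("prod-web-2", "10.0.0.53", "UDP", 53, 380),
    Flow("prod-web-1", "10.0.0.10", "TCP", 389, 2100),
    Flow("prod-web-1", "prod-web-2", "TCP", 22, 900),
    Flow("10.9.9.9", "prod-mid-1", "TCP", 8443, 500),   # does not touch Prod-Web
]


def entity(name):
    """Collapse a VM to its micro-segment; anything unknown is 'External'."""
    return GROUPS.get(name, "External")


def group_flows(flows, group):
    """Flows with at least one endpoint inside the given micro-segment."""
    return [f for f in flows if group in (entity(f.src), entity(f.dst))]


def service_endpoints(flows, group):
    """Unique (server, proto, port) services seen in the group's flows; the
    server side is taken to be the destination of the flow."""
    return {(f.dst, f.proto, f.port) for f in group_flows(flows, group)}


def external_services_accessed(flows, group):
    """Services outside any micro-segment that members of the group connect to."""
    return {(f.dst, f.proto, f.port) for f in group_flows(flows, group)
            if entity(f.src) == group and entity(f.dst) == "External"}


def recommended_rules(flows, group):
    """Aggregate the group's flows into (src, dst, proto, port) rules keyed on
    micro-segment rather than VM, with the flow count and bytes behind each."""
    rules = defaultdict(lambda: [0, 0])
    for f in group_flows(flows, group):
        key = (entity(f.src), entity(f.dst), f.proto, f.port)
        rules[key][0] += 1
        rules[key][1] += f.nbytes
    return {k: tuple(v) for k, v in rules.items()}


if __name__ == "__main__":
    print(len(service_endpoints(FLOWS, "Prod-Web")), "unique service endpoints")
    print(len(external_services_accessed(FLOWS, "Prod-Web")), "external services accessed")
    for rule, (count, nbytes) in sorted(recommended_rules(FLOWS, "Prod-Web").items()):
        print("allow", *rule, "flows:", count, "bytes:", nbytes)
```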

Application-Centric Micro-Segmentation


An application is a collection of tiers. Each tier in an application is a collection of VMs based on user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic/flows between the tiers of the same application. The traffic/flows can also be visualized between applications.

1. Under Micro-segments, click on the dropdown which says by VLAN/VXLAN.

2. Click on by Application.

1. Hover over Prod-App (47) (do not click at this stage).

2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.

2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application - click on Add Application.


1. Under Application Name, type HOL-Pre-Prod.

2. Under Tier, type the Name as HOL-Pre-Prod.

3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.

2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, and need a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1 Using the search bar type Nsx Security Group Prod_MidTier (the search baruses Auto Fill and predictive text will appear as you type)

2 Click search to continue

HOL-1829-01-NET

Page 32HOL-1829-01-NET

The Help screen may pop-up (in this lab setting) to ensure the user has an instantguide called the Security Group Pinboard The reason for this guide is to point out thedetail view and topology layout Read through the help guide and once completed

1 Click the close icon (x) to continue

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen Theresult will also be displayed to include the Translated VM Count and any Rulesassociated

1 Click on Prod_MidTier to continue

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of its key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view lets you select the point-in-time state of the Security Group, and filters can be used to focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right shows any and all Child and Parent groups in relation to Prod_MidTier. This identifies the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier rule (this launches a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for each segment attached to Prod_MidTier and provides all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you can see the following security event information for Prod_MidTier:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact these changes have on this security group.

B. Current Security Group Configuration and Firewall Rules Count, which also help in managing the endpoints.

C. Visibility of the Virtual Machines in Security Groups, which ensures we manage our workloads and segmentation efficiently.

D. Indirect Firewall Rules, which show the inherited impact and the relationships leading to Prod_MidTier.

E. Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment.

This module has explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus and generate the path.

Do not click on any of the bubbles; they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one simple statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses auto-fill, and predictive text appears as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight they can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that exposes further information.

2. Do not click - The entire report can be exported using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see which Firewall Membership Changes occurred during a selected period. This points out any changes made directly or indirectly as a result of membership changes, which is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to July 31 (as the lab uses static data, this ensures you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change-tracking process: understanding exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
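Both searches in this section, "Firewall rule where action = ALLOW and Port = 443" and "Firewall Rule Membership Change" between two dates, are filters over rule and change records, and the result can be saved as CSV. The Python below is an added example, not vRealize Network Insight code, that reproduces the two filters and the CSV export over a constructed rule table and a constructed change log; the column names, rule IDs, group names, dates (the lab gives no year, 2017 is assumed) and the semantics are all assumptions of the example, not the product's export schema. One design choice worth calling out: a rule whose service is "any" is treated as covering port 443, because such a rule does allow 443 traffic even though the string "443" never appears in it. Whether the product's own search behaves this way is not stated in the lab, so compare its result count against the rule table before relying on it for an audit.

```python
import csv
import io
from datetime import date, datetime

# Constructed firewall-rule export. Column names are assumptions, not vRNI's schema.
RULES_CSV = """rule_id,name,source,destination,service,action
1001,Web-in,any,Prod_Web,TCP/443,ALLOW
1002,Web-to-Mid,Prod_Web,Prod_MidTier,TCP/8443,ALLOW
1003,Mid-to-Db,Prod_MidTier,Prod_Db,TCP/3306,ALLOW
1004,Mgmt-https,Admin,Prod_MidTier,TCP/443,ALLOW
1005,Block-https,any,Prod_Db,TCP/443,DROP
1006,Default,any,any,any,DROP
"""

# Constructed membership-change log (year assumed); same caveat on columns.
CHANGES_CSV = """timestamp,rule_id,security_group,change,member
2017-06-15T09:00:00,1002,Prod_MidTier,added,Lab-Midtier-3
2017-07-02T14:30:00,1002,Prod_MidTier,removed,Lab-Midtier-1
2017-07-20T11:05:00,1003,Prod_Db,added,Prod-Db-3
2017-08-03T08:00:00,1001,Prod_Web,added,Prod-Web-9
"""


def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def service_matches_port(service, port):
    """A service of 'any' covers every port; otherwise compare the number
    after the '/' in forms such as 'TCP/443'."""
    if service == "any":
        return True
    return int(service.split("/", 1)[1]) == port


def rules_where(rules, action=None, port=None):
    """Equivalent of 'Firewall rule where action = ALLOW and Port = 443'.
    Every given condition must hold; omitted conditions match everything."""
    out = []
    for r in rules:
        if action is not None and r["action"] != action:
            continue
        if port is not None and not service_matches_port(r["service"], port):
            continue
        out.append(r)
    return out


def membership_changes_between(changes, start_iso, end_iso):
    """Changes whose date falls in [start, end], inclusive, like 'Between'.
    Dates are ISO strings such as '2017-06-30'."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    out = []
    for c in changes:
        when = datetime.fromisoformat(c["timestamp"]).date()
        if start <= when <= end:
            out.append(c)
    return out


def to_csv(rows):
    """'Save as CSV' for whatever subset a search returned."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(rules_where(load(RULES_CSV), action="ALLOW", port=443)))
    print(to_csv(membership_changes_between(load(CHANGES_CSV),
                                            "2017-06-30", "2017-07-31")))
```

Run against a real export, the "any" handling is the line to adjust first: if your audit question is "which rules literally name port 443", drop that branch; if it is "which rules would pass 443", keep it.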

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external parties of any changes. The alert feature is available from any view that displays the alert icon. Although the alert can be configured in this lab, it will not fire, as the lab uses static data only. This section shows how easy it is to report on any Firewall Rule membership changes. The alerting options are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The Notifications screen will pop up.

2. Notification parameters can be adjusted as required. Populate them with your own preferences, as we need the information in order to save the alert and view it in later steps.

3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events, in order to edit or activate the event parameters, from the Settings page. Changes can be configured to notify members of the event group based on user preference. The event you created can now be tracked using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification, Firewall rule membership change).
3. Info only - Do not click - View, Edit or Activate any notifications.

Note that there are 2 types of notification: User-defined and System Events.

4. Click System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed a standard system event notification.

Each notification can be used to alert administrators or the users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. The module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight showed the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination and gives visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module uses the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only focus on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details. This information includes many details made available by VMware Tools; we can, for example, see network information and the physical host.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing the information available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we see the routing table as well as the firewall rules. Note that these are the firewall rules applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but only those affecting communication between the two selected VMs are shown here.
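Reducing a large rule table to the rules that apply between one source and one destination is the key step behind the view described above, and it is worth seeing how it works. The Python below is an added example, not vRealize Network Insight's or Palo Alto's algorithm: it resolves each rule's source and destination group to address ranges, keeps only the rules whose groups contain the two endpoints, in table order, and then applies first-match semantics to return the deciding rule for a given protocol and port. The group names, address ranges, rule IDs and the assumption of an ordered, first-match policy with an explicit catch-all are all constructed for the example; the lab does not describe the device's actual rule table. The last case in the test, a table with no catch-all, shows why the function returns an explicit implicit-deny rather than None, which is the edge a practitioner checks first.

```python
import ipaddress

# Constructed security groups -> address ranges (assumed for the example).
GROUPS = {
    "DBAdmin": ["10.0.10.0/24"],
    "Prod_Web": ["10.0.20.0/24"],
    "Prod_Db": ["10.0.40.0/24"],
    "any": ["0.0.0.0/0"],
}

# Constructed ordered rule table:
# (rule_id, src_group, dst_group, protocol or None, port or None, action)
RULES = [
    ("1001", "any", "Prod_Web", "TCP", 443, "ALLOW"),
    ("1003", "Prod_Web", "Prod_Db", "TCP", 3306, "ALLOW"),
    ("2001", "DBAdmin", "Prod_Db", "TCP", 22, "ALLOW"),
    ("2002", "DBAdmin", "Prod_Db", "TCP", 3306, "ALLOW"),
    ("9999", "any", "any", None, None, "DROP"),  # explicit catch-all
]


def in_group(ip, group):
    """True if the address falls in any range of the named group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GROUPS[group])


def applicable_rules(rules, src_ip, dst_ip):
    """All rules whose source and destination groups contain the pair,
    preserving table order. This is the 'rules between two objects' view."""
    return [r for r in rules
            if in_group(src_ip, r[1]) and in_group(dst_ip, r[2])]


def decision(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation (assumed policy semantics): the first applicable
    rule whose protocol and port match decides. A protocol or port of None in
    the rule means 'any'. With no match at all, report an implicit deny."""
    for rule_id, _, _, rproto, rport, action in applicable_rules(rules, src_ip, dst_ip):
        if rproto not in (None, proto):
            continue
        if rport not in (None, port):
            continue
        return rule_id, action
    return None, "DROP"


if __name__ == "__main__":
    src, dst = "10.0.10.5", "10.0.40.12"  # a DBAdmin host talking to a Prod_Db host
    for r in applicable_rules(RULES, src, dst):
        print(r)
    print(decision(RULES, src, dst, "TCP", 3306))
    print(decision(RULES, src, dst, "TCP", 443))
```

If the device in your path uses a different evaluation order (for example, most-specific match or deny-overrides), change decision() accordingly; the filtering step in applicable_rules() is the same either way.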

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, for instance when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as those we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse) over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse) over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing the information available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, as well as the Hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we enter the in-kernel (distributed) network.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this is illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network on the physical host is the firewall. Notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Notice again that there are two firewalls next to the VM: one from Palo Alto and one from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based firewall to which traffic is offloaded. The redirect feature allows NSX firewall rules to redirect matching traffic from the NSX distributed firewall to the PAN firewall for inspection.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (vNIC).
3. The visual map (Path Topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components used in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; this module focuses on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

HOL-1829-01-NET

Page 88HOL-1829-01-NET

Timeline - Visual Build-up

Explore information only - Do not click

bull A - Starting with the Timeline we can manipulate the results by simply draggingthe slider but by default the current time results will be displayed on entry Theslider and drop down (next to 1 day) makes it easy to filter on demand

bull B - The Properties give a clear understanding of the NSX Managers currentconfiguration (vRealize Network Insight accommodate multiple NSX managers)

bull C - Looking at the NSX Checklist Rules - ALL we can scroll up and down toview each point in the checklist that is used to monitorvalidate against the NSXManager

bull D - Because vRealize Network Insight supports multiple NSX managers andmultiple NSX controllers this is an important visual understanding of theTopology Each object can be queried individually within the same screen

bull E - NSX Problems will be key to understanding the issues for NSX

HOL-1829-01-NET

Page 89HOL-1829-01-NET

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in theconstruct to be queried in real time Topology layout displays all the related NSXservices bound to the NSX Manager including Clusters and hosts The red triangle on allthree NSX controllers indicates possible issues that may impact the NSX environmenteither as a starting point or a result thereof We can now query each object for detailedinformation

1 Click on the NSX controller (Look at each controller until you find thecontroller starting with NSX_Controller_5b6c6c8d-4d71 as they do changeorder)

HOL-1829-01-NET

Page 90HOL-1829-01-NET

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.

5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open for the internal datacenter's VM on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on 53 and the LogServer on 514 on VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the Database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
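The expected tier-to-tier matrix from the AWS Configuration section and the gap the three firewall queries expose (crm-database to aws-log-server on port 514 blocked by a DENY rule) can be checked mechanically rather than by clicking through each micro-segment. The Python script below is an added example, not part of this lab or of vRealize Network Insight: the expected flows are transcribed from the lab text, the observed flows and the rule set are constructed sample data, and first-match evaluation with an implicit deny is an assumption, not vRNI's own query engine.

```python
"""Audit observed AWS flows against the CRM three-tier policy from this lab.

Added example, not part of HOL-1829-01-NET or vRealize Network Insight.
EXPECTED is transcribed from the lab's AWS Configuration section; OBSERVED
and RULES are constructed sample data (assumption: rules are evaluated
first-match, with an implicit deny when nothing matches).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    """A tier-to-tier flow: source tier, destination tier, destination port."""
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    """A firewall rule as reported per VM pair; port None matches any port."""
    src: str
    dst: str
    port: Optional[int]
    action: str  # "ALLOW" or "DENY"


TIERS = ("web", "app", "db")

# Expected communication for VPC CRM and VPC Common Services, per the lab:
# jump-box -> web on 80, web -> app on 8080, app -> db on 3306, jump-box -> all
# tiers on 22, and every tier -> DNS on 53 and the log server on 514.
EXPECTED: Set[Flow] = {
    Flow("jump-box", "web", 80),
    Flow("web", "app", 8080),
    Flow("app", "db", 3306),
    *(Flow("jump-box", t, 22) for t in TIERS),
    *(Flow(t, "aws-dns-server", 53) for t in TIERS),
    *(Flow(t, "aws-log-server", 514) for t in TIERS),
}

# Constructed observed flows: everything expected except db -> log server:514,
# mirroring what the DB micro-segment view in the lab shows.
OBSERVED: Set[Flow] = EXPECTED - {Flow("db", "aws-log-server", 514)}

# Constructed rule set. The db -> log server DENY stands in for the rule the
# lab's "firewall action of flows" query surfaces.
RULES: List[Rule] = [
    Rule("jump-box", "web", 80, "ALLOW"),
    Rule("web", "app", 8080, "ALLOW"),
    Rule("app", "db", 3306, "ALLOW"),
    Rule("web", "aws-log-server", 514, "ALLOW"),
    Rule("app", "aws-log-server", 514, "ALLOW"),
    Rule("db", "aws-log-server", 514, "DENY"),
    *(Rule("jump-box", t, 22, "ALLOW") for t in TIERS),
    *(Rule(t, "aws-dns-server", 53, "ALLOW") for t in TIERS),
]


def missing_flows(expected: Set[Flow], observed: Set[Flow]) -> Set[Flow]:
    """Expected flows for which no traffic was observed (the lab's 514 gap)."""
    return expected - observed


def unexpected_flows(expected: Set[Flow], observed: Set[Flow]) -> Set[Flow]:
    """Observed flows outside the policy: candidates for a missing DENY."""
    return observed - expected


def evaluate(flow: Flow, rules: List[Rule]) -> Optional[Rule]:
    """Return the first rule matching the flow, or None for implicit deny."""
    for rule in rules:
        if (rule.src == flow.src and rule.dst == flow.dst
                and rule.port in (None, flow.port)):
            return rule
    return None


def audit(expected: Set[Flow], observed: Set[Flow],
          rules: List[Rule]) -> Dict[Flow, str]:
    """Explain each missing flow by the rule (or implicit deny) blocking it."""
    report: Dict[Flow, str] = {}
    for flow in sorted(missing_flows(expected, observed),
                       key=lambda f: (f.src, f.dst, f.port)):
        rule = evaluate(flow, rules)
        if rule is None:
            report[flow] = "implicit deny (no matching rule)"
        else:
            report[flow] = f"{rule.action} rule {rule.src} -> {rule.dst}:{rule.port}"
    return report


if __name__ == "__main__":
    for flow, reason in audit(EXPECTED, OBSERVED, RULES).items():
        # prints: missing db -> aws-log-server:514: DENY rule db -> aws-log-server:514
        print(f"missing {flow.src} -> {flow.dst}:{flow.port}: {reason}")
    print("unexpected:", unexpected_flows(EXPECTED, OBSERVED) or "none")
```

Swapping the constructed OBSERVED and RULES for flows and rules exported from vRNI (Save as CSV) turns the same audit into a repeatable check of the whole matrix, not just the one gap the lab walks through.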

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic flows between the tiers of the same application. Traffic flows can also be visualized between applications.

1. Under Micro-segments, click on the dropdown which says "by VLAN/VXLAN".
2. Click on "by Application".

1. Hover over Prod-App (47) (do not click at this stage).
2. Click on Keep Focus.

As in the previous micro-segmentation planning exercise, you can view the Outgoing, Incoming and Bidirectional flows specific to Prod-App. Clicking on the Prod-App micro-segment will reveal the services.

We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.

2. This page also lets you create a new application - click on Add Application.

1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names: under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).

4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this is possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses Auto Fill, and predictive text will appear as you type).

2. Click search to continue.

The Help screen may pop up (in this lab setting) to ensure the user has an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view will enable the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the Source and Destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: the blue links will expose further detail for each firewall segment.

This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier); a new TAB will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action =ALLOW and Port=443 (the search bar uses Auto Fill, and predictive text will appear as you type).

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. The notification and its parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click save.

Settings

You can view any of your previously configured User-defined Events, in order to edit or activate the Event parameters, by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The event that you created previously can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info Only - Do not click - View, Edit, Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies the determination of problems as well as the visibility of firewall and network configurations.

vRealize Network Insight presents this in a smart user interface and makes problem determination and visibility of the firewall and network configurations very easy.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will use the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.
2. Select Prod-Db-2.

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the virtual machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the virtual machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The firewall rules shown are the ones applicable to the two objects we searched for: a normal network will have thousands of firewall rules, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.
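The per-path rule view described above narrows a large rule base to the rules that can match the two selected endpoints and then evaluates them at each enforcement point along the path. The Python script below is an added example, not code from the lab guide or from vRealize Network Insight, that reproduces that idea on a constructed rule set: the VM addresses, both rule bases and the two enforcement points (the Palo Alto hop and the NSX firewall beside Prod-Db-2) are assumptions, and the rule IDs and CIDRs are made up.

```python
"""Scope a firewall rule base to the rules that can affect one VM pair and
evaluate the conversation at each enforcement point along its path.

Added example, not part of the lab guide and not vRealize Network Insight
code. The VM addresses, both rule bases and the two enforcement points (the
Palo Alto hop and the NSX firewall beside Prod-Db-2) are constructed
assumptions that mirror the path walked in this module.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    action: str              # "allow" or "deny"


def _selector_matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def scope_rules(rules: List[Rule], src_ip: str, dst_ip: str) -> List[Rule]:
    """Keep, in policy order, only the rules whose source and destination
    selectors can match this pair; everything else is noise for this path."""
    return [r for r in rules
            if _selector_matches(r.src, src_ip) and _selector_matches(r.dst, dst_ip)]


def verdict(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation, as an ordered firewall does it; implicit deny
    when nothing matches. Returns (action, matching rule id or None)."""
    for r in scope_rules(rules, src_ip, dst_ip):
        if r.ports[0] <= port <= r.ports[1]:
            return r.action, r.rule_id
    return "deny", None


def path_verdict(hops, src_ip: str, dst_ip: str, port: int) -> Tuple[str, Optional[str]]:
    """Traffic must be allowed at every enforcement point on the path.
    Returns ("allow", None) or ("deny", name of the first hop that drops it)."""
    for name, rules in hops:
        if verdict(rules, src_ip, dst_ip, port)[0] == "deny":
            return "deny", name
    return "allow", None


# Constructed addresses for the two VMs used in this module (assumptions).
DBADMIN_VM1 = "172.16.20.11"
PROD_DB_2 = "172.16.30.22"

# Constructed rule base for the physical Palo Alto hop. Rules 30 and 40 can
# never match this pair and therefore drop out of the scoped view.
PAN_RULES = [
    Rule(10, "172.16.20.0/24", "172.16.30.0/24", (3306, 3306), "allow"),
    Rule(15, "172.16.20.0/24", "172.16.30.0/24", (443, 443),   "allow"),
    Rule(20, "any",            "172.16.30.0/24", (22, 22),     "deny"),
    Rule(30, "192.168.0.0/16", "any",            ANY_PORT,     "allow"),
    Rule(40, "any",            "172.16.40.0/24", ANY_PORT,     "allow"),
    Rule(50, "any",            "any",            ANY_PORT,     "deny"),
]

# Constructed NSX distributed firewall rules enforced at Prod-Db-2's vNIC:
# only MySQL from the admin network is allowed, so 443 passes the Palo Alto
# hop but is dropped here.
DFW_RULES = [
    Rule(1001, "172.16.20.0/24", "172.16.30.22/32", (3306, 3306), "allow"),
    Rule(1999, "any",            "any",             ANY_PORT,     "deny"),
]

PATH = [("Palo Alto router (VRF)", PAN_RULES), ("NSX firewall (Prod-Db-2)", DFW_RULES)]


if __name__ == "__main__":
    scoped = scope_rules(PAN_RULES, DBADMIN_VM1, PROD_DB_2)
    print("Palo Alto rules that apply to this pair:", [r.rule_id for r in scoped])
    for port in (3306, 22, 443):
        print(f"port {port}:", path_verdict(PATH, DBADMIN_VM1, PROD_DB_2, port))
```

Run as a script it lists the four Palo Alto rules that can touch the DBAdmin-VM1 to Prod-Db-2 conversation and shows that MySQL is allowed end to end, SSH is dropped at the physical hop, and HTTPS passes the physical hop only to be dropped by the distributed firewall at the destination vNIC, which is why a path view has to show every enforcement point rather than just the first one.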

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, for example when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kind of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover the mouse over the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover the mouse over the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, as well as the Hosts and VTEPs.

D - Hover the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it hits on the virtual network of the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic flows in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (VNIC).
3. The visual map (Path Topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components used in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual understanding of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (App tier talks to DB tier on port 3306).
4. DB (DB tier talks to Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for Web and mid-tier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
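The troubleshooting above compares the flows each tier should generate "by design" against the flows actually observed, then asks the firewall rules why the expected DB-to-syslog flow is absent. The script below is an added example that is not part of the lab manual or of vRealize Network Insight: it reproduces that reasoning offline over constructed flow and rule records. The VM names (crm-web1, crm-database, aws-log-server, aws-DNS-Server) follow the lab; the record layout, the first-match rule evaluation with an implicit default deny, and the sample rule set are assumptions of this example, not the vRNI export format or AWS security-group semantics.

```python
"""Added example (not from the lab manual or vRealize Network Insight):
expected-vs-observed flow check plus the rule that decides each missing flow."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_vm: str          # "*" matches any source VM
    dst_vm: str          # "*" matches any destination VM
    port: Optional[int]  # None matches any destination port
    action: str          # "ALLOW" or "DENY"

    def matches(self, flow: Flow) -> bool:
        return (self.src_vm in ("*", flow.src_vm)
                and self.dst_vm in ("*", flow.dst_vm)
                and self.port in (None, flow.dst_port))


# Constructed "by design" services per tier (the lab's expected flows).
EXPECTED = [
    Flow("crm-web1", "aws-log-server", 514),
    Flow("crm-web1", "aws-DNS-Server", 53),
    Flow("crm-database", "aws-log-server", 514),   # syslog: expected but absent
    Flow("crm-database", "aws-DNS-Server", 53),
]

# Constructed observed flows (what the DB -> Shared Virtual line revealed).
OBSERVED = [
    Flow("crm-web1", "aws-log-server", 514),
    Flow("crm-web1", "aws-DNS-Server", 53),
    Flow("crm-database", "aws-DNS-Server", 53),
]

# Constructed rule set, evaluated first-match with an implicit deny at the end
# (a modelling assumption of this example).
RULES = [
    Rule("crm-web1", "aws-log-server", 514, "ALLOW"),
    Rule("*", "aws-DNS-Server", 53, "ALLOW"),
    Rule("crm-database", "aws-log-server", None, "DENY"),
]


def first_match(flow: Flow, rules=RULES) -> Rule:
    """Return the first rule matching the flow, or a synthetic default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return Rule("*", "*", None, "DENY")   # implicit default deny


def missing_flows(expected=EXPECTED, observed=OBSERVED) -> list:
    """Expected flows that never appear in the observed flow records."""
    seen = set(observed)
    return [f for f in expected if f not in seen]


def explain_missing(expected=EXPECTED, observed=OBSERVED, rules=RULES) -> dict:
    """Map each missing flow to the rule that decides it, so the operator can
    see whether a DENY (or the absence of an ALLOW) explains the missing traffic."""
    return {f: first_match(f, rules) for f in missing_flows(expected, observed)}


def flows_to(dst_vm: str, rules=RULES, expected=EXPECTED) -> list:
    """Offline counterpart of 'firewall action of flows where dst vm = X':
    the action taken for every expected flow towards dst_vm."""
    return [(f, first_match(f, rules).action) for f in expected if f.dst_vm == dst_vm]


def remediated_rules(rules=RULES) -> list:
    """The fix the lab points at: an ALLOW for crm-database -> aws-log-server:514,
    placed ahead of the DENY that currently shadows it."""
    return [Rule("crm-database", "aws-log-server", 514, "ALLOW")] + list(rules)


if __name__ == "__main__":
    for flow, rule in explain_missing().items():
        print(f"missing {flow.src_vm} -> {flow.dst_vm}:{flow.dst_port}; decided by {rule}")
    fixed = first_match(Flow("crm-database", "aws-log-server", 514), remediated_rules())
    print("after remediation:", fixed.action)
```

Running it reports the one missing flow (crm-database to aws-log-server on 514) together with the DENY rule that decides it, and shows that inserting the allow rule ahead of that deny turns the decision into ALLOW; an absent ALLOW would instead surface as the synthetic default deny.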

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


We shall now explore how we can define an application.

Define an Application

1. In the search bar, type Application.
2. Click the Search button.

1. The Application search will return 4 entities, i.e. applications already created in the system for you.
2. This page also lets you create a new application: click on Add Application.

1. Under Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see HOL-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill, and predictive text will appear as you type).
2. Click Search to continue.

The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also be displayed to include the Translated VM Count and any Rules associated.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view will enable the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.
2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: the blue links will expose further detail for each firewall segment.

This module explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action =ALLOW and Port=443 (the search bar uses auto-fill, and predictive text will appear as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - the result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.
2. Do not click - the entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.
3. For the next step, we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
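The Security Group Container Topology section above described parent/child nesting and "direct or indirect" rule impact, and this audit step asks for every membership change inside a date window. The script below is an added example that is not part of the lab manual or of vRealize Network Insight: it diffs constructed security-group snapshots, resolves nested groups so that a change in a child is reported as an indirect change for rules that reference the parent, and filters the resulting events by date range. The group names (Prod_Web, Prod_MidTier, Lab-Midtier) follow the lab; the VM names, rule names, snapshot dates and the snapshot layout are constructed assumptions of this example.

```python
"""Added example (not from the lab manual or vRealize Network Insight):
firewall rule membership-change audit over nested security groups."""
from datetime import date

# Constructed snapshots: date -> {group: {"vms": set(), "children": set()}}
SNAPSHOTS = {
    date(2017, 6, 30): {
        "Prod_Web":     {"vms": {"Prod-Web-1", "Prod-Web-2"}, "children": {"Prod_MidTier"}},
        "Prod_MidTier": {"vms": {"Lab-Midtier-1"}, "children": set()},
    },
    date(2017, 7, 15): {   # a VM joins the child group
        "Prod_Web":     {"vms": {"Prod-Web-1", "Prod-Web-2"}, "children": {"Prod_MidTier"}},
        "Prod_MidTier": {"vms": {"Lab-Midtier-1", "Lab-Midtier-2"}, "children": set()},
    },
    date(2017, 8, 5): {    # a VM leaves the parent group (outside the lab's window)
        "Prod_Web":     {"vms": {"Prod-Web-1"}, "children": {"Prod_MidTier"}},
        "Prod_MidTier": {"vms": {"Lab-Midtier-1", "Lab-Midtier-2"}, "children": set()},
    },
}

# Constructed firewall rules: rule name -> (source group, destination group)
RULES = {
    "Prod_Web to Prod_MidTier": ("Prod_Web", "Prod_MidTier"),
    "Internet to Prod_Web": ("Internet", "Prod_Web"),
}


def effective_members(groups: dict, name: str, seen=None) -> set:
    """Translated VM set of a group, including VMs of nested child groups."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    vms = set(groups[name]["vms"])
    for child in groups[name]["children"]:
        vms |= effective_members(groups, child, seen)
    return vms


def parents_of(groups: dict, name: str, seen=None) -> set:
    """All groups that (transitively) list `name` as a child."""
    seen = set() if seen is None else seen
    parents = set()
    for g, spec in groups.items():
        if name in spec["children"] and g not in seen:
            seen.add(g)
            parents.add(g)
            parents |= parents_of(groups, g, seen)
    return parents


def direct_changes(before: dict, after: dict) -> dict:
    """group -> (added VMs, removed VMs) for groups whose own membership changed."""
    changes = {}
    for g in set(before) | set(after):
        old = before.get(g, {"vms": set()})["vms"]
        new = after.get(g, {"vms": set()})["vms"]
        if old != new:
            changes[g] = (new - old, old - new)
    return changes


def membership_change_events(start: date, end: date, snapshots=SNAPSHOTS, rules=RULES) -> list:
    """Events observed at snapshots within [start, end]:
    (date, changed group, rule name, 'direct' | 'indirect', added, removed)."""
    dates = sorted(snapshots)
    events = []
    for prev, cur in zip(dates, dates[1:]):
        if not (start <= cur <= end):
            continue
        for group, (added, removed) in direct_changes(snapshots[prev], snapshots[cur]).items():
            parents = parents_of(snapshots[cur], group)
            for rule, (src, dst) in rules.items():
                if group in (src, dst):
                    kind = "direct"            # rule names the changed group itself
                elif parents & {src, dst}:
                    kind = "indirect"          # rule names a parent that inherits the change
                else:
                    continue
                events.append((cur, group, rule, kind, frozenset(added), frozenset(removed)))
    return events


if __name__ == "__main__":
    for ev in membership_change_events(date(2017, 6, 30), date(2017, 7, 31)):
        print(ev)
```

With the lab's June 30 to Jul 31 window the only change is the VM joining Prod_MidTier: it is direct for the rule between Prod_Web and Prod_MidTier and indirect for the Internet-to-Prod_Web rule, because Prod_Web's translated membership now includes the new VM. Widening the window to August also surfaces the later removal from Prod_Web.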

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any firewall rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.
2. Notification parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.
3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification, Firewall rule membership change).
3. Info only - do not click - View / Edit / Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface that simplifies problem determination as well as the visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.
2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.
2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map will indicate the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.
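The VM Path Topology above is drawn from the routing tables vRealize Network Insight collects from each VRF along the way: every hop looks up the destination VM's address and hands the packet to the next VRF. The script below is an added example that is not part of the lab manual or of vRealize Network Insight: it walks a VM-to-VM path hop by hop over constructed routing tables using longest-prefix match, and detects the two failure modes a path view has to handle (no route, routing loop). The hop names follow the devices the lab visits (Cisco Nexus 7000, Palo Alto, Arista, Provider-Edge 1, LDR-Corporate); all IP addresses, prefixes and next hops are constructed, and the routing-table layout is an assumption of this example.

```python
"""Added example (not from the lab manual or vRealize Network Insight):
hop-by-hop VM path walk over per-VRF routing tables (longest-prefix match)."""
import ipaddress

# Constructed VM addresses and the VRF that owns each VM's gateway
# (the lab only names the VMs; the addresses are documentation ranges).
VMS = {
    "DBAdmin-VM1": ("192.0.2.10", "Nexus-7000"),
    "Prod-Db-2": ("198.51.100.20", "LDR-Corporate"),
}

# Constructed VRF routing tables: vrf -> [(prefix, next-hop VRF | "connected")]
ROUTES = {
    "Nexus-7000": [("192.0.2.0/24", "connected"), ("0.0.0.0/0", "PaloAlto-FW")],
    "PaloAlto-FW": [("192.0.2.0/24", "Nexus-7000"), ("0.0.0.0/0", "Arista-L3")],
    "Arista-L3": [("198.51.100.0/24", "Provider-Edge-1"),
                  ("192.0.2.0/24", "PaloAlto-FW"),
                  ("0.0.0.0/0", "PaloAlto-FW")],
    "Provider-Edge-1": [("198.51.100.0/24", "LDR-Corporate"), ("0.0.0.0/0", "Arista-L3")],
    "LDR-Corporate": [("198.51.100.0/24", "connected"), ("0.0.0.0/0", "Provider-Edge-1")],
}


def next_hop(vrf: str, dst_ip: str, routes=ROUTES):
    """Longest-prefix-match lookup in one VRF: (matched network, next hop) or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, nh in routes.get(vrf, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def vm_path(src_vm: str, dst_vm: str, vms=VMS, routes=ROUTES, max_hops=16) -> list:
    """Ordered hops from src_vm to dst_vm, ending at the VRF where dst is connected.

    Raises LookupError when a VRF has no route to the destination, when the
    same VRF is visited twice (routing loop), or when the hop limit is hit."""
    dst_ip = vms[dst_vm][0]
    vrf = vms[src_vm][1]            # first hop: the source VM's gateway VRF
    path = [src_vm, vrf]
    for _ in range(max_hops):
        match = next_hop(vrf, dst_ip, routes)
        if match is None:
            raise LookupError(f"no route to {dst_ip} in VRF {vrf}")
        _, nh = match
        if nh == "connected":        # destination subnet lives on this VRF
            path.append(dst_vm)
            return path
        if nh in path:
            raise LookupError(f"routing loop at {nh}: {path}")
        path.append(nh)
        vrf = nh
    raise LookupError(f"hop limit {max_hops} exceeded: {path}")


if __name__ == "__main__":
    print(" -> ".join(vm_path("DBAdmin-VM1", "Prod-Db-2")))
    print(" -> ".join(vm_path("Prod-Db-2", "DBAdmin-VM1")))
```

The forward walk reproduces the lab's order of hops (Nexus, Palo Alto, Arista, Provider Edge, LDR) and the reverse walk returns the same hops in the opposite order, which is what the "Reversing the analysis" step later in this module checks in the UI. Only the longest-prefix match on the destination address is modelled; NAT and the firewall rules shown on the Palo Alto hop are outside this example.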

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

HOL-1829-01-NET

Page 69HOL-1829-01-NET

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, as well as its Hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.
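The VXLAN pop-up separates overlay facts (the Segment ID, which is the 24-bit VNI carried in the VXLAN header) from underlay facts (the VTEP addresses, underlay VLAN and subnet that carry the encapsulated frame). The Python block below is an added example, not code from the lab or from vRealize Network Insight: it builds one VXLAN-encapsulated frame from constructed values (VNI 5001, VTEP addresses 192.168.120.11 and .12, inner addresses in 172.16.0.0/16 and the MAC addresses are all made up for the example) and then decapsulates it the way a collector would, reading the VTEP pair from the outer IPv4 header and the Segment ID from the VXLAN header. It refuses a frame whose VXLAN "I" flag is clear, since the VNI field is only valid when that flag is set.

```python
"""Decapsulate a VXLAN frame to relate the overlay 'Segment ID' (VNI) to the
underlay VTEP addresses. Added example; the frame, VNI, MAC and IP values
below are constructed for illustration and are not taken from the lab."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN UDP port
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: VNI field is valid
ETH_P_IP = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip4(text):
    return ipaddress.ip_address(text).packed


def build_vxlan_frame(vni, vtep_src, vtep_dst, inner_src_ip, inner_dst_ip,
                      inner_src_mac="00:50:56:00:aa:01",
                      inner_dst_mac="00:50:56:00:bb:02"):
    """Ethernet/IPv4/UDP/VXLAN/Ethernet/IPv4 headers only (checksums left zero)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                           _ip4(inner_src_ip), _ip4(inner_dst_ip))
    inner_eth = _mac(inner_dst_mac) + _mac(inner_src_mac) + struct.pack("!H", ETH_P_IP)
    # VXLAN header layout: flags(1) reserved(3) VNI(3) reserved(1)
    vxlan = struct.pack("!B3s3sB", VXLAN_FLAG_VNI_VALID, b"\0\0\0",
                        vni.to_bytes(3, "big"), 0)
    udp_len = 8 + len(vxlan) + len(inner_eth) + len(inner_ip)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                           _ip4(vtep_src), _ip4(vtep_dst))
    outer_eth = _mac("00:1c:73:00:00:02") + _mac("00:1c:73:00:00:01") + struct.pack("!H", ETH_P_IP)
    return outer_eth + outer_ip + udp + vxlan + inner_eth + inner_ip


def parse_vxlan_frame(frame):
    """Return underlay (VTEP) and overlay (VNI, inner addresses) facts, or raise ValueError."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != 17:
        raise ValueError("outer packet is not UDP")
    udp = ip + ihl
    _, dst_port, _, _ = struct.unpack("!HHHH", frame[udp:udp + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port %d is not VXLAN" % dst_port)
    vx = udp + 8
    flags, _, vni_bytes, _ = struct.unpack("!B3s3sB", frame[vx:vx + 8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set: VNI field is not valid")
    inner = vx + 8
    result = {
        "vtep_src": str(ipaddress.ip_address(frame[ip + 12:ip + 16])),
        "vtep_dst": str(ipaddress.ip_address(frame[ip + 16:ip + 20])),
        "vni": int.from_bytes(vni_bytes, "big"),   # the Segment ID shown by vRNI
        "inner_dst_mac": frame[inner:inner + 6].hex(":"),
        "inner_src_mac": frame[inner + 6:inner + 12].hex(":"),
    }
    if struct.unpack("!H", frame[inner + 12:inner + 14])[0] == ETH_P_IP:
        iip = inner + 14
        result["inner_src_ip"] = str(ipaddress.ip_address(frame[iip + 12:iip + 16]))
        result["inner_dst_ip"] = str(ipaddress.ip_address(frame[iip + 16:iip + 20]))
    return result


if __name__ == "__main__":
    sample = build_vxlan_frame(5001, "192.168.120.11", "192.168.120.12",
                               "172.16.10.21", "172.16.20.31")
    print(parse_vxlan_frame(sample))
```

The parser keys on UDP port 4789 because that is the IANA assignment; a real collector should take the port from the transport-zone configuration instead, since older NSX for vSphere releases defaulted to UDP 8472 and an operator may have kept that value.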

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel network.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network of the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. Shows the visual map (Path topology) of all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
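The three queries above are answered by vRNI from the rules and flows it collected; the same reasoning can be reproduced offline by modelling AWS security groups as what they are, allow-lists with an implicit deny. The Python block below is an added example, not code from the lab or from vRealize Network Insight. It encodes the CRM design from the AWS Configuration section (Jump-box to every tier on 22 and to Web on 80, Web to App on 8080, App to DB on 3306, every tier to DNS on 53 and syslog on 514 in Common Services) as the flows the design expects, pairs it with a constructed rule set in which the database group is missing its syslog egress rule, and evaluates each expected flow on both the source group's egress side and the destination group's ingress side. The group names (sg-web, sg-app, sg-db, sg-shared, sg-jump), the additional VM names crm-web2, crm-app1 and crm-app2, and every rule are constructed for the example; the first query reproduces the lab's 4 Allow / 1 Deny result by construction, while the rule counts returned for the other two queries depend on the real rule set and differ from this model's.

```python
"""Constructed model of the lab's AWS CRM application: VM-to-security-group
membership, security-group rules and the flows the design expects. AWS security
groups are allow-lists: a flow passes only when the source group has a matching
egress rule AND the destination group has a matching ingress rule; anything
else is an implicit deny, which is what the lab's query shows as DENY.
All names, groups and rules are constructed for this example."""
from collections import namedtuple

Rule = namedtuple("Rule", "sg direction proto port peer_sg")
Flow = namedtuple("Flow", "src_vm dst_vm proto port")

VM_SG = {
    "jump-box": "sg-jump",
    "crm-web1": "sg-web", "crm-web2": "sg-web",
    "crm-app1": "sg-app", "crm-app2": "sg-app",
    "crm-database": "sg-db",
    "aws-log-server": "sg-shared", "aws-dns-server": "sg-shared",
}
TIER_VMS = ("crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database")

RULES = [
    # jump box reaches every tier on 22 and the web tier on 80
    Rule("sg-jump", "egress", "tcp", 22, "sg-web"),
    Rule("sg-jump", "egress", "tcp", 22, "sg-app"),
    Rule("sg-jump", "egress", "tcp", 22, "sg-db"),
    Rule("sg-jump", "egress", "tcp", 80, "sg-web"),
    # web tier
    Rule("sg-web", "ingress", "tcp", 80, "sg-jump"),
    Rule("sg-web", "ingress", "tcp", 22, "sg-jump"),
    Rule("sg-web", "egress", "tcp", 8080, "sg-app"),
    Rule("sg-web", "egress", "udp", 53, "sg-shared"),
    Rule("sg-web", "egress", "udp", 514, "sg-shared"),
    # app tier
    Rule("sg-app", "ingress", "tcp", 8080, "sg-web"),
    Rule("sg-app", "ingress", "tcp", 22, "sg-jump"),
    Rule("sg-app", "egress", "tcp", 3306, "sg-db"),
    Rule("sg-app", "egress", "udp", 53, "sg-shared"),
    Rule("sg-app", "egress", "udp", 514, "sg-shared"),
    # db tier: the syslog (udp/514) egress rule was never added (the lab's finding)
    Rule("sg-db", "ingress", "tcp", 3306, "sg-app"),
    Rule("sg-db", "ingress", "tcp", 22, "sg-jump"),
    Rule("sg-db", "egress", "udp", 53, "sg-shared"),
    # shared services accept DNS and syslog from all three tiers
    *[Rule("sg-shared", "ingress", "udp", port, sg)
      for port in (53, 514) for sg in ("sg-web", "sg-app", "sg-db")],
]

# flows the application design requires, taken from the lab's AWS Configuration
EXPECTED_FLOWS = (
    [Flow("jump-box", "crm-web1", "tcp", 80),
     Flow("crm-web1", "crm-app1", "tcp", 8080),
     Flow("crm-app1", "crm-database", "tcp", 3306)]
    + [Flow("jump-box", vm, "tcp", 22) for vm in TIER_VMS]
    + [Flow(vm, "aws-dns-server", "udp", 53) for vm in TIER_VMS]
    + [Flow(vm, "aws-log-server", "udp", 514) for vm in TIER_VMS]
)


def _has_rule(sg, direction, proto, port, peer_sg):
    return any(r == Rule(sg, direction, proto, port, peer_sg) for r in RULES)


def evaluate(flow):
    """Decide a flow the way the two security groups would: egress AND ingress."""
    src_sg, dst_sg = VM_SG[flow.src_vm], VM_SG[flow.dst_vm]
    egress_ok = _has_rule(src_sg, "egress", flow.proto, flow.port, dst_sg)
    ingress_ok = _has_rule(dst_sg, "ingress", flow.proto, flow.port, src_sg)
    return {"flow": flow, "action": "ALLOW" if egress_ok and ingress_ok else "DENY",
            "egress_ok": egress_ok, "ingress_ok": ingress_ok}


def firewall_action_of_flows(dst_vm):
    """Offline counterpart of 'firewall action of flows where dst vm = <vm>'."""
    return [evaluate(f) for f in EXPECTED_FLOWS if f.dst_vm == dst_vm]


def aws_firewall_rules(src_vm, dst_vm):
    """Offline counterpart of 'aws firewall rule where src vm = A and dst vm = B'."""
    src_sg, dst_sg = VM_SG[src_vm], VM_SG[dst_vm]
    return [r for r in RULES
            if (r.sg == src_sg and r.direction == "egress" and r.peer_sg == dst_sg)
            or (r.sg == dst_sg and r.direction == "ingress" and r.peer_sg == src_sg)]


def missing_rules(flow):
    """The rule(s) that would have to be added for a denied expected flow to pass."""
    verdict = evaluate(flow)
    src_sg, dst_sg = VM_SG[flow.src_vm], VM_SG[flow.dst_vm]
    needed = []
    if not verdict["egress_ok"]:
        needed.append(Rule(src_sg, "egress", flow.proto, flow.port, dst_sg))
    if not verdict["ingress_ok"]:
        needed.append(Rule(dst_sg, "ingress", flow.proto, flow.port, src_sg))
    return needed


def design_gaps():
    """Every expected flow the current rule set denies."""
    return [v for v in map(evaluate, EXPECTED_FLOWS) if v["action"] == "DENY"]


if __name__ == "__main__":
    for v in firewall_action_of_flows("aws-log-server"):
        print(v["action"], v["flow"].src_vm, "->", v["flow"].dst_vm, v["flow"].port)
    for v in design_gaps():
        print("gap:", v["flow"], "needs", missing_rules(v["flow"]))
```

Checking each side separately is what turns the lab's DENY into an actionable fix: here `missing_rules` reports only the egress rule on the database group, because the shared-services group already admits syslog from sg-db, so the remediation is one rule rather than a guess at both ends.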


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


1. Under the Application Name, type HOL-Pre-Prod.
2. Under Tier, type the Name as HOL-Pre-Prod.
3. Our search criteria will be based on VM Names. Under Virtual Machines / IP Addresses, type Admin-VM1, Admin-VM2 (the search will auto-complete the names for you).
4. Do not Save. Click Cancel, which will take you to the previous screen.

1. Here you can see the number of entities has increased by 1, i.e. 5 entities.
2. You can also see Hol-Pre-Prod in the list.

HOL-Pre-Prod will now appear in the Application section under Plan Security (not covered in this lab).

Security Group Prod_MidTier

Network administrators and architects face daily challenges in identifying the security parameters and groups that are in place, requiring a lot more detail around container topology before continuing to execute or plan micro-segmentation. Let's look at how this would be possible in a single view that has granular integration with overlay and underlay networks.

1. Using the search bar, type Nsx Security Group Prod_MidTier (the search bar uses auto-fill and predictive text will appear as you type).

2. Click Search to continue.

The Help screen may pop up (in this lab setting) to give the user an instant guide, called the Security Group Pinboard. Its purpose is to point out the detail view and the topology layout. Read through the help guide and, once completed:

1. Click the close icon (x) to continue.

Results - PROD_MIDTIER

The search results from the query show Prod_MidTier at the top of the screen. The result also includes the Translated VM Count and any associated Rules.

1. Click on Prod_MidTier to continue.

Security Group Prod_MidTier - Timeline

Security Group View Explanation


The Security Group page provides a detailed view of the selected Security Group and a comprehensive listing of its key properties and events. The Security Group Topology gives a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the view selects the point-in-time state of the Security Group, and filters can be used to focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.


(B) The Security Group Container Topology on the right shows any and all Child and Parent groups in relation to Prod_MidTier. This identifies the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_MidTier rule (this launches a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for each segment attached to Prod_MidTier and provides all of the current Security Group Firewall Topology information. Feel free to click through all the segments to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you can see the following security event information for Prod_MidTier:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes have on this security group.

B. Current Security Group Configuration and Firewall Rules Count, which also help manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups, ensuring we manage our workloads and segmentation at the correct level of efficiency.

D. Indirect Firewall Rules, which show the inherited impact and the relationships leading to Prod_MidTier.

E. Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment.
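The distinction between direct and indirect rules above comes from security group nesting: a rule written against a parent group is inherited by every group and VM nested under it. The following Python is an added example, not code from the lab or from vRealize Network Insight. It resolves a constructed group tree to effective VM membership and splits a constructed rule set into direct rules (the group is named in the rule) and indirect rules (an ancestor group is named). Only the names Prod_Web and Prod_MidTier come from the lab; the other groups, the VMs, the rules and the inheritance model itself are assumptions for the example.

```python
"""Added example, not part of the HOL guide or of vRealize Network Insight:
resolves nested security groups to their effective VM membership and classifies
firewall rules as direct (the rule names the group) or indirect (the rule names
an ancestor group, so the group inherits it). The group tree and rules are
constructed for the example; only Prod_Web and Prod_MidTier come from the lab
text, and the inheritance model is an assumption."""
from collections import deque

# Constructed group hierarchy: static VM members plus nested child groups.
GROUPS = {
    "Prod_All": {"vms": [], "children": ["Prod_Web", "Prod_MidTier", "Prod_DB"]},
    "Prod_Web": {"vms": ["Prod-Web-1", "Prod-Web-2"], "children": []},
    "Prod_MidTier": {"vms": ["Lab-Midtier-1"], "children": ["Prod_MidTier_Batch"]},
    "Prod_MidTier_Batch": {"vms": ["Batch-1"], "children": []},
    "Prod_DB": {"vms": ["Prod-Db-2"], "children": []},
}

# Constructed rules: (rule id, source group, destination group, port, action).
RULES = [
    ("R1", "Prod_Web", "Prod_MidTier", 8080, "ALLOW"),
    ("R2", "Prod_MidTier", "Prod_DB", 3306, "ALLOW"),
    ("R3", "Prod_All", "Prod_All", 22, "DROP"),
    ("R4", "Prod_Web", "Prod_DB", 3306, "DROP"),
]


def parents_of(groups):
    """Invert the child lists so the hierarchy can be walked upwards."""
    parents = {name: set() for name in groups}
    for name, group in groups.items():
        for child in group["children"]:
            parents[child].add(name)
    return parents


def effective_vms(groups, name):
    """All VMs in a group, including those of nested child groups (transitively)."""
    seen, vms, queue = set(), set(), deque([name])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        vms.update(groups[current]["vms"])
        queue.extend(groups[current]["children"])
    return sorted(vms)


def ancestors(groups, name):
    """Every group that contains `name`, directly or through further nesting."""
    parents = parents_of(groups)
    seen, queue = set(), deque(parents[name])
    while queue:
        parent = queue.popleft()
        if parent not in seen:
            seen.add(parent)
            queue.extend(parents[parent])
    return seen


def classify_rules(groups, rules, name):
    """Direct rules name the group itself; indirect rules name one of its ancestors."""
    inherited_from = ancestors(groups, name)
    direct, indirect = [], []
    for rule in rules:
        _, src, dst, _, _ = rule
        if name in (src, dst):
            direct.append(rule)
        elif src in inherited_from or dst in inherited_from:
            indirect.append(rule)
    return direct, indirect


if __name__ == "__main__":
    for group in ("Prod_MidTier", "Prod_MidTier_Batch"):
        direct, indirect = classify_rules(GROUPS, RULES, group)
        print(group, "VMs:", effective_vms(GROUPS, group))
        print("  direct:  ", [r[0] for r in direct])
        print("  indirect:", [r[0] for r in indirect])
```

The point worth checking in a real environment is the one the nested group exposes: Prod_MidTier_Batch has no rule of its own, yet three rules apply to it through inheritance, and a change to Prod_All membership silently changes what those rules cover.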


This module has explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we now understand the analysis that makes up the firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to give it focus and generate the path.

Do not click on any of the bubbles; they are for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally, the L3 switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one simple statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(The search bar uses auto-fill, and predictive text appears as you type.)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the firewall rule search possibilities and the insight they can offer.

1. Do not click - the result is grouped for convenience and allows the user to query each rule individually. This is a live link that exposes further information.

2. Do not click - the entire report can be exported using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.
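To show what a query such as "Firewall rule where action = ALLOW and Port = 443" has to do behind the scenes, and why a naive string match on the port field is not enough, here is an added Python example that is not part of the lab and not vRealize Network Insight's parser or API. It evaluates a small "where field = value and ..." predicate over a constructed rule set and writes the matches as CSV, the way the Save as CSV option exports them. The grammar, the treatment of port ranges and "any", and the rule data are all assumptions for the example.

```python
"""Added example, not part of the HOL guide or of vRealize Network Insight:
evaluates a search-bar style predicate ("Firewall rule where action = ALLOW and
Port = 443") over a constructed firewall rule set and exports the hits as CSV.
The grammar, the port-matching semantics (exact, ranges, 'any') and the rules
below are assumptions for the example, not vRNI behaviour."""
import csv
import io
import re

# Constructed rule set; ports are strings because real rule bases mix
# single ports, ranges and 'any'.
RULES = [
    {"id": "1001", "name": "web-in", "source": "any", "destination": "Prod_Web", "port": "443", "action": "ALLOW"},
    {"id": "1002", "name": "web-alt", "source": "any", "destination": "Prod_Web", "port": "443-450", "action": "ALLOW"},
    {"id": "1003", "name": "mgmt-any", "source": "Mgmt", "destination": "Prod_MidTier", "port": "any", "action": "ALLOW"},
    {"id": "1004", "name": "block-web", "source": "Guest", "destination": "Prod_Web", "port": "443", "action": "DROP"},
    {"id": "1005", "name": "db", "source": "Prod_MidTier", "destination": "Prod_DB", "port": "3306", "action": "ALLOW"},
]
FIELDS = ["id", "name", "source", "destination", "port", "action"]
CLAUSE = re.compile(r"\s*(\w+)\s*=\s*(\S+)\s*")


def parse_query(text):
    """'Firewall rule where a = b and c = d' -> ('firewall rule', {'a': 'b', 'c': 'd'})."""
    entity, _, where = text.partition(" where ")
    if not where:
        raise ValueError("query needs a 'where' clause")
    clauses = {}
    for part in where.split(" and "):
        match = CLAUSE.fullmatch(part)
        if not match:
            raise ValueError(f"cannot parse clause: {part!r}")
        clauses[match.group(1).lower()] = match.group(2)
    return entity.strip().lower(), clauses


def port_matches(rule_port, wanted):
    """True if the rule's port spec covers `wanted`: exact, 'lo-hi' range, list, or 'any'."""
    if rule_port.lower() == "any":
        return True  # an 'any' rule allows 443 too, even though '443' never appears in it
    wanted = int(wanted)
    for piece in rule_port.split(","):
        lo, _, hi = piece.partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if lo <= wanted <= hi:
            return True
    return False


def rule_matches(rule, clauses):
    """Every clause must hold; 'port' is compared semantically, other fields by value."""
    for field, value in clauses.items():
        if field == "port":
            if not port_matches(rule["port"], value):
                return False
        elif str(rule.get(field, "")).lower() != value.lower():
            return False
    return True


def run_query(text, rules=RULES):
    """Return the rules selected by a 'Firewall rule where ...' query."""
    entity, clauses = parse_query(text)
    if entity != "firewall rule":
        raise ValueError(f"unsupported entity: {entity!r}")
    return [rule for rule in rules if rule_matches(rule, clauses)]


def to_csv(rows):
    """Render the selected rules as CSV text (header plus one line per rule)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(run_query("Firewall rule where action = ALLOW and Port = 443")))
```

Rule 1003 is the one to notice: it has port "any", so it allows 443 even though the literal 443 never appears in it. A search that compares the port field as text would miss it, which is exactly the rule an auditor wants surfaced.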

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what firewall membership changes occurred during a selected period. This points out any changes made directly, or indirectly as a result of membership changes, which is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select a date range from June 30 to Jul 31 (because the lab uses static data, this range ensures you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the selected date range. This is pivotal to the audit and change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
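The membership-change audit above answers two questions: which VMs entered or left a group in the window, and which firewall rules were therefore changed indirectly. The Python below is an added example, not lab code and not how vRealize Network Insight stores its history. It diffs constructed membership snapshots into change events, keeps the ones inside the June 30 to Jul 31 window (the year 2017 is assumed; the lab gives none), and annotates each event with the rules that reference the affected group. Snapshots, VM names other than those in the lab, and the rule ids are constructed.

```python
"""Added example, not part of the HOL guide or of vRealize Network Insight:
turns a series of security group membership snapshots into change events,
filters them to an audit window, and lists the firewall rules that each change
affects indirectly. Snapshots, most VM names, rule ids and the year are
constructed assumptions for the example."""
from datetime import datetime

# Constructed membership snapshots: (ISO timestamp, {group: set of VMs}).
SNAPSHOTS = [
    ("2017-06-15T09:00:00", {"Prod_Web": {"Prod-Web-1"}, "Prod_MidTier": {"Lab-Midtier-1"}}),
    ("2017-07-03T14:30:00", {"Prod_Web": {"Prod-Web-1", "Prod-Web-2"}, "Prod_MidTier": {"Lab-Midtier-1"}}),
    ("2017-07-20T08:15:00", {"Prod_Web": {"Prod-Web-2"}, "Prod_MidTier": {"Lab-Midtier-1", "Admin-VM1"}}),
    ("2017-08-02T11:00:00", {"Prod_Web": {"Prod-Web-2"}, "Prod_MidTier": {"Lab-Midtier-1"}}),
]

# Constructed rules: id -> (source group, destination group).
RULES = {
    "R1": ("Prod_Web", "Prod_MidTier"),
    "R2": ("Prod_MidTier", "Prod_DB"),
    "R3": ("Mgmt", "Prod_DB"),
}


def membership_changes(snapshots):
    """Diff consecutive snapshots into per-VM 'added'/'removed' events."""
    events = []
    for (_, before), (when, after) in zip(snapshots, snapshots[1:]):
        for group in sorted(set(before) | set(after)):
            old, new = before.get(group, set()), after.get(group, set())
            for vm in sorted(new - old):
                events.append({"time": when, "group": group, "vm": vm, "change": "added"})
            for vm in sorted(old - new):
                events.append({"time": when, "group": group, "vm": vm, "change": "removed"})
    return events


def in_window(events, start, end):
    """Keep events whose timestamp lies inside [start, end] (ISO 8601 strings)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in events if lo <= datetime.fromisoformat(e["time"]) <= hi]


def affected_rules(event, rules):
    """Rules that name the changed group as source or destination: changed indirectly."""
    return sorted(rid for rid, (src, dst) in rules.items() if event["group"] in (src, dst))


def audit(snapshots, rules, start, end):
    """The audit report: windowed membership changes, each with its affected rules."""
    return [{**e, "rules": affected_rules(e, rules)}
            for e in in_window(membership_changes(snapshots), start, end)]


if __name__ == "__main__":
    for row in audit(SNAPSHOTS, RULES, "2017-06-30T00:00:00", "2017-07-31T23:59:59"):
        print(f"{row['time']}  {row['group']:<13} {row['change']:<8} {row['vm']:<14} rules={row['rules']}")
```

Adding Admin-VM1 to Prod_MidTier on July 20 changed the reach of both R1 and R2 without either rule being edited, which is the kind of indirect change the lab's search is designed to surface; the August 2 removal falls outside the window and is correctly excluded.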


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available from any view that displays the alert icon. Although an alert can be configured in this lab, it will not be actioned, as the lab uses static data only. This section shows how easy it is to report on any firewall rule membership change. The alert can be delivered immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification parameters can be adjusted as required. Populate them with your own preferences, as the alert needs this information to be saved and viewed in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events, in order to edit or activate the event parameters, from the Settings page. Changes can be configured to notify members of the event group based on user preference. The event you created earlier can be tracked using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification, Firewall rule membership change).
3. Info only - do not click - View / Edit / Activate any notifications.

Note that there are two types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 pre-configured default alerts. Scroll down the list to see all the options and what is deemed a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum steps required to facilitate micro-segmentation. The module further demonstrated how we achieve day-zero readiness, and how to track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: security must be consistent in the face of constant change.
• Ubiquity: security must be available everywhere.
• Extensibility: security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination as well as visibility into firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will use the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will focus only on the path.

From the main console

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box appears automatically.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1 Click on Submit

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also perform manual searches.

Do not change any parameters in the search field and please continue to the nextstep


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information for the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details. This information includes many details made available by VMware Tools; for example, we can see network information and the physical host.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear.

1 When done reviewing close the pop-up windows by clicking on the (X) in thetop right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host

A - Spend some time to review what information is available from the host Please donot click on any of the links

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1 When done reviewing click on the (X) in the top right corner


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled

1 When done reviewing click on the (X) in the top right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details


A - Spend some time to review what information is available from the object Please donot click on any of the links

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1 When done reviewing click on the (X) in the top right corner

Switch ports on the map

1 From the map click on the icon marked by a red square to select the SwitchPort for the VM


Switch Port

A pop-up box will appear that contains the Switch Port details

In this view we are looking purely at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1 When done reviewing click on the (X) in the top right corner of the pop up box


Physical VRF on the map

1 From the map click on the icon marked by a red square to access thePhysical VRF details


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details

A - Spend some time to review what information is available from the object Please donot click on any of the links

B - In this scenario, the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We gather all of the configuration data, routing tables and routing interface information from this device.

1 When done reviewing click on the (X) in the top right corner of the pop-up box


VRF - continued

1 From the map click on the icon marked by a red square to access the nextPhysical VRF in the path


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details

In this scenario, the second hop from the physical network perspective is a Palo Alto router. In this view we see the routing table as well as the firewall rules. Note that the rules displayed are only those applicable between the two objects we searched for: a normal network will likely have thousands of firewall rules, but these are the ones affecting communication between the two selected VMs.


A - Spend some time to review what information is available from the object Please donot click on any of the links

1 When done reviewing click on the (X) in the top right corner of the pop up box

Note The Palo Alto integration showcased is in beta testing
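The reduction described above, from thousands of rules to the handful that apply between two endpoints, and the fact that a path crosses several enforcement points (here a physical firewall and later the NSX firewall), is worth seeing in code. The Python below is an added example, not lab code and not how vRealize Network Insight correlates rules to a path. It filters constructed rule bases down to the rules whose selectors cover a given source, destination and port, then evaluates them top-down, first match wins, at each firewall along a constructed path. The VM names DBAdmin-VM1, Prod-Db-2 and Prod-Web-1 come from the lab; their addresses, group memberships, the Jump-1 host and every rule are assumptions.

```python
"""Added example, not part of the HOL guide or of vRealize Network Insight:
narrows rule bases down to the rules applicable between two endpoints and
evaluates them top-down (first match wins) at each firewall on the path.
Addresses, group memberships, Jump-1 and all rules are constructed; the other
VM names come from the lab but nothing here reproduces vRNI's own logic."""
import ipaddress

# Constructed endpoints: IP address plus security group membership.
ENDPOINTS = {
    "DBAdmin-VM1": {"ip": "10.10.29.15", "groups": {"DB_Admins"}},
    "Jump-1": {"ip": "10.10.29.40", "groups": {"Jump"}},
    "Prod-Web-1": {"ip": "10.10.40.5", "groups": {"Prod_Web"}},
    "Prod-Db-2": {"ip": "10.10.50.22", "groups": {"Prod_DB"}},
}

# Constructed, ordered rule bases: (id, source, destination, port, action).
# A selector is a CIDR (physical firewall), a security group name (NSX), or "any".
PHYSICAL_FW = [
    ("P10", "10.10.0.0/16", "10.10.50.0/24", 3306, "ALLOW"),
    ("P20", "any", "10.10.50.0/24", "any", "DROP"),
    ("P30", "any", "any", "any", "ALLOW"),
]
NSX_DFW = [
    ("D100", "DB_Admins", "Prod_DB", 3306, "ALLOW"),
    ("D110", "Prod_Web", "Prod_DB", 3306, "ALLOW"),
    ("D999", "any", "Prod_DB", "any", "DROP"),
]
PATH = [("physical firewall", PHYSICAL_FW), ("NSX DFW", NSX_DFW)]


def selector_matches(selector, endpoint):
    """CIDR selectors match on address; other names match on group membership."""
    if selector == "any":
        return True
    if "/" in selector:
        return ipaddress.ip_address(endpoint["ip"]) in ipaddress.ip_network(selector)
    return selector in endpoint["groups"]


def applicable_rules(rules, src, dst, port):
    """The subset of `rules` whose selectors all cover this source, destination and port."""
    return [
        rule for rule in rules
        if selector_matches(rule[1], src)
        and selector_matches(rule[2], dst)
        and rule[3] in ("any", port)
    ]


def verdict(rules, src, dst, port, default="DROP"):
    """First applicable rule decides; the default applies when nothing matches."""
    hits = applicable_rules(rules, src, dst, port)
    return (hits[0][0], hits[0][4]) if hits else (None, default)


def path_verdict(path, src, dst, port):
    """Traffic must be allowed at every enforcement point; stop at the first DROP."""
    results = []
    for name, rules in path:
        rule_id, action = verdict(rules, src, dst, port)
        results.append((name, rule_id, action))
        if action != "ALLOW":
            break
    return results


if __name__ == "__main__":
    for src_name, port in (("DBAdmin-VM1", 3306), ("Jump-1", 3306), ("Prod-Web-1", 22)):
        src, dst = ENDPOINTS[src_name], ENDPOINTS["Prod-Db-2"]
        print(f"{src_name} -> Prod-Db-2:{port}", path_verdict(PATH, src, dst, port))
```

The Jump-1 case is the one to keep in mind when reading the path view: the physical firewall allows the connection, so looking at that hop alone would suggest the flow works, but the distributed firewall on the destination host drops it. A path view that shows every enforcement point is what makes that visible.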

VRF - continued

1 From the map click on the icon marked by a red square to access the nextPhysical VRF in the path


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details

A - Spend some time to review what information is available from the object Please donot click on any of the links

B - In this scenario, the third hop from the physical network perspective is an Arista device. Information is available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, which matters when migrating from one vendor to another.

1 When done reviewing click on the (X) in the top right corner


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kinds of object we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icons marked with red arrow A, without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse over) the icons marked with red arrow B, without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details

A - Please spend some time to review what information is available from the objectPlease do not click on any of the links

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1 When done reviewing click on the (X) in the top right corner of the pop-up box


VXLAN on the map

1 On the map click on the blue line marked by a red square to access theVXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details


A - Spend some time to review what information is available from the object Please donot click on any of the links

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, as well as the Hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1 When done reviewing click on the X in the top right corner of the pop-up box

VRF - LDR

1 From the map click on the icon marked by a red square to access the VRFdetails


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (illustrated in the next step).

1 When done reviewing click on the (X) in the top right corner of the pop-up box


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network on that physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details

A - Spend some time to review what information is available from the object Please donot click on any of the links

1 When done reviewing click on the (X) in the top right corner of the pop-up box


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one from Palo Alto and one from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based firewall to which inspection is offloaded. The NSX redirect feature lets a firewall rule steer matching traffic to the Palo Alto firewall, so that both the NSX rules and the PAN rules apply to the VM's traffic.

1 When done reviewing click on the (X) in the top right corner of the pop up box

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change


Reversing the analysis continued

A - The analysis is now done in the opposite direction. Please note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic would behave in real life.

Please continue to the next step to conclude this module


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information for the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine,
2. which changes the focus to the corresponding interface IP address (vNIC),
3. shows the visual map (path topology) of all the path objects, and
4. Path Details shows the labels and lists the components.

This concludes this module Please continue to the next module


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components involved in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module, to have a look at other components, before continuing to the next module.

For More Information

For additional information about the functionality showcased in this module, visit www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider; by default, the current-time results are displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems is key to understanding the issues affecting NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1 Click the close sign (x) to continue


Topology - Explained

Note The Topology for the NSX environment will not show any load balancing devicestatus information in this release

1 Click the Edge VMs icon to see detailed information about the edge services

Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all edge-related activity

1 Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button (click once) to return to the NSX Manager information screen

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section

1 Click and select Warning/Moderate to view problem areas

Warning/Moderate Issues

1 Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller"

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier

1 Click the close sign (x) to continue

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1 Click here to open the interactive simulation. It will open in a new browser window or tab.

2 When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab

1 We have an on-premises instance of vRealize Network Insight managing AWS
2 There are two VPCs, i.e. CRM and Common Services
3 VPC CRM consists of the CRM Application, which comprises three tiers, i.e. Web, App and DB
4 Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box
5 The Web tier talks to the App tier on port 8080
6 The App tier talks to the DB tier on port 3306
7 The Web tier is open to internal datacenter VMs on port 80
8 From the Jump-box in VPC CRM all virtual machines have ssh access on port 22
9 All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services
10 This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3

1 In vRealize Network Insight, click on Plan Security

From the Plan Security dialogue box, under Entity select:

1 Application
2 CRM
3 Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1 Please note that the Micro-Segments are already filtered by Tier
2 Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3 App (the App tier talks to the DB tier on port 3306)
4 DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture

1 Hover over the App Micro-segment
2 Click on Keep Focus
3 Click on the Yellow line to explore the flows. This will reveal flows from Web to App

1 The Web tier talks to the App tier on port 8080
2 Click X to continue

1 Hover over the App Micro-segment
2 Click on Keep Focus
3 Click on the Blue line to explore the flows. This will reveal flows from App to DB

1 The App tier talks to the DB tier on port 3306
2 Click X to continue

1 Hover over the App Micro-segment
2 Click on Keep Focus
3 Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App

1 DC Virtual (jump box) talks to the App tier on port 22
2 Click X to continue

1 Hover over the App Micro-segment
2 Click on Keep Focus
3 Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual

1 The App tier talks to Shared Virtual on ports 53 and 514 respectively
2 Click X to continue

1 Hover over the DB Micro-segment
2 Click on Keep Focus
3 Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual

1 By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).

1 In the Chrome web browser, right-click the current tab
2 Select Duplicate from the menu

1 Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for the web and midtier VMs) and 1 Deny (for the DB).

2 Click Search
3 Click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).

1 In the Chrome web browser, right-click the current tab
2 Select Duplicate from the menu

1 Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2 Click Search
3 This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1 In the Chrome web browser, right-click the current tab
2 Select Duplicate from the menu

1 Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2 Click Search
3 This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server. AWS security groups hold allow rules only and are default-deny, and a flow needs an outbound allow on the source's group as well as an inbound allow on the destination's group; the absence of any Inbound result here, compared with the Inbound rule returned for crm-web1, is the missing allow that blocks syslog from the database tier.
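The three queries above check the two sides of a security-group decision by hand. The following Python script, added here as an illustration and not part of the lab or of vRealize Network Insight, does the same check programmatically: it builds the intended flow list from the design described in the AWS Configuration section, compares it with a constructed set of observed flows, and for every intended flow that never appears reports which security-group allow is missing. The VM names crm-web1, crm-database and aws-log-server come from the lab; crm-app1, jump-box, aws-dns-server, the security group names, the IP addresses and the rule set are constructed for the example.

```python
"""Intended vs. observed flows of the CRM application, explained through
AWS security-group rules.  Added illustration; not vRNI code.  Names
crm-web1, crm-database, aws-log-server follow the lab; crm-app1, jump-box,
aws-dns-server, the security groups, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed inventory: security group and address of each VM.
VM_SG = {
    "jump-box": "sg-jump", "crm-web1": "sg-web", "crm-app1": "sg-app",
    "crm-database": "sg-db", "aws-dns-server": "sg-shared",
    "aws-log-server": "sg-shared",
}
VM_IP = {
    "jump-box": "10.10.0.5", "crm-web1": "10.10.1.10", "crm-app1": "10.10.2.10",
    "crm-database": "10.10.3.10", "aws-dns-server": "10.20.0.53",
    "aws-log-server": "10.20.0.14",
}
CRM_VPC_CIDR = "10.10.0.0/16"  # constructed address range of VPC CRM


@dataclass(frozen=True)
class SGRule:
    sg: str          # security group the rule is attached to
    direction: str   # "inbound" or "outbound"
    peer: str        # referenced security group, or a CIDR block
    port: int        # TCP/UDP destination port


def intended_flows():
    """(src, dst, port) triples taken from the lab's design description."""
    tiers = ("crm-web1", "crm-app1", "crm-database")
    flows = {("crm-web1", "crm-app1", 8080), ("crm-app1", "crm-database", 3306)}
    for vm in tiers:
        flows.add(("jump-box", vm, 22))          # ssh from the jump box
        flows.add((vm, "aws-dns-server", 53))    # DNS in VPC Common Services
        flows.add((vm, "aws-log-server", 514))   # syslog in VPC Common Services
    return flows


def peer_matches(peer, vm):
    """A rule peer matches a VM if it names the VM's group or contains its IP."""
    if peer in VM_SG.values():
        return VM_SG[vm] == peer
    return ipaddress.ip_address(VM_IP[vm]) in ipaddress.ip_network(peer)


def rules_between(rules, src, dst):
    """Rules that bear on src -> dst: outbound rules on src's group towards
    dst, and inbound rules on dst's group from src (the set the lab's
    'aws firewall rule where src vm = ... and dst vm = ...' search shows)."""
    return [r for r in rules
            if (r.sg == VM_SG[src] and r.direction == "outbound" and peer_matches(r.peer, dst))
            or (r.sg == VM_SG[dst] and r.direction == "inbound" and peer_matches(r.peer, src))]


def evaluate(rules, src, dst, port):
    """Security groups are stateful and default-deny: a flow needs an outbound
    allow on the source group AND an inbound allow on the destination group.
    Returns (allowed, list of missing allows)."""
    relevant = [r for r in rules_between(rules, src, dst) if r.port == port]
    out_ok = any(r.direction == "outbound" for r in relevant)
    in_ok = any(r.direction == "inbound" for r in relevant)
    missing = []
    if not out_ok:
        missing.append(f"outbound {port} on {VM_SG[src]} to {dst}")
    if not in_ok:
        missing.append(f"inbound {port} on {VM_SG[dst]} from {src}")
    return out_ok and in_ok, missing


def diagnose(intended, observed, rules):
    """For each intended flow with no observed traffic, name the missing
    security-group allow, or state that the rules are not the cause."""
    report = {}
    for flow in sorted(intended - observed):
        allowed, missing = evaluate(rules, *flow)
        report[flow] = missing if not allowed else ["allowed by SG rules; look elsewhere"]
    return report


TIER_SGS = ("sg-web", "sg-app", "sg-db")
RULES = [
    *[SGRule("sg-jump", "outbound", sg, 22) for sg in TIER_SGS],
    *[SGRule(sg, "inbound", "sg-jump", 22) for sg in TIER_SGS],
    SGRule("sg-web", "outbound", "sg-app", 8080), SGRule("sg-app", "inbound", "sg-web", 8080),
    SGRule("sg-app", "outbound", "sg-db", 3306), SGRule("sg-db", "inbound", "sg-app", 3306),
    *[SGRule(sg, "outbound", "sg-shared", p) for sg in TIER_SGS for p in (53, 514)],
    SGRule("sg-shared", "inbound", CRM_VPC_CIDR, 53),
    # Syslog inbound was granted to the web and app groups only; sg-db is missing.
    SGRule("sg-shared", "inbound", "sg-web", 514),
    SGRule("sg-shared", "inbound", "sg-app", 514),
]

# Constructed flow records: every designed flow except DB -> syslog was seen.
OBSERVED = intended_flows() - {("crm-database", "aws-log-server", 514)}

if __name__ == "__main__":
    for flow, why in diagnose(intended_flows(), OBSERVED, RULES).items():
        print(flow, "->", why)
```

Run stand-alone, the script reports the one designed flow that never showed up, DB to aws-log-server on 514, together with the side of the security-group pair that lacks an allow (inbound on the shared group from the database). Adding the inbound 514 allow for sg-db to RULES makes the same flow come back as permitted, which is the change the lab's conclusion calls for.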

Conclusion

Congratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226

The Help screen may pop up (in this lab setting) to give the user an instant guide called the Security Group Pinboard. The reason for this guide is to point out the detail view and topology layout. Read through the help guide and once completed:

1 Click the close icon (x) to continue

Results - PROD_MIDTIER

The search results from the query will show Prod_Web at the top of the screen. The result will also include the Translated VM Count and any associated Rules.

1 Click on Prod_MidTier to continue

Security Group Prod_MidTier - Timeline

Security Group View Explanation

The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view enables the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1 Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step)

1 In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web, and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group

2 Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise

Tracking Prod_MidTier

1 Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web

A Events - showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes have on this security group

B Current Security Group Configuration and Firewall Rules Count will also provide further assistance in managing the endpoints

C Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency

D Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web

E Direct Firewall Rules - NOTE: the blue links expose further detail for each firewall segment

This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier

2 Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier); a new TAB will open at the top of the screen

Lab-Midtier

1 Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2 When you are done with the current view, close this tab in Chrome and return to the original view

Firewall Rule - Tracking

Using the search bar we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security related objects in one easy statement and also export the results.

Port Search

1 Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses auto-fill, and predictive text will appear as you type)

2 Click search to continue

As you type, notice all the different permutations of queries that can be assembled

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight they can offer

1 Do not click - the result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information

2 Do not click - the entire report can be exported by using the Save as CSV option at the top right hand corner of the screen, but we will not export any information at this point

3 For the next step we will return to the top search bar

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1 Type

Firewall Rule Membership Change

2 Select the Date/Time window
3 Click Between and select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes)
4 Click search

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue
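To show how a single membership change produces both direct and indirect firewall-rule changes of the kind this search reports, the following Python script is added as an illustration (it is not part of the lab or of vRealize Network Insight). It models security groups that can nest other security groups, resolves which rules apply to each VM and whether directly or through a nested group, and diffs two snapshots into audit events. The group names Prod_Web, Prod_MidTier and Lab-Midtier and the VM names follow the lab; the nesting of Lab-Midtier inside Prod_MidTier, the rule R1 and the membership changes between the two snapshots are constructed for the example.

```python
"""Direct vs. indirect firewall-rule impact of security-group membership
changes.  Added illustration; not vRealize Network Insight code.  Group
and VM names follow the lab; the nesting, rule and changes are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    vms: frozenset = frozenset()       # static VM members
    children: frozenset = frozenset()  # names of nested security groups


@dataclass(frozen=True)
class FirewallRule:
    rule_id: str
    src_group: str
    dst_group: str
    port: int


def effective_members(groups, name, seen=None):
    """All VMs in a group, including those contributed by nested groups.
    'seen' guards against a nesting cycle."""
    seen = set() if seen is None else seen
    if name in seen:
        return frozenset()
    seen.add(name)
    group = groups[name]
    members = set(group.vms)
    for child in group.children:
        members |= effective_members(groups, child, seen)
    return frozenset(members)


def containment(groups, group_name, vm):
    """'direct' if the VM is a static member, 'indirect via <child>' if it is
    a member only through a nested group, None if it is not a member."""
    group = groups[group_name]
    if vm in group.vms:
        return "direct"
    for child in sorted(group.children):
        if vm in effective_members(groups, child):
            return f"indirect via {child}"
    return None


def rules_for_vm(groups, rules, vm):
    """rule_id -> how the VM is covered, for every rule whose source or
    destination group contains the VM."""
    applicable = {}
    for rule in rules:
        for group_name in (rule.src_group, rule.dst_group):
            how = containment(groups, group_name, vm)
            if how:
                applicable[rule.rule_id] = how
    return applicable


def membership_changes(before, after, rules):
    """Audit events (vm, 'gained'|'lost', rule_id, how) for every VM whose
    set of applicable rules differs between two group snapshots."""
    vms = set()
    for snapshot_groups in (before, after):
        for group in snapshot_groups.values():
            vms |= group.vms
    events = []
    for vm in sorted(vms):
        old, new = rules_for_vm(before, rules, vm), rules_for_vm(after, rules, vm)
        events += [(vm, "gained", rid, new[rid]) for rid in sorted(set(new) - set(old))]
        events += [(vm, "lost", rid, old[rid]) for rid in sorted(set(old) - set(new))]
    return events


# Constructed rule: the web tier may reach the midtier on 443.
RULES = [FirewallRule("R1", "Prod_Web", "Prod_MidTier", 443)]


def snapshot(midtier_vms, lab_vms):
    """Constructed snapshot: Prod_MidTier nests the Lab-Midtier group."""
    return {
        "Prod_Web": SecurityGroup("Prod_Web", frozenset({"Prod-Web-9"})),
        "Prod_MidTier": SecurityGroup("Prod_MidTier", frozenset(midtier_vms),
                                      frozenset({"Lab-Midtier"})),
        "Lab-Midtier": SecurityGroup("Lab-Midtier", frozenset(lab_vms)),
    }


# Between the two snapshots Prod-Midtier-1 leaves Prod_MidTier and
# Lab-Midtier-2 joins the nested Lab-Midtier group.
BEFORE = snapshot({"Prod-Midtier-1"}, {"Lab-Midtier-1"})
AFTER = snapshot(set(), {"Lab-Midtier-1", "Lab-Midtier-2"})

if __name__ == "__main__":
    for event in membership_changes(BEFORE, AFTER, RULES):
        print(*event)
```

The two events the script emits are the two kinds the lab's Events panel distinguishes: Prod-Midtier-1 loses R1 directly, because it was a static member of Prod_MidTier, while Lab-Midtier-2 gains R1 without anyone touching Prod_MidTier or the rule, purely because Lab-Midtier is nested inside it. That second case is why an audit of firewall changes has to resolve group nesting rather than look only at the rule table.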

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section shows how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1 Click the Notifications icon to create an event. The notifications screen will pop up

2 Notification parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps

3 Once completed, click Save

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The event that you created can now be tracked by using the search bar at the top of the screen.

1 Click in the search bar and type Settings
2 Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification Firewall rule membership change)
3 Info only - do not click - View, Edit or Activate any notifications

Note that we have 2 types of notification: User-defined and System Events

4 Click System Events

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour or as a daily digest).

This concludes this module Please continue to the next module

Conclusion

Congratulations on completing Module 1

In this module we introduced the minimum required steps to facilitate micro-segmentation. This module further demonstrated how we achieve day zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module visit www.vmware.com

Please close the Chrome Web browser

This concludes this module; please continue to the next module

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination and gives visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1 Open Chrome on the Control Center Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups etc., but in this module we will only be focusing on the path.

From the main console

1 Click on Path and Topology
2 Click on Path

Path - Select source and destination

In the pop-up box

1 Click on the grey field below Source
2 Type dba into the source field and DBAdmin-VM1 will appear
3 Click on DBAdmin-VM1 to select it

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear

1 Type prod in the destination field and the list of available options will appear

2 Select Prod-Db-2

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM

Path - source and destination continued

1 Click on Submit

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1 VM Path Topology This view details the routers Edges or Logical DistributedRouters (LDRs) that are involved in the VM to VM network path and provides thecomplete routing and NAT information

2 VM Underlay ( The VM Underlay section that is on the right side of the VM Pathtopology shows the underlay information of the VMs involved and theirconnectivity to the top of the rack switches and the ports involved)

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field
2. Click Maximize

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network, showing the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the direction of the traffic, in this case from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, Path Details lists the steps passed through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right hand side to verify the different hops in the path. Notice that the list includes items such as VMs, physical switches, virtual switches, routers and NICs.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square, the virtual machine DBAdmin-VM1

Virtual Machine - Details


A pop-up box will appear with the virtual machine details. Much of this information is made available by VMware Tools; for example, we can see network information and the physical host the VM runs on.

A - Spend some time getting an overview of the information available in this view.

B - Note that the Firewall Status indicates Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear instead.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing the information available for the host. Please do not click on any of the links.

B - Notice that we receive information about both the chassis and the blade that this ESXi host is running on. In a real-life environment we could click on these links to get detailed information about the physical environment.

C - Note that there are no NSX components on this host: for example, the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled. IPFIX export from the distributed switch is the source of the flow records vRealize Network Insight uses for the traffic analysis seen in Module 1; a port group without IPFIX enabled will have no flows to show.

1. When done reviewing, click on the (X) in the top right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the switch port for the VM


Switch Port

A pop-up box will appear that contains the switch port details.

In this view we are looking purely at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the physical VRF details


VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this scenario the first hop in the physical network happens to be a Cisco Nexus 7000. vRealize Network Insight gathers the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path


VRF - Physical Router

A pop-up box will appear that contains the physical VRF details.

In this scenario the second hop in the physical network is a Palo Alto Networks device. In this view we see its routing table as well as its firewall rules. The firewall rules shown are not the device's full rule base but only those that apply to traffic between the two objects we searched for; a normal network will have thousands of firewall rules, but these are the ones affecting communication between the two selected VMs.


A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path


VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this scenario the third hop in the physical network is an Arista device. Information on routing, gateways, interfaces and so on is available. These details show that devices from a multitude of vendors can be monitored, which matters when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner


Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of components we looked at previously in this module. We are not going to look at their details in this scenario as they are similar to the ones previously discussed.

A - Hover (move the mouse) over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse) over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in the previous steps) are an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the underlay VLAN IDs, the subnet and the underlay subnet.

C - We also have visibility into which primary controller it is using, as well as the hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box
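As an added example (not part of the lab or of vRealize Network Insight), the following Python decodes a VXLAN-encapsulated frame to show where the fields in this pop-up come from on the wire: the Segment ID is the 24-bit VNI in the VXLAN header, the underlay VLAN ID is the 802.1Q tag on the outer frame, and the VTEPs are the outer IP source and destination. The frame, MAC addresses and IP addresses are constructed sample data, not a capture from the lab.

```python
"""Decode a VXLAN-encapsulated Ethernet frame (overlay vs. underlay fields).

Added example, not lab or product code.  Frame contents below are
constructed sample data; the MAC and IP addresses are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN destination port
ETHERTYPE_VLAN = 0x8100    # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid


@dataclass(frozen=True)
class VxlanView:
    underlay_vlan: Optional[int]  # 802.1Q VLAN ID on the outer frame, None if untagged
    src_vtep: str                 # outer IPv4 source: the sending VTEP
    dst_vtep: str                 # outer IPv4 destination: the receiving VTEP
    vni: int                      # 24-bit VXLAN Network Identifier (NSX "Segment ID")
    inner_src_mac: str            # overlay (VM) source MAC
    inner_dst_mac: str            # overlay (VM) destination MAC


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_vxlan(frame: bytes) -> VxlanView:
    """Walk outer Ethernet -> optional 802.1Q -> IPv4 -> UDP -> VXLAN -> inner Ethernet."""
    off = 12                                  # skip outer dst/src MAC
    ethertype, = struct.unpack_from("!H", frame, off)
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        tci, = struct.unpack_from("!H", frame, off + 2)
        vlan = tci & 0x0FFF                   # low 12 bits of the TCI carry the VLAN ID
        off += 4
        ethertype, = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"outer EtherType 0x{ethertype:04x} is not IPv4")
    ihl = (frame[off] & 0x0F) * 4             # IPv4 header length in bytes
    if frame[off + 9] != IPPROTO_UDP:
        raise ValueError("outer IPv4 payload is not UDP")
    src_vtep = _ipv4(frame[off + 12:off + 16])
    dst_vtep = _ipv4(frame[off + 16:off + 20])
    off += ihl
    _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", frame, off)
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    off += 8
    # VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)
    flags, vni_word = struct.unpack_from("!B3xI", frame, off)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    vni = vni_word >> 8
    off += 8
    inner_dst, inner_src = frame[off:off + 6], frame[off + 6:off + 12]
    return VxlanView(vlan, src_vtep, dst_vtep, vni, _mac(inner_src), _mac(inner_dst))


def build_sample_frame(vni: int, underlay_vlan: Optional[int]) -> bytes:
    """Construct a VXLAN frame with assumed addresses (sample data, not a capture)."""
    inner = (bytes.fromhex("005056aa0002")    # inner dst MAC (assumed VM)
             + bytes.fromhex("005056aa0001")  # inner src MAC (assumed VM)
             + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 27)
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan), 0) + vxlan
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([192, 168, 250, 11]), bytes([192, 168, 250, 12])) + udp
    ether = bytes.fromhex("0050560000b2") + bytes.fromhex("0050560000a1")  # outer MACs (assumed)
    if underlay_vlan is not None:
        ether += struct.pack("!HH", ETHERTYPE_VLAN, underlay_vlan & 0x0FFF)
    return ether + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    print(decode_vxlan(build_sample_frame(vni=5000, underlay_vlan=10)))
```

The decoder rejects anything that is not a properly flagged VXLAN packet on UDP 4789, so it can be pointed at frames from a real capture (for example, a pcap read with a library of your choice) to confirm that the VNI, underlay VLAN and VTEP pair match what the pop-up reports.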

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach the in-kernel (distributed) routing of the virtual network.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes the traffic to a different interface, the one on the Prod-DB network, as the next step in the path (illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device the traffic hits on the virtual network on that physical host is the firewall. Notice that there are two firewalls next to the VM: one Palo Alto firewall and one NSX firewall.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two)


Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


Redirect on the map - PAN Firewall

Notice that there are two firewalls next to the VM: one Palo Alto firewall and one NSX firewall. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two)

Firewall - PAN


In this scenario we also have a Palo Alto VM-based firewall that inspection is offloaded to. The NSX redirect feature steers traffic matching NSX distributed firewall rules to the PAN firewall, so both rule sets apply to the same path and both need to be checked when troubleshooting a blocked flow.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left

The route on the map will change.


Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the return traffic is routed through Provider-Edge 2. This is exactly how the traffic behaves in the live network. A path that differs per direction is worth noting whenever a stateful firewall sits in the path, since both directions must traverse the same firewall for its session state to match.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved
2. The VM Underlay path topology is shown here
3. The components are labeled under Path Details


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges
2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses

1. From the previous step we selected the Prod-DB-2 virtual machine
2. This changes the focus to the corresponding interface IP address (vNIC)
3. The visual map (path topology) shows all the path objects
4. Path Details shows the labels and lists the components

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2

This module has shown that vRealize Network Insight can trace the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components involved in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight product pages at http://www.vmware.com

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from both an overlay and an underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query; it gathers advanced CLI and metadata information from NSX in real time.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers)
2. Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that it has 50 problems associated with it.

1. Click on the NSX Manager address to expose the layout and detailed information


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Under NSX Checklist Rules - ALL we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual representation of the topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems is key to understanding the issues affecting NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order)


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue


Topology - Explained

Note: The topology for the NSX environment does not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services


Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This highlights a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section

1. Click and select Warning/Moderate to view problem areas

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of Logical networking out of sync between host and NSX Controller


Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab
2. When finished, click the "Return to the lab" link to continue with this lab


Conclusion

Congratulations on completing Module 3

This module demonstrated the advanced management operations capability of vRealize Network Insight, which provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads too; increasingly, public cloud workloads also fulfil mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the right hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs (EC2 instances), Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS
2. There are two VPCs, i.e. CRM and Common Services
3. VPC CRM contains the CRM application, which comprises 3 tiers, i.e. Web, App and DB
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box
5. The Web tier talks to the App tier on port 8080
6. The App tier talks to the DB tier on port 3306
7. The Web tier is open to the internal datacenter VMs on port 80
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area on which our focus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1.


1. In vRealize Network Insight, click on Plan Security

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Note that the micro-segments are already filtered by Tier
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally)
3. App (the App tier talks to the DB tier on port 3306)
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.

1. Hover over the App micro-segment
2. Click on Keep Focus
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App


1. The Web tier talks to the App tier on port 8080
2. Click X to continue


1. Hover over the App micro-segment
2. Click on Keep Focus
3. Click on the blue line to explore the flows. This will reveal flows from App to DB


1. The App tier talks to the DB tier on port 3306
2. Click X to continue


1. Hover over the App micro-segment
2. Click on Keep Focus
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App


1. DC Virtual (the jump box) talks to the App tier on port 22
2. Click X to continue


1. Hover over the App micro-segment
2. Click on Keep Focus
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual


1. The App tier talks to Shared Virtual on ports 53 (DNS) and 514 (syslog)
2. Click X to continue


1. Hover over the DB micro-segment
2. Click on Keep Focus
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which provides the backup service)
2. Click X to continue

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).


1. In the Chrome web browser, right-click on the tab
2. Select Duplicate from the menu

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This returns 5 results: 4 Allow (for web and midtier) and 1 Deny (for DB)
2. Click Search
3. Click on the DENY checkbox so we can focus on the deny rule

We can see a DENY that is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator did not add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click on the tab
2. Select Duplicate from the menu


1. Remove the current search string (copied when duplicating the previous tab) and replace it with the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search
3. This returns 3 results: 1 inbound and 2 outbound rules. The result of this query confirms that communication from crm-web1 to aws-log-server is permitted on both the source (outbound) and destination (inbound) side

1. In the Chrome web browser, right-click on the tab
2. Select Duplicate from the menu

1. Remove the current search string (copied when duplicating the previous tab) and replace it with the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search
3. This returns only 2 results, both outbound rules. Compared with the previous query, there is no inbound rule on aws-log-server permitting crm-database, which explains the firewall behaviour from crm-database to aws-log-server: AWS security groups are allow-lists, so a flow needs a matching rule on both sides and the missing inbound rule is enough to deny it
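As an added example (not part of the lab or of vRealize Network Insight), the following Python models what the three queries above are checking. It takes the application's intended flows from the VPC description earlier in this module and evaluates them against an AWS-style security-group rule set, in which a flow must be allowed by the source group's outbound rules and by the destination group's inbound rules. The group names, instance-to-group mapping and rules are constructed assumptions that reproduce the lab's symptom (crm-database has outbound rules to the log server but the log server has no inbound rule from the database group) and show the least-privilege fix.

```python
"""Check the CRM application's intended flows against security-group rules.

Added example, not lab or product code.  It models how AWS evaluates security
groups: rules are allow-only (anything unmatched is denied), groups are
stateful (return traffic needs no rule), and a flow must be permitted by the
source's outbound rules AND the destination's inbound rules.  Group names,
instance mapping and rule sets below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound"
    protocol: str     # "tcp", "udp" or "-1" for all protocols and ports
    from_port: int
    to_port: int
    peer: str         # referenced security group name, or a CIDR such as ANY

    def matches(self, protocol: str, port: int, peer_group: str) -> bool:
        if self.protocol == "-1":
            return self.peer in (ANY, peer_group)
        return (self.protocol == protocol and self.from_port <= port <= self.to_port
                and self.peer in (ANY, peer_group))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    port: int


Groups = Dict[str, List[Rule]]   # security group name -> its rules
Membership = Dict[str, str]      # instance name -> security group name

# Assumed placement of the lab's instances into security groups.
MEMBERSHIP: Membership = {
    "jump-box": "sg-jump", "crm-web1": "sg-web", "crm-app1": "sg-app",
    "crm-database": "sg-db", "aws-dns-server": "sg-shared", "aws-log-server": "sg-shared",
}

# Intended communication, taken from the application description in this module.
_TIERS = ("crm-web1", "crm-app1", "crm-database")
EXPECTED_FLOWS: List[Flow] = (
    [Flow("jump-box", "crm-web1", "tcp", 80),
     Flow("crm-web1", "crm-app1", "tcp", 8080),
     Flow("crm-app1", "crm-database", "tcp", 3306)]
    + [Flow("jump-box", vm, "tcp", 22) for vm in _TIERS]
    + [Flow(vm, "aws-dns-server", "udp", 53) for vm in _TIERS]
    + [Flow(vm, "aws-log-server", "tcp", 514) for vm in _TIERS]
)


def lab_groups() -> Groups:
    """Constructed rule sets: the shared group's inbound 514 rule omits sg-db."""
    def out(proto, port, peer): return Rule("outbound", proto, port, port, peer)
    def inb(proto, port, peer): return Rule("inbound", proto, port, port, peer)
    return {
        "sg-jump": [Rule("outbound", "-1", 0, 65535, ANY)],
        "sg-web": [inb("tcp", 80, "sg-jump"), inb("tcp", 22, "sg-jump"), out("tcp", 8080, "sg-app"),
                   out("udp", 53, "sg-shared"), out("tcp", 514, "sg-shared")],
        "sg-app": [inb("tcp", 8080, "sg-web"), inb("tcp", 22, "sg-jump"), out("tcp", 3306, "sg-db"),
                   out("udp", 53, "sg-shared"), out("tcp", 514, "sg-shared")],
        "sg-db": [inb("tcp", 3306, "sg-app"), inb("tcp", 22, "sg-jump"),
                  out("udp", 53, "sg-shared"), out("tcp", 514, "sg-shared")],
        "sg-shared": [inb("udp", 53, "sg-web"), inb("udp", 53, "sg-app"), inb("udp", 53, "sg-db"),
                      inb("tcp", 514, "sg-web"), inb("tcp", 514, "sg-app")],
    }


def evaluate(flow: Flow, groups: Groups, membership: Membership) -> Tuple[str, Optional[str]]:
    """Return ("ALLOW", None) or ("DENY", reason) for one flow."""
    src_sg, dst_sg = membership[flow.src], membership[flow.dst]
    if not any(r.direction == "outbound" and r.matches(flow.protocol, flow.port, dst_sg)
               for r in groups[src_sg]):
        return "DENY", f"no outbound rule on {src_sg} to {dst_sg} for {flow.protocol}/{flow.port}"
    if not any(r.direction == "inbound" and r.matches(flow.protocol, flow.port, src_sg)
               for r in groups[dst_sg]):
        return "DENY", f"no inbound rule on {dst_sg} from {src_sg} for {flow.protocol}/{flow.port}"
    return "ALLOW", None


def audit(expected: List[Flow], groups: Groups, membership: Membership) -> List[Tuple[Flow, str]]:
    """Every intended flow the rule set would block, with the side that blocks it."""
    results = [(f, evaluate(f, groups, membership)) for f in expected]
    return [(f, reason) for f, (verdict, reason) in results if verdict == "DENY"]


def apply_fixes(groups: Groups, membership: Membership, denied: List[Tuple[Flow, str]]) -> List[Rule]:
    """Add the narrowest rule that unblocks each denied flow: exact port, peer = the specific
    group rather than ANY.  Only the first blocking side is fixed, so re-run audit() afterwards;
    a flow blocked on both sides needs a second pass."""
    added = []
    for flow, reason in denied:
        src_sg, dst_sg = membership[flow.src], membership[flow.dst]
        if reason.startswith("no outbound"):
            rule, target = Rule("outbound", flow.protocol, flow.port, flow.port, dst_sg), src_sg
        else:
            rule, target = Rule("inbound", flow.protocol, flow.port, flow.port, src_sg), dst_sg
        groups[target].append(rule)
        added.append(rule)
    return added


if __name__ == "__main__":
    groups = lab_groups()
    for flow, reason in audit(EXPECTED_FLOWS, groups, MEMBERSHIP):
        print(f"{flow.src} -> {flow.dst} {flow.protocol}/{flow.port}: DENY ({reason})")
    for rule in apply_fixes(groups, MEMBERSHIP, audit(EXPECTED_FLOWS, groups, MEMBERSHIP)):
        print("added", rule)
```

Run directly, the script reports the single denied flow (crm-database to aws-log-server on tcp/514, blocked on the inbound side) and the one inbound rule added to remediate it. Against a real account the rule sets would come from `aws ec2 describe-security-groups` rather than from lab_groups(), and the intended-flow list is the same application model that vRealize Network Insight uses when it recommends firewall rules.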


Conclusion

Congratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across private and public cloud environments, giving visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226


The Security Group view provides a detailed view of the selected Security Group and a comprehensive listing of key properties and events. The Security Group Topology provides a visual overview of how the security group is associated with other containers. The Timeline slider at the top of the current view will enable the point-in-time state of the Security Group, and filters can be used to further focus on a particular aspect of the object.

Security Group Firewall Topology

(A) The Security Group Firewall Topology on the left shows the topology for Security Group Prod_MidTier.

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.

1. Click and select the Prod_Web to Prod_Midtier rule (this will launch a pop-up screen, covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A - Events: showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B - Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C - Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D - Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E - Direct Firewall Rules - NOTE: the blue links will expose further detail for each firewall segment.

This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier); a new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1: ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier: Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(the search bar uses Auto Fill, and predictive text will appear as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification, Firewall rule membership change).
3. Info only - Do not click - View, Edit or Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface and makes problem determination, as well as visibility of the firewall and network configurations, very easy.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the Favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map will indicate the flow direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic works in real life.

Please continue to the next step to conclude this module.

HOL-1829-01-NET

Page 78HOL-1829-01-NET

VM Underlay

Lets now focus on VM Underlay

1 The VMUnderlay section that is on the right side of the VM Path topology showsthe underlay information of the VMs involved and their connectivity to the top ofthe rack switches and the ports involved

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path topology) shows all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and the relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of the Logical networking out of sync between host and NSX Controller.


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the “Return to the lab” link to continue with this lab.


Conclusion

Congratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier ‘CRM’ Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right click on the tab.
2. Select Duplicate from the menu.


1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
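To make the reasoning behind these three queries concrete, here is an added example (not code from the HOL manual or from vRealize Network Insight) that models the CRM security groups described in the AWS Configuration section and evaluates the intended flows the way AWS does: a flow passes only if the source has an outbound rule and the destination has a matching inbound rule. The VM names per tier, the udp/tcp split for syslog and the rule table are constructed assumptions chosen so that, as in the lab, only crm-database -> aws-log-server on port 514 ends up denied.

```python
# Constructed security-group model of the lab's CRM application; added example,
# not part of the HOL manual or of vRealize Network Insight.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SgRule:
    """One security-group rule. AWS security groups are allow-only and stateful:
    a rule names a direction, a peer, a protocol and a port."""
    direction: str  # "inbound" or "outbound"
    peer: str       # peer VM (simplification: real rules name groups or CIDRs)
    proto: str      # "tcp" or "udp"
    port: int


@dataclass
class SecurityGroup:
    vm: str
    rules: List[SgRule] = field(default_factory=list)

    def matching(self, direction: str, peer: str, proto: str, port: int) -> List[SgRule]:
        return [r for r in self.rules
                if (r.direction, r.peer, r.proto, r.port) == (direction, peer, proto, port)]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


Groups = Dict[str, SecurityGroup]
Verdict = Tuple[str, List[str]]  # ("ALLOW" | "DENY", reasons for a DENY)


def firewall_action(groups: Groups, flow: Flow) -> Verdict:
    """Decide a flow the way AWS does: the source group needs an outbound rule
    AND the destination group needs an inbound rule naming the source."""
    reasons = []
    if not groups[flow.src].matching("outbound", flow.dst, flow.proto, flow.port):
        reasons.append(f"{flow.src}: no outbound rule to {flow.dst} {flow.proto}/{flow.port}")
    if not groups[flow.dst].matching("inbound", flow.src, flow.proto, flow.port):
        reasons.append(f"{flow.dst}: no inbound rule from {flow.src} {flow.proto}/{flow.port}")
    return ("DENY" if reasons else "ALLOW", reasons)


def rules_where(groups: Groups, src: str, dst: str) -> List[SgRule]:
    """Counterpart of the lab query 'aws firewall rule where src vm = X and
    dst vm = Y': every rule on either end that refers to the pair."""
    return ([r for r in groups[src].rules if r.direction == "outbound" and r.peer == dst]
            + [r for r in groups[dst].rules if r.direction == "inbound" and r.peer == src])


def flows_where(results: Dict[Flow, Verdict], dst: Optional[str] = None,
                action: Optional[str] = None) -> List[Tuple[Flow, str, List[str]]]:
    """Counterpart of 'firewall action of flows where dst vm = ...', with the
    ALLOW/DENY checkbox as an optional filter."""
    return [(f, a, why) for f, (a, why) in results.items()
            if (dst is None or f.dst == dst) and (action is None or a == action)]


WEB = ["crm-web1", "crm-web2"]   # VM counts per tier are constructed
APP = ["crm-app1", "crm-app2"]
DB = ["crm-database"]
CRM = WEB + APP + DB


def intended_flows() -> List[Flow]:
    """The CRM design from the lab: jump box -> web 80 and -> every CRM VM 22,
    web -> app 8080, app -> db 3306, every tier -> DNS 53 and syslog 514 in
    the Common Services VPC."""
    flows = [Flow("jump-box", w, "tcp", 80) for w in WEB]
    flows += [Flow("jump-box", v, "tcp", 22) for v in CRM]
    flows += [Flow(w, a, "tcp", 8080) for w in WEB for a in APP]
    flows += [Flow(a, d, "tcp", 3306) for a in APP for d in DB]
    flows += [Flow(v, "aws-dns-server", "udp", 53) for v in CRM]
    flows += [Flow(v, "aws-log-server", "udp", 514) for v in CRM]
    return flows


def build_lab_groups() -> Groups:
    """Constructed rule set: outbound rules for every intended flow (syslog on
    both udp and tcp), inbound rules for all of them except the DB tier's
    syslog rule, which the lab says the AWS admin forgot to add."""
    groups = {vm: SecurityGroup(vm)
              for vm in CRM + ["jump-box", "aws-dns-server", "aws-log-server"]}
    for f in intended_flows():
        groups[f.src].rules.append(SgRule("outbound", f.dst, f.proto, f.port))
        if f.port == 514:
            groups[f.src].rules.append(SgRule("outbound", f.dst, "tcp", 514))
        if not (f.src in DB and f.port == 514):   # the forgotten inbound rule
            groups[f.dst].rules.append(SgRule("inbound", f.src, f.proto, f.port))
    return groups


def audit(groups: Groups) -> Dict[Flow, Verdict]:
    """Evaluate every intended flow; the DENY entries are the policy gaps."""
    return {f: firewall_action(groups, f) for f in intended_flows()}


if __name__ == "__main__":
    g = build_lab_groups()
    for flow, verdict, why in flows_where(audit(g), dst="aws-log-server"):
        print(f"{flow.src:>13} -> {flow.dst} {flow.proto}/{flow.port}: {verdict} {'; '.join(why)}")
    for rule in rules_where(g, "crm-database", "aws-log-server"):
        print(rule)
```

Running the audit over the whole intended-flow list, rather than only the log-server destination, is the generalisation a practitioner would use to catch every missing rule in one pass.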


Conclusion

Congratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
  • Module 1 - Micro-Segmentation and Security (30 minutes)
    • Introduction
    • Micro-Segmentation Introduction
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Plan Security
      • Plan Security - Specify a Preset
      • Overview - Traffic Distribution (Left Pane)
      • Traffic Distribution - Overview (Right pane)
      • East-West (EW) - Traffic
      • East-West (EW) - Detailed view
      • Services/Ports
      • Services/Ports - Time line view
      • Services/Ports - Point in Time Service
      • Flows for Port 5443
      • Flow Key Properties - Timeline view
      • Flow Key Properties - Timeline view
      • Micro-Segments
      • Focus - 101780 Network
      • Focus - VLAN/VXLAN
      • Focus - Prod-Web (25)
      • Flows - Prod-Web to Prod-Midtier
      • Flows - Recommended Firewall Rules
      • Multiple Ports and Firewall rules for Prod-web
      • Services and Flows for Prod-Web
      • Application-Centric Micro-Segmentation
      • Define an Application
      • Security Group Prod_MidTier
      • Results - PROD_MIDTIER
      • Security Group Prod_MidTier - Timeline
      • Security Group Firewall Topology
      • Tracking Prod_MidTier
      • Lab-Midtier
      • Firewall Rule - Tracking
      • Port Search
      • Export Firewall Rules
      • Firewall Rule Membership Change
      • Audit Rule - Firewall Rule Membership Changes
      • User-defined Event
      • Settings
      • System Notifications
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
    • Introduction
    • 360 Network Visibility and Troubleshooting
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Path and Topology
      • Path - Select source and destination
      • Path - source and destination continued
      • Path - source and destination continued
      • Searching for path
      • VM Path Topology and VM Underlay
      • VM Path Topology - Path Details
      • Component Overview
      • Virtual Machine - Details
      • Physical ESXi Hosts
      • Host - Details
      • DVPG on the map
      • DVPG
      • VLAN-629 on the map
      • VLAN Network
      • Switch ports on the map
      • Switch Port
      • Physical VRF on the map
      • VRF - Physical Switch
      • VRF - continued
      • VRF - Physical Router
      • VRF - continued
      • VRF - Physical Switch
      • Accessing the virtual infrastructure
      • VRF - NSX Provider Edge 1
      • VXLAN on the map
      • VXLAN Network
      • VRF - LDR
      • VRF - LDR-Corporate
      • Routing - NSX Firewall
      • Firewall - NSX
      • Redirect on the map - PAN Firewall
      • Firewall - PAN
      • Reversing the analysis
      • Reversing the analysis continued
      • VM Underlay
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 3 - Advanced NSX Management & Operations (45 minutes)
    • Introduction
    • NSX Advanced Management Operations
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Search Bar - NSX Manager
      • NSX Manager Information
      • Timeline - Visual Build-up
      • Topology - Focus on the NSX Controller
      • NSX Controller - Detail
      • Topology - Explained
      • Provider Edge
      • Routers Provider Edge 4
      • Return to Search View - NSX Manager
      • Infrastructure Problems - Warning Moderate
      • Warning/Moderate Issues
      • Warning/Moderate Issues (Continued)
    • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
    • Introduction
    • Introduction to Managing Security for Public Clouds (AWS)
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • AWS Configuration
      • Plan Security - AWS Cloud
      • Exploring the Three Tier Application - Step by Step
      • Firewall Queries for CRM Application
    • Conclusion
      • For More Information
      • How to End Lab
  • Conclusion

(B) The Security Group Container Topology on the right will show any/all Child and Parent groups in relation to Prod_Web. This will identify the nesting and hierarchy of security groups.


1. Click and select the Prod_Web to Prod_Midtier Rule (this will launch a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for any and each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.


Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.


This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up the firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example), showing how a flow is tracked from overlay to underlay across Prod-Web.


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses Auto Fill, and predictive text will appear as you type)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. The notification and its parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.

2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification "Firewall rule membership change").

3. Info Only - Do not click - View / Edit / Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).
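The time-windowed audit search and the notification cadences described above, as an added example that is not part of this lab or of vRealize Network Insight: a small Python script that filters constructed membership-change records to the lab's June 30 to Jul 31 window, groups them per firewall rule so the why/when/how of each change is readable, flags additions whose member name does not match an assumed per-group naming policy (an indirect change via tag automation is the classic case), and batches the results the way the immediately / within 1 hour / daily digest options would deliver them. The record fields, the sample events, the actor names and the naming policy are all assumptions made for this example.

```python
"""Time-windowed audit of firewall rule membership changes plus the three
notification cadences the lab mentions (immediately, within 1 hour, daily
digest). Added example, not vRealize Network Insight code; the event
records are constructed sample data and the field names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class MembershipChange:
    when: datetime
    rule: str      # firewall rule whose effective membership changed
    group: str     # security group the rule references
    member: str    # VM (or IP set) added to / removed from that group
    action: str    # "added" or "removed"
    actor: str     # who caused it: a user, or automation acting on a tag


# Constructed sample events; indirect changes (e.g. via tags) surface the same way.
SAMPLE_EVENTS = [
    MembershipChange(datetime(2017, 6, 29, 23, 50), "Web-to-App", "SG-Web", "web-00", "removed", "admin"),
    MembershipChange(datetime(2017, 6, 30, 9, 10), "Web-to-App", "SG-Web", "web-01", "added", "admin"),
    MembershipChange(datetime(2017, 7, 2, 9, 20), "Web-to-App", "SG-Web", "web-02", "added", "admin"),
    MembershipChange(datetime(2017, 7, 2, 10, 15), "DB-Access", "SG-DB", "dba-jump-01", "added", "tag-automation"),
    MembershipChange(datetime(2017, 7, 15, 14, 5), "DB-Access", "SG-DB", "web-02", "added", "tag-automation"),
    MembershipChange(datetime(2017, 8, 1, 8, 0), "DB-Access", "SG-DB", "web-02", "removed", "admin"),
]

# The lab's "Between June 30 and Jul 31" window.
WINDOW_START = datetime(2017, 6, 30)
WINDOW_END = datetime(2017, 7, 31, 23, 59, 59)

# Member name prefixes each group is expected to contain (assumed naming policy).
EXPECTED_PREFIXES = {"SG-Web": ("web-",), "SG-DB": ("db-", "dba-")}


def changes_between(events, start, end):
    """Changes inside [start, end], oldest first: the time-based search."""
    return sorted((e for e in events if start <= e.when <= end), key=lambda e: e.when)


def audit_by_rule(events):
    """Group changes per firewall rule so why, when and how is readable per rule."""
    report = defaultdict(list)
    for e in events:
        report[e.rule].append((e.when.isoformat(" "), e.action, e.member, e.group, e.actor))
    return dict(report)


def unexpected_additions(events, expected=EXPECTED_PREFIXES):
    """Members added to a group whose name does not match that group's naming policy."""
    return [e for e in events
            if e.action == "added" and e.group in expected
            and not e.member.startswith(expected[e.group])]


def digest(events, cadence):
    """Bucket events the way the lab's alert cadences would deliver them."""
    def key(e):
        if cadence == "immediately":
            return e.when
        if cadence == "within 1 hour":
            return e.when.replace(minute=0, second=0, microsecond=0)
        if cadence == "daily digest":
            return e.when.replace(hour=0, minute=0, second=0, microsecond=0)
        raise ValueError(f"unknown cadence: {cadence}")
    buckets = defaultdict(list)
    for e in events:
        buckets[key(e)].append(e)
    return sorted(buckets.items())


if __name__ == "__main__":
    in_window = changes_between(SAMPLE_EVENTS, WINDOW_START, WINDOW_END)
    for rule, rows in audit_by_rule(in_window).items():
        print(rule)
        for row in rows:
            print("   ", *row)
    for e in unexpected_additions(in_window):
        print("REVIEW:", e.member, "added to", e.group, "by", e.actor, "at", e.when)
    for window_start, batch in digest(in_window, "daily digest"):
        print(f"{window_start:%Y-%m-%d}: {len(batch)} change(s)")
```

With the sample data, four of the six events fall in the window; the daily digest collapses them into three deliveries while the hourly cadence yields four, and the web VM that automation added to the DB group is the one addition the naming policy flags for review.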

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com

Please close the Chrome Web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination and gives visibility of the firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology
2. Click on Path

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source
2. Type dba into the source field and DBAdmin-VM1 will appear
3. Click on DBAdmin-VM1 to select it

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field
2. Click Maximize

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop, from the physical network perspective, happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop, from the physical network perspective, is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is powerful enough that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop, from the physical network perspective, is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, for example when we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic would behave in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge/VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path topology) of all the path objects is shown.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers)
2. Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation, you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the Company can access the Web Tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string (which was copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
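The reasoning the three queries perform (a new flow is allowed only when the source's outbound rule and the destination's inbound rule both permit it, because security groups are stateful), as an added Python example that is not part of the lab or of vRealize Network Insight. The instances, security groups, addresses and the function names (firewall_action, flows_to, audit_expected_flows) are constructed to mirror the CRM scenario and are not real AWS data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security-group entry: a port range plus a peer.

    The peer is either another security group ('sg-...') or a CIDR block,
    the two forms an AWS security group rule can reference."""
    from_port: int
    to_port: int
    peer: str

    def permits(self, port, peer_sg, peer_ip):
        if not self.from_port <= port <= self.to_port:
            return False
        if self.peer.startswith("sg-"):
            return self.peer == peer_sg
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.peer)


# Constructed inventory modelled on the lab's two VPCs (not real AWS data):
# name -> (security group, private IP). The CRM VPC is 10.10.0.0/16 and the
# Common Services VPC is 10.20.0.0/16, so cross-VPC rules reference CIDRs.
INSTANCES = {
    "jump-box":       ("sg-jump", "10.10.0.5"),
    "crm-web1":       ("sg-web",  "10.10.1.10"),
    "crm-app1":       ("sg-app",  "10.10.2.10"),
    "crm-database":   ("sg-db",   "10.10.3.10"),
    "aws-dns-server": ("sg-svc",  "10.20.0.53"),
    "aws-log-server": ("sg-svc",  "10.20.0.14"),
}
CRM_VPC, SVC_VPC, DATACENTER = "10.10.0.0/16", "10.20.0.0/16", "10.0.0.0/8"

SECURITY_GROUPS = {
    "sg-jump": {"ingress": [Rule(22, 22, DATACENTER)],
                "egress":  [Rule(22, 22, CRM_VPC)]},
    "sg-web":  {"ingress": [Rule(80, 80, DATACENTER), Rule(22, 22, "sg-jump")],
                "egress":  [Rule(8080, 8080, "sg-app"), Rule(53, 53, SVC_VPC),
                            Rule(514, 514, SVC_VPC)]},
    "sg-app":  {"ingress": [Rule(8080, 8080, "sg-web"), Rule(22, 22, "sg-jump")],
                "egress":  [Rule(3306, 3306, "sg-db"), Rule(53, 53, SVC_VPC),
                            Rule(514, 514, SVC_VPC)]},
    # The administrator never added the 514 (syslog) egress rule here: this is
    # the gap the lab's third query surfaces as the only Outbound rules.
    "sg-db":   {"ingress": [Rule(3306, 3306, "sg-app"), Rule(22, 22, "sg-jump")],
                "egress":  [Rule(53, 53, SVC_VPC)]},
    "sg-svc":  {"ingress": [Rule(53, 53, CRM_VPC), Rule(514, 514, CRM_VPC)],
                "egress":  []},
}

# The flows the CRM design requires (items 4-9 of the AWS configuration).
TIERS = ("crm-web1", "crm-app1", "crm-database")
EXPECTED_FLOWS = [("crm-web1", "crm-app1", 8080), ("crm-app1", "crm-database", 3306)]
EXPECTED_FLOWS += [("jump-box", vm, 22) for vm in TIERS]
EXPECTED_FLOWS += [(vm, "aws-dns-server", 53) for vm in TIERS]
EXPECTED_FLOWS += [(vm, "aws-log-server", 514) for vm in TIERS]


def firewall_action(src, dst, port):
    """Return ('ALLOW' | 'DENY', reason) for a new flow src -> dst:port.

    Security groups are stateful, so only the forward direction is checked:
    the source group needs an egress rule reaching the destination AND the
    destination group needs an ingress rule admitting the source."""
    src_sg, src_ip = INSTANCES[src]
    dst_sg, dst_ip = INSTANCES[dst]
    egress_ok = any(r.permits(port, dst_sg, dst_ip)
                    for r in SECURITY_GROUPS[src_sg]["egress"])
    ingress_ok = any(r.permits(port, src_sg, src_ip)
                     for r in SECURITY_GROUPS[dst_sg]["ingress"])
    if egress_ok and ingress_ok:
        return "ALLOW", f"{src_sg} egress and {dst_sg} ingress both permit port {port}"
    reasons = []
    if not egress_ok:
        reasons.append(f"{src_sg} has no egress rule to {dst} on port {port}")
    if not ingress_ok:
        reasons.append(f"{dst_sg} has no ingress rule from {src} on port {port}")
    return "DENY", "; ".join(reasons)


def flows_to(dst):
    """Counterpart of 'firewall action of flows where dst vm = <dst>':
    the verdict for every designed flow that targets dst."""
    return [(s, p, firewall_action(s, d, p)[0])
            for s, d, p in EXPECTED_FLOWS if d == dst]


def audit_expected_flows():
    """Every designed flow the current rules would deny, with the reason."""
    denied = []
    for s, d, p in EXPECTED_FLOWS:
        action, why = firewall_action(s, d, p)
        if action == "DENY":
            denied.append((s, d, p, why))
    return denied


if __name__ == "__main__":
    for s, p, a in flows_to("aws-log-server"):
        print(f"{s:14} -> aws-log-server:{p}  {a}")
    for s, d, p, why in audit_expected_flows():
        print(f"MISSING: {s} -> {d}:{p} ({why})")
```

Running the audit reports only crm-database -> aws-log-server:514, with the missing sg-db egress rule as the reason, which is the conclusion the lab's queries lead to.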

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226


1. Click and select the Prod_Web to Prod_Midtier rule (this will launch a pop-up screen covered in the next step).

1. In the pop-up screen we can immediately see what the source and destination service flow looks like in this example. This can be done for each segment attached to Prod_Web and will provide all the current Security Group Firewall Topology information. Feel free to click through all the segments in order to fully understand each related security group.

2. Click the close icon (x) on any pop-up menus that you viewed during your analysis to continue with the next exercise.

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group Firewall Topology) you are able to see the following security event information for Prod_Web:

A. Events - showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B. Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C. Visibility of the virtual machines in security groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D. Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E. Direct Firewall Rules - NOTE: the blue links will expose further detail for each firewall segment.

This module explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we now understand the analysis that makes up the firewall rules. The information for a specific segment of a virtual machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier); a new tab will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (example) to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for the DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action =ALLOW and Port=443

(the search bar uses auto-fill, and predictive text will appear as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned as this is static data only. This section will show how easy it is to report on any firewall rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info only - do not click - View, Edit, Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: security must be consistent in the face of constant change
• Ubiquity: security must be available everywhere
• Extensibility: security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface, which simplifies problem determination as well as the visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology
2. Click on Path

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the virtual machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the virtual machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up windows by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario, the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario, the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario, the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details

A - Please spend some time to review what information is available from the objectPlease do not click on any of the links

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as its Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. Shows the visual map (Path topology) of all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).

2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.

2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.

6. App tier talks to DB tier on port 3306.

7. Web tier is open for internal datacenter VMs on port 80.

8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.

9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.

10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application

2. CRM

3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.

2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)

3. App (App tier talks to DB tier on port 3306.)

4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on Port 3306.

2. Click X to continue.

1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on Port 3306.

2. Click X to continue.

1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on Port 22.

2. Click X to continue.

1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.

2. Click X to continue.

1. Hover over the DB Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click the tab.

2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.

3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right-click the tab.

2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.

3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.

2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.

3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
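The three queries above answer one question by hand: does the rule set on both ends of the path actually permit the flow the application design requires? As an added example, not part of this lab or of vRealize Network Insight, the following Python models the CRM application's intended flows (steps 4-10 of the AWS Configuration section) against a simplified, constructed security-group rule set and against a constructed list of observed flows, and reports the DB to log server gap in both views. Group names (crm-web, crm-app, crm-database, jumpbox, aws-dns-server, aws-log-server) and the rule model are assumptions for illustration, not the real AWS API shape.

```python
"""Added example (not part of the lab or of vRealize Network Insight): reconcile
an application's intended east-west traffic with simplified AWS security-group
rules, and with the flows actually observed, to surface the DB -> log server
syslog gap from the CRM scenario.  Group, VM and server names are hypothetical."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str   # source security group / tier
    dst: str   # destination security group / tier
    port: int  # destination port


@dataclass(frozen=True)
class SGRule:
    """Simplified model of one security-group entry: the group it belongs to,
    its direction, a port range, and the peer group it references
    (constructed for this example; not the real AWS API shape)."""
    group: str
    direction: str  # "inbound" or "outbound"
    port_from: int
    port_to: int
    peer: str


# Intended communication of the CRM application, taken from the lab's
# VPC description; the DB -> log server flow is listed last.
TIERS = ("crm-web", "crm-app", "crm-database")
EXPECTED: List[Flow] = [
    Flow("jumpbox", "crm-web", 80),
    Flow("crm-web", "crm-app", 8080),
    Flow("crm-app", "crm-database", 3306),
    *[Flow("jumpbox", t, 22) for t in TIERS],
    *[Flow(t, "aws-dns-server", 53) for t in TIERS],
    Flow("crm-web", "aws-log-server", 514),
    Flow("crm-app", "aws-log-server", 514),
    Flow("crm-database", "aws-log-server", 514),
]

# Constructed rule set: every intended flow has its outbound rule on the
# source group and its inbound rule on the destination group, except the
# inbound syslog rule on aws-log-server for crm-database, which was forgotten.
RULES: List[SGRule] = (
    [SGRule(f.src, "outbound", f.port, f.port, f.dst) for f in EXPECTED]
    + [SGRule(f.dst, "inbound", f.port, f.port, f.src) for f in EXPECTED
       if not (f.src == "crm-database" and f.port == 514)]
)

# Constructed "observed flows", as a collector would report them: the DB tier
# is seen talking to DNS only, never to syslog.
OBSERVED: List[Flow] = [f for f in EXPECTED
                        if not (f.src == "crm-database" and f.port == 514)]


def rule_covers(rule: SGRule, direction: str, port: int, peer: str) -> bool:
    return (rule.direction == direction
            and rule.port_from <= port <= rule.port_to
            and rule.peer == peer)


def evaluate(flow: Flow, rules: Iterable[SGRule]) -> dict:
    """Security groups are stateful and default-deny: a flow is allowed only if
    the source group permits it outbound AND the destination group permits it
    inbound.  Returns which half is present."""
    rules = list(rules)
    out_ok = any(r.group == flow.src and rule_covers(r, "outbound", flow.port, flow.dst)
                 for r in rules)
    in_ok = any(r.group == flow.dst and rule_covers(r, "inbound", flow.port, flow.src)
                for r in rules)
    return {"outbound": out_ok, "inbound": in_ok, "allowed": out_ok and in_ok}


def find_policy_gaps(expected: Iterable[Flow],
                     rules: Iterable[SGRule]) -> List[Tuple[Flow, str]]:
    """Intended flows the rule set does not fully permit, with the missing half."""
    rules = list(rules)
    gaps = []
    for flow in expected:
        verdict = evaluate(flow, rules)
        if not verdict["allowed"]:
            missing = [d for d in ("outbound", "inbound") if not verdict[d]]
            gaps.append((flow, "missing " + " and ".join(missing) + " rule"))
    return gaps


def find_missing_flows(expected: Iterable[Flow], observed: Iterable[Flow]) -> List[Flow]:
    """Intended flows the collector never saw; a silent dependency failure
    (such as a backup/syslog path) shows up here even without a deny rule."""
    seen = set(observed)
    return [f for f in expected if f not in seen]


if __name__ == "__main__":
    for flow, reason in find_policy_gaps(EXPECTED, RULES):
        print(f"policy gap: {flow.src} -> {flow.dst}:{flow.port} ({reason})")
    for flow in find_missing_flows(EXPECTED, OBSERVED):
        print(f"never observed: {flow.src} -> {flow.dst}:{flow.port}")
```

The two checks are deliberately separate: `find_policy_gaps` reproduces what the third query shows (outbound rules exist on crm-database, the inbound half on aws-log-server does not), while `find_missing_flows` is what the Plan Security view showed first, an expected flow that never appears in collected traffic. Running both against the same intended-flow list is a cheap way to keep an application's design document and its live security groups from drifting apart.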

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

Tracking Prod_MidTier

1. Within the same view, when you scroll down (below the Security Group firewall Topology) you are able to see the following security event information for Prod_Web:

A - Events - Showing any changes for Prod_MidTier (direct or indirect) and the impact that these changes bring to this security group.

B - Current Security Group Configuration and Firewall Rules Count will also provide further assistance to manage the endpoints.

C - Visibility of the Virtual Machines in Security Groups ensures that we manage our workloads and segmentation with the correct level of efficiency.

D - Making use of the Indirect Firewall Rules will ensure you understand the inherited impact and the relationship leading to Prod_Web.

E - Direct Firewall Rules - NOTE: The blue links will expose further detail for each firewall segment.

This module explained and followed the traffic flow between Subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segmentation of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new TAB will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles, as they are used for reference only. This is the complete flow of Prod-Web-9 (Example) to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(The search bar uses auto-fill, and predictive text will appear as you type.)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.


Export Firewall Rules

Take some time to understand and get familiar with the firewall rule search possibilities and the insight they can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported using the Save as CSV option at the top right hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what firewall membership changes occurred during a selected period. This will point out any changes made directly, or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select a date range from June 30 to July 31 (using static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process: it shows exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
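The two searches in this lesson, the port query (Firewall rule where action = ALLOW and Port = 443) and the time-boxed Firewall Rule Membership Change audit, can be reproduced offline on a CSV export of the rules. The Python script below is an added example written for this guide; it is not vRNI code and makes no vRNI API call. The CSV column names, rule IDs, security groups, VM names and change dates are all constructed for the example and are not from the lab data. It also makes concrete why membership changes matter for audit: a VM joining or leaving a security group silently changes the effective scope of every rule that references that group, which is the indirect impact described at the start of this module.

```python
"""Offline equivalents of two vRNI searches from this module, run on a
constructed CSV export and a constructed change log (assumed formats)."""
import csv
import io

# Constructed sample of a firewall rule export. The column names are an
# assumption for this example, not a documented vRNI CSV schema.
RULES_CSV = """rule_id,name,source,destination,service,action
1001,Web-In,any,Prod_Web,TCP:443,ALLOW
1002,Web-to-Mid,Prod_Web,Prod_MidTier,TCP:8080,ALLOW
1003,Mid-to-DB,Prod_MidTier,Prod_DB,TCP:3306,ALLOW
1004,Admin-SSH,JumpBox,Prod_MidTier,TCP:22,ALLOW
1005,Block-443,Prod_MidTier,any,TCP:443,DROP
1006,Default-Deny,any,any,any,DROP
"""

# Constructed membership change log: (ISO date, security group, VM, change).
MEMBERSHIP_CHANGES = [
    ("2017-06-25", "Prod_MidTier", "Lab-Midtier-3", "ADDED"),
    ("2017-07-02", "Prod_Web", "Prod-Web-9", "ADDED"),
    ("2017-07-14", "Prod_MidTier", "Lab-Midtier-1", "REMOVED"),
    ("2017-08-03", "Prod_DB", "Prod-Db-2", "ADDED"),
]


def load_rules(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def rule_port(rule):
    """'TCP:443' -> 443; a service of 'any' has no single port -> None."""
    svc = rule["service"]
    if ":" not in svc:
        return None
    return int(svc.split(":", 1)[1])


def find_rules(rules, action=None, port=None):
    """Offline equivalent of 'Firewall rule where action = X and Port = N'.
    Either filter may be omitted. Returns matching rule IDs in export order."""
    matches = []
    for r in rules:
        if action is not None and r["action"] != action:
            continue
        if port is not None and rule_port(r) != port:
            continue
        matches.append(r["rule_id"])
    return matches


def membership_changes_between(changes, start, end):
    """Changes whose ISO date lies in [start, end]; ISO strings sort lexically."""
    return [c for c in changes if start <= c[0] <= end]


def rules_affected_by_group(rules, group):
    """Rules naming the group as source or destination. Their effective scope
    changes whenever the group's membership changes, even though the rules
    themselves were never edited: the 'indirect' change the lab describes."""
    return [r["rule_id"] for r in rules if group in (r["source"], r["destination"])]


def audit(rules, changes, start, end):
    """For each membership change in the window, list the rule IDs whose
    scope it altered. Returns {(date, group, vm, change): [rule_ids]}."""
    report = {}
    for d, group, vm, kind in membership_changes_between(changes, start, end):
        report[(d, group, vm, kind)] = rules_affected_by_group(rules, group)
    return report


if __name__ == "__main__":
    rules = load_rules(RULES_CSV)
    print("ALLOW on 443:", find_rules(rules, action="ALLOW", port=443))
    for key, ids in audit(rules, MEMBERSHIP_CHANGES, "2017-06-30", "2017-07-31").items():
        print(key, "-> rules whose scope changed:", ids)
```

Run as-is, the audit over the June 30 to July 31 window reports two changes and, for each, the rules that now apply to a different set of VMs. When reviewing a real export, the rule IDs returned for a REMOVED event are the ones to re-check, since a VM leaving a group may have just fallen through to the default deny (or, worse, to a broader allow).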


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available from any view that displays the alert icon. Although the alert can be configured in this lab, the results will not be actioned as this is static data only. This section shows how easy it is to report on any firewall rule membership changes. The alerting options are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need this information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters from the Settings page. Changes can be configured to notify members of the event group based on user preference. The event you created earlier can now be tracked using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification, Firewall rule membership change).
3. Info only - do not click - View / Edit / Activate any notifications.

Note that we have two types of notification: User-defined and System Events.

4. Click System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. The module further demonstrated how to achieve day-zero readiness and how to track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: security must be consistent in the face of constant change
• Ubiquity: security must be available everywhere
• Extensibility: security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination and gives visibility of the firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will focus only on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also perform manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square: the virtual machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the virtual machine details in it. This information includes many details made available by VMware Tools; we can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host: for example, the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as the firewall rules. vRealize Network Insight narrows these down to the firewall rules applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but the ones shown here are the rules affecting communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, which helps when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kinds of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse over) the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), underlay VLAN IDs, subnet and underlay subnet.

C - We also have visibility into which Primary Controller it is using, plus the Hosts and VTEPs.

D - Hover the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows traffic that matches NSX firewall redirection rules to be handed from the NSX firewall to the PAN firewall for inspection.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life, which is why the return path should be checked as well: an asymmetric return path can pass through a different edge, and therefore different firewall rules, than the forward path.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (path topology) of all the path objects is shown.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components used in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; this module focuses on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view, vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


IntroductionEnterprise IT needs visibility into the network and security status of their workloadswhether hosted on premises or within AWS While many AWS workloads are sandboxesfor application development teams (DevOps) it is important to analyze these workloadsIncreasingly public cloud workloads are also fulfilling mission critical production needsfor many organizations Enterprise IT must be ready to determine the best locationsecurity posture and bandwidth allocation when deploying workloads Having trafficpattern details as well as security analysis and recommendations readily availablehelps organizations make the ideal hosting decisions to meet their business needs

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.

5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on Port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from (Database) crm-database to (syslog server) aws-log-server.

1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
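The three queries above all reduce to one question: for each flow the CRM design requires, is there an allow path through the security groups at both ends? The Python script below is an added example, not code from the lab or from vRealize Network Insight, that models this check offline. The security group names (sg-web, sg-app, sg-db, ...), the crm-web2/crm-app2 and aws-dns-server instances and every rule are constructed to mirror the lab's description of the CRM and Common Services VPCs; only crm-web1, crm-database, aws-log-server and the port numbers come from the lab text. The rule set deliberately lacks the inbound syslog rule for the database tier on the log server's group, which is the gap the lab uncovers. The example goes beyond the lab's three searches: it walks the whole intended communication matrix from "AWS Configuration" and lists every intended flow the rule set would silently deny.

```python
"""Allow-path check for the CRM three-tier application in the lab scenario.

Added example: not code from the lab or from vRealize Network Insight. Security
group names, the crm-web2/crm-app2 instances and every rule are constructed to
mirror the lab's description of the CRM and Common Services VPCs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "0.0.0.0/0"   # CIDR peer meaning "any address", as in an AWS security group rule


@dataclass(frozen=True)
class SgRule:
    group: str        # security group that owns the rule
    direction: str    # "inbound" (peer = source) or "outbound" (peer = destination)
    peer: str         # peer security group, or a CIDR such as 0.0.0.0/0
    port_from: int
    port_to: int

    def matches(self, peer_group: str, port: int) -> bool:
        return self.peer in (ANY, peer_group) and self.port_from <= port <= self.port_to


# Instance -> security group (constructed; crm-web2/crm-app2 give the flow
# query below the lab's "4 Allow + 1 Deny").
INSTANCE_GROUP: Dict[str, str] = {
    "jump-box": "sg-jump",
    "crm-web1": "sg-web", "crm-web2": "sg-web",
    "crm-app1": "sg-app", "crm-app2": "sg-app",
    "crm-database": "sg-db",
    "aws-dns-server": "sg-dns",
    "aws-log-server": "sg-log",
}
TIERS = ("crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database")


def _rule(group: str, direction: str, peer: str, port: int) -> SgRule:
    return SgRule(group, direction, peer, port, port)


# Rule set as the AWS admin left it. Security groups are allow-lists: a flow
# with no matching inbound rule on the destination is implicitly denied.
RULES: List[SgRule] = [
    *[SgRule(g, "outbound", ANY, 0, 65535) for g in ("sg-jump", "sg-web", "sg-app", "sg-db")],  # AWS default egress
    _rule("sg-web", "outbound", "sg-log", 514),   # explicit syslog egress per tier
    _rule("sg-app", "outbound", "sg-log", 514),
    _rule("sg-db", "outbound", "sg-log", 514),
    _rule("sg-web", "inbound", "sg-jump", 80),    # application ingress, tier by tier
    _rule("sg-web", "inbound", "sg-jump", 22),
    _rule("sg-app", "inbound", "sg-web", 8080),
    _rule("sg-app", "inbound", "sg-jump", 22),
    _rule("sg-db", "inbound", "sg-app", 3306),
    _rule("sg-db", "inbound", "sg-jump", 22),
    _rule("sg-dns", "inbound", "sg-web", 53),     # shared services: DNS from every tier...
    _rule("sg-dns", "inbound", "sg-app", 53),
    _rule("sg-dns", "inbound", "sg-db", 53),
    _rule("sg-log", "inbound", "sg-web", 514),    # ...but syslog only from web and app:
    _rule("sg-log", "inbound", "sg-app", 514),    # "sg-log inbound from sg-db 514" was never added
]

# Intended communication matrix transcribed from the lab's "AWS Configuration".
INTENDED_FLOWS: List[Tuple[str, str, int]] = [
    ("jump-box", "crm-web1", 80),
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    *[("jump-box", vm, 22) for vm in TIERS],
    *[(vm, "aws-dns-server", 53) for vm in TIERS],
    *[(vm, "aws-log-server", 514) for vm in TIERS],
]


def rules_between(src: str, dst: str, rules: List[SgRule] = RULES) -> List[SgRule]:
    """Counterpart of the lab's 'aws firewall rule where src vm = X and dst vm = Y'."""
    sg_src, sg_dst = INSTANCE_GROUP[src], INSTANCE_GROUP[dst]
    return [r for r in rules
            if (r.direction == "outbound" and r.group == sg_src and r.peer in (ANY, sg_dst))
            or (r.direction == "inbound" and r.group == sg_dst and r.peer in (ANY, sg_src))]


def flow_action(src: str, dst: str, port: int, rules: List[SgRule] = RULES) -> str:
    """ALLOW only when the source's egress AND the destination's ingress permit the port."""
    sg_src, sg_dst = INSTANCE_GROUP[src], INSTANCE_GROUP[dst]
    egress = any(r.direction == "outbound" and r.group == sg_src and r.matches(sg_dst, port) for r in rules)
    ingress = any(r.direction == "inbound" and r.group == sg_dst and r.matches(sg_src, port) for r in rules)
    return "ALLOW" if egress and ingress else "DENY"


def policy_gaps(intended=INTENDED_FLOWS, rules: List[SgRule] = RULES) -> List[Tuple[str, str, int]]:
    """Intended flows the rule set silently denies: the list the admin should review."""
    return [(s, d, p) for s, d, p in intended if flow_action(s, d, p, rules) == "DENY"]


if __name__ == "__main__":
    for src, dst, port in policy_gaps():
        print(f"no allow path for {src} -> {dst}:{port}")
```

policy_gaps() returns the one flow without an allow path, crm-database to aws-log-server on 514, and rules_between() reproduces the counts the two "aws firewall rule where ..." searches show in the lab (three rules for crm-web1, two outbound-only rules for crm-database). Because AWS security groups are allow-lists, the missing inbound rule appears as a DENY even though no explicit deny was ever written; checking each intended flow against both ends of the path, rather than reading rules one group at a time, is what surfaces it.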

Conclusion

Congratulations on completing Module 4!

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

This module explained and followed the traffic flow between subnets and/or VLAN/VXLAN for Prod_MidTier, and we understand the analysis that makes up firewall rules. The information for a specific segment of a Virtual Machine in Prod_MidTier can be viewed using the logical switch information for Prod_MidTier.

2. Click on Lab-Midtier (VMs in Security Group > Logical Switches > Lab-Midtier). A new TAB will open at the top of the screen.

Lab-Midtier

1. Hover (do not click) over (1) Lab-Midtier-1 to gain focus in order to generate the path.

Do not click on any of the bubbles as they are used for reference only. This is the complete flow of Prod-Web-9 (example), to see how a flow is tracked from overlay to underlay across Prod-Web.

• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443

(The search bar uses Auto Fill, and predictive text will appear as you type.)

2. Click search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly, or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
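Membership changes alter what a rule does without the rule text changing, which is why the audit above is time based. The Python script below is an added example, not code from the lab or from vRealize Network Insight, showing how such an audit is computed from a membership-change log: it rebuilds group membership at the start and end of a window, derives each rule's effective source/destination VM pairs at both points, and reports what entered or left each rule's scope. The rule names, group names, VM names other than Prod_MidTier and Lab-Midtier-1, the events and the timestamps are all constructed; the window in the usage matches the lab's June 30 to July 31 range.

```python
"""Firewall-rule membership change audit over a date window.

Added example: not code from the lab or from vRealize Network Insight. Rules,
groups, VM names (other than Prod_MidTier and Lab-Midtier-1), events and dates
are constructed to resemble the lab's Prod_MidTier scenario.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Distributed-firewall rules expressed in terms of security groups (constructed).
RULES = {
    "Prod-Web-to-MidTier": {"src": "Prod_Web", "dst": "Prod_MidTier", "port": 8080, "action": "ALLOW"},
    "MidTier-to-DB": {"src": "Prod_MidTier", "dst": "Prod_DB", "port": 3306, "action": "ALLOW"},
    "Block-Lab-to-Prod": {"src": "Lab_Midtier", "dst": "Prod_DB", "port": 3306, "action": "DENY"},
}

# Group membership before the first logged event (constructed).
INITIAL_MEMBERS: Dict[str, Set[str]] = {
    "Prod_Web": {"Prod-Web-1", "Prod-Web-2"},
    "Prod_MidTier": {"Prod-Midtier-1"},
    "Prod_DB": {"Prod-Db-1", "Prod-Db-2"},
    "Lab_Midtier": {"Lab-Midtier-1"},
}

# Membership change log as (ISO timestamp, group, "add"/"remove", vm); constructed.
EVENTS: List[Tuple[str, str, str, str]] = [
    ("2017-06-15T09:00:00", "Prod_MidTier", "add", "Prod-Midtier-2"),
    ("2017-07-02T11:30:00", "Lab_Midtier", "add", "Lab-Midtier-2"),
    ("2017-07-10T14:05:00", "Prod_MidTier", "add", "Lab-Midtier-2"),  # lab VM put in a prod group
    ("2017-07-20T08:45:00", "Prod_Web", "remove", "Prod-Web-2"),
    ("2017-08-03T16:00:00", "Prod_DB", "add", "Prod-Db-3"),
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def membership_at(when: datetime, initial=INITIAL_MEMBERS, events=EVENTS) -> Dict[str, Set[str]]:
    """Replay every event logged strictly before `when` onto the initial membership."""
    members = {group: set(vms) for group, vms in initial.items()}
    for ts, group, op, vm in sorted(events):        # ISO timestamps sort chronologically
        if parse_ts(ts) >= when:
            break
        target = members.setdefault(group, set())
        if op == "add":
            target.add(vm)
        else:
            target.discard(vm)
    return members


def rule_scope(rule: dict, members: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """Effective (src_vm, dst_vm) pairs a rule applies to under a given membership."""
    return {(s, d) for s in members.get(rule["src"], ()) for d in members.get(rule["dst"], ())}


def membership_changes(start: str, end: str, rules=RULES, initial=INITIAL_MEMBERS, events=EVENTS):
    """Per rule, which VM pairs entered or left its scope between start and end."""
    before = membership_at(parse_ts(start), initial, events)
    after = membership_at(parse_ts(end), initial, events)
    report = {}
    for name, rule in rules.items():
        old, new = rule_scope(rule, before), rule_scope(rule, after)
        if old != new:
            report[name] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return report


def conflicting_pairs(members: Dict[str, Set[str]], rules=RULES) -> List[Tuple[str, str, int]]:
    """(src, dst, port) tuples matched by both an ALLOW and a DENY rule: rule order now decides."""
    verdicts = defaultdict(set)
    for rule in rules.values():
        for s, d in rule_scope(rule, members):
            verdicts[(s, d, rule["port"])].add(rule["action"])
    return sorted(key for key, actions in verdicts.items() if len(actions) > 1)


if __name__ == "__main__":
    window = ("2017-06-30T00:00:00", "2017-07-31T23:59:59")
    for rule_name, change in membership_changes(*window).items():
        print(rule_name, change)
    print("conflicts:", conflicting_pairs(membership_at(parse_ts(window[1]))))
```

conflicting_pairs() is the follow-on check a reviewer wants after reading the change report: once Lab-Midtier-2 lands in Prod_MidTier it is covered by both the ALLOW rule and the DENY rule toward Prod_DB on 3306, so rule ordering now decides its access. No rule was edited to cause that, which is exactly the kind of indirect change the date-range search is meant to surface.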

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting will be immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section as it was based on the original search and alert notification Firewall rule membership change).
3. Info Only - Do not click - View, Edit, Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1!

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface that simplifies problem determination as well as visibility of the firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, path details indicate the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, Interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1 From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, which matters if we are changing from one vendor to another.

1 When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kind of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse) over the icons marked with red arrow A, without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse) over the icons marked with red arrow B, without clicking on the icon. Notice the descriptive name.

1 From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1 On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1 From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1 When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1 From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1 From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1 When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1 In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will flow in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1 The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2 The VM Underlay path topology is shown here.

3 The components are labeled under Path Details.

1 In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2 For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1 From the previous step we selected the Prod-DB-2 virtual machine.

2 This changes the focus to the corresponding interface IP address (VNIC).

3 Shows the visual map (Path topology) of all the path objects.

4 Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com and search for vRealize Network Insight.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1 Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1 Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:

1 Type NSX Manager (this will list three NSX Managers)
2 Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1 Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1 Click on the NSX Controller (look at each controller until you find the controller whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1 Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1 Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1 Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1 Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1 Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1 Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

WarningModerate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1 Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1 Click here to open the interactive simulation. It will open in a new browser window or tab.

2 When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the advanced management operations capability of vRealize Network Insight. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1 Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1 Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1 Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1 Username: admin@corp.local
2 Password: VMware1!
3 Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1 We have an on-premises instance of vRealize Network Insight managing AWS.

2 There are two VPCs, i.e. CRM and Common Services.

3 VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.

4 Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.

5 The Web tier talks to the App tier on port 8080.

6 The App tier talks to the DB tier on port 3306.

7 The Web tier is open to internal datacenter VMs on port 80.

8 From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.

9 All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.

10 This means that a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1 In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1 Application
2 CRM
3 Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1 Please note that the micro-segments are already filtered by tier.

2 Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).

3 App (the App tier talks to the DB tier on port 3306).

4 DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1 The App tier talks to the DB tier on port 3306.
2 Click X to continue.

1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from App to DB.

1 The App tier talks to the DB tier on port 3306.
2 Click X to continue.

1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1 DC Virtual (the jump box) talks to the App tier on port 22.
2 Click X to continue.

1 Hover over the App micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1 The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2 Click X to continue.

1 Hover over the DB micro-segment
2 Click on Keep Focus
3 Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1 By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2 Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1 In the Chrome web browser, right-click.
2 Select Duplicate from the menu.

1 Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2 Click Search.
3 Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).

1 In the Chrome web browser, right-click.
2 Select Duplicate from the menu.

1 Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2 Click Search.
3 This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1 In the Chrome web browser, right-click.
2 Select Duplicate from the menu.

1 Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2 Click Search.
3 This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
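The three searches above, and the Module 2 observation that only a handful of a network's many firewall rules actually apply between two given endpoints, come down to one check: is each expected flow permitted on both ends? The following is an added example, not code from the lab manual or from vRealize Network Insight, that models that check in Python. The VM names follow the lab (crm-web1, crm-database, aws-log-server, aws-DNS-Server); the security group names, the rule set and the flow records are constructed assumptions, with the DB tier's outbound syslog rule deliberately left out so the run reproduces the lab's 4 Allow / 1 Deny result.

```python
"""Added example: check expected application flows against AWS-style security
group rules. The inventory, rules and flows are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    group: str       # security group the rule is attached to
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp" or "udp"
    port: int
    peer: str        # peer security group name, or "any" for an open CIDR peer


@dataclass(frozen=True)
class Flow:
    src: str         # source VM name
    dst: str         # destination VM name
    protocol: str
    port: int


# Constructed inventory: VM name -> security group (group names are assumptions).
INSTANCES: Dict[str, str] = {
    "jump-box": "sg-jump",
    "crm-web1": "sg-web", "crm-web2": "sg-web",
    "crm-app1": "sg-app", "crm-app2": "sg-app",
    "crm-database": "sg-db",
    "aws-DNS-Server": "sg-shared", "aws-log-server": "sg-shared",
}

# Constructed rule set modelled on the lab's description of the CRM VPC.
RULES: List[Rule] = [
    Rule("sg-jump", "outbound", "tcp", 22, "any"),
    Rule("sg-web", "inbound", "tcp", 80, "any"),
    Rule("sg-web", "inbound", "tcp", 22, "sg-jump"),
    Rule("sg-web", "outbound", "tcp", 8080, "sg-app"),
    Rule("sg-web", "outbound", "udp", 53, "sg-shared"),
    Rule("sg-web", "outbound", "udp", 514, "sg-shared"),
    Rule("sg-app", "inbound", "tcp", 8080, "sg-web"),
    Rule("sg-app", "inbound", "tcp", 22, "sg-jump"),
    Rule("sg-app", "outbound", "tcp", 3306, "sg-db"),
    Rule("sg-app", "outbound", "udp", 53, "sg-shared"),
    Rule("sg-app", "outbound", "udp", 514, "sg-shared"),
    Rule("sg-db", "inbound", "tcp", 3306, "sg-app"),
    Rule("sg-db", "inbound", "tcp", 22, "sg-jump"),
    Rule("sg-db", "outbound", "udp", 53, "sg-shared"),
    # Deliberately absent: Rule("sg-db", "outbound", "udp", 514, "sg-shared").
    # This is the forgotten DB -> syslog rule that the lab's flow analysis uncovers.
    Rule("sg-shared", "inbound", "udp", 53, "any"),
    Rule("sg-shared", "inbound", "udp", 514, "any"),
]


def _matches(rule: Rule, direction: str, protocol: str, port: int, peer_group: str) -> bool:
    return (rule.direction == direction and rule.protocol == protocol
            and rule.port == port and rule.peer in ("any", peer_group))


def firewall_action(flow: Flow) -> str:
    """Security groups are default-deny and evaluated on both ends: a flow is
    allowed only if the source group permits it outbound AND the destination
    group permits it inbound (return traffic is covered by state tracking)."""
    src_sg, dst_sg = INSTANCES[flow.src], INSTANCES[flow.dst]
    out_ok = any(_matches(r, "outbound", flow.protocol, flow.port, dst_sg)
                 for r in RULES if r.group == src_sg)
    in_ok = any(_matches(r, "inbound", flow.protocol, flow.port, src_sg)
                for r in RULES if r.group == dst_sg)
    return "ALLOW" if out_ok and in_ok else "DENY"


def flows_to(dst: str, flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Counterpart of the lab's 'firewall action of flows where dst vm = <dst>' search."""
    return [(f, firewall_action(f)) for f in flows if f.dst == dst]


def rules_between(src: str, dst: str) -> List[Rule]:
    """Counterpart of 'aws firewall rule where src vm = <src> and dst vm = <dst>':
    only the rules on either side that can apply to traffic between the two VMs."""
    src_sg, dst_sg = INSTANCES[src], INSTANCES[dst]
    return [r for r in RULES
            if (r.group == src_sg and r.direction == "outbound" and r.peer in ("any", dst_sg))
            or (r.group == dst_sg and r.direction == "inbound" and r.peer in ("any", src_sg))]


# Constructed flow records: every CRM tier attempting DNS and syslog to the shared VPC.
OBSERVED_FLOWS: List[Flow] = [
    Flow(vm, "aws-log-server", "udp", 514)
    for vm in ("crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database")
] + [Flow(vm, "aws-DNS-Server", "udp", 53) for vm in ("crm-app1", "crm-database")]


def denied_flows(flows: List[Flow]) -> List[Flow]:
    """Expected flows the current rule set blocks: the list an admin should act on."""
    return [f for f in flows if firewall_action(f) == "DENY"]


if __name__ == "__main__":
    for flow, action in flows_to("aws-log-server", OBSERVED_FLOWS):
        print(f"{flow.src:>13} -> {flow.dst} {flow.protocol}/{flow.port}: {action}")
    for rule in rules_between("crm-database", "aws-log-server"):
        print(rule)
```

Running the block lists the five syslog flows (four ALLOW, one DENY for crm-database) and then the three rules that touch crm-database to aws-log-server traffic: the shared group's inbound 53 and 514, and the DB group's outbound 53 only, which is exactly the gap the lab's DENY result points at. Evaluating both ends is the point of the model: a permissive inbound rule on the log server is not enough when the sender's own group lacks the matching outbound rule.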

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


• A - The host details for Lab-Midtier-1 - ddc1-pod2esx035dmdemocompanynet
• B - The machine name within Lab-Midtier - Lab-Midtier-1
• C - DVS Switch
• D - VXLAN - Lab-Midtier
• E - 1st VMKNIC for DDC-1 host
• F - DVS Switch Port
• G - Finally showing the L3 Switch (Arista)

2. When you are done with the current view, close this tab in Chrome and return to the original view.

Firewall Rule - Tracking

Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how we can search for security-related objects in one easy statement and also export the results.

Port Search

1. Type into the search bar:

Firewall rule where action = ALLOW and Port = 443 (the search bar uses Auto Fill, and predictive text will appear as you type)

2. Click Search to continue.

As you type, notice all the different permutations of queries that can be assembled.

Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.

1. Type:

Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between. Select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
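The two searches used in this section (the port search "Firewall rule where action = ALLOW and Port = 443" with its Save as CSV export, and the date-bounded "Firewall Rule Membership Change" audit) can be modelled offline to make clear what the UI is actually filtering on. The Python below is an added example written for this guide; it is not vRealize Network Insight code and does not call the vRNI search engine or API. The rules, membership-change events, user names and the year on the dates are all constructed sample data.

```python
"""Offline model of two firewall searches: a rule filter by action/port
(exported as CSV) and a date-bounded audit of rule membership changes.
Everything here is constructed sample data, not vRNI output."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FirewallRule:
    rule_id: int
    name: str
    source: str
    destination: str
    ports: tuple[int, ...]
    action: str  # "ALLOW" or "DROP"


@dataclass(frozen=True)
class MembershipChange:
    when: datetime
    rule_id: int      # rule whose source/destination group changed
    group: str        # the security group that gained or lost a member
    member: str       # the VM that was added or removed
    change: str       # "added" or "removed"
    user: str         # who made the change


# Constructed rule set (ids, names and tiers are invented for the example).
RULES = [
    FirewallRule(1, "web-ingress", "any", "Web-Tier", (80, 443), "ALLOW"),
    FirewallRule(2, "web-to-app", "Web-Tier", "App-Tier", (8443,), "ALLOW"),
    FirewallRule(3, "mgmt-https", "Mgmt", "any", (443, 22), "ALLOW"),
    FirewallRule(4, "db-block", "any", "DB-Tier", (443, 3306), "DROP"),
    FirewallRule(5, "app-to-db", "App-Tier", "DB-Tier", (3306,), "ALLOW"),
]

# Constructed change log; the year 2017 is assumed, the guide gives none.
CHANGES = [
    MembershipChange(datetime(2017, 6, 15, 9, 0), 2, "Web-Tier", "web-03", "added", "alice"),
    MembershipChange(datetime(2017, 7, 2, 14, 30), 5, "App-Tier", "app-07", "added", "bob"),
    MembershipChange(datetime(2017, 7, 20, 8, 15), 3, "Mgmt", "jumphost-2", "removed", "alice"),
    MembershipChange(datetime(2017, 8, 3, 11, 0), 1, "Web-Tier", "web-04", "added", "carol"),
]


def search_rules(rules, *, action=None, port=None):
    """Equivalent of 'Firewall rule where action = X and Port = N':
    every given condition must hold; a rule matches a port if it lists it."""
    hits = []
    for rule in rules:
        if action is not None and rule.action != action.upper():
            continue
        if port is not None and port not in rule.ports:
            continue
        hits.append(rule)
    return hits


def export_csv(rules) -> str:
    """Serialise a result set the way a 'Save as CSV' export would."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["rule_id", "name", "source", "destination", "ports", "action"])
    for rule in rules:
        writer.writerow([rule.rule_id, rule.name, rule.source, rule.destination,
                         " ".join(str(p) for p in rule.ports), rule.action])
    return buf.getvalue()


def membership_changes_between(changes, start: str, end: str):
    """Time-bounded search: keep changes whose timestamp lies in [start, end]
    (ISO-8601 strings), oldest first, as an audit view would list them."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sorted((c for c in changes if lo <= c.when <= hi), key=lambda c: c.when)


def audit_report(changes, rules):
    """Join each change back to its rule so the auditor sees why (which rule),
    when, how (added/removed) and by whom a rule's effective scope changed."""
    by_id = {rule.rule_id: rule for rule in rules}
    lines = []
    for c in changes:
        rule = by_id[c.rule_id]
        lines.append(f"{c.when:%Y-%m-%d %H:%M} rule {rule.rule_id} ({rule.name}, "
                     f"{rule.action}) group {c.group}: {c.change} {c.member} by {c.user}")
    return lines


if __name__ == "__main__":
    allow_443 = search_rules(RULES, action="ALLOW", port=443)
    print(export_csv(allow_443), end="")
    window = membership_changes_between(CHANGES, "2017-06-30", "2017-07-31T23:59:59")
    print("\n".join(audit_report(window, RULES)))
```

Note that a membership change never edits the rule text itself: the rule still reads "Mgmt to any", but removing jumphost-2 from Mgmt silently shrinks what it permits. That is why the audit view joins changes to rules rather than diffing rule definitions alone.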


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The previous event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info Only - Do not click - View, Edit, or Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness, and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies the determination of problems as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to host, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map will indicate the flow direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes. Instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge/VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step, we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on the advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view, vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the “Return to the lab” link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs (EC2 instances), Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Application-Centric Micro-Segmentation).


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3. App (the App tier talks to the DB tier on port 3306)
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 (DNS) and 514 (syslog).
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service: port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have any flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server: unlike the crm-web1 query, no Inbound rule on aws-log-server matches crm-database, so the missing rule is on the destination side.
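The three searches above reproduce by hand the check that a security-group evaluator performs. As an added example (not part of the lab and not vRealize Network Insight code), the Python below models AWS security-group semantics and runs them over a constructed copy of the lab's design: security groups are stateful and allow-only, so a new flow from one instance to another is permitted only when the source's group has a matching egress rule AND the destination's group has a matching ingress rule; the DENY that vRNI reports is the absence of that ingress match, not a deny rule in the AWS sense (network ACLs, which do carry explicit denies, are left out of this model). All group IDs, CIDRs, addresses and protocols (syslog assumed on UDP/514) are assumptions; the ingress rule admitting the DB tier to aws-log-server on 514 is deliberately omitted to reproduce the gap.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample environment: instance names follow the lab, but every
# security-group ID, rule, CIDR, address and protocol below is an assumption.

@dataclass(frozen=True)
class Rule:
    direction: str          # "ingress" or "egress"
    protocol: str           # "tcp", "udp" or "-1" (any, as in the AWS API)
    from_port: int
    to_port: int
    peer: str               # CIDR, or the ID of another security group

@dataclass
class SecurityGroup:
    sg_id: str
    rules: list = field(default_factory=list)

@dataclass
class Instance:
    name: str
    ip: str
    sg: SecurityGroup

def _rule_matches(rule, proto, port, other):
    """One rule matches a flow if protocol, port range and peer all match;
    the peer is either a CIDR containing the other instance or its group ID."""
    if rule.protocol not in ("-1", proto) or not rule.from_port <= port <= rule.to_port:
        return False
    if rule.peer.startswith("sg-"):
        return rule.peer == other.sg.sg_id
    return ipaddress.ip_address(other.ip) in ipaddress.ip_network(rule.peer, strict=False)

def matching_rules(src, dst, proto, port):
    """The rule pair that would permit src -> dst:port, as (egress on the
    source's group, ingress on the destination's group); either list may be empty."""
    egress = [r for r in src.sg.rules if r.direction == "egress" and _rule_matches(r, proto, port, dst)]
    ingress = [r for r in dst.sg.rules if r.direction == "ingress" and _rule_matches(r, proto, port, src)]
    return egress, ingress

def flow_action(src, dst, proto, port):
    """Security groups are stateful and allow-only: a new flow needs BOTH a
    matching egress rule at the source and a matching ingress rule at the
    destination; anything else is an implicit deny (the lab's DENY result)."""
    egress, ingress = matching_rules(src, dst, proto, port)
    return "ALLOW" if egress and ingress else "DENY"

def find_gaps(expected_flows):
    """Compare the intended design, a list of (src, dst, proto, port), with what
    the groups permit; report each denied flow with the missing half of the pair."""
    gaps = []
    for src, dst, proto, port in expected_flows:
        egress, ingress = matching_rules(src, dst, proto, port)
        if egress and ingress:
            continue
        missing = ([] if egress else [f"egress on {src.sg.sg_id}"]) + \
                  ([] if ingress else [f"ingress on {dst.sg.sg_id}"])
        gaps.append((src.name, dst.name, port, ", ".join(missing)))
    return gaps

# Groups: one per tier in VPC CRM, the jump box, and the shared services VPC.
sg_web, sg_app, sg_db = SecurityGroup("sg-web"), SecurityGroup("sg-app"), SecurityGroup("sg-db")
sg_jump, sg_shared = SecurityGroup("sg-jump"), SecurityGroup("sg-shared")
ANY_EGRESS = Rule("egress", "-1", 0, 65535, "0.0.0.0/0")     # the AWS default egress rule
for sg in (sg_web, sg_app, sg_db, sg_jump, sg_shared):
    sg.rules.append(ANY_EGRESS)
sg_web.rules += [Rule("ingress", "tcp", 80, 80, "10.0.0.0/8"),       # internal users / DC VMs
                 Rule("ingress", "tcp", 22, 22, "sg-jump")]
sg_app.rules += [Rule("ingress", "tcp", 8080, 8080, "sg-web"),
                 Rule("ingress", "tcp", 22, 22, "sg-jump")]
sg_db.rules += [Rule("ingress", "tcp", 3306, 3306, "sg-app"),
                Rule("ingress", "tcp", 22, 22, "sg-jump")]
# Shared services: DNS open to the whole CRM VPC, syslog only from web and app.
# The ingress rule for sg-db on 514 is deliberately absent: that is the gap.
sg_shared.rules += [Rule("ingress", "udp", 53, 53, "10.1.0.0/16"),
                    Rule("ingress", "udp", 514, 514, "sg-web"),
                    Rule("ingress", "udp", 514, 514, "sg-app")]

web1 = Instance("crm-web1", "10.1.1.10", sg_web)
app1 = Instance("crm-app1", "10.1.2.10", sg_app)
db1 = Instance("crm-database", "10.1.3.10", sg_db)
jump = Instance("jump-box", "10.1.0.10", sg_jump)
dns = Instance("aws-DNS-Server", "10.2.1.53", sg_shared)
syslog = Instance("aws-log-server", "10.2.1.14", sg_shared)

# The intended design, transcribed from the lab's "AWS Configuration" list.
EXPECTED_FLOWS = [(web1, app1, "tcp", 8080), (app1, db1, "tcp", 3306),
                  (jump, db1, "tcp", 22), (db1, dns, "udp", 53),
                  (db1, syslog, "udp", 514), (web1, syslog, "udp", 514)]

if __name__ == "__main__":
    for gap in find_gaps(EXPECTED_FLOWS):
        print("GAP:", gap)         # the crm-database -> aws-log-server:514 flow
```

flow_action answers the first search (firewall action of flows where dst vm = aws-log-server) for one source at a time, matching_rules answers the other two (aws firewall rule where src vm = ... and dst vm = ...), and find_gaps compares the intended design with what the groups actually permit and names the side of the pair that is missing, which is the question the administrator is really asking.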


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226



Export Firewall Rules

Take some time to understand and get familiar with the Firewall Rule search possibilities and the insight this can offer.

1. Do not click - The result is grouped for convenience and allows the user to query each rule individually. This is a live link that will expose further information.

2. Do not click - The entire report can be exported by using the Save as CSV option at the top right-hand corner of the screen, but we will not export any information at this point.

3. For the next step we will return to the top search bar.

Firewall Rule Membership Change

Using the vRealize Network Insight search bar at the top of the screen, we will focus on a time-based search to see what Firewall Membership Changes occurred during a selected period. This will point out any changes made directly, or indirectly as a result of membership changes. This is extremely useful for auditing and troubleshooting.


1. Type: Firewall Rule Membership Change

2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to Jul 31 (using static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays the result of all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit and change-tracking process, to understand exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
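As an added example, not from the lab and not vRealize Network Insight code, the Python below shows what a firewall rule membership change search computes: it diffs consecutive snapshots of security-group membership, attaches to each change the firewall rules that reference the group (the indirect changes mentioned above: a rule's effective scope changes whenever its group's membership does, even though the rule itself was never edited), filters by the lab's June 30 to Jul 31 window, and produces one audit line per VM added or removed. Group names echo the lab's Prod-Web and Prod_MidTier groups, but the members, rule IDs and timestamps are constructed; the lab-mid-9 VM landing in Prod_MidTier is the kind of change such an audit should surface.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: group names echo the lab's Prod-Web / Prod_MidTier,
# but the members, rule IDs and timestamps are assumptions.

@dataclass(frozen=True)
class FwRule:
    rule_id: str
    src_group: str
    dst_group: str
    service: str

@dataclass(frozen=True)
class MembershipChange:
    when: datetime
    group: str
    added: frozenset
    removed: frozenset
    affected_rules: tuple     # rules whose effective scope changed indirectly

def diff_snapshots(snapshots, rules):
    """snapshots: time-ordered list of (timestamp, {group: set(members)}).
    Emits one MembershipChange per group whose members differ between two
    consecutive snapshots, tagged with every rule that references the group:
    the rule never changed, but what it matches did."""
    changes = []
    for (_, before), (ts, after) in zip(snapshots, snapshots[1:]):
        for group in sorted(set(before) | set(after)):
            old, new = before.get(group, set()), after.get(group, set())
            if old == new:
                continue
            affected = tuple(r.rule_id for r in rules if group in (r.src_group, r.dst_group))
            changes.append(MembershipChange(ts, group, frozenset(new - old), frozenset(old - new), affected))
    return changes

def changes_between(changes, start, end):
    """The search's 'Between' date filter (inclusive window)."""
    return [c for c in changes if start <= c.when <= end]

def audit_report(changes):
    """One audit line per VM added to or removed from a group: when, which group,
    and which firewall rules now (or no longer) apply to that VM."""
    lines = []
    for c in changes:
        rules = ", ".join(c.affected_rules) or "no rules"
        for vm in sorted(c.added):
            lines.append(f"{c.when:%Y-%m-%d %H:%M} {c.group}: +{vm} now matched by {rules}")
        for vm in sorted(c.removed):
            lines.append(f"{c.when:%Y-%m-%d %H:%M} {c.group}: -{vm} no longer matched by {rules}")
    return lines

RULES = [FwRule("rule-1001", "Prod-Web", "Prod_MidTier", "TCP/8080"),
         FwRule("rule-1002", "Prod_MidTier", "Prod-Db", "TCP/3306")]

SNAPSHOTS = [
    (datetime(2017, 6, 29, 8, 0),  {"Prod-Web": {"web-1", "web-2"}, "Prod_MidTier": {"mid-1"}, "Prod-Db": {"db-1"}}),
    (datetime(2017, 7, 3, 14, 30), {"Prod-Web": {"web-1", "web-2"}, "Prod_MidTier": {"mid-1", "mid-2"}, "Prod-Db": {"db-1"}}),
    (datetime(2017, 7, 20, 9, 15), {"Prod-Web": {"web-1"}, "Prod_MidTier": {"mid-1", "mid-2", "lab-mid-9"}, "Prod-Db": {"db-1"}}),
    (datetime(2017, 8, 2, 11, 0),  {"Prod-Web": {"web-1"}, "Prod_MidTier": {"mid-1", "mid-2"}, "Prod-Db": {"db-1"}}),
]

LAB_WINDOW = (datetime(2017, 6, 30), datetime(2017, 7, 31, 23, 59))   # the lab's date range

if __name__ == "__main__":
    print("\n".join(audit_report(changes_between(diff_snapshots(SNAPSHOTS, RULES), *LAB_WINDOW))))
```

The August change falls outside the window and is filtered out, exactly as the Between filter in the search would do; the July 20 addition of lab-mid-9 shows up as matched by both rule-1001 and rule-1002, which is the indirect change a reviewer wants to see: a non-production VM silently inherited the production rule set.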


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preferences, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The event that you created previously can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification: Firewall rule membership change).
3. Info only - Do not click - View / Edit / Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using this to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies problem determination as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups etc., but in this module we will only be focusing on the path.

From the main console

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1 When done reviewing click on the (X) in the top right corner

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details

In this scenario the second hop from the physical network perspective is a Palo Alto Networks device acting as a routed hop. In this view we will see the routing table as well as the firewall rules. What makes the vRealize Network Insight platform powerful here is that the firewall rules shown are the applicable rules between the two objects we searched for. There are probably thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.
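As an added example, neither lab content nor vRealize Network Insight code, the Python below shows the reasoning behind a path search like this one: starting at the source VM's gateway, it performs a longest-prefix-match route lookup at every L3 hop to find the next device, and at any hop that carries a firewall policy (here the Palo Alto hop) it keeps only the rules whose source, destination and port can match the two endpoints, applying first-match order and the device's default action. The device names follow the hops of this lab (a Nexus 7000 VRF, the Palo Alto device, an Arista core, Provider-Edge 1 and an LDR), but every address, prefix, route and rule is constructed; real devices, VRF route leaking and NAT are richer than this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample topology: device names follow the lab's hops, but every
# prefix, address, route and firewall rule below is an assumption.

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str            # name of the next device, or "connected"

@dataclass(frozen=True)
class FirewallRule:
    name: str
    src: str                 # CIDR
    dst: str                 # CIDR
    port: Optional[int]      # None = any port
    action: str              # "allow" or "deny"

@dataclass
class Device:
    name: str
    routes: list = field(default_factory=list)
    fw_rules: list = field(default_factory=list)
    default_action: str = "deny"   # applies only on devices that carry a policy

def longest_prefix_match(device, dst_ip):
    """Pick the most specific route on this device for dst_ip (None if unrouted)."""
    dst_ip = ipaddress.ip_address(dst_ip)
    best_net, best_route = None, None
    for r in device.routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, r
    return best_route

def rules_on_path(device, src_ip, dst_ip, port):
    """Only the rules that can match this src/dst/port, in policy order."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [r for r in device.fw_rules
            if src_ip in ipaddress.ip_network(r.src, strict=False)
            and dst_ip in ipaddress.ip_network(r.dst, strict=False)
            and (r.port is None or r.port == port)]

def trace_path(devices, first_hop, src_ip, dst_ip, port, max_hops=16):
    """Walk from the source's gateway towards dst_ip. Returns (hops,
    applicable_rules, verdict); the walk stops at the hop whose route says the
    destination is directly connected, at a denying firewall, or when no route exists."""
    hops, applicable, verdict, current = [], [], "ALLOW", first_hop
    for _ in range(max_hops):
        dev = devices[current]
        hops.append(dev.name)
        if dev.fw_rules:                      # this hop enforces a policy
            hits = rules_on_path(dev, src_ip, dst_ip, port)
            applicable.extend((dev.name, r.name, r.action) for r in hits)
            action = hits[0].action if hits else dev.default_action   # first match wins
            if action == "deny":
                verdict = "DENY"
                break
        route = longest_prefix_match(dev, dst_ip)
        if route is None:
            verdict = "NO ROUTE"
            break
        if route.next_hop == "connected":
            break                             # delivered on this hop's subnet
        current = route.next_hop
    else:
        verdict = "LOOP"                      # exhausted max_hops
    return hops, applicable, verdict

SRC_IP, DST_IP = "10.17.80.25", "172.16.20.12"   # DBAdmin-VM1 -> Prod-Db-2 (assumed)

DEVICES = {d.name: d for d in [
    Device("nexus7000-vrf", routes=[Route("10.17.80.0/24", "connected"),
                                    Route("172.16.0.0/12", "pan-firewall"),
                                    Route("0.0.0.0/0", "pan-firewall")]),
    Device("pan-firewall",
           routes=[Route("172.16.0.0/16", "arista-core"), Route("0.0.0.0/0", "internet-edge")],
           fw_rules=[FirewallRule("allow-dba-to-prod-db", "10.17.80.0/24", "172.16.20.0/24", 3306, "allow"),
                     FirewallRule("deny-mgmt-to-prod", "10.17.0.0/16", "172.16.0.0/16", None, "deny"),
                     FirewallRule("allow-web-to-internet", "172.16.10.0/24", "0.0.0.0/0", 443, "allow")]),
    Device("arista-core", routes=[Route("172.16.0.0/16", "provider-edge-1")]),
    Device("provider-edge-1", routes=[Route("172.16.20.0/24", "ldr-corporate"),
                                      Route("172.16.10.0/24", "ldr-corporate")]),
    Device("ldr-corporate", routes=[Route("172.16.20.0/24", "connected"),
                                    Route("172.16.10.0/24", "connected")]),
    Device("internet-edge", routes=[Route("0.0.0.0/0", "connected")]),
]}

if __name__ == "__main__":
    for port in (3306, 22):
        hops, rules, verdict = trace_path(DEVICES, "nexus7000-vrf", SRC_IP, DST_IP, port)
        print(port, verdict, " -> ".join(hops), [r[1] for r in rules])
```

Of the three rules on the Palo Alto hop only two can ever match the DBAdmin-VM1 to Prod-Db-2 pair, which is the "applicable rules" list the lab describes; for port 3306 the specific allow wins on first match and the path continues through the Arista, the NSX Edge and the LDR, while for port 22 only the broader deny matches and the walk stops at the firewall. A destination no rule covers falls to the device's default action, and a hop with no route ends the path with NO ROUTE instead of a verdict.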

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, which matters when we are changing from one vendor to another.

1 When done reviewing click on the (X) in the top right corner


Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and the routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the underlay VLAN IDs, the subnet and the underlay subnet.

C - We also have visibility into which primary controller the segment is using, as well as its hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here on, routing is done in the ESXi kernel by the NSX distributed logical router.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface: the interface on the Prod-DB network, which is the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network of that physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based firewall to which traffic is offloaded. The NSX redirect (service insertion) feature steers traffic that matches a redirect rule in the NSX distributed firewall to the PAN firewall for inspection.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This reflects how the traffic actually flows, since each direction is resolved against the routing tables of the devices it traverses.
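The forward and reverse traces above are the result of resolving each direction against the routing tables collected from every hop. The following added example is not part of the lab manual or of vRealize Network Insight: it walks constructed per-device routing tables hop by hop with longest-prefix matching and shows why the return path can land on a different edge than the forward path. Device names echo the lab's map, but every prefix and next hop in the tables is an assumption made for the example.

```python
import ipaddress

# Constructed, illustrative per-device routing tables. Device names echo the
# lab's map, but these prefixes and next hops are assumptions for the example,
# not data collected from the lab environment.
# Each entry is (prefix, next_hop); next_hop None means the prefix is directly
# connected to that device, i.e. the device is the last routed hop.
ROUTES = {
    "Prod-Web-1": [
        ("10.17.80.0/24", None),
        ("0.0.0.0/0", "LDR-Corporate"),
    ],
    "LDR-Corporate": [
        ("10.17.80.0/24", None),
        ("10.17.90.0/24", None),
        ("0.0.0.0/0", "Provider-Edge-1"),   # default route toward the physical network
    ],
    "Provider-Edge-1": [
        ("10.17.0.0/16", "LDR-Corporate"),
        ("0.0.0.0/0", "Physical-Router"),
    ],
    "Provider-Edge-2": [
        ("10.17.0.0/16", "LDR-Corporate"),
        ("0.0.0.0/0", "Physical-Router"),
    ],
    "Physical-Router": [
        ("172.16.5.0/24", None),
        # The overlay /16 was learned via Provider-Edge-1, but a more specific
        # /24 for the web segment was learned via Provider-Edge-2.
        ("10.17.0.0/16", "Provider-Edge-1"),
        ("10.17.80.0/24", "Provider-Edge-2"),
    ],
    "Branch-DB-1": [
        ("172.16.5.0/24", None),
        ("0.0.0.0/0", "Physical-Router"),
    ],
}


def lookup(device, dst_ip):
    """Longest-prefix-match lookup: return the (network, next_hop) entry that
    wins for dst_ip on device, or None if no route covers it."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(src_device, dst_ip):
    """Walk the routed path from src_device toward dst_ip, one LPM lookup per
    hop, and return the list of devices traversed. The walk stops at the device
    that has the destination prefix directly connected. Raises on a routing
    loop or a missing route so that a black hole is reported, not hidden."""
    path = [src_device]
    device = src_device
    while True:
        hit = lookup(device, dst_ip)
        if hit is None:
            raise LookupError(f"{device}: no route to {dst_ip}")
        _, next_hop = hit
        if next_hop is None:
            return path
        if next_hop in path:
            raise RuntimeError(f"routing loop at {next_hop}: {path}")
        path.append(next_hop)
        device = next_hop


def transit_devices(path):
    """Every routed hop after the source endpoint, in order."""
    return path[1:]


def is_symmetric(forward, reverse):
    """True when the return path visits exactly the same routed hops as the
    forward path, in reverse order."""
    return transit_devices(forward) == list(reversed(transit_devices(reverse)))


if __name__ == "__main__":
    fwd = trace("Prod-Web-1", "172.16.5.20")
    rev = trace("Branch-DB-1", "10.17.80.10")
    print("forward:", " -> ".join(fwd))
    print("reverse:", " -> ".join(rev))
    print("symmetric:", is_symmetric(fwd, rev))
```

Run it and the forward path leaves through Provider-Edge-1 while the return path enters through Provider-Edge-2, because the physical router holds a more specific prefix for the web segment pointing at the second edge. Asymmetry like this matters for a stateful firewall in the path such as the PAN firewall shown earlier: a device that sees only one direction of a session may drop the return traffic, so compare both traces whenever a path crosses a firewall.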

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information for the VMs involved: their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active edge VMs.
2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components used in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at www.vmware.com.

This concludes this module. Please continue to the next module.

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight gives us full visibility from both an overlay and an underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results simply by dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual representation of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct so that it can be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control-plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lesson:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines are reachable over SSH on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and to the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area on which we will focus.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and to the LogServer on port 514 in the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.

1. DC Virtual (the jump-box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on port 53 (DNS) and port 514 (syslog).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied over when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied over when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied over when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return only 2 results, both outbound rules, which explains the firewall behaviour from crm-database to aws-log-server: the outbound side on the database exists, but no inbound rule on the log server side admits the database, and that is the rule the administrator forgot to add.
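The AWS configuration listed earlier in this module describes the intended CRM policy, and the three queries above show how one missing rule was located. As an added example (not part of the lab manual, not vRealize Network Insight code, and not the AWS API), the Python below models security-group evaluation over a constructed set of instances and rules, reproduces the unfiltered rule counts the queries report (three rules for crm-web1, two for crm-database) and checks every intended flow, reporting which side lacks a rule. Instance names follow the lab; the group IDs, addresses and rules are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, illustrative data modelled on the lab's CRM scenario. Instance
# names follow the lab text; group IDs, addresses and rules are assumptions for
# this example and were not collected from AWS or from the lab.
VPC_CRM = "10.0.0.0/16"      # CRM VPC
VPC_COMMON = "10.1.0.0/16"   # Common Services VPC (DNS and log server)
DATACENTER = "10.2.0.0/16"   # on-premises users reaching the web tier


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp" or "udp"
    port: int
    peer: str        # security-group id or CIDR the rule refers to


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    sgs: frozenset   # security groups attached to the instance


SHARED_EGRESS = [Rule("outbound", "udp", 53, VPC_COMMON), Rule("outbound", "tcp", 514, VPC_COMMON)]
SECURITY_GROUPS = {
    "sg-jump": [Rule("outbound", "tcp", 22, VPC_CRM)],
    "sg-web": [Rule("inbound", "tcp", 80, DATACENTER), Rule("inbound", "tcp", 22, "sg-jump"),
               Rule("outbound", "tcp", 8080, "sg-app")] + SHARED_EGRESS,
    "sg-app": [Rule("inbound", "tcp", 8080, "sg-web"), Rule("inbound", "tcp", 22, "sg-jump"),
               Rule("outbound", "tcp", 3306, "sg-db")] + SHARED_EGRESS,
    "sg-db": [Rule("inbound", "tcp", 3306, "sg-app"), Rule("inbound", "tcp", 22, "sg-jump")] + SHARED_EGRESS,
    "sg-dns": [Rule("inbound", "udp", 53, VPC_CRM)],
    # The log server admits syslog from the web and app groups only; the rule for
    # the DB group was never added. This is the gap the lab uncovers.
    "sg-log": [Rule("inbound", "tcp", 514, "sg-web"), Rule("inbound", "tcp", 514, "sg-app")],
}
INSTANCES = {i.name: i for i in [
    Instance("jump-box", "10.0.0.5", frozenset({"sg-jump"})),
    Instance("crm-web1", "10.0.1.10", frozenset({"sg-web"})),
    Instance("crm-app1", "10.0.2.10", frozenset({"sg-app"})),
    Instance("crm-database", "10.0.3.10", frozenset({"sg-db"})),
    Instance("aws-dns-server", "10.1.0.10", frozenset({"sg-dns"})),
    Instance("aws-log-server", "10.1.0.20", frozenset({"sg-log"})),
]}


def _peer_matches(peer, inst):
    """A rule peer is either a group the instance belongs to or a CIDR containing its address."""
    if peer.startswith("sg-"):
        return peer in inst.sgs
    return ipaddress.ip_address(inst.ip) in ipaddress.ip_network(peer)


def rules_between(src, dst, proto=None, port=None):
    """Rules that apply to traffic initiated by src toward dst: outbound rules on src's
    groups naming dst, plus inbound rules on dst's groups naming src. With proto/port
    omitted this mirrors an unfiltered 'aws firewall rule where src vm = ... and dst vm = ...' query."""
    def svc_ok(r):
        return proto is None or (r.proto == proto and r.port == port)
    hits = []
    for sg in sorted(src.sgs):
        hits += [(sg, r) for r in SECURITY_GROUPS[sg]
                 if r.direction == "outbound" and _peer_matches(r.peer, dst) and svc_ok(r)]
    for sg in sorted(dst.sgs):
        hits += [(sg, r) for r in SECURITY_GROUPS[sg]
                 if r.direction == "inbound" and _peer_matches(r.peer, src) and svc_ok(r)]
    return hits


def verdict(src, dst, proto, port):
    """Security groups are stateful allow-lists: a flow is permitted only when the initiator's
    outbound side AND the receiver's inbound side both match. Returns 'ALLOW' or a DENY reason."""
    hits = rules_between(src, dst, proto, port)
    has_out = any(r.direction == "outbound" for _, r in hits)
    has_in = any(r.direction == "inbound" for _, r in hits)
    if has_out and has_in:
        return "ALLOW"
    missing = [s for s, ok in (("outbound on " + src.name, has_out), ("inbound on " + dst.name, has_in)) if not ok]
    return "DENY: missing " + " and ".join(missing)


# The intended CRM policy as the lab describes it.
TIERS = ("crm-web1", "crm-app1", "crm-database")
INTENDED = ([("jump-box", t, "tcp", 22) for t in TIERS]
            + [("crm-web1", "crm-app1", "tcp", 8080), ("crm-app1", "crm-database", "tcp", 3306)]
            + [(t, "aws-dns-server", "udp", 53) for t in TIERS]
            + [(t, "aws-log-server", "tcp", 514) for t in TIERS])


def policy_gaps():
    """Intended flows that the configured groups do not actually permit, with the reason."""
    gaps = []
    for s, d, p, port in INTENDED:
        v = verdict(INSTANCES[s], INSTANCES[d], p, port)
        if v != "ALLOW":
            gaps.append((s, d, p, port, v))
    return gaps


if __name__ == "__main__":
    print(policy_gaps())
```

`policy_gaps()` returns the single failing flow, crm-database to aws-log-server on tcp/514, with the reason that no inbound rule on the log server's group admits the database. Security groups are allow-only and stateful, so each flow needs to be checked only in its initiating direction, but at both ends: an outbound rule on the source is not enough, and a rule query that returns outbound matches with no inbound match on the destination is the signature of exactly the gap this lab uncovers.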


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


1. Type: Firewall Rule Membership Change
2. Select the Date/Time window.
3. Click Between and select the date range from June 30 to July 31 (with static data, this will ensure you see all the changes).
4. Click Search.

Audit Rule - Firewall Rule Membership Changes

The search now displays all the changes made to firewall rule membership during the preset date range. This is pivotal to the audit change-tracking process: understanding exactly why, when and how firewall rules changed.

The changes can now easily be tracked, audited and also exported by following any of the live links in blue.
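The membership-change search above is a temporal diff: for the selected window it reports who was added to or removed from each firewall rule, and when. As an added example (not part of the lab manual or of vRealize Network Insight), the Python below builds that audit trail from constructed membership snapshots, limits it to the same June 30 to July 31 window, and adds a check for members that do not belong in a production rule. Rule names, VM names and snapshot dates are assumptions made for the example.

```python
from datetime import datetime

# Constructed snapshots of firewall rule membership (rule name -> set of member
# VMs) taken on different dates. Rule and VM names are illustrative and are not
# the lab's data; the audit window matches the date range used in the search.
SNAPSHOTS = [
    (datetime(2017, 6, 15), {"Prod-Web-to-Midtier": {"Prod-Web-1", "Prod-Web-2"},
                             "Prod-Midtier-to-DB": {"Prod-Midtier-1"}}),
    (datetime(2017, 7, 3), {"Prod-Web-to-Midtier": {"Prod-Web-1", "Prod-Web-2", "Prod-Web-3"},
                            "Prod-Midtier-to-DB": {"Prod-Midtier-1"}}),
    (datetime(2017, 7, 20), {"Prod-Web-to-Midtier": {"Prod-Web-1", "Prod-Web-3"},
                             "Prod-Midtier-to-DB": {"Prod-Midtier-1", "Lab-Midtier-1"}}),
    (datetime(2017, 8, 2), {"Prod-Web-to-Midtier": {"Prod-Web-1", "Prod-Web-3"},
                            "Prod-Midtier-to-DB": {"Prod-Midtier-1"},
                            "Temp-Any-Any": {"Prod-DB-1"}}),
]
AUDIT_START = datetime(2017, 6, 30)
AUDIT_END = datetime(2017, 7, 31)


def diff_snapshots(older, newer):
    """Change events between two membership snapshots, as (rule, kind, member)
    tuples: rule creation/deletion plus one event per member added or removed."""
    events = []
    for rule in sorted(set(older) | set(newer)):
        before, after = older.get(rule, set()), newer.get(rule, set())
        if rule not in older:
            events.append((rule, "rule-created", None))
        if rule not in newer:
            events.append((rule, "rule-deleted", None))
        events += [(rule, "member-added", m) for m in sorted(after - before)]
        events += [(rule, "member-removed", m) for m in sorted(before - after)]
    return events


def membership_changes(snapshots, start, end):
    """Timestamped change events, dated by the first snapshot in which they
    appear and limited to snapshots taken within [start, end]."""
    ordered = sorted(snapshots, key=lambda s: s[0])
    changes = []
    for (_, older), (when, newer) in zip(ordered, ordered[1:]):
        if start <= when <= end:
            changes += [(when, rule, kind, member) for rule, kind, member in diff_snapshots(older, newer)]
    return changes


def audit_window():
    """All membership changes inside the lab's June 30 to July 31 window."""
    return membership_changes(SNAPSHOTS, AUDIT_START, AUDIT_END)


def unexpected_members(changes, expected_prefix):
    """Audit check: members added to a rule whose name does not carry the
    expected prefix, e.g. a lab VM landing in a production rule."""
    return [c for c in changes if c[2] == "member-added" and not c[3].startswith(expected_prefix)]


if __name__ == "__main__":
    for when, rule, kind, member in audit_window():
        print(when.date(), rule, kind, member or "")
```

Within the window the example reports three changes, and `unexpected_members()` flags Lab-Midtier-1 landing in the Prod-Midtier-to-DB rule, the kind of membership drift that silently widens a production rule; the Temp-Any-Any rule created in August falls outside the window and is not reported until the window is extended.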

HOL-1829-01-NET

Page 41HOL-1829-01-NET

User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned, as this is static data only. This section will show how easy it is to report on any Firewall Rule membership changes. The options for alerting are: immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.

2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.

3. Once completed, click Save.


Settings

You can view any of your previously configured User-defined Events in order to edit or activate the Event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The event that you created previously can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type "Settings"
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification "Firewall rule membership change")
3. Info only - do not click - View / Edit / Activate any notifications

Note that we have two types of notification: User-defined and System Events.

4. Click the System Events


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each Notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1!

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness: track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and makes problem determination, as well as visibility of the firewall and network configurations, very easy.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology
2. Click on Path

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source
2. Type "dba" into the source field and DBAdmin-VM1 will appear
3. Click on DBAdmin-VM1 to select it


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type "prod" in the destination field and the list of available options will appear

2. Select Prod-Db-2

Note: The destination could also be an IP address or "Internet", but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field
2. Click Maximize

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools; we can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates "Unknown". In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays "Unknown" as the status. If NSX components were utilized but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is "unknown" and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at Layer 3 and the connectivity to those Layer 3 devices. Later in this module we will see some of the Layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario, the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario, the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is powerful enough that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario, the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, for example when we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two)


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two)

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved

2. The VM Underlay path topology is shown here
3. The components are labeled under Path Details


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses

1. From the previous step we selected the Prod-DB-2 Virtual Machine
2. This changes the focus to the corresponding Interface IP Address (VNIC)
3. Shows the visual map (Path Topology) of all the path objects
4. Path Details shows the labels and lists the components

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2!

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type "NSX Manager" (this will list three NSX Managers)
2. Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and Hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order)


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition, due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers: Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section

1. Click and select Warning/Moderate to view problem areas

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller"


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view, vRealize Network Insight is also showing you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3!

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS
2. There are two VPCs, i.e. CRM and Common Services


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box
5. The Web tier talks to the App tier on port 8080
6. The App tier talks to the DB tier on port 3306
7. The Web tier is open to internal datacenter VMs on port 80
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services
10. This means the connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers). This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on port 53 (DNS) and port 514 (syslog).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the denied flow.

We can see a DENY action which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results, both Outbound rules. Compared with the crm-web1 result, the Inbound rule is missing, which explains the firewall behaviour from crm-database to aws-log-server.
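The two things the lab does by clicking, comparing the intended CRM flows against the AWS rules and then looking at the rule set from each side, can be reproduced offline against a rule model. The following Python is an added example written for this edit, not code from the lab or from vRealize Network Insight: the security groups, instance names, group IDs, addresses and the corporate CIDR are all constructed to match the lab's description (Web tier 80/8080, App 3306, SSH 22 from the jump box, DNS 53 and syslog 514 into the Common Services VPC), so counts such as "3 results" for crm-web1 will not match the lab's screenshots, and syslog is assumed to be TCP. Two caveats worth carrying over to the real cloud: security groups have no deny rules, so the DENY that vRealize Network Insight reports is the implicit drop of a flow that neither side's rules permit; and because groups are stateful, both the source's egress and the destination's ingress have to allow the service, which is exactly the asymmetry the third query exposes (outbound present, inbound missing). Network ACLs are not modelled.

```python
"""Intended CRM flows checked against AWS security groups (added example, not lab code).
Constructed data: group IDs, instance names, addresses and the corporate CIDR are invented;
rule dictionaries follow the IpPermissions shape of `aws ec2 describe-security-groups`.
Security groups are stateful allow-lists: a flow passes only if the source group's egress
AND the destination group's ingress both match. Network ACLs are ignored (assumption)."""
import copy
import ipaddress

CORP_DC = "192.168.0.0/16"  # assumed on-premises datacenter range

# instance name -> (security group, private IP); constructed
INSTANCES = {
    "jump-box": ("sg-jump", "10.0.0.10"),
    "crm-web1": ("sg-web", "10.0.1.11"), "crm-web2": ("sg-web", "10.0.1.12"),
    "crm-app1": ("sg-app", "10.0.2.11"), "crm-app2": ("sg-app", "10.0.2.12"),
    "crm-database": ("sg-db", "10.0.3.11"),
    "aws-dns-server": ("sg-dns", "10.1.0.53"), "aws-log-server": ("sg-log", "10.1.0.54"),
}

def rule(proto, port, groups=(), cidrs=()):
    """One IpPermissions entry: protocol, single port, peer security groups and/or CIDRs."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": g} for g in groups],
            "IpRanges": [{"CidrIp": c} for c in cidrs]}

ANY = {"IpProtocol": "-1", "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

# The groups as the lab's AWS administrator left them (constructed).
SECURITY_GROUPS = {
    "sg-jump": {"IpPermissions": [rule("tcp", 22, cidrs=[CORP_DC])], "IpPermissionsEgress": [ANY]},
    "sg-web": {"IpPermissions": [rule("tcp", 80, cidrs=[CORP_DC]), rule("tcp", 22, groups=["sg-jump"])],
               "IpPermissionsEgress": [rule("tcp", 8080, groups=["sg-app"]),
                                       rule("udp", 53, groups=["sg-dns"]), rule("tcp", 514, groups=["sg-log"])]},
    "sg-app": {"IpPermissions": [rule("tcp", 8080, groups=["sg-web"]), rule("tcp", 22, groups=["sg-jump"])],
               "IpPermissionsEgress": [rule("tcp", 3306, groups=["sg-db"]),
                                       rule("udp", 53, groups=["sg-dns"]), rule("tcp", 514, groups=["sg-log"])]},
    # The outbound half of DB -> log server exists (the lab's "2 Outbound rules") ...
    "sg-db": {"IpPermissions": [rule("tcp", 3306, groups=["sg-app"]), rule("tcp", 22, groups=["sg-jump"])],
              "IpPermissionsEgress": [rule("udp", 53, groups=["sg-dns"]), rule("tcp", 514, groups=["sg-log"])]},
    "sg-dns": {"IpPermissions": [rule("udp", 53, groups=["sg-web", "sg-app", "sg-db"])], "IpPermissionsEgress": [ANY]},
    # ... but the log server's inbound syslog rule names only the web and app tiers, not sg-db.
    "sg-log": {"IpPermissions": [rule("tcp", 514, groups=["sg-web", "sg-app"])], "IpPermissionsEgress": [ANY]},
}

def matches(r, proto, port, peer_sg, peer_ip):
    """True if rule r covers proto/port (proto=None: any service) for the given peer."""
    if proto is not None and r["IpProtocol"] not in ("-1", proto):
        return False
    if proto is not None and r["IpProtocol"] != "-1" and not r["FromPort"] <= port <= r["ToPort"]:
        return False
    if any(p["GroupId"] == peer_sg for p in r["UserIdGroupPairs"]):
        return True
    return any(ipaddress.ip_address(peer_ip) in ipaddress.ip_network(c["CidrIp"]) for c in r["IpRanges"])

def flow_action(src, dst, proto, port, groups=SECURITY_GROUPS):
    """('ALLOW', None) or ('DENY', reason naming the missing half of the stateful pair)."""
    (src_sg, src_ip), (dst_sg, dst_ip) = INSTANCES[src], INSTANCES[dst]
    egress_ok = any(matches(r, proto, port, dst_sg, dst_ip) for r in groups[src_sg]["IpPermissionsEgress"])
    ingress_ok = any(matches(r, proto, port, src_sg, src_ip) for r in groups[dst_sg]["IpPermissions"])
    if egress_ok and ingress_ok:
        return "ALLOW", None
    missing = [m for ok, m in ((egress_ok, f"no egress rule on {src_sg} to {dst_sg}"),
                               (ingress_ok, f"no ingress rule on {dst_sg} from {src_sg}")) if not ok]
    return "DENY", f"{proto}/{port}: " + "; ".join(missing)

def rules_between(src, dst, groups=SECURITY_GROUPS):
    """Rules naming the peer on each side, like 'aws firewall rule where src vm = X and dst vm = Y'."""
    (src_sg, src_ip), (dst_sg, dst_ip) = INSTANCES[src], INSTANCES[dst]
    return {"outbound": [r for r in groups[src_sg]["IpPermissionsEgress"] if matches(r, None, None, dst_sg, dst_ip)],
            "inbound": [r for r in groups[dst_sg]["IpPermissions"] if matches(r, None, None, src_sg, src_ip)]}

def expected_flows():
    """The flows the lab description says must exist, as (src, dst, proto, port)."""
    web, app, db = ["crm-web1", "crm-web2"], ["crm-app1", "crm-app2"], ["crm-database"]
    flows = [(w, a, "tcp", 8080) for w in web for a in app] + [(a, d, "tcp", 3306) for a in app for d in db]
    for vm in web + app + db:
        flows += [("jump-box", vm, "tcp", 22), (vm, "aws-dns-server", "udp", 53), (vm, "aws-log-server", "tcp", 514)]
    return flows

def flow_actions_to(dst, groups=SECURITY_GROUPS):
    """Like 'firewall action of flows where dst vm = ...': (src, action) for each intended flow to dst."""
    return [(s, flow_action(s, d, p, port, groups)[0]) for s, d, p, port in expected_flows() if d == dst]

def audit(groups=SECURITY_GROUPS):
    """Every intended flow the groups would drop, as (src, dst, reason)."""
    results = [(s, d, *flow_action(s, d, p, port, groups)) for s, d, p, port in expected_flows()]
    return [(s, d, reason) for s, d, action, reason in results if action == "DENY"]

def authorize_ingress(groups, sg_id, proto, port, peer_sg):
    """Copy of the groups with one ingress rule added (what the administrator forgot to do)."""
    fixed = copy.deepcopy(groups)
    fixed[sg_id]["IpPermissions"].append(rule(proto, port, groups=[peer_sg]))
    return fixed

if __name__ == "__main__":
    print(flow_actions_to("aws-log-server"))  # 4 ALLOW, crm-database DENY
    print(audit())                            # the tcp/514 gap, with its reason
    print(audit(authorize_ingress(SECURITY_GROUPS, "sg-log", "tcp", 514, "sg-db")))  # []
```

Running the block prints the five intended flows to aws-log-server (four ALLOW, one DENY), the single audit finding with the missing half of the rule pair named, and an empty list once `authorize_ingress` adds the inbound tcp/514 rule for sg-db. With `INSTANCES` and `SECURITY_GROUPS` filled from the real `describe-instances` and `describe-security-groups` output, the same check works as a pre-deployment gate rather than relying on flow telemetry to surface the gap after the fact.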

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


User-defined Event

Continuing within the same screen, users can create alerts to notify internal and external entities of any changes. The alert feature is available through any view that displays the alert icon. Although the alert can be configured for this lab, the results will not be actioned as this is static data only. This section will show how easy it is to report on any firewall rule membership changes. The option for alerting will be immediately, within 1 hour, or as a daily digest.

1. Click the Notifications icon to create an event. The notifications screen will pop up.
2. Notification and parameters can be adjusted as required. Populate them with your own preference, as we will need to have information in order to save the alert and view it in later steps.
3. Once completed, click Save.

Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The event that you created can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is listed in this section, as it was based on the original search and alert notification Firewall rule membership change).
3. Info only - do not click - View, Edit or Activate any notifications.

Note that we have 2 types of notification: User-defined and System Events.

4. Click the System Events.

System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 2 - 360 degree Visibility across Virtual and Physical Networks

(45 minutes)

Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies the determination of problems as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search

360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.
2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard we can also do manual searches.

Do not change any parameters in the search field and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.
2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the virtual machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the virtual machine details in it. This information includes a lot of details made available by VMware Tools. We can for example see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the chassis and the blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the switch port for the VM.

Switch Port

A pop-up box will appear that contains the switch port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The firewall rules shown are the ones applicable between the two objects we searched for: a normal network will probably have thousands of firewall rules, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same types of component as we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse over) the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in previous steps) are an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it hits on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

HOL-1829-01-NET

Page 75HOL-1829-01-NET

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM One Firewall from Palo Alto andone Firewall from NSX We are now going to look into the details of the lower Firewall

1 From the map click on the icon marked by a red square to access the PaloAlto Firewall details (the lower one of the two)

Firewall - PAN

HOL-1829-01-NET

Page 76HOL-1829-01-NET

In this scenario we also have an Palo Alto VM based offloading firewall The redirectfeature allows firewall rules to be transferred between the NSX firewall and the PANFirewall

1 When done reviewing click on the (X) in the top right corner of the pop up box

Reversing the analysis

1 In the section marked by a red square in the picture click on the arrowpointing left

The route on the map will change

HOL-1829-01-NET

Page 77HOL-1829-01-NET

Reversing the analysis continued

A - The analysis will now be done in the opposite direction Please note that the pathnow changes Instead of going through Provider-Edge 3 the traffic is now routedthrough Provider-Edge 2 This is exactly as the traffic will work in the real life

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section, on the right side of the VM Path topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path topology) shows all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module to have a look at other components before continuing to the next module.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual understanding of the topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means that a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
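Added example (not part of the lab manual or of the vRNI product): a small Python model of the CRM scenario described in the AWS Configuration steps and the three firewall queries above, which checks the intended tier-to-tier flows against an AWS-style security-group rule set and reproduces the query results offline. It assumes the AWS rules are stateful security groups with group-to-group references; the group names, the extra instances crm-web2, crm-app1 and crm-app2, the jump-box name and the rule set itself are constructed so that the counts match the lab (5 flows to aws-log-server: 4 Allow and 1 Deny; 3 rules for crm-web1, 2 for crm-database).

```python
"""Offline model of the Module 4 CRM scenario: AWS-style security-group rules
checked against the intended tier-to-tier flows. Everything below is constructed
to mirror the lab's description; it is not an export from any AWS account."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    group: str      # security group that owns the rule
    direction: str  # "inbound" or "outbound"
    protocol: str   # "tcp" or "udp"
    port: int
    peer: str       # peer security group (SG-to-SG reference)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    port: int

# Instance -> security group (constructed; groups follow the lab's tiers).
SG_OF = {
    "jump-box": "sg-jump",
    "crm-web1": "sg-web", "crm-web2": "sg-web",
    "crm-app1": "sg-app", "crm-app2": "sg-app",
    "crm-database": "sg-db",
    "aws-DNS-Server": "sg-dns",
    "aws-log-server": "sg-log",
}

# Rule set as the administrator configured it (constructed). The inbound syslog
# rules on sg-log deliberately omit sg-db: that is the gap the lab's queries find.
RULES = [
    Rule("sg-jump", "outbound", "tcp", 80, "sg-web"),
    Rule("sg-web", "inbound", "tcp", 80, "sg-jump"),
    Rule("sg-web", "outbound", "tcp", 8080, "sg-app"),
    Rule("sg-app", "inbound", "tcp", 8080, "sg-web"),
    Rule("sg-app", "outbound", "tcp", 3306, "sg-db"),
    Rule("sg-db", "inbound", "tcp", 3306, "sg-app"),
]
for tier in ("sg-web", "sg-app", "sg-db"):
    RULES += [Rule("sg-jump", "outbound", "tcp", 22, tier),  # ssh from the jump-box
              Rule(tier, "inbound", "tcp", 22, "sg-jump"),
              Rule(tier, "outbound", "udp", 53, "sg-dns"),   # dns
              Rule("sg-dns", "inbound", "udp", 53, tier),
              Rule(tier, "outbound", "tcp", 514, "sg-log"),  # syslog over tcp and udp
              Rule(tier, "outbound", "udp", 514, "sg-log")]
for tier in ("sg-web", "sg-app"):  # no matching inbound entry for sg-db
    RULES.append(Rule("sg-log", "inbound", "udp", 514, tier))

def missing_sides(flow, rules=RULES):
    """Sides of a flow that no rule covers. Security groups are default-deny and
    stateful, so a flow needs an outbound rule on the source group AND an inbound
    rule on the destination group; an empty list means the flow is allowed."""
    src_sg, dst_sg = SG_OF[flow.src], SG_OF[flow.dst]
    missing = []
    if Rule(src_sg, "outbound", flow.protocol, flow.port, dst_sg) not in rules:
        missing.append("outbound")
    if Rule(dst_sg, "inbound", flow.protocol, flow.port, src_sg) not in rules:
        missing.append("inbound")
    return missing

def firewall_action(flow, rules=RULES):
    """ALLOW/DENY for one flow, as the lab's 'firewall action of flows' query shows it."""
    return "DENY" if missing_sides(flow, rules) else "ALLOW"

def action_summary(dst, flows, rules=RULES):
    """ALLOW/DENY counts over all observed flows towards dst (the lab's first query)."""
    return Counter(firewall_action(f, rules) for f in flows if f.dst == dst)

def rules_between(src, dst, rules=RULES):
    """Rules relevant to src -> dst, like the lab's
    'aws firewall rule where src vm = X and dst vm = Y' query."""
    src_sg, dst_sg = SG_OF[src], SG_OF[dst]
    return [r for r in rules
            if (r.group == src_sg and r.direction == "outbound" and r.peer == dst_sg)
            or (r.group == dst_sg and r.direction == "inbound" and r.peer == src_sg)]

# Observed syslog flows towards the log server (constructed): two web and two app
# instances plus the database, mirroring the lab's 4 Allow / 1 Deny result.
OBSERVED = [Flow(src, "aws-log-server", "udp", 514)
            for src in ("crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database")]

if __name__ == "__main__":
    print(dict(action_summary("aws-log-server", OBSERVED)))
    for f in OBSERVED:
        if firewall_action(f) == "DENY":
            print(f"DENY {f.src} -> {f.dst} {f.protocol}/{f.port}: "
                  f"no {' and '.join(missing_sides(f))} rule")
    for src in ("crm-web1", "crm-database"):
        print(f"{src} -> aws-log-server: {len(rules_between(src, 'aws-log-server'))} rules")
```

The model names which half of the rule pair is absent, so the fix is unambiguous: an inbound udp/514 entry from sg-db on the log server's group, not another outbound rule on the database.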


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226



Settings

You can view any of your previously configured User-defined Events in order to edit or activate the event parameters by using the Settings page. Changes can be configured to notify members of the event group based on the user preference. The event that you created earlier can now be tracked by using the search bar at the top of the screen.

1. Click in the search bar and type Settings.
2. Click User-defined Events (your alert is noted in this section, as it was based on the original search and alert notification "Firewall rule membership change").
3. Info only - do not click - View, Edit, Activate any notifications.

Note that we have two types of notification: User-defined and System Events.

4. Click the System Events.


System Notifications

System Events consist of 103 default alerts that are pre-configured. Scroll down the list to see all the options and what is deemed to be a standard system event notification.

Each notification can be used to alert administrators or users of that group. By default, all System Notifications are set to never notify (this can be changed to immediately, within 1 hour, or as a daily digest).

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps in order to facilitate micro-segmentation. This module further demonstrated how we achieve day-zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change
• Ubiquity: Security must be available everywhere
• Extensibility: Security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination as well as visibility of the firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field
2. Click Maximize

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, for example when we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as its Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two)


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two)

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved

2. The VM Underlay path topology is shown here
3. The components are labeled under Path Details


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges

2. For each edge/VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses

1. From the previous step we selected the Prod-DB-2 Virtual Machine
2. This changes the focus to the corresponding Interface IP Address (VNIC)
3. The visual map (Path topology) shows all the path objects
4. Path details shows the labels and lists the components

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight page at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers)
2. Click Search

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information


Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order)


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state


Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section

1. Click and select Warning/Moderate to view problem areas

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of Logical networking out of sync between host and NSX Controller


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab

2. When finished, click the "Return to the lab" link to continue with this lab


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically)


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premise instance of vRealize Network Insight managing AWS
2. There are two VPCs, i.e. CRM and Common Services


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box

5. Web tier talks to App tier on port 8080
6. App tier talks to DB tier on port 3306
7. Web tier is open for internal datacenter VMs on port 80
8. From the Jump-box in VPC CRM, all virtual machines have ssh access on port 22
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 on VPC Common Services
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3. App (App tier talks to DB tier on port 3306)
4. DB (DB tier talks to Log Servers) - This is the problem area we are going to explore

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App


1. The App tier talks to DB tier on Port 3306
2. Click X to continue


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB


1. The App tier talks to DB tier on Port 3306
2. Click X to continue


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App


1. DC Virtual (jump box) talks to App tier on Port 22
2. Click X to continue


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual


1. The App tier talks to Shared Virtual on Port 53 and 514 respectively
2. Click X to continue


1. Hover over the DB Micro-segment
2. Click on Keep Focus
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service)

2. Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click
2. Select Duplicate from the menu

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB)

2. Click Search
3. Click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click
2. Select Duplicate from the menu


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server

1. In the Chrome web browser, right-click
2. Select Duplicate from the menu

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server
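The CRM communication matrix from the AWS configuration steps and the three firewall queries above, worked through offline as an added Python example that is not part of this lab or of vRealize Network Insight. It models AWS security groups as allow-only rules that must permit a flow outbound at the source and inbound at the destination, with a constructed flow log and a constructed rule set in which the inbound rule on aws-log-server from crm-database is missing; VM names other than crm-web1, crm-database, aws-DNS-Server and aws-log-server, the extra port 6514 rule and all flow records are constructed.

```python
"""Policy-vs-flow check for the lab's three-tier CRM application.

Added example (not HOL-1829-01-NET or vRNI code). It encodes the intended
communication matrix from the AWS configuration steps, constructs a flow
log and a set of security-group rules with the one rule the lab's admin
forgot, and reproduces the reasoning of the three firewall queries.
"""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst port")
Rule = namedtuple("Rule", "direction src dst port")  # security groups are allow-only

# Tier membership (crm-web2, crm-app1, crm-app2 and dc-jumpbox are constructed)
TIERS = {
    "Web": ["crm-web1", "crm-web2"],
    "App": ["crm-app1", "crm-app2"],
    "DB": ["crm-database"],
    "DC Virtual": ["dc-jumpbox"],
}
CRM_TIERS = ("Web", "App", "DB")
SYSLOG, DNS, HTTP, APP, MYSQL, SSH = 514, 53, 80, 8080, 3306, 22


def intended_flows():
    """Intended matrix from steps 3-10 of the lab's AWS configuration."""
    want = set()

    def add(src_tier, dst_vms, port):
        for s in TIERS[src_tier]:
            for d in dst_vms:
                want.add(Flow(s, d, port))

    add("DC Virtual", TIERS["Web"], HTTP)      # internal users via the jump box
    add("Web", TIERS["App"], APP)
    add("App", TIERS["DB"], MYSQL)
    for tier in CRM_TIERS:
        add("DC Virtual", TIERS[tier], SSH)    # ssh from the jump box to every VM
        add(tier, ["aws-DNS-Server"], DNS)     # Common Services VPC
        add(tier, ["aws-log-server"], SYSLOG)
    return want


def constructed_rules():
    """Rules as the lab's admin configured them: every intended flow is allowed
    outbound at the source and inbound at the destination, except that the
    inbound rule on aws-log-server from crm-database was never added. A
    constructed extra outbound rule on 6514 (syslog over TLS) reproduces the
    rule counts the lab's queries report (3 for crm-web1, 2 for crm-database)."""
    rules = set()
    for f in intended_flows():
        rules.add(Rule("outbound", f.src, f.dst, f.port))
        if not (f.src == "crm-database" and f.dst == "aws-log-server"):
            rules.add(Rule("inbound", f.src, f.dst, f.port))
        if f.dst == "aws-log-server":
            rules.add(Rule("outbound", f.src, f.dst, 6514))
    return rules


def firewall_action(flow, rules):
    """A flow passes only if the source group allows it outbound AND the
    destination group allows it inbound; with no matching rule it is denied."""
    out_ok = Rule("outbound", flow.src, flow.dst, flow.port) in rules
    in_ok = Rule("inbound", flow.src, flow.dst, flow.port) in rules
    return "ALLOW" if out_ok and in_ok else "DENY"


# Constructed flow log: one record per conversation vRNI would have collected
FLOW_LOG = [
    Flow("dc-jumpbox", "crm-web1", HTTP),
    Flow("crm-web1", "crm-app1", APP),
    Flow("crm-app1", "crm-database", MYSQL),
    Flow("dc-jumpbox", "crm-app1", SSH),
    Flow("crm-app1", "aws-DNS-Server", DNS),
    Flow("crm-database", "aws-DNS-Server", DNS),
] + [Flow(vm, "aws-log-server", SYSLOG) for t in CRM_TIERS for vm in TIERS[t]]


def firewall_action_of_flows(dst_vm, flows=FLOW_LOG, rules=None):
    """Query 1: 'firewall action of flows where dst vm = <dst_vm>'."""
    rules = constructed_rules() if rules is None else rules
    return Counter(firewall_action(f, rules) for f in flows if f.dst == dst_vm)


def aws_firewall_rules(src_vm, dst_vm, rules=None):
    """Queries 2 and 3: 'aws firewall rule where src vm = X and dst vm = Y'."""
    rules = constructed_rules() if rules is None else rules
    return sorted(r for r in rules if r.src == src_vm and r.dst == dst_vm)


def blocked_intended_flows(rules=None):
    """Intended flows that the configured rules would deny: the gap to fix."""
    rules = constructed_rules() if rules is None else rules
    return sorted(f for f in intended_flows() if firewall_action(f, rules) == "DENY")
```

Adding the missing inbound rule to the rule set and re-running blocked_intended_flows() returns an empty list, which is the check an administrator would apply after fixing the security group.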


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

Table of Contents

• Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
  • Lab Guidance
    • Location of the Main Console
    • Alternate Methods of Keyboard Data Entry
    • Click and Drag Lab Manual Content Into Console Active Window
    • Accessing the Online International Keyboard
    • Click once in active console window
    • Click on the key
    • vRealize Network Insight - Navigation
    • Activation Prompt or Watermark
    • Look at the lower right portion of the screen
• Module 1 - Micro-Segmentation and Security (30 minutes)
  • Introduction
  • Micro-Segmentation Introduction
    • Lab Status Check
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • Plan Security
    • Plan Security - Specify a Preset
    • Overview - Traffic Distribution (Left Pane)
    • Traffic Distribution - Overview (Right pane)
    • East-West (EW) - Traffic
    • East-West (EW) - Detailed view
    • Services/Ports
    • Services/Ports - Time line view
    • Services/Ports - Point in Time Service
    • Flows for Port 5443
    • Flow Key Properties - Timeline view
    • Flow Key Properties - Timeline view
    • Micro-Segments
    • Focus - 101780 Network
    • Focus - VLAN/VXLAN
    • Focus - Prod-Web (25)
    • Flows - Prod-Web to Prod-Midtier
    • Flows - Recommended Firewall Rules
    • Multiple Ports and Firewall rules for Prod-web
    • Services and Flows for Prod-Web
    • Application-Centric Micro-Segmentation
    • Define an Application
    • Security Group Prod_MidTier
    • Results - PROD_MIDTIER
    • Security Group Prod_MidTier - Timeline
    • Security Group Firewall Topology
    • Tracking Prod_MidTier
    • Lab-Midtier
    • Firewall Rule - Tracking
    • Port Search
    • Export Firewall Rules
    • Firewall Rule Membership Change
    • Audit Rule - Firewall Rule Membership Changes
    • User-defined Event
    • Settings
    • System Notifications
  • Conclusion
    • For More Information
    • How to End Lab
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
  • Introduction
  • 360 Network Visibility and Troubleshooting
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • Path and Topology
    • Path - Select source and destination
    • Path - source and destination continued
    • Path - source and destination continued
    • Searching for path
    • VM Path Topology and VM Underlay
    • VM Path Topology - Path Details
    • Component Overview
    • Virtual Machine - Details
    • Physical ESXi Hosts
    • Host - Details
    • DVPG on the map
    • DVPG
    • VLAN-629 on the map
    • VLAN Network
    • Switch ports on the map
    • Switch Port
    • Physical VRF on the map
    • VRF - Physical Switch
    • VRF - continued
    • VRF - Physical Router
    • VRF - continued
    • VRF - Physical Switch
    • Accessing the virtual infrastructure
    • VRF - NSX Provider Edge 1
    • VXLAN on the map
    • VXLAN Network
    • VRF - LDR
    • VRF - LDR-Corporate
    • Routing - NSX Firewall
    • Firewall - NSX
    • Redirect on the map - PAN Firewall
    • Firewall - PAN
    • Reversing the analysis
    • Reversing the analysis continued
    • VM Underlay
  • Conclusion
    • For More Information
    • How to End Lab
• Module 3 - Advanced NSX Management & Operations (45 minutes)
  • Introduction
  • NSX Advanced Management Operations
    • Lab Status Check
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • Search Bar - NSX Manager
    • NSX Manager Information
    • Timeline - Visual Build-up
    • Topology - Focus on the NSX Controller
    • NSX Controller - Detail
    • Topology - Explained
    • Provider Edge
    • Routers Provider Edge 4
    • Return to Search View - NSX Manager
    • Infrastructure Problems - Warning Moderate
    • Warning/Moderate Issues
    • Warning/Moderate Issues (Continued)
  • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
  • Conclusion
    • For More Information
    • How to End Lab
• Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
  • Introduction
  • Introduction to Managing Security for Public Clouds (AWS)
    • Lab Status Check
    • Open Google Chrome
    • Select vRealize Network Insight Favorite
    • vRealize Network Insight - Login Screen
    • AWS Configuration
    • Plan Security - AWS Cloud
    • Exploring the Three Tier Application - Step by Step
    • Firewall Queries for CRM Application
  • Conclusion
    • For More Information
    • How to End Lab
• Conclusion

System Notifications

System Events consist of 103 pre-configured default alerts. Scroll down the list to see all the options and what is deemed a standard system event notification.

Each notification can be used to alert administrators or the users of that group. By default all System Notifications are set to never notify; this can be changed to immediately, within 1 hour, or as a daily digest. Because the default is never, none of these events reach anyone until the cadence is changed, so treat setting it as part of the initial deployment rather than as an optional tweak.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. The module further demonstrated how to achieve day-zero readiness and to track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

• Persistence: Security must be consistent in the face of constant change.
• Ubiquity: Security must be available everywhere.
• Extensibility: Security must adapt to new situations.

For additional information about the functionality showcased in this module visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module. Please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface that simplifies problem determination as well as the visibility of firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module uses the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will focus only on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will appear automatically.

1. Type prod in the destination field and the list of available options will appear.
2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also run manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) involved in the VM-to-VM network path and provides the complete routing and NAT information.
2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network: the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square: the virtual machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the virtual machine details. This includes many details made available by VMware Tools; for example, we can see network information and the physical host.

A - Spend some time getting an overview of the information available in this view.

B - Note that the Firewall Status indicates Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear instead. Treat Unknown as an absence of data rather than as a healthy state: it tells you the VM is not covered by the NSX distributed firewall, not that it is protected by something else.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available for the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host: the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled. The flow data that the traffic analysis in this lab relies on comes from IPFIX exported by the distributed switch, so a port group with IPFIX disabled is a blind spot in the flow view.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we see the routing table as well as firewall rules. The firewall rules shown are only the rules applicable between the two objects we searched for: a normal network will probably have thousands of firewall rules, but these are the ones affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, for example while changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kind of components we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones already discussed.

A - Hover the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in the previous steps) are an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, as well as the Hosts and VTEPs.

D - Hover the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach the in-kernel network.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes the traffic to a different interface: the interface on the Prod-DB network, which is the next step in the path (this is illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown by the arrows).

The first device it hits on the virtual network of that physical host is the firewall. Notice that there are two firewalls next to the VM: one from Palo Alto and one from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the upper one of the two).

Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available for the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

There are two firewalls next to the VM: one from Palo Alto and one from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based firewall to which traffic is offloaded. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life. An asymmetric path like this matters for security as well as for troubleshooting: a stateful firewall that sits on only one of the two paths sees just one direction of the conversation.

Please continue to the next step to conclude this module.
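Two things this module has shown can be reproduced with a small model: the Palo Alto hop displayed only the firewall rules that apply to the pair of VMs we searched for, and the reverse analysis showed the return traffic leaving through a different edge. The following is an added example written for this page, not code from the lab or from vRealize Network Insight. It follows longest-prefix-match routing hop by hop, keeps only the rules on devices in the computed path that match the two endpoints, and reports which hops appear in one direction only. The device names, route tables, addresses and rules are all constructed, and the choice of Provider-Edge-1 for the forward path and Provider-Edge-2 for the return path is an assumption made to mirror the lab, not its real topology.

```python
"""Trace a VM-to-VM path across routed hops and collect only the firewall rules
that apply to that pair of endpoints.

Added example for this page; not code from the lab or from vRealize Network Insight.
Device names, routes, addresses and rules are constructed to resemble the lab
scenario (DBAdmin-VM1 -> Prod-Db-2) and are assumptions, not the lab's real data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: Optional[str]        # None means the prefix is directly connected


@dataclass(frozen=True)
class FwRule:
    src: str                       # source prefix
    dst: str                       # destination prefix
    action: str                    # "allow" or "deny"; first match wins


@dataclass
class Node:
    routes: List[Route]
    firewall: List[FwRule] = field(default_factory=list)


SRC_IP, DST_IP = "10.1.29.10", "10.2.50.20"   # DBAdmin-VM1, Prod-Db-2 (assumed addresses)

# Constructed topology: physical VRFs, two NSX edges, the distributed router and the
# distributed firewall enforced at Prod-Db-2's vNIC on its ESXi host.
TOPOLOGY: Dict[str, Node] = {
    "nexus7k":         Node([Route("10.1.29.0/24", None), Route("0.0.0.0/0", "pan-router")]),
    "pan-router":      Node([Route("10.2.0.0/16", "arista"), Route("10.1.0.0/16", "nexus7k")],
                            [FwRule("10.1.29.0/24", "10.2.50.0/24", "allow"),
                             FwRule("10.1.0.0/16", "10.9.0.0/16", "deny"),
                             FwRule("0.0.0.0/0", "0.0.0.0/0", "deny")]),
    "arista":          Node([Route("10.2.50.0/24", "provider-edge-1"), Route("10.1.0.0/16", "pan-router")]),
    "provider-edge-1": Node([Route("10.2.0.0/16", "ldr-corporate"), Route("10.1.0.0/16", "arista")],
                            [FwRule("0.0.0.0/0", "0.0.0.0/0", "allow")]),
    "provider-edge-2": Node([Route("10.2.0.0/16", "ldr-corporate"), Route("10.1.0.0/16", "arista")],
                            [FwRule("0.0.0.0/0", "0.0.0.0/0", "allow")]),
    # The LDR sends return traffic via the other edge: the path is asymmetric by design here.
    "ldr-corporate":   Node([Route("10.2.50.0/24", "dfw-prod-db-2"), Route("0.0.0.0/0", "provider-edge-2")]),
    "dfw-prod-db-2":   Node([Route("10.2.50.0/24", None), Route("0.0.0.0/0", "ldr-corporate")],
                            [FwRule("10.1.29.0/24", "10.2.50.20/32", "allow"),
                             FwRule("10.2.0.0/16", "10.2.50.0/24", "allow"),
                             FwRule("0.0.0.0/0", "10.2.50.0/24", "deny")]),
}


def lpm(node: Node, ip: str) -> Optional[Route]:
    """Longest-prefix-match lookup, the decision a router makes per packet."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for route in node.routes:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def trace(topology: Dict[str, Node], first_hop: str, dst_ip: str, max_hops: int = 16) -> List[str]:
    """Follow LPM decisions hop by hop until the destination prefix is directly connected."""
    path, current = [], first_hop
    for _ in range(max_hops):
        path.append(current)
        route = lpm(topology[current], dst_ip)
        if route is None:
            raise LookupError(f"{current} has no route to {dst_ip}")
        if route.next_hop is None:
            return path
        current = route.next_hop
    raise LookupError("hop limit exceeded; probable routing loop")


def _matches(rule: FwRule, src_ip: str, dst_ip: str) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))


def applicable_rules(topology, path, src_ip, dst_ip) -> List[Tuple[str, FwRule]]:
    """Of every rule on every device, keep only those on devices in the path that
    match this src/dst pair: the subset an operator actually needs to read."""
    return [(hop, rule) for hop in path for rule in topology[hop].firewall
            if _matches(rule, src_ip, dst_ip)]


def verdicts(topology, path, src_ip, dst_ip) -> Dict[str, Optional[str]]:
    """First-match verdict per enforcing hop; None means no rule matched and the
    device's implicit default applies."""
    out = {}
    for hop in path:
        if topology[hop].firewall:
            hit = next((r for r in topology[hop].firewall if _matches(r, src_ip, dst_ip)), None)
            out[hop] = hit.action if hit else None
    return out


def asymmetric_hops(forward: List[str], reverse: List[str]) -> set:
    """Devices seen in only one direction; a stateful firewall there sees half the conversation."""
    return set(forward) ^ set(reverse)


if __name__ == "__main__":
    fwd = trace(TOPOLOGY, "nexus7k", DST_IP)
    rev = trace(TOPOLOGY, "dfw-prod-db-2", SRC_IP)
    print("forward:", " -> ".join(fwd))
    print("reverse:", " -> ".join(rev))
    for hop, rule in applicable_rules(TOPOLOGY, fwd, SRC_IP, DST_IP):
        print(f"  {hop}: {rule.src} -> {rule.dst} {rule.action}")
    print("verdicts:", verdicts(TOPOLOGY, fwd, SRC_IP, DST_IP))
    print("one-direction hops:", sorted(asymmetric_hops(fwd, rev)))
```

Of the eight constructed rules only five sit on devices in the forward path and match both addresses, which is the reduction the Palo Alto hop's detail pane performed for us. The one-direction set is the list of places to check when a stateful firewall drops a session it never saw the start of.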


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 virtual machine,
2. which changes the focus to the corresponding interface IP address (vNIC);
3. the visual map (Path Topology) shows all the path objects;
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight can trace the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components used in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore the information only; do not click.

• A - Starting with the Timeline, we can manipulate the results simply by dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual understanding of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues in NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, which can be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This highlights a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means that a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 1 (Application-Centric Micro-Segmentation).


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally)
3. App (the App tier talks to the DB tier on port 3306)
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.
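The check the lab performs by clicking through the DB micro-segment's flows can also be run over raw AWS VPC Flow Log records, the native AWS source for this kind of flow data. The following Python example is added here and is not part of the lab or of vRealize Network Insight. The instance addresses, ENI ids and log lines are constructed to mirror the CRM setup described above (the lab does not give them), and the expected service matrix is taken from the lab's description of the application. It reports every expected tier-to-tier service that is either absent from the log or only ever seen as REJECT, which is exactly the DB-to-syslog gap the lab uncovers.

```python
"""Check expected CRM tier-to-tier services against VPC Flow Log records.

Added example; the addresses, ENI ids and log lines below are constructed
to mirror the lab's description, not captured from the lab environment.
"""
from collections import defaultdict

# Assumed instance addresses for the lab's tiers (hypothetical).
TIER_OF_IP = {
    "10.10.1.10": "web", "10.10.2.10": "app", "10.10.3.10": "db",
    "10.10.0.5": "jumpbox",
    "10.20.0.53": "dns", "10.20.0.14": "logserver",
}

# Expected services, from the lab's description of the CRM application:
# (source tier, destination tier, destination port)
EXPECTED = {
    ("jumpbox", "web", 80), ("web", "app", 8080), ("app", "db", 3306),
    ("jumpbox", "web", 22), ("jumpbox", "app", 22), ("jumpbox", "db", 22),
    ("web", "dns", 53), ("app", "dns", 53), ("db", "dns", 53),
    ("web", "logserver", 514), ("app", "logserver", 514), ("db", "logserver", 514),
}

# Default VPC Flow Logs (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (protocol 6 = TCP, 17 = UDP); not real captures.
SAMPLE_LOG = """\
2 123456789012 eni-0a 10.10.0.5 10.10.1.10 51000 80 6 10 1200 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0b 10.10.1.10 10.10.2.10 51001 8080 6 20 4000 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0c 10.10.2.10 10.10.3.10 51002 3306 6 30 9000 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0a 10.10.0.5 10.10.1.10 51003 22 6 5 600 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0a 10.10.0.5 10.10.2.10 51004 22 6 5 600 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0a 10.10.0.5 10.10.3.10 51005 22 6 5 600 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0b 10.10.1.10 10.20.0.53 51006 53 17 2 200 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0c 10.10.2.10 10.20.0.53 51007 53 17 2 200 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0d 10.10.3.10 10.20.0.53 51008 53 17 2 200 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0b 10.10.1.10 10.20.0.14 51009 514 17 4 800 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0c 10.10.2.10 10.20.0.14 51010 514 17 4 800 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0d 10.10.3.10 10.20.0.14 51011 514 17 1 120 1507000000 1507000060 REJECT OK
"""


def parse_flow_log(text):
    """Yield a dict per well-formed record; skip NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        yield rec


def observed_services(records):
    """Map (src tier, dst tier, dst port) -> set of actions seen for it."""
    seen = defaultdict(set)
    for r in records:
        src = TIER_OF_IP.get(r["srcaddr"])
        dst = TIER_OF_IP.get(r["dstaddr"])
        if src is None or dst is None:
            continue  # traffic outside the modelled tiers
        seen[(src, dst, int(r["dstport"]))].add(r["action"])
    return seen


def find_gaps(text=SAMPLE_LOG, expected=EXPECTED):
    """Return sorted (src, dst, port, status) tuples for expected services
    that never appear ("missing") or are never accepted ("rejected")."""
    seen = observed_services(parse_flow_log(text))
    gaps = []
    for svc in expected:
        actions = seen.get(svc, set())
        if not actions:
            gaps.append(svc + ("missing",))
        elif "ACCEPT" not in actions:
            gaps.append(svc + ("rejected",))
    return sorted(gaps)


if __name__ == "__main__":
    for src, dst, port, status in find_gaps():
        print(f"{src} -> {dst}:{port} {status}")
```

Running the block prints the single gap, db -> logserver:514 rejected. Distinguishing "rejected" from "missing" matters in practice: a REJECT record means the DB is trying and a security group or network ACL is dropping it, whereas "missing" means the client never sent anything, which points at the DB host's syslog configuration rather than at AWS.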

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This returns 5 results: 4 Allow (for the web and mid tiers) and 1 Deny (for the DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right click the tab.
2. Select Duplicate from the menu.


1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This returns 3 results: 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This returns 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
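AWS security groups are stateful, and a new connection is permitted only if the source instance's group has a matching outbound rule and the destination instance's group has a matching inbound rule. That is why the two rule queries above are decisive: crm-web1 matched an inbound rule on aws-log-server, while crm-database matched only outbound rules on its own side. The following Python example is added here and is not part of the lab or of vRNI. Its security groups, addresses and the instance names not used by the lab (crm-app1, jump-box) are a hypothetical reconstruction of the lab's CRM and Common Services setup, with the DB-to-log-server inbound rule deliberately absent; the rule counts need not match the lab's. It evaluates a flow against both groups and reports which side blocks it.

```python
"""Evaluate a flow against AWS-style security groups and name the blocking side.

Added example; the groups below are a hypothetical reconstruction of the
lab's CRM / Common Services setup, not exported from AWS or vRNI.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    peer: str        # CIDR, or a security group id such as "sg-web"


@dataclass
class SecurityGroup:
    sg_id: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    sg: SecurityGroup


def _rule_matches(rule, proto, port, peer_ip, peer_sg_id):
    """A rule matches on protocol, port range and peer (SG reference or CIDR)."""
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.peer.startswith("sg-"):
        return rule.peer == peer_sg_id
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)


def evaluate_flow(src, dst, proto, port):
    """Stateful SG semantics: the source needs an egress match and the
    destination an ingress match. Returns (allowed, reason)."""
    out_ok = any(_rule_matches(r, proto, port, dst.ip, dst.sg.sg_id) for r in src.sg.egress)
    in_ok = any(_rule_matches(r, proto, port, src.ip, src.sg.sg_id) for r in dst.sg.ingress)
    if out_ok and in_ok:
        return True, "allowed"
    blocked = []
    if not out_ok:
        blocked.append(f"no egress rule on {src.sg.sg_id} ({src.name})")
    if not in_ok:
        blocked.append(f"no ingress rule on {dst.sg.sg_id} ({dst.name})")
    return False, "; ".join(blocked)


def build_lab():
    """Hypothetical reconstruction of the lab's groups. The inbound rule on the
    log server's group for the DB group is deliberately absent."""
    sg_web, sg_app, sg_db = SecurityGroup("sg-web"), SecurityGroup("sg-app"), SecurityGroup("sg-db")
    sg_jump, sg_dns, sg_log = SecurityGroup("sg-jump"), SecurityGroup("sg-dns"), SecurityGroup("sg-log")
    sg_web.ingress += [Rule("tcp", 80, 80, "sg-jump"), Rule("tcp", 80, 80, "10.0.0.0/8"),
                       Rule("tcp", 22, 22, "sg-jump")]
    sg_app.ingress += [Rule("tcp", 8080, 8080, "sg-web"), Rule("tcp", 22, 22, "sg-jump")]
    sg_db.ingress += [Rule("tcp", 3306, 3306, "sg-app"), Rule("tcp", 22, 22, "sg-jump")]
    sg_dns.ingress += [Rule("udp", 53, 53, p) for p in ("sg-web", "sg-app", "sg-db")]
    sg_log.ingress += [Rule("udp", 514, 514, "sg-web"), Rule("udp", 514, 514, "sg-app")]  # sg-db missing
    for sg in (sg_web, sg_app, sg_db):
        sg.egress += [Rule("udp", 53, 53, "sg-dns"), Rule("udp", 514, 514, "sg-log")]
    sg_web.egress.append(Rule("tcp", 8080, 8080, "sg-app"))
    sg_app.egress.append(Rule("tcp", 3306, 3306, "sg-db"))
    sg_jump.egress.append(Rule("-1", 0, 0, "10.10.0.0/16"))
    return {
        "crm-web1": Instance("crm-web1", "10.10.1.10", sg_web),
        "crm-app1": Instance("crm-app1", "10.10.2.10", sg_app),
        "crm-database": Instance("crm-database", "10.10.3.10", sg_db),
        "jump-box": Instance("jump-box", "10.10.0.5", sg_jump),
        "aws-DNS-Server": Instance("aws-DNS-Server", "10.20.0.53", sg_dns),
        "aws-log-server": Instance("aws-log-server", "10.20.0.14", sg_log),
    }


def check(src_name, dst_name, proto, port, inventory=None):
    """Evaluate one named flow against the (default: reconstructed lab) inventory."""
    inventory = inventory or build_lab()
    return evaluate_flow(inventory[src_name], inventory[dst_name], proto, port)


if __name__ == "__main__":
    for s, d, pr, p in [("crm-web1", "aws-log-server", "udp", 514),
                        ("crm-database", "aws-log-server", "udp", 514),
                        ("crm-database", "aws-DNS-Server", "udp", 53)]:
        print(f"{s} -> {d}:{p}/{pr}", check(s, d, pr, p))
```

The second line of output names the fix the lab points to: crm-database's own group already has the outbound rule (the two Outbound results above), so the missing piece is an inbound rule on aws-log-server's group permitting UDP 514 from the DB's group. Referencing the peer group id rather than an IP keeps the rule valid when the database instance is replaced.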


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226


• Table of Contents
• Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
  • Lab Guidance
    • Location of the Main Console
    • Alternate Methods of Keyboard Data Entry
    • Click and Drag Lab Manual Content Into Console Active Window
    • Accessing the Online International Keyboard
    • Click once in active console window
    • Click on the key
    • vRealize Network Insight - Navigation
    • Activation Prompt or Watermark
    • Look at the lower right portion of the screen
  • Module 1 - Micro-Segmentation and Security (30 minutes)
    • Introduction
    • Micro-Segmentation Introduction
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Plan Security
      • Plan Security - Specify a Preset
      • Overview - Traffic Distribution (Left Pane)
      • Traffic Distribution - Overview (Right pane)
      • East-West (EW) - Traffic
      • East-West (EW) - Detailed view
      • Services/Ports
      • Services/Ports - Time line view
      • Services/Ports - Point in Time Service
      • Flows for Port 5443
      • Flow Key Properties - Timeline view
      • Flow Key Properties - Timeline view
      • Micro-Segments
      • Focus - 101780 Network
      • Focus - VLAN/VXLAN
      • Focus - Prod-Web (25)
      • Flows - Prod-Web to Prod-Midtier
      • Flows - Recommended Firewall Rules
      • Multiple Ports and Firewall rules for Prod-web
      • Services and Flows for Prod-Web
      • Application-Centric Micro-Segmentation
      • Define an Application
      • Security Group Prod_MidTier
      • Results - PROD_MIDTIER
      • Security Group Prod_MidTier - Timeline
      • Security Group Firewall Topology
      • Tracking Prod_MidTier
      • Lab-Midtier
      • Firewall Rule - Tracking
      • Port Search
      • Export Firewall Rules
      • Firewall Rule Membership Change
      • Audit Rule - Firewall Rule Membership Changes
      • User-defined Event
      • Settings
      • System Notifications
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
    • Introduction
    • 360 Network Visibility and Troubleshooting
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Path and Topology
      • Path - Select source and destination
      • Path - source and destination continued
      • Path - source and destination continued
      • Searching for path
      • VM Path Topology and VM Underlay
      • VM Path Topology - Path Details
      • Component Overview
      • Virtual Machine - Details
      • Physical ESXi Hosts
      • Host - Details
      • DVPG on the map
      • DVPG
      • VLAN-629 on the map
      • VLAN Network
      • Switch ports on the map
      • Switch Port
      • Physical VRF on the map
      • VRF - Physical Switch
      • VRF - continued
      • VRF - Physical Router
      • VRF - continued
      • VRF - Physical Switch
      • Accessing the virtual infrastructure
      • VRF - NSX Provider Edge 1
      • VXLAN on the map
      • VXLAN Network
      • VRF - LDR
      • VRF - LDR-Corporate
      • Routing - NSX Firewall
      • Firewall - NSX
      • Redirect on the map - PAN Firewall
      • Firewall - PAN
      • Reversing the analysis
      • Reversing the analysis continued
      • VM Underlay
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 3 - Advanced NSX Management & Operations (45 minutes)
    • Introduction
    • NSX Advanced Management Operations
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Search Bar - NSX Manager
      • NSX Manager Information
      • Timeline - Visual Build-up
      • Topology - Focus on the NSX Controller
      • NSX Controller - Detail
      • Topology - Explained
      • Provider Edge
      • Routers Provider Edge 4
      • Return to Search View - NSX Manager
      • Infrastructure Problems - Warning Moderate
      • Warning/Moderate Issues
      • Warning/Moderate Issues (Continued)
    • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
    • Introduction
    • Introduction to Managing Security for Public Clouds (AWS)
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • AWS Configuration
      • Plan Security - AWS Cloud
      • Exploring the Three Tier Application - Step by Step
      • Firewall Queries for CRM Application
    • Conclusion
      • For More Information
      • How to End Lab
• Conclusion

Conclusion

Congratulations on completing Module 1.

In this module we introduced the minimum required steps to facilitate micro-segmentation. This module further demonstrated how we achieve day zero readiness and track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight highlighted the ease of acquiring network analysis and using it to automatically generate firewall rules for both green-field and brown-field deployments.

Key facts to remember, as demonstrated in this module:

• Persistence: security must be consistent in the face of constant change
• Ubiquity: security must be available everywhere
• Extensibility: security must adapt to new situations

For additional information about the functionality showcased in this module, visit www.vmware.com.

Please close the Chrome web browser.

This concludes this module; please continue to the next module.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface and simplifies problem determination as well as visibility into the firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic; in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the virtual machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the virtual machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear instead.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the chassis and the blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the switch port for the VM.


Switch Port

A pop-up box will appear that contains the switch port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as the firewall rules. The firewall rules shown are the ones applicable between the two objects we searched for: a normal network will probably have thousands of firewall rules, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, for example while changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse over) the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1 When done reviewing click on the (X) in the top right corner of the pop-up box


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as its Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will behave in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top of the rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. This shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers)
2. Click Search

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. On the vRealize Network Insight home screen, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306)
4. DB (DB tier talks to Log Servers) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on Port 3306
2. Click X to continue


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on Port 3306
2. Click X to continue


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on Port 22
2. Click X to continue


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively
2. Click X to continue


1. Hover over the DB Micro-segment
2. Click on Keep Focus
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. On the Chrome web browser, right click
2. Select Duplicate from the menu

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search
3. Click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. On the Chrome web browser, right click
2. Select Duplicate from the menu


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. On the Chrome web browser, right click
2. Select Duplicate from the menu

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
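The gap the three firewall queries above expose can also be checked programmatically. The following Python is an added example, not vRealize Network Insight or AWS code: it encodes the intended communication matrix from the AWS Configuration section, evaluates it against a constructed (made-up) set of AWS-style security group rules and against constructed flow records, and reports where the rule set or the observed flows fall short. The security group names, the rule set, the flow records and the choice of UDP for DNS and syslog are assumptions of this example.

```python
"""Micro-segmentation policy check for the lab's three-tier CRM application.

Added example; not vRNI or AWS code. The security group names, rules and
flow records below are constructed for illustration. AWS security groups
are stateful: a connection succeeds only if the source group permits it
outbound AND the destination group permits it inbound, so both sides are
checked for every intended flow.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    group: str       # security group the rule belongs to (constructed name)
    direction: str   # "outbound" or "inbound"
    proto: str       # "tcp" or "udp"
    port: int
    peer: str        # peer security group, or "ANY"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    purpose: str


TIERS = ("sg-crm-web", "sg-crm-app", "sg-crm-database")

# Intended flows, transcribed from the lab's "AWS Configuration" list.
# UDP for DNS and syslog is an assumption; the lab only gives port numbers.
INTENDED_FLOWS = [
    Flow("sg-jumpbox", "sg-crm-web", "tcp", 80, "internal users via jump-box"),
    Flow("sg-crm-web", "sg-crm-app", "tcp", 8080, "web to app"),
    Flow("sg-crm-app", "sg-crm-database", "tcp", 3306, "app to db"),
] + [Flow("sg-jumpbox", t, "tcp", 22, "ssh from jump-box") for t in TIERS] \
  + [Flow(t, "sg-aws-dns-server", "udp", 53, "dns") for t in TIERS] \
  + [Flow(t, "sg-aws-log-server", "udp", 514, "syslog to log server") for t in TIERS]

# Constructed rule set. It reproduces the lab's symptom: the database group
# has its outbound syslog rule, but the log server's inbound side was never
# given a matching rule for the database tier.
CONSTRUCTED_RULES = [
    Rule("sg-jumpbox", "outbound", "tcp", 22, "ANY"),
    Rule("sg-jumpbox", "outbound", "tcp", 80, "sg-crm-web"),
    Rule("sg-crm-web", "inbound", "tcp", 80, "sg-jumpbox"),
    Rule("sg-crm-web", "outbound", "tcp", 8080, "sg-crm-app"),
    Rule("sg-crm-app", "inbound", "tcp", 8080, "sg-crm-web"),
    Rule("sg-crm-app", "outbound", "tcp", 3306, "sg-crm-database"),
    Rule("sg-crm-database", "inbound", "tcp", 3306, "sg-crm-app"),
    Rule("sg-aws-dns-server", "inbound", "udp", 53, "ANY"),
    Rule("sg-aws-log-server", "inbound", "udp", 514, "sg-crm-web"),
    Rule("sg-aws-log-server", "inbound", "udp", 514, "sg-crm-app"),
] + [Rule(t, "inbound", "tcp", 22, "sg-jumpbox") for t in TIERS] \
  + [Rule(t, "outbound", "udp", 53, "sg-aws-dns-server") for t in TIERS] \
  + [Rule(t, "outbound", "udp", 514, "sg-aws-log-server") for t in TIERS]

# Constructed flow records, shaped like the per-segment flow lists inspected
# in the lab: every intended flow was seen except DB -> log server on 514.
OBSERVED_FLOWS = {
    (f.src, f.dst, f.proto, f.port) for f in INTENDED_FLOWS
    if not (f.src == "sg-crm-database" and f.port == 514)
}


def permitted(rules, group, direction, proto, port, peer):
    """True if `group` has a rule in `direction` allowing proto/port with peer."""
    return any(
        r.group == group and r.direction == direction and r.proto == proto
        and r.port == port and r.peer in ("ANY", peer)
        for r in rules
    )


def find_policy_gaps(intended, rules):
    """Return (flow, missing_side) for every intended flow the rules block.

    Checking only one side (as a single 'src vm = ...' query does) would miss
    a gap that lives on the other group, so both sides are reported.
    """
    gaps = []
    for f in intended:
        out_ok = permitted(rules, f.src, "outbound", f.proto, f.port, f.dst)
        in_ok = permitted(rules, f.dst, "inbound", f.proto, f.port, f.src)
        if out_ok and in_ok:
            continue
        missing = []
        if not out_ok:
            missing.append(f"outbound rule on {f.src}")
        if not in_ok:
            missing.append(f"inbound rule on {f.dst}")
        gaps.append((f, ", ".join(missing)))
    return gaps


def unobserved_flows(intended, observed):
    """Intended flows with no matching observed flow record."""
    return [f for f in intended if (f.src, f.dst, f.proto, f.port) not in observed]


if __name__ == "__main__":
    for f in unobserved_flows(INTENDED_FLOWS, OBSERVED_FLOWS):
        print(f"NO FLOW  {f.src} -> {f.dst} {f.proto}/{f.port} ({f.purpose})")
    for f, missing in find_policy_gaps(INTENDED_FLOWS, CONSTRUCTED_RULES):
        print(f"GAP      {f.src} -> {f.dst} {f.proto}/{f.port}: missing {missing}")
```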


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)


Introduction

vRealize Network Insight includes advanced analytics that can collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this via a smart user interface and simplifies problem determination as well as the visibility of firewall and network configurations.

This Module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology
2. Click on Path

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source
2. Type dba into the source field and DBAdmin-VM1 will appear
3. Click on DBAdmin-VM1 to select it


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.
2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. vRealize Network Insight shows only the firewall rules applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, for example when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kinds of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse over) the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as Hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge/VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path topology) shows all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual understanding of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.
2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter's VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
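The three queries above narrow the DB-to-syslog gap down to a missing allow rule. The following Python script is an added example, not part of this lab manual or of vRealize Network Insight: it encodes the CRM tier communication matrix listed under AWS Configuration as the intended flows, checks them against a hand-constructed allow-list of security-group rules from which the crm-database to aws-log-server rule on port 514 has been left out, and reproduces offline what the query "firewall action of flows where dst vm = aws-log-server" shows for that destination. The VM names crm-app1 and jump-box are hypothetical (the module does not name the App-tier instance or the jump box); crm-web1, crm-database, aws-log-server and aws-DNS-Server are the names used in this module, and the rule set is constructed for the example, not exported from the lab.

```python
"""Reconcile intended tier-to-tier traffic against security-group rules.

Added example (not part of the HOL manual or vRNI). The intended flows are
the CRM tier matrix stated in this module; the rules are constructed so
that the allow for crm-database -> aws-log-server:514 is missing, which is
the gap the lab's firewall queries uncover.
"""
from dataclasses import dataclass
from typing import Iterable

ANY = "*"  # wildcard source or destination in a constructed rule


@dataclass(frozen=True)
class Flow:
    src: str   # source VM name
    dst: str   # destination VM name
    port: int  # destination port


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port_lo: int
    port_hi: int

    def matches(self, flow: Flow) -> bool:
        return (self.src in (ANY, flow.src)
                and self.dst in (ANY, flow.dst)
                and self.port_lo <= flow.port <= self.port_hi)


def allow(src: str, dst: str, port: int) -> Rule:
    """Single-port allow rule (security groups carry allow rules only)."""
    return Rule(src, dst, port, port)


# crm-app1 and jump-box are hypothetical names; the other VM names come
# from this module.
TIERS = ("crm-web1", "crm-app1", "crm-database")

# Intended communication matrix, as stated under AWS Configuration.
INTENDED = (
    [Flow("jump-box", "crm-web1", 80),        # internal users reach Web via the jump box
     Flow("crm-web1", "crm-app1", 8080),      # Web -> App
     Flow("crm-app1", "crm-database", 3306)]  # App -> DB
    + [Flow("jump-box", vm, 22) for vm in TIERS]         # SSH from the jump box
    + [Flow(vm, "aws-DNS-Server", 53) for vm in TIERS]   # DNS in VPC Common Services
    + [Flow(vm, "aws-log-server", 514) for vm in TIERS]  # syslog in VPC Common Services
)

# Constructed security-group allow-list. The DB -> log-server rule is
# deliberately absent to reproduce the lab scenario.
RULES = [
    allow("jump-box", "crm-web1", 80),
    allow("crm-web1", "crm-app1", 8080),
    allow("crm-app1", "crm-database", 3306),
    Rule("jump-box", ANY, 22, 22),
    Rule(ANY, "aws-DNS-Server", 53, 53),
    allow("crm-web1", "aws-log-server", 514),
    allow("crm-app1", "aws-log-server", 514),
]


def firewall_action(flow: Flow, rules: Iterable[Rule]) -> str:
    """Allow-list semantics: any matching rule allows, otherwise implicit DENY."""
    return "ALLOW" if any(r.matches(flow) for r in rules) else "DENY"


def missing_allows(intended: Iterable[Flow], rules: list[Rule]) -> list[Flow]:
    """Intended flows that the current rule set would deny."""
    return [f for f in intended if firewall_action(f, rules) == "DENY"]


def actions_for_destination(dst: str, flows: Iterable[Flow],
                            rules: list[Rule]) -> dict[Flow, str]:
    """Offline counterpart of 'firewall action of flows where dst vm = <dst>'."""
    return {f: firewall_action(f, rules) for f in flows if f.dst == dst}


if __name__ == "__main__":
    for f in missing_allows(INTENDED, RULES):
        print(f"missing allow: {f.src} -> {f.dst}:{f.port}")
    for f, action in actions_for_destination("aws-log-server", INTENDED, RULES).items():
        print(f"{action:5} {f.src} -> {f.dst}:{f.port}")
```

Run as a script, it lists the one intended flow with no matching allow rule (crm-database to aws-log-server on 514) and shows ALLOW for the Web and App tiers against the log server but DENY for the DB tier, the same split the lab query returns. Because security groups are allow-lists, "no matching rule" is exactly the implicit-deny case; feeding INTENDED from a design document and RULES from an exported security-group configuration turns this into a pre-change check that catches a forgotten rule before the missing flow is ever observed.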


ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Introduction

vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this data in a smart user interface, which simplifies problem determination and gives visibility into firewall and network configurations.

This module contains the following lessons:

• 360 Network Visibility and Troubleshooting
• Natural language search


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or the Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in the previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square: the virtual machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the virtual machine details in it. This information includes many details made available by VMware Tools; we can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform narrows these down so that the firewall rules shown are the ones applicable between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, which matters in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse over) the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic would flow in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (VNIC).
3. The visual map (Path Topology) of all the path objects is shown.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only; do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual understanding of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

HOL-1829-01-NET

Page 95HOL-1829-01-NET

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. On vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
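The checks the administrator performs by hand above (the intended tier matrix from the AWS Configuration section, then the flow and firewall queries) can be written as one policy check. The following is an added example, not part of the lab or of vRealize Network Insight: all tier names, allow rules and observed flows are constructed, and the allow-list semantics (no matching allow rule means deny) are assumed to mirror AWS security groups.

```python
"""Added example (not from the VMware lab): compare the CRM application's
intended tier-to-tier communication with the allow rules in force and with
the flows actually observed, and report the gaps. All data is constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Intended communication matrix of the three-tier CRM application as the lab
# describes it: jump box -> web on 80, web -> app on 8080, app -> db on 3306,
# jump box -> every tier on 22 (ssh), every tier -> DNS on 53 and syslog on 514.
TIERS = ("crm-web", "crm-app", "crm-database")
INTENDED = {
    Flow("jump-box", "crm-web", 80),
    Flow("crm-web", "crm-app", 8080),
    Flow("crm-app", "crm-database", 3306),
}
for _tier in TIERS:
    INTENDED.add(Flow("jump-box", _tier, 22))
    INTENDED.add(Flow(_tier, "aws-dns-server", 53))
    INTENDED.add(Flow(_tier, "aws-log-server", 514))

# Constructed allow rules, modelled on AWS security groups (assumption: only an
# explicit allow permits traffic). The DB -> syslog rule was never added.
ALLOW_RULES = {
    Flow("jump-box", "crm-web", 80),
    Flow("crm-web", "crm-app", 8080),
    Flow("crm-app", "crm-database", 3306),
    *(Flow("jump-box", t, 22) for t in TIERS),
    *(Flow(t, "aws-dns-server", 53) for t in TIERS),
    Flow("crm-web", "aws-log-server", 514),
    Flow("crm-app", "aws-log-server", 514),
}

# Constructed observed flows (what a flow collector such as vRNI would report).
# The DB tier only reaches DNS, never syslog, and the web tier has been seen
# talking straight to the database, which the design does not allow.
OBSERVED = [
    Flow("jump-box", "crm-web", 80),
    Flow("crm-web", "crm-app", 8080),
    Flow("crm-app", "crm-database", 3306),
    Flow("jump-box", "crm-web", 22),
    Flow("jump-box", "crm-app", 22),
    Flow("jump-box", "crm-database", 22),
    Flow("crm-web", "aws-dns-server", 53),
    Flow("crm-app", "aws-dns-server", 53),
    Flow("crm-database", "aws-dns-server", 53),
    Flow("crm-web", "aws-log-server", 514),
    Flow("crm-app", "aws-log-server", 514),
    Flow("crm-web", "crm-database", 3306),
]


def is_allowed(flow, rules=ALLOW_RULES):
    """Security-group semantics: a flow passes only if an allow rule matches it."""
    return flow in rules


def missing_allow_rules(intended=INTENDED, rules=ALLOW_RULES):
    """Intended flows the current rule set would deny (the root cause)."""
    return sorted(f for f in intended if not is_allowed(f, rules))


def intended_but_unseen(intended=INTENDED, observed=OBSERVED):
    """Intended flows never observed (the symptom seen in the flow view)."""
    seen = set(observed)
    return sorted(f for f in intended if f not in seen)


def unexpected_flows(intended=INTENDED, observed=OBSERVED):
    """Observed flows outside the intended matrix: candidates for a deny rule."""
    return sorted(set(observed) - set(intended))


def report():
    """Run all three checks, print them, and return the findings."""
    findings = {
        "missing allow rules": missing_allow_rules(),
        "intended but never observed": intended_but_unseen(),
        "observed but not intended": unexpected_flows(),
    }
    for name, flows in findings.items():
        print(f"{name}:")
        for f in flows:
            print(f"  {f.src} -> {f.dst} port {f.port}")
    return findings


if __name__ == "__main__":
    report()
```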


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


360 Network Visibility and Troubleshooting

This section contains the following lessons:

• 360-degree view of data flow between two VM objects
• Natural language search

Open Google Chrome

1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM to VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top of rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message will appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing the information available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic would behave in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (VNIC).
3. The visual map (Path Topology) of all the path objects is shown.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager Information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
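The AWS Configuration list (steps 3 to 10) describes the flows the CRM application needs, and the three firewall queries above show how the missing DB to syslog allow rule is found by hand. The script below is an added example, not part of this lab or of vRealize Network Insight: it encodes that expected-flow matrix, models allow-only rules the way AWS security groups behave (a flow with no matching allow is implicitly denied, which is what the lab's query reports as DENY), and audits a constructed rule set for three things a defender wants to know: expected flows that no rule allows (an outage like the DB to aws-log-server case), rules that serve no expected flow, and wildcard rules worth tightening. The names crm-web1, crm-database, aws-log-server and aws-dns-server come from the lab; jump-box and crm-app1 are assumed names, and the rule set itself is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source workload, destination workload, destination port)


@dataclass(frozen=True)
class Rule:
    """One allow rule, modelled after an AWS security-group entry.

    AWS security groups are allow-only: a flow with no matching rule is
    implicitly denied. 'any' is a wildcard for src or dst.
    """
    src: str
    dst: str
    port: int


# Expected communication matrix transcribed from the lab's AWS configuration.
# crm-web1, crm-database, aws-log-server and aws-dns-server come from the lab;
# jump-box and crm-app1 are assumed names for this example.
EXPECTED_FLOWS: Set[Flow] = {
    ("jump-box", "crm-web1", 80),          # internal users reach Web on 80 via the jump-box
    ("crm-web1", "crm-app1", 8080),        # Web -> App
    ("crm-app1", "crm-database", 3306),    # App -> DB
    ("jump-box", "crm-web1", 22),          # SSH from the jump-box to every VM
    ("jump-box", "crm-app1", 22),
    ("jump-box", "crm-database", 22),
    ("crm-web1", "aws-dns-server", 53),    # every tier -> DNS and syslog in Common Services
    ("crm-app1", "aws-dns-server", 53),
    ("crm-database", "aws-dns-server", 53),
    ("crm-web1", "aws-log-server", 514),
    ("crm-app1", "aws-log-server", 514),
    ("crm-database", "aws-log-server", 514),
}

# Constructed rule set reproducing the lab's fault: every expected flow is
# covered except crm-database -> aws-log-server:514. One wildcard rule and one
# rule outside the design are included so the audit has more to report.
CONFIGURED_RULES: List[Rule] = [
    Rule("jump-box", "crm-web1", 80),
    Rule("crm-web1", "crm-app1", 8080),
    Rule("crm-app1", "crm-database", 3306),
    Rule("jump-box", "crm-web1", 22),
    Rule("jump-box", "crm-app1", 22),
    Rule("jump-box", "crm-database", 22),
    Rule("any", "aws-dns-server", 53),        # wildcard source: DNS open to everything
    Rule("crm-web1", "aws-log-server", 514),
    Rule("crm-app1", "aws-log-server", 514),
    # missing on purpose: Rule("crm-database", "aws-log-server", 514)
    Rule("crm-web1", "crm-database", 3306),   # not in the design: Web must not reach DB directly
]


def rule_matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    """True if the rule covers this flow ('any' matches every workload)."""
    return rule.port == port and rule.src in ("any", src) and rule.dst in ("any", dst)


def flow_action(src: str, dst: str, port: int, rules: Iterable[Rule]) -> str:
    """Allow-only semantics: ALLOW if any rule matches, otherwise DENY."""
    return "ALLOW" if any(rule_matches(r, src, dst, port) for r in rules) else "DENY"


def audit(expected: Set[Flow], rules: List[Rule]) -> Dict[str, list]:
    """Compare the configured rules with the expected flows.

    missing  - expected flows with no allow rule (the lab's DB -> syslog case)
    unused   - rules that serve no expected flow (least-privilege clean-up)
    wildcard - rules with 'any' on either side (review whether they can be tightened)
    """
    missing = sorted(f for f in expected if flow_action(*f, rules) == "DENY")
    unused = [r for r in rules if not any(rule_matches(r, *f) for f in expected)]
    wildcard = [r for r in rules if "any" in (r.src, r.dst)]
    return {"missing": missing, "unused": unused, "wildcard": wildcard}


if __name__ == "__main__":
    report = audit(EXPECTED_FLOWS, CONFIGURED_RULES)
    for src, dst, port in report["missing"]:
        print(f"DENY      {src} -> {dst}:{port}  (required by design, no allow rule)")
    for r in report["unused"]:
        print(f"UNUSED    {r.src} -> {r.dst}:{r.port}  (no expected flow needs it)")
    for r in report["wildcard"]:
        print(f"WILDCARD  {r.src} -> {r.dst}:{r.port}  (consider tightening)")
```

Running the script reports the single missing allow (crm-database to aws-log-server on 514), the Web-to-DB rule that the design never asked for, and the wildcard DNS rule. Keeping the expected-flow matrix as data next to the rules is the point: the vRNI queries in the lab answer "why is this one flow denied", while a matrix comparison answers "which of the flows we rely on are not allowed" across the whole application.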


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Path and Topology

This module will utilize the Path and Topology feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The Path and Topology view can also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field; please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we will get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the virtual machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the virtual machine details in it. This information includes many details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized on the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing the information available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the chassis and the blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled. IPFIX export from the distributed switch is the source of the flow records vRealize Network Insight uses for the flow and micro-segmentation views; a port group without it still appears on the path map, but produces no flows.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto Networks device (a firewall that also routes). In this view we see the routing table as well as firewall rules. The rules shown are not the whole rulebase: they are the rules applicable to traffic between the two objects we searched for. A normal network will have thousands of firewall rules, but these are the ones affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.
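As an added illustration (not part of the lab and not vRealize Network Insight code), the following Python narrows an ordered rulebase to the rules that can affect a given source/destination pair, the way the path view above does for the two VMs. The rulebase, the address objects, the rule names and the IP addresses are all constructed for the example.

```python
"""Added example: narrow an ordered firewall rulebase to the rules that can
affect traffic between two endpoints. Not lab or vRealize Network Insight
code; all address objects, rules and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed address objects (hypothetical names and prefixes).
ADDRESS_OBJECTS = {
    "any": ["0.0.0.0/0"],
    "corp-mgmt": ["10.10.0.0/16"],
    "dbadmin-vm1": ["10.10.7.15/32"],
    "prod-web": ["10.20.1.0/24"],
    "prod-db": ["10.20.5.0/24"],
}


@dataclass
class Rule:
    name: str
    src: List[str]              # address object names
    dst: List[str]
    ports: Optional[Set[int]]   # None means any service
    action: str                 # "allow" or "deny"


def covers(obj_names, ip):
    """True if any prefix of any named address object contains ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(prefix)
               for name in obj_names for prefix in ADDRESS_OBJECTS[name])


def applicable_rules(rulebase, src_ip, dst_ip, port=None):
    """Rules whose source and destination sets contain the two endpoints
    (and the port, if one is given), in rulebase order. The first hit is
    the one the device enforces; later hits are shadowed until an earlier
    rule changes, which is why they are still worth seeing."""
    hits = []
    for rule in rulebase:
        if not (covers(rule.src, src_ip) and covers(rule.dst, dst_ip)):
            continue
        if port is not None and rule.ports is not None and port not in rule.ports:
            continue
        hits.append(rule)
    return hits


def effective_action(rulebase, src_ip, dst_ip, port, default="deny"):
    """First-match semantics with an implicit default at the end."""
    hits = applicable_rules(rulebase, src_ip, dst_ip, port)
    return hits[0].action if hits else default


# Constructed rulebase standing in for a few-thousand-rule production one.
RULEBASE = [
    Rule("block-web-to-db", ["prod-web"], ["prod-db"], None, "deny"),
    Rule("dbadmin-to-db", ["dbadmin-vm1"], ["prod-db"], {22, 3306}, "allow"),
    Rule("mgmt-to-db-any", ["corp-mgmt"], ["prod-db"], None, "allow"),
    # Intended to block RDP from management, but shadowed by the rule above.
    Rule("mgmt-to-db-no-rdp", ["corp-mgmt"], ["prod-db"], {3389}, "deny"),
    Rule("cleanup", ["any"], ["any"], None, "deny"),
]

if __name__ == "__main__":
    src, dst = "10.10.7.15", "10.20.5.20"   # constructed DBAdmin-VM1 -> Prod-DB pair
    for rule in applicable_rules(RULEBASE, src, dst):
        print(f"{rule.name:22} {rule.action}")
    print("RDP from DBAdmin-VM1:", effective_action(RULEBASE, src, dst, 3389))
```

Running it lists four of the five rules for the DBAdmin-VM1 to Prod-DB pair and reports that RDP is allowed, because the broad mgmt-to-db-any rule precedes the narrower deny. That kind of shadowing is exactly what becomes visible once a large rulebase is narrowed to the rules on one path.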

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details show that we can monitor devices from a multitude of vendors, which matters when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse over) the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, as well as the Hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.
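The Segment ID, underlay VLAN and VTEP addresses shown in this pop-up are the fields a VXLAN frame actually carries on the wire. As an added example (not lab content and not vRealize Network Insight code), the Python below builds a VXLAN-encapsulated frame with the standard library only and decodes the underlay VLAN, the VTEP pair, the VNI and the inner tenant frame from it. The MAC addresses, VTEP IPs and VNI are constructed values, not the lab's.

```python
"""Added example: build and decode a VXLAN-encapsulated Ethernet frame with
the standard library. Not lab code; every address and the VNI are constructed."""
import socket
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08          # "VNI valid" flag in the VXLAN header
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
# Constructed underlay MACs (hypothetical ToR / host NIC addresses).
OUTER_DST_MAC = "00:1c:73:00:00:01"
OUTER_SRC_MAC = "00:25:b5:00:00:0a"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header (protocol 17 = UDP) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", (~total) & 0xFFFF) + hdr[12:]


def build_vxlan_frame(vni, vtep_src, vtep_dst, inner_src_mac, inner_dst_mac,
                      inner_payload, underlay_vlan=None, udp_dst_port=VXLAN_UDP_PORT):
    """Outer Ethernet [+802.1Q] / IPv4 / UDP / VXLAN / inner Ethernet frame.
    udp_dst_port exists only so the decoder's port check can be exercised."""
    inner = (mac_bytes(inner_dst_mac) + mac_bytes(inner_src_mac)
             + struct.pack("!H", ETHERTYPE_IPV4) + inner_payload)
    # VXLAN header: flags (I set), 3 reserved bytes, 24-bit VNI, 1 reserved byte.
    vxlan = struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, udp_dst_port, udp_len, 0)  # checksum 0 = omitted
    ip = ipv4_header(vtep_src, vtep_dst, udp_len)
    eth = mac_bytes(OUTER_DST_MAC) + mac_bytes(OUTER_SRC_MAC)
    if underlay_vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, underlay_vlan & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vxlan + inner


def parse_vxlan_frame(frame):
    """Return the underlay (VLAN, VTEPs) and overlay (VNI, inner frame) fields,
    or raise ValueError if the frame is not VXLAN."""
    off = 12
    ethertype, = struct.unpack_from("!H", frame, off)
    underlay_vlan = None
    if ethertype == ETHERTYPE_VLAN:
        tci, = struct.unpack_from("!H", frame, off + 2)
        underlay_vlan = tci & 0x0FFF
        off += 4
        ethertype, = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    if frame[off + 9] != 17:
        raise ValueError("outer packet is not UDP")
    vtep_src = socket.inet_ntoa(frame[off + 12:off + 16])
    vtep_dst = socket.inet_ntoa(frame[off + 16:off + 20])
    off += (frame[off] & 0x0F) * 4
    _, dport, _, _ = struct.unpack_from("!HHHH", frame, off)
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    off += 8
    flags, _, vni_field = struct.unpack_from("!B3sI", frame, off)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear, VNI not valid")
    off += 8
    return {
        "underlay_vlan": underlay_vlan,
        "vtep_src": vtep_src,
        "vtep_dst": vtep_dst,
        "vni": vni_field >> 8,
        "inner_dst_mac": mac_str(frame[off:off + 6]),
        "inner_src_mac": mac_str(frame[off + 6:off + 12]),
        "inner_payload": bytes(frame[off + 14:]),
    }


def is_vxlan(frame):
    try:
        parse_vxlan_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed: VNI 5001 between two hypothetical VTEPs on underlay VLAN 10.
    frame = build_vxlan_frame(5001, "192.168.110.51", "192.168.110.52",
                              "00:50:56:aa:bb:01", "00:50:56:aa:bb:02",
                              b"tenant payload", underlay_vlan=10)
    print(parse_vxlan_frame(frame))
```

The point of the decoder is the layering the pop-up summarises: everything up to the UDP header belongs to the underlay (the VLAN tag and the VTEP addresses), the 24-bit VNI selects the logical segment, and only after the VXLAN header does the tenant's own Ethernet frame begin. Note that the VTEP-to-VTEP UDP traffic carries no authentication, so anything that can inject packets into the transport VLAN can inject frames into any VNI.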

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here on we are in the in-kernel (distributed) network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this is illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with the arrows).

The first device it hits on the virtual network of that physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based firewall to which traffic is offloaded. The redirect feature (NSX service insertion) allows traffic matching an NSX redirection rule to be steered through the PAN firewall for inspection. Both rule sets therefore apply to this VM: the NSX distributed firewall decides what is redirected, and the PAN firewall decides what happens to the redirected traffic, so both need to be checked when analysing what is enforced between two VMs.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis is now done in the opposite direction. Please note that the path changes: instead of going through Provider-Edge 3, the return traffic is routed through Provider-Edge 2. This is exactly how the traffic behaves in real life, and it is why a path should be checked in both directions: a rule or device that only sits on the return path is invisible in a one-way trace.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information for the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components involved in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com and search for vRealize Network Insight.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight gives full visibility from both an overlay and an underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query: it gathers CLI and metadata information from NSX in real time.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider; by default the current-time results are displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This highlights a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the right hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open for internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist, as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Define an Application).

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers). This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 of the second VPC.

Exploring the Three-Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.

1. The Web tier talks to the App tier on port 8080 (the flows shown here are Web to App; the App to DB flows on port 3306 are explored in the next step).
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.

1. DC Virtual (the jump-box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively (DNS and syslog).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = 'aws-log-server'. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the denied flow.

We can see a DENY result which is preventing crm-database from communicating with aws-log-server on port 514. AWS security groups are allow-only, so this deny is the absence of a matching allow rule: the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = 'crm-web1' and dst vm = 'aws-log-server'.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = 'crm-database' and dst vm = 'aws-log-server'.

2. Click Search.
3. This will return 2 results, both Outbound rules. The Inbound rule that appeared for crm-web1 is missing for crm-database, which explains the firewall rule behaviour from crm-database to aws-log-server.
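The three queries above narrow the problem to a missing security-group entry. As an added example (not part of the lab or of vRealize Network Insight, and not the AWS API), the Python below models security-group semantics offline: stateful, allow-only, with group-referenced sources, and checks a constructed copy of the CRM setup against the intended policy listed at the start of this module. The group IDs, the instance addresses and the choice of UDP for syslog on port 514 are assumptions made for the example.

```python
"""Added example: check AWS-style security groups against an intended policy
offline. Not lab, vRealize Network Insight or AWS API code; group IDs,
addresses and rules are constructed to mirror the CRM scenario."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class SgRule:
    proto: str        # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    peer: str         # a CIDR such as "10.1.0.0/16" or a group id such as "sg-app"


@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    inbound: List[SgRule]
    outbound: List[SgRule]


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: List[str]


def rule_matches(rule, peer_ip, peer_groups, proto, port):
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.peer.startswith("sg-"):                 # group-referenced peer
        return rule.peer in peer_groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)


def flow_allowed(src, dst, proto, port, groups):
    """Security groups are stateful and allow-only: a new flow needs an outbound
    allow on the source instance and an inbound allow on the destination;
    anything without a matching allow is implicitly denied."""
    out_ok = any(rule_matches(r, dst.ip, dst.groups, proto, port)
                 for g in src.groups for r in groups[g].outbound)
    in_ok = any(rule_matches(r, src.ip, src.groups, proto, port)
                for g in dst.groups for r in groups[g].inbound)
    return out_ok and in_ok


def audit(expected_flows, instances, groups):
    """Return the intended flows that the current groups would deny."""
    return [f for f in expected_flows
            if not flow_allowed(instances[f[0]], instances[f[1]], f[2], f[3], groups)]


CRM_VPC, SHARED_VPC = "10.0.0.0/16", "10.1.0.0/16"   # constructed VPC ranges
SHARED_OUT = [SgRule("udp", 53, 53, SHARED_VPC), SgRule("udp", 514, 514, SHARED_VPC)]
GROUPS = {
    "sg-jump": SecurityGroup("sg-jump", [], [SgRule("tcp", 22, 22, CRM_VPC)]),
    "sg-web": SecurityGroup("sg-web",
        [SgRule("tcp", 80, 80, "10.0.0.0/8"), SgRule("tcp", 22, 22, "sg-jump")],
        [SgRule("tcp", 8080, 8080, "sg-app")] + SHARED_OUT),
    "sg-app": SecurityGroup("sg-app",
        [SgRule("tcp", 8080, 8080, "sg-web"), SgRule("tcp", 22, 22, "sg-jump")],
        [SgRule("tcp", 3306, 3306, "sg-db")] + SHARED_OUT),
    # The DB group only allows DNS out: the syslog (514) allow was never added.
    "sg-db": SecurityGroup("sg-db",
        [SgRule("tcp", 3306, 3306, "sg-app"), SgRule("tcp", 22, 22, "sg-jump")],
        [SgRule("udp", 53, 53, SHARED_VPC)]),
    "sg-shared": SecurityGroup("sg-shared",
        [SgRule("udp", 53, 53, CRM_VPC), SgRule("udp", 514, 514, CRM_VPC)], []),
}
INSTANCES = {i.name: i for i in [
    Instance("jump-box", "10.0.0.10", ["sg-jump"]),
    Instance("crm-web1", "10.0.1.10", ["sg-web"]),
    Instance("crm-app1", "10.0.2.10", ["sg-app"]),
    Instance("crm-database", "10.0.3.10", ["sg-db"]),
    Instance("aws-dns-server", "10.1.0.53", ["sg-shared"]),
    Instance("aws-log-server", "10.1.0.14", ["sg-shared"]),
]}
# The intended CRM policy from the module introduction, as (src, dst, proto, port).
EXPECTED_FLOWS = [
    ("crm-web1", "crm-app1", "tcp", 8080),
    ("crm-app1", "crm-database", "tcp", 3306),
    ("jump-box", "crm-database", "tcp", 22),
    ("crm-database", "aws-dns-server", "udp", 53),
    ("crm-web1", "aws-log-server", "udp", 514),
    ("crm-app1", "aws-log-server", "udp", 514),
    ("crm-database", "aws-log-server", "udp", 514),
]


def with_db_syslog_fix(groups):
    """Copy of groups with the missing outbound syslog allow added to sg-db."""
    db = groups["sg-db"]
    fixed = replace(db, outbound=db.outbound + [SgRule("udp", 514, 514, SHARED_VPC)])
    return {**groups, "sg-db": fixed}


if __name__ == "__main__":
    print("denied before fix:", audit(EXPECTED_FLOWS, INSTANCES, GROUPS))
    print("denied after fix: ", audit(EXPECTED_FLOWS, INSTANCES, with_db_syslog_fix(GROUPS)))
```

The audit reproduces the lab's finding without looking at flows at all: the only intended flow with no matching allow is crm-database to aws-log-server on 514, and the inbound side on the shared group is already in place, so the fix is a single outbound rule on sg-db. Checking the intended policy against the rules, rather than waiting for a missing flow to be noticed, is the check worth automating in a deployment pipeline.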

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This gives visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; else click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

also extend to hosts, L3 networks, security groups, etc., but in this module we will only be focusing on the path.

From the main console:

1. Click on Path and Topology.
2. Click on Path.

Path - Select source and destination

In the pop-up box:

1. Click on the grey field below Source.
2. Type dba into the source field and DBAdmin-VM1 will appear.
3. Click on DBAdmin-VM1 to select it.

Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.

Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field and please continue to the next step.

VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:

1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message will appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. vRealize Network Insight narrows the list down to the firewall rules that apply between the two objects we searched for. There are probably thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, which helps in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same kinds of components we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as its Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. This shows the visual map (Path Topology) of all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on 53 and the LogServer on 514 in VPC Common Services.
10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.
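To make the intended communication in this list checkable, here is an added example (not part of the lab guide or of vRealize Network Insight) that encodes the tier-to-tier rules above and evaluates constructed sample flow records against them, separating flows a rule covers from flows no rule covers, the way the Plan Security view does. The IP addresses, tier inventory and byte counts are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Intended tier-to-tier communication, transcribed from the module's AWS
# configuration list: (source group, destination group, destination port).
INTENDED_RULES = {
    ("Internal-Users", "Web", 80),   # internal users reach the Web tier on port 80
    ("Web", "App", 8080),            # Web tier talks to App tier on port 8080
    ("App", "DB", 3306),             # App tier talks to DB tier on port 3306
}
for _tier in ("Web", "App", "DB"):
    INTENDED_RULES.add(("Jump-box", _tier, 22))    # ssh from the jump-box to every VM in VPC CRM
    INTENDED_RULES.add((_tier, "DNS", 53))         # DNS server in VPC Common Services
    INTENDED_RULES.add((_tier, "LogServer", 514))  # LogServer in VPC Common Services

# Constructed inventory (instance IP -> tier tag). The addresses are invented for
# this example; in vRNI the grouping comes from AWS tags and security groups.
INVENTORY = {
    "10.10.1.11": "Web",
    "10.10.2.11": "App",
    "10.10.3.11": "DB",
    "10.10.0.5": "Jump-box",
    "10.20.0.53": "DNS",
    "10.20.0.14": "LogServer",
    "192.168.50.20": "Internal-Users",
}


@dataclass(frozen=True)
class Flow:
    """One observed flow record: who talked to whom, on which port, how much."""
    src_ip: str
    dst_ip: str
    dst_port: int
    byte_count: int


# Constructed sample flows standing in for the flow records vRNI collects from AWS.
SAMPLE_FLOWS = [
    Flow("192.168.50.20", "10.10.1.11", 80, 120_000),   # internal user -> Web
    Flow("10.10.1.11", "10.10.2.11", 8080, 96_000),     # Web -> App
    Flow("10.10.2.11", "10.10.3.11", 3306, 480_000),    # App -> DB
    Flow("10.10.0.5", "10.10.3.11", 22, 4_000),         # jump-box -> DB (ssh)
    Flow("10.10.3.11", "10.20.0.14", 514, 9_000),       # DB -> LogServer
    Flow("10.10.3.11", "10.20.0.53", 53, 600),          # DB -> DNS
    Flow("10.10.1.11", "10.10.3.11", 3306, 2_000),      # Web -> DB, bypassing App: no rule
    Flow("10.10.3.11", "203.0.113.9", 443, 30_000),     # DB -> address with no tier tag
]


def tier_of(ip, inventory=INVENTORY):
    """Map an instance address to its tier tag, or None if it is not inventoried."""
    return inventory.get(ip)


def recommend_rules(flows, inventory=INVENTORY):
    """Aggregate flows into tier-level (src, dst, port) rules with byte totals, the
    shape in which vRNI presents recommended firewall rules. Flows with an endpoint
    outside the inventory cannot be attributed to a tier and are skipped here."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = tier_of(f.src_ip, inventory), tier_of(f.dst_ip, inventory)
        if src is None or dst is None:
            continue
        totals[(src, dst, f.dst_port)] += f.byte_count
    return dict(totals)


def classify(flows, inventory=INVENTORY, intended=INTENDED_RULES):
    """Split flows into: covered by an intended rule; between known tiers but not
    covered by any rule (candidates for a policy gap); touching an untagged
    endpoint (which no tier-based rule can describe)."""
    result = {"covered": [], "unexpected": [], "untagged": []}
    for f in flows:
        src, dst = tier_of(f.src_ip, inventory), tier_of(f.dst_ip, inventory)
        if src is None or dst is None:
            result["untagged"].append(f)
        elif (src, dst, f.dst_port) in intended:
            result["covered"].append(f)
        else:
            result["unexpected"].append(f)
    return result


def unused_rules(flows, inventory=INVENTORY, intended=INTENDED_RULES):
    """Intended rules with no observed traffic. Either the rule is broader than the
    application needs, or an expected connection (such as DB -> LogServer) is not
    actually happening, which is the kind of gap this module asks you to look for."""
    return intended - set(recommend_rules(flows, inventory))


if __name__ == "__main__":
    verdict = classify(SAMPLE_FLOWS)
    for label, flows in verdict.items():
        print(f"{label}: {len(flows)}")
        for f in flows:
            print(f"  {f.src_ip} -> {f.dst_ip}:{f.dst_port} ({f.byte_count} bytes)")
    print("intended rules with no observed traffic:")
    for rule in sorted(unused_rules(SAMPLE_FLOWS)):
        print("  ", rule)
```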

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (App tier talks to DB tier on port 3306).
4. DB (DB tier talks to Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
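As an added illustration of the gap the three queries above uncover (and of the tier-to-tier matrix listed under AWS Configuration), here is a small Python check that is not part of the lab or of vRealize Network Insight: it evaluates each expected CRM flow against a constructed, security-group-style allow-list. The VM names are modelled on the lab's; the rule set itself is hypothetical.

```python
"""Check a tier-to-tier communication matrix against security-group style rules.

Constructed example: hypothetical rules and VM names modelled on the CRM lab
topology; this is not vRealize Network Insight code or its API.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]  # (source VM, destination VM, port)


@dataclass(frozen=True)
class Rule:
    """One rule attached to `vm`: `direction` is "inbound" (traffic arriving
    at vm) or "outbound" (traffic leaving vm); it permits `port` from/to
    `peer`, where "*" matches any peer."""
    vm: str
    direction: str
    peer: str
    port: int

    def matches(self, peer: str, port: int) -> bool:
        return self.port == port and self.peer in ("*", peer)


# Expected flows, following the lab's AWS Configuration (each tier collapsed
# to one representative VM; the jump-box SSH access on port 22 is left out).
EXPECTED_FLOWS: List[Flow] = [
    ("jump-box", "crm-web1", 80),
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    ("crm-web1", "aws-dns-server", 53),
    ("crm-app1", "aws-dns-server", 53),
    ("crm-database", "aws-dns-server", 53),
    ("crm-web1", "aws-log-server", 514),
    ("crm-app1", "aws-log-server", 514),
    ("crm-database", "aws-log-server", 514),
]

# Constructed rule set: every VM may send to DNS and syslog, but the log
# server's inbound rules only name the web and app tiers (the admin's gap).
RULES: List[Rule] = [
    Rule("crm-web1", "inbound", "jump-box", 80),
    Rule("crm-app1", "inbound", "crm-web1", 8080),
    Rule("crm-database", "inbound", "crm-app1", 3306),
    Rule("aws-dns-server", "inbound", "*", 53),
    Rule("aws-log-server", "inbound", "crm-web1", 514),
    Rule("aws-log-server", "inbound", "crm-app1", 514),
] + [
    Rule(vm, "outbound", "*", port)
    for vm in ("jump-box", "crm-web1", "crm-app1", "crm-database")
    for port in (80, 8080, 3306, 53, 514)
]


def evaluate_flow(rules: List[Rule], src: str, dst: str, port: int):
    """Security groups are allow-lists with an implicit deny: a flow passes
    only if an outbound rule on src AND an inbound rule on dst both match.
    Returns (verdict, matching outbound rules, matching inbound rules)."""
    outbound = [r for r in rules
                if r.vm == src and r.direction == "outbound" and r.matches(dst, port)]
    inbound = [r for r in rules
               if r.vm == dst and r.direction == "inbound" and r.matches(src, port)]
    verdict = "ALLOW" if outbound and inbound else "DENY"
    return verdict, outbound, inbound


def find_gaps(rules: List[Rule], expected: List[Flow]):
    """Return expected flows the rule set does not permit, tagged with the
    side (outbound on the source or inbound on the destination) that lacks a rule."""
    gaps = []
    for src, dst, port in expected:
        verdict, outbound, inbound = evaluate_flow(rules, src, dst, port)
        if verdict == "DENY":
            gaps.append((src, dst, port, "outbound" if not outbound else "inbound"))
    return gaps


def flows_to(rules: List[Rule], expected: List[Flow], dst: str) -> Dict[Tuple[str, int], str]:
    """Mirror the lab's 'firewall action of flows where dst vm = X' query:
    verdict per (source, port) for every expected flow towards dst."""
    return {(s, p): evaluate_flow(rules, s, d, p)[0]
            for s, d, p in expected if d == dst}


if __name__ == "__main__":
    for src, dst, port, side in find_gaps(RULES, EXPECTED_FLOWS):
        print("missing %s rule: %s -> %s:%d" % (side, src, dst, port))
```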


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226


Path - source and destination continued

After selecting the source machine, the destination box will automatically appear.

1. Type prod in the destination field and the list of available options will appear.

2. Select Prod-Db-2.

Note: The destination could also be an IP address or Internet, but in this lab we are going to use a VM.


Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views.


1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario, the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario, the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. vRealize Network Insight is powerful enough that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario, the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it hits on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path topology) of all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight page on http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of Logical networking out of sync between host and NSX Controller.


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the “Return to the lab” link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link

• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)

• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

• Module 3 - Advanced NSX Management & Operations (45 minutes)

• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local

2. Password: VMware1!

3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.

2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.

6. App tier talks to DB tier on port 3306.

7. Web tier is open for internal datacenter VMs on port 80.

8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.

9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 on VPC Common Services.

10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. On vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application

2. CRM

3. Click Analyze

We can now visualize the three-tier ‘CRM’ Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.

2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)

3. App (App tier talks to DB tier on port 3306.)

4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on Port 3306.

2. Click X to continue.


1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on Port 3306.

2. Click X to continue.


1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on Port 22.

2. Click X to continue.


1. Hover over the App Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.

2. Click X to continue.


1. Hover over the DB Micro-segment.

2. Click on Keep Focus.

3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. On the Chrome web browser, right click.

2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.

3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. On the Chrome web browser, right click.

2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.

3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. On the Chrome web browser, right click.

2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.

3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
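The intended CRM policy from the AWS Configuration steps and the three firewall queries that explain the missing DB-to-syslog flow can be reproduced offline. The Python below is an added example, not code from the lab manual or from vRealize Network Insight: the VM names and ports come from the lab, while every flow record, security group id and rule body is constructed. It goes slightly beyond the lab by diffing the whole intended communication matrix against the observed flows instead of inspecting one micro-segment at a time.

```python
"""Added example (not from the HOL-1829-01-NET manual or from vRNI): model the CRM three-tier
policy of the AWS Configuration section, diff it against constructed VPC flow records as Plan
Security does, and evaluate constructed AWS security group rules like the lab's firewall queries."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# VM -> (tier, security group). VM names follow the lab; group ids are constructed.
VMS: Dict[str, Tuple[str, str]] = {
    "jump-box": ("jump", "sg-jump"),
    "crm-web1": ("web", "sg-web"), "crm-web2": ("web", "sg-web"),
    "crm-app1": ("app", "sg-app"), "crm-app2": ("app", "sg-app"),
    "crm-database": ("db", "sg-db"),
    "aws-dns-server": ("shared", "sg-common"), "aws-log-server": ("shared", "sg-common"),
}
TierFlow = Tuple[str, str, int]  # (source tier, destination tier, port)

# Intended communication matrix, transcribed from steps 5 to 10 of AWS Configuration.
EXPECTED: Set[TierFlow] = {("web", "app", 8080), ("app", "db", 3306)}
for _tier in ("web", "app", "db"):
    EXPECTED |= {("jump", _tier, 22), (_tier, "shared", 53), (_tier, "shared", 514)}

# Constructed (src vm, dst vm, port, action) records standing in for the VPC Flow Log
# data vRNI collects; a REJECT record is what the firewall-action query lists as Deny.
OBSERVED: List[Tuple[str, str, int, str]] = [
    ("crm-web1", "crm-app1", 8080, "ACCEPT"), ("crm-web2", "crm-app2", 8080, "ACCEPT"),
    ("crm-app1", "crm-database", 3306, "ACCEPT"),
    ("jump-box", "crm-web1", 22, "ACCEPT"), ("jump-box", "crm-app1", 22, "ACCEPT"),
    ("jump-box", "crm-database", 22, "ACCEPT"),
    ("crm-web1", "aws-dns-server", 53, "ACCEPT"), ("crm-app1", "aws-dns-server", 53, "ACCEPT"),
    ("crm-database", "aws-dns-server", 53, "ACCEPT"),
    ("crm-web1", "aws-log-server", 514, "ACCEPT"), ("crm-web2", "aws-log-server", 514, "ACCEPT"),
    ("crm-app1", "aws-log-server", 514, "ACCEPT"), ("crm-app2", "aws-log-server", 514, "ACCEPT"),
    ("crm-database", "aws-log-server", 514, "REJECT"),  # the lab's problem flow
]


def missing_flows() -> Set[TierFlow]:
    """Intended tier-to-tier flows with no accepted record: the gap the DB
    micro-segment's Blue line exposes (port 53 present, port 514 absent)."""
    seen = {(VMS[s][0], VMS[d][0], p) for s, d, p, act in OBSERVED if act == "ACCEPT"}
    return EXPECTED - seen


def firewall_actions(dst_vm: str) -> Dict[str, int]:
    """Allow/Deny counts behind 'firewall action of flows where dst vm = <dst_vm>'."""
    counts: Dict[str, int] = {}
    for _src, dst, _port, act in OBSERVED:
        if dst == dst_vm:
            label = "Allow" if act == "ACCEPT" else "Deny"
            counts[label] = counts.get(label, 0) + 1
    return counts


@dataclass(frozen=True)
class SgRule:
    direction: str  # "inbound" or "outbound"
    port: int       # a single port for brevity; real rules carry a port range
    peer: str       # referenced security group id, or "0.0.0.0/0" for any peer

# Constructed security groups. The inbound 514 rules on sg-common reference sg-web and
# sg-app but not sg-db: the rule the administrator forgot, as the lab's last query shows.
GROUPS: Dict[str, List[SgRule]] = {
    "sg-jump": [SgRule("outbound", 22, "0.0.0.0/0")],
    "sg-web": [SgRule("inbound", 22, "sg-jump"), SgRule("outbound", 8080, "sg-app"),
               SgRule("outbound", 53, "sg-common"), SgRule("outbound", 514, "sg-common")],
    "sg-app": [SgRule("inbound", 22, "sg-jump"), SgRule("inbound", 8080, "sg-web"),
               SgRule("outbound", 3306, "sg-db"), SgRule("outbound", 53, "sg-common"),
               SgRule("outbound", 514, "sg-common")],
    "sg-db": [SgRule("inbound", 22, "sg-jump"), SgRule("inbound", 3306, "sg-app"),
              SgRule("outbound", 53, "sg-common"), SgRule("outbound", 514, "sg-common")],
    "sg-common": [SgRule("inbound", 53, "sg-web"), SgRule("inbound", 53, "sg-app"),
                  SgRule("inbound", 53, "sg-db"), SgRule("inbound", 514, "sg-web"),
                  SgRule("inbound", 514, "sg-app")],
}


def matching_rules(src_vm: str, dst_vm: str, port: int) -> Dict[str, List[SgRule]]:
    """Rules behind 'aws firewall rule where src vm = X and dst vm = Y': outbound rules on
    the source's group and inbound rules on the destination's group covering this port."""
    src_sg, dst_sg = VMS[src_vm][1], VMS[dst_vm][1]
    return {
        "outbound": [r for r in GROUPS[src_sg] if r.direction == "outbound"
                     and r.port == port and r.peer in ("0.0.0.0/0", dst_sg)],
        "inbound": [r for r in GROUPS[dst_sg] if r.direction == "inbound"
                    and r.port == port and r.peer in ("0.0.0.0/0", src_sg)],
    }


def sg_action(src_vm: str, dst_vm: str, port: int) -> str:
    """Security groups are allow-only and stateful: a new connection needs a matching
    outbound rule on the source AND a matching inbound rule on the destination."""
    rules = matching_rules(src_vm, dst_vm, port)
    return "ALLOW" if rules["outbound"] and rules["inbound"] else "DENY"


if __name__ == "__main__":  # quick demonstration on the constructed data
    print(sorted(missing_flows()), firewall_actions("aws-log-server"))
    print(sg_action("crm-database", "aws-log-server", 514), matching_rules("crm-database", "aws-log-server", 514))
```

The rule counts the lab reports (1 inbound and 2 outbound for crm-web1, 2 outbound for crm-database) depend on the lab's own security groups, so the constructed groups here reproduce the outcome, not those exact numbers.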


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Path - source and destination continued

1. Click on Submit.

Searching for path

Based on the VMs we selected in the wizard in our previous steps, the search field is now pre-populated with a search string. As an alternative to using the wizard, we can also do manual searches.

Do not change any parameters in the search field, and please continue to the next step.


VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM to VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section, on the right side of the VM Path Topology, shows the underlay information of the VMs involved and their connectivity to the top of rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.

2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic; in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the Path Details on the right hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the ones affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic works in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. The visual map (Path topology) shows all the path objects.

4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight page on http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.

5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means the connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the Database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
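The communication matrix from the AWS Configuration steps and the three firewall queries above can be checked mechanically. The following added Python example (not part of the lab and not vRNI code) encodes the intended policy as (source, destination, port) triples, models AWS security groups as stateful allow-lists, reproduces the three queries, and reports which expected flows are blocked, missing or unexpectedly allowed; it goes beyond the lab by also flagging an over-broad rule. The names crm-app1, dc-jumpbox and aws-dns-server and every flow and rule record are constructed assumptions.

```python
"""Reconcile the CRM application's intended tier-to-tier policy with the flows
and security-group rules vRNI surfaces, the way the Module 4 firewall queries
do by hand. Only crm-web1, crm-database, aws-log-server and the port numbers
come from the lab text; every other name and every flow/rule record is
constructed sample data, not vRNI output."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SgRule:
    """One allow rule of the security group attached to `vm`. AWS security
    groups carry no deny rules: anything that matches nothing is dropped."""
    vm: str
    direction: str  # "inbound" or "outbound"
    peer: str       # remote VM name, or "any"
    port: int


def flow_action(flow, rules):
    """Security groups are stateful allow-lists: an initiating flow passes only
    when the source's outbound rules AND the destination's inbound rules match."""
    src, dst, port = flow
    out_ok = any(r.vm == src and r.direction == "outbound"
                 and r.peer in (dst, "any") and r.port == port for r in rules)
    in_ok = any(r.vm == dst and r.direction == "inbound"
                and r.peer in (src, "any") and r.port == port for r in rules)
    return "ALLOW" if out_ok and in_ok else "DENY"


def flows_to(dst, flows, rules):
    """Counterpart of the lab query 'firewall action of flows where dst vm = X'."""
    return {f: flow_action(f, rules) for f in flows if f[1] == dst}


def rules_between(src, dst, rules):
    """Counterpart of 'aws firewall rule where src vm = A and dst vm = B'."""
    return sorted((r.vm, r.direction, r.port) for r in rules
                  if (r.vm == src and r.direction == "outbound" and r.peer in (dst, "any"))
                  or (r.vm == dst and r.direction == "inbound" and r.peer in (src, "any")))


def audit(expected, observed, rules):
    """Compare the intended policy with what the rules actually let through.
    blocked:    expected flows that were attempted but denied (a forgotten rule)
    missing:    expected flows never seen at all (nothing even tried)
    unexpected: allowed flows the policy never called for (over-broad rules)"""
    actions = {f: flow_action(f, rules) for f in observed}
    blocked = sorted(f for f in expected if actions.get(f) == "DENY")
    missing = sorted(f for f in expected if f not in actions)
    unexpected = sorted(f for f, a in actions.items()
                        if a == "ALLOW" and f not in expected)
    return blocked, missing, unexpected


# Intended policy, transcribed from the lab's AWS Configuration steps 3-10.
# crm-app1, dc-jumpbox and aws-dns-server are constructed names.
TIERS = ("crm-web1", "crm-app1", "crm-database")
EXPECTED = {
    ("dc-jumpbox", "crm-web1", 80),      # internal users reach Web via the jump-box
    ("crm-web1", "crm-app1", 8080),      # Web -> App
    ("crm-app1", "crm-database", 3306),  # App -> DB
}
EXPECTED |= {("dc-jumpbox", vm, 22) for vm in TIERS}       # ssh from the jump-box
EXPECTED |= {(vm, "aws-dns-server", 53) for vm in TIERS}   # Common Services VPC
EXPECTED |= {(vm, "aws-log-server", 514) for vm in TIERS}  # syslog to the backup service

# Rules as the administrator meant to configure them: an outbound rule on the
# source and a matching inbound rule on the destination for every flow ...
RULES = set()
for src, dst, port in EXPECTED:
    RULES.add(SgRule(src, "outbound", dst, port))
    RULES.add(SgRule(dst, "inbound", src, port))
# ... minus the one the lab says was forgotten: the syslog server's group never
# received the inbound rule for the database tier.
RULES.discard(SgRule("aws-log-server", "inbound", "crm-database", 514))
# Plus a constructed over-broad pair the lab does not describe, so the audit also
# has an unexpected Web -> DB conversation to flag.
RULES.add(SgRule("crm-web1", "outbound", "crm-database", 3306))
RULES.add(SgRule("crm-database", "inbound", "any", 3306))

# Observed flows (constructed): every intended conversation was attempted (the
# database's syslog attempt surfaces as a DENY), plus Web talking straight to DB.
OBSERVED = EXPECTED | {("crm-web1", "crm-database", 3306)}


def run_lab_queries():
    """Reproduce the three Module 4 queries and then run the full policy audit."""
    blocked, missing, unexpected = audit(EXPECTED, OBSERVED, RULES)
    return {
        "log_server_actions": dict(Counter(flows_to("aws-log-server", OBSERVED, RULES).values())),
        "web_rules": rules_between("crm-web1", "aws-log-server", RULES),
        "db_rules": rules_between("crm-database", "aws-log-server", RULES),
        "blocked": blocked, "missing": missing, "unexpected": unexpected,
    }


if __name__ == "__main__":
    for key, value in run_lab_queries().items():
        print(f"{key}: {value}")
```

In the constructed data the database's outbound rule exists but the log server's inbound rule does not, so the DB to syslog flow is the only blocked one and the audit names it directly.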


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



VM Path Topology and VM Underlay

The topology involves both Layer 3 and Layer 2 components and consists of two detailed views:


1. VM Path Topology: This view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details indicates the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details


A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.


Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is powerful enough that these firewall rules are exactly the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, for example in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at their details in this scenario as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as its Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will flow in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. Shows the visual map (Path topology) of all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com and look for vRealize Network Insight.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual understanding of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on Port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
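The firewall queries above locate the missing rule by hand. The same reasoning can be automated: take the intended flows from the VPC design (the numbered setup steps in AWS Configuration) and check each one against the security group rules, reporting which half of a stateful allow-only rule set is absent. The script below is an added example and is not vRNI code or a VMware tool; the security group names (sg-web, sg-db, sg-log and so on), the VM-to-group membership table and the rule set are all constructed for the illustration, with the inbound half of DB to log server on udp/514 deliberately left out so the audit reproduces the lab's finding. `query_rules` mirrors the spirit of the lab's "aws firewall rule where src vm = X and dst vm = Y" search, and `firewall_action` its "firewall action of flows" search, but neither is vRNI's query language.

```python
"""Check an application's intended flows against AWS-style security group rules.

Added example, not vRNI code. Security group names, the membership table and
the rule set are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    group: str        # security group that owns the rule
    direction: str    # "inbound" or "outbound"
    proto: str        # "tcp" or "udp"
    port: int
    peer: str         # peer security group the rule references


@dataclass(frozen=True)
class Flow:
    src: str          # source VM name
    dst: str          # destination VM name
    proto: str
    port: int


# Constructed: VM name -> security group (group names are hypothetical).
MEMBERSHIP: Dict[str, str] = {
    "jump-box": "sg-jump",
    "crm-web1": "sg-web",
    "crm-app1": "sg-app",
    "crm-database": "sg-db",
    "aws-dns-server": "sg-dns",
    "aws-log-server": "sg-log",
}


def _pair(src_group: str, dst_group: str, proto: str, port: int) -> List[Rule]:
    """Both halves a stateful, allow-only rule set needs for one flow:
    an outbound rule on the source group and an inbound rule on the destination."""
    return [Rule(src_group, "outbound", proto, port, dst_group),
            Rule(dst_group, "inbound", proto, port, src_group)]


# Constructed rule set following the lab's CRM design. The inbound half of
# DB -> log server on udp/514 is deliberately absent: that is the omission
# the lab's firewall queries surface.
RULES: List[Rule] = (
    _pair("sg-jump", "sg-web", "tcp", 80)
    + _pair("sg-web", "sg-app", "tcp", 8080)
    + _pair("sg-app", "sg-db", "tcp", 3306)
    + sum((_pair("sg-jump", g, "tcp", 22) for g in ("sg-web", "sg-app", "sg-db")), [])
    + sum((_pair(g, "sg-dns", "udp", 53) for g in ("sg-web", "sg-app", "sg-db")), [])
    + _pair("sg-web", "sg-log", "udp", 514)
    + _pair("sg-app", "sg-log", "udp", 514)
    + [Rule("sg-db", "outbound", "udp", 514, "sg-log")]  # no inbound counterpart on sg-log
)

# Intended flows, transcribed from the lab's VPC design (setup steps 4 to 9).
INTENDED: List[Flow] = (
    [Flow("jump-box", "crm-web1", "tcp", 80),
     Flow("crm-web1", "crm-app1", "tcp", 8080),
     Flow("crm-app1", "crm-database", "tcp", 3306)]
    + [Flow("jump-box", vm, "tcp", 22) for vm in ("crm-web1", "crm-app1", "crm-database")]
    + [Flow(vm, "aws-dns-server", "udp", 53) for vm in ("crm-web1", "crm-app1", "crm-database")]
    + [Flow(vm, "aws-log-server", "udp", 514) for vm in ("crm-web1", "crm-app1", "crm-database")]
)


def query_rules(rules: List[Rule], membership: Dict[str, str],
                src_vm: str, dst_vm: str) -> List[Rule]:
    """Rules that govern src_vm -> dst_vm: outbound rules on the source's group
    that name the destination's group, and inbound rules on the destination's
    group that name the source's group."""
    s, d = membership[src_vm], membership[dst_vm]
    return [r for r in rules
            if (r.group == s and r.direction == "outbound" and r.peer == d)
            or (r.group == d and r.direction == "inbound" and r.peer == s)]


def firewall_action(rules: List[Rule], membership: Dict[str, str],
                    flow: Flow) -> Tuple[str, Optional[str]]:
    """'ALLOW' when both halves match the flow; otherwise 'DENY' plus the missing half."""
    relevant = query_rules(rules, membership, flow.src, flow.dst)
    out_ok = any(r.direction == "outbound" and r.proto == flow.proto and r.port == flow.port
                 for r in relevant)
    in_ok = any(r.direction == "inbound" and r.proto == flow.proto and r.port == flow.port
                for r in relevant)
    if out_ok and in_ok:
        return "ALLOW", None
    missing = []
    if not out_ok:
        missing.append(f"outbound {flow.proto}/{flow.port} on {membership[flow.src]}")
    if not in_ok:
        missing.append(f"inbound {flow.proto}/{flow.port} on {membership[flow.dst]}")
    return "DENY", "; ".join(missing)


def audit(rules: List[Rule], membership: Dict[str, str],
          intended: List[Flow]) -> List[Tuple[Flow, str]]:
    """Every intended flow the rule set would deny, paired with the reason."""
    denied = []
    for flow in intended:
        action, reason = firewall_action(rules, membership, flow)
        if action == "DENY":
            denied.append((flow, reason))
    return denied


if __name__ == "__main__":
    for flow, reason in audit(RULES, MEMBERSHIP, INTENDED):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: missing {reason}")
```

Run as a script, the audit prints one line for the crm-database to aws-log-server flow on udp/514, naming the inbound rule on the log server's group as the missing half; every other designed flow is allowed. Keeping the intended-flow list next to the rule set is the point: a rule change that silently breaks a designed flow shows up as a DENY line instead of as a log server that stops receiving syslog.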

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1. VM Path Topology: this view details the routers, Edges or Logical Distributed Routers (LDRs) that are involved in the VM-to-VM network path and provides the complete routing and NAT information.

2. VM Underlay: the VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

In the field named VM Path Topology:

1. Click on the three dots in the top right corner of the field.
2. Click Maximize.

The view will change and the route will be drawn on the map.

VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We will see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the flow direction of the traffic, in this use case from DBAdmin-VM1 to Prod-Db-2.

On the right hand side, Path Details lists the steps we pass through in each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time on getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message will appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, for example when we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse over) the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse over) the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as its Hosts and VTEPs.

D - Hover (move the mouse cursor over) the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor over) the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will behave in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path Topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path Topology) of all the path objects is shown.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight page on www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, APP and DB.
4. Internal users of the Company can access the Web Tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three tier 'CRM' Application in AWS in one VPC. We shall explore the three tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This reveals the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on port 53 (DNS) and port 514 (syslog).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This reveals the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow view shows only one service: port 53 to aws-DNS-Server. There is effectively no communication to the syslog server (the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot further, the administrator runs three firewall queries to establish why DB to Shared Virtual has no flows on port 514 (syslog).

1. In Chrome, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the search string that was copied when the tab was duplicated and type the new query: firewall action of flows where dst vm = aws-log-server. This returns 5 results: 4 Allow (for the web and midtier instances) and 1 Deny (for the DB).
2. Click Search.
3. Tick the DENY checkbox so we can focus on the denied flow.

We can see a DENY that prevents crm-database from communicating with aws-log-server on port 514, which indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server). Note that AWS security groups contain only allow rules, so the DENY shown here is the implicit default deny that applies when no allow rule on either side matches the flow. The next two queries compare the rules that apply to a working source and to the failing one.

1. In Chrome, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the search string that was copied when the tab was duplicated and replace it with the new query: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This returns 3 results: 1 inbound and 2 outbound rules. This confirms that the communication from crm-web1 to aws-log-server is permitted on both sides.

1. In Chrome, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the search string that was copied when the tab was duplicated and replace it with the new query: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This returns only 2 results, both outbound rules, which explains the firewall behaviour from crm-database to aws-log-server: unlike crm-web1, there is no inbound rule on the aws-log-server side that admits traffic from the database, so the syslog traffic is denied.
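The three queries above, and the flow view before them, are run in the vRealize Network Insight UI. The following Python reproduces the same reasoning offline against a constructed copy of the CRM environment. It is added here as an example and is not code from the lab or from vRealize Network Insight. It applies EC2 security-group semantics (rules are allow-only and stateful; a new connection needs an outbound allow on the source's group and an inbound allow on the destination's group). The instance names come from the lab; the IP addresses, the security-group names (sg-web, sg-app, sg-db, sg-log), the shared-VPC CIDR and the rule sets are assumptions chosen to reproduce the counts the lab reports (4 Allow and 1 Deny; 3 rules for crm-web1, 2 for crm-database).

```python
"""Added example, not code from the HOL lab or from vRealize Network Insight.

Reproduces the lab's three firewall queries offline, using EC2 security-group
semantics: rules are allow-only and stateful, and a new connection needs an
outbound allow on the source's group AND an inbound allow on the destination's
group. IPs, group names, CIDRs and rules below are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp" or "udp"
    from_port: int
    to_port: int
    peer: str        # CIDR such as "10.1.0.0/16", or a group name such as "sg-web"


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    sg: SecurityGroup


def peer_matches(rule: Rule, other: Instance) -> bool:
    """A rule's peer is either another security group or a CIDR block."""
    if rule.peer.startswith("sg-"):
        return other.sg.name == rule.peer
    return ip_address(other.ip) in ip_network(rule.peer)


def rules_between(src: Instance, dst: Instance) -> list:
    """Like 'aws firewall rule where src vm = X and dst vm = Y': every rule on
    either side that could apply to src -> dst, regardless of port."""
    out = [r for r in src.sg.rules if r.direction == "outbound" and peer_matches(r, dst)]
    inb = [r for r in dst.sg.rules if r.direction == "inbound" and peer_matches(r, src)]
    return out + inb


def evaluate(src: Instance, dst: Instance, proto: str, port: int) -> str:
    """ALLOW only if both sides permit. Security groups have no deny rules, so
    DENY means 'no allow rule matched' on at least one side (the default deny)."""
    def permits(rule: Rule, direction: str) -> bool:
        return (rule.direction == direction and rule.proto == proto
                and rule.from_port <= port <= rule.to_port)
    out_ok = any(permits(r, "outbound") for r in src.sg.rules if peer_matches(r, dst))
    in_ok = any(permits(r, "inbound") for r in dst.sg.rules if peer_matches(r, src))
    return "ALLOW" if out_ok and in_ok else "DENY"


SHARED_VPC = "10.1.0.0/16"   # assumed CIDR of the second (shared services) VPC


def tier_group(name: str) -> SecurityGroup:
    """Each CRM tier may send syslog and DNS to the shared VPC: two outbound rules."""
    return SecurityGroup(name, [Rule("outbound", "udp", 514, 514, SHARED_VPC),
                                Rule("outbound", "udp", 53, 53, SHARED_VPC)])


sg_web, sg_app, sg_db = tier_group("sg-web"), tier_group("sg-app"), tier_group("sg-db")
# The log server admits syslog from the web and app groups; nobody added sg-db.
sg_log = SecurityGroup("sg-log", [Rule("inbound", "udp", 514, 514, "sg-web"),
                                  Rule("inbound", "udp", 514, 514, "sg-app")])

INSTANCES = {i.name: i for i in (
    Instance("crm-web1", "10.0.1.10", sg_web), Instance("crm-web2", "10.0.1.11", sg_web),
    Instance("crm-app1", "10.0.2.10", sg_app), Instance("crm-app2", "10.0.2.11", sg_app),
    Instance("crm-database", "10.0.3.10", sg_db),
    Instance("aws-log-server", "10.1.0.20", sg_log))}

# Constructed connection attempts (src, dst, proto, port), as a flow log would record them.
FLOWS = [(src, "aws-log-server", "udp", 514)
         for src in ("crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database")]


def firewall_action_of_flows(dst_name: str) -> dict:
    """Like 'firewall action of flows where dst vm = <dst_name>': source -> verdict."""
    return {s: evaluate(INSTANCES[s], INSTANCES[d], p, port)
            for s, d, p, port in FLOWS if d == dst_name}


def remediated_verdict() -> str:
    """Re-check crm-database -> aws-log-server after adding the missing inbound
    allow to a copy of the log server's group (the original is left untouched)."""
    patched = SecurityGroup("sg-log", sg_log.rules + [Rule("inbound", "udp", 514, 514, "sg-db")])
    log = Instance("aws-log-server", INSTANCES["aws-log-server"].ip, patched)
    return evaluate(INSTANCES["crm-database"], log, "udp", 514)


if __name__ == "__main__":
    print(firewall_action_of_flows("aws-log-server"))          # 4 ALLOW, 1 DENY
    for src in ("crm-web1", "crm-database"):
        rules = rules_between(INSTANCES[src], INSTANCES["aws-log-server"])
        print(src, [(r.direction, r.proto, r.from_port) for r in rules])
    print("after adding inbound 514 from sg-db:", remediated_verdict())
```

Run it directly to print the three query results and the verdict after the fix. The point the model makes explicit: under these assumptions the database already has the outbound rules, so the fix belongs on the aws-log-server security group (an inbound allow from the database's group), and widening the database's outbound rules would change nothing.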

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. It gives one view across public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click the END button; otherwise click a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226


VM Path Topology - Path Details

In this view we get a 360-degree view of both the physical and the virtual network. We see the path of the traffic between two virtual machines. The black arrow at the top of the map indicates the direction of the traffic; in this use case, from DBAdmin-VM1 to Prod-Db-2.

On the right-hand side, Path Details lists the steps we pass through at each hop of the path. The logical flow includes both physical and virtual elements, displaying both overlay and underlay components.

1. Scroll through the path details on the right-hand side to verify the different hops in the path. Notice that we have items such as VMs, physical switches, virtual switches, routers and NICs in the list of details.

Component Overview

On the VM topology map:

1. Click on the top-left icon marked with a red square, the virtual machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box appears with the virtual machine details. This includes a lot of detail made available by VMware Tools; we can, for example, see the network information and the physical host.

A - Please spend some time getting an overview of the information available in this view.

B - Note that the Firewall Status indicates Unknown. In this scenario no NSX firewall is applied to the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were in use but malfunctioning, an error message would appear instead.

1. When done reviewing, close the pop-up window by clicking the (X) in the top-right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This selects the host on which DBAdmin-VM1 is running.

Host - Details

A pop-up box appears containing the physical ESXi host details.

A - Spend some time reviewing the information available for the host. Please do not click on any of the links.

B - Notice that we receive information about both the chassis and the blade this ESXi host is running on. In a real-life environment we could follow the links to get detailed information about the physical environment.

C - Note that there are no NSX components on this host: the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click the (X) in the top-right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box appears containing the DVPG details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled. This is the flow export from the distributed switch that supplies the flow data behind the traffic and micro-segmentation views used elsewhere in this lab.

1. When done reviewing, click the (X) in the top-right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box appears containing the physical VLAN details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click the (X) in the top-right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the switch port for the VM.

Switch Port

A pop-up box appears containing the switch port details.

In this view we are looking purely at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the physical VRF details.

VRF - Physical Switch

A pop-up box appears containing the physical VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. vRealize Network Insight gathers the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.

VRF - Physical Router

A pop-up box appears containing the physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto device. In this view we see its routing table as well as its firewall rules. The firewall rules shown are only those applicable between the two objects we searched for: a production network may carry thousands of rules, but these are the ones affecting communication between the two selected VMs.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.

Note: The Palo Alto integration showcased here is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next physical VRF in the path.

VRF - Physical Switch

A pop-up box appears containing the physical VRF details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. Information is available on routing, gateways, interfaces and so on. This shows that devices from several vendors can be monitored in the same way, which matters when migrating from one vendor to another.

1. When done reviewing, click the (X) in the top-right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of components we looked at previously in this module. We are not going to look at their details in this scenario as they are similar to the ones already discussed.

A - Hover (move the mouse over) the icons marked with red arrow A without clicking on them. Notice the descriptive name.

B - Hover over the icons marked with red arrow B without clicking on them. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box appears containing the VRF details.

A - Please spend some time reviewing the information available for the object. Please do not click on any of the links.

B - The component after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown on the map).

C - In the details we can see the routing table and the routing interface details for this particular VRF.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box appears containing the VXLAN details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the underlay VLAN IDs, the subnet and the underlay subnet.

C - We also have visibility into the primary controller it is using, the hosts and the VTEPs.

D - Hover the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click the X in the top-right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box appears containing the VRF details. From here we reach the in-kernel network (the distributed logical router).

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to reach our corporate network.

C - This device routes for us to a different interface, which in turn routes to the interface on the Prod-DB network as the next step in the path (this is illustrated in the next step).

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown by the arrows).

The first device it hits on the virtual network of that physical host is the firewall. Notice that there are two firewalls next to the VM: one from Palo Alto and one from NSX.

1. From the map, click on the icon marked by a red square to access the NSX firewall details (the top one of the two).

Firewall - NSX

A pop-up box appears containing the firewall details.

A - Spend some time reviewing the information available for the object. Please do not click on any of the links.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.

Redirect on the map - PAN Firewall

Notice again that there are two firewalls next to the VM, one from Palo Alto and one from NSX. We are now going to look at the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based firewall to which traffic is offloaded. The redirect feature lets NSX steer selected traffic to the Palo Alto firewall for inspection, so a flow between these VMs can be subject to both the NSX distributed firewall rules and the Palo Alto rules.

1. When done reviewing, click the (X) in the top-right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life; the return path need not mirror the forward path, so any check of which firewalls or devices a conversation crosses should be done in both directions.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information for the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labelled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine,
2. which changes the focus to the corresponding interface IP address (vNIC),
3. shows the visual map (path topology) of all the path objects, and
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight can trace the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components involved in a network communication.

All the components on the map are based on a snapshot of real-life data. Feel free to click on other icons shown on the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

- Click on this link
- Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

- Module 1 - Micro-Segmentation and Security (30 minutes)
- Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
- Module 3 - Advanced NSX Management & Operations (45 minutes)
- Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click the END button; otherwise click a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight gives full visibility from both an overlay and an underlay perspective; this module focuses on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

- Operational guidance for NSX Manager
- Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this lists three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore the information only - do not click.

- A - Starting with the Timeline, we can manipulate the results simply by dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.
- B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).
- C - Under NSX Checklist Rules - ALL we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.
- D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.
- E - NSX Problems is the key to understanding the issues in NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, which can be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a consequence of something else. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The topology for the NSX environment does not show any load balancer status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activity.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. It highlights a critical condition due to a possible network disruption, as this edge device is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now click the Chrome Back button once to return to the NSX Manager information screen.

Infrastructure Problems - Warning Moderate

- Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of Logical networking out of sync between host and NSX Controller.

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This lets you experience steps that are too time-consuming or resource-intensive to do live in the lab environment. In the simulation you use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It opens in a new browser window or tab.
2. When finished, click the "Return to the lab" link to continue with this lab.

HOL-1829-01-NET

Page 97HOL-1829-01-NET

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via a jump-box.

5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open for internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3. App (the App tier talks to the DB tier on port 3306)
4. DB (the DB tier talks to the Log Servers) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
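The troubleshooting carried out above (the intended CRM policy from the AWS Configuration section, the "firewall action of flows where dst vm = ..." search, and the two per-pair "aws firewall rule where src vm = ... and dst vm = ..." searches) can be reproduced offline with a small model of AWS security groups. The block below is an added example, not code from this lab or from vRealize Network Insight. crm-web1, crm-database, aws-log-server and aws-dns-server are VM names the lab uses; the second web and midtier instances, the sg-* group names and the rule set are constructed so that the only gap is the inbound port 514 entry for the database on the shared-services group, so the rule counts it reports differ from the lab's screenshots.

```python
"""Security-group check for the lab's CRM flows (added example; not vRNI's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security-group entry; peer_sg is the group allowed as the other end."""
    sg: str          # security group that owns the rule
    direction: str   # "inbound" or "outbound"
    port: int        # destination port (constructed simplification: one TCP/UDP port)
    peer_sg: str


@dataclass(frozen=True)
class Flow:
    src: str    # source VM name
    dst: str    # destination VM name
    port: int   # destination port


# Constructed VM-to-security-group mapping that mirrors the lab's layout.
# crm-web1, crm-database, aws-log-server and aws-dns-server are named in the lab;
# the second web/midtier instances and the sg-* group names are assumptions.
INSTANCE_SG = {
    "crm-web1": "sg-web", "crm-web2": "sg-web",
    "crm-midtier1": "sg-app", "crm-midtier2": "sg-app",
    "crm-database": "sg-db",
    "aws-dns-server": "sg-shared", "aws-log-server": "sg-shared",
}

# Constructed rules. Every tier may leave for DNS and syslog, and the shared
# group admits DNS from every tier but syslog only from web and midtier:
# the inbound 514 entry for sg-db is the rule the lab finds was never added.
RULES = [
    Rule("sg-web", "outbound", 8080, "sg-app"),
    Rule("sg-web", "outbound", 53, "sg-shared"),
    Rule("sg-web", "outbound", 514, "sg-shared"),
    Rule("sg-app", "inbound", 8080, "sg-web"),
    Rule("sg-app", "outbound", 3306, "sg-db"),
    Rule("sg-app", "outbound", 53, "sg-shared"),
    Rule("sg-app", "outbound", 514, "sg-shared"),
    Rule("sg-db", "inbound", 3306, "sg-app"),
    Rule("sg-db", "outbound", 53, "sg-shared"),
    Rule("sg-db", "outbound", 514, "sg-shared"),
    Rule("sg-shared", "inbound", 53, "sg-web"),
    Rule("sg-shared", "inbound", 53, "sg-app"),
    Rule("sg-shared", "inbound", 53, "sg-db"),
    Rule("sg-shared", "inbound", 514, "sg-web"),
    Rule("sg-shared", "inbound", 514, "sg-app"),
]

# Intended policy taken from the lab's AWS configuration list.
TIERS = ["crm-web1", "crm-web2", "crm-midtier1", "crm-midtier2", "crm-database"]
INTENDED = (
    [Flow("crm-web1", "crm-midtier1", 8080), Flow("crm-midtier1", "crm-database", 3306)]
    + [Flow(vm, "aws-dns-server", 53) for vm in TIERS]
    + [Flow(vm, "aws-log-server", 514) for vm in TIERS]
)


def required_rules(flow, instance_sg=INSTANCE_SG):
    """The two entries a new connection needs: egress on the source group and
    ingress on the destination group. Security groups are stateful, so the
    reply direction needs nothing."""
    src_sg, dst_sg = instance_sg[flow.src], instance_sg[flow.dst]
    return (Rule(src_sg, "outbound", flow.port, dst_sg),
            Rule(dst_sg, "inbound", flow.port, src_sg))


def firewall_action(flow, rules=RULES, instance_sg=INSTANCE_SG):
    """ALLOW only when both halves exist; security groups are default-deny."""
    egress, ingress = required_rules(flow, instance_sg)
    return "ALLOW" if egress in rules and ingress in rules else "DENY"


def flows_to(dst, flows=INTENDED, rules=RULES):
    """Counterpart of the lab search 'firewall action of flows where dst vm = <dst>'."""
    return {f: firewall_action(f, rules) for f in flows if f.dst == dst}


def rules_between(src, dst, rules=RULES, instance_sg=INSTANCE_SG):
    """Counterpart of 'aws firewall rule where src vm = <src> and dst vm = <dst>':
    only the entries on either end that reference the other end's group."""
    src_sg, dst_sg = instance_sg[src], instance_sg[dst]
    return [r for r in rules
            if (r.sg == src_sg and r.direction == "outbound" and r.peer_sg == dst_sg)
            or (r.sg == dst_sg and r.direction == "inbound" and r.peer_sg == src_sg)]


def missing_rules(flows=INTENDED, rules=RULES, instance_sg=INSTANCE_SG):
    """Entries that must be added for every intended flow to be allowed."""
    needed = []
    for f in flows:
        for r in required_rules(f, instance_sg):
            if r not in rules and r not in needed:
                needed.append(r)
    return needed


if __name__ == "__main__":
    for f, action in flows_to("aws-log-server").items():
        print(f"{f.src:>14} -> {f.dst}:{f.port}  {action}")
    for r in rules_between("crm-database", "aws-log-server"):
        print("rule:", r)
    print("missing:", missing_rules())
```

Security groups are default-deny and stateful, so a new connection needs an outbound entry on the initiator's group and a matching inbound entry on the target's group; missing_rules() names exactly the half that is absent, which is the entry the administrator has to add. The flow from crm-database to aws-dns-server on port 53 still evaluates to ALLOW because that inbound entry exists, which is why the DB flow view showed only port 53.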


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Component Overview

On the VM topology map:

1. Click on the top left icon marked with a red square - the Virtual Machine DBAdmin-VM1.

Virtual Machine - Details

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical host running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, for example in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in the previous steps) are an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes. Instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will behave in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path topology) of all the path objects is shown.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com - vRealize Network Insight.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the Favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the Edge services.

Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all the Edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this Edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view, vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the Favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally, via the Jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter's VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. On vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for Web and Midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
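The intended CRM flows from the AWS Configuration list and the three firewall queries above, as an added Python example that is not part of this lab manual or of vRealize Network Insight: it evaluates each intended flow against security-group style rules on both ends (source outbound and destination inbound) and lists the intended flows the rules deny. The VM names crm-app1 and crm-jumpbox and all rule sets are constructed assumptions; the missing inbound rule on aws-log-server mirrors the gap behind the lab's DENY result.

```python
"""Intended-flow vs. firewall-rule check for the lab's CRM application.

Added example, not from the HOL-1829-01-NET manual or vRealize Network Insight.
A flow counts as allowed only when the source VM has a matching outbound rule
AND the destination VM has a matching inbound rule (stateful security groups).
Rule sets are constructed to mirror what the lab's three firewall queries show;
crm-app1 and crm-jumpbox are assumed VM names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    peer: str        # peer VM name, or "any" (real security groups use CIDRs / SG ids)
    port: int        # destination port
    proto: str = "tcp"


TIERS = ("crm-web1", "crm-app1", "crm-database")

# Design intent from the lab's "AWS Configuration" list: (src, dst, port, proto).
INTENDED_FLOWS = [
    ("crm-jumpbox", "crm-web1", 80, "tcp"),     # users reach the Web tier via the jump-box
    ("crm-jumpbox", "crm-web1", 22, "tcp"),     # the jump-box has SSH to every VM
    ("crm-jumpbox", "crm-app1", 22, "tcp"),
    ("crm-jumpbox", "crm-database", 22, "tcp"),
    ("crm-web1", "crm-app1", 8080, "tcp"),      # Web -> App
    ("crm-app1", "crm-database", 3306, "tcp"),  # App -> DB
]
INTENDED_FLOWS += [(vm, "aws-dns-server", 53, "udp") for vm in TIERS]   # every tier -> DNS
INTENDED_FLOWS += [(vm, "aws-log-server", 514, "udp") for vm in TIERS]  # every tier -> syslog

# Constructed per-VM rule sets for both VPCs.
RULES = {
    "crm-jumpbox": [Rule("outbound", "crm-web1", 80), Rule("outbound", "any", 22)],
    "crm-web1": [
        Rule("inbound", "crm-jumpbox", 80), Rule("inbound", "crm-jumpbox", 22),
        Rule("outbound", "crm-app1", 8080), Rule("outbound", "aws-dns-server", 53, "udp"),
        Rule("outbound", "aws-log-server", 514, "udp"), Rule("outbound", "aws-log-server", 514),
    ],
    "crm-app1": [
        Rule("inbound", "crm-web1", 8080), Rule("inbound", "crm-jumpbox", 22),
        Rule("outbound", "crm-database", 3306), Rule("outbound", "aws-dns-server", 53, "udp"),
        Rule("outbound", "aws-log-server", 514, "udp"),
    ],
    "crm-database": [
        Rule("inbound", "crm-app1", 3306), Rule("inbound", "crm-jumpbox", 22),
        Rule("outbound", "aws-dns-server", 53, "udp"),
        Rule("outbound", "aws-log-server", 514, "udp"), Rule("outbound", "aws-log-server", 514),
    ],
    "aws-dns-server": [Rule("inbound", "any", 53, "udp")],
    "aws-log-server": [
        Rule("inbound", "crm-web1", 514, "udp"), Rule("inbound", "crm-app1", 514, "udp"),
        # No inbound 514 from crm-database: the gap behind the lab's DENY result.
    ],
}


def _matches(rule, direction, peer, port, proto):
    return (rule.direction == direction and rule.peer in (peer, "any")
            and rule.port == port and rule.proto == proto)


def rules_between(src, dst, rules=RULES):
    """Mirror of the lab's 'aws firewall rule where src vm = X and dst vm = Y' query."""
    return {
        "outbound": [r for r in rules.get(src, []) if r.direction == "outbound" and r.peer in (dst, "any")],
        "inbound": [r for r in rules.get(dst, []) if r.direction == "inbound" and r.peer in (src, "any")],
    }


def verdict(src, dst, port, proto="tcp", rules=RULES):
    """("ALLOW", "") or ("DENY", reason): source egress and destination ingress must both permit it."""
    egress = any(_matches(r, "outbound", dst, port, proto) for r in rules.get(src, []))
    ingress = any(_matches(r, "inbound", src, port, proto) for r in rules.get(dst, []))
    reasons = []
    if not egress:
        reasons.append(f"{src}: no outbound rule to {dst} {port}/{proto}")
    if not ingress:
        reasons.append(f"{dst}: no inbound rule from {src} {port}/{proto}")
    return ("DENY", "; ".join(reasons)) if reasons else ("ALLOW", "")


def firewall_action_of_flows_to(dst, rules=RULES):
    """Mirror of 'firewall action of flows where dst vm = X', over the intended flows."""
    return [(src, port, proto, verdict(src, d, port, proto, rules)[0])
            for src, d, port, proto in INTENDED_FLOWS if d == dst]


def policy_gaps(rules=RULES):
    """Intended flows the rule sets would deny, each with the reason."""
    results = [(f, verdict(*f, rules=rules)) for f in INTENDED_FLOWS]
    return [(*f, reason) for f, (action, reason) in results if action == "DENY"]


def with_rule(rules, vm, rule):
    """Copy of the rule sets with one rule added (the remediation the lab implies)."""
    patched = {name: list(rs) for name, rs in rules.items()}
    patched.setdefault(vm, []).append(rule)
    return patched
```

With one VM per tier, the query mirrors return two Allow and one Deny for aws-log-server instead of the lab's four and one, and the same 1 inbound / 2 outbound and 0 inbound / 2 outbound rule counts the lab's second and third queries show.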

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

A pop-up box will appear with the Virtual Machine details in it. This information includes a lot of details made available by VMware Tools. We can, for example, see network information and the physical host in these details.

A - Please spend some time on getting an overview of the information available in this view.

B - Please note that the Firewall Status indicates Unknown. In this scenario there is no NSX firewall utilized in the VM, so vRealize Network Insight displays Unknown as the status. If NSX components were utilized but they were malfunctioning, an error message would appear.

1. When done reviewing, close the pop-up window by clicking on the (X) in the top right corner.

Physical ESXi Hosts

We are now going to look at the physical hosts running ESXi. The large green blocks indicate the ESXi hosts (A) and (B).

1. Click on the large green field on the left side of the map, marked in the picture with a red square. This will select the host where DBAdmin-VM1 is running.

Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time to review what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the Chassis and the Blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on the host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.

DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario, the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario, the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario, the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A, without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B, without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details From here we hit our In-kernelnetwork

A - Spend some time to review what information is available from the object Please donot click on any of the links

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device will route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network of that physical host is the firewall. Notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature lets the NSX distributed firewall hand selected traffic off to the Palo Alto firewall, so both firewalls enforce policy on this path.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis is now run in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the return traffic is routed through Provider-Edge 2. This matches how the traffic actually flows in real life; the forward and return paths are not guaranteed to be the same, which is worth keeping in mind when a stateful firewall sits in only one of them.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components used in a network conversation.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close any browser sessions left over from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore the information only; do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual representation of the topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems is key to understanding the issues in the NSX environment.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, which can be queried in real time. The topology layout displays all the NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of its workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lesson:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close any browser sessions left over from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM contains the CRM application, which comprises three tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM application on port 80 internally via the jump-box.

5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist, as configured by the administrator, but this is in fact the problem area on which we will focus.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

The steps for defining an application were covered in Module 1 (Application-Centric Micro-Segmentation).


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 (DNS and syslog respectively).
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results, both Outbound rules, which explains the firewall behaviour from crm-database to aws-log-server: compared with the crm-web1 result, the Inbound rule on the log server side is missing, so the syslog flow is denied.
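The security group behaviour behind the three queries above, and the intended flows listed under AWS Configuration, can be checked offline. The following added example (not part of the lab or of vRealize Network Insight) models the CRM VPC with constructed IP addresses, security group names and rules that mirror the lab narrative, then evaluates each intended flow the way AWS security groups do: allow-only and stateful, with an outbound rule required on the source and an inbound rule on the destination. The instance names are taken from the lab; everything else is assumed.

```python
"""Model the lab's AWS security groups and evaluate the CRM application's intended
flows the way a 'firewall action of flows' query does.  Added example: the instance
names come from the lab, but the IPs, group names and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp" or "-1" for any protocol
    from_port: int
    to_port: int
    peer: str        # a security-group name or a CIDR


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: tuple    # security groups attached to the instance


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    port: int


# Constructed topology (assumed addresses and group names).
INSTANCES = {i.name: i for i in (
    Instance("jump-box", "10.10.0.5", ("sg-jump",)),
    Instance("crm-web1", "10.10.1.10", ("sg-web",)),
    Instance("crm-app1", "10.10.2.10", ("sg-app",)),
    Instance("crm-database", "10.10.3.10", ("sg-db",)),
    Instance("aws-dns-server", "10.20.1.10", ("sg-shared",)),   # Common Services VPC
    Instance("aws-log-server", "10.20.1.20", ("sg-shared",)),
)}

SECURITY_GROUPS = {
    "sg-jump": [Rule("outbound", "tcp", 22, 22, "10.10.0.0/16")],
    "sg-web": [Rule("inbound", "tcp", 80, 80, "10.0.0.0/8"),        # internal users
               Rule("inbound", "tcp", 22, 22, "sg-jump"),
               Rule("outbound", "tcp", 8080, 8080, "sg-app"),
               Rule("outbound", "udp", 53, 53, "sg-shared"),
               Rule("outbound", "udp", 514, 514, "sg-shared")],
    "sg-app": [Rule("inbound", "tcp", 8080, 8080, "sg-web"),
               Rule("inbound", "tcp", 22, 22, "sg-jump"),
               Rule("outbound", "tcp", 3306, 3306, "sg-db"),
               Rule("outbound", "udp", 53, 53, "sg-shared"),
               Rule("outbound", "udp", 514, 514, "sg-shared")],
    "sg-db": [Rule("inbound", "tcp", 3306, 3306, "sg-app"),
              Rule("inbound", "tcp", 22, 22, "sg-jump"),
              Rule("outbound", "udp", 53, 53, "sg-shared"),
              Rule("outbound", "udp", 514, 514, "sg-shared")],
    # The administrator's mistake: syslog is accepted from the web and app tiers only.
    "sg-shared": [Rule("inbound", "udp", 53, 53, "10.10.0.0/16"),
                  Rule("inbound", "udp", 514, 514, "sg-web"),
                  Rule("inbound", "udp", 514, 514, "sg-app")],
}

_TIERS = ("crm-web1", "crm-app1", "crm-database")
INTENDED_FLOWS = (
    [Flow("crm-web1", "crm-app1", "tcp", 8080), Flow("crm-app1", "crm-database", "tcp", 3306)]
    + [Flow("jump-box", vm, "tcp", 22) for vm in _TIERS]
    + [Flow(vm, svc, "udp", port) for vm in _TIERS
       for svc, port in (("aws-dns-server", 53), ("aws-log-server", 514))]
)


def _peer_matches(peer, other):
    """A peer matches an instance if it names one of its groups or is a CIDR holding its IP."""
    if "/" in peer:
        return ip_address(other.ip) in ip_network(peer, strict=False)
    return peer in other.groups


def _side_allows(instance, direction, other, protocol, port):
    return any(rule.direction == direction
               and rule.protocol in ("-1", protocol)
               and rule.from_port <= port <= rule.to_port
               and _peer_matches(rule.peer, other)
               for group in instance.groups for rule in SECURITY_GROUPS[group])


def evaluate(flow):
    """Return ("ALLOW", None) or ("DENY", recommended rule).  Security groups are
    allow-only and stateful: a new connection needs an outbound rule on the source
    AND an inbound rule on the destination; the reply direction is never checked."""
    src, dst = INSTANCES[flow.src], INSTANCES[flow.dst]
    if not _side_allows(src, "outbound", dst, flow.protocol, flow.port):
        return "DENY", f"{src.groups[0]}: add outbound {flow.protocol}/{flow.port} to {dst.groups[0]}"
    if not _side_allows(dst, "inbound", src, flow.protocol, flow.port):
        return "DENY", f"{dst.groups[0]}: add inbound {flow.protocol}/{flow.port} from {src.groups[0]}"
    return "ALLOW", None


def audit(flows=INTENDED_FLOWS):
    """List every intended flow the security groups would deny, with the fix."""
    denied = []
    for flow in flows:
        verdict, fix = evaluate(flow)
        if verdict == "DENY":
            denied.append((flow, fix))
    return denied


if __name__ == "__main__":
    for flow, fix in audit():
        print(f"DENY {flow.src} -> {flow.dst} {flow.protocol}/{flow.port}: {fix}")
```

Running the file reports the single denied flow, crm-database to aws-log-server on udp/514, together with the missing rule: an inbound rule on the log server's group that references sg-db. That is what the three searches in the lab show as well: two outbound rules exist on the database side, but there is no inbound rule on the receiving side.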


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226



Host - Details

A pop-up box will appear that contains the physical ESXi host details.

A - Spend some time reviewing what information is available from the host. Please do not click on any of the links.

B - Notice that we receive information from both the chassis and the blade that this ESXi host is running on. In a real-life environment we could click on the links to get detailed information about the physical environment.

C - Note that there are no NSX components on this host. For example, we can see that the Control Plane Sync Status is unknown and the Number of VTEPs is 0.

1. When done reviewing, click on the (X) in the top right corner.


DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.


B - Notice that IPFIX is enabled. IPFIX export from the distributed switch is the source of the flow data that vRealize Network Insight analyses, so a port group without it contributes no flows.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the switch port for the VM.


Switch Port

A pop-up box will appear that contains the switch port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1 When done reviewing click on the (X) in the top right corner of the pop-up box

HOL-1829-01-NET

Page 64HOL-1829-01-NET

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as the firewall rules. The vRealize Network Insight platform is so powerful that the firewall rules shown are the ones applicable between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, for example when we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top of rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. Shows the visual map (Path topology) of all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight product pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue icon + to expand the detailed view of the Logical networking out of sync between host and NSX Controller.

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the Company can access the Web Tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three tier 'CRM' Application in AWS in one VPC. We shall explore the three tier system logic in the proceeding steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow Line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Port 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
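The three queries above approach the same gap from two directions: what the flow records show, and what the rule set permits. The Python below is an added example, not part of the HOL-1829-01-NET lab manual or of vRealize Network Insight: it transcribes the CRM tier communication matrix from the AWS Configuration section into an intended-flow set, evaluates it against a constructed security-group-style rule set that lacks the database-to-syslog rule, and compares it with a constructed set of observed flows. The VM names crm-web1, crm-database, aws-log-server and aws-DNS-Server and the ports 8080, 3306, 53 and 514 come from the lab text; the name crm-app1, the rule fields, the first-match evaluation with an implicit deny, and every rule and flow record are assumptions of this example.

```python
"""Audit an intended tier communication matrix against firewall rules and flows.

Added example, not part of the HOL-1829-01-NET lab manual or of vRealize
Network Insight. VM names (crm-web1, crm-database, aws-log-server,
aws-DNS-Server) and ports (8080, 3306, 53, 514) follow the lab text; the
name crm-app1, the rule format, the first-match/implicit-deny evaluation and
every rule and flow record below are constructed assumptions of this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

Flow = Tuple[str, str, int]  # (source VM, destination VM, destination port)


@dataclass(frozen=True)
class Rule:
    src: str     # source VM name, or "*" for any source
    dst: str     # destination VM name, or "*" for any destination
    port: int    # destination port, 0 meaning any port
    action: str  # "ALLOW" or "DENY"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in ("*", src)
                and self.dst in ("*", dst)
                and self.port in (0, port))


def decide(rules: Iterable[Rule], src: str, dst: str, port: int) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; no match is an implicit DENY (assumed model)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action, rule
    return "DENY", None


# Intended matrix, transcribed from the lab's AWS Configuration section.
INTENDED: Set[Flow] = {
    ("crm-web1", "crm-app1", 8080),          # Web tier -> App tier
    ("crm-app1", "crm-database", 3306),      # App tier -> DB tier
    ("crm-web1", "aws-DNS-Server", 53),      # every tier -> DNS
    ("crm-app1", "aws-DNS-Server", 53),
    ("crm-database", "aws-DNS-Server", 53),
    ("crm-web1", "aws-log-server", 514),     # every tier -> syslog
    ("crm-app1", "aws-log-server", 514),
    ("crm-database", "aws-log-server", 514),
}

# Constructed rule set: syslog is allowed for web and app, never for the DB.
RULES: List[Rule] = [
    Rule("crm-web1", "crm-app1", 8080, "ALLOW"),
    Rule("crm-app1", "crm-database", 3306, "ALLOW"),
    Rule("*", "aws-DNS-Server", 53, "ALLOW"),
    Rule("crm-web1", "aws-log-server", 514, "ALLOW"),
    Rule("crm-app1", "aws-log-server", 514, "ALLOW"),
    Rule("*", "*", 0, "DENY"),  # explicit catch-all deny
]

# Constructed observed flows, as a flow collector would report them.
OBSERVED: Set[Flow] = {
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    ("crm-web1", "aws-DNS-Server", 53),
    ("crm-app1", "aws-DNS-Server", 53),
    ("crm-database", "aws-DNS-Server", 53),
    ("crm-web1", "aws-log-server", 514),
    ("crm-app1", "aws-log-server", 514),
}


def blocked_intended_flows(intended: Set[Flow], rules: List[Rule]) -> List[Tuple[str, str, int, str]]:
    """Intended flows the rule set denies, naming the denying rule or 'implicit'."""
    out = []
    for src, dst, port in sorted(intended):
        action, rule = decide(rules, src, dst, port)
        if action == "DENY":
            why = "implicit" if rule is None else f"{rule.src}->{rule.dst}:{rule.port}"
            out.append((src, dst, port, why))
    return out


def missing_flows(intended: Set[Flow], observed: Set[Flow]) -> Set[Flow]:
    """Intended flows that never appeared in the observed flow records."""
    return set(intended) - set(observed)


def action_summary(rules: List[Rule], flows: Set[Flow], dst: str) -> Dict[str, int]:
    """Count of ALLOW/DENY verdicts for flows towards dst (like the lab's first query)."""
    return dict(Counter(decide(rules, s, d, p)[0] for s, d, p in flows if d == dst))


def rules_for_pair(rules: List[Rule], src: str, dst: str) -> List[Rule]:
    """Rules that can apply to a src/dst pair (like the lab's per-pair rule queries)."""
    return [r for r in rules if r.src in ("*", src) and r.dst in ("*", dst)]


if __name__ == "__main__":
    for item in blocked_intended_flows(INTENDED, RULES):
        print("intended flow denied by rules:", item)
    for item in sorted(missing_flows(INTENDED, OBSERVED)):
        print("intended flow never observed:", item)
    print("verdicts towards aws-log-server:", action_summary(RULES, INTENDED, "aws-log-server"))
    for rule in rules_for_pair(RULES, "crm-database", "aws-log-server"):
        print("rule for crm-database -> aws-log-server:", rule)
```

Running it reports the single intended flow the rules deny (crm-database to aws-log-server on 514, caught by the catch-all) and the same flow as the only one never observed. Checking the rule set and the flow records independently is the point: a missing allow rule shows up in both views, while an allow rule that exists but whose traffic never appears would show up only in the flow view, pointing at the workload rather than the firewall.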


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
DVPG on the map

We are now going to look at the DVPG (Distributed Virtual Port Group) the VM uses to connect to the network.

1. On the map, click on the little blue box marked by a red square on vlan-629.

DVPG

A pop-up box will appear that contains the DVPG details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

HOL-1829-01-NET

Page 59HOL-1829-01-NET

B - Notice that IPFIX is enabled. IPFIX export from the port group is what feeds the flow records vRealize Network Insight uses for its flow and micro-segmentation views; a port group without it is invisible to that analysis.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto Networks firewall acting as a routed hop. In this view we will see the routing table as well as the firewall rules. The firewall rules shown are only those applicable between the two objects we searched for: a normal network probably has thousands of firewall rules, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.
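The point above, that a path analysis reduces thousands of rules to the handful that can apply between the two endpoints, is a filtering problem that is easy to show in code. The Python below is an added example and not code from the lab or from vRealize Network Insight: an ordered, first-match policy is filtered to the rules whose source and destination ranges both contain the endpoint pair, the effective verdict for one port is evaluated, and the verdicts of two firewalls on the same path (as with the Palo Alto and NSX firewalls later in this module) are combined, since a flow is only permitted when every firewall in the path permits it. Rule names, addresses and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                          # CIDR or "any"
    dst: str                          # CIDR or "any"
    proto: str                        # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]]  # inclusive (low, high); None means any port
    action: str                       # "allow" or "deny"


def _covers(cidr: str, ip: str) -> bool:
    """True when the rule's address term includes this IP."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def applicable_rules(policy: List[Rule], src_ip: str, dst_ip: str) -> List[Rule]:
    """Keep, in policy order, only rules whose source and destination ranges both contain
    the endpoint pair; any other rule can never fire for this conversation."""
    return [r for r in policy if _covers(r.src, src_ip) and _covers(r.dst, dst_ip)]


def verdict(policy: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """First-match evaluation over the applicable rules; implicit deny if nothing matches."""
    for r in applicable_rules(policy, src_ip, dst_ip):
        if r.proto not in ("any", proto):
            continue
        if r.ports is not None and not (r.ports[0] <= port <= r.ports[1]):
            continue
        return r.name, r.action
    return "implicit-deny", "deny"


def path_verdict(firewalls: Dict[str, List[Rule]], src_ip: str, dst_ip: str,
                 proto: str, port: int) -> Tuple[bool, Dict[str, Tuple[str, str]]]:
    """A flow crossing several firewalls (here a perimeter firewall and a distributed
    firewall) is allowed only if every one of them allows it."""
    results = {name: verdict(policy, src_ip, dst_ip, proto, port)
               for name, policy in firewalls.items()}
    allowed = all(action == "allow" for _, action in results.values())
    return allowed, results


# Constructed rulesets; every name and address below is invented for the example.
PERIMETER = [
    Rule("block-legacy-net", "10.10.0.0/16", "any", "any", None, "deny"),
    Rule("web-to-midtier", "172.16.10.0/24", "172.16.20.0/24", "tcp", (8080, 8080), "allow"),
    Rule("midtier-to-db", "172.16.20.0/24", "172.16.30.0/24", "tcp", (3306, 3306), "allow"),
    Rule("mgmt-ssh", "192.168.110.0/24", "any", "tcp", (22, 22), "allow"),
    Rule("dns-out", "any", "172.16.40.53/32", "udp", (53, 53), "allow"),
    Rule("deny-all", "any", "any", "any", None, "deny"),
]
DISTRIBUTED = [
    Rule("dfw-midtier-to-db", "172.16.20.0/24", "172.16.30.0/24", "tcp", (3306, 3306), "allow"),
    Rule("dfw-default-deny", "any", "any", "any", None, "deny"),
]
FIREWALLS = {"perimeter": PERIMETER, "distributed": DISTRIBUTED}

if __name__ == "__main__":
    src, dst = "172.16.20.5", "172.16.30.10"
    print("applicable:", [r.name for r in applicable_rules(PERIMETER, src, dst)])
    print("tcp/3306:", path_verdict(FIREWALLS, src, dst, "tcp", 3306))
    print("tcp/3307:", path_verdict(FIREWALLS, src, dst, "tcp", 3307))
```

Filtering on source and destination alone keeps every any/any rule, which is why the final deny-all shows up for every pairing; the same property makes the filtered list a quick way to spot a broad rule shadowing a specific one below it. Note also that the management SSH flow is allowed by the perimeter policy but still dropped by the distributed firewall, which is why both firewalls on the path have to be read together.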

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. Information is available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, which matters when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse) over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse) over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The components we are looking at after the Arista device (described in the previous steps) are an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), underlay VLAN IDs, subnet and underlay subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based firewall to which traffic can be offloaded. The NSX redirect feature steers the traffic matched by a redirect rule from the NSX firewall to the PAN firewall for inspection, so both rule sets apply to the flow.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic flows in real life. Checking the return path matters whenever stateful firewalls sit on the path, because a firewall that only sees one direction of a flow cannot track its state.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, on the right side of the VM Path topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (Path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight product page at http://www.vmware.com.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight gives us full visibility from both an overlay and an underlay perspective; this module focuses on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on) the red triangle to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now click the Chrome Back button once to return to the NSX Manager information screen.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the advanced management operations capability of vRealize Network Insight. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs (EC2 instances), Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area our focus will be on.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Define an Application).

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 in the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on port 53 (DNS) and port 514 (syslog).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service: port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service). A database that cannot ship its logs is a security finding as much as an operational one, since its audit trail is silently lost.
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for the web and midtier VMs) and 1 Deny (for the DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server: the database's own group lets the traffic out, but unlike crm-web1 there is no Inbound rule on the log server's side to admit it.
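The three queries above make the administrator reason about AWS security-group semantics by hand: an outbound rule on the sender's groups and an inbound rule on the receiver's groups must both permit a connection, so two Outbound rules with no matching Inbound rule produce the DENY seen for crm-database. The Python below is an added example, not part of the lab or of vRealize Network Insight, that evaluates constructed security groups for the CRM tiers and the shared-services group the same way, reproduces the 4 ALLOW / 1 DENY result for traffic to aws-log-server, and lists which intended flows are absent from an observed flow set. All group ids, addresses and the choice of UDP for syslog are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SgRule:
    proto: str        # "tcp", "udp" or "-1" (AWS notation for all traffic)
    from_port: int
    to_port: int
    peer: str         # a security group id ("sg-...") or a CIDR


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[SgRule] = field(default_factory=list)
    outbound: List[SgRule] = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    sgs: List[str]    # security groups attached to the instance


def _matches(rule: SgRule, proto: str, port: int, peer: Instance) -> bool:
    """Does this rule cover the protocol/port for the given peer instance?"""
    if rule.proto != "-1":
        if rule.proto != proto or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.peer.startswith("sg-"):   # group reference: match on membership, not address
        return rule.peer in peer.sgs
    return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(rule.peer, strict=False)


def sg_verdict(groups: Dict[str, SecurityGroup], src: Instance, dst: Instance,
               proto: str, port: int) -> str:
    """Security groups are stateful and default-deny inbound: a new connection is allowed
    only if an outbound rule on the source AND an inbound rule on the destination permit it."""
    out_ok = any(_matches(r, proto, port, dst) for g in src.sgs for r in groups[g].outbound)
    in_ok = any(_matches(r, proto, port, src) for g in dst.sgs for r in groups[g].inbound)
    return "ALLOW" if out_ok and in_ok else "DENY"


def flows_to(groups, instances, src_names, dst_name, proto, port) -> List[Tuple[str, str]]:
    """Verdict for each named source sending proto/port to dst_name: the lab's
    'firewall action of flows where dst vm = ...' view, derived from the rules."""
    dst = instances[dst_name]
    return [(n, sg_verdict(groups, instances[n], dst, proto, port)) for n in src_names]


def missing_flows(intended, observed):
    """Intended (src, dst, proto, port) tuples that never appeared in the observed flows."""
    return sorted(set(intended) - set(observed))


# --- constructed data standing in for the lab's CRM and Common Services VPCs ------------
ALL_OUT = SgRule("-1", 0, 65535, "0.0.0.0/0")          # the AWS default outbound rule
GROUPS = {
    "sg-web": SecurityGroup("sg-web", outbound=[ALL_OUT]),
    "sg-app": SecurityGroup("sg-app", outbound=[ALL_OUT]),
    # DB tier: only two explicit outbound rules, DNS and syslog to the shared-services group
    "sg-db": SecurityGroup("sg-db", outbound=[SgRule("udp", 53, 53, "sg-shared"),
                                              SgRule("udp", 514, 514, "sg-shared")]),
    # shared services: DNS from the whole CRM VPC, syslog only from the web and app groups.
    # The administrator's mistake is the missing 514 entry for sg-db.
    "sg-shared": SecurityGroup("sg-shared",
                               inbound=[SgRule("udp", 53, 53, "10.0.0.0/16"),
                                        SgRule("udp", 514, 514, "sg-web"),
                                        SgRule("udp", 514, 514, "sg-app")],
                               outbound=[ALL_OUT]),
}
INSTANCES = {i.name: i for i in [
    Instance("crm-web1", "10.0.1.11", ["sg-web"]),
    Instance("crm-web2", "10.0.1.12", ["sg-web"]),
    Instance("crm-app1", "10.0.2.11", ["sg-app"]),
    Instance("crm-app2", "10.0.2.12", ["sg-app"]),
    Instance("crm-database", "10.0.3.11", ["sg-db"]),
    Instance("aws-log-server", "10.1.0.14", ["sg-shared"]),
    Instance("aws-dns-server", "10.1.0.53", ["sg-shared"]),
]}
CRM_TIERS = ["crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database"]

# Flows the design requires, versus flows a collector actually saw (constructed: the DB's
# syslog flow never appears because the inbound rule is missing).
INTENDED = [(n, "aws-log-server", "udp", 514) for n in CRM_TIERS]
OBSERVED = [f for f in INTENDED if f[0] != "crm-database"]

if __name__ == "__main__":
    for src, action in flows_to(GROUPS, INSTANCES, CRM_TIERS, "aws-log-server", "udp", 514):
        print(f"{src:14} -> aws-log-server udp/514 : {action}")
    print("missing flows:", missing_flows(INTENDED, OBSERVED))
```

The two checks are deliberately separate: `sg_verdict` answers "would the rules allow this?" from configuration alone, while `missing_flows` compares the design against what was actually observed. Either one on its own can mislead (rules can allow traffic that never happens, and an observed gap can have a cause other than the firewall); agreeing on the same missing crm-database flow is what pins the cause on the absent inbound rule.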

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226

                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

B - Notice that IPFIX is enabled.

1. When done reviewing, click on the (X) in the top right corner.

VLAN-629 on the map

This is a brownfield network, as indicated by the physical network components currently displayed on the map.

1. On the map, click on the grey line marked by a red square on vlan-629.

VLAN Network

A pop-up box will appear that contains the physical VLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.

Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop in the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop in the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop in the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will behave in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. The visual map (Path topology) shows all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2!

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com/vrealize network insight

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3!

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Port 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
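As an added example (not the lab's own code and not a vRealize Network Insight API), the Python below encodes the CRM design from the AWS Configuration steps as expected flows and checks a constructed, ordered rule set against it, surfacing the same gap the three queries above find: no allow rule from crm-database to aws-log-server on port 514. Tier names, UDP as the syslog transport and first-match rule ordering with a final catch-all deny are assumptions.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Flow:
    """One expected communication: source, destination, protocol, destination port."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Rule:
    """One firewall / security group rule; "*" matches any value."""
    src: str
    dst: str
    proto: str
    port_from: int
    port_to: int
    action: str  # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (self.src in ("*", flow.src)
                and self.dst in ("*", flow.dst)
                and self.proto in ("*", flow.proto)
                and self.port_from <= flow.port <= self.port_to)


def evaluate(rules: Sequence[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def unpermitted_flows(rules: Sequence[Rule], expected: Sequence[Flow]) -> List[Flow]:
    """Expected flows the rule set does not allow: the lab's missing-rule case."""
    return [flow for flow in expected if evaluate(rules, flow) != "allow"]


def suggested_rules(missing: Sequence[Flow]) -> List[Rule]:
    """Narrowest allow rule per missing flow: one source, one destination, one port."""
    return [Rule(f.src, f.dst, f.proto, f.port, f.port, "allow") for f in missing]


# Hypothetical names following the lab's CRM topology (crm-database and
# aws-log-server are the lab's; the others are assumed tier names).
WEB, APP, DB = "crm-web", "crm-app", "crm-database"
JUMP, DNS, LOG = "jump-box", "aws-dns-server", "aws-log-server"
TIERS = (WEB, APP, DB)

# Documented design (AWS Configuration steps 4 to 9). Syslog over UDP is assumed.
EXPECTED_FLOWS = [
    Flow(JUMP, WEB, "tcp", 80),
    Flow(WEB, APP, "tcp", 8080),
    Flow(APP, DB, "tcp", 3306),
    *(Flow(JUMP, t, "tcp", 22) for t in TIERS),
    *(Flow(t, DNS, "udp", 53) for t in TIERS),
    *(Flow(t, LOG, "udp", 514) for t in TIERS),
]

# Constructed rule set, evaluated in order. The DB -> log server allow was never
# added, so that flow falls through to the final catch-all deny.
CONFIGURED_RULES = [
    Rule(JUMP, "*", "tcp", 22, 22, "allow"),
    Rule(JUMP, WEB, "tcp", 80, 80, "allow"),
    Rule(WEB, APP, "tcp", 8080, 8080, "allow"),
    Rule(APP, DB, "tcp", 3306, 3306, "allow"),
    Rule("*", DNS, "udp", 53, 53, "allow"),
    Rule(WEB, LOG, "udp", 514, 514, "allow"),
    Rule(APP, LOG, "udp", 514, 514, "allow"),
    Rule("*", "*", "*", 0, 65535, "deny"),
]


def audit():
    """Return (flows the rules block, allow rules that would close each gap)."""
    missing = unpermitted_flows(CONFIGURED_RULES, EXPECTED_FLOWS)
    return missing, suggested_rules(missing)


if __name__ == "__main__":
    blocked, fixes = audit()
    for flow, fix in zip(blocked, fixes):
        print(f"blocked: {flow.src} -> {flow.dst} {flow.proto}/{flow.port}; add: {fix}")
```

Because evaluation is first-match, a suggested allow rule must be inserted before the catch-all deny to take effect.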

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the VLAN ID. This is the actual VLAN in use.

C - VM Count states 12. This is the number of VMs located on this VLAN in the entire environment.

D - Under Hosts we can see that this is 28 (27+1). This is the number of hosts that have a connection to this VLAN in the entire environment.

1. When done reviewing, click on the (X) in the top right corner.

Switch ports on the map

1. From the map, click on the icon marked by a red square to select the Switch Port for the VM.


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received on. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details of the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, for example when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icon marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icon marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as the Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will flow in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. The visual map (Path topology) shows all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of the Logical networking out of sync between host and NSX Controller.


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web Tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to the Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on Port 22.
2. Click X to continue.

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Switch Port

A pop-up box will appear that contains the Switch Port details.

In this view we are purely looking at layer 3 and the connectivity to those layer 3 devices. Later in this module we will see some of the layer 2 devices.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this view we can see the physical NIC the traffic is transmitted from and received to. In this scenario it is a NIC on a UCS fabric. We can also see the VLANs, interface speed, port and other details on the NIC.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the firewall rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse) over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover (move the mouse) over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight is providing us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.
• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).
• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.
• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.
• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select the Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of the "Logical networking out of sync between host and NSX Controller" issue.

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.
2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, APP and DB.
4. Internal users of the Company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs TheCRM Application in AWS VPC has already been created for you

Application creation steps have been discussed in Module 3

HOL-1829-01-NET

Page 104HOL-1829-01-NET

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (App tier talks to DB tier on port 3306).
4. DB (DB tier talks to Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
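
The allow-list logic behind the three queries above, as an added example that is not part of this lab or of vRealize Network Insight: it checks the planned CRM VPC traffic from the AWS Configuration section against a constructed security-group rule set and reports the flow no rule covers, the DB to aws-log-server syslog flow, together with which half of the rule pair (outbound on the source group or inbound on the destination group) is absent. The group names, the tcp/udp protocols and the instance names crm-app1 and jump-box are assumptions.

```python
"""Constructed audit of the lab's CRM VPC: which planned flows lack an allow rule?"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One security-group entry (constructed model of an AWS SG rule)."""
    group: str       # security group that carries the rule
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp" or "udp"
    port: int
    peer: str        # referenced peer security group


@dataclass(frozen=True)
class Flow:
    """A planned communication, as listed under AWS Configuration."""
    src: str
    dst: str
    proto: str
    port: int


# Instance -> security group. crm-web1, crm-database, aws-log-server and
# aws-DNS-Server are named in the lab; the other names and all group names are assumed.
MEMBERSHIP: Dict[str, str] = {
    "jump-box": "sg-jump",
    "crm-web1": "sg-web",
    "crm-app1": "sg-app",
    "crm-database": "sg-db",
    "aws-DNS-Server": "sg-shared",
    "aws-log-server": "sg-shared",
}


def pair(src_sg: str, dst_sg: str, proto: str, port: int) -> List[Rule]:
    """Both halves a security-group allow-list needs for one flow: an outbound
    rule on the source group and an inbound rule on the destination group."""
    return [Rule(src_sg, "outbound", proto, port, dst_sg),
            Rule(dst_sg, "inbound", proto, port, src_sg)]


def build_rules() -> List[Rule]:
    """Constructed rule set matching the lab topology. The inbound half of
    sg-db -> sg-shared on 514 is deliberately omitted: that is the rule the lab
    finds the AWS admin forgot to add. Protocols (tcp/udp) are assumptions."""
    rules: List[Rule] = []
    rules += pair("sg-web", "sg-app", "tcp", 8080)       # Web tier -> App tier
    rules += pair("sg-app", "sg-db", "tcp", 3306)        # App tier -> DB tier
    for sg in ("sg-web", "sg-app", "sg-db"):
        rules += pair("sg-jump", sg, "tcp", 22)          # jump-box -> every tier (SSH)
        rules += pair(sg, "sg-shared", "udp", 53)        # every tier -> DNS
    rules += pair("sg-web", "sg-shared", "udp", 514)     # Web tier -> syslog
    rules += pair("sg-app", "sg-shared", "udp", 514)     # App tier -> syslog
    rules.append(Rule("sg-db", "outbound", "udp", 514, "sg-shared"))  # DB: outbound only
    return rules


def expected_flows() -> List[Flow]:
    """Traffic the lab's AWS Configuration section says must exist."""
    flows = [Flow("crm-web1", "crm-app1", "tcp", 8080),
             Flow("crm-app1", "crm-database", "tcp", 3306)]
    for vm in ("crm-web1", "crm-app1", "crm-database"):
        flows.append(Flow("jump-box", vm, "tcp", 22))
        flows.append(Flow(vm, "aws-DNS-Server", "udp", 53))
        flows.append(Flow(vm, "aws-log-server", "udp", 514))
    return flows


def missing_halves(flow: Flow, rules: List[Rule]) -> List[str]:
    """Which half of the allow pair is absent for this flow. Security groups
    deny by default, so any missing half means the flow is dropped; an empty
    list means the flow is allowed."""
    src_sg, dst_sg = MEMBERSHIP[flow.src], MEMBERSHIP[flow.dst]
    wanted = {
        "outbound": Rule(src_sg, "outbound", flow.proto, flow.port, dst_sg),
        "inbound": Rule(dst_sg, "inbound", flow.proto, flow.port, src_sg),
    }
    present = set(rules)  # Rule is frozen, hence hashable
    return [half for half, rule in wanted.items() if rule not in present]


def audit(flows: List[Flow], rules: List[Rule]) -> List[Tuple[Flow, List[str]]]:
    """Every planned flow the rule set does not fully allow, with the missing
    half, so the report names the exact rule to add rather than just DENY."""
    report = []
    for flow in flows:
        missing = missing_halves(flow, rules)
        if missing:
            report.append((flow, missing))
    return report


if __name__ == "__main__":
    for flow, missing in audit(expected_flows(), build_rules()):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: "
              f"no {' and '.join(missing)} allow rule")
```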

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Physical VRF on the map

1. From the map, click on the icon marked by a red square to access the Physical VRF details.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. The vRealize Network Insight platform is so powerful that these firewall rules are the applicable firewall rules between the two objects we searched for. There are probably going to be thousands of firewall rules in a normal network, but these are the rules affecting the communication between the two selected VMs.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, its Hosts and its VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (VNIC).
3. Shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this visual understanding of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) Supports Amazon Web Services (AWS) PublicCloud The vRNI traffic monitoring features provide visibility into native AWS constructssuch as Virtual Private Clouds VMs Security Groups firewall rules and tags vRNI alsoanalyzes AWS traffic flows to provide security and micro-segmentation views of cloudworkloads This means youll be able to plan micro-segmentation and understand trafficpatterns using data collected from your AWS instances

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup used for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises three tiers: Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via a jump box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal data center VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist, as configured by the administrator. This is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Define an Application).


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally)
3. App (the App tier talks to the DB tier on port 3306)
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 (DNS) and 514 (syslog).
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow detail reveals only one service: port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which provides the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).


1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when the previous tab was duplicated) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results: 4 Allow (for the web and mid tiers) and 1 Deny (for the DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the denied flow.

We can see a DENY result that prevents crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server). AWS security groups contain only allow rules, so the DENY that vRNI reports is the implicit deny applied to any traffic that no rule permits.


1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when the previous tab was duplicated) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This will return 3 results: 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when the previous tab was duplicated) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server. Unlike crm-web1, crm-database has no Inbound rule on aws-log-server admitting its traffic, which is why the port 514 flow is denied.
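The queries above show why the lab's DB-to-syslog flow fails: security groups are stateful allow-lists, so a flow needs an outbound rule on the source's group and an inbound rule on the destination's group, and crm-database only has the former. The following Python is an added example, not part of the HOL lab guide and not vRealize Network Insight code, that reproduces the same check offline against the whole CRM communication matrix described in the AWS Configuration section, and names which side (egress or ingress) lacks a rule. The security-group ids (sg-web, sg-db, sg-shared and so on), the rule records and the use of UDP for DNS and syslog are assumptions made for the example; the record shape follows the IpPermissions / IpPermissionsEgress lists returned by EC2 describe-security-groups, while the instance names and ports come from the lab scenario.

```python
"""Added example (not from the HOL lab): check the CRM application's intended
flows against AWS security-group rules.

Security groups are stateful allow-lists with no explicit deny; a flow works
only if the source group allows the egress AND the destination group allows
the ingress. All records below are constructed. Their shape follows the
IpPermissions / IpPermissionsEgress lists of EC2 describe-security-groups;
group ids are invented, instance names and ports come from the lab. Only
group-to-group peers and 0.0.0.0/0 are evaluated (no general CIDR matching)."""
import copy

# Constructed: lab instance -> (invented) security-group id.
INSTANCE_SG = {"jump-box": "sg-jump", "crm-web1": "sg-web", "crm-app1": "sg-app",
               "crm-database": "sg-db", "aws-DNS-Server": "sg-shared",
               "aws-log-server": "sg-shared"}
ALL_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

def peer(sg, proto, port):
    """One rule admitting proto/port to or from another security group."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": sg}]}

# Constructed groups. sg-shared admits syslog (514) from web and app but not
# from db: the rule the lab says the AWS admin forgot to add.
SECURITY_GROUPS = {
    "sg-jump": {"IpPermissions": [], "IpPermissionsEgress": [ALL_EGRESS]},
    "sg-web": {
        "IpPermissions": [peer("sg-jump", "tcp", 80), peer("sg-jump", "tcp", 22)],
        "IpPermissionsEgress": [peer("sg-app", "tcp", 8080), peer("sg-shared", "udp", 53),
                                peer("sg-shared", "udp", 514)]},
    "sg-app": {
        "IpPermissions": [peer("sg-web", "tcp", 8080), peer("sg-jump", "tcp", 22)],
        "IpPermissionsEgress": [peer("sg-db", "tcp", 3306), peer("sg-shared", "udp", 53),
                                peer("sg-shared", "udp", 514)]},
    "sg-db": {
        "IpPermissions": [peer("sg-app", "tcp", 3306), peer("sg-jump", "tcp", 22)],
        # Two outbound rules, as the lab's query for crm-database reports.
        "IpPermissionsEgress": [peer("sg-shared", "udp", 53), peer("sg-shared", "udp", 514)]},
    "sg-shared": {
        "IpPermissions": [peer(sg, "udp", 53) for sg in ("sg-web", "sg-app", "sg-db")]
                         + [peer("sg-web", "udp", 514), peer("sg-app", "udp", 514)],
        "IpPermissionsEgress": [ALL_EGRESS]},
}

# The communication matrix the lab describes (UDP for DNS and syslog is assumed).
INTENDED_FLOWS = [
    ("jump-box", "crm-web1", "tcp", 80), ("jump-box", "crm-web1", "tcp", 22),
    ("jump-box", "crm-app1", "tcp", 22), ("jump-box", "crm-database", "tcp", 22),
    ("crm-web1", "crm-app1", "tcp", 8080), ("crm-app1", "crm-database", "tcp", 3306),
] + [(tier, svc, "udp", port)
     for tier in ("crm-web1", "crm-app1", "crm-database")
     for svc, port in (("aws-DNS-Server", 53), ("aws-log-server", 514))]

def rule_matches(rule, proto, port, peer_sg):
    """Does one rule admit proto/port for traffic to or from peer_sg?"""
    if rule["IpProtocol"] != "-1":  # "-1" means every protocol and port
        if rule["IpProtocol"] != proto:
            return False
        if not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
    if any(p["GroupId"] == peer_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    return any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", []))

def flow_allowed(groups, src, dst, proto, port):
    """(egress allowed by src's group, ingress allowed by dst's group)."""
    src_sg, dst_sg = INSTANCE_SG[src], INSTANCE_SG[dst]
    egress = any(rule_matches(r, proto, port, dst_sg)
                 for r in groups[src_sg]["IpPermissionsEgress"])
    ingress = any(rule_matches(r, proto, port, src_sg)
                  for r in groups[dst_sg]["IpPermissions"])
    return egress, ingress

def audit(groups, flows=INTENDED_FLOWS):
    """Intended flows not fully allowed, naming the side that lacks a rule."""
    findings = []
    for src, dst, proto, port in flows:
        egress, ingress = flow_allowed(groups, src, dst, proto, port)
        if not egress:
            findings.append((src, dst, proto, port, "egress on " + INSTANCE_SG[src]))
        elif not ingress:
            findings.append((src, dst, proto, port, "ingress on " + INSTANCE_SG[dst]))
    return findings

def with_ingress(groups, sg, peer_sg, proto, port):
    """Copy of groups with one ingress rule added: the fix, without mutating."""
    fixed = copy.deepcopy(groups)
    fixed[sg]["IpPermissions"].append(peer(peer_sg, proto, port))
    return fixed

if __name__ == "__main__":
    for finding in audit(SECURITY_GROUPS):
        print("missing allow:", finding)
    fixed = with_ingress(SECURITY_GROUPS, "sg-shared", "sg-db", "udp", 514)
    print("after fix:", audit(fixed))
```

Run as a script, the audit reports the single gap the lab uncovers (crm-database to aws-log-server, UDP 514, missing ingress on the shared group) and an empty list once the ingress rule is added; every other intended flow already has both halves. Against a real account the constructed SECURITY_GROUPS would be replaced with the output of aws ec2 describe-security-groups and INSTANCE_SG with the group memberships from describe-instances, after which the same audit tells you which side of which group to fix before the flow is ever attempted.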


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button. Otherwise, click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the first hop from the physical network perspective happens to be a Cisco Nexus 7000. We are gathering all of the configuration data, routing tables and routing interface information from this device.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop from the physical network perspective is a Palo Alto router. In this view we will see the routing table as well as firewall rules. Note that the firewall rules shown are only the rules applicable between the two objects we searched for. A normal network is likely to carry thousands of firewall rules, but these are the ones affecting the communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details showcase that we can monitor devices from a multitude of vendors, for example while changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as the ones we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse) over the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse) over the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), underlay VLAN IDs, subnet and underlay subnet.

C - We also have visibility into which primary controller it is utilizing, as well as the hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network, the NSX distributed logical router.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based firewall to which inspection is offloaded. The redirect feature steers the traffic selected by NSX firewall rules to the PAN firewall, so both the NSX distributed firewall and the Palo Alto firewall sit in the path between the two VMs.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic flows in the real environment, which is why a path should be analyzed in both directions.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button. Otherwise, click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Center desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider; by default the current time results are displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.
• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).
• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.
• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual representation of the Topology is important. Each object can be queried individually within the same screen.
• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancer device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now click the Chrome Back button once to return to the NSX Manager information screen.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


WarningModerate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.
2. When finished, click the "Return to the lab" link to continue with this lab.

HOL-1829-01-NET

Page 97HOL-1829-01-NET

ConclusionCongratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability of advancedmanagement operations vRealize Network Insight provides an in-depth analysis of thevirtual as well as the physical components associated with NSX (underlay and overlay)

For More Information

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of its workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads too: increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, security analysis and recommendations readily available helps organizations make hosting decisions that meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads, so you can plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lesson:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM contains the CRM application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Define an Application).


1. In vRealize Network Insight, click Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 (DNS and syslog respectively).
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow list reveals only one service: port 53 to aws-DNS-Server. There is effectively no communication to the syslog server (which provides the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot further, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query "firewall action of flows where dst vm = aws-log-server". This will return 5 results, i.e. 4 Allow (for the web and mid tiers) and 1 Deny (for the DB).
2. Click Search.
3. Click the DENY checkbox so we can focus on the deny result.

We can see a DENY that prevents crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it with the new search string "aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server".
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it with the new search string "aws firewall rule where src vm = crm-database and dst vm = aws-log-server".
2. Click Search.
3. This will return only 2 results, both Outbound rules, which explains the firewall behaviour from crm-database to aws-log-server: the outbound (egress) side is configured, but unlike crm-web1 there is no matching inbound rule on the aws-log-server side, so the flow is denied.
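The flow exploration above and the three firewall queries both reduce to one question: does the source's security group allow the egress and the destination's security group allow the ingress? As an added example (not part of the lab and not vRNI's code), the following Python script models the CRM and Common Services groups with constructed rules and addresses, evaluates the lab's flows the way a security-group engine would, and proposes the missing rule. Group ids, CIDRs and IP addresses are assumptions; only the VM names, tiers, ports and the missing DB-to-syslog rule come from the lab text.

```python
"""Toy evaluator for AWS security-group semantics, modelling the lab's CRM tiers.
Security groups are stateful allow-lists with an implicit deny: an initiating flow
passes only if the SOURCE group has a matching egress rule AND the DESTINATION
group has a matching ingress rule; return packets are allowed automatically."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str  # "ingress" or "egress"
    proto: str      # "tcp" or "udp"
    port: int
    peer: str       # CIDR block, or the id of a security group

# Constructed data (assumed for this example, not taken from the lab's AWS
# account): CRM VPC 10.0.0.0/16, Common Services VPC 10.1.0.0/16, invented
# group ids and addresses. The rules mirror the lab narrative: every tier may
# send syslog to the shared group, but the shared group only accepts syslog
# from the web and app groups, so crm-database -> aws-log-server:514 is denied.
GROUPS = {
    "sg-crm-web": [Rule("ingress", "tcp", 80, "10.100.0.0/16"),  # internal users
                   Rule("egress", "tcp", 8080, "sg-crm-app"),
                   Rule("egress", "udp", 53, "sg-shared"), Rule("egress", "udp", 514, "sg-shared")],
    "sg-crm-app": [Rule("ingress", "tcp", 8080, "sg-crm-web"),
                   Rule("egress", "tcp", 3306, "sg-crm-db"),
                   Rule("egress", "udp", 53, "sg-shared"), Rule("egress", "udp", 514, "sg-shared")],
    "sg-crm-db":  [Rule("ingress", "tcp", 3306, "sg-crm-app"),
                   Rule("egress", "udp", 53, "sg-shared"), Rule("egress", "udp", 514, "sg-shared")],
    "sg-shared":  [Rule("ingress", "udp", 53, "10.0.0.0/16"),     # DNS from the whole CRM VPC
                   Rule("ingress", "udp", 514, "sg-crm-web"),
                   Rule("ingress", "udp", 514, "sg-crm-app")],   # no 514 rule for sg-crm-db
}
INSTANCES = {  # name -> (private IP, security group)
    "crm-web1": ("10.0.1.10", "sg-crm-web"), "crm-app1": ("10.0.2.10", "sg-crm-app"),
    "crm-database": ("10.0.3.10", "sg-crm-db"),
    "aws-dns-server": ("10.1.0.53", "sg-shared"), "aws-log-server": ("10.1.0.14", "sg-shared"),
}
# Constructed flow records standing in for what the Plan Security view shows.
OBSERVED_FLOWS = [
    ("crm-web1", "crm-app1", "tcp", 8080), ("crm-app1", "crm-database", "tcp", 3306),
    ("crm-app1", "aws-log-server", "udp", 514), ("crm-database", "aws-dns-server", "udp", 53),
    ("crm-database", "aws-log-server", "udp", 514),
]


def _peer_matches(peer, other_name):
    """A rule's peer is either another group's id or a CIDR containing the other IP."""
    ip, sg = INSTANCES[other_name]
    if peer == sg:
        return True
    try:
        return ip_address(ip) in ip_network(peer, strict=False)
    except ValueError:  # peer is a group id that did not match
        return False


def _has_rule(name, direction, proto, port, other_name):
    return any(r.direction == direction and r.proto == proto and r.port == port
               and _peer_matches(r.peer, other_name) for r in GROUPS[INSTANCES[name][1]])


def evaluate_flow(src, dst, proto, port):
    """Return ("ALLOW"|"DENY", reason) for the initiating flow src -> dst:port."""
    egress_ok = _has_rule(src, "egress", proto, port, dst)
    ingress_ok = _has_rule(dst, "ingress", proto, port, src)
    if egress_ok and ingress_ok:
        return "ALLOW", "egress and ingress rules both match"
    reasons = []
    if not egress_ok:
        reasons.append(f"no egress rule in {INSTANCES[src][1]} for {proto}/{port} to {dst}")
    if not ingress_ok:
        reasons.append(f"no ingress rule in {INSTANCES[dst][1]} for {proto}/{port} from {src}")
    return "DENY", "; ".join(reasons)


def missing_rules_for(src, dst, proto, port):
    """Propose (group id, Rule) additions that would turn the DENY into an ALLOW."""
    src_sg, dst_sg = INSTANCES[src][1], INSTANCES[dst][1]
    fixes = []
    if not _has_rule(src, "egress", proto, port, dst):
        fixes.append((src_sg, Rule("egress", proto, port, dst_sg)))
    if not _has_rule(dst, "ingress", proto, port, src):
        fixes.append((dst_sg, Rule("ingress", proto, port, src_sg)))
    return fixes


def firewall_action_of_flows(flows, dst_name=None):
    """Analogue of the lab search 'firewall action of flows where dst vm = X'."""
    return [(s, d, proto, port, *evaluate_flow(s, d, proto, port))
            for s, d, proto, port in flows if dst_name in (None, d)]


if __name__ == "__main__":
    for row in firewall_action_of_flows(OBSERVED_FLOWS):
        print(*row)
    for s, d, proto, port, action, _ in firewall_action_of_flows(OBSERVED_FLOWS):
        if action == "DENY":
            for sg_id, rule in missing_rules_for(s, d, proto, port):
                print(f"fix: add to {sg_id}: {rule}")
```

Running it lists every flow with its verdict and then the single fix (an ingress rule for udp/514 from sg-crm-db on sg-shared), which is exactly the rule the lab says the administrator forgot. Two caveats a practitioner should keep in mind: AWS security groups never carry explicit deny entries, so a "DENY" shown by a tool such as vRNI means no allow rule matched on one side, not that a deny rule exists; and network ACLs, which are stateless and do support explicit denies, are a separate layer this model ignores.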


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details.

In this scenario the second hop in the physical network perspective is a Palo Alto router. In this view we see the routing table as well as firewall rules. Note that these are only the firewall rules applicable to the path between the two objects we searched for: a normal network will probably have thousands of firewall rules, but these are the ones affecting communication between the two selected VMs.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.


VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop in the physical network perspective is an Arista device. There is information available on routing, gateways, interfaces etc. These details show that devices from multiple vendors can be monitored, which helps when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as those we looked at previously in this module. We are not going to look at their details in this scenario as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, and its Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows traffic matching NSX firewall rules to be redirected to the PAN firewall for inspection, so both rule sets affect this path.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic is forwarded in real life; forward and return paths need not be the same, which is why both directions are worth checking when a stateful firewall sits in the path.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge/VM the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine,
2. which changes the focus to the corresponding interface IP address (vNIC),
3. shows the visual map (Path topology) of all the path objects, and
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network, providing a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com and look up vRealize Network Insight.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight gives full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but CLI and metadata information gathered from NSX in real time.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual representation of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, which can be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle indicating a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now click the Chrome Back button once to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

bull Scroll down to Infrastructure Problems Section

1 Click and select the WarningModerate to view problem areas

WarningModerate Issues

1 Use the blue icon + to expand the detailed view of the Logical networking out ofsync between host and NSX Controller

HOL-1829-01-NET

Page 95HOL-1829-01-NET

WarningModerate Issues (Continued)

When you expand the details you can analyse full detail of warning

In this view vRealize Network Insight is also showing you recommendations on how youwould resolve this issue which makes troubleshooting and root cause analysis veryeasy

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 96HOL-1829-01-NET

Hands-on Labs Interactive SimulationAdvanced NSX Management ampOperationsThis part of the lab is presented as a Hands-on Labs Interactive Simulation This willallow you to experience steps which are too time-consuming or resource intensive to dolive in the lab environment In this simulation you can use the software interface as ifyou are interacting with a live environment

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal.

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises three tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (App tier talks to DB tier on port 3306).
4. DB (DB tier talks to Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
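The three firewall queries above are a manual gap check: the intended flow (DB to syslog on 514) exists in the design but not in the rule set. As an added example, not part of the lab manual or any VMware tooling, the Python below models the CRM flow matrix from the AWS configuration section and evaluates a constructed set of security-group rules the way AWS does (the source group must allow the flow outbound and the destination group must allow it inbound, inbound being deny-by-default), then reports each gap together with the least-privilege rule that closes it. Group names, ports in the rule set and the rules themselves are constructed assumptions for illustration.

```python
"""Gap check: intended CRM flows versus constructed AWS security-group rules.

Added example, not code from the HOL-1829-01-NET manual. Group names and
rules are constructed; the flow matrix follows the lab's description.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security-group entry. port 0 = all ports; peer "any" = 0.0.0.0/0."""
    group: str
    direction: str  # "in" or "out"
    port: int
    peer: str       # referenced peer security group, or "any"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    purpose: str


# Intended CRM communication matrix (from the lab's AWS configuration description).
CRM_TIERS = ("crm-web", "crm-app", "crm-database")
INTENDED_FLOWS = (
    [Flow("jump-box", "crm-web", 80, "internal users reach the web tier"),
     Flow("crm-web", "crm-app", 8080, "web tier to app tier"),
     Flow("crm-app", "crm-database", 3306, "app tier to db tier")]
    + [Flow(t, "aws-dns-server", 53, "dns lookups") for t in CRM_TIERS]
    + [Flow(t, "aws-log-server", 514, "syslog to the backup log server") for t in CRM_TIERS]
    + [Flow("jump-box", t, 22, "ssh from the jump box") for t in CRM_TIERS]
)

# Constructed rule set. AWS security groups allow all outbound by default and deny
# inbound unless a rule exists, so a missing inbound entry is an implicit deny
# (which is what the lab's "firewall action of flows" query surfaces as DENY).
CONSTRUCTED_RULES = (
    [Rule(g, "out", 0, "any") for g in CRM_TIERS + ("jump-box",)]
    + [Rule("crm-web", "in", 80, "jump-box"),
       Rule("crm-app", "in", 8080, "crm-web"),
       Rule("crm-database", "in", 3306, "crm-app")]
    + [Rule(t, "in", 22, "jump-box") for t in CRM_TIERS]
    + [Rule("aws-dns-server", "in", 53, t) for t in CRM_TIERS]
    # The administrator's oversight from the lab: syslog is opened for the web
    # and app tiers but the database tier was never added.
    + [Rule("aws-log-server", "in", 514, "crm-web"),
       Rule("aws-log-server", "in", 514, "crm-app")]
)


def _permits(rule, direction, group, port, peer):
    """True if this rule, on `group` in `direction`, allows `port` from/to `peer`."""
    return (rule.group == group and rule.direction == direction
            and rule.port in (0, port) and rule.peer in ("any", peer))


def evaluate(flow, rules):
    """Return (outbound_ok, inbound_ok); both must hold for the flow to pass."""
    out_ok = any(_permits(r, "out", flow.src, flow.port, flow.dst) for r in rules)
    in_ok = any(_permits(r, "in", flow.dst, flow.port, flow.src) for r in rules)
    return out_ok, in_ok


def find_gaps(flows, rules):
    """Intended flows the rule set does not fully allow, each with the rules that close it."""
    gaps = []
    for f in flows:
        out_ok, in_ok = evaluate(f, rules)
        needed = []
        if not out_ok:
            needed.append(Rule(f.src, "out", f.port, f.dst))
        if not in_ok:
            needed.append(Rule(f.dst, "in", f.port, f.src))
        if needed:
            gaps.append((f, needed))
    return gaps


def remediate(flows, rules):
    """Rule set plus the narrowest rules (one port, one peer group) that close every gap."""
    fixed = list(rules)
    for _, needed in find_gaps(flows, rules):
        fixed.extend(r for r in needed if r not in fixed)
    return fixed


if __name__ == "__main__":
    for flow, needed in find_gaps(INTENDED_FLOWS, CONSTRUCTED_RULES):
        print(f"GAP: {flow.src} -> {flow.dst}:{flow.port} ({flow.purpose})")
        for r in needed:
            print(f"  add {r.direction}bound rule on {r.group}: port {r.port}, peer {r.peer}")
```

Run against the constructed rules, the only gap reported is crm-database to aws-log-server on 514, missing the inbound entry on aws-log-server; the remediation adds that single peer-scoped rule rather than opening 514 to the whole VPC.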


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



VRF - Physical Router

A pop-up box will appear that contains the Physical VRF details

In this scenario the second hop in the physical network perspective is a Palo Alto routerIn this view we will see the routing table as well as firewall rules The vRealize NetworkInsight platform is so powerful that these firewall rules are the applicable firewall rulesbetween the two objects we searched for There is probably going to be thousands offirewall rules in a normal network but these are the firewalls affecting thecommunication between the two selected VMs

HOL-1829-01-NET

Page 66HOL-1829-01-NET

A - Spend some time to review what information is available from the object Please donot click on any of the links

1 When done reviewing click on the (X) in the top right corner of the pop up box

Note The Palo Alto integration showcased is in beta testing

VRF - continued

1 From the map click on the icon marked by a red square to access the nextPhysical VRF in the path

HOL-1829-01-NET

Page 67HOL-1829-01-NET

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details

A - Spend some time to review what information is available from the object Please donot click on any of the links

B - In this scenario the third hop in the physical network perspective is an Arista deviceThere is information available on routing gateways interfaces etc These detailsshowcase that we can monitor devices from a multitude of vendors in case we arechanging from one vendor to another

1 When done reviewing click on the (X) in the top right corner

HOL-1829-01-NET

Page 68HOL-1829-01-NET

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked atpreviously in this module We are not going to look at the details on them in thisscenario as they are similar to the ones previously discussed

A - Hovermove the mouse over the icons marked with red arrow A without clicking onthe icon Notice the descriptive name

B - Hovermove the mouse over the icons marked with red arrow B without clicking onthe icon Notice the descriptive name

1 From the map click on the icon marked by a red square to access the nextVRF in the path

HOL-1829-01-NET

Page 69HOL-1829-01-NET

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details

A - Please spend some time to review what information is available from the objectPlease do not click on any of the links

B - The components we are looking at after the Arista device (described in previoussteps) is an NSX Edge cluster or a host associated with an Edge cluster The componentwe have selected is the NSX Edge VM named Provider-Edge 1 It has an uplink overVLAN 10 from the physical network (as shown in the map)

C - In the details we can see the routing table and routing interface details for thisparticular VRF

1 When done reviewing click on the (X) in the top right corner of the pop-up box

HOL-1829-01-NET

Page 70HOL-1829-01-NET

VXLAN on the map

1 On the map click on the blue line marked by a red square to access theVXLAN details

VXLAN Network

A pop-up box will appear that contains the VXLAN details

HOL-1829-01-NET

Page 71HOL-1829-01-NET

A - Spend some time to review what information is available from the object Please donot click on any of the links

B - We can see the VXLAN number (Segment ID) Underlay VLAN IDs Subnet andUnderlay Subnet

C - We also have visibility into what Primary Controller it is utilizing Hosts and VTEPs

D - Hovermove the mouse cursor over the text [38 more] to see the hosts associatedwith this VXLAN Do not click on the blue text

E - Hovermove the mouse cursor over the text [82 more] to see the VTEPs associatedwith this VXLAN Do not click on the blue text

1 When done reviewing click on the X in the top right corner of the pop-up box

VRF - LDR

1 From the map click on the icon marked by a red square to access the VRFdetails

HOL-1829-01-NET

Page 72HOL-1829-01-NET

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details From here we hit our In-kernelnetwork

A - Spend some time to review what information is available from the object Please donot click on any of the links

B - Notice the distributed router name We are using this device to access our corporatenetwork

C - This device is going to route for us to a different interface The interface is going toroute to the interface on the Prod-DB Network as the next step in the path (this will beillustrated in the next step)

1 When done reviewing click on the (X) in the top right corner of the pop-up box

HOL-1829-01-NET

Page 73HOL-1829-01-NET

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network over to the next physicalhost (as shown with arrows)

The first device it will hit on the virtual network on the physical host is the FirewallPlease notice that there are two firewalls next to the VM One Firewall from Palo Alto andone Firewall from NSX

1 From the map click on the icon marked by a red square to access the NSXFirewall details (the top one of the two)

HOL-1829-01-NET

Page 74HOL-1829-01-NET

Firewall - NSX

A pop-up box will appear that contains the Firewall details

A - Spend some time to review what information is available from the object Please donot click on any of the links

1 When done reviewing click on the (X) in the top right corner of the pop-up box

HOL-1829-01-NET

Page 75HOL-1829-01-NET

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM One Firewall from Palo Alto andone Firewall from NSX We are now going to look into the details of the lower Firewall

1 From the map click on the icon marked by a red square to access the PaloAlto Firewall details (the lower one of the two)

Firewall - PAN

HOL-1829-01-NET

Page 76HOL-1829-01-NET

In this scenario we also have an Palo Alto VM based offloading firewall The redirectfeature allows firewall rules to be transferred between the NSX firewall and the PANFirewall

1 When done reviewing click on the (X) in the top right corner of the pop up box

Reversing the analysis

1 In the section marked by a red square in the picture click on the arrowpointing left

The route on the map will change

HOL-1829-01-NET

Page 77HOL-1829-01-NET

Reversing the analysis continued

A - The analysis will now be done in the opposite direction Please note that the pathnow changes Instead of going through Provider-Edge 3 the traffic is now routedthrough Provider-Edge 2 This is exactly as the traffic will work in the real life

Please continue to the next step to conclude this module

HOL-1829-01-NET

Page 78HOL-1829-01-NET

VM Underlay

Lets now focus on VM Underlay

1 The VMUnderlay section that is on the right side of the VM Path topology showsthe underlay information of the VMs involved and their connectivity to the top ofthe rack switches and the ports involved

2 The VM Underlay path topology is shown here3 The components are labeled under Path Details

HOL-1829-01-NET

Page 79HOL-1829-01-NET

HOL-1829-01-NET

Page 80HOL-1829-01-NET

1 In this section the drop-down list at the top shows the endpoint VMs and theactive VMs at the edges

2 For each edgeVM the neighbouring drop-down list shows the ingress and theegress interface IP addresses

1 From the previous step we selected the Prod-DB-2 Virtual Machine2 Which changes the focus to corresponding Interface IP Address (VNIC)3 Shows the visual map (Path topology) of all the path objects4 Path details shows the labels and list the components

This concludes this module Please continue to the next module

HOL-1829-01-NET

Page 81HOL-1829-01-NET

ConclusionCongratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow ofdata between two objects throughout the network vRealize Network Insight is providingus with a 360 degrees view of the virtual as well as the physical components in thepath With the map function and the details on the map it is very easy to get a quickoverview of the components utilized in network communication

All the components in the map is based on a snapshot of real life data Feel free to clickon other icons shown in the map in this module before continuing to the next module tohave a look at other components

For More Information

For additional information about the functionality showcased in this module visithttpwwwvmwarecomvrealize network insight

This concludes this module Please continue to the next module

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

HOL-1829-01-NET

Page 82HOL-1829-01-NET

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull (30 minutes)

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 83HOL-1829-01-NET

Module 3 - Advanced NSXManagement amp

Operations (45 minutes)

HOL-1829-01-NET

Page 84HOL-1829-01-NET

IntroductionIntroduction

vRealize Network Insight ensures that we have full visibility from an overlay andunderlay perspective and in this module focus on advanced operations of NSX withvRealize Network Insight Its important to note that the vRealize Network Insightprovides a real time view and a historical view The integration is not a simple SNMPquery but advanced CLI and Metadata information gathered in real time for NSX

This Module contains the following lessons

bull Operational guidance for NSX Managerbull Advanced NSX Management amp Operations Interactive Simulation

HOL-1829-01-NET

Page 85HOL-1829-01-NET

NSX Advanced ManagementOperationsLab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

HOL-1829-01-NET

Page 86HOL-1829-01-NET

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen

HOL-1829-01-NET

Page 87HOL-1829-01-NET

1 Type NSX Manager (this will list three NSX Managers2 Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately seethat we have 50 problems associated with this endpoint

1 Click on the NSX Manager address to expose the layout and detailedinformation

HOL-1829-01-NET

Page 88HOL-1829-01-NET

Timeline - Visual Build-up

Explore information only - Do not click

bull A - Starting with the Timeline we can manipulate the results by simply draggingthe slider but by default the current time results will be displayed on entry Theslider and drop down (next to 1 day) makes it easy to filter on demand

bull B - The Properties give a clear understanding of the NSX Managers currentconfiguration (vRealize Network Insight accommodate multiple NSX managers)

bull C - Looking at the NSX Checklist Rules - ALL we can scroll up and down toview each point in the checklist that is used to monitorvalidate against the NSXManager

bull D - Because vRealize Network Insight supports multiple NSX managers andmultiple NSX controllers this is an important visual understanding of theTopology Each object can be queried individually within the same screen

bull E - NSX Problems will be key to understanding the issues for NSX

HOL-1829-01-NET

Page 89HOL-1829-01-NET

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in theconstruct to be queried in real time Topology layout displays all the related NSXservices bound to the NSX Manager including Clusters and hosts The red triangle on allthree NSX controllers indicates possible issues that may impact the NSX environmenteither as a starting point or a result thereof We can now query each object for detailedinformation

1 Click on the NSX controller (Look at each controller until you find thecontroller starting with NSX_Controller_5b6c6c8d-4d71 as they do changeorder)

HOL-1829-01-NET

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyse these workloads too. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organisations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organisations make the right hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, Security Groups, firewall rules and tags. vRNI also analyses AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup used for this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM hosts the CRM application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company access the Web tier of the CRM on port 80, internally via the jump box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 1 (Define an Application).

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualise the three-tier 'CRM' application in AWS within one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 in the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 (DNS) and 514 (syslog).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator runs three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query:

   firewall action of flows where dst vm = aws-log-server

   This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server). Note that AWS security groups contain only allow rules, so the DENY shown here is the implicit deny that applies whenever no rule matches a flow.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string:

   aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string:

   aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results, both Outbound rules, with no Inbound rule on the log server side; this explains the firewall rule behaviour from crm-database to aws-log-server.
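The three searches above find the missing rule by hand. As an added example (not code from this lab or from vRealize Network Insight), the following Python models the same check offline: it encodes the CRM application's intended flows from the AWS Configuration section as a policy and evaluates each one against a constructed set of AWS security-group rules, reporting which side (source egress or destination ingress) has no matching rule. Every instance name, address, group id and rule is an assumption built to mirror the lab narrative, and the rule counts are not meant to reproduce the numbers vRealize Network Insight returns.

```python
"""Audit AWS security-group rules against an intended flow policy.
Added example; not code from the HOL-1829-01-NET guide or from vRealize
Network Insight. Every instance, address, group id and rule here is
constructed to mirror the lab narrative and is hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str  # "ingress" or "egress"
    protocol: str   # "tcp", "udp" or "-1" (all protocols and ports)
    from_port: int
    to_port: int
    peer: str       # CIDR block, or the id of a referenced security group

@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: tuple   # ids of the security groups attached to the instance

def ingress(proto, port, peer):
    return Rule("ingress", proto, port, port, peer)

def egress(proto, port, peer):
    return Rule("egress", proto, port, port, peer)

# Constructed groups (VPC CRM 10.10.0.0/16, VPC Common Services 10.20.0.0/16).
# sg-shared has no syslog ingress from sg-db: the rule the lab says was forgotten.
SECURITY_GROUPS = {
    "sg-jump": [egress("tcp", 22, "10.10.0.0/16"), egress("tcp", 80, "sg-web")],
    "sg-web": [ingress("tcp", 80, "10.0.0.0/8"), ingress("tcp", 22, "sg-jump"),
               egress("tcp", 8080, "sg-app"),
               egress("udp", 53, "sg-shared"), egress("udp", 514, "sg-shared")],
    "sg-app": [ingress("tcp", 8080, "sg-web"), ingress("tcp", 22, "sg-jump"),
               egress("tcp", 3306, "sg-db"),
               egress("udp", 53, "sg-shared"), egress("udp", 514, "sg-shared")],
    "sg-db": [ingress("tcp", 3306, "sg-app"), ingress("tcp", 22, "sg-jump"),
              egress("udp", 53, "sg-shared"), egress("udp", 514, "sg-shared")],
    "sg-shared": [ingress("udp", 53, "10.10.0.0/16"),
                  ingress("udp", 514, "sg-web"), ingress("udp", 514, "sg-app")],
}

INSTANCES = {i.name: i for i in [
    Instance("jump-box", "10.10.0.10", ("sg-jump",)),
    Instance("crm-web1", "10.10.1.10", ("sg-web",)),
    Instance("crm-app1", "10.10.2.10", ("sg-app",)),
    Instance("crm-database", "10.10.3.10", ("sg-db",)),
    Instance("aws-dns-server", "10.20.0.53", ("sg-shared",)),
    Instance("aws-log-server", "10.20.0.54", ("sg-shared",))]}

# Flows the lab's AWS configuration says must exist: (src, dst, proto, port).
TIERS = ("crm-web1", "crm-app1", "crm-database")
INTENDED_FLOWS = (
    [("jump-box", "crm-web1", "tcp", 80), ("crm-web1", "crm-app1", "tcp", 8080),
     ("crm-app1", "crm-database", "tcp", 3306)]
    + [("jump-box", t, "tcp", 22) for t in TIERS]
    + [(t, "aws-dns-server", "udp", 53) for t in TIERS]
    + [(t, "aws-log-server", "udp", 514) for t in TIERS])

def peer_matches(rule, peer):
    """Does the rule's CIDR or group reference cover the peer instance?"""
    if rule.peer.startswith("sg-"):
        return rule.peer in peer.groups
    return ip_address(peer.ip) in ip_network(rule.peer)

def service_matches(rule, proto, port):
    """Does the rule cover this protocol and port? "-1" covers everything."""
    return rule.protocol == "-1" or (
        rule.protocol == proto and rule.from_port <= port <= rule.to_port)

def rules_between(src, dst):
    """Every rule referencing the pair, any port: the equivalent of the lab's
    'aws firewall rule where src vm = ... and dst vm = ...' query."""
    out = [r for g in src.groups for r in SECURITY_GROUPS[g]
           if r.direction == "egress" and peer_matches(r, dst)]
    inb = [r for g in dst.groups for r in SECURITY_GROUPS[g]
           if r.direction == "ingress" and peer_matches(r, src)]
    return out + inb

def evaluate_flow(src, dst, proto, port):
    """Groups are allow-only and stateful: a flow needs an egress match on the
    source AND an ingress match on the destination; anything else is denied."""
    hits = [r for r in rules_between(src, dst) if service_matches(r, proto, port)]
    out = [r for r in hits if r.direction == "egress"]
    inb = [r for r in hits if r.direction == "ingress"]
    return bool(out) and bool(inb), out, inb

def audit_policy(instances, flows):
    """One finding per intended flow the groups deny, naming the missing side."""
    findings = []
    for src, dst, proto, port in flows:
        allowed, out, inb = evaluate_flow(instances[src], instances[dst], proto, port)
        if not allowed:
            missing = ([] if out else ["egress on " + src]) + ([] if inb else ["ingress on " + dst])
            findings.append((src, dst, proto, port, ", ".join(missing)))
    return findings
```

Calling `audit_policy(INSTANCES, INTENDED_FLOWS)` returns exactly one finding, crm-database to aws-log-server on UDP 514 with "ingress on aws-log-server" missing, which is the lab's forgotten rule; every other intended flow passes because the database group does have its own egress rule, so the fault is on the log server side. Against a real account the `SECURITY_GROUPS` and `INSTANCES` tables would be built from the EC2 DescribeSecurityGroups and DescribeInstances API responses rather than typed in, and the same two-sided check applies.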

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Note: The Palo Alto integration showcased is in beta testing.

VRF - continued

1. From the map, click on the icon marked by a red square to access the next Physical VRF in the path.

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop from the physical network perspective is an Arista device. Information is available on routing, gateways, interfaces, etc. These details show that vRealize Network Insight can monitor devices from a multitude of vendors, which matters when changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by the arrows) are the same kinds of objects we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover (move the mouse) over the icon marked with red arrow A without clicking on it. Notice the descriptive name.

B - Hover (move the mouse) over the icon marked with red arrow B without clicking on it. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in the previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is using, plus its Hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we reach our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device routes for us to a different interface. That interface in turn routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it hits on the virtual network of the physical host is the firewall. Notice that there are two firewalls next to the VM: one from Palo Alto and one from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Notice again that there are two firewalls next to the VM, one from Palo Alto and one from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based firewall to which traffic is offloaded. The redirect feature allows traffic matched by NSX firewall rules to be redirected from the NSX firewall to the PAN firewall for inspection.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This matches how the traffic actually flows in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information for the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labelled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. In the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (Path topology) shows all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is easy to get a quick overview of the components used in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore the information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.
• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).
• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.
• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual representation of the Topology is important. Each object can be queried individually within the same screen.
• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct so that it can be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a root cause or as a consequence. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on) the red triangle to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancer device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.

Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activity.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

HOL-1829-01-NET

Page 95HOL-1829-01-NET

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the “Return to the lab” link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the Company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open to the internal datacenter's VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means the connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier ‘CRM’ Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-Server (syslog server).

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
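The scenario above (the intended CRM traffic listed under AWS Configuration and the three firewall queries), worked as an added example that is not part of this lab or of vRealize Network Insight: it models how AWS security groups decide a flow (the source group needs an outbound rule and the destination group an inbound rule, both on the same port) and reports which intended flows the current rules would block, which is the gap the lab's queries expose for crm-database to aws-log-server on 514. The security-group names, the one-group-per-tier mapping, the use of UDP for DNS and syslog, and the rule set itself are constructed assumptions.

```python
"""Constructed model of the lab's CRM-in-AWS scenario (not lab or vRNI code).

A flow between AWS security groups is allowed only when the source group has
an outbound rule to the destination group on that port AND the destination
group has an inbound rule from the source group. The rule set below mirrors
the lab: aws-log-server accepts syslog from the web and app tiers, but the
inbound rule for the database tier was never added.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    peer_sg: str    # the other security group this rule refers to
    port: int
    proto: str = "tcp"


# Assumed: one security group per tier or shared service.
INSTANCE_SG: Dict[str, str] = {
    "jump-box": "sg-crm-jump", "crm-web1": "sg-crm-web",
    "crm-app1": "sg-crm-app", "crm-database": "sg-crm-db",
    "aws-dns-server": "sg-common-dns", "aws-log-server": "sg-common-log",
}

# Constructed rules. Groups are stateful, so only the initiating direction
# of each conversation needs a rule.
SG_RULES: Dict[str, List[Rule]] = {
    "sg-crm-jump": [Rule("outbound", "sg-crm-web", 80),
                    Rule("outbound", "sg-crm-web", 22),
                    Rule("outbound", "sg-crm-app", 22),
                    Rule("outbound", "sg-crm-db", 22)],
    "sg-crm-web": [Rule("inbound", "sg-crm-jump", 80),
                   Rule("inbound", "sg-crm-jump", 22),
                   Rule("outbound", "sg-crm-app", 8080),
                   Rule("outbound", "sg-common-dns", 53, "udp"),
                   Rule("outbound", "sg-common-log", 514, "udp")],
    "sg-crm-app": [Rule("inbound", "sg-crm-web", 8080),
                   Rule("inbound", "sg-crm-jump", 22),
                   Rule("outbound", "sg-crm-db", 3306),
                   Rule("outbound", "sg-common-dns", 53, "udp"),
                   Rule("outbound", "sg-common-log", 514, "udp")],
    "sg-crm-db": [Rule("inbound", "sg-crm-app", 3306),
                  Rule("inbound", "sg-crm-jump", 22),
                  Rule("outbound", "sg-common-dns", 53, "udp"),
                  Rule("outbound", "sg-common-log", 514, "udp")],
    "sg-common-dns": [Rule("inbound", "sg-crm-web", 53, "udp"),
                      Rule("inbound", "sg-crm-app", 53, "udp"),
                      Rule("inbound", "sg-crm-db", 53, "udp")],
    # The administrator's omission: no inbound syslog from sg-crm-db.
    "sg-common-log": [Rule("inbound", "sg-crm-web", 514, "udp"),
                      Rule("inbound", "sg-crm-app", 514, "udp")],
}

# (src vm, dst vm, port, proto): the intended matrix from AWS Configuration.
Flow = Tuple[str, str, int, str]
TIERS = ("crm-web1", "crm-app1", "crm-database")
INTENDED: List[Flow] = [
    ("jump-box", "crm-web1", 80, "tcp"),
    *[("jump-box", vm, 22, "tcp") for vm in TIERS],
    ("crm-web1", "crm-app1", 8080, "tcp"),
    ("crm-app1", "crm-database", 3306, "tcp"),
    *[(vm, "aws-dns-server", 53, "udp") for vm in TIERS],
    *[(vm, "aws-log-server", 514, "udp") for vm in TIERS],
]


def has_rule(rules: List[Rule], direction: str, peer_sg: str,
             port: int, proto: str) -> bool:
    return any(r.direction == direction and r.peer_sg == peer_sg
               and r.port == port and r.proto == proto for r in rules)


def firewall_action(src: str, dst: str, port: int,
                    proto: str) -> Tuple[str, Optional[str]]:
    """Decide one initiated flow: ("ALLOW", None) or ("DENY", missing rule)."""
    src_sg, dst_sg = INSTANCE_SG[src], INSTANCE_SG[dst]
    if not has_rule(SG_RULES.get(src_sg, []), "outbound", dst_sg, port, proto):
        return "DENY", f"{src_sg} has no outbound rule to {dst_sg} on {proto}/{port}"
    if not has_rule(SG_RULES.get(dst_sg, []), "inbound", src_sg, port, proto):
        return "DENY", f"{dst_sg} has no inbound rule from {src_sg} on {proto}/{port}"
    return "ALLOW", None


def find_gaps(intended: List[Flow]) -> List[Tuple[Flow, str]]:
    """Intended flows the current rules would block, each with the missing rule."""
    gaps = []
    for flow in intended:
        action, reason = firewall_action(*flow)
        if action == "DENY":
            gaps.append((flow, reason))
    return gaps


def flows_to(dst: str, intended: List[Flow]) -> List[Tuple[Flow, str]]:
    """Offline equivalent of 'firewall action of flows where dst vm = <dst>'."""
    return [(f, firewall_action(*f)[0]) for f in intended if f[1] == dst]
```

`find_gaps(INTENDED)` returns only the crm-database to aws-log-server udp/514 flow, naming the missing inbound rule on sg-common-log, and `flows_to("aws-log-server", INTENDED)` reproduces the lab's allow/allow/deny pattern for that destination.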


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

VRF - Physical Switch

A pop-up box will appear that contains the Physical VRF details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - In this scenario the third hop, from the physical network perspective, is an Arista device. There is information available on routing, gateways, interfaces, etc. These details showcase that we can monitor devices from a multitude of vendors, in case we are changing from one vendor to another.

1. When done reviewing, click on the (X) in the top right corner.

Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at their details in this scenario, as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.

VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge/VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine,
2. which changes the focus to the corresponding Interface IP Address (VNIC),
3. shows the visual map (Path topology) of all the path objects, and
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query, but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in theconstruct to be queried in real time Topology layout displays all the related NSXservices bound to the NSX Manager including Clusters and hosts The red triangle on allthree NSX controllers indicates possible issues that may impact the NSX environmenteither as a starting point or a result thereof We can now query each object for detailedinformation

1 Click on the NSX controller (Look at each controller until you find thecontroller starting with NSX_Controller_5b6c6c8d-4d71 as they do changeorder)

HOL-1829-01-NET

Page 90HOL-1829-01-NET

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevantconfiguration This screen will help identify the Status Version Upgrade Availability andmany other critical identifiers of the NSX Controller at a quick glance including anyissues

B - The immediate issue on this NSX controller is also pointed out with a red triangleindicating that we have a control plane sync issue Tracking the issue can be furtherinvestigated by expanding (clicking on the red triangle) to view detailed information Wewill not be investigating this problem further in this exercise

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 91HOL-1829-01-NET

Topology - Explained

Note The Topology for the NSX environment will not show any load balancing devicestatus information in this release

1 Click the edge VMs icon to see detailed information about the edge services

HOL-1829-01-NET

Page 92HOL-1829-01-NET

Provider Edge

Rendering a complete view of the provider edge services and the associations we caninvestigate all the edge related activities

1 Click the blue link Provider Edge 4 The problem Icon can be used to furtherobtain information about the Provider-Edge 4 This will highlight a criticalcondition due to a possible network disruption of this edge device as it is nolonger in a serving state

HOL-1829-01-NET

Page 93HOL-1829-01-NET

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button click once to return the the NSX Managerinformation screen step

HOL-1829-01-NET

Page 94HOL-1829-01-NET

Infrastructure Problems - Warning Moderate

bull Scroll down to Infrastructure Problems Section

1 Click and select the WarningModerate to view problem areas

WarningModerate Issues

1 Use the blue icon + to expand the detailed view of the Logical networking out ofsync between host and NSX Controller


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via a jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (App tier talks to DB tier on port 3306).
4. DB (DB tier talks to Log Servers) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
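The check the administrator performs by hand above (the intended communication matrix from the AWS Configuration steps, the flows seen on the Plan Security map, and the three firewall-rule queries) can be expressed as a small audit. This is an added example and is not vRNI's or the lab's own code: it lists expected flows that were never observed and, for each one, evaluates a constructed set of security-group rules the way AWS security groups work (allow-only and stateful, so a flow passes only when the source has an outbound allow and the destination has an inbound allow). The VM names not on the page (crm-app1, jump-box, aws-dns-server), the flow records and the rule set are all constructed assumptions; the one rule deliberately left out is the inbound allow on aws-log-server for crm-database, which is what the lab's deny result points at.

```python
"""Audit an intended communication matrix against observed flows and
security-group rules. Added example, not vRNI or lab code; every VM name,
flow record and rule below is constructed to mirror the lab's CRM and
Common Services VPC setup."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass(frozen=True, order=True)
class SgRule:
    vm: str          # the VM whose security group carries the rule
    direction: str   # "inbound" or "outbound"
    peer: str        # the other VM the rule permits
    port: int


TIERS = ("crm-web1", "crm-app1", "crm-database")

# Intended design, as listed in steps 3-10 of the AWS Configuration page.
EXPECTED = frozenset({
    Flow("jump-box", "crm-web1", 80),
    Flow("crm-web1", "crm-app1", 8080),
    Flow("crm-app1", "crm-database", 3306),
    *(Flow(t, "aws-dns-server", 53) for t in TIERS),
    *(Flow(t, "aws-log-server", 514) for t in TIERS),
})

# Constructed sample of collected flow records (what the Plan Security map
# shows). There is deliberately no crm-database -> aws-log-server :514 flow.
OBSERVED = frozenset({
    Flow("jump-box", "crm-web1", 80),
    Flow("crm-web1", "crm-app1", 8080),
    Flow("crm-app1", "crm-database", 3306),
    *(Flow(t, "aws-dns-server", 53) for t in TIERS),
    Flow("crm-web1", "aws-log-server", 514),
    Flow("crm-app1", "aws-log-server", 514),
})

# Constructed security-group rules. The inbound allow on aws-log-server for
# crm-database is the one the lab's administrator forgot to add.
RULES = frozenset({
    *(SgRule(t, "outbound", "aws-dns-server", 53) for t in TIERS),
    *(SgRule(t, "outbound", "aws-log-server", 514) for t in TIERS),
    *(SgRule("aws-dns-server", "inbound", t, 53) for t in TIERS),
    SgRule("aws-log-server", "inbound", "crm-web1", 514),
    SgRule("aws-log-server", "inbound", "crm-app1", 514),
})


def missing_flows(expected, observed):
    """Expected flows for which no flow record was ever collected."""
    return sorted(expected - observed, key=lambda f: (f.src, f.dst, f.port))


def rules_between(rules, src, dst):
    """Rules relevant to src -> dst: the source's outbound rules naming dst
    and the destination's inbound rules naming src (the same set the lab's
    'aws firewall rule where src vm = X and dst vm = Y' query lists)."""
    return sorted(r for r in rules
                  if (r.vm == src and r.direction == "outbound" and r.peer == dst)
                  or (r.vm == dst and r.direction == "inbound" and r.peer == src))


def firewall_action(rules, flow):
    """ALLOW only if both halves of the stateful security-group check pass;
    otherwise DENY with the missing half named, which is the actionable part."""
    relevant = rules_between(rules, flow.src, flow.dst)
    out_ok = any(r.direction == "outbound" and r.port == flow.port for r in relevant)
    in_ok = any(r.direction == "inbound" and r.port == flow.port for r in relevant)
    if out_ok and in_ok:
        return "ALLOW"
    gaps = []
    if not out_ok:
        gaps.append(f"outbound allow on {flow.src}")
    if not in_ok:
        gaps.append(f"inbound allow on {flow.dst}")
    return "DENY (missing " + ", ".join(gaps) + ")"


def audit(expected, observed, rules):
    """(flow, verdict) for every expected flow that was never observed."""
    return [(f, firewall_action(rules, f)) for f in missing_flows(expected, observed)]


if __name__ == "__main__":
    for flow, verdict in audit(EXPECTED, OBSERVED, RULES):
        print(f"{flow.src} -> {flow.dst}:{flow.port}  {verdict}")
```

Run stand-alone, the audit reports the single gap, crm-database to aws-log-server on 514, together with the half of the rule pair that is missing. The same pattern is useful beyond this lab: keep the intended matrix under version control next to the application definition, and diff observed flows against it after each security-group change so a forgotten allow shows up as a missing expected flow rather than as a silent loss of syslog coverage.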


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Accessing the virtual infrastructure

The next two steps in the path (as shown by arrows) are the same as we looked at previously in this module. We are not going to look at the details on them in this scenario as they are similar to the ones previously discussed.

A - Hover/move the mouse over the icons marked with red arrow A without clicking on the icon. Notice the descriptive name.

B - Hover/move the mouse over the icons marked with red arrow B without clicking on the icon. Notice the descriptive name.

1. From the map, click on the icon marked by a red square to access the next VRF in the path.


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the Physical VRF details.

A - Please spend some time to review what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into which Primary Controller it is utilizing, as well as its Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, on the right side of the VM Path topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

HOL-1829-01-NET

Page 90HOL-1829-01-NET

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevantconfiguration This screen will help identify the Status Version Upgrade Availability andmany other critical identifiers of the NSX Controller at a quick glance including anyissues

B - The immediate issue on this NSX controller is also pointed out with a red triangleindicating that we have a control plane sync issue Tracking the issue can be furtherinvestigated by expanding (clicking on the red triangle) to view detailed information Wewill not be investigating this problem further in this exercise

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 91HOL-1829-01-NET

Topology - Explained

Note The Topology for the NSX environment will not show any load balancing devicestatus information in this release

1 Click the edge VMs icon to see detailed information about the edge services

HOL-1829-01-NET

Page 92HOL-1829-01-NET

Provider Edge

Rendering a complete view of the provider edge services and the associations we caninvestigate all the edge related activities

1 Click the blue link Provider Edge 4 The problem Icon can be used to furtherobtain information about the Provider-Edge 4 This will highlight a criticalcondition due to a possible network disruption of this edge device as it is nolonger in a serving state

HOL-1829-01-NET

Page 93HOL-1829-01-NET

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button click once to return the the NSX Managerinformation screen step

HOL-1829-01-NET

Page 94HOL-1829-01-NET

Infrastructure Problems - Warning Moderate

bull Scroll down to Infrastructure Problems Section

1 Click and select the WarningModerate to view problem areas

WarningModerate Issues

1 Use the blue icon + to expand the detailed view of the Logical networking out ofsync between host and NSX Controller

HOL-1829-01-NET

Page 95HOL-1829-01-NET

WarningModerate Issues (Continued)

When you expand the details you can analyse full detail of warning

In this view vRealize Network Insight is also showing you recommendations on how youwould resolve this issue which makes troubleshooting and root cause analysis veryeasy

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 96HOL-1829-01-NET

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lesson:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 1 (Define an Application).


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by tier.
2. Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (App tier talks to DB tier on port 3306).
4. DB (DB tier talks to Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on port 53 (DNS) and port 514 (syslog).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
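The VPC design listed under AWS Configuration and the three firewall queries above amount to a single check: does every intended flow have the security-group rules it needs, and does it actually show up in the collected flow records? The Python below is an added example, not part of the lab and not code from vRealize Network Insight, that performs that check offline. The VM names and ports come from the lab text; the security-group names, the rule set, the VM-to-group membership and the flow records are constructed assumptions for the example. It models AWS security groups as stateful, so a new connection needs both the source group's egress rule and the destination group's ingress rule, and it reports which half is missing.

```python
# Added example, not from the lab or from VMware: check the CRM VPC design against
# AWS-style security-group rules and observed flow records. VM names and ports come
# from the lab; group names, rules, membership and flow records are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    group: str       # security group that carries the rule
    direction: str   # "ingress" or "egress"
    port: int        # single TCP/UDP port, enough for this model
    peer: str        # security group referenced on the other side


def pair(src_sg, dst_sg, port):
    """Both halves an AWS admin must add for src_sg to open a connection to dst_sg."""
    return {Rule(src_sg, "egress", port, dst_sg), Rule(dst_sg, "ingress", port, src_sg)}


# VM -> security group membership (constructed; the VM names come from the lab).
MEMBERSHIP = {
    "jump-box": "sg-jump", "crm-web1": "sg-web", "crm-app1": "sg-app",
    "crm-database": "sg-db", "aws-dns-server": "sg-shared", "aws-log-server": "sg-shared",
}

# Intended design, taken from the lab's VPC description.
INTENDED = [
    ("jump-box", "crm-web1", 80),
    ("jump-box", "crm-web1", 22), ("jump-box", "crm-app1", 22), ("jump-box", "crm-database", 22),
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
]
INTENDED += [(vm, "aws-dns-server", 53) for vm in ("crm-web1", "crm-app1", "crm-database")]
INTENDED += [(vm, "aws-log-server", 514) for vm in ("crm-web1", "crm-app1", "crm-database")]

# Rules as the (hypothetical) AWS admin left them. Every intended pair is present
# except DB -> log server on 514, where only the ingress half was ever added.
RULES = set()
for src_sg, dst_sg, port in [
    ("sg-jump", "sg-web", 80), ("sg-jump", "sg-web", 22), ("sg-jump", "sg-app", 22),
    ("sg-jump", "sg-db", 22), ("sg-web", "sg-app", 8080), ("sg-app", "sg-db", 3306),
    ("sg-web", "sg-shared", 53), ("sg-app", "sg-shared", 53), ("sg-db", "sg-shared", 53),
    ("sg-web", "sg-shared", 514), ("sg-app", "sg-shared", 514),
]:
    RULES |= pair(src_sg, dst_sg, port)
RULES.add(Rule("sg-shared", "ingress", 514, "sg-db"))  # egress half on sg-db is missing

# Flow records as a collector would report them (constructed): no DB -> syslog flow.
OBSERVED = {f for f in INTENDED if f != ("crm-database", "aws-log-server", 514)}


def missing_rules(src_vm, dst_vm, port, rules=RULES, members=MEMBERSHIP):
    """Security groups are stateful: a new connection needs the source group's
    egress rule AND the destination group's ingress rule. Return whichever is absent."""
    src_sg, dst_sg = members[src_vm], members[dst_vm]
    needed = {"egress": Rule(src_sg, "egress", port, dst_sg),
              "ingress": Rule(dst_sg, "ingress", port, src_sg)}
    return sorted(f"{d} {r.group} -> {r.peer}:{r.port}"
                  for d, r in needed.items() if r not in rules)


def firewall_action(src_vm, dst_vm, port, rules=RULES, members=MEMBERSHIP):
    """Counterpart of the lab's 'firewall action of flows' query: ALLOW or DENY."""
    return "DENY" if missing_rules(src_vm, dst_vm, port, rules, members) else "ALLOW"


def audit(intended=INTENDED, observed=OBSERVED, rules=RULES, members=MEMBERSHIP):
    """Compare design intent with the rule set and with what was actually observed."""
    denied = [f for f in intended if firewall_action(*f, rules, members) == "DENY"]
    unseen = [f for f in intended if f not in denied and f not in observed]
    return {"denied": denied, "allowed_but_unseen": unseen}


if __name__ == "__main__":
    report = audit()
    for src, dst, port in report["denied"]:
        print(f"DENY  {src} -> {dst}:{port}  add: {', '.join(missing_rules(src, dst, port))}")
    for src, dst, port in report["allowed_but_unseen"]:
        print(f"allowed by rules but never observed: {src} -> {dst}:{port}")
```

Running it reports the single DENY, crm-database to aws-log-server on 514, together with the half of the rule pair that is absent (the egress rule on sg-db), which is the rule the lab says the AWS admin forgot to add. Intended flows that the rules allow but that never appear in the flow records are listed separately, since those point at the workload rather than the firewall.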


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226


VRF - NSX Provider Edge 1

A pop-up box will appear that contains the physical VRF details.

A - Please spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - The component we are looking at after the Arista device (described in previous steps) is an NSX Edge cluster, or a host associated with an Edge cluster. The component we have selected is the NSX Edge VM named Provider-Edge 1. It has an uplink over VLAN 10 from the physical network (as shown in the map).

C - In the details we can see the routing table and routing interface details for this particular VRF.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.


A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), the underlay VLAN IDs, the subnet and the underlay subnet.

C - We also have visibility into which primary controller it is utilizing, as well as the hosts and VTEPs.

D - Hover (move the mouse cursor) over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover (move the mouse cursor) over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface routes to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network, over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows traffic matched by NSX firewall rules to be redirected to the PAN firewall for inspection.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section, on the right side of the VM Path topology, shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.
2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. The visual map (path topology) shows all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight page at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective; in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual understanding of the topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note The Topology for the NSX environment will not show any load balancing devicestatus information in this release

1 Click the edge VMs icon to see detailed information about the edge services

HOL-1829-01-NET

Page 92HOL-1829-01-NET

Provider Edge

Rendering a complete view of the provider edge services and the associations we caninvestigate all the edge related activities

1 Click the blue link Provider Edge 4 The problem Icon can be used to furtherobtain information about the Provider-Edge 4 This will highlight a criticalcondition due to a possible network disruption of this edge device as it is nolonger in a serving state

HOL-1829-01-NET

Page 93HOL-1829-01-NET

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button click once to return the the NSX Managerinformation screen step

HOL-1829-01-NET

Page 94HOL-1829-01-NET

Infrastructure Problems - Warning Moderate

bull Scroll down to Infrastructure Problems Section

1 Click and select the WarningModerate to view problem areas

WarningModerate Issues

1 Use the blue icon + to expand the detailed view of the Logical networking out ofsync between host and NSX Controller

HOL-1829-01-NET

Page 95HOL-1829-01-NET

WarningModerate Issues (Continued)

When you expand the details you can analyse full detail of warning

In this view vRealize Network Insight is also showing you recommendations on how youwould resolve this issue which makes troubleshooting and root cause analysis veryeasy

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 96HOL-1829-01-NET

Hands-on Labs Interactive SimulationAdvanced NSX Management ampOperationsThis part of the lab is presented as a Hands-on Labs Interactive Simulation This willallow you to experience steps which are too time-consuming or resource intensive to dolive in the lab environment In this simulation you can use the software interface as ifyou are interacting with a live environment

1 Click here to open the interactive simulation It will open in a new browserwindow or tab

2 When finished click the ldquoReturn to the labrdquo link to continue with this lab

HOL-1829-01-NET

Page 97HOL-1829-01-NET

ConclusionCongratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability of advancedmanagement operations vRealize Network Insight provides an in-depth analysis of thevirtual as well as the physical components associated with NSX (underlay and overlay)

For More Information

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

HOL-1829-01-NET

Page 98HOL-1829-01-NET

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 99HOL-1829-01-NET

Module 4 - ManageSecurity for Public Clouds

(AWS) (30 Minutes)

HOL-1829-01-NET

Page 100HOL-1829-01-NET

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the Company can access the Web Tier of the CRM on port 80 internally via a Jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means the connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. On vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the Database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server: the outbound side is configured, but no matching inbound rule exists on the log server side.
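The three queries above establish by hand that crm-database has outbound rules towards aws-log-server but no inbound rule on the log server side, so the flow falls into the implicit deny. The same reasoning can be written as a policy check over the CRM application's documented flows (the AWS Configuration list and the tier list under Plan Security). The following is an added example, not code from the lab or from vRealize Network Insight; the security group names and rules are constructed, and the evaluation is a simplified model of AWS security groups (allow-only, matched on both the source and destination group).

```python
"""Policy check for the lab's CRM application: does every intended flow have
allowing rules on BOTH ends, as AWS security groups require?

Security groups are allow-only; a flow from A to B is permitted only when A's
group has a matching outbound rule and B's group has a matching inbound rule.
A flow with no match is implicitly denied, which is what vRealize Network
Insight reports as a DENY firewall action.  All group names and rules below
are constructed for this example (hypothetical), not taken from AWS or vRNI.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    group: str       # security group that owns the rule
    direction: str   # "inbound" or "outbound"
    peer: str        # peer security group, or "any"
    proto: str       # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Flow:
    src: str         # source security group
    dst: str         # destination security group
    proto: str
    port: int
    purpose: str     # why the application needs this flow


def rules_for_pair(src: str, dst: str, rules: List[Rule]) -> Dict[str, List[Rule]]:
    """Equivalent of the lab query 'aws firewall rule where src vm = X and
    dst vm = Y': outbound rules on the source group that name the destination
    (or 'any'), and inbound rules on the destination group that name the source."""
    return {
        "outbound": [r for r in rules
                     if r.group == src and r.direction == "outbound" and r.peer in (dst, "any")],
        "inbound": [r for r in rules
                    if r.group == dst and r.direction == "inbound" and r.peer in (src, "any")],
    }


def firewall_action(flow: Flow, rules: List[Rule]) -> str:
    """Both-ends evaluation of one flow. Returns 'ALLOW', or a DENY string
    naming which side lacks a rule for this protocol/port."""
    pair = rules_for_pair(flow.src, flow.dst, rules)
    out_ok = any(r.proto == flow.proto and r.port == flow.port for r in pair["outbound"])
    in_ok = any(r.proto == flow.proto and r.port == flow.port for r in pair["inbound"])
    if out_ok and in_ok:
        return "ALLOW"
    missing = []
    if not out_ok:
        missing.append(f"outbound on {flow.src}")
    if not in_ok:
        missing.append(f"inbound on {flow.dst}")
    return "DENY (missing " + ", ".join(missing) + ")"


def find_gaps(flows: List[Flow], rules: List[Rule]) -> List[Tuple[Flow, str]]:
    """Intended flows that the configured rules do not permit."""
    gaps = []
    for flow in flows:
        action = firewall_action(flow, rules)
        if action != "ALLOW":
            gaps.append((flow, action))
    return gaps


# Constructed rule set modelled on the lab: the admin configured the tier-to-tier
# rules, SSH from the jump-box, and outbound syslog (514/udp and 514/tcp) and DNS
# from every tier, but only granted the log server inbound 514 from Web and App.
RULES: List[Rule] = [
    Rule("sg-crm-web", "outbound", "sg-crm-app", "tcp", 8080),
    Rule("sg-crm-app", "inbound", "sg-crm-web", "tcp", 8080),
    Rule("sg-crm-app", "outbound", "sg-crm-db", "tcp", 3306),
    Rule("sg-crm-db", "inbound", "sg-crm-app", "tcp", 3306),
    Rule("sg-jumpbox", "outbound", "any", "tcp", 22),
]
for tier in ("sg-crm-web", "sg-crm-app", "sg-crm-db"):
    RULES.append(Rule(tier, "inbound", "sg-jumpbox", "tcp", 22))
    RULES.append(Rule(tier, "outbound", "sg-log-server", "udp", 514))
    RULES.append(Rule(tier, "outbound", "sg-log-server", "tcp", 514))
    RULES.append(Rule(tier, "outbound", "sg-dns", "udp", 53))
    RULES.append(Rule("sg-dns", "inbound", tier, "udp", 53))
for tier in ("sg-crm-web", "sg-crm-app"):      # sg-crm-db deliberately absent
    RULES.append(Rule("sg-log-server", "inbound", tier, "udp", 514))

# Constructed intent, taken from the lab's description of the CRM application.
INTENDED_FLOWS: List[Flow] = [
    Flow("sg-crm-web", "sg-crm-app", "tcp", 8080, "Web tier to App tier"),
    Flow("sg-crm-app", "sg-crm-db", "tcp", 3306, "App tier to DB tier"),
    Flow("sg-jumpbox", "sg-crm-db", "tcp", 22, "SSH from the jump-box"),
    Flow("sg-crm-db", "sg-dns", "udp", 53, "DB tier to DNS"),
    Flow("sg-crm-db", "sg-log-server", "udp", 514, "DB tier to syslog (backup)"),
]

if __name__ == "__main__":
    for flow, action in find_gaps(INTENDED_FLOWS, RULES):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port} ({flow.purpose}): {action}")
    pair = rules_for_pair("sg-crm-db", "sg-log-server", RULES)
    print(f"rules crm-db -> log-server: {len(pair['inbound'])} inbound, {len(pair['outbound'])} outbound")
```

Run stand-alone it reports the single gap, DB tier to syslog, as "DENY (missing inbound on sg-log-server)", and the pair counts reproduce the lab's query results (two outbound rules, no inbound rule).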

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

VXLAN on the map

1. On the map, click on the blue line marked by a red square to access the VXLAN details.

VXLAN Network

A pop-up box will appear that contains the VXLAN details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - We can see the VXLAN number (Segment ID), Underlay VLAN IDs, Subnet and Underlay Subnet.

C - We also have visibility into what Primary Controller it is utilizing, Hosts and VTEPs.

D - Hover/move the mouse cursor over the text [38 more] to see the hosts associated with this VXLAN. Do not click on the blue text.

E - Hover/move the mouse cursor over the text [82 more] to see the VTEPs associated with this VXLAN. Do not click on the blue text.

1. When done reviewing, click on the X in the top right corner of the pop-up box.

VRF - LDR

1. From the map, click on the icon marked by a red square to access the VRF details.

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. The interface is going to route to the interface on the Prod-DB Network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time to review what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one Firewall from Palo Alto and one Firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will work in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section that is on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top of the rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. This shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real life data. Feel free to click on other icons shown in the map in this module before continuing to the next module to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com/ (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides a real time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle indicating that we have a control plane sync issue. Tracking the issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue icon + to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view, vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

HOL-1829-01-NET

Page 96HOL-1829-01-NET

Hands-on Labs Interactive SimulationAdvanced NSX Management ampOperationsThis part of the lab is presented as a Hands-on Labs Interactive Simulation This willallow you to experience steps which are too time-consuming or resource intensive to dolive in the lab environment In this simulation you can use the software interface as ifyou are interacting with a live environment

1 Click here to open the interactive simulation It will open in a new browserwindow or tab

2 When finished click the ldquoReturn to the labrdquo link to continue with this lab

HOL-1829-01-NET

Page 97HOL-1829-01-NET

ConclusionCongratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability of advancedmanagement operations vRealize Network Insight provides an in-depth analysis of thevirtual as well as the physical components associated with NSX (underlay and overlay)

For More Information

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

HOL-1829-01-NET

Page 98HOL-1829-01-NET

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 99HOL-1829-01-NET

Module 4 - ManageSecurity for Public Clouds

(AWS) (30 Minutes)

HOL-1829-01-NET

Page 100HOL-1829-01-NET

IntroductionEnterprise IT needs visibility into the network and security status of their workloadswhether hosted on premises or within AWS While many AWS workloads are sandboxesfor application development teams (DevOps) it is important to analyze these workloadsIncreasingly public cloud workloads are also fulfilling mission critical production needsfor many organizations Enterprise IT must be ready to determine the best locationsecurity posture and bandwidth allocation when deploying workloads Having trafficpattern details as well as security analysis and recommendations readily availablehelps organizations make the ideal hosting decisions to meet their business needs

vRealize Network Insight (vRNI) Supports Amazon Web Services (AWS) PublicCloud The vRNI traffic monitoring features provide visibility into native AWS constructssuch as Virtual Private Clouds VMs Security Groups firewall rules and tags vRNI alsoanalyzes AWS traffic flows to provide security and micro-segmentation views of cloudworkloads This means youll be able to plan micro-segmentation and understand trafficpatterns using data collected from your AWS instances

This Module contains the following lessons

bull Introduction to Managing Security for Public Clouds (AWS)

HOL-1829-01-NET

Page 101HOL-1829-01-NET

Introduction to Managing Security forPublic Clouds (AWS)Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

HOL-1829-01-NET

Page 102HOL-1829-01-NET

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

AWS Configuration

Lets review the AWS VPC setup for the purpose of this lab

1 We have an on premise instance of vRealize Network Insight managing AWS2 There are two VPCs ie CRM and Common Services

HOL-1829-01-NET

Page 103HOL-1829-01-NET

3 VPC CRM consists of CRM Application which comprises of 3 tiers ie Web APP andDB

4 Internal users of Company can access Web Tier of the CRM on 80 internally viaJump-box

5 Web tier talks to App tier on port 80806 App tier talks to DB tier on port 33067 Web tier is open for internal datacenters VM on 80 port8 From Jump-box in VPC CRM all virtual machines have ssh access on port 229 All tiers of VPCCRM talks to DNS server on 53 and LogServer on 514 on VPC

Common Services10 This means connection to DB to Log Server (used for backup services) must exist

as configured by the Administrator but this in fact is the problem area where ourfocus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on Port 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
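To make the semantics behind these three query results and the AWS Configuration policy above concrete, here is an added Python example (not vRNI or VMware code) that models the lab's intended CRM flows against a constructed set of AWS security-group rules and finds the missing DB-to-syslog rule the same way the queries did. The instance names follow the lab's VM names; the security-group names and every rule are assumptions constructed for the example.

```python
"""Audit the lab's intended CRM traffic policy against AWS security-group
rules, reproducing the DB -> syslog gap that vRNI's firewall queries found.
Added, stand-alone example (not vRealize Network Insight code); instances,
groups and rules are constructed. AWS security-group semantics apply: a flow
is allowed only if the source group has a matching outbound rule AND the
destination group a matching inbound rule (stateful; replies need no rule).
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp" or "udp"
    port: int
    peer: str       # name of the peer security group

# Instance -> security group (constructed; one group per tier or service).
INSTANCE_SG = {
    "crm-web1": "sg-web", "crm-web2": "sg-web",
    "crm-app1": "sg-app", "crm-app2": "sg-app", "crm-database": "sg-db",
    "aws-log-server": "sg-log", "aws-dns-server": "sg-dns",
}

# Every CRM tier needs DNS (53) and syslog (514, UDP and TCP) in VPC Common Services.
COMMON_OUT = {
    Rule("outbound", "udp", 53, "sg-dns"),
    Rule("outbound", "udp", 514, "sg-log"),
    Rule("outbound", "tcp", 514, "sg-log"),
}

SG_RULES = {
    "sg-web": COMMON_OUT | {Rule("outbound", "tcp", 8080, "sg-app")},
    "sg-app": COMMON_OUT | {Rule("inbound", "tcp", 8080, "sg-web"),
                            Rule("outbound", "tcp", 3306, "sg-db")},
    "sg-db": COMMON_OUT | {Rule("inbound", "tcp", 3306, "sg-app")},
    # The administrator's mistake from the lab: sg-log accepts syslog from
    # the web and app tiers but has no inbound rule from sg-db.
    "sg-log": {Rule("inbound", "udp", 514, "sg-web"),
               Rule("inbound", "udp", 514, "sg-app")},
    "sg-dns": {Rule("inbound", "udp", 53, sg) for sg in ("sg-web", "sg-app", "sg-db")},
}

def _permits(rules, direction, proto, port, peer_sg):
    return any(r.direction == direction and r.proto == proto
               and r.port == port and r.peer == peer_sg for r in rules)

def flow_action(src, dst, proto, port):
    """Evaluate src -> dst on proto/port; returns ("ALLOW" | "DENY", reason)."""
    src_sg, dst_sg = INSTANCE_SG[src], INSTANCE_SG[dst]
    out_ok = _permits(SG_RULES[src_sg], "outbound", proto, port, dst_sg)
    in_ok = _permits(SG_RULES[dst_sg], "inbound", proto, port, src_sg)
    if out_ok and in_ok:
        return "ALLOW", f"{src_sg} outbound and {dst_sg} inbound both match"
    missing = []
    if not out_ok:
        missing.append(f"{src_sg} has no outbound {proto}/{port} rule to {dst_sg}")
    if not in_ok:
        missing.append(f"{dst_sg} has no inbound {proto}/{port} rule from {src_sg}")
    return "DENY", "; ".join(missing)

def rules_between(src, dst):
    """Rules touching the pair, like the lab's
    'aws firewall rule where src vm = X and dst vm = Y' query."""
    src_sg, dst_sg = INSTANCE_SG[src], INSTANCE_SG[dst]
    return {"outbound": [r for r in SG_RULES[src_sg]
                         if r.direction == "outbound" and r.peer == dst_sg],
            "inbound": [r for r in SG_RULES[dst_sg]
                        if r.direction == "inbound" and r.peer == src_sg]}

# Intended policy from AWS Configuration steps 5, 6 and 9 (the jump-box and
# internal-user flows on ports 22 and 80 are not modelled here).
CRM_TIERS = ["crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database"]
INTENDED_FLOWS = (
    [(w, a, "tcp", 8080) for w in ("crm-web1", "crm-web2")
     for a in ("crm-app1", "crm-app2")]
    + [(a, "crm-database", "tcp", 3306) for a in ("crm-app1", "crm-app2")]
    + [(t, "aws-dns-server", "udp", 53) for t in CRM_TIERS]
    + [(t, "aws-log-server", "udp", 514) for t in CRM_TIERS]
)

def flow_actions_to(dst):
    """Like 'firewall action of flows where dst vm = <dst>': one
    (source, action) pair per intended flow that ends at dst."""
    return [(src, flow_action(src, dst, proto, port)[0])
            for src, d, proto, port in INTENDED_FLOWS if d == dst]

def audit():
    """Intended flows the rule set does not permit, each with its reason."""
    gaps = []
    for src, dst, proto, port in INTENDED_FLOWS:
        action, reason = flow_action(src, dst, proto, port)
        if action == "DENY":
            gaps.append((src, dst, proto, port, reason))
    return gaps

if __name__ == "__main__":
    for src, action in flow_actions_to("aws-log-server"):
        print(f"{src:>14} -> aws-log-server: {action}")
    for src, dst, proto, port, reason in audit():
        print(f"GAP {src} -> {dst} {proto}/{port}: {reason}")
```

With these constructed rules the audit reports exactly one gap, the DB tier's syslog flow, and `rules_between` returns 1 inbound + 2 outbound rules for crm-web1 but only 2 outbound rules for crm-database, matching the counts the lab's queries show.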


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

A - Spend some time to review what information is available from the object Please donot click on any of the links

B - We can see the VXLAN number (Segment ID) Underlay VLAN IDs Subnet andUnderlay Subnet

C - We also have visibility into what Primary Controller it is utilizing Hosts and VTEPs

D - Hovermove the mouse cursor over the text [38 more] to see the hosts associatedwith this VXLAN Do not click on the blue text

E - Hovermove the mouse cursor over the text [82 more] to see the VTEPs associatedwith this VXLAN Do not click on the blue text

1 When done reviewing click on the X in the top right corner of the pop-up box

VRF - LDR

1 From the map click on the icon marked by a red square to access the VRFdetails

HOL-1829-01-NET

Page 72HOL-1829-01-NET

VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details From here we hit our In-kernelnetwork

A - Spend some time to review what information is available from the object Please donot click on any of the links

B - Notice the distributed router name We are using this device to access our corporatenetwork

C - This device is going to route for us to a different interface The interface is going toroute to the interface on the Prod-DB Network as the next step in the path (this will beillustrated in the next step)

1 When done reviewing click on the (X) in the top right corner of the pop-up box

HOL-1829-01-NET

Page 73HOL-1829-01-NET

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network over to the next physicalhost (as shown with arrows)

The first device it will hit on the virtual network on the physical host is the FirewallPlease notice that there are two firewalls next to the VM One Firewall from Palo Alto andone Firewall from NSX

1 From the map click on the icon marked by a red square to access the NSXFirewall details (the top one of the two)

HOL-1829-01-NET

Page 74HOL-1829-01-NET

Firewall - NSX

A pop-up box will appear that contains the Firewall details

A - Spend some time to review what information is available from the object Please donot click on any of the links

1 When done reviewing click on the (X) in the top right corner of the pop-up box

HOL-1829-01-NET

Page 75HOL-1829-01-NET

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM One Firewall from Palo Alto andone Firewall from NSX We are now going to look into the details of the lower Firewall

1 From the map click on the icon marked by a red square to access the PaloAlto Firewall details (the lower one of the two)

Firewall - PAN

HOL-1829-01-NET

Page 76HOL-1829-01-NET

In this scenario we also have an Palo Alto VM based offloading firewall The redirectfeature allows firewall rules to be transferred between the NSX firewall and the PANFirewall

1 When done reviewing click on the (X) in the top right corner of the pop up box

Reversing the analysis

1 In the section marked by a red square in the picture click on the arrowpointing left

The route on the map will change

HOL-1829-01-NET

Page 77HOL-1829-01-NET

Reversing the analysis continued

A - The analysis will now be done in the opposite direction Please note that the pathnow changes Instead of going through Provider-Edge 3 the traffic is now routedthrough Provider-Edge 2 This is exactly as the traffic will work in the real life

Please continue to the next step to conclude this module

HOL-1829-01-NET

Page 78HOL-1829-01-NET

VM Underlay

Lets now focus on VM Underlay

1 The VMUnderlay section that is on the right side of the VM Path topology showsthe underlay information of the VMs involved and their connectivity to the top ofthe rack switches and the ports involved

2 The VM Underlay path topology is shown here3 The components are labeled under Path Details

HOL-1829-01-NET

Page 79HOL-1829-01-NET

HOL-1829-01-NET

Page 80HOL-1829-01-NET

1 In this section the drop-down list at the top shows the endpoint VMs and theactive VMs at the edges

2 For each edgeVM the neighbouring drop-down list shows the ingress and theegress interface IP addresses

1 From the previous step we selected the Prod-DB-2 Virtual Machine2 Which changes the focus to corresponding Interface IP Address (VNIC)3 Shows the visual map (Path topology) of all the path objects4 Path details shows the labels and list the components

This concludes this module Please continue to the next module

HOL-1829-01-NET

Page 81HOL-1829-01-NET

ConclusionCongratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow ofdata between two objects throughout the network vRealize Network Insight is providingus with a 360 degrees view of the virtual as well as the physical components in thepath With the map function and the details on the map it is very easy to get a quickoverview of the components utilized in network communication

All the components in the map is based on a snapshot of real life data Feel free to clickon other icons shown in the map in this module before continuing to the next module tohave a look at other components

For More Information

For additional information about the functionality showcased in this module visithttpwwwvmwarecomvrealize network insight

This concludes this module Please continue to the next module

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

HOL-1829-01-NET

Page 82HOL-1829-01-NET

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull (30 minutes)

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 83HOL-1829-01-NET

Module 3 - Advanced NSXManagement amp

Operations (45 minutes)

HOL-1829-01-NET

Page 84HOL-1829-01-NET

IntroductionIntroduction

vRealize Network Insight ensures that we have full visibility from an overlay andunderlay perspective and in this module focus on advanced operations of NSX withvRealize Network Insight Its important to note that the vRealize Network Insightprovides a real time view and a historical view The integration is not a simple SNMPquery but advanced CLI and Metadata information gathered in real time for NSX

This Module contains the following lessons

bull Operational guidance for NSX Managerbull Advanced NSX Management amp Operations Interactive Simulation

HOL-1829-01-NET

Page 85HOL-1829-01-NET

NSX Advanced ManagementOperationsLab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

HOL-1829-01-NET

Page 86HOL-1829-01-NET

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen

HOL-1829-01-NET

Page 87HOL-1829-01-NET

1 Type NSX Manager (this will list three NSX Managers2 Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately seethat we have 50 problems associated with this endpoint

1 Click on the NSX Manager address to expose the layout and detailedinformation

HOL-1829-01-NET

Page 88HOL-1829-01-NET

Timeline - Visual Build-up

Explore information only - Do not click

bull A - Starting with the Timeline we can manipulate the results by simply draggingthe slider but by default the current time results will be displayed on entry Theslider and drop down (next to 1 day) makes it easy to filter on demand

bull B - The Properties give a clear understanding of the NSX Managers currentconfiguration (vRealize Network Insight accommodate multiple NSX managers)

bull C - Looking at the NSX Checklist Rules - ALL we can scroll up and down toview each point in the checklist that is used to monitorvalidate against the NSXManager

bull D - Because vRealize Network Insight supports multiple NSX managers andmultiple NSX controllers this is an important visual understanding of theTopology Each object can be queried individually within the same screen

bull E - NSX Problems will be key to understanding the issues for NSX

HOL-1829-01-NET

Page 89HOL-1829-01-NET

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in theconstruct to be queried in real time Topology layout displays all the related NSXservices bound to the NSX Manager including Clusters and hosts The red triangle on allthree NSX controllers indicates possible issues that may impact the NSX environmenteither as a starting point or a result thereof We can now query each object for detailedinformation

1 Click on the NSX controller (Look at each controller until you find thecontroller starting with NSX_Controller_5b6c6c8d-4d71 as they do changeorder)

HOL-1829-01-NET

Page 90HOL-1829-01-NET

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevantconfiguration This screen will help identify the Status Version Upgrade Availability andmany other critical identifiers of the NSX Controller at a quick glance including anyissues

B - The immediate issue on this NSX controller is also pointed out with a red triangleindicating that we have a control plane sync issue Tracking the issue can be furtherinvestigated by expanding (clicking on the red triangle) to view detailed information Wewill not be investigating this problem further in this exercise

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 91HOL-1829-01-NET

Topology - Explained

Note The Topology for the NSX environment will not show any load balancing devicestatus information in this release

1 Click the edge VMs icon to see detailed information about the edge services

HOL-1829-01-NET

Page 92HOL-1829-01-NET

Provider Edge

Rendering a complete view of the provider edge services and the associations we caninvestigate all the edge related activities

1 Click the blue link Provider Edge 4 The problem Icon can be used to furtherobtain information about the Provider-Edge 4 This will highlight a criticalcondition due to a possible network disruption of this edge device as it is nolonger in a serving state

HOL-1829-01-NET

Page 93HOL-1829-01-NET

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button click once to return the the NSX Managerinformation screen step

HOL-1829-01-NET

Page 94HOL-1829-01-NET

Infrastructure Problems - Warning Moderate

bull Scroll down to Infrastructure Problems Section

1 Click and select the WarningModerate to view problem areas

WarningModerate Issues

1 Use the blue icon + to expand the detailed view of the Logical networking out ofsync between host and NSX Controller

HOL-1829-01-NET

Page 95HOL-1829-01-NET

WarningModerate Issues (Continued)

When you expand the details you can analyse full detail of warning

In this view vRealize Network Insight is also showing you recommendations on how youwould resolve this issue which makes troubleshooting and root cause analysis veryeasy

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 96HOL-1829-01-NET

Hands-on Labs Interactive SimulationAdvanced NSX Management ampOperationsThis part of the lab is presented as a Hands-on Labs Interactive Simulation This willallow you to experience steps which are too time-consuming or resource intensive to dolive in the lab environment In this simulation you can use the software interface as ifyou are interacting with a live environment

1 Click here to open the interactive simulation It will open in a new browserwindow or tab

2 When finished click the ldquoReturn to the labrdquo link to continue with this lab

HOL-1829-01-NET

Page 97HOL-1829-01-NET

ConclusionCongratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability of advancedmanagement operations vRealize Network Insight provides an in-depth analysis of thevirtual as well as the physical components associated with NSX (underlay and overlay)

For More Information

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

HOL-1829-01-NET

Page 98HOL-1829-01-NET

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 99HOL-1829-01-NET

Module 4 - ManageSecurity for Public Clouds

(AWS) (30 Minutes)

HOL-1829-01-NET

Page 100HOL-1829-01-NET

IntroductionEnterprise IT needs visibility into the network and security status of their workloadswhether hosted on premises or within AWS While many AWS workloads are sandboxesfor application development teams (DevOps) it is important to analyze these workloadsIncreasingly public cloud workloads are also fulfilling mission critical production needsfor many organizations Enterprise IT must be ready to determine the best locationsecurity posture and bandwidth allocation when deploying workloads Having trafficpattern details as well as security analysis and recommendations readily availablehelps organizations make the ideal hosting decisions to meet their business needs

vRealize Network Insight (vRNI) Supports Amazon Web Services (AWS) PublicCloud The vRNI traffic monitoring features provide visibility into native AWS constructssuch as Virtual Private Clouds VMs Security Groups firewall rules and tags vRNI alsoanalyzes AWS traffic flows to provide security and micro-segmentation views of cloudworkloads This means youll be able to plan micro-segmentation and understand trafficpatterns using data collected from your AWS instances

This Module contains the following lessons

bull Introduction to Managing Security for Public Clouds (AWS)

HOL-1829-01-NET

Page 101HOL-1829-01-NET

Introduction to Managing Security forPublic Clouds (AWS)Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

HOL-1829-01-NET

Page 102HOL-1829-01-NET

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

AWS Configuration

Lets review the AWS VPC setup for the purpose of this lab

1 We have an on premise instance of vRealize Network Insight managing AWS2 There are two VPCs ie CRM and Common Services

HOL-1829-01-NET

Page 103HOL-1829-01-NET

3 VPC CRM consists of CRM Application which comprises of 3 tiers ie Web APP andDB

4 Internal users of Company can access Web Tier of the CRM on 80 internally viaJump-box

5 Web tier talks to App tier on port 80806 App tier talks to DB tier on port 33067 Web tier is open for internal datacenters VM on 80 port8 From Jump-box in VPC CRM all virtual machines have ssh access on port 229 All tiers of VPCCRM talks to DNS server on 53 and LogServer on 514 on VPC

Common Services10 This means connection to DB to Log Server (used for backup services) must exist

as configured by the Administrator but this in fact is the problem area where ourfocus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs TheCRM Application in AWS VPC has already been created for you

Application creation steps have been discussed in Module 3

HOL-1829-01-NET

Page 104HOL-1829-01-NET

1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


VRF - LDR-Corporate

A pop-up box will appear that contains the VRF details. From here we hit our in-kernel network.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

B - Notice the distributed router name. We are using this device to access our corporate network.

C - This device is going to route for us to a different interface. That interface is going to route to the interface on the Prod-DB network as the next step in the path (this will be illustrated in the next step).

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).


Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic will flow in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.
3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (VNIC).
3. Shows the visual map (path topology) of all the path objects.
4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.

5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter's VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.
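The design listed above, and the missing DB-to-syslog rule that the firewall queries later in this module uncover, expressed as a checkable flow matrix. This is an added example, not the lab's or vRealize Network Insight's own code: constructed AWS-style security groups are evaluated against the intended flows, and the instance names crm-midtier and dc-virtual and the choice of UDP for DNS and syslog are assumptions.

```python
# Added example: checks the lab's intended CRM flows against constructed
# AWS-style security groups. Not part of the HOL manual or of vRealize
# Network Insight; the instance names crm-midtier / dc-virtual and the use
# of UDP for DNS and syslog are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp" or "udp"
    port: int
    peer: str       # name of the peer security group


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    purpose: str


TIERS = ("crm-web1", "crm-midtier", "crm-database")

# Intended flows, transcribed from the lab's AWS Configuration list
# (the jump-box is DC Virtual; DNS and log server sit in Common Services).
DESIGN: List[Flow] = [
    Flow("dc-virtual", "crm-web1", "tcp", 80, "internal users reach the Web tier"),
    Flow("crm-web1", "crm-midtier", "tcp", 8080, "Web tier to App tier"),
    Flow("crm-midtier", "crm-database", "tcp", 3306, "App tier to DB tier"),
    *[Flow("dc-virtual", t, "tcp", 22, "ssh from the jump-box") for t in TIERS],
    *[Flow(t, "aws-dns-server", "udp", 53, "DNS") for t in TIERS],
    *[Flow(t, "aws-log-server", "udp", 514, "syslog (backup service)") for t in TIERS],
]

# Constructed security groups. AWS groups are allow-only, so anything not
# listed is implicitly denied; crm-database lacks the outbound 514 rule,
# which is the gap the lab's firewall queries uncover.
SECURITY_GROUPS: Dict[str, Set[Rule]] = {
    "dc-virtual": {Rule("outbound", "tcp", 80, "crm-web1")}
    | {Rule("outbound", "tcp", 22, t) for t in TIERS},
    "crm-web1": {
        Rule("inbound", "tcp", 80, "dc-virtual"),
        Rule("inbound", "tcp", 22, "dc-virtual"),
        Rule("outbound", "tcp", 8080, "crm-midtier"),
        Rule("outbound", "udp", 53, "aws-dns-server"),
        Rule("outbound", "udp", 514, "aws-log-server"),
    },
    "crm-midtier": {
        Rule("inbound", "tcp", 8080, "crm-web1"),
        Rule("inbound", "tcp", 22, "dc-virtual"),
        Rule("outbound", "tcp", 3306, "crm-database"),
        Rule("outbound", "udp", 53, "aws-dns-server"),
        Rule("outbound", "udp", 514, "aws-log-server"),
    },
    "crm-database": {
        Rule("inbound", "tcp", 3306, "crm-midtier"),
        Rule("inbound", "tcp", 22, "dc-virtual"),
        Rule("outbound", "udp", 53, "aws-dns-server"),
    },
    "aws-dns-server": {Rule("inbound", "udp", 53, t) for t in TIERS},
    "aws-log-server": {Rule("inbound", "udp", 514, t) for t in TIERS},
}


def evaluate(flow: Flow, sgs: Dict[str, Set[Rule]]) -> Tuple[str, List[str]]:
    """Return ("ALLOW", []) or ("DENY", [missing rules]) for one intended flow."""
    # Security groups are stateful: the flow needs an outbound rule on the
    # source group AND an inbound rule on the destination group.
    missing: List[str] = []
    if Rule("outbound", flow.proto, flow.port, flow.dst) not in sgs.get(flow.src, set()):
        missing.append(f"{flow.src} outbound {flow.proto}/{flow.port} to {flow.dst}")
    if Rule("inbound", flow.proto, flow.port, flow.src) not in sgs.get(flow.dst, set()):
        missing.append(f"{flow.dst} inbound {flow.proto}/{flow.port} from {flow.src}")
    return ("ALLOW" if not missing else "DENY", missing)


def audit(design: List[Flow], sgs: Dict[str, Set[Rule]]) -> List[Tuple[Flow, List[str]]]:
    """Every intended flow the groups do not permit, with the rules that are missing."""
    gaps = []
    for flow in design:
        action, missing = evaluate(flow, sgs)
        if action == "DENY":
            gaps.append((flow, missing))
    return gaps


def firewall_action_for_destination(dst: str, design: List[Flow],
                                    sgs: Dict[str, Set[Rule]]) -> Dict[str, str]:
    """Same view as the lab's search: firewall action of flows where dst vm = <dst>."""
    return {f.src: evaluate(f, sgs)[0] for f in design if f.dst == dst}
```

Running audit(DESIGN, SECURITY_GROUPS) reports only the crm-database to aws-log-server flow on port 514, with the missing outbound rule named, which is the same finding the lab reaches through the vRNI firewall queries.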

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • Services/Ports
              • Services/Ports - Time line view
              • Services/Ports - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLAN/VXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management & Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • Warning/Moderate Issues
                                      • Warning/Moderate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Routing - NSX Firewall

The traffic is routed through the VRF onto the Prod-DB network and over to the next physical host (as shown with arrows).

The first device it will hit on the virtual network on the physical host is the Firewall. Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX.

1. From the map, click on the icon marked by a red square to access the NSX Firewall details (the top one of the two).

HOL-1829-01-NET

Page 74 HOL-1829-01-NET

Firewall - NSX

A pop-up box will appear that contains the Firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.


Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM: one firewall from Palo Alto and one firewall from NSX. We are now going to look into the details of the lower Firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto Firewall details (the lower one of the two).

Firewall - PAN


In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN Firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.


Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic works in real life.

Please continue to the next step to conclude this module.


VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.


1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 Virtual Machine.

2. This changes the focus to the corresponding Interface IP Address (VNIC).

3. Shows the visual map (Path topology) of all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit http://www.vmware.com/ (vRealize Network Insight).

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now click the Chrome Back button once to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web Tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
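The design-versus-observed comparison that the AWS Configuration steps and the three firewall queries above walk through by hand, as an added Python example that is not part of the lab guide or the product: it encodes the intended CRM tier flows, compares them with constructed flow and firewall-rule records shaped like the search results, and reports the DB to syslog gap together with the missing inbound rule that explains it. The VM names crm-app1 and jump-box, and the exact contents of the constructed rules, are assumptions; the tiers, ports, crm-web1, crm-database and aws-log-server come from the lab.

```python
"""Constructed example, not the lab's or vRNI's code: check the CRM design
against flow and firewall-rule records shaped like the vRNI search results."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Tier of each VM; tier names match the micro-segmentation view in the lab.
TIER_OF: Dict[str, str] = {
    "crm-web1": "Web",
    "crm-app1": "App",            # assumed name for the App tier VM
    "crm-database": "DB",
    "jump-box": "Jump",           # assumed name for the jump box (DC Virtual)
    "aws-dns-server": "Shared",
    "aws-log-server": "Shared",
}

# Designed flows as (source tier, destination VM, port), from steps 5 to 10:
# Web->App 8080, App->DB 3306, jump box->all 22, every tier->DNS 53 and syslog 514.
DESIGNED_FLOWS: Set[Tuple[str, str, int]] = {
    ("Web", "crm-app1", 8080), ("App", "crm-database", 3306),
    ("Jump", "crm-web1", 22), ("Jump", "crm-app1", 22), ("Jump", "crm-database", 22),
}
for _tier in ("Web", "App", "DB"):
    DESIGNED_FLOWS.add((_tier, "aws-dns-server", 53))
    DESIGNED_FLOWS.add((_tier, "aws-log-server", 514))

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    port: int
    firewall_action: str      # "ALLOW" or "DENY", as in "firewall action of flows"

@dataclass(frozen=True)
class FirewallRule:
    vm: str                   # VM whose AWS security group holds the rule
    direction: str            # "INBOUND" or "OUTBOUND"
    peer_vm: str              # the other end, or "any"
    port: int                 # 0 means any port

# Constructed flow records; the last one is the gap the lab uncovers.
OBSERVED_FLOWS: List[Flow] = [
    Flow("crm-web1", "crm-app1", 8080, "ALLOW"),
    Flow("crm-app1", "crm-database", 3306, "ALLOW"),
    Flow("jump-box", "crm-web1", 22, "ALLOW"),
    Flow("jump-box", "crm-app1", 22, "ALLOW"),
    Flow("jump-box", "crm-database", 22, "ALLOW"),
    Flow("crm-web1", "aws-dns-server", 53, "ALLOW"),
    Flow("crm-app1", "aws-dns-server", 53, "ALLOW"),
    Flow("crm-database", "aws-dns-server", 53, "ALLOW"),
    Flow("crm-web1", "aws-log-server", 514, "ALLOW"),
    Flow("crm-app1", "aws-log-server", 514, "ALLOW"),
    Flow("crm-database", "aws-log-server", 514, "DENY"),
]

# Constructed rule set reproducing the counts the lab reports: crm-web1 has an
# inbound rule on the log server plus two outbound rules (3 results), while
# crm-database has only its two outbound rules and no inbound rule (2 results).
FIREWALL_RULES: List[FirewallRule] = [
    FirewallRule("crm-web1", "OUTBOUND", "any", 0),
    FirewallRule("crm-web1", "OUTBOUND", "aws-log-server", 514),
    FirewallRule("aws-log-server", "INBOUND", "crm-web1", 514),
    FirewallRule("crm-database", "OUTBOUND", "any", 0),
    FirewallRule("crm-database", "OUTBOUND", "aws-log-server", 514),
]

def find_gaps(designed, observed, tier_of):
    """Designed flows with no ALLOWed observation. 'DENY' means a denied attempt
    is visible (a firewall problem); 'NO_FLOW' means the source never tried
    (look at the workload, not the firewall)."""
    allowed, denied = set(), set()
    for f in observed:
        key = (tier_of[f.src_vm], f.dst_vm, f.port)
        (allowed if f.firewall_action == "ALLOW" else denied).add(key)
    return {k: ("DENY" if k in denied else "NO_FLOW")
            for k in designed if k not in allowed}

def rules_between(rules, src, dst):
    """Rules the query 'aws firewall rule where src vm = src and dst vm = dst'
    would list: rules on either VM's group that name the other VM or 'any'."""
    return [r for r in rules
            if (r.vm == src and r.peer_vm in (dst, "any"))
            or (r.vm == dst and r.peer_vm in (src, "any"))]

def path_permitted(rules, src, dst, port):
    """AWS security groups are evaluated at both ends: the source needs an
    outbound rule and the destination an inbound rule covering the port."""
    def covers(r, peer):
        return r.peer_vm in (peer, "any") and r.port in (port, 0)
    out_ok = any(r.vm == src and r.direction == "OUTBOUND" and covers(r, dst) for r in rules)
    in_ok = any(r.vm == dst and r.direction == "INBOUND" and covers(r, src) for r in rules)
    return {"outbound": out_ok, "inbound": in_ok, "permitted": out_ok and in_ok}

if __name__ == "__main__":
    print(find_gaps(DESIGNED_FLOWS, OBSERVED_FLOWS, TIER_OF))
    for src in ("crm-web1", "crm-database"):
        print(src, len(rules_between(FIREWALL_RULES, src, "aws-log-server")),
              path_permitted(FIREWALL_RULES, src, "aws-log-server", 514))
```

Running it reports the single designed flow that is missing, DB to aws-log-server on 514, as a DENY, and shows that crm-database lacks the inbound rule on the log server's security group that crm-web1 has.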


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                   • Module 3 - Advanced NSX Management & Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                       • Warning/Moderate Issues
                                       • Warning/Moderate Issues (Continued)
                                         • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Firewall - NSX

A pop-up box will appear that contains the firewall details.

A - Spend some time reviewing what information is available from the object. Please do not click on any of the links.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

HOL-1829-01-NET

Page 75

Redirect on the map - PAN Firewall

Notice that there are two firewalls next to the VM: one firewall from Palo Alto Networks and one firewall from NSX. We are now going to look into the details of the lower firewall.

1. From the map, click on the icon marked by a red square to access the Palo Alto firewall details (the lower one of the two).

Firewall - PAN

In this scenario we also have a Palo Alto Networks VM-based firewall to which inspection is offloaded. The redirect feature allows NSX firewall rules to redirect selected traffic from the NSX distributed firewall to the PAN firewall for inspection, so the NSX rule decides which flows the partner firewall sees.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis is now done in the opposite direction. Note that the path changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic behaves in real life, and it is why a path should be checked in both directions when a stateful firewall sits in it: the return traffic may cross different devices, and different firewall rules, than the request.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on the VM Underlay.

1. The VM Underlay section, on the right side of the VM Path topology, shows the underlay information for the VMs involved: their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.

2. This changes the focus to the corresponding interface IP address (vNIC).

3. The visual map (Path topology) shows all the path objects.

4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown that vRealize Network Insight can trace the flow of data between two objects throughout the network. vRealize Network Insight provides a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is easy to get a quick overview of the components used in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight gives full visibility from both an overlay and an underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query: vRealize Network Insight gathers CLI and metadata information from NSX in real time.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider; by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid to understanding the environment. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, and each can be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The topology for the NSX environment will not show any load balancer status information in this release.

1. Click the Edge VMs icon to see detailed information about the Edge services.

Provider Edge

Rendering a complete view of the Provider Edge services and their associations, we can investigate all the Edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this Edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capabilities for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs (EC2 instances), Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM contains the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Define an Application).

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS, in one VPC. We shall explore the three-tier system logic in the following steps.

1. Note that the micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 in the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 (DNS and syslog respectively).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server). Note that AWS security groups contain allow rules only and deny everything else by default, so the DENY shown here is the implicit deny for traffic that no security group rule permits; the fix is a missing allow rule, not a stray deny rule.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results, both outbound rules, which further explains the firewall rule behaviour from crm-database to aws-log-server: compared with the crm-web1 query, the inbound rule on the aws-log-server side is the one that is missing.
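The three queries above are the same check a reviewer performs on an exported security group configuration, so they are worth seeing as code. The following Python script is an added example, not part of this lab and not vRNI or AWS code: it models the CRM security groups as allow-only rule sets, reproduces the "firewall action of flows where dst vm = ..." and "aws firewall rule where src vm = ... and dst vm = ..." queries, and derives the rule the administrator forgot. All instance names (crm-web1, crm-web2, crm-app1, crm-app2, crm-database, crm-jumpbox, aws-dns-server, aws-log-server), security group names (sg-crm-web and so on) and rules are constructed to match the lab's description of the application; real rules would reference security group IDs or CIDRs. The group sg-common-log deliberately lacks an inbound rule from the DB group.

```python
# Added example, not part of the VMware lab: a model of the CRM security groups that
# reproduces the vRNI firewall queries above as code. Every instance name, security
# group name and rule below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp" or "udp"
    port_from: int
    port_to: int
    peer_sg: str     # referenced security group (real rules may also use CIDRs)

    def matches(self, protocol: str, port: int, peer_sg: str) -> bool:
        return (self.protocol == protocol and self.peer_sg == peer_sg
                and self.port_from <= port <= self.port_to)


def _rule(direction: str, protocol: str, port: int, peer_sg: str) -> Rule:
    return Rule(direction, protocol, port, port, peer_sg)   # single-port shorthand


# Instance -> security group (constructed; names follow the lab's tiers).
INSTANCE_SG: Dict[str, str] = {
    "crm-jumpbox": "sg-crm-jump", "crm-database": "sg-crm-db",
    "crm-web1": "sg-crm-web", "crm-web2": "sg-crm-web",
    "crm-app1": "sg-crm-app", "crm-app2": "sg-crm-app",
    "aws-dns-server": "sg-common-dns", "aws-log-server": "sg-common-log",
}

# Security groups hold allow rules only; anything unmatched is implicitly denied.
# sg-common-log has no inbound rule for sg-crm-db: the misconfiguration the lab finds.
SG_RULES: Dict[str, List[Rule]] = {
    "sg-crm-jump": [_rule("outbound", "tcp", 80, "sg-crm-web")]
                   + [_rule("outbound", "tcp", 22, sg) for sg in ("sg-crm-web", "sg-crm-app", "sg-crm-db")],
    "sg-crm-web": [_rule("inbound", "tcp", 80, "sg-crm-jump"), _rule("inbound", "tcp", 22, "sg-crm-jump"),
                   _rule("outbound", "tcp", 8080, "sg-crm-app"), _rule("outbound", "udp", 53, "sg-common-dns"),
                   _rule("outbound", "udp", 514, "sg-common-log"), _rule("outbound", "tcp", 514, "sg-common-log")],
    "sg-crm-app": [_rule("inbound", "tcp", 8080, "sg-crm-web"), _rule("inbound", "tcp", 22, "sg-crm-jump"),
                   _rule("outbound", "tcp", 3306, "sg-crm-db"), _rule("outbound", "udp", 53, "sg-common-dns"),
                   _rule("outbound", "udp", 514, "sg-common-log"), _rule("outbound", "tcp", 514, "sg-common-log")],
    "sg-crm-db": [_rule("inbound", "tcp", 3306, "sg-crm-app"), _rule("inbound", "tcp", 22, "sg-crm-jump"),
                  _rule("outbound", "udp", 53, "sg-common-dns"),
                  _rule("outbound", "udp", 514, "sg-common-log"), _rule("outbound", "tcp", 514, "sg-common-log")],
    "sg-common-dns": [_rule("inbound", "udp", 53, sg) for sg in ("sg-crm-web", "sg-crm-app", "sg-crm-db")],
    "sg-common-log": [_rule("inbound", "udp", 514, "sg-crm-web"), _rule("inbound", "udp", 514, "sg-crm-app")],
}

Flow = Tuple[str, str, str, int]   # (source instance, destination instance, protocol, port)


def firewall_rules_between(src: str, dst: str) -> Dict[str, List[Rule]]:
    """'aws firewall rule where src vm = src and dst vm = dst': outbound rules on the
    source's group naming the destination's group, plus inbound rules on the
    destination's group naming the source's group (no port filter, like the query)."""
    src_sg, dst_sg = INSTANCE_SG[src], INSTANCE_SG[dst]
    return {
        "outbound": [r for r in SG_RULES[src_sg] if r.direction == "outbound" and r.peer_sg == dst_sg],
        "inbound": [r for r in SG_RULES[dst_sg] if r.direction == "inbound" and r.peer_sg == src_sg],
    }


def missing_rules(flow: Flow) -> List[Tuple[str, Rule]]:
    """Allow rules (group, rule) the flow needs but that are absent. Security groups are
    stateful, so only the initiating direction is checked: outbound on the source group
    and inbound on the destination group; the reply needs no rule of its own."""
    src, dst, proto, port = flow
    src_sg, dst_sg = INSTANCE_SG[src], INSTANCE_SG[dst]
    missing = []
    if not any(r.direction == "outbound" and r.matches(proto, port, dst_sg) for r in SG_RULES[src_sg]):
        missing.append((src_sg, _rule("outbound", proto, port, dst_sg)))
    if not any(r.direction == "inbound" and r.matches(proto, port, src_sg) for r in SG_RULES[dst_sg]):
        missing.append((dst_sg, _rule("inbound", proto, port, src_sg)))
    return missing


def flow_action(flow: Flow) -> Tuple[str, str]:
    """("ALLOW" | "DENY", reason). The DENY is the implicit deny vRNI reports for the flow."""
    missing = missing_rules(flow)
    if not missing:
        return "ALLOW", "outbound and inbound rules match"
    return "DENY", "; ".join(f"no {r.direction} {r.protocol}/{r.port_from} rule on {sg} for {r.peer_sg}"
                             for sg, r in missing)


def firewall_action_of_flows(flows: List[Flow], dst_vm: str) -> List[Tuple[Flow, str]]:
    """'firewall action of flows where dst vm = dst_vm'."""
    return [(f, flow_action(f)[0]) for f in flows if f[1] == dst_vm]


# Observed flows towards the log server (constructed, standing in for the flow records
# vRNI collects): syslog from both web nodes, both app nodes and the database.
OBSERVED_FLOWS: List[Flow] = [
    ("crm-web1", "aws-log-server", "udp", 514), ("crm-web2", "aws-log-server", "udp", 514),
    ("crm-app1", "aws-log-server", "udp", 514), ("crm-app2", "aws-log-server", "udp", 514),
    ("crm-database", "aws-log-server", "udp", 514),
]

if __name__ == "__main__":
    for flow, action in firewall_action_of_flows(OBSERVED_FLOWS, "aws-log-server"):
        print(f"{flow[0]:>13} -> {flow[1]} {flow[2]}/{flow[3]}: {action} ({flow_action(flow)[1]})")
    for sg, rule in missing_rules(("crm-database", "aws-log-server", "udp", 514)):
        print(f"add to {sg}: {rule}")
```

Running the script prints the five syslog flows to aws-log-server with their action (four ALLOW, one DENY for crm-database together with the reason) and the single inbound rule that sg-common-log needs. The rule counts come out as in the lab: crm-web1 to aws-log-server matches two outbound rules and one inbound rule, crm-database to aws-log-server matches two outbound rules and none inbound. Because security groups are stateful, the model evaluates only the initiating direction; a reviewer checking NACLs instead would have to evaluate both directions and honour explicit deny entries, which security groups do not have.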


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Redirect on the map - PAN Firewall

Please notice that there are two firewalls next to the VM One Firewall from Palo Alto andone Firewall from NSX We are now going to look into the details of the lower Firewall

1 From the map click on the icon marked by a red square to access the PaloAlto Firewall details (the lower one of the two)

Firewall - PAN

In this scenario we also have a Palo Alto VM-based offloading firewall. The redirect feature allows firewall rules to be transferred between the NSX firewall and the PAN firewall.

1. When done reviewing, click on the (X) in the top right corner of the pop-up box.

Reversing the analysis

1. In the section marked by a red square in the picture, click on the arrow pointing left.

The route on the map will change.

Reversing the analysis continued

A - The analysis will now be done in the opposite direction. Please note that the path now changes: instead of going through Provider-Edge 3, the traffic is now routed through Provider-Edge 2. This is exactly how the traffic flows in real life.

Please continue to the next step to conclude this module.

VM Underlay

Let's now focus on VM Underlay.

1. The VM Underlay section on the right side of the VM Path topology shows the underlay information of the VMs involved and their connectivity to the top-of-rack switches and the ports involved.

2. The VM Underlay path topology is shown here.

3. The components are labeled under Path Details.

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.

2. This changes the focus to the corresponding interface IP address (VNIC).

3. Shows the visual map (Path topology) of all the path objects.

4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight page at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and the relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for the internal datacenter's VM on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. Right click in the Chrome web browser.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).

1. Right click in the Chrome web browser.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. Right click in the Chrome web browser.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
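The posture described in the AWS Configuration list and the three firewall queries above can be checked offline as well. The following Python is an added example, not code from the lab manual or from vRNI: it models the shared-services policy (every CRM tier reaches DNS on port 53 and the Log Server on port 514) as AWS-style stateful security groups, reproduces the lab's "firewall action of flows" and "aws firewall rule" queries over constructed flow records, and reports the missing crm-database to aws-log-server allow rule. All instance names, addresses, subnets and rules below are constructed assumptions.

```python
"""Added example (not from the HOL manual or vRNI): model the CRM security
posture from Module 4 as AWS-style security groups and reproduce the three
firewall queries offline. All names, addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    port: int        # destination port (protocol not distinguished here)
    cidr: str        # remote address range the rule covers


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    sg: str          # security group attached to the instance


# Constructed addressing: VPC CRM is 10.0.0.0/16 (web 10.0.1.0/24, app 10.0.2.0/24,
# db 10.0.3.0/24); VPC Common Services is 10.1.0.0/16.
INSTANCES: Dict[str, Instance] = {i.name: i for i in [
    Instance("crm-web1", "10.0.1.11", "sg-crm-web"),
    Instance("crm-web2", "10.0.1.12", "sg-crm-web"),
    Instance("crm-app1", "10.0.2.11", "sg-crm-app"),
    Instance("crm-app2", "10.0.2.12", "sg-crm-app"),
    Instance("crm-database", "10.0.3.11", "sg-crm-db"),
    Instance("aws-dns-server", "10.1.0.53", "sg-shared-dns"),
    Instance("aws-log-server", "10.1.0.14", "sg-shared-log"),
]}

# AWS security groups hold allow rules only; anything unmatched is implicitly denied.
SECURITY_GROUPS: Dict[str, List[Rule]] = {
    "sg-crm-web": [Rule("outbound", 53, "10.1.0.0/16"), Rule("outbound", 514, "10.1.0.0/16")],
    "sg-crm-app": [Rule("outbound", 53, "10.1.0.0/16"), Rule("outbound", 514, "10.1.0.0/16")],
    "sg-crm-db": [Rule("outbound", 53, "10.1.0.0/16"), Rule("outbound", 514, "10.1.0.0/16")],
    "sg-shared-dns": [Rule("inbound", 53, "10.0.0.0/16")],
    # Syslog was allowed from the web and app subnets only; the db subnet was
    # never added. This is the gap the lab's queries uncover.
    "sg-shared-log": [Rule("inbound", 514, "10.0.1.0/24"), Rule("inbound", 514, "10.0.2.0/24")],
}

# Constructed flow records (src vm, dst vm, dst port) as collected from VPC flow logs.
FLOWS: List[Tuple[str, str, int]] = [
    ("crm-web1", "aws-log-server", 514), ("crm-web2", "aws-log-server", 514),
    ("crm-app1", "aws-log-server", 514), ("crm-app2", "aws-log-server", 514),
    ("crm-database", "aws-log-server", 514),
    ("crm-database", "aws-dns-server", 53),
]


def _covers(rule: Rule, direction: str, remote_ip: str, port: Optional[int] = None) -> bool:
    """True if the rule is for this direction, covers remote_ip and (if given) the port."""
    return (rule.direction == direction
            and (port is None or rule.port == port)
            and ip_address(remote_ip) in ip_network(rule.cidr))


def rules_between(src: str, dst: str) -> List[Rule]:
    """The lab's 'aws firewall rule where src vm = <src> and dst vm = <dst>' query:
    the source group's outbound rules covering dst plus the destination group's
    inbound rules covering src."""
    s, d = INSTANCES[src], INSTANCES[dst]
    out_rules = [r for r in SECURITY_GROUPS[s.sg] if _covers(r, "outbound", d.ip)]
    in_rules = [r for r in SECURITY_GROUPS[d.sg] if _covers(r, "inbound", s.ip)]
    return out_rules + in_rules


def firewall_action(src: str, dst: str, port: int) -> str:
    """Security groups are stateful: a flow needs an outbound allow on the source
    AND an inbound allow on the destination for that port, otherwise it is denied."""
    s, d = INSTANCES[src], INSTANCES[dst]
    out_ok = any(_covers(r, "outbound", d.ip, port) for r in SECURITY_GROUPS[s.sg])
    in_ok = any(_covers(r, "inbound", s.ip, port) for r in SECURITY_GROUPS[d.sg])
    return "ALLOW" if out_ok and in_ok else "DENY"


def firewall_action_of_flows(dst: str) -> Dict[str, List[Tuple[str, int]]]:
    """The lab's 'firewall action of flows where dst vm = <dst>' query."""
    result: Dict[str, List[Tuple[str, int]]] = {"ALLOW": [], "DENY": []}
    for src, flow_dst, port in FLOWS:
        if flow_dst == dst:
            result[firewall_action(src, flow_dst, port)].append((src, port))
    return result


def unmet_shared_service_policy() -> List[Tuple[str, str, int]]:
    """Design rule from the AWS Configuration list: every CRM tier must reach the
    DNS server on 53 and the Log Server on 514. Returns the (src, dst, port)
    combinations the security groups currently deny."""
    required = [("aws-dns-server", 53), ("aws-log-server", 514)]
    crm_vms = [n for n, i in INSTANCES.items()
               if ip_address(i.ip) in ip_network("10.0.0.0/16")]
    return [(s, d, p) for s in crm_vms for d, p in required
            if firewall_action(s, d, p) == "DENY"]
```

Running unmet_shared_service_policy() before deploying a rule change is the proactive counterpart of the reactive flow query: it flags the crm-database to aws-log-server gap without waiting for a denied syslog flow to appear.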

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

In this scenario we also have an Palo Alto VM based offloading firewall The redirectfeature allows firewall rules to be transferred between the NSX firewall and the PANFirewall

1 When done reviewing click on the (X) in the top right corner of the pop up box

Reversing the analysis

1 In the section marked by a red square in the picture click on the arrowpointing left

The route on the map will change

HOL-1829-01-NET

Page 77HOL-1829-01-NET

Reversing the analysis continued

A - The analysis will now be done in the opposite direction Please note that the pathnow changes Instead of going through Provider-Edge 3 the traffic is now routedthrough Provider-Edge 2 This is exactly as the traffic will work in the real life

Please continue to the next step to conclude this module

HOL-1829-01-NET

Page 78HOL-1829-01-NET

VM Underlay

Lets now focus on VM Underlay

1 The VMUnderlay section that is on the right side of the VM Path topology showsthe underlay information of the VMs involved and their connectivity to the top ofthe rack switches and the ports involved

2 The VM Underlay path topology is shown here3 The components are labeled under Path Details

HOL-1829-01-NET

Page 79HOL-1829-01-NET

HOL-1829-01-NET

Page 80HOL-1829-01-NET

1 In this section the drop-down list at the top shows the endpoint VMs and theactive VMs at the edges

2 For each edgeVM the neighbouring drop-down list shows the ingress and theegress interface IP addresses

1 From the previous step we selected the Prod-DB-2 Virtual Machine2 Which changes the focus to corresponding Interface IP Address (VNIC)3 Shows the visual map (Path topology) of all the path objects4 Path details shows the labels and list the components

This concludes this module Please continue to the next module

HOL-1829-01-NET

Page 81HOL-1829-01-NET

ConclusionCongratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow ofdata between two objects throughout the network vRealize Network Insight is providingus with a 360 degrees view of the virtual as well as the physical components in thepath With the map function and the details on the map it is very easy to get a quickoverview of the components utilized in network communication

All the components in the map is based on a snapshot of real life data Feel free to clickon other icons shown in the map in this module before continuing to the next module tohave a look at other components

For More Information

For additional information about the functionality showcased in this module visithttpwwwvmwarecomvrealize network insight

This concludes this module Please continue to the next module

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

HOL-1829-01-NET

Page 82HOL-1829-01-NET

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull (30 minutes)

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 83HOL-1829-01-NET

Module 3 - Advanced NSXManagement amp

Operations (45 minutes)

HOL-1829-01-NET

Page 84HOL-1829-01-NET

IntroductionIntroduction

vRealize Network Insight ensures that we have full visibility from an overlay andunderlay perspective and in this module focus on advanced operations of NSX withvRealize Network Insight Its important to note that the vRealize Network Insightprovides a real time view and a historical view The integration is not a simple SNMPquery but advanced CLI and Metadata information gathered in real time for NSX

This Module contains the following lessons

bull Operational guidance for NSX Managerbull Advanced NSX Management amp Operations Interactive Simulation

HOL-1829-01-NET

Page 85HOL-1829-01-NET

NSX Advanced ManagementOperationsLab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

HOL-1829-01-NET

Page 86HOL-1829-01-NET

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen

HOL-1829-01-NET

Page 87HOL-1829-01-NET

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist, as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
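The intended flows listed under AWS Configuration, the flows the Keep Focus views reveal, and the three firewall queries above are one investigation: compare what should exist against what is observed, then ask the rule set why the gap exists. As an added example (not part of the lab manual and not VMware's or vRNI's code), the Python below models that investigation for the CRM application. VM names other than crm-web1, crm-database and aws-log-server are assumed, and the observed flows and security-group rules are constructed sample data chosen to match what the lab describes: every intended flow is present except DB to syslog, and the log server's security group was never given an inbound entry for the DB tier.

```python
# Added example, not from the HOL manual: intent-vs-observed flow check for the
# lab's three-tier CRM application, plus a security-group evaluation that
# explains the gap the way the lab's "firewall action of flows" query does.
from dataclasses import dataclass

# Tier membership. crm-web1, crm-database and aws-log-server are named in the
# lab; crm-web2, crm-app1, crm-app2, jump-box and aws-dns-server are assumed.
WEB = ["crm-web1", "crm-web2"]
APP = ["crm-app1", "crm-app2"]
DB = ["crm-database"]
SYSLOG, DNS, JUMP = "aws-log-server", "aws-dns-server", "jump-box"


def intended_flows():
    """Flows the AWS Configuration section says must exist, as (src, dst, dport)."""
    flows = set()
    for web in WEB:
        flows.add((JUMP, web, 80))                      # users reach Web on 80 via the jump-box
        flows.update((web, app, 8080) for app in APP)   # Web -> App on 8080
    for app in APP:
        flows.update((app, db, 3306) for db in DB)      # App -> DB on 3306
    for vm in WEB + APP + DB:
        flows.add((JUMP, vm, 22))       # jump-box has SSH to every VM
        flows.add((vm, DNS, 53))        # every tier -> DNS in VPC Common Services
        flows.add((vm, SYSLOG, 514))    # every tier -> syslog in VPC Common Services
    return flows


# Constructed sample of what the Keep Focus views show: everything intended is
# observed except the DB tier's syslog flow, exactly as the lab describes.
OBSERVED_FLOWS = intended_flows() - {("crm-database", SYSLOG, 514)}


def missing_flows(intended, observed):
    """Intended flows with no matching observed flow: the first thing to chase."""
    return intended - observed


@dataclass(frozen=True)
class SgRule:
    vm: str          # VM whose security group holds the rule
    direction: str   # "inbound" or "outbound"
    peer: str        # the other VM (real security groups reference CIDRs or group IDs)
    port: int


# Constructed security groups. The admin allowed syslog inbound from the Web and
# App tiers but, as the lab finds, forgot the DB tier.
SG_RULES = (
    [SgRule(SYSLOG, "inbound", vm, 514) for vm in WEB + APP]
    + [SgRule(DNS, "inbound", vm, 53) for vm in WEB + APP + DB]
    + [SgRule(vm, "outbound", SYSLOG, 514) for vm in WEB + APP + DB]
    + [SgRule(vm, "outbound", DNS, 53) for vm in WEB + APP + DB]
)


def firewall_action(rules, src, dst, port):
    """Security groups are allow-lists with an implicit deny: a flow passes only
    if the source permits it outbound AND the destination permits it inbound.
    Groups are stateful, so the reply direction needs no rule of its own.
    Returns ("ALLOW", None) or ("DENY", <the rule that would have to be added>)."""
    out_ok = any(r == SgRule(src, "outbound", dst, port) for r in rules)
    in_ok = any(r == SgRule(dst, "inbound", src, port) for r in rules)
    if out_ok and in_ok:
        return "ALLOW", None
    fix = SgRule(dst, "inbound", src, port) if not in_ok else SgRule(src, "outbound", dst, port)
    return "DENY", fix


def flow_actions_to(dst, flows, rules):
    """Equivalent of the lab query 'firewall action of flows where dst vm = <dst>'."""
    return {f: firewall_action(rules, *f)[0] for f in flows if f[1] == dst}


if __name__ == "__main__":
    for flow in sorted(missing_flows(intended_flows(), OBSERVED_FLOWS)):
        action, fix = firewall_action(SG_RULES, *flow)
        print(f"missing flow {flow}: firewall says {action}; rule to add: {fix}")
    tally = flow_actions_to(SYSLOG, intended_flows(), SG_RULES)
    print(sorted(tally.values()))   # four ALLOW, one DENY, as in the lab's query
```

Running the script prints the single missing flow (crm-database to aws-log-server on 514), the DENY verdict, and the inbound rule on aws-log-server that would close the gap; the tally over every intended flow to aws-log-server gives the same 4 Allow / 1 Deny split the lab's query returns. The design point is that a flow which is intended but unobserved is the starting signal, and the rule evaluation only explains it; checking rules alone would not have told you a backup service was silently not logging.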


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Reversing the analysis continued

A - The analysis will now be done in the opposite direction Please note that the pathnow changes Instead of going through Provider-Edge 3 the traffic is now routedthrough Provider-Edge 2 This is exactly as the traffic will work in the real life

Please continue to the next step to conclude this module

HOL-1829-01-NET

Page 78HOL-1829-01-NET

VM Underlay

Lets now focus on VM Underlay

1 The VMUnderlay section that is on the right side of the VM Path topology showsthe underlay information of the VMs involved and their connectivity to the top ofthe rack switches and the ports involved

2 The VM Underlay path topology is shown here3 The components are labeled under Path Details

HOL-1829-01-NET

Page 79HOL-1829-01-NET

HOL-1829-01-NET

Page 80HOL-1829-01-NET

1 In this section the drop-down list at the top shows the endpoint VMs and theactive VMs at the edges

2 For each edgeVM the neighbouring drop-down list shows the ingress and theegress interface IP addresses

1 From the previous step we selected the Prod-DB-2 Virtual Machine2 Which changes the focus to corresponding Interface IP Address (VNIC)3 Shows the visual map (Path topology) of all the path objects4 Path details shows the labels and list the components

This concludes this module Please continue to the next module

HOL-1829-01-NET

Page 81HOL-1829-01-NET

ConclusionCongratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow ofdata between two objects throughout the network vRealize Network Insight is providingus with a 360 degrees view of the virtual as well as the physical components in thepath With the map function and the details on the map it is very easy to get a quickoverview of the components utilized in network communication

All the components in the map is based on a snapshot of real life data Feel free to clickon other icons shown in the map in this module before continuing to the next module tohave a look at other components

For More Information

For additional information about the functionality showcased in this module visithttpwwwvmwarecomvrealize network insight

This concludes this module Please continue to the next module

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

HOL-1829-01-NET

Page 82HOL-1829-01-NET

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull (30 minutes)

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 83HOL-1829-01-NET

Module 3 - Advanced NSXManagement amp

Operations (45 minutes)

HOL-1829-01-NET

Page 84HOL-1829-01-NET

IntroductionIntroduction

vRealize Network Insight ensures that we have full visibility from an overlay andunderlay perspective and in this module focus on advanced operations of NSX withvRealize Network Insight Its important to note that the vRealize Network Insightprovides a real time view and a historical view The integration is not a simple SNMPquery but advanced CLI and Metadata information gathered in real time for NSX

This Module contains the following lessons

bull Operational guidance for NSX Managerbull Advanced NSX Management amp Operations Interactive Simulation

HOL-1829-01-NET

Page 85HOL-1829-01-NET

NSX Advanced ManagementOperationsLab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

HOL-1829-01-NET

Page 86HOL-1829-01-NET

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen

HOL-1829-01-NET

Page 87HOL-1829-01-NET

1 Type NSX Manager (this will list three NSX Managers2 Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately seethat we have 50 problems associated with this endpoint

1 Click on the NSX Manager address to expose the layout and detailedinformation

HOL-1829-01-NET

Page 88HOL-1829-01-NET

Timeline - Visual Build-up

Explore information only - Do not click

bull A - Starting with the Timeline we can manipulate the results by simply draggingthe slider but by default the current time results will be displayed on entry Theslider and drop down (next to 1 day) makes it easy to filter on demand

bull B - The Properties give a clear understanding of the NSX Managers currentconfiguration (vRealize Network Insight accommodate multiple NSX managers)

bull C - Looking at the NSX Checklist Rules - ALL we can scroll up and down toview each point in the checklist that is used to monitorvalidate against the NSXManager

bull D - Because vRealize Network Insight supports multiple NSX managers andmultiple NSX controllers this is an important visual understanding of theTopology Each object can be queried individually within the same screen

bull E - NSX Problems will be key to understanding the issues for NSX

HOL-1829-01-NET

Page 89HOL-1829-01-NET

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in theconstruct to be queried in real time Topology layout displays all the related NSXservices bound to the NSX Manager including Clusters and hosts The red triangle on allthree NSX controllers indicates possible issues that may impact the NSX environmenteither as a starting point or a result thereof We can now query each object for detailedinformation

1 Click on the NSX controller (Look at each controller until you find thecontroller starting with NSX_Controller_5b6c6c8d-4d71 as they do changeorder)

HOL-1829-01-NET

Page 90HOL-1829-01-NET

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevantconfiguration This screen will help identify the Status Version Upgrade Availability andmany other critical identifiers of the NSX Controller at a quick glance including anyissues

B - The immediate issue on this NSX controller is also pointed out with a red triangleindicating that we have a control plane sync issue Tracking the issue can be furtherinvestigated by expanding (clicking on the red triangle) to view detailed information Wewill not be investigating this problem further in this exercise

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 91HOL-1829-01-NET

Topology - Explained

Note The Topology for the NSX environment will not show any load balancing devicestatus information in this release

1 Click the edge VMs icon to see detailed information about the edge services

HOL-1829-01-NET

Page 92HOL-1829-01-NET

Provider Edge

Rendering a complete view of the provider edge services and the associations we caninvestigate all the edge related activities

1 Click the blue link Provider Edge 4 The problem Icon can be used to furtherobtain information about the Provider-Edge 4 This will highlight a criticalcondition due to a possible network disruption of this edge device as it is nolonger in a serving state

HOL-1829-01-NET

Page 93HOL-1829-01-NET

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button click once to return the the NSX Managerinformation screen step

HOL-1829-01-NET

Page 94HOL-1829-01-NET

Infrastructure Problems - Warning Moderate

bull Scroll down to Infrastructure Problems Section

1 Click and select the WarningModerate to view problem areas

WarningModerate Issues

1 Use the blue icon + to expand the detailed view of the Logical networking out ofsync between host and NSX Controller

HOL-1829-01-NET

Page 95HOL-1829-01-NET

WarningModerate Issues (Continued)

When you expand the details you can analyse full detail of warning

In this view vRealize Network Insight is also showing you recommendations on how youwould resolve this issue which makes troubleshooting and root cause analysis veryeasy

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 96HOL-1829-01-NET

Hands-on Labs Interactive SimulationAdvanced NSX Management ampOperationsThis part of the lab is presented as a Hands-on Labs Interactive Simulation This willallow you to experience steps which are too time-consuming or resource intensive to dolive in the lab environment In this simulation you can use the software interface as ifyou are interacting with a live environment

1 Click here to open the interactive simulation It will open in a new browserwindow or tab

2 When finished click the ldquoReturn to the labrdquo link to continue with this lab

HOL-1829-01-NET

Page 97HOL-1829-01-NET

ConclusionCongratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability of advancedmanagement operations vRealize Network Insight provides an in-depth analysis of thevirtual as well as the physical components associated with NSX (underlay and overlay)

For More Information

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.

3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.

5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means the connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three tier 'CRM' Application in AWS in one VPC. We shall explore the three tier system logic in the following steps.

1. Please note that the Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3. App (the App tier talks to the DB tier on port 3306)
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
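The three queries above compare the configured rules with the flows the CRM application is meant to have. The following script is an added example (not part of this lab and not vRealize Network Insight code) that performs the same intent-versus-policy check offline: it encodes the intended flows from the AWS Configuration list and evaluates them against a constructed set of AWS security groups in which, as in the lab, the log server's group has no inbound port 514 rule for the DB tier. The security-group names and rules, the instance IPs, the extra crm-web2/crm-app2 instances and the use of UDP for ports 53 and 514 are assumptions.

```python
"""Intent-vs-policy check for the lab's CRM application in AWS.

Added example; not part of the HOL-1829-01-NET lab or of vRealize Network
Insight. Security-group names and rules, instance IPs and the use of UDP
for ports 53 and 514 are constructed; the intended flows follow the lab's
AWS Configuration list (ports 22, 80, 8080, 3306, 53, 514).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp" or "udp"
    port: int
    peer: str       # security-group name or CIDR


@dataclass
class SecurityGroup:
    name: str
    rules: list

    def permits(self, direction, proto, port, peer_sg, peer_ip):
        """First matching rule, or None. Security groups are allow-only,
        so no match means the traffic is dropped."""
        for r in self.rules:
            if (r.direction, r.proto, r.port) != (direction, proto, port):
                continue
            if r.peer == peer_sg or (
                    "/" in r.peer and ip_address(peer_ip) in ip_network(r.peer)):
                return r
        return None


@dataclass
class Instance:
    name: str
    ip: str
    sg: SecurityGroup


def flow_allowed(src, dst, proto, port):
    """A new flow needs an outbound rule on the source group and an inbound
    rule on the destination group; replies are covered by statefulness."""
    return (src.sg.permits("outbound", proto, port, dst.sg.name, dst.ip) is not None
            and dst.sg.permits("inbound", proto, port, src.sg.name, src.ip) is not None)


def firewall_action_of_flows(instances, intended, dst_name):
    """Mirror of the lab's 'firewall action of flows where dst vm = X' query:
    ALLOW or DENY for each intended flow whose destination is dst_name."""
    vm = {i.name: i for i in instances}
    return {(s, p, port): "ALLOW" if flow_allowed(vm[s], vm[d], p, port) else "DENY"
            for s, d, p, port in intended if d == dst_name}


def policy_gaps(instances, intended):
    """Intended flows that the configured security groups do not permit."""
    vm = {i.name: i for i in instances}
    return [f for f in intended if not flow_allowed(vm[f[0]], vm[f[1]], f[2], f[3])]


# Constructed topology: VPC CRM (jump box, web, app, db tiers) and VPC Common
# Services (DNS and syslog servers), modelled on the lab's description.
TIER_SGS = ["sg-web", "sg-app", "sg-db"]
sg_jump = SecurityGroup("sg-jump", [Rule("outbound", "tcp", 22, g) for g in TIER_SGS])
sg_web = SecurityGroup("sg-web", [
    Rule("inbound", "tcp", 80, "10.0.0.0/8"),  # internal datacenter users (lab item 7)
    Rule("inbound", "tcp", 22, "sg-jump"), Rule("outbound", "tcp", 8080, "sg-app"),
    Rule("outbound", "udp", 53, "sg-dns"), Rule("outbound", "udp", 514, "sg-log")])
sg_app = SecurityGroup("sg-app", [
    Rule("inbound", "tcp", 8080, "sg-web"), Rule("inbound", "tcp", 22, "sg-jump"),
    Rule("outbound", "tcp", 3306, "sg-db"),
    Rule("outbound", "udp", 53, "sg-dns"), Rule("outbound", "udp", 514, "sg-log")])
sg_db = SecurityGroup("sg-db", [
    Rule("inbound", "tcp", 3306, "sg-app"), Rule("inbound", "tcp", 22, "sg-jump"),
    Rule("outbound", "udp", 53, "sg-dns"), Rule("outbound", "udp", 514, "sg-log")])
sg_dns = SecurityGroup("sg-dns", [Rule("inbound", "udp", 53, g) for g in TIER_SGS])
# The administrator's omission from the lab: no inbound 514 from sg-db.
sg_log = SecurityGroup("sg-log", [Rule("inbound", "udp", 514, "sg-web"),
                                  Rule("inbound", "udp", 514, "sg-app")])

INSTANCES = [
    Instance("jump-box", "10.10.0.5", sg_jump),
    Instance("crm-web1", "10.10.1.11", sg_web), Instance("crm-web2", "10.10.1.12", sg_web),
    Instance("crm-app1", "10.10.2.11", sg_app), Instance("crm-app2", "10.10.2.12", sg_app),
    Instance("crm-database", "10.10.3.11", sg_db),
    Instance("aws-dns-server", "10.20.0.53", sg_dns),
    Instance("aws-log-server", "10.20.0.54", sg_log),
]
TIER_VMS = ["crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database"]
# Intended flows from the lab description: (src, dst, proto, port).
INTENDED = ([("jump-box", v, "tcp", 22) for v in TIER_VMS]
            + [("crm-web1", "crm-app1", "tcp", 8080), ("crm-app1", "crm-database", "tcp", 3306)]
            + [(v, "aws-dns-server", "udp", 53) for v in TIER_VMS]
            + [(v, "aws-log-server", "udp", 514) for v in TIER_VMS])

if __name__ == "__main__":
    print(firewall_action_of_flows(INSTANCES, INTENDED, "aws-log-server"))
    print("gaps:", policy_gaps(INSTANCES, INTENDED))  # only crm-database -> aws-log-server 514
```

Run as a script, the first line reproduces the lab's first query (4 ALLOW, 1 DENY for aws-log-server) and the second isolates the single missing rule.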

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

VM Underlay

Lets now focus on VM Underlay

1 The VMUnderlay section that is on the right side of the VM Path topology showsthe underlay information of the VMs involved and their connectivity to the top ofthe rack switches and the ports involved

2 The VM Underlay path topology is shown here3 The components are labeled under Path Details

HOL-1829-01-NET

Page 79HOL-1829-01-NET

HOL-1829-01-NET

Page 80HOL-1829-01-NET

1 In this section the drop-down list at the top shows the endpoint VMs and theactive VMs at the edges

2 For each edgeVM the neighbouring drop-down list shows the ingress and theegress interface IP addresses

1 From the previous step we selected the Prod-DB-2 Virtual Machine2 Which changes the focus to corresponding Interface IP Address (VNIC)3 Shows the visual map (Path topology) of all the path objects4 Path details shows the labels and list the components

This concludes this module Please continue to the next module

HOL-1829-01-NET

Page 81HOL-1829-01-NET

ConclusionCongratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow ofdata between two objects throughout the network vRealize Network Insight is providingus with a 360 degrees view of the virtual as well as the physical components in thepath With the map function and the details on the map it is very easy to get a quickoverview of the components utilized in network communication

All the components in the map is based on a snapshot of real life data Feel free to clickon other icons shown in the map in this module before continuing to the next module tohave a look at other components

For More Information

For additional information about the functionality showcased in this module visithttpwwwvmwarecomvrealize network insight

This concludes this module Please continue to the next module

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

HOL-1829-01-NET

Page 82HOL-1829-01-NET

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull (30 minutes)

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 83HOL-1829-01-NET

Module 3 - Advanced NSXManagement amp

Operations (45 minutes)

HOL-1829-01-NET

Page 84HOL-1829-01-NET

IntroductionIntroduction

vRealize Network Insight ensures that we have full visibility from an overlay andunderlay perspective and in this module focus on advanced operations of NSX withvRealize Network Insight Its important to note that the vRealize Network Insightprovides a real time view and a historical view The integration is not a simple SNMPquery but advanced CLI and Metadata information gathered in real time for NSX

This Module contains the following lessons

bull Operational guidance for NSX Managerbull Advanced NSX Management amp Operations Interactive Simulation

HOL-1829-01-NET

Page 85HOL-1829-01-NET

NSX Advanced ManagementOperationsLab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

HOL-1829-01-NET

Page 86HOL-1829-01-NET

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen

HOL-1829-01-NET

Page 87HOL-1829-01-NET

1 Type NSX Manager (this will list three NSX Managers2 Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately seethat we have 50 problems associated with this endpoint

1 Click on the NSX Manager address to expose the layout and detailedinformation

HOL-1829-01-NET

Page 88HOL-1829-01-NET

Timeline - Visual Build-up

Explore information only - Do not click

bull A - Starting with the Timeline we can manipulate the results by simply draggingthe slider but by default the current time results will be displayed on entry Theslider and drop down (next to 1 day) makes it easy to filter on demand

bull B - The Properties give a clear understanding of the NSX Managers currentconfiguration (vRealize Network Insight accommodate multiple NSX managers)

bull C - Looking at the NSX Checklist Rules - ALL we can scroll up and down toview each point in the checklist that is used to monitorvalidate against the NSXManager

bull D - Because vRealize Network Insight supports multiple NSX managers andmultiple NSX controllers this is an important visual understanding of theTopology Each object can be queried individually within the same screen

bull E - NSX Problems will be key to understanding the issues for NSX

HOL-1829-01-NET

Page 89HOL-1829-01-NET

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in theconstruct to be queried in real time Topology layout displays all the related NSXservices bound to the NSX Manager including Clusters and hosts The red triangle on allthree NSX controllers indicates possible issues that may impact the NSX environmenteither as a starting point or a result thereof We can now query each object for detailedinformation

1 Click on the NSX controller (Look at each controller until you find thecontroller starting with NSX_Controller_5b6c6c8d-4d71 as they do changeorder)

HOL-1829-01-NET

Page 90HOL-1829-01-NET

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and relevantconfiguration This screen will help identify the Status Version Upgrade Availability andmany other critical identifiers of the NSX Controller at a quick glance including anyissues

B - The immediate issue on this NSX controller is also pointed out with a red triangleindicating that we have a control plane sync issue Tracking the issue can be furtherinvestigated by expanding (clicking on the red triangle) to view detailed information Wewill not be investigating this problem further in this exercise

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 91HOL-1829-01-NET

Topology - Explained

Note The Topology for the NSX environment will not show any load balancing devicestatus information in this release

1 Click the edge VMs icon to see detailed information about the edge services

HOL-1829-01-NET

Page 92HOL-1829-01-NET

Provider Edge

Rendering a complete view of the provider edge services and the associations we caninvestigate all the edge related activities

1 Click the blue link Provider Edge 4 The problem Icon can be used to furtherobtain information about the Provider-Edge 4 This will highlight a criticalcondition due to a possible network disruption of this edge device as it is nolonger in a serving state

HOL-1829-01-NET

Page 93HOL-1829-01-NET

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button click once to return the the NSX Managerinformation screen step

HOL-1829-01-NET

Page 94HOL-1829-01-NET

Infrastructure Problems - Warning Moderate

bull Scroll down to Infrastructure Problems Section

1 Click and select the WarningModerate to view problem areas

WarningModerate Issues

1 Use the blue icon + to expand the detailed view of the Logical networking out ofsync between host and NSX Controller

HOL-1829-01-NET

Page 95HOL-1829-01-NET

WarningModerate Issues (Continued)

When you expand the details you can analyse full detail of warning

In this view vRealize Network Insight is also showing you recommendations on how youwould resolve this issue which makes troubleshooting and root cause analysis veryeasy

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 96HOL-1829-01-NET

Hands-on Labs Interactive SimulationAdvanced NSX Management ampOperationsThis part of the lab is presented as a Hands-on Labs Interactive Simulation This willallow you to experience steps which are too time-consuming or resource intensive to dolive in the lab environment In this simulation you can use the software interface as ifyou are interacting with a live environment

1 Click here to open the interactive simulation It will open in a new browserwindow or tab

2 When finished click the ldquoReturn to the labrdquo link to continue with this lab

HOL-1829-01-NET

Page 97HOL-1829-01-NET

ConclusionCongratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability of advancedmanagement operations vRealize Network Insight provides an in-depth analysis of thevirtual as well as the physical components associated with NSX (underlay and overlay)

For More Information

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

HOL-1829-01-NET

Page 98HOL-1829-01-NET

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 99HOL-1829-01-NET

Module 4 - ManageSecurity for Public Clouds

(AWS) (30 Minutes)

HOL-1829-01-NET

Page 100HOL-1829-01-NET

IntroductionEnterprise IT needs visibility into the network and security status of their workloadswhether hosted on premises or within AWS While many AWS workloads are sandboxesfor application development teams (DevOps) it is important to analyze these workloadsIncreasingly public cloud workloads are also fulfilling mission critical production needsfor many organizations Enterprise IT must be ready to determine the best locationsecurity posture and bandwidth allocation when deploying workloads Having trafficpattern details as well as security analysis and recommendations readily availablehelps organizations make the ideal hosting decisions to meet their business needs

vRealize Network Insight (vRNI) Supports Amazon Web Services (AWS) PublicCloud The vRNI traffic monitoring features provide visibility into native AWS constructssuch as Virtual Private Clouds VMs Security Groups firewall rules and tags vRNI alsoanalyzes AWS traffic flows to provide security and micro-segmentation views of cloudworkloads This means youll be able to plan micro-segmentation and understand trafficpatterns using data collected from your AWS instances

This Module contains the following lessons

bull Introduction to Managing Security for Public Clouds (AWS)

HOL-1829-01-NET

Page 101HOL-1829-01-NET

Introduction to Managing Security forPublic Clouds (AWS)Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

HOL-1829-01-NET

Page 102HOL-1829-01-NET

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

AWS Configuration

Lets review the AWS VPC setup for the purpose of this lab

1 We have an on premise instance of vRealize Network Insight managing AWS2 There are two VPCs ie CRM and Common Services

HOL-1829-01-NET

Page 103HOL-1829-01-NET

3 VPC CRM consists of CRM Application which comprises of 3 tiers ie Web APP andDB

4 Internal users of Company can access Web Tier of the CRM on 80 internally viaJump-box

5 Web tier talks to App tier on port 80806 App tier talks to DB tier on port 33067 Web tier is open for internal datacenters VM on 80 port8 From Jump-box in VPC CRM all virtual machines have ssh access on port 229 All tiers of VPCCRM talks to DNS server on 53 and LogServer on 514 on VPC

Common Services10 This means connection to DB to Log Server (used for backup services) must exist

as configured by the Administrator but this in fact is the problem area where ourfocus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs TheCRM Application in AWS VPC has already been created for you

Application creation steps have been discussed in Module 3

HOL-1829-01-NET

Page 104HOL-1829-01-NET

1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1. Please note that the micro-segments are already filtered by tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers). This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 in the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 (DNS and syslog respectively).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).

1. Right-click in the Chrome web browser.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results: 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).

1. Right-click in the Chrome web browser.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This will return 3 results: 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. Right-click in the Chrome web browser.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
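The gap the three queries expose (an intended DB-to-syslog flow with no security-group rule permitting it) can also be checked mechanically by comparing the design intent from the AWS Configuration page against a rule set. The following Python is an added example, not code from the lab or from VMware: the VM names, security-group names and all rules are constructed to mirror the lab narrative, and DNS and syslog are assumed to run over UDP since the lab names only the ports.

```python
"""Intent-versus-rule gap check for the CRM three-tier design in this module.

Added example, not part of the lab; it calls neither vRNI nor AWS. The VM
names, security-group names and rules are constructed to mirror the lab
narrative, and DNS/syslog are assumed to run over UDP (the lab names only
the ports 53 and 514).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    direction: str  # "ingress" or "egress"
    protocol: str   # "tcp" or "udp"
    from_port: int
    to_port: int
    peer_sg: str    # security group at the other end of the flow

    def covers(self, direction: str, protocol: str, port: int, peer_sg: str) -> bool:
        return (self.direction == direction and self.protocol == protocol
                and self.from_port <= port <= self.to_port and self.peer_sg == peer_sg)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    port: int

@dataclass(frozen=True)
class Gap:
    flow: Flow
    missing_on: str  # security group that lacks the rule
    fix: Rule        # the rule that would close the gap

# constructed: instance -> security group (Shared Virtual hosts DNS and syslog)
INSTANCE_SG: Dict[str, str] = {
    "jump-box": "sg-jump",
    "crm-web1": "sg-web", "crm-web2": "sg-web",
    "crm-app1": "sg-app", "crm-app2": "sg-app",
    "crm-database": "sg-db",
    "aws-dns-server": "sg-shared", "aws-log-server": "sg-shared",
}
CRM_TIERS = ["crm-web1", "crm-web2", "crm-app1", "crm-app2", "crm-database"]
SHARED_EGRESS = [Rule("egress", "udp", 53, 53, "sg-shared"), Rule("egress", "udp", 514, 514, "sg-shared")]

# constructed rules; security groups are stateful, so a flow needs an egress
# allow on the source group AND an ingress allow on the destination group
SG_RULES: Dict[str, List[Rule]] = {
    "sg-jump": [Rule("egress", "tcp", 80, 80, "sg-web")]
               + [Rule("egress", "tcp", 22, 22, sg) for sg in ("sg-web", "sg-app", "sg-db")],
    "sg-web": [Rule("ingress", "tcp", 80, 80, "sg-jump"), Rule("ingress", "tcp", 22, 22, "sg-jump"),
               Rule("egress", "tcp", 8080, 8080, "sg-app")] + SHARED_EGRESS,
    "sg-app": [Rule("ingress", "tcp", 8080, 8080, "sg-web"), Rule("ingress", "tcp", 22, 22, "sg-jump"),
               Rule("egress", "tcp", 3306, 3306, "sg-db")] + SHARED_EGRESS,
    # the lab's defect: sg-db got the DNS egress rule but nobody added syslog (514)
    "sg-db": [Rule("ingress", "tcp", 3306, 3306, "sg-app"), Rule("ingress", "tcp", 22, 22, "sg-jump"),
              Rule("egress", "udp", 53, 53, "sg-shared")],
    "sg-shared": [Rule("ingress", "udp", p, p, sg)
                  for p in (53, 514) for sg in ("sg-web", "sg-app", "sg-db")],
}

# the design intent listed on the "AWS Configuration" page of this module
INTENDED_FLOWS: List[Flow] = (
    [Flow("jump-box", "crm-web1", "tcp", 80), Flow("crm-web1", "crm-app1", "tcp", 8080),
     Flow("crm-app1", "crm-database", "tcp", 3306)]
    + [Flow("jump-box", vm, "tcp", 22) for vm in ("crm-web1", "crm-app1", "crm-database")]
    + [Flow(vm, "aws-dns-server", "udp", 53) for vm in CRM_TIERS]
    + [Flow(vm, "aws-log-server", "udp", 514) for vm in CRM_TIERS]
)

def find_gap(flow: Flow) -> Optional[Gap]:
    """Return the first missing rule for the flow, or None if it is permitted."""
    src_sg, dst_sg = INSTANCE_SG[flow.src], INSTANCE_SG[flow.dst]
    for direction, own_sg, peer_sg in (("egress", src_sg, dst_sg), ("ingress", dst_sg, src_sg)):
        if not any(r.covers(direction, flow.protocol, flow.port, peer_sg) for r in SG_RULES[own_sg]):
            return Gap(flow, own_sg, Rule(direction, flow.protocol, flow.port, flow.port, peer_sg))
    return None

def firewall_action(flow: Flow) -> str:
    """ALLOW or DENY, as the lab's 'firewall action of flows' query reports it."""
    return "DENY" if find_gap(flow) else "ALLOW"

def missing_rules(flows: List[Flow] = INTENDED_FLOWS) -> List[Gap]:
    return [g for g in (find_gap(f) for f in flows) if g is not None]

def actions_to(dst: str, flows: List[Flow] = INTENDED_FLOWS) -> Dict[str, int]:
    """Counts like 'firewall action of flows where dst vm = <dst>' in the lab."""
    counts = {"ALLOW": 0, "DENY": 0}
    for f in flows:
        if f.dst == dst:
            counts[firewall_action(f)] += 1
    return counts

if __name__ == "__main__":
    for gap in missing_rules():
        print(f"{gap.flow.src} -> {gap.flow.dst} {gap.flow.protocol}/{gap.flow.port}: "
              f"no {gap.fix.direction} rule on {gap.missing_on}; add {gap.fix}")
    print(actions_to("aws-log-server"))  # {'ALLOW': 4, 'DENY': 1}
```

Run against the constructed rules, the only gap is the missing egress rule on sg-db for udp/514 to sg-shared, and the summary for aws-log-server comes out as 4 ALLOW and 1 DENY, matching the lab's first query.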

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
  • Module 1 - Micro-Segmentation and Security (30 minutes)
    • Introduction
    • Micro-Segmentation Introduction
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Plan Security
      • Plan Security - Specify a Preset
      • Overview - Traffic Distribution (Left Pane)
      • Traffic Distribution - Overview (Right pane)
      • East-West (EW) - Traffic
      • East-West (EW) - Detailed view
      • Services/Ports
      • Services/Ports - Time line view
      • Services/Ports - Point in Time Service
      • Flows for Port 5443
      • Flow Key Properties - Timeline view
      • Flow Key Properties - Timeline view
      • Micro-Segments
      • Focus - 101780 Network
      • Focus - VLAN/VXLAN
      • Focus - Prod-Web (25)
      • Flows - Prod-Web to Prod-Midtier
      • Flows - Recommended Firewall Rules
      • Multiple Ports and Firewall rules for Prod-web
      • Services and Flows for Prod-Web
      • Application-Centric Micro-Segmentation
      • Define an Application
      • Security Group Prod_MidTier
      • Results - PROD_MIDTIER
      • Security Group Prod_MidTier - Timeline
      • Security Group Firewall Topology
      • Tracking Prod_MidTier
      • Lab-Midtier
      • Firewall Rule - Tracking
      • Port Search
      • Export Firewall Rules
      • Firewall Rule Membership Change
      • Audit Rule - Firewall Rule Membership Changes
      • User-defined Event
      • Settings
      • System Notifications
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
    • Introduction
    • 360 Network Visibility and Troubleshooting
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Path and Topology
      • Path - Select source and destination
      • Path - source and destination continued
      • Path - source and destination continued
      • Searching for path
      • VM Path Topology and VM Underlay
      • VM Path Topology - Path Details
      • Component Overview
      • Virtual Machine - Details
      • Physical ESXi Hosts
      • Host - Details
      • DVPG on the map
      • DVPG
      • VLAN-629 on the map
      • VLAN Network
      • Switch ports on the map
      • Switch Port
      • Physical VRF on the map
      • VRF - Physical Switch
      • VRF - continued
      • VRF - Physical Router
      • VRF - continued
      • VRF - Physical Switch
      • Accessing the virtual infrastructure
      • VRF - NSX Provider Edge 1
      • VXLAN on the map
      • VXLAN Network
      • VRF - LDR
      • VRF - LDR-Corporate
      • Routing - NSX Firewall
      • Firewall - NSX
      • Redirect on the map - PAN Firewall
      • Firewall - PAN
      • Reversing the analysis
      • Reversing the analysis continued
      • VM Underlay
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 3 - Advanced NSX Management & Operations (45 minutes)
    • Introduction
    • NSX Advanced Management Operations
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Search Bar - NSX Manager
      • NSX Manager Information
      • Timeline - Visual Build-up
      • Topology - Focus on the NSX Controller
      • NSX Controller - Detail
      • Topology - Explained
      • Provider Edge
      • Routers Provider Edge 4
      • Return to Search View - NSX Manager
      • Infrastructure Problems - Warning Moderate
      • Warning/Moderate Issues
      • Warning/Moderate Issues (Continued)
    • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
    • Introduction
    • Introduction to Managing Security for Public Clouds (AWS)
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • AWS Configuration
      • Plan Security - AWS Cloud
      • Exploring the Three Tier Application - Step by Step
      • Firewall Queries for CRM Application
    • Conclusion
      • For More Information
      • How to End Lab
  • Conclusion

1. In this section the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
2. For each edge VM the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step we selected the Prod-DB-2 virtual machine.
2. This changes the focus to the corresponding interface IP address (vNIC).
3. Shows the visual map (path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:

1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.

Timeline - Visual Build-up

Explore the information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.
• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).
• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.
• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this visual representation of the topology is important. Each object can be queried individually within the same screen.
• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, to be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and the relevant configuration. This screen will help identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.
2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs: CRM and Common Services.
3. VPC CRM consists of the CRM application, which comprises 3 tiers: Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist as configured by the administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.


                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.

2. For each edge VM, the neighbouring drop-down list shows the ingress and the egress interface IP addresses.

1. From the previous step, we selected the Prod-DB-2 Virtual Machine.
2. This changes the focus to the corresponding Interface IP Address (VNIC).
3. Shows the visual map (Path topology) of all the path objects.
4. Path details shows the labels and lists the components.

This concludes this module. Please continue to the next module.

HOL-1829-01-NET Page 81

Conclusion

Congratulations on completing Module 2.

This module has shown us that vRealize Network Insight is capable of tracing the flow of data between two objects throughout the network. vRealize Network Insight provides us with a 360 degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is very easy to get a quick overview of the components utilized in network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on other icons shown in the map in this module before continuing to the next module, to have a look at other components.

For More Information

For additional information about the functionality showcased in this module, visit the vRealize Network Insight pages at http://www.vmware.com/.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code


Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)


Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It's important to note that vRealize Network Insight provides a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time for NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be further investigated by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view, vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation, you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the Company can access the Web Tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.


1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
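The same gap the three queries above uncover can be found by comparing the lab's intended CRM flow matrix with the security-group rules directly. The script below is an added example (not code from the lab or from vRealize Network Insight); the security-group names, the VM-to-group mapping and the rule set are assumptions constructed to reproduce the lab's situation.

```python
"""Added example, not part of the HOL-1829-01-NET lab or of vRealize Network
Insight. It encodes the CRM application's intended flows from the lab's AWS
configuration, evaluates them against a constructed set of AWS security-group
rules (allow-only, implicit deny; BOTH the source group's outbound rules and
the destination group's inbound rules must permit a flow), and reports the
design-required flows the rules block. Group names and rules are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # source VM name
    dst: str   # destination VM name
    port: int  # destination port


@dataclass(frozen=True)
class SgRule:
    group: str      # security group the rule belongs to
    direction: str  # "inbound" or "outbound"
    peer: str       # peer security group, or "any"
    from_port: int
    to_port: int


# Constructed VM -> security-group membership (hypothetical group names).
VM_GROUP = {
    "jump-box": "sg-jump", "crm-web1": "sg-web", "crm-app1": "sg-app",
    "crm-database": "sg-db", "aws-dns-server": "sg-shared",
    "aws-log-server": "sg-shared",
}
TIERS = ("crm-web1", "crm-app1", "crm-database")

# Intended communication matrix, taken from the lab's AWS configuration.
INTENDED = (
    [Flow("jump-box", "crm-web1", 80),        # internal users via jump-box
     Flow("crm-web1", "crm-app1", 8080),      # web -> app
     Flow("crm-app1", "crm-database", 3306)]  # app -> db
    + [Flow("jump-box", vm, 22) for vm in TIERS]         # ssh from jump-box
    + [Flow(vm, "aws-dns-server", 53) for vm in TIERS]   # all tiers -> DNS
    + [Flow(vm, "aws-log-server", 514) for vm in TIERS]  # all tiers -> syslog
)

# Constructed rule set reproducing the lab's mistake: sg-shared has no inbound
# 514 rule for sg-db, so crm-database cannot reach aws-log-server.
RULES = [
    SgRule("sg-jump", "outbound", "any", 0, 65535),
    SgRule("sg-web", "inbound", "sg-jump", 80, 80),
    SgRule("sg-web", "outbound", "sg-app", 8080, 8080),
    SgRule("sg-app", "inbound", "sg-web", 8080, 8080),
    SgRule("sg-app", "outbound", "sg-db", 3306, 3306),
    SgRule("sg-db", "inbound", "sg-app", 3306, 3306),
]
for sg in ("sg-web", "sg-app", "sg-db"):
    RULES.append(SgRule(sg, "inbound", "sg-jump", 22, 22))
    RULES.append(SgRule(sg, "outbound", "sg-shared", 53, 53))
    RULES.append(SgRule(sg, "outbound", "sg-shared", 514, 514))
    RULES.append(SgRule("sg-shared", "inbound", sg, 53, 53))
    if sg != "sg-db":  # the rule the administrator forgot for the DB tier
        RULES.append(SgRule("sg-shared", "inbound", sg, 514, 514))

MISSING_RULE = SgRule("sg-shared", "inbound", "sg-db", 514, 514)  # the fix


def _permits(rule, group, direction, peer, port):
    return (rule.group == group and rule.direction == direction
            and rule.peer in ("any", peer)
            and rule.from_port <= port <= rule.to_port)


def is_allowed(flow, rules=RULES):
    """True only if egress from the source group AND ingress to the
    destination group are permitted; anything unmatched is implicitly denied."""
    src_sg, dst_sg = VM_GROUP[flow.src], VM_GROUP[flow.dst]
    egress = any(_permits(r, src_sg, "outbound", dst_sg, flow.port) for r in rules)
    ingress = any(_permits(r, dst_sg, "inbound", src_sg, flow.port) for r in rules)
    return egress and ingress


def blocked_intended_flows(intended=INTENDED, rules=RULES):
    """Design-required flows that the rule set would deny."""
    return [f for f in intended if not is_allowed(f, rules)]


def rules_for_pair(src, dst, rules=RULES):
    """Rules touching a src/dst VM pair, grouped by direction, in the spirit of
    the lab's 'aws firewall rule where src vm = ... and dst vm = ...' query."""
    src_sg, dst_sg = VM_GROUP[src], VM_GROUP[dst]
    return {
        "outbound": [r for r in rules if r.group == src_sg
                     and r.direction == "outbound" and r.peer in ("any", dst_sg)],
        "inbound": [r for r in rules if r.group == dst_sg
                    and r.direction == "inbound" and r.peer in ("any", src_sg)],
    }


if __name__ == "__main__":
    for f in blocked_intended_flows():
        print(f"blocked by the rule set: {f.src} -> {f.dst}:{f.port}")
        for direction, rs in rules_for_pair(f.src, f.dst).items():
            print(f"  {direction}: {[(r.peer, r.from_port) for r in rs]}")
    print("blocked after adding MISSING_RULE:",
          blocked_intended_flows(rules=RULES + [MISSING_RULE]))
```

Running it reports only crm-database -> aws-log-server:514 as blocked, with the DB group's outbound 514 rule present but no matching inbound rule on the shared group, and an empty list once MISSING_RULE is added.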


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



ConclusionCongratulations on completing Module 2

This module has shown us that vRealize Network Insight is capable of tracing the flow ofdata between two objects throughout the network vRealize Network Insight is providingus with a 360 degrees view of the virtual as well as the physical components in thepath With the map function and the details on the map it is very easy to get a quickoverview of the components utilized in network communication

All the components in the map is based on a snapshot of real life data Feel free to clickon other icons shown in the map in this module before continuing to the next module tohave a look at other components

For More Information

For additional information about the functionality showcased in this module visithttpwwwvmwarecomvrealize network insight

This concludes this module Please continue to the next module

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

HOL-1829-01-NET

Page 82HOL-1829-01-NET

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull (30 minutes)

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 83HOL-1829-01-NET

Module 3 - Advanced NSXManagement amp

Operations (45 minutes)

HOL-1829-01-NET

Page 84HOL-1829-01-NET

IntroductionIntroduction

vRealize Network Insight ensures that we have full visibility from an overlay andunderlay perspective and in this module focus on advanced operations of NSX withvRealize Network Insight Its important to note that the vRealize Network Insightprovides a real time view and a historical view The integration is not a simple SNMPquery but advanced CLI and Metadata information gathered in real time for NSX

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers)
2. Click Search

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that there are 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore the information only - do not click.

• A - Starting with the Timeline, we can manipulate the results simply by dragging the slider; by default, the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Under NSX Checklist Rules - ALL we can scroll up and down to view each point in the checklist that is used to monitor and validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, the Topology is an important visual aid. Each object can be queried individually within the same screen.

• E - NSX Problems is key to understanding the issues affecting NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct, so each can be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the status, version, upgrade availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating a control-plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: the Topology for the NSX environment does not show any load-balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This highlights a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root-cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view, vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root-cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the advanced management operations capability of vRealize Network Insight. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to whichever module below interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of its workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic-pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM contains the CRM application, which comprises three tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80, internally, via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and to the log server on port 514 in VPC Common Services.
10. This means a connection from the DB tier to the log server (used for backup services) must exist as configured by the administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 1 (Application-Centric Micro-Segmentation).


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and to the log server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump-box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator runs three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when the previous tab was duplicated) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for Web and Midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string (copied when the previous tab was duplicated) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when the previous tab was duplicated) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results, both Outbound rules, which explains the firewall behaviour from crm-database to aws-log-server: the database's own group lets the traffic out, but nothing on the log server's side lets it in.
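The three queries above show the root cause from the vRNI side: the flow from crm-database to aws-log-server on udp/514 is part of the design, but it is denied because the log server's security group never admits the database tier. The Python script below is an added example, not part of this lab manual and not vRealize Network Insight code. It models the two-VPC setup from the "AWS Configuration" section as security groups in the shape of the IpPermission entries that boto3's describe_security_groups() returns, evaluates each required flow the way AWS does (security groups are stateful, so the source group's egress and the destination group's ingress must both permit the initiating direction), and reports exactly which rule is missing. All group IDs, all rules, and every instance name other than crm-web1, crm-database and aws-log-server are constructed assumptions; the script runs offline with no AWS access.

```python
"""Security-group reachability audit for the lab's CRM application.

Added example; not part of the HOL manual or of vRealize Network Insight.
Rules are modelled in the shape of the IpPermission entries returned by
boto3's describe_security_groups(). Group IDs, every rule, and all instance
names except crm-web1, crm-database and aws-log-server are constructed.
"""
from typing import Dict, List, Tuple

ANY = "0.0.0.0/0"
Flow = Tuple[str, str, str, int]  # (src instance, dst instance, protocol, port)


def rule(proto: str, from_port: int, to_port: int, *peers: str) -> dict:
    """One IpPermission-style rule; protocol '-1' means any protocol and port."""
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port, "Peers": set(peers)}


# Constructed groups mirroring design statements 4-9 of "AWS Configuration".
# sg-log deliberately lacks an ingress entry for sg-db: that is the rule the
# lab's firewall queries find missing. Peers are group IDs or 0.0.0.0/0; other
# CIDRs are documentation only and never match in this toy model.
SECURITY_GROUPS: Dict[str, Dict[str, List[dict]]] = {
    "sg-jump": {"ingress": [rule("tcp", 22, 22, "10.0.0.0/8")],  # on-prem admins
                "egress": [rule("-1", 0, 65535, ANY)]},
    "sg-web": {"ingress": [rule("tcp", 80, 80, "sg-jump"), rule("tcp", 22, 22, "sg-jump")],
               "egress": [rule("-1", 0, 65535, ANY)]},
    "sg-app": {"ingress": [rule("tcp", 8080, 8080, "sg-web"), rule("tcp", 22, 22, "sg-jump")],
               "egress": [rule("-1", 0, 65535, ANY)]},
    "sg-db": {"ingress": [rule("tcp", 3306, 3306, "sg-app"), rule("tcp", 22, 22, "sg-jump")],
              "egress": [rule("udp", 53, 53, "sg-dns"), rule("udp", 514, 514, "sg-log")]},
    "sg-dns": {"ingress": [rule("udp", 53, 53, "sg-web", "sg-app", "sg-db")],
               "egress": [rule("-1", 0, 65535, ANY)]},
    "sg-log": {"ingress": [rule("udp", 514, 514, "sg-web", "sg-app")],  # sg-db missing
               "egress": [rule("-1", 0, 65535, ANY)]},
}

# Instance -> security group (only three of these names come from the manual).
INSTANCES: Dict[str, str] = {
    "jump-box": "sg-jump", "crm-web1": "sg-web", "crm-web2": "sg-web",
    "crm-app1": "sg-app", "crm-app2": "sg-app", "crm-database": "sg-db",
    "aws-dns-server": "sg-dns", "aws-log-server": "sg-log",
}


def _matches(r: dict, proto: str, port: int, peer_sg: str) -> bool:
    """Does one rule cover proto/port to or from peer_sg?"""
    if r["IpProtocol"] not in ("-1", proto):
        return False
    if r["IpProtocol"] != "-1" and not r["FromPort"] <= port <= r["ToPort"]:
        return False
    return ANY in r["Peers"] or peer_sg in r["Peers"]


def check_flow(src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Verdict for src opening proto/port to dst, plus the reason.

    Security groups are stateful, so only the initiating direction counts:
    the source group's egress must permit the destination group AND the
    destination group's ingress must permit the source group.
    """
    src_sg, dst_sg = INSTANCES[src], INSTANCES[dst]
    if not any(_matches(r, proto, port, dst_sg) for r in SECURITY_GROUPS[src_sg]["egress"]):
        return "DENY", f"{src_sg} has no egress rule for {proto}/{port} to {dst_sg}"
    if not any(_matches(r, proto, port, src_sg) for r in SECURITY_GROUPS[dst_sg]["ingress"]):
        return "DENY", f"{dst_sg} has no ingress rule for {proto}/{port} from {src_sg}"
    return "ALLOW", f"{src_sg} egress and {dst_sg} ingress both permit {proto}/{port}"


def flows_to(dst: str, proto: str, port: int) -> Dict[str, str]:
    """Counterpart of 'firewall action of flows where dst vm = <dst>':
    the verdict for every CRM-tier instance sending proto/port to dst."""
    return {src: check_flow(src, dst, proto, port)[0]
            for src, sg in INSTANCES.items() if sg in ("sg-web", "sg-app", "sg-db")}


# Flows the design statements require (one instance per tier suffices).
CRM_VMS = ("crm-web1", "crm-app1", "crm-database")
REQUIRED_FLOWS: List[Flow] = (
    [("jump-box", "crm-web1", "tcp", 80), ("crm-web1", "crm-app1", "tcp", 8080),
     ("crm-app1", "crm-database", "tcp", 3306)]
    + [("jump-box", vm, "tcp", 22) for vm in CRM_VMS]
    + [(vm, "aws-dns-server", "udp", 53) for vm in CRM_VMS]
    + [(vm, "aws-log-server", "udp", 514) for vm in CRM_VMS]
)


def audit(required: List[Flow] = REQUIRED_FLOWS) -> List[Tuple[Flow, str]]:
    """Every required flow the rule set denies, paired with the reason."""
    results = [(flow, check_flow(*flow)) for flow in required]
    return [(flow, reason) for flow, (verdict, reason) in results if verdict == "DENY"]


if __name__ == "__main__":
    for src, verdict in flows_to("aws-log-server", "udp", 514).items():
        print(f"{src:14} -> aws-log-server udp/514: {verdict}")
    for flow, reason in audit():
        print("MISSING RULE:", flow, "-", reason)
```

flows_to("aws-log-server", "udp", 514) reproduces the first query's split of four Allow verdicts and one Deny, and audit() names the missing rule: an ingress entry on the log server's group for udp/514 from the database group. Against a real account the same evaluator can be fed the output of describe_security_groups(), which is why the rule shape follows IpPermissions. Network ACLs and route tables are not modelled, so an ALLOW here is necessary but not sufficient for reachability.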


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226


1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Module 3 - Advanced NSXManagement amp

Operations (45 minutes)

HOL-1829-01-NET

Page 84HOL-1829-01-NET

Introduction

vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query but advanced CLI and metadata information gathered in real time from NSX.

This Module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation


NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (10.16.128.170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3!

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to the Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
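The finding above (crm-web1 has inbound and outbound rules towards aws-log-server, crm-database has only outbound ones, so the DB to syslog flow is denied) can be reproduced offline by checking an intended flow matrix against both halves of each security-group rule pair. The following Python is an added example, not part of the lab or of vRealize Network Insight; the security-group names, the TCP/UDP protocol choices and the rule set are constructed to mirror the lab's VPC setup.

```python
"""Audit AWS security-group style rules against an intended flow matrix.

Constructed data modelled on the lab's CRM setup: every tier has an outbound
rule towards the log server on 514, but the log server's own group only
admits the web and app tiers, so the DB -> syslog flow is denied while
DB -> DNS (53) still works.  Group names and protocols are assumptions.
"""
from dataclasses import dataclass, field

ANY_PROTO = "-1"  # AWS wildcard protocol value
ANY_PORT = -1     # sentinel for "all ports"

TIERS = ("sg-crm-web", "sg-crm-app", "sg-crm-db")  # constructed names


@dataclass(frozen=True)
class Rule:
    protocol: str  # "tcp", "udp" or "-1" (any)
    port: int      # single port, or ANY_PORT
    peer: str      # name of the security group the rule refers to


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


def rule_matches(rule: Rule, protocol: str, port: int, peer: str) -> bool:
    """A rule covers the flow if protocol and port match (or are wildcards)
    and the rule references the peer group."""
    proto_ok = rule.protocol in (ANY_PROTO, protocol)
    port_ok = rule.port in (ANY_PORT, port)
    return proto_ok and port_ok and rule.peer == peer


def flow_allowed(src: SecurityGroup, dst: SecurityGroup,
                 protocol: str, port: int) -> tuple:
    """Security groups are stateful, but a new connection still needs an
    egress match on the source group AND an ingress match on the destination
    group.  Returns (egress_ok, ingress_ok) so the caller can name the gap."""
    egress_ok = any(rule_matches(r, protocol, port, dst.name) for r in src.egress)
    ingress_ok = any(rule_matches(r, protocol, port, src.name) for r in dst.ingress)
    return egress_ok, ingress_ok


def audit(intent: list, groups: dict) -> list:
    """intent: (src_group, dst_group, protocol, port) tuples that must work.
    Returns one finding per missing half: (src, dst, port, reason)."""
    findings = []
    for src, dst, protocol, port in intent:
        egress_ok, ingress_ok = flow_allowed(groups[src], groups[dst], protocol, port)
        if not egress_ok:
            findings.append((src, dst, port, "no egress rule on source group"))
        if not ingress_ok:
            findings.append((src, dst, port, "no ingress rule on destination group"))
    return findings


# Intended communication matrix, as described in the lab's AWS configuration.
INTENDED_FLOWS = (
    [("sg-jumpbox", "sg-crm-web", "tcp", 80),
     ("sg-crm-web", "sg-crm-app", "tcp", 8080),
     ("sg-crm-app", "sg-crm-db", "tcp", 3306)]
    + [("sg-jumpbox", tier, "tcp", 22) for tier in TIERS]
    + [(tier, "sg-dns", "udp", 53) for tier in TIERS]
    + [(tier, "sg-log", "udp", 514) for tier in TIERS]
)


def lab_groups() -> dict:
    """Constructed rule set reproducing the lab's misconfiguration."""
    groups = {name: SecurityGroup(name)
              for name in TIERS + ("sg-jumpbox", "sg-dns", "sg-log")}

    def allow(src, dst, protocol, port):  # add both halves of a rule pair
        groups[src].egress.append(Rule(protocol, port, dst))
        groups[dst].ingress.append(Rule(protocol, port, src))

    allow("sg-jumpbox", "sg-crm-web", "tcp", 80)
    allow("sg-crm-web", "sg-crm-app", "tcp", 8080)
    allow("sg-crm-app", "sg-crm-db", "tcp", 3306)
    for tier in TIERS:
        allow("sg-jumpbox", tier, "tcp", 22)
        allow(tier, "sg-dns", "udp", 53)
        groups[tier].egress.append(Rule("udp", 514, "sg-log"))  # outbound only
    # The inbound side on the log server was added for web and app, never for DB.
    groups["sg-log"].ingress.append(Rule("udp", 514, "sg-crm-web"))
    groups["sg-log"].ingress.append(Rule("udp", 514, "sg-crm-app"))
    return groups


if __name__ == "__main__":
    for src, dst, port, reason in audit(INTENDED_FLOWS, lab_groups()):
        print(f"DENY {src} -> {dst}:{port} ({reason})")
```

Run against real data, the same check can be fed from the IpPermissions and IpPermissionsEgress lists of describe-security-groups output, with the intended flows taken from the application definition rather than hard-coded.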


Conclusion

Congratulations on completing Module 4!

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET


Introduction

vRealize Network Insight ensures that we have full visibility from both an overlay and an underlay perspective, and in this module we focus on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query; it gathers advanced CLI and metadata information from NSX in real time.

This module contains the following lessons:

• Operational guidance for NSX Manager
• Advanced NSX Management & Operations Interactive Simulation

HOL-1829-01-NET

Page 85HOL-1829-01-NET

NSX Advanced Management Operations

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.


Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

Search Bar - NSX Manager

Using the search bar on the entry screen:


1. Type NSX Manager (this will list three NSX Managers).
2. Click Search.

NSX Manager Information

The result now shows the NSX Manager (1016128170), and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore the information only - do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to 1 day) make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this visual representation of the Topology is important. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, so each can be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the one whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: the Topology for the NSX environment will not show any load balancer device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now click the Chrome Back button once to return to the NSX Manager information screen.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource-intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup used for this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results, both Outbound rules, which further explains the firewall rule behaviour from crm-database to aws-log-server.
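The same reasoning the three queries above apply by hand, checked against the CRM design listed under AWS Configuration, can be run offline over a rule set. The Python script below is an added example (not part of this lab manual and not vRealize Network Insight code): it models AWS security-group evaluation in simplified form, encodes the lab's intended flows, and reports which flows a constructed rule set denies and which half of the rule pair is missing. VM names other than crm-web1, crm-database, aws-DNS-Server and aws-log-server, all addresses, security-group names and the rules themselves are assumptions made for the example.

```python
"""Policy gap check for the lab's CRM three-tier application (added example; not
part of the HOL-1829-01-NET manual and not vRNI's own code). Simplified AWS
security-group semantics: groups are allow-only and stateful, so a flow is allowed
only if an outbound rule on the source's group AND an inbound rule on the
destination's group both match it (network ACLs are ignored)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: vm -> (security group, private IP). VPC CRM is modelled as
# 10.10.0.0/16 and VPC Common Services as 10.20.0.0/16 (placeholder addressing).
VMS = {
    "jump-box":       ("sg-jump",    "10.10.0.10"),
    "crm-web1":       ("sg-web",     "10.10.1.11"),
    "crm-web2":       ("sg-web",     "10.10.1.12"),
    "crm-midtier1":   ("sg-midtier", "10.10.2.11"),
    "crm-midtier2":   ("sg-midtier", "10.10.2.12"),
    "crm-database":   ("sg-db",      "10.10.3.11"),
    "aws-DNS-Server": ("sg-dns",     "10.20.1.53"),
    "aws-log-server": ("sg-log",     "10.20.1.54"),
}
TIERS = ["crm-web1", "crm-web2", "crm-midtier1", "crm-midtier2", "crm-database"]

@dataclass(frozen=True)
class Rule:
    group: str       # security group the rule is attached to
    direction: str   # "inbound" or "outbound"
    port: int
    peer: str        # a CIDR, or the name of a referenced security group

# Constructed rule set reproducing the lab's misconfiguration: sg-log accepts
# syslog (514) from sg-web and sg-midtier, but the rule for sg-db was never added.
RULES = [
    Rule("sg-jump", "outbound", 80, "sg-web"),
    *[Rule("sg-jump", "outbound", 22, g) for g in ("sg-web", "sg-midtier", "sg-db")],
    *[Rule(g, "inbound", 22, "sg-jump") for g in ("sg-web", "sg-midtier", "sg-db")],
    Rule("sg-web", "inbound", 80, "10.10.0.0/16"),
    Rule("sg-web", "outbound", 8080, "sg-midtier"),
    Rule("sg-midtier", "inbound", 8080, "sg-web"),
    Rule("sg-midtier", "outbound", 3306, "sg-db"),
    Rule("sg-db", "inbound", 3306, "sg-midtier"),
    *[Rule(g, "outbound", p, "10.20.0.0/16")
      for g in ("sg-web", "sg-midtier", "sg-db") for p in (53, 514)],
    Rule("sg-dns", "inbound", 53, "10.10.0.0/16"),
    Rule("sg-log", "inbound", 514, "sg-web"),
    Rule("sg-log", "inbound", 514, "sg-midtier"),
]

def intended_flows():
    """The CRM design as the lab states it, as (src, dst, port) triples."""
    flows = [("jump-box", "crm-web1", 80), ("jump-box", "crm-web2", 80),
             ("crm-web1", "crm-midtier1", 8080), ("crm-web2", "crm-midtier2", 8080),
             ("crm-midtier1", "crm-database", 3306), ("crm-midtier2", "crm-database", 3306)]
    flows += [("jump-box", vm, 22) for vm in TIERS]         # SSH from the jump box
    flows += [(vm, "aws-DNS-Server", 53) for vm in TIERS]   # DNS in Common Services
    flows += [(vm, "aws-log-server", 514) for vm in TIERS]  # syslog in Common Services
    return flows

def peer_matches(peer, vm):
    """A CIDR peer matches by address; a group peer matches by group membership."""
    group, ip = VMS[vm]
    if "/" in peer:
        return ip_address(ip) in ip_network(peer)
    return peer == group

def rules_between(src, dst):
    """Rules the lab's 'aws firewall rule where src vm = X and dst vm = Y' search lists."""
    src_group, dst_group = VMS[src][0], VMS[dst][0]
    return [r for r in RULES
            if (r.direction == "outbound" and r.group == src_group and peer_matches(r.peer, dst))
            or (r.direction == "inbound" and r.group == dst_group and peer_matches(r.peer, src))]

def firewall_action(src, dst, port):
    """ALLOW only when both halves of the rule pair exist for this port."""
    applicable = [r for r in rules_between(src, dst) if r.port == port]
    out_ok = any(r.direction == "outbound" for r in applicable)
    in_ok = any(r.direction == "inbound" for r in applicable)
    return "ALLOW" if out_ok and in_ok else "DENY"

def actions_to(dst):
    """Like the lab's 'firewall action of flows where dst vm = ...' query."""
    return {(s, d, p): firewall_action(s, d, p) for s, d, p in intended_flows() if d == dst}

def policy_gaps():
    """Intended flows the rule set denies, naming the half of the pair that is missing."""
    gaps = []
    for src, dst, port in intended_flows():
        applicable = [r for r in rules_between(src, dst) if r.port == port]
        if not any(r.direction == "outbound" for r in applicable):
            gaps.append((src, dst, port, "outbound on " + VMS[src][0]))
        elif not any(r.direction == "inbound" for r in applicable):
            gaps.append((src, dst, port, "inbound on " + VMS[dst][0]))
    return gaps

if __name__ == "__main__":
    print(actions_to("aws-log-server"))   # 4 ALLOW, 1 DENY, as in the lab's first query
    print("gaps:", policy_gaps())          # the missing inbound 514 rule on sg-log
```

With this rule set the three lab queries reproduce: five flows to aws-log-server with four allowed and one denied, three rules (one inbound, two outbound) between crm-web1 and aws-log-server, and only two outbound rules between crm-database and aws-log-server.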


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



NSX Advanced ManagementOperationsLab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

HOL-1829-01-NET

Page 86HOL-1829-01-NET

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

Search Bar - NSX Manager

Using the search bar on the entry screen

HOL-1829-01-NET

Page 87HOL-1829-01-NET

1 Type NSX Manager (this will list three NSX Managers2 Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately seethat we have 50 problems associated with this endpoint

1 Click on the NSX Manager address to expose the layout and detailedinformation

HOL-1829-01-NET

Page 88HOL-1829-01-NET

Timeline - Visual Build-up

Explore information only - Do not click

• A - Starting with the Timeline, we can manipulate the results simply by dragging the slider, but by default the current-time results are displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX topology provides live links to each component in the construct so that it can be queried in real time. The topology layout displays all the related NSX services bound to the NSX Manager, including clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller whose name starts with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays "Ready" before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.

5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means the connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the Log Servers) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (the Database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
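The three firewall queries above reproduce by hand what a rule-evaluation check does mechanically: take the intended flows from the AWS Configuration section (Web to App on 8080, App to DB on 3306, every tier to DNS on 53 and to the Log Server on 514, jump-box SSH on 22) and test each one against the security group rules on both ends. The following Python is an added example, not the lab's or VMware's code; the instance names follow the lab (crm-web1, crm-database, aws-log-server), but the IP addressing, the CIDRs, the protocols (UDP assumed for DNS and syslog) and the rules themselves are constructed for illustration and are not the lab's real AWS configuration. As in AWS, security groups are allow-only with an implicit deny, so a flow with no matching rule is the DENY that vRNI reports.

```python
"""Check a three-tier design's intended flows against AWS-style security
group rules and report which intended flows have no permitting rule.

Added example (not the lab's or VMware's code).  Names follow the lab; the
addresses, CIDRs, protocols and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp" or "udp"
    port_from: int
    port_to: int
    peer: str       # CIDR of the remote side of the connection

    def permits(self, proto, port, peer_ip):
        return (self.proto == proto
                and self.port_from <= port <= self.port_to
                and ip_address(peer_ip) in ip_network(self.peer))


# name -> (private IP, rules).  Constructed addressing: CRM VPC is
# 10.0.0.0/16, Common Services VPC is 10.1.0.0/16.
ANY_CRM = "10.0.0.0/16"
SHARED = "10.1.0.0/16"
SECURITY_GROUPS = {
    "jump-box": ("10.0.1.5", [
        Rule("outbound", "tcp", 22, 22, ANY_CRM),
        Rule("outbound", "tcp", 80, 80, "10.0.1.0/24"),
    ]),
    "crm-web1": ("10.0.1.10", [
        Rule("inbound", "tcp", 80, 80, ANY_CRM),
        Rule("inbound", "tcp", 22, 22, "10.0.1.5/32"),
        Rule("outbound", "tcp", 8080, 8080, "10.0.2.0/24"),
        Rule("outbound", "udp", 53, 53, SHARED),
        Rule("outbound", "udp", 514, 514, SHARED),
    ]),
    "crm-app1": ("10.0.2.10", [
        Rule("inbound", "tcp", 8080, 8080, "10.0.1.0/24"),
        Rule("inbound", "tcp", 22, 22, "10.0.1.5/32"),
        Rule("outbound", "tcp", 3306, 3306, "10.0.3.0/24"),
        Rule("outbound", "udp", 53, 53, SHARED),
        Rule("outbound", "udp", 514, 514, SHARED),
    ]),
    "crm-database": ("10.0.3.10", [
        Rule("inbound", "tcp", 3306, 3306, "10.0.2.0/24"),
        Rule("inbound", "tcp", 22, 22, "10.0.1.5/32"),
        # Only DNS is allowed out: the syslog (514) rule was never added.
        Rule("outbound", "udp", 53, 53, SHARED),
        Rule("outbound", "tcp", 53, 53, SHARED),
    ]),
    "aws-dns-server": ("10.1.0.10", [
        Rule("inbound", "udp", 53, 53, ANY_CRM),
        Rule("inbound", "tcp", 53, 53, ANY_CRM),
    ]),
    "aws-log-server": ("10.1.0.20", [
        Rule("inbound", "udp", 514, 514, ANY_CRM),
    ]),
}

# Intended flows from the lab's design description (protocols assumed).
TIERS = ["crm-web1", "crm-app1", "crm-database"]
EXPECTED_FLOWS = (
    [("jump-box", "crm-web1", "tcp", 80),
     ("crm-web1", "crm-app1", "tcp", 8080),
     ("crm-app1", "crm-database", "tcp", 3306)]
    + [("jump-box", t, "tcp", 22) for t in TIERS]
    + [(t, "aws-dns-server", "udp", 53) for t in TIERS]
    + [(t, "aws-log-server", "udp", 514) for t in TIERS]
)


def evaluate_flow(src, dst, proto, port):
    """Return ("ALLOW" | "DENY", reason).  A flow is permitted only when the
    source group has an outbound rule reaching the destination *and* the
    destination group has an inbound rule admitting the source."""
    src_ip, src_rules = SECURITY_GROUPS[src]
    dst_ip, dst_rules = SECURITY_GROUPS[dst]
    out_ok = any(r.direction == "outbound" and r.permits(proto, port, dst_ip)
                 for r in src_rules)
    in_ok = any(r.direction == "inbound" and r.permits(proto, port, src_ip)
                for r in dst_rules)
    if out_ok and in_ok:
        return "ALLOW", "outbound and inbound rules match"
    missing = []
    if not out_ok:
        missing.append(f"no outbound {proto}/{port} rule on {src}")
    if not in_ok:
        missing.append(f"no inbound {proto}/{port} rule on {dst}")
    return "DENY", "; ".join(missing)


def find_missing_rules(flows=EXPECTED_FLOWS):
    """Intended flows that the current rules would deny, with the reason."""
    return [(f, evaluate_flow(*f)[1]) for f in flows
            if evaluate_flow(*f)[0] == "DENY"]


if __name__ == "__main__":
    for flow, why in find_missing_rules():
        print(f"DENY {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {why}")
```

Run stand-alone, the only intended flow reported is crm-database to aws-log-server on udp/514, with the reason that the database's group has no outbound rule for it; the log server's inbound side is fine, which is why the lab's second query (crm-web1) validates and the third (crm-database) shows only outbound rules that do not cover 514. Checking both directions separately is what turns "there is a DENY" into "which side's rule is missing", and the same loop over expected flows is a cheap regression check after a rule change.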


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1. Type NSX Manager (this will list three NSX Managers)
2. Click Search

NSX Manager Information

The result now shows the NSX Manager (1016128170) and we can immediately see that we have 50 problems associated with this endpoint.

1. Click on the NSX Manager address to expose the layout and detailed information.


Timeline - Visual Build-up

Explore information only - Do not click

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current-time results are displayed on entry. The slider and the drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX Managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX Managers and multiple NSX Controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.


Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX Controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX Controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).


NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX Controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the Edge VMs icon to see detailed information about the edge services.


Provider Edge

With a complete view of the provider edge services and their associations rendered, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out the detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.


Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the Company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3. App (the App tier talks to the DB tier on port 3306)
4. DB (the DB tier talks to the Log Servers) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306
2. Click X to continue


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306
2. Click X to continue


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22
2. Click X to continue


1. Hover over the App Micro-segment
2. Click on Keep Focus
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively
2. Click X to continue


1. Hover over the DB Micro-segment
2. Click on Keep Focus
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click
2. Select Duplicate from the menu

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search
3. Click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right click
2. Select Duplicate from the menu


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click
2. Select Duplicate from the menu

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
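The intended posture from the AWS Configuration list and the finding of the three firewall queries (crm-database has no rule admitting it to aws-log-server on port 514) can be turned into a repeatable policy check. The following is an added example, not code from the lab manual or from vRealize Network Insight: it encodes the intended flows, evaluates them against a constructed set of security group rules (the group IDs, addresses and CIDRs are assumptions, since the lab gives only VM names), reports the one intended flow with no admitting rule, and shows the remediated rule set passing.

```python
"""Check the CRM application's intended flows against AWS-style security
group rules. Added example, not code from the lab or vRealize Network Insight.
The flows follow the AWS Configuration points; instances, group IDs, CIDRs
and rules are a constructed snapshot shaped like the IpPermissions element of
EC2 DescribeSecurityGroups, with the shared-services group deliberately
missing an inbound port 514 entry for crm-database (the lab's finding)."""
import copy
import ipaddress

# Instance -> (security group, private address); constructed, the lab names
# the VMs only. The on-premises datacenter has no group, just a CIDR.
INSTANCES = {
    "jump-box":       ("sg-jump",   "172.16.1.5"),
    "crm-web1":       ("sg-web",    "172.16.1.10"),
    "crm-app":        ("sg-app",    "172.16.1.20"),
    "crm-database":   ("sg-db",     "172.16.1.30"),
    "aws-dns-server": ("sg-shared", "172.16.2.53"),
    "aws-log-server": ("sg-shared", "172.16.2.54"),
    "datacenter":     (None,        "10.0.0.0/8"),
}
TIERS = ("crm-web1", "crm-app", "crm-database")

# Intended flows (src, dst, protocol, port); UDP for DNS/syslog is assumed.
EXPECTED_FLOWS = (
    [("jump-box", "crm-web1", "tcp", 80), ("datacenter", "crm-web1", "tcp", 80),
     ("crm-web1", "crm-app", "tcp", 8080), ("crm-app", "crm-database", "tcp", 3306)]
    + [("jump-box", vm, "tcp", 22) for vm in TIERS]
    + [(vm, "aws-dns-server", "udp", 53) for vm in TIERS]
    + [(vm, "aws-log-server", "udp", 514) for vm in TIERS]
)

def rule(proto, port, *peers):
    """One IpPermissions-style entry; peers are group IDs or CIDR strings."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": p} for p in peers if p.startswith("sg-")],
            "IpRanges": [{"CidrIp": p} for p in peers if not p.startswith("sg-")]}

# AWS encodes "all protocols/ports" as IpProtocol -1 (no port fields).
ANY = {"IpProtocol": "-1", "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

SECURITY_GROUPS = {
    "sg-jump": {"inbound": [], "outbound": [ANY]},
    "sg-web": {"inbound": [rule("tcp", 80, "sg-jump", "10.0.0.0/8"), rule("tcp", 22, "sg-jump")],
               "outbound": [ANY]},
    "sg-app": {"inbound": [rule("tcp", 8080, "sg-web"), rule("tcp", 22, "sg-jump")],
               "outbound": [ANY]},
    "sg-db": {"inbound": [rule("tcp", 3306, "sg-app"), rule("tcp", 22, "sg-jump")],
              "outbound": [rule("udp", 53, "sg-shared"), rule("udp", 514, "sg-shared")]},
    # The forgotten rule: sg-db is absent from the port 514 inbound entry.
    "sg-shared": {"inbound": [rule("udp", 53, "sg-web", "sg-app", "sg-db"),
                              rule("udp", 514, "sg-web", "sg-app")],
                  "outbound": [ANY]},
}

def _covers(r, peer):
    """Does the rule's peer set (group pairs or IP ranges) include peer?"""
    sg, addr = INSTANCES[peer]
    if sg and any(p["GroupId"] == sg for p in r["UserIdGroupPairs"]):
        return True
    net = ipaddress.ip_network(addr)
    return any(net.subnet_of(ipaddress.ip_network(x["CidrIp"])) for x in r["IpRanges"])

def _allows(rules, peer, proto, port):
    """True if any rule admits proto/port with peer as the other endpoint."""
    return any(_covers(r, peer) and (r["IpProtocol"] == "-1" or (
        r["IpProtocol"] == proto and r["FromPort"] <= port <= r["ToPort"]))
        for r in rules)

def evaluate(groups=SECURITY_GROUPS, expected=EXPECTED_FLOWS):
    """Map each intended flow to 'allow' or 'deny: ...'. A flow is admitted only
    when the source group permits it outbound (skipped for a non-AWS source)
    and the destination group permits it inbound, as with stateful groups."""
    verdicts = {}
    for src, dst, proto, port in expected:
        src_sg, dst_sg = INSTANCES[src][0], INSTANCES[dst][0]
        missing = []
        if src_sg and not _allows(groups[src_sg]["outbound"], dst, proto, port):
            missing.append(f"outbound rule on {src_sg}")
        if not _allows(groups[dst_sg]["inbound"], src, proto, port):
            missing.append(f"inbound rule on {dst_sg}")
        verdicts[(src, dst, proto, port)] = (
            "allow" if not missing else "deny: no " + ", no ".join(missing))
    return verdicts

def denied(groups=SECURITY_GROUPS, expected=EXPECTED_FLOWS):
    """Intended flows the current rules do not admit (here: DB -> syslog)."""
    return sorted(k for k, v in evaluate(groups, expected).items() if v != "allow")

def remediated(groups=SECURITY_GROUPS):
    """Constructed fix for the finding: admit crm-database's group on port 514."""
    fixed = copy.deepcopy(groups)
    fixed["sg-shared"]["inbound"].append(rule("udp", 514, "sg-db"))
    return fixed
```

Running `denied()` on the constructed snapshot returns only `("crm-database", "aws-log-server", "udp", 514)`, matching the single Deny the lab's flow query shows, and `denied(remediated())` returns an empty list.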


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226



Timeline - Visual Build-up

Explore information only - Do not click.

• A - Starting with the Timeline, we can manipulate the results by simply dragging the slider, but by default the current time results will be displayed on entry. The slider and drop-down (next to "1 day") make it easy to filter on demand.

• B - The Properties give a clear understanding of the NSX Manager's current configuration (vRealize Network Insight accommodates multiple NSX managers).

• C - Looking at the NSX Checklist Rules - ALL, we can scroll up and down to view each point in the checklist that is used to monitor/validate against the NSX Manager.

• D - Because vRealize Network Insight supports multiple NSX managers and multiple NSX controllers, this is an important visual understanding of the Topology. Each object can be queried individually within the same screen.

• E - NSX Problems will be key to understanding the issues for NSX.

Topology - Focus on the NSX Controller

The logical view of the NSX Topology provides live links to each component in the construct, to be queried in real time. The Topology layout displays all the related NSX services bound to the NSX Manager, including Clusters and hosts. The red triangle on all three NSX controllers indicates possible issues that may impact the NSX environment, either as a starting point or as a result thereof. We can now query each object for detailed information.

1. Click on the NSX controller (look at each controller until you find the controller starting with NSX_Controller_5b6c6c8d-4d71, as they do change order).

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen will help identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a quick glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating that we have a control plane sync issue. The issue can be investigated further by expanding (clicking on the red triangle) to view detailed information. We will not be investigating this problem further in this exercise.

1. Click the close sign (x) to continue.

Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all the edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider-Edge 4. This will highlight a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, APP and DB.
4. Internal users of the Company can access the Web Tier of the CRM on 80 internally via the Jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for the internal datacenter's VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have ssh access on port 22.
9. All tiers of VPC CRM talk to the DNS server on 53 and the Log Server on 514 on VPC Common Services.
10. This means the connection from DB to Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. On the vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web Tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53, aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. On the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. On the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. On the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
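The check the lab performs by hand, comparing the intended tier-to-tier connectivity of the CRM application against the flows actually observed and then asking the firewall why the missing flow is denied, can be expressed as a small script. The following is an added example in Python; it is not code from the lab or from vRealize Network Insight. The expected policy is taken from the AWS Configuration steps above, while the tier membership, flow records and security-group rules are constructed sample data (the VM names crm-app1, jump-box and aws-dns-server are assumptions, and the rule set models AWS security-group semantics: allow-only rules, with both an outbound rule on the source and an inbound rule on the destination required).

```python
"""Compare observed AWS flows with the CRM application's intended connectivity
and explain why a given flow is denied.

Added example, not code from the lab or from vRealize Network Insight. The
intended tier-to-tier policy follows the lab's AWS Configuration steps; the tier
membership, flow records and security-group rules are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]       # (src vm, dst vm, dst port)
TierFlow = Tuple[str, str, int]   # (src tier, dst tier, dst port)

# Which VM belongs to which micro-segment (constructed; crm-app1, jump-box and
# aws-dns-server are assumed names).
TIER_OF: Dict[str, str] = {
    "jump-box": "Jump",
    "crm-web1": "Web",
    "crm-app1": "App",
    "crm-database": "DB",
    "aws-dns-server": "Shared",
    "aws-log-server": "Shared",
}

# Intended connectivity as described in the lab's AWS Configuration.
EXPECTED_POLICY: Set[TierFlow] = {
    ("Jump", "Web", 80),                                            # users reach Web on 80 via the jump-box
    ("Web", "App", 8080),                                           # Web tier -> App tier
    ("App", "DB", 3306),                                            # App tier -> DB tier
    ("Jump", "Web", 22), ("Jump", "App", 22), ("Jump", "DB", 22),   # ssh from the jump-box
}
for _tier in ("Web", "App", "DB"):   # every tier -> DNS (53) and syslog (514) in Common Services
    EXPECTED_POLICY.add((_tier, "Shared", 53))
    EXPECTED_POLICY.add((_tier, "Shared", 514))

# Constructed observed flows: crm-database reaches DNS but never port 514.
OBSERVED_FLOWS: List[Flow] = [
    ("jump-box", "crm-web1", 80),
    ("jump-box", "crm-web1", 22), ("jump-box", "crm-app1", 22), ("jump-box", "crm-database", 22),
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    ("crm-web1", "aws-dns-server", 53), ("crm-web1", "aws-log-server", 514),
    ("crm-app1", "aws-dns-server", 53), ("crm-app1", "aws-log-server", 514),
    ("crm-database", "aws-dns-server", 53),
]


def to_tier_flows(flows: List[Flow]) -> Set[TierFlow]:
    """Collapse VM-level flows to tier-level flows; VMs of unknown tier are dropped."""
    return {(TIER_OF[s], TIER_OF[d], p) for s, d, p in flows if s in TIER_OF and d in TIER_OF}


def missing_flows(flows: List[Flow]) -> Set[TierFlow]:
    """Intended tier-to-tier flows for which no traffic was observed."""
    return EXPECTED_POLICY - to_tier_flows(flows)


def unexpected_flows(flows: List[Flow]) -> Set[TierFlow]:
    """Observed tier-to-tier flows that the intended design does not cover."""
    return to_tier_flows(flows) - EXPECTED_POLICY


# Constructed security-group rules with AWS-style semantics: rules are allow-only,
# and a flow needs an outbound rule on the source AND an inbound rule on the
# destination. The inbound rule admitting crm-database on 514 is deliberately absent,
# mirroring the lab's finding that the AWS admin forgot to add it.
Rule = Tuple[str, str, str, int]   # (direction, vm the rule is attached to, peer vm, port)
SG_RULES: Set[Rule] = {
    ("outbound", "crm-web1", "aws-log-server", 514),
    ("inbound", "aws-log-server", "crm-web1", 514),
    ("outbound", "crm-app1", "aws-log-server", 514),
    ("inbound", "aws-log-server", "crm-app1", 514),
    ("outbound", "crm-database", "aws-log-server", 514),
}


def firewall_action(src: str, dst: str, port: int) -> str:
    """Return 'ALLOW', or 'DENY' naming the rule(s) that would have to exist."""
    gaps = []
    if ("outbound", src, dst, port) not in SG_RULES:
        gaps.append(f"outbound rule on {src}")
    if ("inbound", dst, src, port) not in SG_RULES:
        gaps.append(f"inbound rule on {dst}")
    return "ALLOW" if not gaps else "DENY: missing " + " and ".join(gaps)


def firewall_actions(flows: List[Flow], dst: str) -> Dict[Flow, str]:
    """Like the lab's 'firewall action of flows where dst vm = <dst>' search."""
    return {f: firewall_action(*f) for f in flows if f[1] == dst}


if __name__ == "__main__":
    print("missing:", missing_flows(OBSERVED_FLOWS))
    print("unexpected:", unexpected_flows(OBSERVED_FLOWS))
    # Include the DB tier's attempted syslog connection so the denied flow shows up too.
    attempted = OBSERVED_FLOWS + [("crm-database", "aws-log-server", 514)]
    for flow, action in firewall_actions(attempted, "aws-log-server").items():
        print(flow, "->", action)
```

Running the script reports the single missing tier flow, DB to Shared on 514, and an empty set of unexpected flows; the firewall query then shows crm-web1 and crm-app1 allowed to aws-log-server on 514 while crm-database is denied for lack of an inbound rule on the log server. Keeping the intended policy as data rather than in someone's head is what makes this comparison repeatable: the same `missing_flows` check run after each change would catch the forgotten rule before it silently stops backups from being logged.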


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

NSX Controller - Detail

A - The controller query displays detailed information about controller-1 and its relevant configuration. This screen helps identify the Status, Version, Upgrade Availability and many other critical identifiers of the NSX Controller at a glance, including any issues.

B - The immediate issue on this NSX controller is also pointed out with a red triangle, indicating a control plane sync issue. The issue can be investigated further by expanding it (clicking on the red triangle) to view detailed information. We will not investigate this problem further in this exercise.

1. Click the close sign (x) to continue.


Topology - Explained

Note: The Topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.


Provider Edge

Rendering a complete view of the provider edge services and their associations, we can investigate all edge-related activities.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider Edge 4. This highlights a critical condition due to a possible network disruption of this edge device, as it is no longer in a serving state.


Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Now click the Chrome Back button once to return to the NSX Manager information screen.


Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lesson:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM application, which comprises 3 tiers: Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open to the internal datacenter's VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means a connection from the DB to the log server (used for backup services) must exist, as configured by the administrator. This is in fact the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were discussed in Module 1 (Define an Application).


1. In vRealize Network Insight, click Plan Security.
2. In the Plan Security dialogue box, under Entity, select Application.
3. Select CRM.
4. Click Analyze.

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (App tier talks to DB tier on port 3306).
4. DB (DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the yellow line to explore the flows. This reveals the flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This reveals the flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the yellow line to explore the flows. This reveals the flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This reveals the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual (the Common Services VPC) on ports 53 (DNS) and 514 (syslog).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This reveals the flows from DB to Shared Virtual.

1. By design the DB tier should be pushing logs to aws-log-server on port 514 (syslog), but the flow view reveals only one service: port 53 to aws-DNS-Server. There is effectively no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator runs three firewall queries to establish why DB to Shared Virtual has no flow(s) on port 514 (syslog).

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This returns 5 results, i.e. 4 Allow (for the web and mid tiers) and 1 Deny (for the DB).
2. Click Search.
3. Click the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This returns 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This returns 2 results, both Outbound rules, which further explains the firewall rule behaviour from crm-database to aws-log-server. Compared with the crm-web1 query, no inbound rule on the log server side matches the database. AWS security groups are default-deny, and a flow passes only if both the source's outbound rules and the destination's inbound rules permit it, so the database's outbound rules alone cannot let the syslog traffic through.
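The check the lab performs by hand in the AWS Configuration and Firewall Queries sections, written as a script: it takes the intended communication matrix from the AWS Configuration section, evaluates each intended flow against a constructed set of AWS-style security-group rules using the stateful, default-deny semantics described above, and reports every flow the rules deny together with the rule that would fix it. This is an added example, not code from the lab or from vRealize Network Insight. The security-group names, the rules themselves, the VM names other than crm-web1, crm-database and aws-log-server, the use of UDP for syslog, and the placement of the administrator's omission on the log server's inbound side (consistent with the query results above, which show outbound rules but no inbound rule for the database) are all assumptions, so rule counts differ from the lab's.

```python
"""Check the CRM application's intended flows against AWS-style security-group rules."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp" or "udp"
    port: int
    peer_sg: str    # group referenced as the source (inbound) or destination (outbound)

# Constructed rule set, one security group per tier. AWS security groups are
# default-deny and stateful: a flow passes only if the source group has a matching
# outbound rule AND the destination group has a matching inbound rule.
SECURITY_GROUPS: Dict[str, List[Rule]] = {
    "sg-jumpbox": [Rule("outbound", "tcp", 80, "sg-web")]
    + [Rule("outbound", "tcp", 22, sg) for sg in ("sg-web", "sg-app", "sg-db")],
    "sg-web": [Rule("inbound", "tcp", 80, "sg-jumpbox"), Rule("inbound", "tcp", 22, "sg-jumpbox"),
               Rule("outbound", "tcp", 8080, "sg-app"), Rule("outbound", "udp", 53, "sg-dns"),
               Rule("outbound", "udp", 514, "sg-syslog")],
    "sg-app": [Rule("inbound", "tcp", 8080, "sg-web"), Rule("inbound", "tcp", 22, "sg-jumpbox"),
               Rule("outbound", "tcp", 3306, "sg-db"), Rule("outbound", "udp", 53, "sg-dns"),
               Rule("outbound", "udp", 514, "sg-syslog")],
    "sg-db": [Rule("inbound", "tcp", 3306, "sg-app"), Rule("inbound", "tcp", 22, "sg-jumpbox"),
              Rule("outbound", "udp", 53, "sg-dns"), Rule("outbound", "udp", 514, "sg-syslog")],
    "sg-dns": [Rule("inbound", "udp", 53, sg) for sg in ("sg-web", "sg-app", "sg-db")],
    # The administrator's omission (assumed here to be on the inbound side): no sg-db entry.
    "sg-syslog": [Rule("inbound", "udp", 514, sg) for sg in ("sg-web", "sg-app")],
}

# VM-to-group mapping; only crm-web1, crm-database and aws-log-server are named in the lab.
VM_SG: Dict[str, str] = {
    "jumpbox": "sg-jumpbox",
    "crm-web1": "sg-web",
    "crm-app1": "sg-app",
    "crm-database": "sg-db",
    "aws-dns-server": "sg-dns",
    "aws-log-server": "sg-syslog",
}

Flow = Tuple[str, str, str, int]  # (src vm, dst vm, proto, port)

# Intended communication matrix from the lab's AWS Configuration section
# (syslog over UDP is an assumption; the lab only says "port 514").
INTENDED_FLOWS: List[Flow] = [
    ("jumpbox", "crm-web1", "tcp", 80),
    ("jumpbox", "crm-web1", "tcp", 22),
    ("jumpbox", "crm-app1", "tcp", 22),
    ("jumpbox", "crm-database", "tcp", 22),
    ("crm-web1", "crm-app1", "tcp", 8080),
    ("crm-app1", "crm-database", "tcp", 3306),
] + [
    (vm, server, "udp", port)
    for vm in ("crm-web1", "crm-app1", "crm-database")
    for server, port in (("aws-dns-server", 53), ("aws-log-server", 514))
]

def _permits(rules: List[Rule], direction: str, proto: str, port: int, peer_sg: str) -> bool:
    return Rule(direction, proto, port, peer_sg) in rules

def firewall_action(src_vm: str, dst_vm: str, proto: str, port: int) -> str:
    """ALLOW only when the source's egress and the destination's ingress both permit the flow."""
    src_sg, dst_sg = VM_SG[src_vm], VM_SG[dst_vm]
    egress = _permits(SECURITY_GROUPS[src_sg], "outbound", proto, port, dst_sg)
    ingress = _permits(SECURITY_GROUPS[dst_sg], "inbound", proto, port, src_sg)
    return "ALLOW" if egress and ingress else "DENY"

def flows_to(dst_vm: str) -> Dict[Flow, str]:
    """Counterpart of the lab search 'firewall action of flows where dst vm = <dst_vm>'."""
    return {f: firewall_action(*f) for f in INTENDED_FLOWS if f[1] == dst_vm}

def rules_between(src_vm: str, dst_vm: str) -> Tuple[List[Rule], List[Rule]]:
    """Counterpart of 'aws firewall rule where src vm = X and dst vm = Y': (outbound, inbound)."""
    src_sg, dst_sg = VM_SG[src_vm], VM_SG[dst_vm]
    outbound = [r for r in SECURITY_GROUPS[src_sg] if r.direction == "outbound" and r.peer_sg == dst_sg]
    inbound = [r for r in SECURITY_GROUPS[dst_sg] if r.direction == "inbound" and r.peer_sg == src_sg]
    return outbound, inbound

def missing_rules() -> List[Tuple[Flow, str]]:
    """Each intended flow the rule set denies, paired with the rule that would fix it."""
    gaps: List[Tuple[Flow, str]] = []
    for flow in INTENDED_FLOWS:
        src_vm, dst_vm, proto, port = flow
        src_sg, dst_sg = VM_SG[src_vm], VM_SG[dst_vm]
        if not _permits(SECURITY_GROUPS[src_sg], "outbound", proto, port, dst_sg):
            gaps.append((flow, f"{src_sg}: add outbound {proto}/{port} to {dst_sg}"))
        if not _permits(SECURITY_GROUPS[dst_sg], "inbound", proto, port, src_sg):
            gaps.append((flow, f"{dst_sg}: add inbound {proto}/{port} from {src_sg}"))
    return gaps

if __name__ == "__main__":
    for flow, action in flows_to("aws-log-server").items():
        print(f"{flow[0]:>13} -> {flow[1]} {flow[2]}/{flow[3]}: {action}")
    for _, fix in missing_rules():
        print("missing:", fix)
```

Run it directly to print the verdict for every intended flow to aws-log-server and the single rule that missing_rules() asks for. Because both sides are evaluated, adding another outbound rule on sg-db would not help; the fix has to land on sg-syslog's inbound list, which is the same conclusion the three vRNI queries lead to.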

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Topology - Explained

Note: The topology for the NSX environment will not show any load balancing device status information in this release.

1. Click the edge VMs icon to see detailed information about the edge services.

Provider Edge

Rendering a complete view of the provider edge services and their associations lets us investigate all edge-related activity.

1. Click the blue link Provider Edge 4. The problem icon can be used to obtain further information about Provider Edge 4. It highlights a critical condition: a possible network disruption, because this edge device is no longer in a serving state.

Routers Provider Edge 4

This section lays out a detailed root cause analysis for Routers Provider Edge 4.

Return to Search View - NSX Manager

1. Click the Chrome Back button once to return to the NSX Manager information screen.

Infrastructure Problems - Warning/Moderate

• Scroll down to the Infrastructure Problems section.

1. Click Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".

Warning/Moderate Issues (Continued)

When you expand the entry you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows recommendations on how to resolve the issue, which makes troubleshooting and root cause analysis much easier. Do not simply dismiss this class of warning: a host whose logical networking is out of sync with the controller can be forwarding on stale logical switching or routing state, so verify that the recommended fix was actually applied.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This allows you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you were interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click the END button; otherwise click a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is still important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the right hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified for use with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).

vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM contains the CRM application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to the internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the log server on port 514 in VPC Common Services.
10. This means the connection from the DB tier to the log server (used for backup services) must exist as configured by the administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM application in the AWS VPC has already been created for you.

Application creation steps were covered in Module 1 (Application-Centric Micro-Segmentation, Define an Application).

1. In vRealize Network Insight, click Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM application on port 80 internally).
3. App (the App tier talks to the DB tier on port 3306).
4. DB (the DB tier talks to the log servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the log server on port 514 in the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand its security and communication posture.

1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the yellow line to explore the flows. This will reveal the flows from Web to App.

1. The Web tier talks to the App tier on port 8080.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This will reveal the flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.

1. DC Virtual (the jump-box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 (DNS) and 514 (syslog).
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click Keep Focus.
3. Click the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server on port 514 (syslog), but the flow view reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service). Bear in mind that an absent flow only shows that no permitted traffic was observed; on its own it does not say whether a rule blocked the traffic or the client never tried, which is why the next section checks the firewall rules.

2. Click X to continue.

Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator executes three firewall queries to establish why DB to Shared Virtual has no flow(s) for port 514 (syslog).

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click the DENY checkbox so we can focus on the deny rule.

We can see a DENY that is preventing crm-database from communicating with aws-log-server on port 514, which indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 inbound and 2 outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results, both outbound rules, which explains the firewall rule behaviour from crm-database to aws-log-server: compared with the crm-web1 result, the inbound rule on the aws-log-server side that would admit traffic from crm-database is missing. AWS security groups are stateful, so a flow needs an outbound rule on the source's group and an inbound rule on the destination's group; the outbound side is already in place, and the fix is to add an inbound rule for port 514 from crm-database to the log server's security group.
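The three queries above are the manual form of a two-sided check that can be scripted. The following is an added example written for this page, not code from the lab or from vRealize Network Insight: it encodes the CRM design described in this module as AWS-style security groups and evaluates each intended flow the way a stateful security group does, so it reproduces the first query's four Allow and one Deny and names the rule that is missing. The instance names crm-web1, crm-database and aws-log-server come from the lab; the second web and app instances, the security group names (crm-web, crm-app, crm-db, common-dns, common-log), UDP for DNS and the exact rule set are assumptions.

```python
"""Stateful security-group check for the CRM lab topology (added example).

An AWS security group is stateful: a new flow is admitted only if the SOURCE
instance's group allows it outbound AND the DESTINATION instance's group
allows it inbound; reply packets need no rule. The instances, group names and
rules below are constructed to follow this module's description of the CRM
design; they are assumptions, not data exported from the lab's AWS account.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp" or "udp"
    port: int
    peer: str       # security group on the other end of the flow

# Constructed inventory: instance name -> security group.
INSTANCE_SG: Dict[str, str] = {
    "crm-web1": "crm-web", "crm-web2": "crm-web",
    "crm-app1": "crm-app", "crm-app2": "crm-app",
    "crm-database": "crm-db",
    "aws-dns-server": "common-dns",   # VPC Common Services
    "aws-log-server": "common-log",   # VPC Common Services
}

def _rules(direction: str, proto: str, port: int, *peers: str) -> List[Rule]:
    return [Rule(direction, proto, port, p) for p in peers]

SECURITY_GROUPS: Dict[str, List[Rule]] = {
    "crm-web": _rules("outbound", "tcp", 8080, "crm-app")
             + _rules("outbound", "udp", 53, "common-dns")
             + _rules("outbound", "tcp", 514, "common-log"),
    "crm-app": _rules("inbound", "tcp", 8080, "crm-web")
             + _rules("outbound", "tcp", 3306, "crm-db")
             + _rules("outbound", "udp", 53, "common-dns")
             + _rules("outbound", "tcp", 514, "common-log"),
    "crm-db": _rules("inbound", "tcp", 3306, "crm-app")
            + _rules("outbound", "udp", 53, "common-dns")
            + _rules("outbound", "tcp", 514, "common-log"),
    "common-dns": _rules("inbound", "udp", 53, "crm-web", "crm-app", "crm-db"),
    # The lab's defect: syslog is admitted from the web and app tiers only;
    # nobody added the inbound rule for the database tier.
    "common-log": _rules("inbound", "tcp", 514, "crm-web", "crm-app"),
}

def _group_allows(sg: str, direction: str, proto: str, port: int, peer: str) -> bool:
    return any(r.direction == direction and r.proto == proto
               and r.port == port and r.peer == peer
               for r in SECURITY_GROUPS[sg])

def evaluate_flow(src: str, dst: str, proto: str, port: int) -> Tuple[str, List[str]]:
    """Return ("ALLOW" | "DENY", reasons); both groups must permit the flow."""
    s, d = INSTANCE_SG[src], INSTANCE_SG[dst]
    reasons = []
    if not _group_allows(s, "outbound", proto, port, d):
        reasons.append(f"{s} has no outbound {proto}/{port} rule towards {d}")
    if not _group_allows(d, "inbound", proto, port, s):
        reasons.append(f"{d} has no inbound {proto}/{port} rule from {s}")
    return ("DENY" if reasons else "ALLOW"), reasons

# Intended flows, as this module describes the design (constructed list).
INTENDED_FLOWS = [
    ("crm-web1", "crm-app1", "tcp", 8080),
    ("crm-app1", "crm-database", "tcp", 3306),
    ("crm-database", "aws-dns-server", "udp", 53),
    ("crm-web1", "aws-log-server", "tcp", 514),
    ("crm-web2", "aws-log-server", "tcp", 514),
    ("crm-app1", "aws-log-server", "tcp", 514),
    ("crm-app2", "aws-log-server", "tcp", 514),
    ("crm-database", "aws-log-server", "tcp", 514),
]

def firewall_action_of_flows(dst: str) -> List[Tuple[str, str]]:
    """Offline counterpart of 'firewall action of flows where dst vm = <dst>'."""
    return [(s, evaluate_flow(s, d, p, port)[0])
            for s, d, p, port in INTENDED_FLOWS if d == dst]

def audit_design() -> List[str]:
    """Every intended flow the groups would deny, with the rule that is missing."""
    findings = []
    for s, d, p, port in INTENDED_FLOWS:
        action, reasons = evaluate_flow(s, d, p, port)
        if action == "DENY":
            findings.append(f"{s} -> {d} {p}/{port}: " + "; ".join(reasons))
    return findings

if __name__ == "__main__":
    for src, action in firewall_action_of_flows("aws-log-server"):
        print(f"{src:13} -> aws-log-server tcp/514  {action}")
    for finding in audit_design():
        print("FIX:", finding)
```

Run as a script it lists four ALLOW rows and one DENY for crm-database, and the audit reports the one missing rule: an inbound tcp/514 rule on common-log for crm-db. The example checks the rule side only; like the lab's second and third queries it cannot tell whether a flow is absent because a client never tried, which is why the page pairs the flow view with the rule queries. A database tier that cannot reach its syslog and backup destination is also a monitoring gap that should raise an alert rather than be found during a manual audit.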

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click the END button; otherwise click a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Provider Edge

Rendering a complete view of the provider edge services and the associations we caninvestigate all the edge related activities

1 Click the blue link Provider Edge 4 The problem Icon can be used to furtherobtain information about the Provider-Edge 4 This will highlight a criticalcondition due to a possible network disruption of this edge device as it is nolonger in a serving state

HOL-1829-01-NET

Page 93HOL-1829-01-NET

Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1 Now use the Chrome Back button click once to return the the NSX Managerinformation screen step

HOL-1829-01-NET

Page 94HOL-1829-01-NET

Infrastructure Problems - Warning Moderate

bull Scroll down to Infrastructure Problems Section

1 Click and select the WarningModerate to view problem areas

WarningModerate Issues

1 Use the blue icon + to expand the detailed view of the Logical networking out ofsync between host and NSX Controller

HOL-1829-01-NET

Page 95HOL-1829-01-NET

WarningModerate Issues (Continued)

When you expand the details you can analyse full detail of warning

In this view vRealize Network Insight is also showing you recommendations on how youwould resolve this issue which makes troubleshooting and root cause analysis veryeasy

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 96HOL-1829-01-NET

Hands-on Labs Interactive SimulationAdvanced NSX Management ampOperationsThis part of the lab is presented as a Hands-on Labs Interactive Simulation This willallow you to experience steps which are too time-consuming or resource intensive to dolive in the lab environment In this simulation you can use the software interface as ifyou are interacting with a live environment

1 Click here to open the interactive simulation It will open in a new browserwindow or tab

2 When finished click the ldquoReturn to the labrdquo link to continue with this lab

HOL-1829-01-NET

Page 97HOL-1829-01-NET

ConclusionCongratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability of advancedmanagement operations vRealize Network Insight provides an in-depth analysis of thevirtual as well as the physical components associated with NSX (underlay and overlay)

For More Information

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

HOL-1829-01-NET

Page 98HOL-1829-01-NET

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 99HOL-1829-01-NET

Module 4 - ManageSecurity for Public Clouds

(AWS) (30 Minutes)

HOL-1829-01-NET

Page 100HOL-1829-01-NET

IntroductionEnterprise IT needs visibility into the network and security status of their workloadswhether hosted on premises or within AWS While many AWS workloads are sandboxesfor application development teams (DevOps) it is important to analyze these workloadsIncreasingly public cloud workloads are also fulfilling mission critical production needsfor many organizations Enterprise IT must be ready to determine the best locationsecurity posture and bandwidth allocation when deploying workloads Having trafficpattern details as well as security analysis and recommendations readily availablehelps organizations make the ideal hosting decisions to meet their business needs

vRealize Network Insight (vRNI) Supports Amazon Web Services (AWS) PublicCloud The vRNI traffic monitoring features provide visibility into native AWS constructssuch as Virtual Private Clouds VMs Security Groups firewall rules and tags vRNI alsoanalyzes AWS traffic flows to provide security and micro-segmentation views of cloudworkloads This means youll be able to plan micro-segmentation and understand trafficpatterns using data collected from your AWS instances

This Module contains the following lessons

bull Introduction to Managing Security for Public Clouds (AWS)

HOL-1829-01-NET

Page 101HOL-1829-01-NET

Introduction to Managing Security forPublic Clouds (AWS)Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

HOL-1829-01-NET

Page 102HOL-1829-01-NET

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

AWS Configuration

Lets review the AWS VPC setup for the purpose of this lab

1 We have an on premise instance of vRealize Network Insight managing AWS2 There are two VPCs ie CRM and Common Services

HOL-1829-01-NET

Page 103HOL-1829-01-NET

3 VPC CRM consists of CRM Application which comprises of 3 tiers ie Web APP andDB

4 Internal users of Company can access Web Tier of the CRM on 80 internally viaJump-box

5 Web tier talks to App tier on port 80806 App tier talks to DB tier on port 33067 Web tier is open for internal datacenters VM on 80 port8 From Jump-box in VPC CRM all virtual machines have ssh access on port 229 All tiers of VPCCRM talks to DNS server on 53 and LogServer on 514 on VPC

Common Services10 This means connection to DB to Log Server (used for backup services) must exist

as configured by the Administrator but this in fact is the problem area where ourfocus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs TheCRM Application in AWS VPC has already been created for you

Application creation steps have been discussed in Module 3

HOL-1829-01-NET

Page 104HOL-1829-01-NET

1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET


Routers Provider Edge 4

This section lays out detailed root cause analysis for Routers Provider Edge 4

Return to Search View - NSX Manager

1. Now use the Chrome Back button (click once) to return to the NSX Manager information screen step.

Infrastructure Problems - Warning Moderate

• Scroll down to the Infrastructure Problems section.

1. Click and select Warning/Moderate to view the problem areas.

Warning/Moderate Issues

1. Use the blue + icon to expand the detailed view of "Logical networking out of sync between host and NSX Controller".


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view vRealize Network Insight also shows you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.

2. When finished, click the "Return to the lab" link to continue with this lab.


Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability for advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR Code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via a jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to Log Server (used for backup services) must exist as configured by the administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that the micro-segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3. App (the App tier talks to the DB tier on port 3306)
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal the flows from DC Virtual to App.

1. DC Virtual (the jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal the flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have any flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when the previous tab was duplicated, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.
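The three firewall queries in this section do the analysis by hand: the flow query returns 1 Deny for the database VM, and the per-VM rule queries show crm-web1 with both inbound and outbound rules toward aws-log-server while crm-database has outbound rules only. The same check can be scripted against an exported rule and flow table. The Python below is an added example, not code from the lab manual or from vRealize Network Insight. It encodes the intended tier-to-tier policy from the AWS Configuration section (Web to App on 8080, App to DB on 3306, every tier to DNS on 53 and syslog on 514), builds a constructed rule set in which the database's inbound syslog rule is missing, and reports each intended communication that is effectively denied or never observed. The VM names crm-web1, crm-database, aws-log-server and aws-dns-server are the lab's; crm-app1 is a hypothetical name for the App tier VM, and the rule table is simplified to one outbound and one inbound rule per pair, so the rule counts differ from the lab's.

```python
"""Policy-versus-rule gap check for the lab's CRM application.

Added example; not code from the lab manual or from vRealize Network Insight.
The rule and flow tables below are constructed to mirror the situation the lab
describes.  crm-app1 is a hypothetical name for the App tier VM.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule: inbound rules belong to the destination VM's security
    group, outbound rules to the source VM's security group."""
    direction: str   # "inbound" or "outbound"
    src: str
    dst: str
    port: int


# Intended policy, taken from the lab's description of the CRM VPC:
# Web -> App 8080, App -> DB 3306, every tier -> DNS 53 and syslog 514.
TIERS = ["crm-web1", "crm-app1", "crm-database"]
INTENDED: List[Tuple[str, str, int]] = (
    [("crm-web1", "crm-app1", 8080), ("crm-app1", "crm-database", 3306)]
    + [(vm, "aws-dns-server", 53) for vm in TIERS]
    + [(vm, "aws-log-server", 514) for vm in TIERS]
)

# Constructed rule set: every intended pair is allowed on both sides, except
# that the inbound syslog rule for the database was never added on the log
# server's security group (the forgotten rule of the lab).
RULES: Set[Rule] = {
    Rule(direction, src, dst, port)
    for src, dst, port in INTENDED
    for direction in ("outbound", "inbound")
}
RULES.discard(Rule("inbound", "crm-database", "aws-log-server", 514))

# Constructed flow records (src, dst, port) as a flow collector would report
# them: every intended conversation is seen except database -> syslog.
FLOWS: Set[Tuple[str, str, int]] = {
    ("crm-web1", "crm-app1", 8080),
    ("crm-app1", "crm-database", 3306),
    ("crm-web1", "aws-dns-server", 53),
    ("crm-app1", "aws-dns-server", 53),
    ("crm-database", "aws-dns-server", 53),
    ("crm-web1", "aws-log-server", 514),
    ("crm-app1", "aws-log-server", 514),
}


def effective_action(src: str, dst: str, port: int,
                     rules: Set[Rule] = RULES) -> str:
    """Security groups are allow-only: a flow passes only when the source group
    permits it outbound AND the destination group permits it inbound.  Anything
    else is the implicit default deny that shows up as DENY in the flow view."""
    out_ok = Rule("outbound", src, dst, port) in rules
    in_ok = Rule("inbound", src, dst, port) in rules
    return "ALLOW" if out_ok and in_ok else "DENY"


def firewall_rules_for(src: str, dst: str,
                       rules: Set[Rule] = RULES) -> List[Rule]:
    """Scripted form of the lab query
    'aws firewall rule where src vm = <src> and dst vm = <dst>'."""
    return sorted((r for r in rules if r.src == src and r.dst == dst),
                  key=lambda r: (r.direction, r.port))


def policy_gaps(intended: List[Tuple[str, str, int]] = INTENDED,
                rules: Set[Rule] = RULES,
                flows: Set[Tuple[str, str, int]] = FLOWS) -> List[Dict]:
    """Report every intended communication that is effectively denied and/or
    never observed, naming the rule side that is missing so the administrator
    knows which security group to fix."""
    gaps = []
    for src, dst, port in intended:
        missing = [d for d in ("outbound", "inbound")
                   if Rule(d, src, dst, port) not in rules]
        seen = (src, dst, port) in flows
        if missing or not seen:
            gaps.append({
                "src": src, "dst": dst, "port": port,
                "action": effective_action(src, dst, port, rules),
                "missing_rules": missing,
                "flow_observed": seen,
            })
    return gaps


if __name__ == "__main__":
    # Prints the single gap: crm-database -> aws-log-server:514, DENY,
    # missing the inbound rule, with no flow observed.
    for gap in policy_gaps():
        print(gap)
```

Because security groups cannot express a deny, the DENY that the flow query shows for the database is the implicit default deny that results when one side of the rule pair is absent. The report names that side ("inbound" on aws-log-server here), which is the detail an administrator needs in order to add the missing rule rather than loosening the source VM's egress.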



Infrastructure Problems - Warning Moderate

bull Scroll down to Infrastructure Problems Section

1 Click and select the WarningModerate to view problem areas

WarningModerate Issues

1 Use the blue icon + to expand the detailed view of the Logical networking out ofsync between host and NSX Controller

HOL-1829-01-NET

Page 95HOL-1829-01-NET

WarningModerate Issues (Continued)

When you expand the details you can analyse full detail of warning

In this view vRealize Network Insight is also showing you recommendations on how youwould resolve this issue which makes troubleshooting and root cause analysis veryeasy

1 Click the close sign (x) to continue

HOL-1829-01-NET

Page 96HOL-1829-01-NET

Hands-on Labs Interactive SimulationAdvanced NSX Management ampOperationsThis part of the lab is presented as a Hands-on Labs Interactive Simulation This willallow you to experience steps which are too time-consuming or resource intensive to dolive in the lab environment In this simulation you can use the software interface as ifyou are interacting with a live environment

1 Click here to open the interactive simulation It will open in a new browserwindow or tab

2 When finished click the ldquoReturn to the labrdquo link to continue with this lab

HOL-1829-01-NET

Page 97HOL-1829-01-NET

ConclusionCongratulations on completing Module 3

This module demonstrated the vRealize Network Insight capability of advancedmanagement operations vRealize Network Insight provides an in-depth analysis of thevirtual as well as the physical components associated with NSX (underlay and overlay)

For More Information

If you are looking for additional information try one of these

bull Click on this linkbull Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most

bull Module 1 - Micro-Segmentation and Security (30 minutes)bull Module 2 - 360 degree Visibility across Virtual and Physical Networks (45

minutes)bull Module 3 - Advanced NSX Management amp Operations (45 minutes)bull Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

HOL-1829-01-NET

Page 98HOL-1829-01-NET

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 99HOL-1829-01-NET

Module 4 - ManageSecurity for Public Clouds

(AWS) (30 Minutes)

HOL-1829-01-NET

Page 100HOL-1829-01-NET

IntroductionEnterprise IT needs visibility into the network and security status of their workloadswhether hosted on premises or within AWS While many AWS workloads are sandboxesfor application development teams (DevOps) it is important to analyze these workloadsIncreasingly public cloud workloads are also fulfilling mission critical production needsfor many organizations Enterprise IT must be ready to determine the best locationsecurity posture and bandwidth allocation when deploying workloads Having trafficpattern details as well as security analysis and recommendations readily availablehelps organizations make the ideal hosting decisions to meet their business needs

vRealize Network Insight (vRNI) Supports Amazon Web Services (AWS) PublicCloud The vRNI traffic monitoring features provide visibility into native AWS constructssuch as Virtual Private Clouds VMs Security Groups firewall rules and tags vRNI alsoanalyzes AWS traffic flows to provide security and micro-segmentation views of cloudworkloads This means youll be able to plan micro-segmentation and understand trafficpatterns using data collected from your AWS instances

This Module contains the following lessons

bull Introduction to Managing Security for Public Clouds (AWS)

HOL-1829-01-NET

Page 101HOL-1829-01-NET

Introduction to Managing Security forPublic Clouds (AWS)Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

HOL-1829-01-NET

Page 102HOL-1829-01-NET

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

AWS Configuration

Lets review the AWS VPC setup for the purpose of this lab

1 We have an on premise instance of vRealize Network Insight managing AWS2 There are two VPCs ie CRM and Common Services

HOL-1829-01-NET

Page 103HOL-1829-01-NET

3 VPC CRM consists of CRM Application which comprises of 3 tiers ie Web APP andDB

4 Internal users of Company can access Web Tier of the CRM on 80 internally viaJump-box

5 Web tier talks to App tier on port 80806 App tier talks to DB tier on port 33067 Web tier is open for internal datacenters VM on 80 port8 From Jump-box in VPC CRM all virtual machines have ssh access on port 229 All tiers of VPCCRM talks to DNS server on 53 and LogServer on 514 on VPC

Common Services10 This means connection to DB to Log Server (used for backup services) must exist

as configured by the Administrator but this in fact is the problem area where ourfocus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally).
3. App (App tier talks to DB tier on port 3306).
4. DB (DB tier talks to Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
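The same gap can be caught before anyone looks at flows, by checking the expected communication matrix from the AWS Configuration list against the security-group rules. The following is an added example (not VMware/vRNI or AWS code) that models the CRM VPC as AWS-style allow-only, stateful security groups and reproduces what the "firewall action of flows where dst vm = aws-log-server" query surfaces; all addresses, rules and VM names other than crm-web1, crm-database, aws-log-server and the jump-box are constructed.

```python
# Added example (not VMware/vRNI or AWS code): the lab's CRM VPC modelled as
# allow-only, stateful security-group rules, checked against the expected flows.
# Addresses, rules and VM names except crm-web1, crm-database, aws-log-server
# and jump-box are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str   # constructed private address
    sg: str   # security group the instance belongs to


@dataclass(frozen=True)
class Rule:
    sg: str         # owning security group
    direction: str  # "in" (ingress) or "out" (egress)
    port: int       # TCP/UDP port; protocol is ignored to keep the model short
    peer: str       # CIDR block or the name of a peer security group


INSTANCES = {i.name: i for i in [
    Instance("jump-box", "10.0.0.10", "sg-jump"),
    Instance("crm-web1", "10.0.1.11", "sg-web"),
    Instance("crm-web2", "10.0.1.12", "sg-web"),
    Instance("crm-app1", "10.0.2.11", "sg-app"),
    Instance("crm-app2", "10.0.2.12", "sg-app"),
    Instance("crm-database", "10.0.3.11", "sg-db"),
    Instance("aws-dns-server", "10.1.0.53", "sg-shared"),  # Common Services VPC
    Instance("aws-log-server", "10.1.0.14", "sg-shared"),  # Common Services VPC
]}
# Constructed rule set reproducing the lab's defect: sg-db has no 514 egress rule.
RULES = [
    Rule("sg-jump", "out", 80, "sg-web"), Rule("sg-jump", "out", 22, "10.0.0.0/16"),
    Rule("sg-web", "in", 80, "10.0.0.0/8"),  # internal datacenter users
    Rule("sg-web", "in", 22, "sg-jump"), Rule("sg-web", "out", 8080, "sg-app"),
    Rule("sg-web", "out", 53, "10.1.0.0/16"), Rule("sg-web", "out", 514, "10.1.0.0/16"),
    Rule("sg-app", "in", 8080, "sg-web"), Rule("sg-app", "in", 22, "sg-jump"),
    Rule("sg-app", "out", 3306, "sg-db"), Rule("sg-app", "out", 53, "10.1.0.0/16"),
    Rule("sg-app", "out", 514, "10.1.0.0/16"),
    Rule("sg-db", "in", 3306, "sg-app"), Rule("sg-db", "in", 22, "sg-jump"),
    Rule("sg-db", "out", 53, "10.1.0.0/16"),  # the matching 514 rule was never added
    Rule("sg-shared", "in", 53, "10.0.0.0/16"), Rule("sg-shared", "in", 514, "10.0.0.0/16"),
]
# Expected communication matrix (src, dst, port) from the lab's AWS Configuration list.
WEB, APP, DB = ["crm-web1", "crm-web2"], ["crm-app1", "crm-app2"], ["crm-database"]
EXPECTED = (
    [("jump-box", w, 80) for w in WEB]                        # users reach Web via jump-box
    + [(w, a, 8080) for w in WEB for a in APP]                # Web -> App
    + [(a, d, 3306) for a in APP for d in DB]                 # App -> DB
    + [("jump-box", vm, 22) for vm in WEB + APP + DB]         # SSH from the jump-box
    + [(vm, "aws-dns-server", 53) for vm in WEB + APP + DB]   # all tiers -> DNS
    + [(vm, "aws-log-server", 514) for vm in WEB + APP + DB]  # all tiers -> syslog
)


def _peer_matches(rule: Rule, other: Instance) -> bool:
    """A peer is either a CIDR containing the other instance's IP or its SG name."""
    if "/" in rule.peer:
        return ip_address(other.ip) in ip_network(rule.peer)
    return rule.peer == other.sg


def _has_rule(sg: str, direction: str, port: int, other: Instance) -> bool:
    return any(r.sg == sg and r.direction == direction and r.port == port
               and _peer_matches(r, other) for r in RULES)


def evaluate(src: str, dst: str, port: int) -> tuple:
    """ALLOW needs an egress rule on the source SG and an ingress rule on the
    destination SG; groups are stateful, so the reply path is not checked."""
    s, d = INSTANCES[src], INSTANCES[dst]
    if not _has_rule(s.sg, "out", port, d):
        return "DENY", f"{s.sg} lacks an egress rule for port {port} to {dst}"
    if not _has_rule(d.sg, "in", port, s):
        return "DENY", f"{d.sg} lacks an ingress rule for port {port} from {src}"
    return "ALLOW", ""


def flows_to(dst_vm: str) -> list:
    """Counterpart of the lab query 'firewall action of flows where dst vm = X',
    evaluated over the expected matrix instead of observed flows."""
    return [(s, d, p, evaluate(s, d, p)[0]) for s, d, p in EXPECTED if d == dst_vm]


def missing_allows() -> list:
    """Expected flows the rule set denies, with the side that lacks a rule."""
    return [((s, d, p), evaluate(s, d, p)[1]) for s, d, p in EXPECTED
            if evaluate(s, d, p)[0] == "DENY"]


if __name__ == "__main__":
    for flow in flows_to("aws-log-server"):
        print(*flow)           # 4 ALLOW rows and 1 DENY row for crm-database
    for flow, reason in missing_allows():
        print("GAP", flow, reason)
```

Running the check lists the single gap, crm-database to aws-log-server on 514, and names the side at fault (the DB security group's egress), which is the rule the lab's administrator forgot to add.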

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


Warning/Moderate Issues (Continued)

When you expand the details, you can analyse the full detail of the warning.

In this view, vRealize Network Insight is also showing you recommendations on how you would resolve this issue, which makes troubleshooting and root cause analysis very easy.

1. Click the close sign (x) to continue.

Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations

This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation, you can use the software interface as if you are interacting with a live environment.

1. Click here to open the interactive simulation. It will open in a new browser window or tab.
2. When finished, click the "Return to the lab" link to continue with this lab.

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QRC Code

Proceed to any module below which interests you most:

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)

How to End Lab

To end your lab, click on the END button; otherwise click on a module from the list above to continue.

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons

bull Introduction to Managing Security for Public Clouds (AWS)

HOL-1829-01-NET

Page 101HOL-1829-01-NET

Introduction to Managing Security forPublic Clouds (AWS)Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

HOL-1829-01-NET

Page 102HOL-1829-01-NET

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

AWS Configuration

Lets review the AWS VPC setup for the purpose of this lab

1 We have an on premise instance of vRealize Network Insight managing AWS2 There are two VPCs ie CRM and Common Services

HOL-1829-01-NET

Page 103HOL-1829-01-NET

3 VPC CRM consists of CRM Application which comprises of 3 tiers ie Web APP andDB

4 Internal users of Company can access Web Tier of the CRM on 80 internally viaJump-box

5 Web tier talks to App tier on port 80806 App tier talks to DB tier on port 33067 Web tier is open for internal datacenters VM on 80 port8 From Jump-box in VPC CRM all virtual machines have ssh access on port 229 All tiers of VPCCRM talks to DNS server on 53 and LogServer on 514 on VPC

Common Services10 This means connection to DB to Log Server (used for backup services) must exist

as configured by the Administrator but this in fact is the problem area where ourfocus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs TheCRM Application in AWS VPC has already been created for you

Application creation steps have been discussed in Module 3

HOL-1829-01-NET

Page 104HOL-1829-01-NET

1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Hands-on Labs Interactive SimulationAdvanced NSX Management ampOperationsThis part of the lab is presented as a Hands-on Labs Interactive Simulation This willallow you to experience steps which are too time-consuming or resource intensive to dolive in the lab environment In this simulation you can use the software interface as ifyou are interacting with a live environment

1 Click here to open the interactive simulation It will open in a new browserwindow or tab

2 When finished click the ldquoReturn to the labrdquo link to continue with this lab

HOL-1829-01-NET

Page 97HOL-1829-01-NET

Conclusion

Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).

For More Information

If you are looking for additional information, try one of these:

• Click on this link
• Or use your smart device to scan the QR code

Proceed to any module below which interests you most.

• Module 1 - Micro-Segmentation and Security (30 minutes)
• Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
• Module 3 - Advanced NSX Management & Operations (45 minutes)
• Module 4 - Manage Security for Public Clouds (AWS) (30 minutes)


How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open for the internal datacenter's VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from the DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:


1. Application
2. CRM
3. Click Analyze

We can now visualize the three tier 'CRM' Application in AWS in one VPC. We shall explore the three tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to App tier on Port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.


1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which has been copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
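The same reasoning the lab walks through in the vRNI UI (expected policy from the AWS Configuration section, observed flows, then the firewall action per flow) can be reproduced offline. The following Python is an added example, not part of the VMware lab or of vRNI: the flow records are constructed to mirror the lab's query results (4 Allow, 1 Deny to aws-log-server), and every host name other than crm-web1, crm-database, aws-log-server and aws-dns-server is an assumption.

```python
"""Check the CRM three-tier policy against observed flows (constructed data).

Added example for this lab, not VMware/vRNI code. Host names other than
crm-web1, crm-database, aws-log-server and aws-dns-server are assumed.
"""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst port action")

# Tier membership. VPC CRM holds Web/App/DB, the jump box is the DC-side
# host, and VPC Common Services holds DNS and Syslog (aws-log-server).
TIER_OF = {
    "crm-web1": "Web", "crm-web2": "Web",
    "crm-app1": "App", "crm-app2": "App",
    "crm-database": "DB",
    "jump-box": "Jumpbox",
    "aws-dns-server": "DNS",
    "aws-log-server": "Syslog",
}

# Expected (src_tier, dst_tier, port) services, taken from the lab's
# "AWS Configuration" description.
EXPECTED = {
    ("Web", "App", 8080),
    ("App", "DB", 3306),
    ("Jumpbox", "Web", 22), ("Jumpbox", "App", 22), ("Jumpbox", "DB", 22),
    ("Web", "DNS", 53), ("App", "DNS", 53), ("DB", "DNS", 53),
    ("Web", "Syslog", 514), ("App", "Syslog", 514), ("DB", "Syslog", 514),
}

# Constructed flow records with the firewall action seen for each flow.
OBSERVED = [
    Flow("crm-web1", "crm-app1", 8080, "ALLOW"),
    Flow("crm-web2", "crm-app2", 8080, "ALLOW"),
    Flow("crm-app1", "crm-database", 3306, "ALLOW"),
    Flow("jump-box", "crm-web1", 22, "ALLOW"),
    Flow("jump-box", "crm-app1", 22, "ALLOW"),
    Flow("jump-box", "crm-database", 22, "ALLOW"),
    Flow("crm-web1", "aws-dns-server", 53, "ALLOW"),
    Flow("crm-app1", "aws-dns-server", 53, "ALLOW"),
    Flow("crm-database", "aws-dns-server", 53, "ALLOW"),
    Flow("crm-web1", "aws-log-server", 514, "ALLOW"),
    Flow("crm-web2", "aws-log-server", 514, "ALLOW"),
    Flow("crm-app1", "aws-log-server", 514, "ALLOW"),
    Flow("crm-app2", "aws-log-server", 514, "ALLOW"),
    # The lab's problem flow: the DB tier's syslog traffic is denied.
    Flow("crm-database", "aws-log-server", 514, "DENY"),
]


def flows_to(flows, dst):
    """Offline equivalent of the lab query 'flows where dst vm = <dst>'."""
    return [f for f in flows if f.dst == dst]


def count_actions(flows):
    """Tally firewall actions, e.g. {'ALLOW': 4, 'DENY': 1}."""
    return dict(Counter(f.action for f in flows))


def tier_rules(flows, tier_of, action="ALLOW"):
    """Collapse per-VM flows with the given action to tier-level tuples."""
    return {
        (tier_of[f.src], tier_of[f.dst], f.port)
        for f in flows
        if f.action == action and f.src in tier_of and f.dst in tier_of
    }


def missing_expected(expected, flows, tier_of):
    """Expected tier-to-tier services for which no allowed flow was seen."""
    return expected - tier_rules(flows, tier_of, "ALLOW")


def denied_expected(expected, flows, tier_of):
    """Denied flows that the policy says should be allowed: the rules an
    administrator forgot to add (the lab's crm-database -> syslog case)."""
    return [
        f for f in flows
        if f.action == "DENY"
        and (tier_of.get(f.src), tier_of.get(f.dst), f.port) in expected
    ]


if __name__ == "__main__":
    to_log = flows_to(OBSERVED, "aws-log-server")
    print("flows to aws-log-server:", count_actions(to_log))
    print("expected but never allowed:",
          missing_expected(EXPECTED, OBSERVED, TIER_OF))
    for f in denied_expected(EXPECTED, OBSERVED, TIER_OF):
        print(f"missing allow rule: {f.src} -> {f.dst} port {f.port}")
```

Running it reports the single gap the lab finds by hand: the DB-to-Syslog service on port 514 is expected but only ever seen as DENY.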


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226




                                                      • How to End Lab
                                                        • Conclusion

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

HOL-1829-01-NET, Page 99

Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)


Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details, as well as security analysis and recommendations, readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)


Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Log in to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via a jump-box.
5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open to the internal datacenter's VMs on port 80.
8. From the jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the steps that follow.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on Port 22.
2. Click X to continue.


1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on Ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).


1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click on the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results, both Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server: the outbound side exists, but there is no inbound rule on aws-log-server accepting port 514 from crm-database.
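The three queries above, as an added example that is not part of the HOL guide: a small Python model of the CRM design from the AWS Configuration steps, checked against a constructed rule set the way vRNI's "firewall action of flows" and "aws firewall rule" searches are, so that the missing crm-database to aws-log-server port 514 allow stands out. The tier VM names other than crm-web1 and crm-database, and the rule semantics (allow-only inbound and outbound entries per VM, as in AWS security groups), are assumptions of this example.

```python
"""Constructed model of the lab's CRM three-tier design and its firewall rules.

Added example, not code from the HOL guide. It encodes the designed
communication matrix (AWS Configuration steps 5, 6 and 9), evaluates each
designed flow against an allow-only rule set, and reports the designed flow
that no rule permits: the DB -> aws-log-server port 514 gap the lab finds.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    """One allow entry attached to a VM, modelled on an AWS security-group rule
    (assumption: rules are allow-only; a flow without a match is a DENY)."""
    vm: str          # VM the rule is attached to
    direction: str   # "inbound" or "outbound"
    peer: str        # remote VM, or "*" for any remote
    port: int        # TCP/UDP port, or 0 for any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def _matches(rule: Rule, vm: str, peer: str, port: int, direction: str) -> bool:
    return (rule.vm == vm and rule.direction == direction
            and rule.peer in ("*", peer) and rule.port in (0, port))


def firewall_action(flow: Flow, rules: Iterable[Rule]) -> str:
    """A flow is allowed only if the source's outbound rules AND the
    destination's inbound rules both permit it; otherwise it shows as DENY."""
    rules = list(rules)
    out_ok = any(_matches(r, flow.src, flow.dst, flow.port, "outbound") for r in rules)
    in_ok = any(_matches(r, flow.dst, flow.src, flow.port, "inbound") for r in rules)
    return "ALLOW" if out_ok and in_ok else "DENY"


def flows_to(dst: str, flows: Iterable[Flow], rules: Iterable[Rule]) -> dict:
    """Counterpart of 'firewall action of flows where dst vm = <dst>'."""
    counts = {"ALLOW": 0, "DENY": 0}
    for f in flows:
        if f.dst == dst:
            counts[firewall_action(f, rules)] += 1
    return counts


def rules_between(src: str, dst: str, rules: Iterable[Rule]) -> List[Rule]:
    """Counterpart of 'aws firewall rule where src vm = <src> and dst vm = <dst>':
    the outbound rules on src and the inbound rules on dst that apply to the pair."""
    return [r for r in rules
            if (r.vm == src and r.direction == "outbound" and r.peer in ("*", dst))
            or (r.vm == dst and r.direction == "inbound" and r.peer in ("*", src))]


def missing_allows(flows: Iterable[Flow], rules: Iterable[Rule]) -> List[Flow]:
    """Designed flows that no rule permits: the misconfiguration to fix."""
    rules = list(rules)
    return [f for f in flows if firewall_action(f, rules) == "DENY"]


# Constructed inventory: crm-web2, crm-app1 and crm-app2 are assumed names.
WEB = ["crm-web1", "crm-web2"]
APP = ["crm-app1", "crm-app2"]
DB = ["crm-database"]
TIERS = WEB + APP + DB
DNS, LOG = "aws-DNS-Server", "aws-log-server"

# Designed matrix: web->app 8080, app->db 3306, every tier -> DNS 53 and -> syslog 514.
DESIGNED_FLOWS = (
    [Flow(w, a, 8080) for w in WEB for a in APP]
    + [Flow(a, d, 3306) for a in APP for d in DB]
    + [Flow(t, DNS, 53) for t in TIERS]
    + [Flow(t, LOG, 514) for t in TIERS]
)

# Constructed rule set in which the inbound syslog rule for crm-database was never added.
RULES = (
    [Rule(a, "inbound", w, 8080) for a in APP for w in WEB]
    + [Rule(w, "outbound", a, 8080) for w in WEB for a in APP]
    + [Rule(d, "inbound", a, 3306) for d in DB for a in APP]
    + [Rule(a, "outbound", d, 3306) for a in APP for d in DB]
    + [Rule(t, "outbound", "*", 53) for t in TIERS]
    + [Rule(t, "outbound", "*", 514) for t in TIERS]
    + [Rule(DNS, "inbound", "*", 53)]
    + [Rule(LOG, "inbound", t, 514) for t in WEB + APP]   # no entry for crm-database
)

if __name__ == "__main__":
    print(flows_to(LOG, DESIGNED_FLOWS, RULES))          # {'ALLOW': 4, 'DENY': 1}
    for gap in missing_allows(DESIGNED_FLOWS, RULES):
        print("no allow rule for", gap)                  # crm-database -> aws-log-server:514
    fixed = RULES + [Rule(LOG, "inbound", "crm-database", 514)]
    print(missing_allows(DESIGNED_FLOWS, fixed))         # []
```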


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Module 4 - ManageSecurity for Public Clouds

(AWS) (30 Minutes)

HOL-1829-01-NET

Page 100HOL-1829-01-NET

IntroductionEnterprise IT needs visibility into the network and security status of their workloadswhether hosted on premises or within AWS While many AWS workloads are sandboxesfor application development teams (DevOps) it is important to analyze these workloadsIncreasingly public cloud workloads are also fulfilling mission critical production needsfor many organizations Enterprise IT must be ready to determine the best locationsecurity posture and bandwidth allocation when deploying workloads Having trafficpattern details as well as security analysis and recommendations readily availablehelps organizations make the ideal hosting decisions to meet their business needs

vRealize Network Insight (vRNI) Supports Amazon Web Services (AWS) PublicCloud The vRNI traffic monitoring features provide visibility into native AWS constructssuch as Virtual Private Clouds VMs Security Groups firewall rules and tags vRNI alsoanalyzes AWS traffic flows to provide security and micro-segmentation views of cloudworkloads This means youll be able to plan micro-segmentation and understand trafficpatterns using data collected from your AWS instances

This Module contains the following lessons

bull Introduction to Managing Security for Public Clouds (AWS)

HOL-1829-01-NET

Page 101HOL-1829-01-NET

Introduction to Managing Security forPublic Clouds (AWS)Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

HOL-1829-01-NET

Page 102HOL-1829-01-NET

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

AWS Configuration

Lets review the AWS VPC setup for the purpose of this lab

1 We have an on premise instance of vRealize Network Insight managing AWS2 There are two VPCs ie CRM and Common Services

HOL-1829-01-NET

Page 103HOL-1829-01-NET

3 VPC CRM consists of CRM Application which comprises of 3 tiers ie Web APP andDB

4 Internal users of Company can access Web Tier of the CRM on 80 internally viaJump-box

5 Web tier talks to App tier on port 80806 App tier talks to DB tier on port 33067 Web tier is open for internal datacenters VM on 80 port8 From Jump-box in VPC CRM all virtual machines have ssh access on port 229 All tiers of VPCCRM talks to DNS server on 53 and LogServer on 514 on VPC

Common Services10 This means connection to DB to Log Server (used for backup services) must exist

as configured by the Administrator but this in fact is the problem area where ourfocus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs TheCRM Application in AWS VPC has already been created for you

Application creation steps have been discussed in Module 3

HOL-1829-01-NET

Page 104HOL-1829-01-NET

1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management & Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • Warning/Moderate Issues
                                      • Warning/Moderate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Introduction

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you'll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This module contains the following lessons:

• Introduction to Managing Security for Public Clouds (AWS)

HOL-1829-01-NET

Page 101 HOL-1829-01-NET

Introduction to Managing Security for Public Clouds (AWS)

Lab Status Check

1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.

Open Google Chrome

1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.

Select vRealize Network Insight Favorite

1. Select the vRNI shortcut on the favorites bar (if vRealize Network Insight did not load automatically).


vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab.

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.


3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.

4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the jump box.

5. Web tier talks to App tier on port 8080.
6. App tier talks to DB tier on port 3306.
7. Web tier is open to internal datacenter VMs on port 80.
8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the Log Server on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the administrator, but this in fact is the problem area where our focus will be.
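The list above is, in effect, the intended communication matrix for the CRM application. As an added example (not part of this lab and not vRealize Network Insight code), the Python script below transcribes that tier-level policy and reconciles it against a constructed VM-level flow export of the kind the Plan Security view visualizes: it rolls VM records up to tiers, reports intended flows that never appear (here the DB tier to the log server on 514) and observed flows the policy does not list. The instance names other than crm-web1, crm-database, aws-DNS-Server and aws-log-server, the VM-to-tier mapping, the byte counts and the choice of UDP for DNS and syslog are assumptions.

```python
"""Reconcile observed AWS flows against the CRM application's intended policy.

Added example; it is not part of the HOL-1829-01-NET lab and not vRealize
Network Insight code. The intended tier-level policy is transcribed from the
lab's AWS configuration list; the VM-to-tier mapping and the flow records are
constructed to resemble what the lab's Plan Security view shows (the DB tier
reaches DNS on 53 but never the log server on 514).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str    # tier / group name
    dst: str
    proto: str  # "tcp" or "udp"
    port: int


# Intended communication matrix (items 4-9 of the lab's "AWS Configuration").
# DNS and syslog are assumed to be UDP; the lab lists only port numbers.
INTENDED: Set[Flow] = {
    Flow("DC-Virtual", "Web", "tcp", 80),   # internal users / datacenter VMs
    Flow("Web", "App", "tcp", 8080),
    Flow("App", "DB", "tcp", 3306),
}
for _tier in ("Web", "App", "DB"):
    INTENDED.add(Flow("Jump-box", _tier, "tcp", 22))
    INTENDED.add(Flow(_tier, "aws-DNS-Server", "udp", 53))
    INTENDED.add(Flow(_tier, "aws-log-server", "udp", 514))

# Constructed mapping from instance name to tier (assumed, not from the lab).
TIER_OF: Dict[str, str] = {
    "crm-web1": "Web", "crm-web2": "Web",
    "crm-app1": "App",
    "crm-database": "DB",
    "jump-box": "Jump-box",
    "dc-vm1": "DC-Virtual",
    "aws-DNS-Server": "aws-DNS-Server",
    "aws-log-server": "aws-log-server",
}

# Constructed flow export, one record per line:
# "<src vm> <dst vm> <proto> <dst port> <bytes>"
OBSERVED_EXPORT = """\
dc-vm1 crm-web1 tcp 80 182000
dc-vm1 crm-web2 tcp 80 91000
crm-web1 crm-app1 tcp 8080 240000
crm-web2 crm-app1 tcp 8080 120000
crm-app1 crm-database tcp 3306 560000
jump-box crm-web1 tcp 22 4200
jump-box crm-app1 tcp 22 3900
jump-box crm-database tcp 22 5100
crm-web1 aws-DNS-Server udp 53 1200
crm-web1 aws-log-server udp 514 34000
crm-app1 aws-DNS-Server udp 53 900
crm-app1 aws-log-server udp 514 78000
crm-database aws-DNS-Server udp 53 800
crm-web1 crm-database tcp 3306 15000
"""

Record = Tuple[str, str, str, int, int]


def parse_export(text: str) -> List[Record]:
    """Parse flow records into (src_vm, dst_vm, proto, port, bytes) tuples."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, port, nbytes = line.split()
        records.append((src, dst, proto.lower(), int(port), int(nbytes)))
    return records


def aggregate_by_tier(records: List[Record]) -> Dict[Flow, int]:
    """Roll VM-level records up to tier-level flows, summing bytes."""
    totals: Dict[Flow, int] = defaultdict(int)
    for src, dst, proto, port, nbytes in records:
        totals[Flow(TIER_OF[src], TIER_OF[dst], proto, port)] += nbytes
    return dict(totals)


def missing_flows(observed: Dict[Flow, int]) -> Set[Flow]:
    """Intended flows that never appeared: broken or blocked paths."""
    return INTENDED - set(observed)


def unexpected_flows(observed: Dict[Flow, int]) -> Set[Flow]:
    """Observed flows the policy does not list: candidates for a tighter rule."""
    return set(observed) - INTENDED


def reconcile(text: str = OBSERVED_EXPORT) -> Dict[str, List[Flow]]:
    """Return the policy gaps found in a flow export, sorted for stable output."""
    observed = aggregate_by_tier(parse_export(text))
    return {"missing": sorted(missing_flows(observed)),
            "unexpected": sorted(unexpected_flows(observed))}


if __name__ == "__main__":
    result = reconcile()
    for f in result["missing"]:
        print(f"MISSING    {f.src} -> {f.dst} {f.proto}/{f.port}")
    for f in result["unexpected"]:
        print(f"UNEXPECTED {f.src} -> {f.dst} {f.proto}/{f.port}")
```

Run as a script it lists one missing flow (DB to aws-log-server on udp/514, the gap this module goes on to troubleshoot) and one unexpected flow (Web straight to DB on 3306, planted in the constructed export to show that the same comparison also surfaces traffic that a micro-segmentation rule set should not permit).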

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.


1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity select:


1. Application
2. CRM
3. Click Analyze.

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that micro-segments are already filtered by tier.
2. Web (Web tier talks to App tier on port 8080. Internal users of the organisation can access the Web tier of the CRM Application on port 80 internally.)
3. App (App tier talks to DB tier on port 3306.)
4. DB (DB tier talks to Log Servers.) - This is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the Log Server on port 514 of the second VPC.


Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from Web to App.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to DB.


1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
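The three queries above ask the same question from the rule side: does an allow rule exist on both the source's outbound side and the destination's inbound side for crm-database to aws-log-server on 514? As an added example that is not part of this lab and not vRealize Network Insight code, the Python below evaluates constructed security groups laid out like EC2 DescribeSecurityGroups output (IpPermissions for inbound, IpPermissionsEgress for outbound) for a given instance pair, reports which side lacks a matching allow rule, and applies the least-privilege fix: one inbound rule on the log server's group permitting 514 only from the database's group. The security group ids, private addresses, CIDR ranges and the choice of UDP for syslog are assumptions. AWS security groups hold allow rules only, so the DENY the lab's flow query reports corresponds to the default deny that applies when no inbound rule matches.

```python
"""Evaluate whether AWS security groups permit a flow, and find the missing rule.

Added example; it is not part of the HOL-1829-01-NET lab and not vRealize
Network Insight code. Instances, security group ids, addresses and rules are
constructed in the shape of EC2 DescribeSecurityGroups entries (IpPermissions
inbound, IpPermissionsEgress outbound). Syslog is assumed to be UDP/514.
"""
import copy
import ipaddress
from typing import Dict, List

# Constructed inventory: instance name -> (private IP, security group id).
INSTANCES = {
    "crm-web1":       ("10.10.1.11", "sg-crm-web"),
    "crm-app1":       ("10.10.2.11", "sg-crm-app"),
    "crm-database":   ("10.10.3.11", "sg-crm-db"),
    "aws-log-server": ("10.20.1.50", "sg-log-server"),
}


def _rule(proto: str, port, *, groups=(), cidrs=()) -> Dict:
    """Build one IpPermissions entry; IpProtocol "-1" means all traffic."""
    entry = {"IpProtocol": proto,
             "UserIdGroupPairs": [{"GroupId": g} for g in groups],
             "IpRanges": [{"CidrIp": c} for c in cidrs]}
    if proto != "-1":          # "-1" entries carry no port range in AWS
        entry["FromPort"] = port
        entry["ToPort"] = port
    return entry


ALL_EGRESS = _rule("-1", None, cidrs=["0.0.0.0/0"])   # AWS default egress rule

# Constructed rule sets. The log server accepts syslog from the web and app
# groups, but the database group was never added: that is the lab's gap.
SECURITY_GROUPS = {
    "sg-crm-web":    {"IpPermissions": [_rule("tcp", 80, cidrs=["10.0.0.0/8"])],
                      "IpPermissionsEgress": [ALL_EGRESS]},
    "sg-crm-app":    {"IpPermissions": [_rule("tcp", 8080, groups=["sg-crm-web"])],
                      "IpPermissionsEgress": [ALL_EGRESS]},
    "sg-crm-db":     {"IpPermissions": [_rule("tcp", 3306, groups=["sg-crm-app"])],
                      "IpPermissionsEgress": [ALL_EGRESS]},
    "sg-log-server": {"IpPermissions": [_rule("udp", 514, groups=["sg-crm-web", "sg-crm-app"])],
                      "IpPermissionsEgress": [ALL_EGRESS]},
}


def rule_matches(rule: Dict, proto: str, port: int, peer_ip: str, peer_sg: str) -> bool:
    """True if one allow entry covers this protocol/port from/to the peer."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    if any(p["GroupId"] == peer_sg for p in rule["UserIdGroupPairs"]):
        return True
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])


def evaluate(src: str, dst: str, proto: str, port: int, groups=SECURITY_GROUPS) -> Dict:
    """Check the source's egress rules and the destination's ingress rules.

    Both must allow the initial packet; security groups are stateful, so the
    reply direction needs no rule of its own.
    """
    src_ip, src_sg = INSTANCES[src]
    dst_ip, dst_sg = INSTANCES[dst]
    egress = [r for r in groups[src_sg]["IpPermissionsEgress"]
              if rule_matches(r, proto, port, dst_ip, dst_sg)]
    ingress = [r for r in groups[dst_sg]["IpPermissions"]
               if rule_matches(r, proto, port, src_ip, src_sg)]
    missing: List[str] = []
    if not egress:
        missing.append(f"egress {proto}/{port} to {dst_sg} on {src_sg}")
    if not ingress:
        missing.append(f"ingress {proto}/{port} from {src_sg} on {dst_sg}")
    return {"allowed": not missing, "egress_rules": len(egress),
            "ingress_rules": len(ingress), "missing": missing}


def with_ingress_rule(groups: Dict, sg_id: str, proto: str, port: int, peer_sg: str) -> Dict:
    """Return a copy of the rule set with a least-privilege inbound rule added:
    only this port, only from the peer security group."""
    fixed = copy.deepcopy(groups)
    fixed[sg_id]["IpPermissions"].append(_rule(proto, port, groups=[peer_sg]))
    return fixed


if __name__ == "__main__":
    for src in ("crm-web1", "crm-database"):
        print(src, "->", "aws-log-server udp/514:", evaluate(src, "aws-log-server", "udp", 514))
    fixed = with_ingress_rule(SECURITY_GROUPS, "sg-log-server", "udp", 514, "sg-crm-db")
    print("after fix:", evaluate("crm-database", "aws-log-server", "udp", 514, fixed))
```

For crm-web1 the evaluation finds both an egress and an ingress match, mirroring the lab's "1 Inbound and 2 Outbound" result; for crm-database only the egress side matches, which is the "2 Outbound, no Inbound" pattern the last query shows. Network ACLs, which are stateless and can carry explicit deny entries, are deliberately outside this model.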


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or else click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Introduction to Managing Security forPublic Clouds (AWS)Lab Status Check

1 Make sure the Lab Status displays Ready before continuing

Close browser sessions from previous modules

Open Google Chrome

1 Open Chrome on the Control Centre Desktop

Note Internet Explorer will not work and is not certified to be used with vRealizeNetwork Insight at the time of this release

Select vRealize Network Insight Favorite

1 Select the vRNI Shortcut on the favorites Bar (if vRealize Network Insightdid not load automatically)

HOL-1829-01-NET

Page 102HOL-1829-01-NET

vRealize Network Insight - Login Screen

Login to the portal

1 Username admincorplocal2 Password VMware13 Click Login to continue

AWS Configuration

Lets review the AWS VPC setup for the purpose of this lab

1 We have an on premise instance of vRealize Network Insight managing AWS2 There are two VPCs ie CRM and Common Services

HOL-1829-01-NET

Page 103HOL-1829-01-NET

3 VPC CRM consists of CRM Application which comprises of 3 tiers ie Web APP andDB

4 Internal users of Company can access Web Tier of the CRM on 80 internally viaJump-box

5 Web tier talks to App tier on port 80806 App tier talks to DB tier on port 33067 Web tier is open for internal datacenters VM on 80 port8 From Jump-box in VPC CRM all virtual machines have ssh access on port 229 All tiers of VPCCRM talks to DNS server on 53 and LogServer on 514 on VPC

Common Services10 This means connection to DB to Log Server (used for backup services) must exist

as configured by the Administrator but this in fact is the problem area where ourfocus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs TheCRM Application in AWS VPC has already been created for you

Application creation steps have been discussed in Module 3

HOL-1829-01-NET

Page 104HOL-1829-01-NET

1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

vRealize Network Insight - Login Screen

Login to the portal:

1. Username: admin@corp.local
2. Password: VMware1!
3. Click Login to continue.

AWS Configuration

Let's review the AWS VPC setup for the purpose of this lab:

1. We have an on-premises instance of vRealize Network Insight managing AWS.
2. There are two VPCs, i.e. CRM and Common Services.
3. VPC CRM consists of the CRM Application, which comprises 3 tiers, i.e. Web, App and DB.
4. Internal users of the company can access the Web tier of the CRM on port 80 internally via the Jump-box.
5. The Web tier talks to the App tier on port 8080.
6. The App tier talks to the DB tier on port 3306.
7. The Web tier is open to internal datacenter VMs on port 80.
8. From the Jump-box in VPC CRM, all virtual machines have SSH access on port 22.
9. All tiers of VPC CRM talk to the DNS server on port 53 and the LogServer on port 514 in VPC Common Services.
10. This means a connection from DB to the Log Server (used for backup services) must exist as configured by the Administrator, but this in fact is the problem area where our focus will be.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The CRM Application in the AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

1. In vRealize Network Insight, click on Plan Security.

From the Plan Security dialogue box, under Entity, select:

1. Application
2. CRM
3. Click Analyze

We can now visualize the three-tier 'CRM' Application in AWS in one VPC. We shall explore the three-tier system logic in the following steps.

1. Please note that Micro-Segments are already filtered by Tier.
2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation can access the Web tier of the CRM Application on port 80 internally)
3. App (the App tier talks to the DB tier on port 3306)
4. DB (the DB tier talks to the Log Servers) - this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and the LogServer on port 514 of the second VPC.

Exploring the Three Tier Application - Step by Step

We shall now explore the three-tier application setup to understand the security and communication posture.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.

1. Hover over the App Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on ports 53 and 514 respectively.
2. Click X to continue.

1. Hover over the DB Micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals that there is only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. In the Chrome web browser, right click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. In the Chrome web browser, right click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click the tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server
2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button, or click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

3 VPC CRM consists of CRM Application which comprises of 3 tiers ie Web APP andDB

4 Internal users of Company can access Web Tier of the CRM on 80 internally viaJump-box

5 Web tier talks to App tier on port 80806 App tier talks to DB tier on port 33067 Web tier is open for internal datacenters VM on 80 port8 From Jump-box in VPC CRM all virtual machines have ssh access on port 229 All tiers of VPCCRM talks to DNS server on 53 and LogServer on 514 on VPC

Common Services10 This means connection to DB to Log Server (used for backup services) must exist

as configured by the Administrator but this in fact is the problem area where ourfocus will be

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs TheCRM Application in AWS VPC has already been created for you

Application creation steps have been discussed in Module 3

HOL-1829-01-NET

Page 104HOL-1829-01-NET

1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1 On the vRealize Network Insight Click on Plan Security

From Plan Security dialogue box under Entity select

HOL-1829-01-NET

Page 105HOL-1829-01-NET

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514 (DNS and syslog respectively).
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have any flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule to allow traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right click on the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click on the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
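The flow exploration and the three firewall queries above, as an added Python example that is not part of the lab guide or of vRealize Network Insight: it models the designed CRM communication, a constructed rule set in which the database's syslog egress was never added, and the two query shapes the lab uses, so the missing DB to aws-log-server flow on port 514 is found and explained offline. Tier membership (crm-web2, crm-app1, crm-app2, dc-virtual-jumpbox), the rule set and the first-match, implicit-deny evaluation model are assumptions, not lab data.

```python
"""Flow-gap and firewall-rule correlation for the lab's CRM three-tier app.

Added example, not lab or vRealize Network Insight code. It reproduces offline
the reasoning the lab performs by clicking: compare the designed tier-to-tier
communication with what was observed, evaluate the firewall decision for each
flow to the log server, and list the rules applying between two VMs. VM names
follow the lab; tier membership, the rule set and the evaluation model are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    direction: str  # "Outbound" (attached to the source) or "Inbound" (to the destination)
    vm: str         # VM the rule is attached to
    peer: str       # "any" or the name of the other VM
    port: int       # 0 means any port
    action: str     # "ALLOW" or "DENY"


# Constructed tier membership; the lab itself names only crm-web1 and crm-database.
TIERS = {"web": ["crm-web1", "crm-web2"], "app": ["crm-app1", "crm-app2"], "db": ["crm-database"]}
SHARED = {"aws-DNS-Server": 53, "aws-log-server": 514}  # shared services in the second VPC
JUMP_BOX = "dc-virtual-jumpbox"                           # the lab's "DC Virtual" jump box
FRONT_TIERS = TIERS["web"] + TIERS["app"]


def expected_flows():
    """Designed communication: Web->App 8080, App->DB 3306, jump box->App 22,
    and every tier to DNS (53) and syslog (514) in the second VPC."""
    flows = set()
    for web in TIERS["web"]:
        flows.update(Flow(web, app, 8080) for app in TIERS["app"])
    for app in TIERS["app"]:
        flows.update(Flow(app, db, 3306) for db in TIERS["db"])
        flows.add(Flow(JUMP_BOX, app, 22))
    for vms in TIERS.values():
        for vm in vms:
            flows.update(Flow(vm, server, port) for server, port in SHARED.items())
    return flows


RULES = [
    # Second VPC: DNS accepts from anyone; syslog accepts only from the sources
    # the admin remembered to add, and crm-database is not among them.
    Rule("Inbound", "aws-DNS-Server", "any", 53, "ALLOW"),
    *[Rule("Inbound", "aws-log-server", vm, 514, "ALLOW") for vm in FRONT_TIERS],
    # Web and App tiers: egress for DNS, syslog and their tier-to-tier ports.
    *[Rule("Outbound", vm, "any", 53, "ALLOW") for vm in FRONT_TIERS],
    *[Rule("Outbound", vm, "any", 514, "ALLOW") for vm in FRONT_TIERS],
    *[Rule("Outbound", web, app, 8080, "ALLOW") for web in TIERS["web"] for app in TIERS["app"]],
    *[Rule("Inbound", app, "any", 8080, "ALLOW") for app in TIERS["app"]],
    *[Rule("Inbound", app, JUMP_BOX, 22, "ALLOW") for app in TIERS["app"]],
    *[Rule("Outbound", app, "any", 3306, "ALLOW") for app in TIERS["app"]],
    Rule("Outbound", JUMP_BOX, "any", 22, "ALLOW"),
    Rule("Inbound", "crm-database", "any", 3306, "ALLOW"),
    # DB tier: DNS egress exists, syslog egress was never added, and a catch-all
    # deny (standing in for the DENY rule the lab's query surfaces) blocks the rest.
    Rule("Outbound", "crm-database", "any", 53, "ALLOW"),
    Rule("Outbound", "crm-database", "any", 0, "DENY"),
]


def _matches(rule, flow, direction):
    vm, peer = (flow.src, flow.dst) if direction == "Outbound" else (flow.dst, flow.src)
    return (rule.direction == direction and rule.vm == vm
            and rule.peer in ("any", peer) and rule.port in (0, flow.port))


def firewall_action(flow, rules=RULES):
    """Return (action, deciding rule). Source outbound rules are checked first,
    then destination inbound rules; first match wins on each side and a side
    with no matching rule is an implicit deny (rule is None)."""
    rule = None
    for direction in ("Outbound", "Inbound"):
        rule = next((r for r in rules if _matches(r, flow, direction)), None)
        if rule is None or rule.action == "DENY":
            return "DENY", rule
    return "ALLOW", rule


def firewall_action_of_flows(flows, dst_vm, rules=RULES):
    """The lab query 'firewall action of flows where dst vm = <dst_vm>'."""
    return {f: firewall_action(f, rules) for f in flows if f.dst == dst_vm}


def rules_between(src_vm, dst_vm, rules=RULES):
    """The lab query 'aws firewall rule where src vm = A and dst vm = B':
    every rule on either end that can apply to traffic from A to B."""
    return [r for r in rules
            if (r.direction == "Outbound" and r.vm == src_vm and r.peer in ("any", dst_vm))
            or (r.direction == "Inbound" and r.vm == dst_vm and r.peer in ("any", src_vm))]


def missing_flows(expected, observed):
    """Designed flows absent from the collected data: the gap the DB focus view exposes."""
    return expected - observed


if __name__ == "__main__":
    designed = expected_flows()
    # Constructed observation: the collector saw every designed flow the firewall allows.
    observed = {f for f in designed if firewall_action(f)[0] == "ALLOW"}
    for gap in sorted(missing_flows(designed, observed), key=str):
        print(gap, "->", firewall_action(gap), "applicable rules:", rules_between(gap.src, gap.dst))
```

With the constructed data the log-server query returns 4 ALLOW and 1 DENY, the crm-web1 rule query returns 1 Inbound and 2 Outbound rules, and the crm-database rule query returns 2 Outbound rules, mirroring the counts the lab reports.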


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1 Application2 CRM3 Click Analyze

We can now visualize the three tier lsquoCRMrsquo Application in AWS in one VPC We Shallexplore the three Tier System Logic in proceeding steps

1 Please note that Micro-Segments are already filtered by Tier2 Web (Web tier talks to App tier on port 8080 Internal users of organisation can

access Web Tier of the CRM Application on port 80 internally)3 App (App tier talks to DB tier on port 3306)4 DB ( DB tier talks to Log Servers ) - This is the problem area we are going to

explore

All tiers of first VPC talks to DNS server on port 53 and LogServer on port 514 of SecondVPC

HOL-1829-01-NET

Page 106HOL-1829-01-NET

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

Exploring the Three Tier Application - Step by Step

We shall now explore the three their application setup to understand the security andcommunication posture

HOL-1829-01-NET

Page 107HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow line to explore the flows This will reveal flows from Web to

App

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management & Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

HOL-1829-01-NET

Page 108HOL-1829-01-NET

1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

1. The App tier talks to the DB tier on Port 3306.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the Yellow line to explore the flows. This will reveal flows from DC Virtual to App.

1. DC Virtual (jump box) talks to the App tier on Port 22.
2. Click X to continue.

1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

1. The App tier talks to Shared Virtual on Port 53 (DNS) and Port 514 (syslog) respectively.
2. Click X to continue.

1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals only one service, port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have flow(s) for port 514 (syslog).

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query "firewall action of flows where dst vm = aws-log-server". This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS Admin forgot to add a rule to allow traffic from crm-database (Database) to aws-log-server (syslog server).

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string "aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server".

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. On the Chrome web browser, right click.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and replace it by typing the new search string "aws firewall rule where src vm = crm-database and dst vm = aws-log-server".

2. Click Search.
3. This will return 2 results for Outbound rules, further explaining the firewall rule behaviour from crm-database to aws-log-server.
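As an added example that is not part of this lab manual or of vRealize Network Insight, the following Python re-creates the Module 4 diagnosis offline: the intended CRM tier flows are compared with a constructed set of observed flows, and the missing DB to syslog flow is traced back to a DENY rule in the same way the three firewall queries above do. Every flow and rule record, and every VM name other than crm-web1, crm-database and aws-log-server, is constructed sample data.

```python
# Added example, not part of the HOL-1829-01-NET manual or vRealize Network
# Insight: an offline re-creation of the Module 4 diagnosis. Intended flows
# for the CRM three-tier application are compared with the flows actually
# observed, and each gap is explained from the firewall rule set, the way
# the three firewall queries in the lab explain the missing DB -> syslog flow.
# All flow and rule records, and every VM name except crm-web1, crm-database
# and aws-log-server, are constructed sample data.
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    src: str             # VM name or ANY
    dst: str             # VM name or ANY
    port: Optional[int]  # None matches every port
    action: str          # "ALLOW" or "DENY"
    direction: str       # "Inbound" or "Outbound", as in the lab's results

    def matches(self, flow: Flow) -> bool:
        return (self.src in (ANY, flow.src)
                and self.dst in (ANY, flow.dst)
                and self.port in (None, flow.port))


# Intended communication pattern described by the lab walkthrough.
EXPECTED = {
    Flow("dc-virtual-jumpbox", "crm-app", 22),    # jump box -> App (SSH)
    Flow("crm-app", "crm-database", 3306),         # App -> DB (MySQL)
    Flow("crm-app", "aws-dns-server", 53),         # App -> Shared (DNS)
    Flow("crm-app", "aws-log-server", 514),        # App -> Shared (syslog)
    Flow("crm-database", "aws-dns-server", 53),    # DB -> Shared (DNS)
    Flow("crm-database", "aws-log-server", 514),   # DB -> Shared (syslog)
}

# Constructed observation: every intended flow is seen except DB -> syslog.
OBSERVED = EXPECTED - {Flow("crm-database", "aws-log-server", 514)}

# Constructed rule set covering only the Shared Virtual services: the web and
# app tiers may reach the log server, the database has only a catch-all deny.
RULES = [
    Rule("crm-web1", "aws-log-server", 514, "ALLOW", "Outbound"),
    Rule(ANY, "aws-log-server", 514, "ALLOW", "Inbound"),
    Rule("crm-app", "aws-log-server", 514, "ALLOW", "Outbound"),
    Rule("crm-database", "aws-dns-server", 53, "ALLOW", "Outbound"),
    Rule("crm-database", ANY, None, "DENY", "Outbound"),
]


def rules_where(rules, src=None, dst=None):
    """Mirror of the lab's 'firewall rule where src vm = X and dst vm = Y'
    search: return the rules that name the given endpoints (or ANY)."""
    return [r for r in rules
            if (src is None or r.src in (ANY, src))
            and (dst is None or r.dst in (ANY, dst))]


def missing_flows(expected, observed):
    """Intended flows for which no matching flow record was observed."""
    return expected - observed


def explain(flow: Flow, rules) -> str:
    """First-match evaluation per direction (source outbound, then destination
    inbound). A DENY hit is the answer the lab reaches; no hit at all is the
    implicit deny; an allow in both directions points away from the firewall."""
    for direction in ("Outbound", "Inbound"):
        hit = next((r for r in rules
                    if r.direction == direction and r.matches(flow)), None)
        if hit is None:
            return f"no {direction.lower()} rule matches (implicit deny)"
        if hit.action == "DENY":
            return (f"DENY by {direction.lower()} rule "
                    f"{hit.src}->{hit.dst}:{hit.port or 'any'}")
    return "allowed in both directions; investigate the endpoint, not the firewall"


def diagnose(expected, observed, rules):
    """Map every missing intended flow to the reason the rule set gives."""
    return {flow: explain(flow, rules)
            for flow in missing_flows(expected, observed)}


if __name__ == "__main__":
    report = diagnose(EXPECTED, OBSERVED, RULES)
    for flow in sorted(report, key=lambda f: (f.src, f.dst, f.port)):
        print(f"{flow.src} -> {flow.dst}:{flow.port}  missing: {report[flow]}")
```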

Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 109HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to DB

HOL-1829-01-NET

Page 110HOL-1829-01-NET

1 The App tier talks to DB tier on Port 33062 Click X to continue

HOL-1829-01-NET

Page 111HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Yellow Line to explore the flows This will reveal flows from DC

Virtual to App

HOL-1829-01-NET

Page 112HOL-1829-01-NET

1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • Services/Ports
              • Services/Ports - Time line view
              • Services/Ports - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLAN/VXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management & Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • Warning/Moderate Issues
                                      • Warning/Moderate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1. The App tier talks to the DB tier on port 3306.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the yellow line to explore the flows. This will reveal flows from DC Virtual to App.


1. DC Virtual (jump box) talks to the App tier on port 22.
2. Click X to continue.


1. Hover over the App micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from App to Shared Virtual.


1. The App tier talks to Shared Virtual on ports 53 and 514.
2. Click X to continue.


1. Hover over the DB micro-segment.
2. Click on Keep Focus.
3. Click on the blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have any flow for port 514 (syslog).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string, which was copied when duplicating the previous tab, and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.





1 DC Virtual (jump box) talks to App tier on Port 222 Click X to continue

HOL-1829-01-NET

Page 113HOL-1829-01-NET

1 Hover over to App Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from App to

Shared Virtual

HOL-1829-01-NET

Page 114HOL-1829-01-NET

1 The App tier talks to Shared Virtual on Port 53 and 514 respectively2 Click X to continue

HOL-1829-01-NET

Page 115HOL-1829-01-NET

1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1 By design the DB should be pushing logs to aws-log-server ie on port 514(Syslog) but the flow reveals that there is only one service ie port 53 aws-DNS-Server Effectively no communication to syslog server (which is the back upservice)

2 Click X to continue

Firewall Queries for CRM Application

To further troubleshoot the issue the administrator executes three firewall queries toestablish why DB to Shared Virtual does not have flow(s) for port 514 (syslog)

HOL-1829-01-NET

Page 116HOL-1829-01-NET

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and type the new search query: firewall action of flows where dst vm = aws-log-server. This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).
2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server.
2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right-click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied when duplicating the previous tab) and replace it by typing the new search string: aws firewall rule where src vm = crm-database and dst vm = aws-log-server.
2. Click Search.
3. This will return 2 results, both Outbound rules, which further explains the firewall behaviour from crm-database to aws-log-server: the outbound side is permitted, so the missing piece is the inbound side on the log server.
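The micro-segment flow view and the three firewall queries above can be reproduced offline; the Python below is an added example, not part of the lab manual or of vRealize Network Insight, with constructed flow records and AWS-style security group rules (default-deny, so a flow needs both an outbound rule on the source and an inbound rule on the destination), functions mirroring the lab's two query forms, and a check for expected flows that never appear as allowed. crm-web2, crm-midtier1, crm-midtier2 and dc-virtual are assumed names, and the rule set is an assumption chosen so that the query results come out with the same counts the lab reports.

```python
"""Expected-flow audit for the CRM three-tier application (added example).

All flow records and security group rules here are constructed. crm-web1,
crm-database, aws-log-server and aws-DNS-Server are names from the lab;
crm-web2, crm-midtier1, crm-midtier2 and dc-virtual are assumed, and the
rules are an assumption about the lab's AWS account, not data from it.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    port: int


@dataclass(frozen=True)
class SGRule:
    direction: str  # "inbound" or "outbound", relative to `vm`
    vm: str         # VM whose security group carries the rule
    peer: str       # remote VM the rule names, or "any"
    port: int


# Constructed flows, including the database's attempted (denied) syslog flow.
FLOWS = [
    Flow("dc-virtual", "crm-midtier1", 22),
    Flow("crm-web1", "aws-DNS-Server", 53),
    Flow("crm-web1", "aws-log-server", 514),
    Flow("crm-web2", "aws-log-server", 514),
    Flow("crm-midtier1", "aws-log-server", 514),
    Flow("crm-midtier2", "aws-log-server", 514),
    Flow("crm-database", "aws-DNS-Server", 53),
    Flow("crm-database", "aws-log-server", 514),
]

# Constructed security group rules. AWS security groups are default-deny: a
# flow passes only if an outbound rule on the source AND an inbound rule on
# the destination permit it. aws-log-server has no inbound rule naming
# crm-database, which is the gap the lab's queries expose.
LOG_CLIENTS = ("crm-web1", "crm-web2", "crm-midtier1", "crm-midtier2")
SG_RULES = [
    SGRule("outbound", "dc-virtual", "any", 22),
    SGRule("inbound", "crm-midtier1", "dc-virtual", 22),
    SGRule("inbound", "aws-DNS-Server", "any", 53),
    SGRule("outbound", "crm-web1", "any", 53),
    SGRule("outbound", "crm-database", "any", 53),
    *[SGRule("outbound", vm, "aws-log-server", 514) for vm in (*LOG_CLIENTS, "crm-database")],
    *[SGRule("inbound", "aws-log-server", vm, 514) for vm in LOG_CLIENTS],
]

# Flows the application design requires: every tier ships syslog to aws-log-server.
EXPECTED = [Flow(vm, "aws-log-server", 514) for vm in (*LOG_CLIENTS, "crm-database")]


def _permits(rule: SGRule, direction: str, vm: str, peer: str, port: int) -> bool:
    return (rule.direction == direction and rule.vm == vm
            and rule.port == port and rule.peer in ("any", peer))


def firewall_action(flow: Flow, rules: list[SGRule] = SG_RULES) -> tuple[str, list[str]]:
    """Evaluate a flow against the rules: ("ALLOW", []) or ("DENY", [missing sides])."""
    missing = []
    if not any(_permits(r, "outbound", flow.src_vm, flow.dst_vm, flow.port) for r in rules):
        missing.append("outbound")
    if not any(_permits(r, "inbound", flow.dst_vm, flow.src_vm, flow.port) for r in rules):
        missing.append("inbound")
    return ("DENY", missing) if missing else ("ALLOW", [])


def firewall_action_of_flows(dst_vm: str, flows=FLOWS, rules=SG_RULES) -> list[tuple[Flow, str]]:
    """Mirror of the lab query 'firewall action of flows where dst vm = <dst_vm>'."""
    return [(f, firewall_action(f, rules)[0]) for f in flows if f.dst_vm == dst_vm]


def firewall_rules_between(src_vm: str, dst_vm: str, rules=SG_RULES) -> list[SGRule]:
    """Mirror of 'aws firewall rule where src vm = <src_vm> and dst vm = <dst_vm>'."""
    return [r for r in rules
            if (r.direction == "outbound" and r.vm == src_vm and r.peer in ("any", dst_vm))
            or (r.direction == "inbound" and r.vm == dst_vm and r.peer in ("any", src_vm))]


def missing_expected_flows(expected, flows=FLOWS, rules=SG_RULES) -> list[tuple[Flow, list[str]]]:
    """Expected flows never seen as allowed, each with the rule side(s) that are absent."""
    allowed = {f for f in flows if firewall_action(f, rules)[0] == "ALLOW"}
    return [(e, firewall_action(e, rules)[1]) for e in expected if e not in allowed]


if __name__ == "__main__":
    for flow, action in firewall_action_of_flows("aws-log-server"):
        print(f"{action:5} {flow.src_vm} -> {flow.dst_vm}:{flow.port}")
    for flow, gaps in missing_expected_flows(EXPECTED):
        print(f"MISSING {flow.src_vm} -> {flow.dst_vm}:{flow.port} (no {' or '.join(gaps)} rule)")
```

Running the script lists the 4 allowed and 1 denied syslog flows into aws-log-server and names crm-database's missing inbound rule as the cause, which is the conclusion the three manual queries reach.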


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226







1 Hover over to DB Micro-segment2 Click on Keep Focus3 Click on the Blue line to explore the flows This will reveal flows from DB to

Shared Virtual

1. By design, the DB should be pushing logs to aws-log-server, i.e. on port 514 (Syslog), but the flow reveals only one service, i.e. port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).

2. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator executes three firewall queries to establish why DB to Shared Virtual does not have any flow(s) for port 514 (syslog).


1. In the Chrome web browser, right click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (it was copied over when the previous tab was duplicated) and type the new search query:

   firewall action of flows where dst vm = aws-log-server

   This will return 5 results, i.e. 4 Allow (for web and midtier) and 1 Deny (for DB).

2. Click Search.
3. Click on the DENY checkbox so we can focus on the deny rule.

We can see a DENY rule which is preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


1. In the Chrome web browser, right click the current tab.
2. Select Duplicate from the menu.


1. Remove the current search string (copied over when the previous tab was duplicated) and replace it by typing the new search string:

   aws firewall rule where src vm = crm-web1 and dst vm = aws-log-server

2. Click Search.
3. This will return 3 results, i.e. 1 Inbound and 2 Outbound rules. The result of this query validates the communication from crm-web1 to aws-log-server.

1. In the Chrome web browser, right click the current tab.
2. Select Duplicate from the menu.

1. Remove the current search string (copied over when the previous tab was duplicated) and replace it by typing the new search string:

   aws firewall rule where src vm = crm-database and dst vm = aws-log-server

2. Click Search.
3. This will return 2 results, both Outbound rules (no Inbound rule, unlike the crm-web1 query), which further explains the firewall rule behaviour from crm-database to aws-log-server.
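The three queries follow one line of reasoning: the flow list for the log server shows the single deny, and the per-pair rule queries show which side lacks an allow rule. The Python below is an added example, not part of the lab guide or of vRealize Network Insight, that models the same check over a constructed security-group rule set; it assumes standard AWS security-group semantics (allow-only rules, and both the source's outbound rule and the destination's inbound rule must match), uses the lab's VM names and ports, and arranges its constructed rules so the same three queries return the lab's counts.

```python
"""Security-group policy check for the lab's CRM three-tier application.

Added example; not part of the lab guide or of vRealize Network Insight.
Assumption: AWS security-group semantics, i.e. rules are allow-only and a flow
passes only when an OUTBOUND rule on the source AND an INBOUND rule on the
destination both match; anything unmatched is implicitly denied.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str  # "outbound" (attached to the source) or "inbound" (to the destination)
    src: str        # source VM name, or "*" for any
    dst: str        # destination VM name, or "*" for any
    proto: str      # "tcp", "udp" or "*"
    port: int       # destination port, 0 = any

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and self.proto in ("*", proto) and self.port in (0, port))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def rules_between(src: str, dst: str, rules: List[Rule]) -> List[Rule]:
    """Counterpart of 'aws firewall rule where src vm = X and dst vm = Y'."""
    return [r for r in rules if r.src in ("*", src) and r.dst in ("*", dst)]


def firewall_action(flow: Flow, rules: List[Rule]) -> Tuple[str, str]:
    """Return ("ALLOW" | "DENY", reason); a DENY names the side missing an allow rule."""
    out_ok = any(r.direction == "outbound"
                 and r.matches(flow.src, flow.dst, flow.proto, flow.port) for r in rules)
    in_ok = any(r.direction == "inbound"
                and r.matches(flow.src, flow.dst, flow.proto, flow.port) for r in rules)
    if out_ok and in_ok:
        return "ALLOW", "outbound and inbound rules both match"
    missing = []
    if not out_ok:
        missing.append(f"no outbound rule on {flow.src}")
    if not in_ok:
        missing.append(f"no inbound rule on {flow.dst}")
    return "DENY", "; ".join(missing)


def firewall_actions_to(dst: str, flows: List[Flow], rules: List[Rule]) -> List[Tuple[Flow, str]]:
    """Counterpart of 'firewall action of flows where dst vm = X'."""
    return [(f, firewall_action(f, rules)[0]) for f in flows if f.dst == dst]


def policy_gaps(intended: List[Flow], rules: List[Rule]) -> List[Tuple[Flow, str]]:
    """Intended application flows that the current rule set would deny, with the reason."""
    gaps = []
    for f in intended:
        action, reason = firewall_action(f, rules)
        if action == "DENY":
            gaps.append((f, reason))
    return gaps


# --- constructed data (not exported from any real AWS account) ---------------
CRM_TIERS = ["crm-web1", "crm-web2", "crm-midtier1", "crm-midtier2", "crm-database"]


def build_rules() -> List[Rule]:
    rules: List[Rule] = []
    for vm in CRM_TIERS:
        # every tier may send syslog (tcp or udp 514) and DNS queries
        rules.append(Rule("outbound", vm, "aws-log-server", "udp", 514))
        rules.append(Rule("outbound", vm, "aws-log-server", "tcp", 514))
        rules.append(Rule("outbound", vm, "aws-DNS-Server", "udp", 53))
    for vm in CRM_TIERS[:-1]:
        # the inbound allow on the log server was added for web and midtier only;
        # this is the rule the lab finds missing for crm-database
        rules.append(Rule("inbound", vm, "aws-log-server", "*", 514))
    rules.append(Rule("inbound", "*", "aws-DNS-Server", "udp", 53))
    return rules


RULES = build_rules()

# flows as a collector would report them: every tier tried to ship syslog, and
# the DB also resolved names (the one DB flow the lab does see)
OBSERVED_FLOWS = [Flow(vm, "aws-log-server", "udp", 514) for vm in CRM_TIERS] + [
    Flow("crm-database", "aws-DNS-Server", "udp", 53)]

# what the application design says crm-database must be able to reach
INTENDED_DB_FLOWS = [Flow("crm-database", "aws-log-server", "udp", 514),
                     Flow("crm-database", "aws-DNS-Server", "udp", 53)]

if __name__ == "__main__":
    for flow, action in firewall_actions_to("aws-log-server", OBSERVED_FLOWS, RULES):
        print(f"{flow.src:14s} -> {flow.dst}:{flow.port}  {action}")
    for flow, reason in policy_gaps(INTENDED_DB_FLOWS, RULES):
        print(f"GAP: {flow.src} -> {flow.dst}:{flow.port}/{flow.proto}: {reason}")
```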


Conclusion

Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility and management.

For More Information

How to End Lab

To end your lab, click on the END button; otherwise, click on a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226


  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and type new search query firewall action of flows where dstvm = aws-log-server This will return 5 results ie 4 Allow (for web andmidtier) and 1 Deny (for DB)

2 Click Search3 click on the DENY checkbox so we can focus on the deny rule

We can see a DENY rule which is preventing crm-databse to communicate with aws-log-server on port 514 Which indicates that AWS Admin forgot to add rule to allowtraffic from (Database) crm-database to (syslog server) aws-log-Server

HOL-1829-01-NET

Page 117HOL-1829-01-NET

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1 On Chrome web browser right click2 Select Duplicate from the the menu

HOL-1829-01-NET

Page 118HOL-1829-01-NET

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
          • Module 1 - Micro-Segmentation and Security (30 minutes)
            • Introduction
            • Micro-Segmentation Introduction
              • Lab Status Check
              • Open Google Chrome
              • Select vRealize Network Insight Favorite
              • vRealize Network Insight - Login Screen
              • Plan Security
              • Plan Security - Specify a Preset
              • Overview - Traffic Distribution (Left Pane)
              • Traffic Distribution - Overview (Right pane)
              • East-West (EW) - Traffic
              • East-West (EW) - Detailed view
              • ServicesPorts
              • ServicesPorts - Time line view
              • ServicesPorts - Point in Time Service
              • Flows for Port 5443
              • Flow Key Properties - Timeline view
              • Flow Key Properties - Timeline view
              • Micro-Segments
              • Focus - 101780 Network
              • Focus - VLANVXLAN
              • Focus - Prod-Web (25)
              • Flows - Prod-Web to Prod-Midtier
              • Flows - Recommended Firewall Rules
              • Multiple Ports and Firewall rules for Prod-web
              • Services and Flows for Prod-Web
              • Application-Centric Micro-Segmentation
              • Define an Application
              • Security Group Prod_MidTier
              • Results - PROD_MIDTIER
              • Security Group Prod_MidTier - Timeline
              • Security Group Firewall Topology
              • Tracking Prod_MidTier
              • Lab-Midtier
              • Firewall Rule - Tracking
              • Port Search
              • Export Firewall Rules
              • Firewall Rule Membership Change
              • Audit Rule - Firewall Rule Membership Changes
              • User-defined Event
              • Settings
              • System Notifications
                • Conclusion
                  • For More Information
                  • How to End Lab
                      • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
                        • Introduction
                        • 360 Network Visibility and Troubleshooting
                          • Open Google Chrome
                          • Select vRealize Network Insight Favorite
                          • vRealize Network Insight - Login Screen
                          • Path and Topology
                          • Path - Select source and destination
                          • Path - source and destination continued
                          • Path - source and destination continued
                          • Searching for path
                          • VM Path Topology and VM Underlay
                          • VM Path Topology - Path Details
                          • Component Overview
                          • Virtual Machine - Details
                          • Physical ESXi Hosts
                          • Host - Details
                          • DVPG on the map
                          • DVPG
                          • VLAN-629 on the map
                          • VLAN Network
                          • Switch ports on the map
                          • Switch Port
                          • Physical VRF on the map
                          • VRF - Physical Switch
                          • VRF - continued
                          • VRF - Physical Router
                          • VRF - continued
                          • VRF - Physical Switch
                          • Accessing the virtual infrastructure
                          • VRF - NSX Provider Edge 1
                          • VXLAN on the map
                          • VXLAN Network
                          • VRF - LDR
                          • VRF - LDR-Corporate
                          • Routing - NSX Firewall
                          • Firewall - NSX
                          • Redirect on the map - PAN Firewall
                          • Firewall - PAN
                          • Reversing the analysis
                          • Reversing the analysis continued
                          • VM Underlay
                            • Conclusion
                              • For More Information
                              • How to End Lab
                                  • Module 3 - Advanced NSX Management amp Operations (45 minutes)
                                    • Introduction
                                    • NSX Advanced Management Operations
                                      • Lab Status Check
                                      • Open Google Chrome
                                      • Select vRealize Network Insight Favorite
                                      • vRealize Network Insight - Login Screen
                                      • Search Bar - NSX Manager
                                      • NSX Manager Information
                                      • Timeline - Visual Build-up
                                      • Topology - Focus on the NSX Controller
                                      • NSX Controller - Detail
                                      • Topology - Explained
                                      • Provider Edge
                                      • Routers Provider Edge 4
                                      • Return to Search View - NSX Manager
                                      • Infrastructure Problems - Warning Moderate
                                      • WarningModerate Issues
                                      • WarningModerate Issues (Continued)
                                        • Hands-on Labs Interactive Simulation Advanced NSX Management amp Operations
                                        • Conclusion
                                          • For More Information
                                          • How to End Lab
                                              • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
                                                • Introduction
                                                • Introduction to Managing Security for Public Clouds (AWS)
                                                  • Lab Status Check
                                                  • Open Google Chrome
                                                  • Select vRealize Network Insight Favorite
                                                  • vRealize Network Insight - Login Screen
                                                  • AWS Configuration
                                                  • Plan Security - AWS Cloud
                                                  • Exploring the Three Tier Application - Step by Step
                                                  • Firewall Queries for CRM Application
                                                    • Conclusion
                                                      • For More Information
                                                      • How to End Lab
                                                        • Conclusion

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-web1 and dst vm = aws-log-server

2 Click Search3 This will return 3 results ie 1 Inbound and 2 Outbound rules The result of this

query validates the communication from crm-web1 to aws-log-server

1 On Chrome web browser right click2 Select duplicate from the the menu

1 Remove the current search string which has been copied when duplicatingprevious tab and replace it by typing new search string aws firewall rulewhere src vm = crm-database and dst vm = aws-log-server

2 Click Search3 This will return 2 results for Outbound rules further explaining the firewall rule

behaviour from crm-database to aws-log-server

HOL-1829-01-NET

Page 119HOL-1829-01-NET

ConclusionCongratulations on completing Module 4

This module demonstrated the vRealize Network Insight capability to understand trafficpatterns and plan micro-segmentation across your private and public cloudenvironments This capability offers unparalleled visibility into public and private cloudsfor micro-segmentation planning network visibility and management

For More Information

How to End Lab

To end your lab click on the END button else click on a module to from the list above tocontinue

HOL-1829-01-NET

Page 120HOL-1829-01-NET

ConclusionThank you for participating in the VMware Hands-on Labs Be sure to visithttpholvmwarecom to continue your lab experience online

Lab SKU HOL-1829-01-NET

Version 20171010-152226

HOL-1829-01-NET

Page 121HOL-1829-01-NET

  • Table of Contents
  • Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight
    • Lab Guidance
      • Location of the Main Console
      • Alternate Methods of Keyboard Data Entry
      • Click and Drag Lab Manual Content Into Console Active Window
      • Accessing the Online International Keyboard
      • Click once in active console window
      • Click on the key
      • vRealize Network Insight - Navigation
      • Activation Prompt or Watermark
      • Look at the lower right portion of the screen
  • Module 1 - Micro-Segmentation and Security (30 minutes)
    • Introduction
    • Micro-Segmentation Introduction
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Plan Security
      • Plan Security - Specify a Preset
      • Overview - Traffic Distribution (Left Pane)
      • Traffic Distribution - Overview (Right pane)
      • East-West (EW) - Traffic
      • East-West (EW) - Detailed view
      • Services/Ports
      • Services/Ports - Time line view
      • Services/Ports - Point in Time Service
      • Flows for Port 5443
      • Flow Key Properties - Timeline view
      • Flow Key Properties - Timeline view
      • Micro-Segments
      • Focus - 101780 Network
      • Focus - VLAN/VXLAN
      • Focus - Prod-Web (25)
      • Flows - Prod-Web to Prod-Midtier
      • Flows - Recommended Firewall Rules
      • Multiple Ports and Firewall rules for Prod-web
      • Services and Flows for Prod-Web
      • Application-Centric Micro-Segmentation
      • Define an Application
      • Security Group Prod_MidTier
      • Results - PROD_MIDTIER
      • Security Group Prod_MidTier - Timeline
      • Security Group Firewall Topology
      • Tracking Prod_MidTier
      • Lab-Midtier
      • Firewall Rule - Tracking
      • Port Search
      • Export Firewall Rules
      • Firewall Rule Membership Change
      • Audit Rule - Firewall Rule Membership Changes
      • User-defined Event
      • Settings
      • System Notifications
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)
    • Introduction
    • 360 Network Visibility and Troubleshooting
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Path and Topology
      • Path - Select source and destination
      • Path - source and destination continued
      • Path - source and destination continued
      • Searching for path
      • VM Path Topology and VM Underlay
      • VM Path Topology - Path Details
      • Component Overview
      • Virtual Machine - Details
      • Physical ESXi Hosts
      • Host - Details
      • DVPG on the map
      • DVPG
      • VLAN-629 on the map
      • VLAN Network
      • Switch ports on the map
      • Switch Port
      • Physical VRF on the map
      • VRF - Physical Switch
      • VRF - continued
      • VRF - Physical Router
      • VRF - continued
      • VRF - Physical Switch
      • Accessing the virtual infrastructure
      • VRF - NSX Provider Edge 1
      • VXLAN on the map
      • VXLAN Network
      • VRF - LDR
      • VRF - LDR-Corporate
      • Routing - NSX Firewall
      • Firewall - NSX
      • Redirect on the map - PAN Firewall
      • Firewall - PAN
      • Reversing the analysis
      • Reversing the analysis continued
      • VM Underlay
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 3 - Advanced NSX Management & Operations (45 minutes)
    • Introduction
    • NSX Advanced Management Operations
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • Search Bar - NSX Manager
      • NSX Manager Information
      • Timeline - Visual Build-up
      • Topology - Focus on the NSX Controller
      • NSX Controller - Detail
      • Topology - Explained
      • Provider Edge
      • Routers Provider Edge 4
      • Return to Search View - NSX Manager
      • Infrastructure Problems - Warning/Moderate
      • Warning/Moderate Issues
      • Warning/Moderate Issues (Continued)
    • Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations
    • Conclusion
      • For More Information
      • How to End Lab
  • Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)
    • Introduction
    • Introduction to Managing Security for Public Clouds (AWS)
      • Lab Status Check
      • Open Google Chrome
      • Select vRealize Network Insight Favorite
      • vRealize Network Insight - Login Screen
      • AWS Configuration
      • Plan Security - AWS Cloud
      • Exploring the Three Tier Application - Step by Step
      • Firewall Queries for CRM Application
    • Conclusion
      • For More Information
      • How to End Lab
  • Conclusion
