VMware NSX | L3 Routing | Logical Router | NSX Edge Installation

Topology Diagram:


NSX Edge:
It is the point of communication between the NSX (virtual) world and the physical world.
NSX Edge is a gateway service that provides access to physical and virtual networks for VMs. NSX Edge can be installed as a distributed virtual router or as a services gateway.
It can be used as a DHCP server, VPN, load balancer, NAT, and firewall.

Following are the Steps to Install NSX Edge:

Step 1: Use Installation Type "Edge Services Gateway". For a quick installation you can uncheck "Deploy NSX Edge"; if it is checked you need to manually configure each setting.



Step 2: Create the login credentials; the password has to be 12 characters long. Also enable SSH access to the Edge router.


Step 3: Specify the installation host details. Here I'm installing on ESXi Host1 through a shared datastore via the iSCSI interface.



Step 4: Create internal links and uplinks.
Internal links are connected to the virtual world; here the interface IP address is 192.168.10.1/29.

Step 5: Create uplinks, which are connected to the physical world.


Step 6: Since we created an uplink we can specify a default gateway, which acts as the default route towards that IP address.

Step 7: You can enable or disable firewall policies, with the action set to accept or deny.


Final step: Verify the configuration and click Finish to complete the installation.

Installation is in Progress:-

Installation Completed: 


Logical Router:
It handles communication within the NSX world, between logical switches.

Following are the Steps to Install NSX Logical Router:

Step 1: Use Installation Type "Logical Router". For a quick installation you can uncheck "Deploy NSX Edge"; if it is checked you need to manually configure each setting.

Step 2: Specify the installation host details. Here I'm installing on ESXi Host1 through a shared datastore via the iSCSI interface.


Step 3: Create internal links and uplinks.
Internal links are connected to the virtual world on the server side, with the following interface IP addresses:
a) WEB servers: 172.16.60.0/24 -> INTERNAL
b) Windows O.S.: 172.16.70.0/24 -> INTERNAL
c) Transit link: 192.168.10.0/29 -> UPLINK

Step 4: Since we created an uplink we can specify a default gateway, which acts as the default route towards that IP address. Here our NSX Edge router will be our default gateway.




Final step: Verify the configuration and click Finish to complete the installation.



Installation is in Progress:-


Installation Completed: -


VERIFICATION:-

From the Windows PC (172.16.70.0/24) we are able to ping fin-web01 (172.16.60.20) and fin-db01 (172.16.60.22).




ISSUE:
From fin-db01 (172.16.60.22) we are able to ping 192.168.10.2; however, we are unable to ping 192.168.10.1.


REASON:
There are no return routes (static or dynamic) defined in the NSX Edge router pointing towards the Logical Router, so the Edge cannot send replies back to 172.16.60.0/24.
Define static routes in the NSX Edge pointing towards the Logical Router as shown below:


From fin-db01 (172.16.60.22) we are now able to ping 192.168.10.1 successfully!
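The ping failure and its fix can be reproduced with a small routing model. The following is an added example, not code from the original post or from VMware: a toy longest-prefix-match router that walks the echo request and the echo reply separately, so the missing return route on the Edge shows up as a drop in the reply direction. The prefixes and the transit addresses 192.168.10.1 / 192.168.10.2 come from the post; the Logical Router's internal interface addresses (172.16.60.1, 172.16.70.1) are assumed.

```python
# Added example (not from the original post): a tiny longest-prefix-match router
# model that reproduces the ping failure and its fix. Prefixes and the
# 192.168.10.1 / 192.168.10.2 transit addresses come from the post; the Logical
# Router's internal interface addresses (172.16.60.1, 172.16.70.1) are assumed.
import ipaddress


class Router:
    def __init__(self, name, connected):
        """connected maps a directly attached prefix to this router's own address on it."""
        self.name = name
        self.addresses = set()
        self.routes = []  # (network, next_hop); next_hop None = directly connected
        for prefix, addr in connected.items():
            self.routes.append((ipaddress.ip_network(prefix), None))
            self.addresses.add(ipaddress.ip_address(addr))

    def add_static(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None when no route exists."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def forward(routers, start, dst, trace, max_hops=8):
    """Walk a packet from router `start` toward dst. True when dst lies on a
    connected segment of the router we reach, False on a missing route."""
    by_addr = {a: r for r in routers for a in r.addresses}
    router = start
    for _ in range(max_hops):
        route = router.lookup(dst)
        if route is None:
            trace.append(f"{router.name}: no route to {dst}, dropped")
            return False
        net, nh = route
        if nh is None:
            trace.append(f"{router.name}: {dst} is on connected {net}, delivered")
            return True
        trace.append(f"{router.name}: {dst} via {nh}")
        router = by_addr.get(nh)
        if router is None:
            trace.append(f"next hop {nh} is not a known router, dropped")
            return False
    trace.append("hop limit exceeded")
    return False


def ping(routers, src, src_gw, dst, dst_gw):
    """Echo request src->dst from src's gateway, then echo reply dst->src from
    dst's gateway. Returns (success, trace) so both directions are visible."""
    trace = []
    if not forward(routers, src_gw, dst, trace):
        return False, trace
    trace.append(f"{dst} sends echo reply to {src}")
    return forward(routers, dst_gw, src, trace), trace


def build_lab(with_return_routes):
    edge = Router("NSX-Edge", {"192.168.10.0/29": "192.168.10.1"})
    lr = Router("Logical-Router", {
        "172.16.60.0/24": "172.16.60.1",    # assumed LR interface addresses
        "172.16.70.0/24": "172.16.70.1",
        "192.168.10.0/29": "192.168.10.2",  # transit uplink, from the post
    })
    lr.add_static("0.0.0.0/0", "192.168.10.1")  # default route toward the Edge
    if with_return_routes:
        # the fix from the post: static routes on the Edge back to the LR
        edge.add_static("172.16.60.0/24", "192.168.10.2")
        edge.add_static("172.16.70.0/24", "192.168.10.2")
    return edge, lr


if __name__ == "__main__":
    for fixed in (False, True):
        edge, lr = build_lab(fixed)
        ok, trace = ping([edge, lr], "172.16.60.22", lr, "192.168.10.1", edge)
        print(f"return routes on Edge={fixed}: ping {'OK' if ok else 'FAILED'}")
        print("  " + "\n  ".join(trace))
```

Running it prints the request reaching 192.168.10.1 in both cases and the reply being dropped at the Edge only when the static routes are absent, which is exactly the asymmetric situation behind "can ping .2 but not .1". The same model shows why the Windows PC could always reach the web and DB servers: that traffic never leaves the Logical Router.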




VMware NSX Loadbalancer

We can also use our NSX Edge as an inbuilt load balancer. Following is the sample topology diagram:

The source is my Windows XP machine with IP address 172.16.70.11, and there are two destination servers:
a)fin-web01a(172.16.60.20)
b)hr-web01a(172.16.60.10)

Now we are going to load balance the traffic between these two servers.

Step 1: Create a vNIC IP address on the NSX Edge. In this case I used 172.16.99.99 as my virtual IP address.

Step 2: Go to NSX Edge > Manage > Load Balancer and enable the Load Balancer option as shown.

Step 3: Create a server pool with service port 443 and the ROUND-ROBIN algorithm, containing:
a)fin-web01a(172.16.60.20)
b)hr-web01a(172.16.60.10)


Step 4: Now create the virtual server IP address and attach the above pool to it.

TESTING:- 
Browse: https://172.16.99.99/


VMware NSX Firewall Policies

The NSX Distributed Firewall is a stateful firewall, meaning it monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
A flow is identified by the following 5-tuple:
- Source address
- Source port
- Destination address
- Destination port
- Protocol

Let's consider the following topology:


Source: 172.16.70.11
Destination: 172.16.60.20

By default the NSX Distributed Firewall allows all traffic. I'm creating a rule to block the above traffic.

Firewall sources/destinations can be defined in the following ways:
1) Cluster
2) Datacenter
3) IP Sets
4) Logical Switch
5) Port Group
6) Distributed Virtual Port Group

Security Groups:
1) Dynamic Inclusion:
Example: Computer OS name, Computer Name, VM Name, Security Tag.

2) Static Inclusion/Exclusion:
Example: Cluster, Datacenter, IP Sets, Logical Switch, AD Groups, MAC Sets, DVS Port Groups, vNIC.

From NSX 6.1 onwards we have a new feature called "Partner Security Services", where we can redirect the policy to 3rd-party firewalls such as Palo Alto.

In our example I'm using a static inclusion (Logical Switch name) as the source and a static inclusion (IP Sets) as the destination.

Before the block rule:
I'm able to access the web server as shown below:


Create the source. Here I'm using the logical switch name Windows_Tier as my source address.
Any VM connected to this logical switch will act as my source.

Following is the list of object types we can use; here I'm using IP Sets as my destination.


Create a new IP Set as my destination IP address, in the format <IP address/subnet mask> or as a range.


After creating the IP Set, select it, move it to the right side and click SAVE.



Below is the rule created with source Logical Switch: Windows_Tier, destination address 172.16.60.20, service HTTPS and action BLOCK.


After enabling the block rule:




Only HTTPS is blocked; ping/ICMP traffic is still allowed because the rule's service is HTTPS only.
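To make the rule semantics and the "stateful" part concrete, here is an added example that is not code from the original post or from VMware: a toy model of the Distributed Firewall with the exact rule above (source = logical switch Windows_Tier, destination = IP Set 172.16.60.20, service HTTPS, action BLOCK) and a flow table keyed on the 5-tuple. The inventory dictionaries (which VM sits on which logical switch, the IP Set contents) are constructed; the NSX default of allowing everything unmatched is kept.

```python
# Added example (not from the original post): a toy model of the Distributed
# Firewall rule above plus stateful flow tracking on the 5-tuple. Object names,
# member VMs and the rule come from the post; the flow table is a simplification.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: VMs attached to each logical switch, IP Sets, services.
LOGICAL_SWITCH_MEMBERS = {"Windows_Tier": {"172.16.70.11"}}
IP_SETS = {"fin-web01a": {"172.16.60.20/32"}}
SERVICES = {"https": ("tcp", 443), "http": ("tcp", 80), "icmp": ("icmp", None)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str


@dataclass(frozen=True)
class Rule:
    src_switch: str   # static inclusion by logical switch name
    dst_ipset: str    # static inclusion by IP Set
    service: str
    action: str       # "allow" or "block"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.src not in LOGICAL_SWITCH_MEMBERS.get(rule.src_switch, set()):
        return False
    dst = ipaddress.ip_address(pkt.dst)
    if not any(dst in ipaddress.ip_network(n) for n in IP_SETS.get(rule.dst_ipset, set())):
        return False
    proto, port = SERVICES[rule.service]
    return pkt.proto == proto and (port is None or pkt.dport == port)


class StatefulFirewall:
    def __init__(self, rules, default_action="allow"):
        self.rules = list(rules)
        self.default_action = default_action  # NSX DFW default is allow all
        self.flows = set()  # 5-tuples of flows already permitted

    @staticmethod
    def key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def reverse_key(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def process(self, pkt: Packet) -> str:
        # Packets of an already permitted flow, in either direction, bypass the
        # rule walk: that is what "stateful" means in practice.
        if self.key(pkt) in self.flows or self.reverse_key(pkt) in self.flows:
            return "allow (established)"
        for rule in self.rules:   # first match wins, top to bottom
            if rule_matches(rule, pkt):
                if rule.action == "allow":
                    self.flows.add(self.key(pkt))
                return rule.action
        if self.default_action == "allow":
            self.flows.add(self.key(pkt))
        return self.default_action


def demo():
    """Replays the post's scenario: HTTPS from the Windows VM is blocked, ICMP passes."""
    fw = StatefulFirewall([Rule("Windows_Tier", "fin-web01a", "https", "block")])
    return {
        "https": fw.process(Packet("172.16.70.11", 50001, "172.16.60.20", 443, "tcp")),
        "http": fw.process(Packet("172.16.70.11", 50002, "172.16.60.20", 80, "tcp")),
        "icmp": fw.process(Packet("172.16.70.11", None, "172.16.60.20", None, "icmp")),
        "icmp_reply": fw.process(Packet("172.16.60.20", None, "172.16.70.11", None, "icmp")),
        "other_src_https": fw.process(Packet("172.16.70.12", 50003, "172.16.60.20", 443, "tcp")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

Two details worth noticing: a host that is not attached to Windows_Tier (172.16.70.12 in the constructed inventory) is not matched by the rule even though it uses HTTPS to the same server, and the ICMP reply from the web server is accepted as "established" via the reversed 5-tuple rather than by any rule.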


Installing Logical Switch


Create a Segment ID pool. In NSX the size of the Segment ID pool determines how many logical switches can be created. Segment IDs are like VLAN IDs,
but VLAN IDs range from 1 to 4094, whereas Segment IDs range from 1 to 16,777,215. Here we are using 5000 to 6000.

  1. Log in to the vSphere Web Client.
  2. Navigate to Home > Networking & Security > Logical Switches.
  3. Click Add or the New Logical Switch ( + ) icon.
  4. Type a name and optional description for the logical switch.
  5. Select the transport zone in which you want to create the logical switch.
    By default, the logical switch inherits the control plane replication mode from the transport zone.


As you can see in the above diagram, we have 3 different VMs connected to the same logical switch.
This means all 3 VMs have to be in the same network, and all 3 VMs will communicate via the logical switch.

++A transport zone controls which hosts a logical switch can reach. It can span one or more vSphere clusters. Transport zones dictate which clusters and, therefore, which VMs can participate in the use of a particular network.
Here I'm using the Global transport zone with replication mode Unicast.

Multicast: Multicast sends a single packet from a source device to multiple destinations. This option requires Protocol Independent Multicast (PIM) as well as IGMP to be enabled in your environment. The documentation states it's only recommended when you are upgrading from older VXLAN deployments.
Unicast: The NSX Controller handles the control plane.
Hybrid: A combination of both multicast and unicast.

Once the logical switch is added, double-click the newly created logical switch and start assigning virtual machines to it as shown below.
Example: Logical switch name: Windows_Tier

Each logical switch that you create receives an ID from the segment ID pool, and a virtual wire is created. The virtual wire descriptor contains the name of the logical switch and the logical switch's segment ID.

Deploying VMware NSX on your Home Workstation

NOTE: You need a PC with at least 32GB of RAM, which can be divided as follows.

Things required are:
1. VMware Workstation 15.0 or above.
2. Windows Server 2012 R2, used as the DNS and AD server (2GB RAM is enough).
3. vCenter Server installed directly in VMware Workstation with a minimum of 10GB RAM and 2 processor cores in total.
4. ESXi Host1 installed directly in VMware Workstation with 16GB RAM and 12 processor cores in total.
5. ESXi Host2 installed directly in VMware Workstation with 6GB RAM and 2 processor cores in total.
6. NSX Manager, installed in ESXi Host1 with 4GB RAM while deploying the .ova.
7. NSX Controller, also installed in ESXi Host1 with 2.5GB RAM.
8. For testing purposes you can install a Windows O.S. or Linux O.S. in both ESXi Host1 and Host2.

Once the above servers are installed, it's time to install NSX Manager and NSX Controller.
Deploy VMware-NSX-Manager-6.4.5-13282012.ova in ESXi Host1, after which install the NSX Controller.
If you have a license you can download it directly from the VMware site.

++Windows 2012 R2 is used as the storage device. Create a storage space of 100GB on the server. Create an iSCSI interface on ESXi Host1 and ESXi Host2, copy and paste the IQN name into both the server and the ESXi hosts, and make sure there is connectivity between Windows Server 2012 R2 and the ESXi hosts.
This shared storage is needed because both ESXi hosts are in a cluster.

++Log in to NSX Manager and provide the vSphere Server address; make sure the hostname is resolvable.
In our next document we will see how to install NSX Edge and deploy logical switches with communication between two different Layer 3 subnets.

F5-LTM useful CLI commands to Troubleshoot

We will be working in shell mode; to enter it type "tmsh" and hit Enter. You will go to the BIG-IP shell (tmos) mode.

Below are a few CLI commands used to perform basic troubleshooting in LTM to check client-server connections.

Step 1:
root@rajiv(Active)(/Common)(tmos)#ping <Server ip address>  -I <source_self_IP>

Step 2:
root@rajiv(Active)(/Common)(tmos)#telnet <Server ip address>  <portnumber>

Step 3:
Try to access the server directly from your local PC using the direct server/node IP address; this is just to check whether there is an issue with the server itself.

Step 4:
Test access to the servers from the LTM CLI (type 'quit' to exit from tmos shell mode first):
[root@rajiv:Active:Standalone] log #curl -v http://<Virtual Server IP>
[root@rajiv:Active:Standalone] log #curl -v https://<Virtual Server IP>

Step 5:
Check the list of active connections; if required you can also delete existing/old connections using the commands below.
root@rajiv(Active)(/Common)(tmos)# show /sys connection cs-server-addr <VIRTUAL-SERVER-IP-ADDRESS>
root@rajiv(Active)(/Common)(tmos)# delete /sys connection cs-server-addr <VIRTUAL-SERVER-IP-ADDRESS>
root@rajiv(Active)(/Common)(tmos)#show /sys connection cs-client-addr <CLIENT-IP-ADDRESS>
tmsh show /sys connection ss-server-addr <NODE-IP-ADDRESS> ss-server-port <NODE-PORT-NUMBER>

For example, with a full-proxy flow:
client ---> VIP (LTM) Self IP ---> SERVER

cs-client-addr ---> client PC IP address
cs-server-addr ---> LTM virtual server IP address
ss-client-addr ---> LTM self IP
ss-server-addr ---> server IP address
cs-client-port ---> client source port number
cs-server-port ---> client destination port number
ss-client-port ---> LTM source port
ss-server-port ---> LTM destination port
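The cs-*/ss-* naming is easiest to internalise by filtering a connection table offline. The following is an added example, not from the original post and not F5 code: it parses a constructed snippet shaped like `show /sys connection` output (one record per line with the client-side and server-side endpoints first) and filters it using the same keywords tmsh accepts. The column layout is an assumption and should be checked against your own BIG-IP before reusing the parser; the addresses (VIP 10.1.1.100, self IP 10.1.2.1, pool members 10.1.2.10/11) are constructed.

```python
# Added example (not from the original post or from F5): parses a constructed
# snippet shaped like tmsh 'show /sys connection' output and filters it by the
# cs-*/ss-* fields explained above. The assumed column layout is
#   cs-client  cs-server  ss-client  ss-server  protocol  idle-seconds  ...
# Verify it against a real BIG-IP before relying on it.
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "cs_client cs_server ss_client ss_server proto idle")

# Constructed sample, not real BIG-IP output: two clients, VIP 10.1.1.100,
# LTM self IP 10.1.2.1, pool members 10.1.2.10 and 10.1.2.11.
SAMPLE = """\
Sys::Connections
10.1.10.21:51234  10.1.1.100:443  10.1.2.1:51234  10.1.2.10:443  tcp  12  (tmm: 0)  none
10.1.10.21:51235  10.1.1.100:443  10.1.2.1:51235  10.1.2.11:443  tcp  3  (tmm: 1)  none
10.1.10.22:40001  10.1.1.100:80  10.1.2.1:40001  10.1.2.10:80  tcp  900  (tmm: 0)  none
Total records returned: 3
"""


def split_endpoint(text):
    """'10.1.1.100:443' -> (IPv4Address, 443); rpartition keeps IPv6 literals intact."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def parse_connections(text):
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # header, footer and blank lines
        try:
            cs_c, cs_s, ss_c, ss_s = [split_endpoint(p) for p in parts[:4]]
        except ValueError:
            continue  # anything that is not four endpoints is not a record
        conns.append(Conn(cs_c, cs_s, ss_c, ss_s, parts[4], int(parts[5])))
    return conns


def select(conns, criteria):
    """criteria uses the tmsh keywords, e.g. {"cs-server-addr": "10.1.1.100",
    "ss-server-port": 443}; returns the records matching every criterion."""
    out = []
    for c in conns:
        for key, want in criteria.items():
            side, what = key.rsplit("-", 1)          # "cs-server", "addr"
            endpoint = getattr(c, side.replace("-", "_"))
            have = endpoint[0] if what == "addr" else endpoint[1]
            want_v = ipaddress.ip_address(want) if what == "addr" else int(want)
            if have != want_v:
                break
        else:
            out.append(c)
    return out


def idle_longer_than(conns, seconds):
    """Candidates to review before 'delete /sys connection ...': long-idle entries."""
    return [c for c in conns if c.idle > seconds]


if __name__ == "__main__":
    conns = parse_connections(SAMPLE)
    for c in select(conns, {"ss-server-addr": "10.1.2.10"}):
        print(f"client {c.cs_client[0]}:{c.cs_client[1]} -> VIP {c.cs_server[0]} "
              f"-> self {c.ss_client[0]} -> node {c.ss_server[0]}:{c.ss_server[1]} idle {c.idle}s")
```

Filtering on `ss-server-addr` answers "which clients are currently pinned to this node", which is the question you usually have before deleting connections; `idle_longer_than` lists the stale entries so the delete is targeted rather than a blanket flush.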


Step6:
root@rajiv(Active)(/Common)(tmos)#tcpdump -i <vlanname> host <ipaddress> and port <portnumber> -w /var/tmp/capture1.pcap
OR
root@rajiv(Active)(/Common)(tmos)#tcpdump src host <ipaddress> and dst host <ipaddress>  and dst port <portnumber>

Optional flags:
-i <interface number> ---> interface such as 1:1, 2:1
-i <vlan name>
-i 0.0 ---> captures on all interfaces
-ni ---> disables name resolution
-w <capture1.pcap> ---> writes the captured traffic to a file


Step 7:
Check the LTM logs; you can find them in System > Logs > Local Traffic, or:
[root@rajiv:Active:Standalone] log #cd /var/log/
[root@rajiv:Active:Standalone] log #cat ltm
or
root@rajiv(Active)(/Common)(tmos)#show /sys log ltm
or
root@rajiv(Active)(/Common)(tmos)#show /sys log <log> range <date range>
For example, to view ltm logs from three days ago until now, type the following command:
root@rajiv(Active)(/Common)(tmos)#show /sys log ltm range now-3d

For example, to view all ltm logs from 2019-03-05, type the following command:
root@rajiv(Active)(/Common)(tmos)#show /sys log ltm range 2019-03-05

For example, to view ltm logs from two to four days ago, type the following command:
root@rajiv(Active)(/Common)(tmos)#show /sys log ltm range now-2d--now-4d

For example, to view ltm logs from 2019-03-02 through 2019-03-05, type the following command:
root@rajiv(Active)(/Common)(tmos)#show /sys log ltm range 2019-03-02--2019-03-05

Virtual Switching System - VSS



Few Points to remember:

  • In simple terms, VSS combines multiple Cisco Catalyst switches into one virtual switch.
  • The data plane of both clustered switches is active at the same time in both chassis.
  • For the control plane only one switch is active and the other is standby.
  • In VSS, if one chassis fails, the other one takes over without any downtime.
  • It eliminates STP.
  • This is supported on both Catalyst 6500 and 4500 series switches.
  • Make sure the peer VSS switch is the same hardware and software version.



The diagram below shows the traditional method (without VSS):
Here we are running PVST+ and HSRP on both Layer 3 switches, where traffic is load balanced.
Example: for VLAN 10, Switch1 is the root bridge and all traffic is sent to Switch1;
Switch1 is also HSRP Active for VLAN 10, so it routes accordingly.


The VSL (dedicated 10Gig links) is an EtherChannel interface that connects the two chassis.
It carries both data and control traffic.
This link is responsible for stateful switchover without any downtime.


Switch-1 Virtual Domain and Port Channel Configuration:

Switch-1(config)#switch virtual domain 100 --->The switch virtual domain number should be unique 
Switch-1(config-vs-domain)#switch 1
Switch-1(config-vs-domain)#exit
Switch-1(config)#interface port-channel 10
Switch-1(config-if)#switchport
Switch-1(config-if)#switch virtual link 1
Switch-1(config-if)#no shutdown
Switch-1(config-if)#exit
Configure Virtual Switch Link:
Switch-1(config)#interface range tenGigabitEthernet 1/1-2 ------>these links connects to Switch2
Switch-1(config-if)#channel-group 10 mode on
Switch-1(config-if)#no shutdown
Switch-1(config-if)#channel-group 10 mode on
WARNING: Interface TenGigabitEthernet1/1,2 placed in restricted config mode. All extraneous configs removed!
Switch-1(config)#exit
Switch-1#switch convert mode virtual ---->Execute the command, but do not reload until VSS configuration is completed on Switch 2

Switch 2 Virtual Domain and Port Channel Configuration:

Switch-2(config)#switch virtual domain 100
Switch-2(config-vs-domain)#switch 2
Switch-2(config-vs-domain)#exit
Switch-2(config)#interface port-channel 20
Switch-2(config-if)#switchport
Switch-2(config-if)#switch virtual link 2
Switch-2(config-if)#no shutdown
Switch-2(config-if)#exit
Configure Virtual Switch Link:
Switch-2(config)#interface range tenGigabitEthernet 1/1-2
Switch-2(config-if)#channel-group 20 mode on
Switch-2(config-if)#no shutdown
Switch-2(config-if)#channel-group 20 mode on
WARNING: Interface TenGigabitEthernet1/1,2 placed in restricted config mode. All extraneous configs removed!
Switch-2(config)#exit
Switch-2#switch convert mode virtual

At this point, console into Switch-1 . You will be prompted to save the work and confirm the switch reboot. Do the same for Switch-2.

After the reboot, verify the VSS configuration:


After the VSS configuration and restart, both switches start to function as one. One switch is designated as the Active and the other as the Standby switch

Switch-1#sh switch virtual

Executing the command on VSS member switch role = VSS Active, id = 1

Switch mode : Virtual Switch
Virtual switch domain number : 100
Local switch number : 1
Local switch operational role: Virtual Switch Active
Peer switch number : 2
Peer switch operational role : Virtual Switch Standby

Executing the command on VSS member switch role = VSS Standby, id = 2

Switch mode : Virtual Switch
Virtual switch domain number : 100
Local switch number : 2
Local switch operational role: Virtual Switch Standby
Peer switch number : 1
Peer switch operational role : Virtual Switch Active
Switch-1#
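The `show switch virtual` output above is what you check after the reboot; the following is an added example, not from the original post and not Cisco code, that parses that exact output and checks the things a reviewer looks for by eye: both members in Virtual Switch mode, the same domain number, each member naming the other as its peer with the role the other reports for itself, and exactly one Active member (two Actives would indicate a dual-active condition after a VSL failure).

```python
# Added example (not from the original post or from Cisco): a parser for the
# 'show switch virtual' output above and a consistency check that both members
# agree on domain, numbering and roles and that exactly one member is Active.
import re

# The output shown in the post, reused here as sample input.
SAMPLE = """\
Executing the command on VSS member switch role = VSS Active, id = 1

Switch mode : Virtual Switch
Virtual switch domain number : 100
Local switch number : 1
Local switch operational role: Virtual Switch Active
Peer switch number : 2
Peer switch operational role : Virtual Switch Standby

Executing the command on VSS member switch role = VSS Standby, id = 2

Switch mode : Virtual Switch
Virtual switch domain number : 100
Local switch number : 2
Local switch operational role: Virtual Switch Standby
Peer switch number : 1
Peer switch operational role : Virtual Switch Active
"""

MEMBER_HDR = re.compile(r"Executing the command on VSS member switch role = (.+), id = (\d+)")


def parse_show_switch_virtual(text):
    """Return one dict per member: its id plus every 'key : value' line that follows."""
    members, current = [], None
    for line in text.splitlines():
        m = MEMBER_HDR.match(line.strip())
        if m:
            current = {"id": int(m.group(2)), "header_role": m.group(1)}
            members.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return members


def check_vss(members):
    """List of problems; an empty list means the VSS pair looks consistent."""
    problems = []
    if len(members) != 2:
        return [f"expected 2 VSS members, parsed {len(members)}"]
    a, b = members
    if a.get("Switch mode") != "Virtual Switch" or b.get("Switch mode") != "Virtual Switch":
        problems.append("a member is not in Virtual Switch mode")
    if a.get("Virtual switch domain number") != b.get("Virtual switch domain number"):
        problems.append("virtual switch domain numbers differ")
    for me, peer in ((a, b), (b, a)):
        if me.get("Peer switch number") != peer.get("Local switch number"):
            problems.append(f"switch {me['id']} names peer {me.get('Peer switch number')}, "
                            f"but the other member is switch {peer.get('Local switch number')}")
        if me.get("Peer switch operational role") != peer.get("Local switch operational role"):
            problems.append(f"switch {me['id']} sees its peer as "
                            f"'{me.get('Peer switch operational role')}', which the peer does not report")
    actives = [m["id"] for m in members
               if m.get("Local switch operational role", "").endswith("Active")]
    if len(actives) != 1:
        problems.append(f"expected exactly one Active member, found {actives}")
    return problems


if __name__ == "__main__":
    issues = check_vss(parse_show_switch_virtual(SAMPLE))
    print("VSS OK" if not issues else "\n".join(issues))
```

Feeding it output captured over SSH after a `redundancy force-switchover` is a quick way to confirm the roles really swapped and nothing ended up dual-active.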

Commands:
redundancy reload shelf ---> reloads a switch; after entering it, you are asked whether switch 1 or switch 2 should be reloaded.
redundancy force-switchover ---> switches over from active to standby and vice versa.
show run switch 1 ---> shows the part of the config that is specific to switch 1.
show run switch 2 ---> shows the part of the config that is specific to switch 2.
show switch virtual ---> verifies the status of VSS.
mac-address-table synchronize ---> on by default; enable it if it is not.
show redundancy ---> shows redundancy status.
redundancy / mode sso ---> make sure the redundancy mode is SSO.
If you need the standby console, issue the commands below from the active switch:
SwitchVSS(config)#redundancy
SwitchVSS(config-red)#main-cpu
SwitchVSS(config-r-mc)#standby console enable

F5 BIG-IP: Load Balance Internet Traffic


Use F5 BIG-IP to load balance Internet traffic:

Topology diagram:


In this example we have two different ISPs with public IPs as follows:
ISP1: 50.1.1.1
ISP2: 100.1.1.1

In F5 BIG-IP we create two VIPs, one for each ISP:
VIP1 for ISP1: 50.1.1.20
VIP2 for ISP2: 100.1.1.20

1. Configure the ISP VLANs as shown:



2. Create Self IPs for the two ISPs as shown:


3. Create a gateway pool with both ISPs in its member list.
Under health monitors use gateway_icmp.


4. Now create a default route pointing towards both ISPs, with the gateway pool as the next hop.



5. Create a virtual server with source address <any or LAN subnets> and
destination address <any or 0.0.0.0>, and apply the pool to it.
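Both this gateway pool and the NSX Edge server pool earlier on the page (fin-web01a / hr-web01a behind VIP 172.16.99.99, ROUND-ROBIN) rely on the same mechanism: rotate over the pool members and skip any that the health monitor has marked down. The following is an added example, not from the original post and not NSX or F5 code, that implements that rotation with a pluggable probe standing in for gateway_icmp; the probe results are constructed inputs, no ICMP is sent.

```python
# Added example (not from the original post, not NSX or F5 code): a round-robin
# pool with member health, as used by the NSX Edge load balancer earlier on the
# page (fin-web01a/hr-web01a behind VIP 172.16.99.99) and by the F5 gateway pool
# here (ISP next hops 50.1.1.1 / 100.1.1.1 monitored with gateway_icmp). The
# probe is a stand-in function; a real monitor sends ICMP or HTTP requests.


class Pool:
    def __init__(self, members):
        self.members = list(members)            # e.g. ("172.16.60.20", 443)
        self.healthy = {m: True for m in self.members}
        self._cursor = 0                        # position of the round-robin pointer

    def set_health(self, member, up):
        self.healthy[member] = up

    def select(self):
        """Round-robin over the members, skipping any marked down; None if all are down."""
        for _ in range(len(self.members)):
            member = self.members[self._cursor % len(self.members)]
            self._cursor += 1
            if self.healthy[member]:
                return member
        return None

    def run_monitor(self, probe):
        """probe(member) -> bool plays the role of gateway_icmp; updates every
        member's health and returns the set of members now marked down."""
        for m in self.members:
            self.healthy[m] = probe(m)
        return {m for m in self.members if not self.healthy[m]}


def distribute(pool, count):
    """The members the next `count` new connections would be sent to."""
    return [pool.select() for _ in range(count)]


def nsx_demo():
    """The NSX Edge pool from the post: two HTTPS members, both healthy."""
    pool = Pool([("172.16.60.20", 443), ("172.16.60.10", 443)])
    return distribute(pool, 4)


def f5_gateway_demo(reachable):
    """The F5 gateway pool from this section. `reachable` is a constructed set of
    ISP gateways that answered the ICMP probe this cycle."""
    pool = Pool([("50.1.1.1", None), ("100.1.1.1", None)])
    down = pool.run_monitor(lambda m: m[0] in reachable)
    return down, distribute(pool, 3)


if __name__ == "__main__":
    print("NSX pool:", nsx_demo())
    print("both ISPs up:", f5_gateway_demo({"50.1.1.1", "100.1.1.1"}))
    print("ISP1 down:", f5_gateway_demo({"100.1.1.1"}))
    print("both down:", f5_gateway_demo(set()))
```

The interesting case is the last one: when every member fails its monitor, `select` returns None, which is the moment a real BIG-IP would have no usable next hop for the default route and outbound traffic stops, so the monitor state is worth alerting on rather than only the VIP.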

Testing:-