My Experience with the NSX 6.2 ICM On-Demand traning and the VCP-NV exam

For the people who are only interested in the result: today I passed the VCP-NV exam with 367 points. This after I followed the NSX Install, Configure, Manage (hence the ICM) On-Demand course in May. This training was provided through the Partner training funds that my employer TenICT/AnylinQ have been assigned by VMware.

About the NSX ICM On-Demand training.

For the people not familiar with the on-demand training possibilities from VMware: with these courses one has a month the time to follow a set of computer narrated lectures covering all the same subjects as the official classroom training provides. Besides this you have access to a digital book belonging to the training. You also have access to a lab environment during this month where you have to complete all the lab tasks during the training.

Personally, I prefer classroom training since this allows the trainer to deviate from the official training when possible or required. Think about explaining things in a bit different matter or diving deeper into some of the material. Also, the computer-generated voice gets boring pretty fast and the sound quality also went sub par during some of the chapters. Combine this with a price that is only a fraction lower than the official price and I wouldn’t really recommend it unless you have someone sponsoring it for you.

What the training did was provide a good base for the exam. After this it’s a question of reading blog posts, playing with it in the lab (or Hands on Labs) and maybe you might need to read a book.

About the exam

So I did the exam as almost usual at @TheAcademy in Eindhoven, The Netherlands. They have a new room setup since over a year that I hadn’t been into yet (doing SME jobs has its perks) equipped with what I believe to be 21″ full HD screens. While these don’t provide for a better experience for vcp exams they do for vcap’s so that’s good to know. There are 77 multiple choice questions and I had two hours to spend on these. This time I didn’t need, and I left the building after 45 minutes. I can read English just as fast or sometimes faster than my native Dutch. The questions where a bit easier than I expected so maybe that score of 367 should have been a bit higher.

What you need to know

  • What permission level is needed to know what (Enterprise admin, NSX Admin, Auditor, Security Admin)
  • Order of installing things or setting them up
  • Be able to read drawings to follow the packets
  • Be able to create those drawings in your head and follow the packets
  • Some basic command line stuff for example for the controller cluster (only that what can be found in the courseware!)
  • Know your Distributed switches and what they can do
  • VPN Types
  • Best practices
  • What vm/function related to NSX does what
  • Networking basics
  • Numbers & maximums i.e. how many of what can do what, what’s needed to do that, what numbers needs this to be, What’s the default number for this.

Study Materials Used

  • NSX ICM On-Demand training
  • the links in vmiss’s blog post here
  • The Official Cert guide. Be aware that the exam is for 6.2 and not the 6.1 of the book but most still applies.

Do I know NSX inside out now?

No, and do you want to know why? This exam only hits the top of the iceberg in NSX possibilities, for example it hardly touches any real configuration nor does it have a lot of load balancing or nerd knob settings. For those things you really need to have a lot more experience and do the vcap exam. I am not sure if I will be following that path but this training and exam at least gives me enough knowledge to break things in NSX.

And a Queen video for those still reading

The VMware Labs flings monthly for April 2018

It’s been a rather quiet month on the VMware flings front. No wonder with the vSphere 6.7 and other releases this month. Did you already test them? I have to say like vSphere 6.7 but it’s consider the numbering good as well, it wouldn’t have fit to be a 7.* release. One new fling with the PowerCLI for NSX-T Preview, two updated ones with the vSphere HTML5 Web Client and Cross vCenter VM Mobility – CLI. Another fling has gone GA in vSphere 6.7: VMFork for pyVmomi.

PowerCLI Preview for NSX-T

The one thing lacking for NSX-T was PowerCLI availability, this is solved with the release of the PowerCLI Preview for NSX-T fling. Please be aware that the fling still contains bugs and might even be considered an alpha release.

Cross vCenter VM Mobility – CLI

Cross vCenter VM Mobility – CLI is the go to tool when you want to move vm’s between vCenter servers and don’t want to use the GUI fling. The versioning is a bit weird since we already had 1.6 and now they released 1.6.0.

Version 1.6.0

  • Relocate is failing with validation error “cln is missing”.

vSphere HTML5 Web Client

Not sure what exact version of the html5 web client went into the vSphere 6.7 release but here you can find an overview of the functionality, don’t mind the url because the text clearly states it’s for 6.7. If you want an even more updated version or want to get used to it in vSphere 6.* then use the fling.

Fling 3.37 – Build 8313530

New Features

  • Add VM vApp option properties read-only view
  • SRIOV networking in clone wizard customize HW page

Improvements

  • Prevent the user from creating a GOSc spec with no specified timezone
  • Resize the migrate wizard to use the largest possible size based on VMware Clarity design standards

Bug Fixes

  • Drag and Drop VM to folder

 

 

NSX 6.2.3 release includes vShield license

Until now if you wanted agentless anti-malware but not owned full blown NSX you needed vShield that VMware had announced it to go EOL in september. As expected VMware announced today NSX 6.2.3 that includes a vshield License.Sadly it still only supports anti-malware so don’t expect a lot of ransomware protection to be done agentless.

The rest of the changes:

 

Changes introduced in NSX vSphere 6.2.3:

Logical Switching and Routing

NSX Hardware Layer 2 Gateway Integration: expands physical connectivity options by integrating 3rd-party hardware gateway switches into the NSX logical network

New VXLAN Port 4789 in NSX 6.2.3 and later: Before version 6.2.3, the default VXLAN UDP port number was 8472. See the NSX Upgrade Guide for details.

Networking and Edge Services

New Edge DHCP Options: DHCP Option 121 supports static route option, which is used for DHCP server to publish static routes to DHCP client; DHCP Options 66, 67, 150 supports DHCP options for PXE Boot; and DHCP Option 26 supports configuration of DHCP client network interface MTU by DHCP server.

Increase in DHCP Pool, static binding limits: The following are the new limit numbers for various form factors: Compact: 2048; Large: 4096; Quad large: 4096; and X-large: 8192.

Edge Firewall adds SYN flood protection: Avoid service disruptions by enabling SYN flood protection for transit traffic. Feature is disabled by default, use the NSX REST API to enable it.

NSX Edge — On Demand Failover: Enables users to initiate on-demand failover when needed.

NSX Edge — Resource Reservation: Reserves CPU/Memory for NSX Edge during creation. Admin user can modify the CPU/Memory settings after NSX Edge deployment using REST API to configure VM appliances.

Change in NSX Edge Upgrade Behavior: Replacement NSX Edge VMs are deployed before upgrade or redeploy. The host must have sufficient resources for four NSX Edge VMs during the upgrade or redeploy of an Edge HA pair. Default value for TCP connection timeout is changed to 21600 seconds from the previous value of 3600 seconds.

Cross VC NSX — Universal Distributed Logical Router (DLR) Upgrade: Auto upgrade of Universal DLR on secondary NSX Manager, once upgraded on primary NSX Manager

Flexible SNAT / DNAT rule creation: vnicId no longer needed as an input parameter; removed requirement that the DNAT address must be the address of an NSX Edge VNIC.

NSX Edge VM (ESG, DLR) now shows both Live Location and Desired Location. NSX Manager and NSX APIs including GET api/4.0/edges//appliances now return configuredResourcePool and configuredDataStore in addition to current location.

Security Services

Distributed Firewall — TFTP ALG: enables use cases such as network boot for VMs.

Firewall — Granular Rule Filtering: simplifies troubleshooting by providing granular rule filters in UI, based on Source, Destination, Action, Enabled/Disabled, Logging, Name, Comments, Rule ID, Tag, Service, Protocol.

Guest Introspection — Windows 10 support

SSL VPN Client — Mac OS El Capitan support

Service Composer — Performance Improvements: enables faster startup/reboot of NSX Manager by optimizing synchronization between security policy and firewall service, and disabling auto-save of firewall drafts by default.

Service Composer — Status Alarms: raises system alarm if security policy is out-of-sync, and takes specific actions based on alarm code to resolve issue.

Operations and Troubleshooting

NSX Dashboard: Simplifies troubleshooting by providing visibility into the overall health of NSX components in one central view.

Traceflow Enhancement — Network Introspection Services: Enhances ability to trace a packet from source to destination, by identifying whether packets were forwarded to 3rd-party network introspection services, and whether the packet comes back from the 3rd-party service VM or not.

SNMP Support: Configure SNMP traps for events from NSX Manager, NSX Controller, and Edge.

Logging is now enabled by default for SSL VPN and L2 VPN. The default log level is notice.

Firewall rules UI now displays configured IP protocols and TCP/UDP port numbers associated with services.

NSX Edge technical support logs have been enhanced to report memory consumption per process.

Central CLI Enhancements

Central CLI for Host Health: Shows host health status, with 30+ checks in one command (including network config, VXLAN config, resource utilization, etc.)

Central CLI for Packet Capture: Provides ability to capture packet on the host and transfer the capture file to user’s remote server. This eliminates the need to open up hypervisor access to network administrators, when troubleshooting logical network issues.

Technical support bundle per host: Gathers per-host logs and creates a bundle that can be saved and submitted to VMware technical support for assistance.

Licensing Enhancements

Change in default license & evaluation key distribution: default license upon install is “NSX for vShield Endpoint”, which enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only. Evaluation license keys can be requested through VMware sales.

License usage reporting: NSX license usage counts are displayed on NSX Manager’s Summary UI and also retrievable via API. NSX license usage counts will no longer be reported through vCenter licensing service.

Solution Interoperability

Customer Experience Improvement Program: NSX supports reporting system statistics via the VMware Customer Experience Improvement Program (CEIP). Participation is optional and is configured in the vSphere Web Client.

VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX, with monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis and alerts. This version accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2+.