
VMware NSX

How long does it take to upgrade VMware NSX?

Estimating the time needed for NSX upgrades and maintenance windows has been a topic that’s needed attention for some time now. Many of the VMware NSX field engineers know from experience how long an NSX upgrade may take based on environment size, but I’ve found that there’s little documentation around how to determine the time required to perform an upgrade, based on the size of the environment.

VMware NSX-v upgrades are performed in order of NSX Managers, then Controllers, onto Edge Gateways and then the vSphere hosts themselves. So, a good method of determining how long an upgrade will take is to calculate each individual component’s upgrade time, add some buffer for the unexpected and then sum it all up. I’ve detailed the NSX upgrade process here in a previous blog post, with step-by-step screenshots, to provide you with what to expect. Official VMware NSX documentation should be used to perform the actual upgrade.

*As a special note, NSX-T upgrades are done in reverse order, starting with hosts / transport nodes first and then on to Edge Gateways, Controllers and then NSX Manager.

After performing a fair amount of upgrades in the field, NSX Managers and Controllers have been very reliable in terms of component upgrades. Edge Service Gateways in an HA pair, on occasion, will fail an NSX component upgrade, but the resolution of powering the VM off, powering it back on, waiting for services to start and then retrying the upgrade has been a fairly quick remediation.

NSX component upgrade times are as follows:

  • NSX Manager – 30 minutes
  • NSX Controller – 5-10 minutes (each)
  • NSX Edge Service Gateway – 15 minutes (each)
  • NSX vSphere Host – 15 minutes (each)

*Be sure to add time for DRS evacuation and reboot to each host’s time, if applicable. NSX host upgrades after 6.3 are reboot-less, but evacuation still applies.

Each of these times has a small buffer for testing the return to service of each component. Conditions can vary based on load and scale. If you have a test NSX deployment, a dry run there will show you how your environment performs and let you tune these times a bit closer. Disk I/O and performance on the Manager and Edge VMs account for a fair amount of time, but the number of NSX vSphere host upgrades is usually the biggest single factor in upgrade times. Remember, host density and host memory have a lot to do with estimating NSX vSphere upgrade times. Hosts with high VM densities can take in excess of an hour to evacuate, and physical servers with >1TB of memory take quite a bit of time to “count up” at BIOS boot. These are all things to consider and add to your estimate.

Here’s an example time estimate calculation for an NSX 6.3 upgrade on a five (5) host cluster:

  • NSX Manager (1) – 30 minutes
  • NSX Controller (3) – 30 minutes
  • NSX Edge Service Gateway HA Pair (2) – 30 minutes
  • NSX vSphere Hosts (5) – 75 minutes

The estimated time for this example would be 165 minutes or 2 hours and 45 minutes, which is very close to the actual 2.5 hours it took to perform the upgrade in this lab. As I mentioned, make sure to check out the preview of the upgrade and (please) use the official documentation to create your upgrade “runbook”. As always, opening a support ticket with VMware support containing the version details of your upgrade, number of components, and an architectural drawing will greatly reduce the time needed to engage support, should you need it.
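The estimate above as a small planner, added here as an example and not part of the original post. It goes slightly beyond the worked example by also laying the stages out in upgrade order with start offsets. The function names and the per-host `evac_minutes` / `reboot_minutes` parameters are hypothetical, and reusing the NSX-v per-component times for the reversed NSX-T order is an assumption, since the post gives no NSX-T times.

```python
# Per-component minutes from the post; the controller uses the upper end of
# the 5-10 minute range, as the post's worked example does.
MINUTES = {"manager": 30, "controller": 10, "edge": 15, "host": 15}

# NSX-v stage order from the post; the post notes NSX-T runs in reverse.
NSX_V_ORDER = ("manager", "controller", "edge", "host")


def upgrade_plan(counts, flavor="v", evac_minutes=0, reboot_minutes=0):
    """Return (stages, total_minutes) for a maintenance window.

    stages holds (component, count, start_offset, duration) in upgrade order.
    evac_minutes / reboot_minutes are hypothetical per-host additions for DRS
    evacuation and reboot; measure them in a test deployment.
    """
    if flavor not in ("v", "t"):
        raise ValueError("flavor must be 'v' or 't'")
    unknown = set(counts) - set(MINUTES)
    if unknown:
        raise ValueError(f"unknown component(s): {sorted(unknown)}")
    order = NSX_V_ORDER if flavor == "v" else NSX_V_ORDER[::-1]
    stages, clock = [], 0
    for component in order:
        n = counts.get(component, 0)
        if n < 0:
            raise ValueError(f"negative count for {component}")
        per_unit = MINUTES[component]
        if component == "host":
            per_unit += evac_minutes + reboot_minutes
        duration = n * per_unit
        stages.append((component, n, clock, duration))
        clock += duration
    return stages, clock


def fmt(minutes):
    """Render minutes as e.g. '2h45m'."""
    hours, rest = divmod(minutes, 60)
    return f"{hours}h{rest:02d}m"


if __name__ == "__main__":
    lab = {"manager": 1, "controller": 3, "edge": 2, "host": 5}  # post's example
    stages, total = upgrade_plan(lab)
    for name, n, start, dur in stages:
        print(f"T+{fmt(start)}  {name} x{n}  ({dur} min)")
    print("total:", fmt(total))
```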

Why does vCenter show 0 NSX licenses in use? – How to determine VMware NSX licensing

Why does vCenter show 0 (zero) VMware NSX licenses in use?

This question comes up with clients and coworkers alike all the time, so I figured I’d do my best to disseminate the information a bit further into the “inter-webs”.

vCenter shows 0 (zero) NSX licenses in use largely because not every version of VMware NSX is tied to vCenter: NSX-T and NSX-MH are not, whereas NSX-V is. VMware NSX-V is, of course, the vSphere-based version of NSX, MH is the “multi-hypervisor” version, and “T” (“Transformers”) is for bare-metal or cloud-based container environments and the like.

VMware NSX Editions

With the release of NSX 6.2.2, VMware introduced 3 different license editions: Standard, Advanced, and Enterprise. These license editions allow you to align NSX with your company’s use case.

Standard Edition: Automates IT workflows, bringing agility to the data center network and reducing network operating costs and complexity.

Advanced Edition: Standard Edition plus a fundamentally more secure data center with micro-segmentation. Helps secure the data center to the highest levels, while automating IT provisioning of security.

Enterprise Edition: Advanced Edition plus networking and security across multiple domains. Enables the data center network to extend across multiple sites and connect to high-throughput physical workloads.

VMware NSX License Capacity Usage

Since many versions of VMware NSX are not vCenter-based, vCenter’s licensing view is inherently of little use for NSX. Instead, VMware NSX licensing is displayed in the VMware NSX Manager interface.

Per the documentation, the NSX capacity usage calculation method only reports for clusters prepared and enabled with DFW and VXLAN. CPU count is the number of CPUs (sockets) of all prepared hosts. VM count and Concurrent Users is the count of all powered-on VMs in the cluster. This VM count does not include system VMs (service VMs, partner VMs, edge appliances, etc.).

NSX usage is reported correctly under the NSX Manager in NSX vSphere Webclient Plugin. **Please note under license management in VC the NSX license will report Usage as ZERO**

vShield Endpoint License in NSX 6.2.4

vShield Endpoint is a component of vCloud Network and Security (vCNS). This component allows you to offload antivirus and anti-malware agent processing to a dedicated secure virtual appliance. With the release of NSX 6.2.4, the default license is NSX for vShield Endpoint, allowing you to manage your vShield Endpoint environment with NSX. Customers who purchased vSphere with vShield Endpoint (Essential Plus and above) will be able to download NSX. This means that NSX will appear on the vSphere download site, just like vCNS does today. To ensure customers do not use any other unlicensed NSX features (e.g. VXLAN, DFW, Edge services), the license key will have hard enforcement to prevent NSX host preparation and block Edge creation. If you require an evaluation license key, please request this through VMware sales.

If you have questions regarding VMware NSX licensing, auditing of licensing or the like, please contact your VMware account team or NSX Technical Account Specialist.

VMware NSX 6.3.5 Upgrade Process with Step-by-Step

The VMware NSX 6.3.5 upgrade is fairly straightforward. The NSX Manager does most of the heavy lifting with a little bit of instruction from us and there’s only a small amount of manual interaction to ensure component upgrades are performed at your discretion, in order to maintain edge connectivity during the process. Please use the official VMware NSX 6.3 Upgrade Guide documentation for your efforts. My intentions with this post are for preview purposes only, so you can know what to expect.

As always, ensure your backups are current for NSX Manager before beginning. If you have support, a proactive support ticket to seed the details of your upgrade plan with versions and components greatly speeds up support, should you hit a snag.

VMware NSX 6.3.5 Upgrade Process

Determine the current version of VMware NSX by navigating to the “Installation” section in “Networking & Security”.

Verify that your NSX version is compatible with the latest upgrade in the VMware Interoperability Matrix – Upgrade Path. NSX versions from 6.2 forward are compatible with 6.3.5, as you’ll see below.

Log into the NSX Manager with admin credentials and click “Upgrade” on the home screen. The upgrade process takes about 30-60 minutes overall, so make sure you’ve got the time you need.

Click the “Upgrade” button in the upper right corner of the screen. From here on out, it’s critical that we let the following stages run without interruption.

Click on “Choose File” and navigate to the NSX upgrade bundle that ends in tar.gz. The upgrade bundle is a separate download from the appliance, so make sure you’ve got the correct bits before continuing.

Select the NSX upgrade bundle and click “Open” and then “Continue”. Upon clicking “Continue”, NSX Manager uploads the upgrade bundle and stages it. After staging the build, NSX Manager verifies the upgrade bundle to validate authenticity and payload.

After the verification is complete, you’re presented with the upgrade dialog summary. Ensure you have selected your desired SSH mode and whether you wish to participate in the VMware Customer Experience Program. Once you’re prepared to continue, click the “Upgrade” button and the upgrade will begin.

Once the NSX upgrade has begun, you’ll see the status of running.

After verifying the post upgrade version of NSX Manager, log into vCenter, navigate to “Networking & Security”, “Installation” and ensure other NSX Controllers have been upgraded as well.

Finally, navigate to “NSX Edges”, select each Edge, right click and select “Upgrade” to upgrade your NSX Edge nodes.

Verify that the NSX Edge nodes have been upgraded to the correct version.

Once you’ve completed the NSX Edge upgrades, the NSX vSphere host upgrades need to be run. Click “Upgrade available” in NSX Component Installation on Hosts.

After host upgrades, perform an NSX backup and do some general connectivity tests to ensure operation. Having a scripted ping test that pings to and from different components on the network makes testing quite a bit quicker, so it’s not a bad idea to spend some time on that beforehand.

As always, feel free to hit me up with questions and whatever you do, #runNSX.

What’s New in VMware NSX 6.3.5?

With the last few NSX releases, our overall focus has been on compliance and product parity. VMware NSX 6.3.5 primarily delivers improvements and enhancements in Guest Introspection, L2 VPN and the remediation of 32 defects.

VMware NSX 6.3.5 improves Guest Introspection VMs: on deployment, they are named Guest Introspection (XX.XX.XX.XX), where XX.XX.XX.XX is the IPv4 address of the host on which the GI machine resides. The naming occurs during the initial deployment of GI. Naming the GI VM with the IP address of its host gives VMware admins some much-needed information at a glance.

The L2 VPN service now supports changing and/or enabling logging on the fly – without a process restart, enhanced logging, tunnel state and statistics, events for tunnel status changes and a number of CLI enhancements. This provides for greater troubleshooting capabilities for L2 VPN configurations and the like.

Of the 32 defects fixed, the most notable is Resolved Issue 19879763, which causes NSX Controllers to expire root passwords 90 days after build. The issue is detailed in KB000051144 – Deploying NSX Controller fails in NSX-v 6.3.3 and 6.3.4.

The NSX 6.3.5 Release Notes do not contain the Resolved Issue, as VMware development re-released 6.3.3 and 6.3.4 and added it to the Resolved Issues in the release notes of those versions. Details on the rest of the defects can be found in the release notes as usual, so check there for more details.

As for requirements, they are vSphere 5.5U3, vSphere 6.0U3, and vSphere 6.5U1 and later. All versions of VMware Tools are supported. Some Guest Introspection-based features require newer VMware Tools versions, so see the release notes. As for version compatibility with other VMware products, like vRealize Network Insight and Log Insight, see the VMware Product Interoperability Matrix.

For more information, as always, make sure you read the release notes, contact your VMware account team and engage VMware support proactively.

ADD A VMWARE NSX SECURITY TAG TO A VM IN THE SECONDARY NSX MANAGER VIA API

I recently had a coworker ask how to add a VMware NSX Security Tag to a VM that was under management of the secondary VMware NSX Manager. While NSX provides the ability to create and manage NSX Security Tags via the UI (GUI), only the API can manage Security Tags on VMs managed by the secondary NSX Manager.

After a bit of reading documentation and poking at the API, here’s the how-to:

API command:
POST /api/2.0/services/securitytags/tag/{tagId}/vm

*with a request body (application/xml), replacing the value for the vmname

<securityTagAssignment>
  <tagParameter>
    <key>vmname</key>
    <value>myvmserver1</value>
  </tagParameter>
</securityTagAssignment>

*don’t forget to change the solution criteria to vmname from uuid

Source: https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.3/nsx_63_api.pdf (pages 75 and 76)
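The call above built in Python, as an added example that is not from the original post or VMware’s documentation. It constructs the request without sending it, so the body and URL can be inspected before touching the secondary NSX Manager. The function name, hostname, tag id and credentials are placeholders, and HTTP basic authentication is used as the NSX-v API expects.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote


def build_tag_request(manager, tag_id, vm_name, user, password):
    """Build (not send) the POST that attaches tag_id to the VM named vm_name.

    manager is the secondary NSX Manager's hostname. All arguments are
    caller-supplied; nothing here is looked up from NSX.
    """
    if not vm_name or not tag_id:
        raise ValueError("tag_id and vm_name are required")

    # Body from the post: a single tagParameter selecting the VM by name.
    root = ET.Element("securityTagAssignment")
    param = ET.SubElement(root, "tagParameter")
    ET.SubElement(param, "key").text = "vmname"
    # ElementTree escapes &, < and >, so odd VM names cannot break the XML.
    ET.SubElement(param, "value").text = vm_name
    body = ET.tostring(root, encoding="utf-8")

    # Percent-encode the tag id so it stays a single path segment.
    path = f"/api/2.0/services/securitytags/tag/{quote(tag_id, safe='')}/vm"
    req = urllib.request.Request(f"https://{manager}{path}", data=body, method="POST")
    req.add_header("Content-Type", "application/xml")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


if __name__ == "__main__":
    # Placeholder values, constructed for illustration only.
    r = build_tag_request("nsxmgr-secondary.example.com", "TAG_ID_PLACEHOLDER",
                          "myvmserver1", "admin", "PASSWORD_PLACEHOLDER")
    print(r.get_method(), r.full_url)
    print(r.data.decode())
    # To send: urllib.request.urlopen(r) with default TLS verification, which
    # requires the Manager's certificate to be trusted by the client.
```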

New VMware NSX Visio Diagramming Tool Released – Create NSX Diagrams Automatically

At VMworld US and Europe this year, Nick Bradford and Anthony Burke presented a PowerNSX session. PowerNSX provides a PowerShell module featuring a substantial number of cmdlets that cover the NSX API. Working in concert with PowerCLI it becomes possible to interact via a command line or programmatically with the NSX for vSphere API.

Nick showed off the Visio Diagramming tool, and when he asked the audience if this was something that was “needed”, all hands were up and people were out of their seats. Claps and cheers went up! Well – now here it is – ready for anyone to use.

NSX Visio Diagramming Tool

As always, reach out if you have any questions. Enjoy!