Wednesday, September 28, 2022

Migration from Classic env. to NSX-T env.

The best way to migrate from a traditional VMware environment (one that does not contain NSX) to a new, modern environment (one that contains NSX-T) is to change the IPs of the VMs and attach them to VxLAN logical switches (LSWs). In some situations, however, we will need to migrate the VMs with their current IPs, so we will need to do one of the following:

1. Bridge the VxLAN to VLAN.

2. Use a VLAN LSW and rely on the physical network; you will still be able to create FW, LB, etc.


In the example below we will use a vRO workflow to do the second option for us:

The VRO Workflow in Github



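// ---------------------------------------------------------------------------
// Inputs (presumably bound by the vRO workflow; a bare `var` re-declaration
// does not reset a value that is already bound):
//   nsxBasicAuth            value appended to "Basic " for HTTP Basic auth —
//                           it is a credential: keep it a SecureString input
//                           and never write it (or `token`) to System.log
//   nsxt                    manager to target: "vxRailDR" or "vxRailnonDR"
//   vlanNumber              VLAN id that backs the new segment
//   drNsxtHost / nonDrNsxtHost   REST hosts of the two managers
// ---------------------------------------------------------------------------
var token = "Basic " + nsxBasicAuth;
var nsxt;
var vlanNumber;

// Every object below is named after the VLAN; refuse to continue without it
// (the old code would happily create "LSW-DCE-undefinedv-01").
if (vlanNumber === undefined || vlanNumber === null || String(vlanNumber) === "") {
    throw "vlanNumber is required (got " + vlanNumber + ")";
}
var lswName = "LSW-DCE-" + vlanNumber + "v" + "-01";
var sgName = "SG-LSW-DCE-" + vlanNumber + "v";
var sgPath = "/infra/domains/default/groups/" + sgName;   // policy path referenced by the firewall rules
var fwPolicyName = "FWP-VPC-" + vlanNumber + "v";

// Determine which NSX will be our endpoint. Any other value is a configuration
// error, so fail here rather than silently skipping every REST call (which is
// what the previous if / else-if chains did for an unknown value).
var endpoint;
if (nsxt === "vxRailDR") {
    endpoint = {
        host: drNsxtHost,
        transport_zone_path: "/infra/sites/default/enforcement-points/default/transport-zones/1111ed4a-97f8-46b8-a6b1-d0a8f9591111",
        vlan_transport_zone_path: "/infra/sites/default/enforcement-points/default/transport-zones/1111ac59-5195-4301-b4f5-f9e199811111"
    };
} else if (nsxt === "vxRailnonDR") {
    endpoint = {
        host: nonDrNsxtHost,
        transport_zone_path: "/infra/sites/default/enforcement-points/default/transport-zones/11115ddb-a726-4755-aa27-350fe29d1111",
        vlan_transport_zone_path: "/infra/sites/default/enforcement-points/default/transport-zones/11118cca-aeb8-4ba8-8fe3-5324ed821111"
    };
} else {
    throw "Unknown NSX-T target '" + nsxt + "' (expected vxRailDR or vxRailnonDR)";
}
// Kept under their original names; a VLAN-backed segment only needs the VLAN zone.
var transport_zone_path = endpoint.transport_zone_path;
var vlan_transport_zone_path = endpoint.vlan_transport_zone_path;

// PATCH one policy object on the selected manager.
// Throws (and so aborts the task) on any reply other than HTTP 200; the
// response is returned so the caller can inspect it.
function patchOrThrow(url, payload) {
    var response = restContent("PATCH", endpoint.host, url, payload, token);
    // Number() keeps the check correct whether statusCode arrives as a number or a string.
    if (Number(response.statusCode) !== 200) {
        throw "HTTP status code :" + response.statusCode + "(" + response.serverMessage + ")";
    }
    return response;
}

// Build one ALLOW rule applied (scoped) to the new security group.
// Both rules below are ANY-service, unlogged: a permissive baseline that keeps
// the migrated VMs reachable. Tighten "services" and set "logged": true once
// the required flows are known, so the DFW actually filters and records them.
function allowRule(id, sourceGroups, destinationGroups) {
    return {
        "action": "ALLOW",
        "resource_type": "Rule",
        "id": id,
        "display_name": id,
        "source_groups": sourceGroups,
        "destination_groups": destinationGroups,
        "services": ["ANY"],
        "profiles": ["ANY"],
        "logged": false,
        "scope": [sgPath]
    };
}

//LSW Creation
var url = "/policy/api/v1/infra/segments/" + lswName;
var payload = {
    "type": "DISCONNECTED",          // VLAN-backed segment with no gateway attachment
    "vlan_ids": [String(vlanNumber)],
    "transport_zone_path": vlan_transport_zone_path,
    "advanced_config": {
        "connectivity": "ON"
    },
    "admin_state": "UP",
    "tags": [
        {
            "scope": "LSW",
            "tag": lswName
        }
    ]
};
//System.log(JSON.stringify(payload))   // payload carries no credentials, so logging it is harmless
var response = patchOrThrow(url, payload);

//Security Group Creation
url = "/policy/api/v1/infra/domains/default/groups/" + sgName;
payload = {
    // Dynamic membership: every Segment tagged scope=LSW / tag=<lswName>,
    // i.e. the segment created above.
    "expression": [
        {
            "member_type": "Segment",
            "key": "Tag",
            "operator": "EQUALS",
            "value": "LSW|" + lswName,
            "resource_type": "Condition"
        }
    ],
    "extended_expression": [],
    "reference": false,
    "resource_type": "Group",
    "tags": [
        {
            "scope": "SG",
            "tag": "SG-" + lswName
        }
    ]
};
response = patchOrThrow(url, payload);

//Security Policy Creation (one outbound and one inbound rule for the new group)
url = "/policy/api/v1/infra/domains/default/security-policies/" + fwPolicyName;
payload = {
    "rules": [
        allowRule("FWR-" + vlanNumber + "v-Out", [sgPath], ["ANY"]),
        allowRule("FWR-" + vlanNumber + "v-IN", ["ANY"], [sgPath])
    ],
    "logging_enabled": false,
    "resource_type": "SecurityPolicy",
    "scope": ["ANY"]
};
response = patchOrThrow(url, payload);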




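/**
 * Send one JSON request through a vRO REST host and return the raw response.
 *
 * @param {string} method   HTTP verb, e.g. "PATCH".
 * @param {Object} host     vRO REST host; only its createRequest(method, url, body) is used.
 * @param {string} url      path relative to the host's base URL.
 * @param {Object|null} payload  body object, serialised with JSON.stringify;
 *                          a falsy payload sends no body (null).
 * @param {string} token    complete Authorization header value (e.g. "Basic ...");
 *                          the header is omitted when falsy. It is a credential —
 *                          do not log the request headers.
 * @returns {Object} whatever req.execute() returns; callers check statusCode.
 */
function restContent(method, host, url, payload, token) {
    //System.debug("**** Requesting endpoint data...");
    // `var` keeps the request local; the previous version leaked it as an implicit global.
    var req = host.createRequest(method, url, payload ? JSON.stringify(payload) : null);
    req.setHeader("Accept", "application/json");
    req.setHeader("Content-Type", "application/json");
    if (token) {
        req.setHeader("Authorization", token);
    }
    return req.execute();
}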

















































































































Wednesday, September 14, 2022

Increase NSX-T API requests per second

By default there is a limit on how many API requests you can make per second on NSX-T, and when you exceed it you will start to get this error message: Client 'admin' exceeded request rate of 100 per second


Now we will increase these numbers 

  • SSH to your NSX-T manager
  • check your current limits: get service http
  • by default you will find these numbers 
Service name: http
Service state: running
Logging level: info
Session timeout: 0
Connection timeout: 30
Client API rate limit: 100 requests/sec
Client API concurrency limit: 40 connections
Global API concurrency limit: 199 connections

Redirect host: (not configured)
Basic authentication: enabled
Cookie-based authentication: enabled


  • use the three commands below and choose your preferred limits
set service http client-api-rate-limit 500
set service http client-api-concurrency-limit 200
set service http global-api-concurrency-limit 200

  • check your new limits with this command: get service http
Service name:  http
Service state:   stopped
Logging level:  info
Session timeout:  0
Connection timeout: 30
Client API rate limit: 500 requests/sec
Client API concurrency limit:     200 connections
Global API concurrency limit:     200 connections
Redirect host: (not configured)
Basic authentication: enabled
Cookie-based authentication: enabled

























































NSX-T (local log in) with VIDM integration

We will explain how to log in with a local account to your NSX-T which integrated with VIDM. We integrated our NSX-T into the VIDM. We had a...