This post is part of my VMware VCIX-NV Study Guide and is about a collection of services on the NSX Edge Services Gateway: DHCP, DNS and NAT.

Documentation

Index

 

DHCP, DNS and NAT services
An edge router/firewall wouldn’t be complete with services like DHCP, DNS and NAT (source and destination), so the NSX Edge Services Gateway has these services to complement your virtual network. There’s not much to tell about these services, as these functionalities should be will on your resume, so I’ll dive into the configuration.

 

Add/Modify/Delete a DHCP IP Pool

Requirements:

  • Existing NSX Edge Services Gateway.

VMware Documentation: Add a DHCP IP Pool

The ESG can provision IP addresses for virtual machines, or it can relay DHCP requests to another DHCP service. This is how to configure an IP Pool for DHCP to use.

Add a DHCP IP Pool

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “DHCP” sub-tab and select the “Pools” sub-menu.
  • Click the “+” icon to add a DHCP IP Pool.
  • In the popup window, enter the “Start IP” and “End IP” to create the pool. Optionally enter other details to give to the DHCP requestor; a domain name, primary and secondary DNS server, a default gateway and a lease time. For the lease time, you can tick “Lease Never Expires” or give an expiration time in seconds. The “Auto Configure DNS” option will use the DNS service configuration on the ESG for DNS on the DHCP client.
  • Click “OK” when you’re done and click the “Publish Changes” button when it appears.

 

Enable/Disable the DHCP service

Requirements:

  • Existing NSX Edge Services Gateway.
  • DHCP IP Pool is configured.

VMware Documentation: Enable the DHCP Service

To start the DHCP service, first configure the DHCP IP Pool as we did in the previous chapter and then simply enable the DHCP service.

Enable DHCP Service

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “DHCP” sub-tab and select the “Pools” sub-menu.
  • Click the “Enable” button and determine whether you want to log the DHCP requests.
  • Click the “Publish Changes” button that appears.

 

Add/Remove a DHCP static binding

Requirements:

  • Existing NSX Edge Services Gateway.

VMware Documentation: Add a DHCP Static Binding

As with other DHCP services, it is possible to create static bindings (reservations) for statically binding MAC addresses to IP addresses when those MAC addresses send out a DHCP request. NSX event makes it a lot easier by allowing you to select a specific virtual machines network interface as the binding source, which means the binding will follow the virtual machine, even if the MAC address changes. You can just use a static MAC address as well. Here’s how we do this:

Add a DHCP static binding

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “DHCP” sub-tab and select the “Bindings” sub-menu.
  • Click the “+” icon to add a binding. In the popup window, select “Use VM NIC Binding” or “Use MAC Binding” to choose whether to make the binding on a VM NIC basis or a static MAC address.
  • Once you’ve made your selection, fill out the details. In case of a VM NIC binding, select the ESG interface, the VM itself and its NIC, enter the hostname and IP address and optional domain name, DNS servers and default gateway that the VM will receive.
  • In case of a static MAC address binding, enter the MAC address, hostname and IP address and optionally enter a domain name, DNS servers and a default gateway.
  • Click “OK” when you’re done and click “Publish Changes” when it appears.

 

Enable/Disable DNS services & Configure DNS Services

Requirements:

  • Existing NSX Edge Services Gateway.

VMware Documentation: Configure DNS Servers

NSXs Edge Services Gateway can act as a DNS request relay service for the virtual machines inside the local network of the ESG. The ESG uses a DNS cache (by default 16MB) to cache DNS requests and keep them from going outside the network and prevent extra network traffic.

Configuring the DNS Service

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “Settings” sub-tab and select the “Configuration” sub-menu.
  • In the “DNS Configuration” table, click the “Change” link.
  • In the popup window, tick “Enable DNS service” and enter the DNS servers to which to forward the DNS requests to and a cache size in MB. Optionally enable logging.
  • Click “OK” when you’re done.

 

Add/Modify/Delete a Source NAT (SNAT) rule

Requirements:

  • Existing NSX Edge Services Gateway.

VMware Documentation: Add an SNAT Rule

To transition from an internal network to an external network, source NAT is usually used to mask the IP addresses in the internal network to the external IP address of the router that’s between the internal and external network. The ESG can perform this function as well, which allows the ESG to be used for internet connections or simply to mask certain networks (for example in case of overlapping subnets). Here’s how to mask an internal network:

Adding a SNAT rule

  • Then select the “NAT” sub-tab.
  • Click the “+” icon and select “Add SNAT Rule”.
  • In the popup window, select the external interface where this translation should apply, enter the original source IP address (or range) and enter the translated IP address (or range). Tick “Enabled” and optionally tick “Enable logging” and click “OK” when you’re done.
  • The “IP/Range” can have a few different value formats: Single IP: 192.168.0.135, IP Range: 192.168.0.135-192.168.0.136 or an IP Subnet: 192.168.0.0/24
  • Click “Publish Changes” to activate the source nat rule.

 

Add/Modify/Delete a Destination NAT (DNAT) rule

Requirements:

  • Existing NSX Edge Services Gateway.

VMware Documentation: Add a DNAT Rule

If your virtual network is closed off by the ESG by using source NAT to mask the internal IP addresses to the outside, destination NAT is a way to open up certain ports from the outside to the inside of the network. Usually used for services that need to be reachable from the public, such as mail servers, web applications, etc.

Adding a DNAT rule

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “NAT” sub-tab.
  • Click the “+” icon and select “Add DNAT Rule”.
  • In the popup window, select the outside interface in “Applied On:”, enter the outside IP address in “Original IP”, select the protocol (TCP, UDP, IP and a lot more), the destination port (or any port), then enter the destination IP address and port. Give the rule an optional description and tick “Enabled” and optionally tick “Enable logging” to log connections to this rule.
  • Click “OK” when you’re done and click “Publish Changes” when it appears.

 



Share the wealth!