vSphere with Tanzu - Zero Trust with NSX-T DFW

To enable zero trust for the Supervisor Cluster and the guest cluster, you need to first define a default deny-all rule in the NSX-T distributed firewall. You can then allow the required ports as per https://ports.esp.vmware.com/home/vSphere-7 (filter with the keyword “Tanzu”). The problem? vSphere with Tanzu expects to have a default allow-all rule, specifically for egress (source is the Master VM subnet and destination is the whole cluster CIDR block). After enabling zero trust, the default deny-all rule blocks both ingress and egress traffic....

October 10, 2021 · 6 min · Jahnin Rajamoni

vSphere with Tanzu - Creating a Tanzu Kubernetes Cluster fails - Failed to deploy OVF package.

Creating a Tanzu Kubernetes Cluster fails. In vCenter Server, the resource pool gets created under the namespace resource pool. However, the control plane/worker VMs do not get created. The OVF deployment starts but fails and is in a constant loop with the error “Failed to deploy OVF package”. Looking at the vpxd logs in vCenter Server, the error was: info vpxd[63733] [Originator@6876 sub=Default opID=62236dfd] [VpxLRO] -- ERROR lro-43350730 -- task-637327 -- vim....

August 21, 2021 · 1 min · Jahnin Rajamoni

vSphere with Tanzu and NSX-T - Enable workload management - Stuck configuring

If you run into any issue where the config status is stuck in the “configuring” state, one of the first things to check is the wcpsvc log on the vCenter appliance here: /var/log/vmware/wcp/wcpsvc.log. Interestingly, I ran into an issue where the logs were complaining about authorization. You will probably see the following events in a loop: 2021-05-30T11:48:11.077Z error wcp [kubelifecycle/spherelet.go:923] [opID=domain-c8-host-28] **Failed to get Kubernetes cluster node list: Unauthorized** 2021-05-30T11:48:11.078Z error wcp [kubelifecycle/node_controller....

May 31, 2021 · 2 min · Jahnin Rajamoni

NSX-T Edge Tunnels down

I ran into the same issue as described by Eric Sloof: https://www.ntpro.nl/blog/archives/3570-Edge-Tunnels-Down-when-hosting-NSX-T-on-the-same-DVS.html The problem I had was that I did not have enough uplinks to create a new dvSwitch to get the tunnel to work. For the tunnel to work, the Geneve traffic has to leave the host and get routed back in. I had a layer 3 physical switch and decided to make use of inter-VLAN routing. Once logged into the switch:...

August 24, 2020 · 1 min · Jahnin Rajamoni

Creating a t0 edge in NSX-T to connect an internal physical network to an external physical network

Some notes from a recent lab I configured. My current lab looks like this:
- I have a few production VMs in one VLAN segment.
- External network access and Internet access is through another VLAN segment.
- There is a jumpbox VM that is uplinked to both VLAN segments.
- VMware vDS is currently being used and there are no free uplinks to make use of N-VDS.
What do I want to accomplish?...

July 20, 2020 · 3 min · Jahnin Rajamoni