The VMware NSX Platform – Healthcare Series Part 1 – Intro

At VMware, I’m part of a dedicated team of professionals that are focused solely on Healthcare organizations.  My role is around providing NSX specialist support to my customers.  If you’re in the Healthcare field, you know that Healthcare has a vastly different approach when it comes to business goals than, say, Financial or Retail.  Healthcare customers are focused on patient care, driving down costs, security of patient information, and how fast they can innovate their services to their patients. Healthcare also brings up interesting and different challenges from a business and use case perspective.  We believe that the NSX platform can help organizations with the business goals that matter to them, and more specifically we’re going to examine how Healthcare organizations can benefit.

The NSX platform is one of the three pillars in VMware’s Software-Defined Data Center (SDDC) approach.  When extended to our Compute virtualization platform, vSphere, and our Software Defined Storage platform, VSAN, the NSX platform provides the software networking portion of the infrastructure that allows an organization to drive Application-based policy through the entire infrastructure stack.


Similar to how vSphere disrupted the hardware compute business by removing the dependency on specific hardware to run application workloads, the NSX platform is doing the same for the networking hardware layer. We’re not saying the hardware layer is unimportant or irrelevant, but driving application-based policies through hardware intelligence is something that can often require specific and even proprietary hardware to accomplish.  With a software-defined approach, customers can choose the hardware of their choice and budget, layer on the same hardware intelligence through software products, and gain speed and agility, but not at the cost of security.  This means the focus of organizations moves to the application, where it should be, and less to the hardware-based infrastructure.

When looking at a Healthcare organization and asking how the NSX platform can help achieve their goals, we need to examine the NSX use cases and find out how they apply to a Healthcare organization.  The NSX platform provides several outcomes for organizations:



As you can see, the NSX platform is truly a strategic platform, and not simply a tactical solution for one business goal a customer wishes to accomplish.  The NSX platform extends into multiple areas of the infrastructure and customers are seeing tremendous benefits.  While some customers often start with a single use case, we’re seeing our customers immediately find other use cases for the product.  Over the next series of blog posts, we will be digging into each of the use cases for the NSX platform listed above and how these use cases are applying to Healthcare organizations.


New Home Lab Build

In previous iterations of my home lab, I’ve built on the premise of keeping things as close to a ‘production’ system as I could.  This meant running physical equipment and setting up scenarios with that line of thinking. It started with two physical hosts that I bought back in 2010 and then grew into the three vSAN nodes that I added in 2014, along with the Cisco 3750G switches that I added as well.  I managed to build out a dual-DC type of configuration and it worked great for quite a while.

Since joining VMware in late 2014, my lab has been satisfactory to keep my skills current.  As I made the transition to the Networking and Security Business Unit, NSBU, at VMware in January of 2016, the lab has been in need of some updating.  Recently I made a decision to build out a new home lab, this time consisting of high-end pieces and going with nesting.  I sold off my vSAN nodes, moved one of my old servers to be my wife’s new desktop (it’s still a badass for what she needs), and I got rid of the loud and power-hungry 3750G’s.  The result has been a dramatic reduction in heat and noise in my office, which is where I had to put my lab, as I’m not fortunate enough to have a basement where I can put this gear.

As I started going down the path of deciding what I wanted to build, I knew it had to be powerful, quiet, and as power-efficient as possible.  I wanted maximum capabilities to run multiple topologies and basically be an on-premises version of VMware’s OneCloud environment that we use for demos and testing.  With my new job in the NSBU and working with the VMware NSX platform, there are so many different use cases that I wanted to be able to set up and test out that my Healthcare customers may run into.  With some back and forth with my homeDC peer, Erik Bussink, I came up with a build that does just that.

The build consists of the following:

The best thing about this was I was able to sell all the other parts of my home lab and not have to add too much more cash to build this.  I got a really good deal on the NVMe drive off eBay as those can run as much as $2500 by themselves.

The rest of my lab consists of the following:

The result has been a new high-powered and fully capable lab system that meets all my requirements.




Managing Custom Services in NSX

I was working on some labs recently and creating custom services to block ports that may otherwise not exist in the NSX Service list. NSX allows you to create custom services in Firewall rules to block certain kinds of services. I was fumbling about in the interface trying to figure out where you can create these custom services, and also where the heck do I edit them after I’ve created them? Just a bit of background on what I’m talking about.

Services – NSX has out-of-the-box Services that can be used when creating Security Policies and Firewall rules for common types of services that may run in most datacenters. These can be used to Accept, Block, or Reject those types of service traffic with NSX. Here’s just a glimpse of the list. It’s quite extensive.


Service Groups – NSX has out-of-the-box Service Groups, which are groupings of common services that make up certain types of applications. You can see from this list what I’m referring to. Let’s take a look at SharePoint 2010. It has several services that can be grouped together to easily create one rule that encompasses all of the services associated with that application. This means when I want to set up a rule for that type of application service, I only have to create one rule to ‘rule’ the entire application. Beautiful!


As I was working through my lab and practicing making Security Policies and Service Groups using the Service Composer, I noticed that when I went to put in a service I wanted to block, that service wasn’t in the list. Nobody likes CIFS and I wanted to try and block it for a VM. So I figured I would just create a custom service for CIFS to block it. What I found was that CIFS wasn’t in the list. 😦


What I also found out is that you can’t create a custom service from Service Composer through the Security Policies Wizard. You can see from the shot below there’s no ‘New Service…’ link.


However, there is a ‘New Service…’ link when you edit a Firewall rule, as you can see here. I figured there had to be a better way to get my custom Service input without having to go through a Firewall rule to do it.


Never one to consult the documentation, because what fun is that, I went digging through the interface to find out where the custom service would show up and I found it!

The list of Services and Service Groups can be found by selecting NSX Managers > Click on the NSX Manager in the list > Manage > Grouping Objects > Service/Service Groups. From this interface I can create new services and new service groups as well as edit them. You can also edit the out-of-the-box policies.

According to this link, I can see what I need to help me in terms of ports and protocols.  Now I can create my custom service for CIFS. CIFS operates on both TCP and UDP 445, so I’m going to create a custom Service Group to encompass both of those into one easy group to make my rule with. But I first have to create both of the services I want to add to the group, one for TCP and one for UDP.



I can now add both of these to a new Service Group to be used in my Security Policy.


And now I can select it from the list when I create my Security Policy and all is well. Easy stuff.


What a year…

Yes I know there’s still a month left in the year.  To say this year was a great year would be a complete understatement. I made some hard promises to myself this year, and I’m really amazed where things have come and where they are going.

On the professional front –

I dug into Twitter and got involved. Apparently people think what I have to say is worthy enough to listen to. I do try and use Twitter to actually purvey worthy to read information and support for the community. There are the occasional ‘what beer I’m drinking’ tweets as well. Because beer is important.

I continued to blog as much as possible. Getting involved in Twitter and being inspired by the people around me caused my blog hits to skyrocket. They’re no top 50 blog types of numbers, but I’m proud that my blog has been helpful, or at least it appears that way, so I’m very happy that my efforts are finding their way to someone.

I decided to toss my hat into the Virtual Design Master competition. You can read more about that over in this thread, but it was nothing short of an amazing experience overall. It was well thought out, well executed, and just plain fun. I met some really great people in the competition and was fortunate enough to meet a few of them in person as well. I keep in touch with them frequently.

I started going to my VMUG meetings and treating them like normal business meetings. Doing this I made sure that VMUGs were used to learn and network with my peers and grow. Making them as important as a business meeting, it meant that I would make them mandatory to attend.

I was elected to the vExpert 2014 group. This was my first entry to the group and I was very surprised to see that I was brought in on my first go-around. It was great validation that what I was doing was recognized as helpful to a community that I wanted to be a part of. I’m proud to be involved in that program. It has led to talking on the vCommunity Roundtable about my VSAN homelab, which was an awesome experience.

I made PernixPro this last go-around. This is a company that is doing some amazing things, and if what I think their ultimate goal is comes to fruition, they’re going to floor the industry. Their product speaks for itself, and it works really, really well. Really great people in all the areas of their organization. I’m glad they found my contributions useful and invited me. Looking forward to seeing what they’ll do next.

On the personal front –

My wife and I celebrated our 8th wedding anniversary this year. If I said it was easy, I would be lying, but she has supported me and stood by me through everything and that’s saying a lot. I’m a lucky guy and I can’t wait to share another 8 (and then that’s enough I think) with her. Love ya baby!

My daughter celebrated her first birthday. No one can explain how much you’ll love a child until you actually have one. There’s really nothing like it and I wouldn’t change it ever. Every day it’s just amazing to watch what happens when she learns something new or does something and makes us laugh.

On December 30th, or before that maybe, my wife will be giving birth to our new daughter. We’re both really looking forward to meeting her and my oldest is ready as well. It’s yet another milestone for our little family and we’re both really excited, although I’m probably going to have to arm myself for when they start dating.

Last but definitely not least –

On December 15th I will be joining VMware as a Senior Systems Engineer for Healthcare. The decision to leave was very tough for me. I’ve been working with two of the same guys for 10 and 5 years respectively. You get used to how people work, and when you find that great collaboration, you accomplish great things and it becomes difficult to move on.  These people are my family away from my family and not just people I know or work with. But just like anyone you know that’s genuinely concerned about you as a person, they embraced my decision and they know it’s the right move and support me. You can’t ask for a better way to resign than when they truly wish you well.

As a job, this is a change for me professionally to move to the pre-sales side of the house. I have lived on the customer side for my entire career.  Having talked with my family and friends about it, I’m ready to take that next career step and this is going to be a really fun ride. VMware is a great organization and I’m extremely lucky and humbled to be invited to become part of that. I’m really looking forward to working with our products more in depth and seeing the future of the products from the inside, all while helping solve my customers’ toughest business challenges.

This has been an amazing year on all fronts. Thanks to everyone that’s been a part of the journey.  I’m a very fortunate guy and while it’s nice to reminisce on 2014, I’m really looking forward to what’s in store for 2015.

VCP-NV Blueprint Breakdown

I spent the last few weeks breaking down the VCP-NV v1.0 blueprint as best as I could. I wanted to share it with the community and hopefully it will help someone else out.

The blueprint is pretty extensive for a VCP level exam, but there are several sections that mirror sections in other blueprints. The tools provided in the blueprint document are very close to everything you would need to break it down. I found that some of the tools simply weren’t good enough to provide proper information, so I added links to them at the bottom of this post. I spent countless hours in the VMware Hands-on-Labs running through the NSX interface and CLI. I probably loaded HOL-SDC-1303 over 50 times all together. Bottom line, if you don’t have direct access to NSX, those HOLs will pretty much provide you with anything you need to do in the VCP-NV blueprint, other than deployment. I suggest going through those labs multiple times.

All in all, this is hopefully helpful to you in your studies. I’ll update the document as I catch things that are wrong or lacking.

You can find the breakdown here

Helpful sites –

Helpful HOL training –




Manually Register NetApp VSC on Win2k12 R2

I was doing some lab work today when I ran across an issue with Windows Server 2012 R2 and the NetApp Virtual Storage Console 5.0 installation. It appears that the VSC 5.0 installation doesn’t work out of the box or is not supported on Windows 2012 R2 just yet. Regardless of what the reason is, let’s make it work.

Run the installation for the VSC as you normally would. Select your options as necessary.

You’ll notice during the installation that the install will hang and then provide a warning about manually opening the page for registering the VSC with vCenter Server.

Attempts to browse to the site will turn up nothing.

In the VSC 5.0 Admin guide there’s a reference to manually registering the plugin with vSphere. You don’t actually have to do the entire procedure; you only need to perform a manual setup of the SSL certificate. You’ll first need to stop the following service:

Then you need to open an Administrative Command Prompt and run the following command:

vsc ssl setup -cn <insert vCenter Server FQDN>

This will bring up a prompt for a password for the keystore. By default, the first password is ‘changeit’. You need to enter your own password in the next prompt and you’ll be set.

You can now restart the service and attempt to register the plugin.

We should now be able to browse to the site and register the plugin with vCenter. ***Be sure to browse to ‘https://localhost:8141/Register.html’. Do not use a lowercase ‘R’ or you’ll get a 403 Forbidden page instead!***

Looks like we’re good to go.

Editing vmnic names – vSphere 5.5

One of my hosts in my lab had a bad NIC that I found the other day. It’s a quad port NIC and only two of the four ports were showing up. After some testing, I went ahead and replaced the NIC with a spare I had laying around and found that when I rebooted the server, the vmnics were completely out of whack on the host.

Doing some research I found a KB article explaining that changing the file was unsupported, but since this is a lab and that’s never stopped me in the past I went ahead and edited the esx.conf file anyway.

I’ve already fixed this issue on my lab server, so I went back and broke it again for demonstration purposes. As you can see the vmnic27 NIC is completely jacked up. It should be vmnic7 in our order. So let’s edit the esx.conf file and make it work.

The configuration file can be found at the following path on the ESXi host: /etc/vmware/esx.conf. Below are the excerpts from the esx.conf file where you need to make the appropriate changes to change the vmnic naming.

/vmkdevmgr/pci/s00000002:02.01/alias = "vmnic27"

/device/000:009:00.1/vmkname = "vmnic27"

/net/pnic/child[0014]/mac = "00:10:18:c0:f8:c6"
/net/pnic/child[0014]/virtualMac = "00:50:56:50:f8:c6"
/net/pnic/child[0014]/name = "vmnic27"

As you can see, there are three places in the file where the wrong name exists. We should double check to make sure that what we’re changing accurately reflects the true NIC we want to change. We’re looking for ‘00:10:18:c0:f8:c6’.

So we confirmed that this is in fact the correct NIC, as the MAC addresses coincide.

Note – if you have a dual or quad port NIC, ESXi numbers the vmnics based on slot and then appears to number by MAC address in order. As you can see above, the ports on the quad port NIC have the exact same MAC address with the exception of the last 2 hexadecimal characters. The lowest number in hex is the lowest vmnic number of that card, and it goes up until all are numbered. Does this make sense? Well, it does appear that way. If you take a look at the vmnics listed in the screenshot below, you can see that they correspond like this:

vmnic4 – 00:10:18:c0:f8:c0
vmnic5 – 00:10:18:c0:f8:c2
vmnic6 – 00:10:18:c0:f8:c4
vmnic7 – 00:10:18:c0:f8:c6 <- should be this but shows as vmnic27, because it’s broken

So the theory seems to hold up. You want to take this into consideration because I had more than one NIC that was screwed up because of an entire quad NIC change out. This meant I had to match MAC addresses to the vmnics to determine the order. Needless to say it was a mess, but I was able to correct it.

Now let’s fix it. Make a backup copy of the esx.conf file; call it esxoriginal.conf if you want. Then we make the changes to the sections of the esx.conf file, save it back to the host, and reboot.

/vmkdevmgr/pci/s00000002:02.01/alias = "vmnic7"
/device/000:009:00.1/vmkname = "vmnic7"
/net/pnic/child[0014]/mac = "00:10:18:c0:f8:c6"

/net/pnic/child[0014]/virtualMac = "00:50:56:50:f8:c6"

/net/pnic/child[0014]/name = "vmnic7"

Once the reboot is complete, we take a look at our network adapters in the vSphere Client, and we can see that vmnic7 has been restored to its proper name. Pretty simple.
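As an added example (not code from the post), here is a small Python helper that performs the same three-place rename on an esx.conf excerpt, but only after confirming that the MAC address belongs to the pnic child being renamed, and refusing a new name that some other entry already uses. The excerpt is the post’s own vmnic27 lines plus a constructed child[0013] entry for vmnic6 so the collision check has something to hit.

```python
import re

# esx.conf excerpt from the post (the broken vmnic27 entries), plus a constructed
# child[0013] entry for vmnic6 so the name-collision check below has something to hit.
ESX_CONF_EXCERPT = '''/vmkdevmgr/pci/s00000002:02.01/alias = "vmnic27"
/device/000:009:00.1/vmkname = "vmnic27"
/net/pnic/child[0014]/mac = "00:10:18:c0:f8:c6"
/net/pnic/child[0014]/virtualMac = "00:50:56:50:f8:c6"
/net/pnic/child[0014]/name = "vmnic27"
/net/pnic/child[0013]/mac = "00:10:18:c0:f8:c4"
/net/pnic/child[0013]/name = "vmnic6"
'''

LINE_RE = re.compile(r'^(?P<key>\S+) = "(?P<value>[^"]*)"$')
# The three key kinds that carry a vmnic name and must all agree after the edit.
NAME_KEYS = ("/alias", "/vmkname", "/name")


def parse_esx_conf(text):
    """Return (key, value) pairs for every key = "value" line, in file order."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group("key"), m.group("value")))
    return pairs


def current_name_for_mac(pairs, mac):
    """Look up the /net/pnic/child[N]/name whose sibling /mac equals the given MAC."""
    lookup = dict(pairs)
    for key, value in pairs:
        if (key.startswith("/net/pnic/child[") and key.endswith("/mac")
                and value.lower() == mac.lower()):
            return lookup.get(key[:-len("/mac")] + "/name")
    return None


def rename_vmnic(text, mac, new_name):
    """Rewrite alias, vmkname and pnic name for the NIC with this MAC.
    Returns (new_text, lines_changed). Refuses an unknown MAC or a taken name."""
    pairs = parse_esx_conf(text)
    old_name = current_name_for_mac(pairs, mac)
    if old_name is None:
        raise ValueError(f"no /net/pnic entry with MAC {mac}")
    if any(k.endswith(NAME_KEYS) and v == new_name for k, v in pairs):
        raise ValueError(f"{new_name} is already assigned in esx.conf")
    out, changed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("key").endswith(NAME_KEYS) and m.group("value") == old_name:
            line = f'{m.group("key")} = "{new_name}"'  # same key, corrected name
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed
```

Run it against a copy of esx.conf and diff the result against your backup before writing it back to the host.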