Sunday, November 20, 2016

VCNS to #NSX upgrade (Spanish) Me and @J_Kolkes for #vBrownBag LATAM

End of support for VCNS was announced for September 2016. One of our vBrownBagLATAM members, Jorge Torres, was tasked with doing the upgrade to NSX and was getting conflicting information - the official docs said one thing and the actual AV product he was using was saying another thing, and he also needed to include a vSphere upgrade.

vBrownBag is a community of people helping each other learn. As such, we decided to do a session to review all of the documentation together and invited other experts to participate such as Elver Sena, author of the official VCP-NV book, and Stalin Pena, VCIX-NV. The result was the following session; I led by reviewing the main documentation available, Jorge did a specific session on his product and then we opened the conversation.

I'm happy to present this entry in this blog and introduce you to the world of vBrownBag if you didn't know about it!

Wednesday, November 2, 2016

Awesome community VCAP6-NV study guide by @clint_nz

I've been meaning to highlight the amazing work being done by Clinton Prentice, @clint_nz, at his blog. As you all probably know, the first VCIX-NV certification is being slowly replaced with deployment and design VCAP6 certifications, which when combined would then become the new VCIX-NV.

Clinton is going through the VCAP6-NV Deploy blueprint (1.2 from what I can tell) doing a blog (with practical demo!) for each of the blueprint items. It's phenomenal, difficult and time-consuming work, and I just want to make sure he gets the shout outs he deserves :) Definitely will be a shoo-in the next time vExpertNSX applications open!

You can see all his posts by accessing his tag directly:

As far as I know, this is the only public study guide on this new certification so far - not to take away from previous VCIX-NV study guides such as Iwan's

Wednesday, October 12, 2016

VMware NSX YouTube channel

I figured I hadn't showcased the VMware NSX YouTube channel. There are great videos in there that you can't find anywhere else, as well as in the main VMware channel. Pay attention also to their playlists, as they have great compilations that include videos that are not on their own channel but complement it, such as the OpenvSwitch videos with Ben Pfaff.

I leave you with this very fun "Introduction to NSX" video - can't believe this one is 3 years old!

Tuesday, September 13, 2016

Opinion - NSX's tipping point, aka, its first "vMotion"

As I study for my VCP6-NV (6.2) beta exam and I read Elver's excellent book, my thoughts wander off to the VMworld 2016 vExpert party and Pat Gelsinger explaining that he thought NSX hadn't reached its big "oh wow!" moment yet - like when you showed someone a vSphere vMotion for the first time.

The more I've thought about what would make that happen for me, I realize that I believe that NSX should control IPAM in an organization. Hear me out.

IPAM - IP address management - is a perennial challenge in organizations. Any request for a new server is waiting on three things - approval, assigning specifics and delivery. When it comes to assigning specifics, IPAM is a function that is either shared between network and sysadmin teams, or is owned by the networking team, with an enterprise solution deployed in the best cases, or an Excel file in a share in the worst cases. This is one of those things that I know very few organizations handle in exactly the same way today.

Lots of cloudy orgs use DHCP instead of static IPAM to avoid this time-consuming step - why waste time on IP address assignment, when it's just a number? However, the majority of enterprises are still managing static IP assignment and probably won't move to this DHCP model (for many valid, and traditional, reasons).

NSX has a phenomenal capability that most other networking products don't have: it has native and absolute connections to each server's OS thanks to VMware tools. That means that NSX could in theory always 1) know all the real IP addresses of a server 2) change the IP addresses as needed 3) confirm that IP addresses are available using ARP as well.

I bolded the word control in my statement above. I visualize an NSX-integrated IPAM solution where administrators never again have to set a static IP on a server. Once the VM is turned on and a nic is assigned, I envision NSX ensures the IP address on that VM and corrects/sets if it finds it to be non-compliant.

When your IP address management is tied to a solution that has the level of interaction that NSX has, talking about VLANs and IP addresses could become a thing of the past. This means you can gain the advantages of DHCP (just don't worry about assigning the IP addresses) while still having static addresses in your environment. It's a win-win scenario - no one can change an IP if it's not validated in the IPAM, and no one assigns an existing IP (or wrong IP address details, think of all the other things like DNS server information) that they shouldn't.

This, coincidentally, also makes changing things like the default gateway IP on a whole subnet of servers a breeze. Try to do that today in a 100% automated, "this will just work" manner, without spending a lot of planning, testing and resources!

The other side of the IPAM coin - another big thing - that NSX should potentially do is help, or fully control, DNS after an IP address change. Remember, NSX sees every packet out there. 

If we just let it help DNS (to appease MS AD for example), then I see it going like this. Sync operations after a change, in its default settings, can take a while, due to several things. NSX could inspect the packets and, since it knows the authoritative information thanks to it controlling IPAM, could even help DNS information to spread quickly, by doing things such as dropping outdated replies from DNS servers and prioritizing replies from updated ones.

If we let it fully control, then DNS sync operations become a thing of the past - with the level of effort that we push a change to each host's vib, the DNS information in the network is automagically updated. Wouldn't that be a sight! Would it be called Distributed DNS?

In essence, what I'm proposing is to let NSX take care of traditional "building block" services that a typical network needs. Why stand up DNS servers when each host can participate in a distributed and updated mesh that just provides that service? Why assign IP addresses when you have an underlying control plane that sees all traffic and can do it for you, in a much more reliable fashion than you could? This idea does not conflict with the NSX designs of today, where we manage the network's IP addresses in a control plane, and the actual workloads are in a different plane.

I'm sure there are many more services that are crucial in today's TCP/IP world that could potentially be integrated - network virtualization is simply that big of a deal. TCP/IP got to where it is today because of its robust survivability, but as many vendors with optimizations have shown us, there is both a functional and operational overhead that can be tweaked. That world is changing - we don't have to wait because of unknowns - with NSX, we know!

We can start abstracting more and more from the details and simplify. We already see this in the firewall rule making capabilities of NSX today, and I think the tipping point for NSX will be when the workload IP details will be a "worry of the past" - IP addressing and name resolution "just work".

Don't agree? Would love to hear your comments below, or through twitter!


Monday, September 12, 2016

NSX news you should not have missed (September 2016)

This is a very quick recap of some major events which have happened within the last few months regarding NSX:

1) The first major licensing change for NSX was announced back in May 2016. If you are buying NSX today, you should read KB 2145269. The typical customer that starts with micro-segmentation needs at least the Advanced tier, while customers upgrading from VCNS (which is no longer under support on September 19, 2016) can use the cheapest version of the product. This post by The Register is a nice summary.

2) NSX 6.2.3 was recalled as it had problems (KB 2146227 and KB 2146293 are two examples) that caused downtime. 6.2.4 was released shortly after to correct this, and customers were advised to skip 6.2.3. This link is great to keep up to date with any NSX KBs and issues:

3) VCP-NV exam news: the first version of the VCP-NV exam, VCPN610, was retired on November 30, 2015. The current version is called VCP6-NV and its code is 2V0-641. This is based on NSX v6.0. A new version of the exam, 2V0-642 which is based on NSX 6.2, is now in Beta (go to, head to the Pearson site using the new single sign on, and check under the Beta category). At a cost of only $50, it's worth taking, even if the timeline makes this more of a "practice run" than a serious study target.

4) The official study guide for the VCP6-NV 2V0-641 was officially released August 17. This book was written by Elver Sena Sosa, who I had the pleasure to meet in VMworld (more on that in another post). I bought my copy and had him sign it :)

Right now you can get it at a discount using this post-VMworld promotion:

If the promotion expires, you can also get it from my Amazon affiliate link below and you would automagically send me a very small cut of the sale price :)

vExpert NSX!

Last August 17 the vExpert NSX program was announced to the world. 

"vExpert NSX" is a sub-program within VMware's vExpert program - only current vExperts were allowed to apply. As a believer in the transformative power of NSX and network virtualization in general, and thanks to the VMUG/vBrownBag contributions and posts in this blog, my application was accepted and I am very proud to have been awarded this designation.

I believe I have a particular background which helps me help others with this topic:

  • I have a networking education background (took up to CCNP3 in my college years) in which I never had the opportunity to actually work in a dedicated fashion (i.e., I was never a network engineer; the closest was a Network Control Center engineer, which did give me access to routers and firewalls, but it was not my responsibility to design and do changes)
  • I enjoy networking in general. Currently I am a fan of the OpenvSwitch work that is entwined with cloud computing and OpenStack and is also related to NSX, and I've always had an admiration for the OpenBSD project, their pf firewall and their network implementations
  • My day to day role is a dedicated VMware engineer serving a large enterprise environment - and I'm busy! So my posts won't be fluff :)
  • I speak both English and Spanish fluently and enjoy making connections in the vCommunity

Taking these things into consideration - things I'd already covered somewhat in the mission for this blog - I gladly accept the vExpert NSX award and further commit to help others in learning and adopting NSX and related technologies. I will blog in both English and Spanish as the content becomes available, with a focus on not repeating what is widely available but highlighting relevant news that should not be missed, covering certification exams, and taking you along on my journey.

As always feel free to reach out on twitter and let me know if I can help!

Friday, June 17, 2016

NSX 6.2.3 and some exciting news for current customers with access to vShield

NSX 6.2.3 was released June 9. It's really an important release, although not a major one. I think a lot of the features are being added in response to actual customers hitting deployment limitations that no one had bothered to finish implementing. You can check the full release here

Some of the more important updates were:

  • Change in the VXLAN UDP port from 8472 to 4789
  • Hardware VTEP
  • Lots of UI & management enhancements
  • Log Insight for NSX now available

However, there is one big consequence that ended up being quite the nice surprise.

Change in default license & evaluation key distribution: default license upon install is "NSX for vShield Endpoint", which enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only. Evaluation license keys can be requested through VMware sales.

What this means is huge. If you had vShield in your organization, the upgrade path is NSX. Since you had access to vShield before, you get access to NSX now.

Note: vShield isn't a high requirement. vShield Endpoint is part of Essentials Plus and up. Most enterprise vSphere customers will now see the NSX 6.2.3 download available if they look for the vSphere binaries, even if they choose version v5.5 (that is still the minimum, but please install the latest for your labs).

With this, the "floodgates" have opened and many more people have access to the NSX bits. You still need a real license to play with all the features, but at least the NSX OVA is in your hands and you can start deploying it and learning.

One can expect to see more NSX content out there, and also, I would think a lot of content and community presentations for people upgrading from vShield to this new NSX level.

I think VMware has released this at a good time and hopefully soon I'll add my grain of salt and help everyone that came from being a vSphere admin in learning NSX.

Thursday, June 9, 2016

Exam Tips - VCAP6-NV Deploy with Gabriel Maciel @gmaciel_ca

Gabriel Maciel is one of the smartest NSX engineers that VMware has and part of a "Dream Team" of Latin American NSX experts such as Elver Sena, Raymundo Escobar and Stalin Pena. Particularly for the VCAP6-NV Deploy, you will notice Gabriel is one of the exam contributors so heed any advice he gives out (without breaking NDA of course!).

Today he presented "Section 7 - Perform Advanced VMware NSX Troubleshooting" in the LATAM chapter of @vBrownBag. Once the video is live I'll embed it into this post. The presentation is in Spanish but the advice is universal :D

Here are some of the tips covered for the exam in this session in written form:

  • HOL 1625 has everything you need to study for this topic
  • The documentation is your best friend:
  • Apart from the Troubleshooting Guide mentioned in the blueprint, make sure to also study the Command Line Interface Reference manual! CLI is very important for both the exam and real life.
  • Learn how to check Manager and Cluster Health through GUI
  • Take advantage of Central commands that show information for the whole NSX deployment (new in 6.2)
  • Learn how to check common controller issues, such as lack of space, a wrong deployment network, or an exhausted IP pool!
  • Don't erase a failed controller unless 1) your other two have majority 2) you've already opened a case with GSS and uploaded logs 3) all other options are exhausted. There is normally a bigger problem that is manifested as a problem in the controller, so that needs to be fixed first.
  • Very important to understand the limits that transport zones represent. Make sure the correct clusters are members. This ties in with cross-vCenter NSX in Section 6.
  • Take advantage of the GUI troubleshooting tools to check for Flows and Logs, but be comfortable with the CLI options as well. Most networking guys will be happy that there is a CLI option to check all firewall rules applied to an interface or load balancer details.
  • For Section 7.3 search for "service" in the CLI Reference and learn and practice the commands in the mentioned HOL.
  • Gabriel keeps a document with all his frequently used commands - he graciously shared it with us for all vBrownBag listeners. You can download this document here.

Friday, May 20, 2016

NSX Socialab NYC 05-2016

This was a cool session. I was able to see Prabhu Barathi and Mike Fortuna (sorry, no twitter, please remind him about that) again after seeing them in the last VMUG and meet other VMware administrators who were eager to learn about NSX. I also got to meet Julie Starr, who is a firewall specialist inside the NSX team (I put some of her blog posts here).

The dynamics consisted of VMware employees giving you a more technical presentation than you would get at a VMUG, with people testing out the homelabs, and basically answering every question that came up. This is actually very important, because the people that showed up (over 100 signed up, we had three simultaneous classes on this date) have different backgrounds: from CCIE or firewall specialists with no VMware experience, to students that are just learning about VMware. The work of teaching and explaining about NSX is quite difficult since it encompasses so many skills until you get the "aha" moment.

The website that features the Hands On Labs is . You can create an account and possibly also have these HOLs count for (this is a great list of all the NSX tasks ).

Some excellent tips for the labs:

1) Increase the Hands on Labs VM resolution. By default it's not set to the maximum!

2) Use the "More Options" on the Manual and select Split Screen

Tell it to send the manual link to your e-mail. This is a special link that gives you the manual in full screen (without the whole HOL)

3) HOL documentation in PDF and HTML format is also available at

Tuesday, May 17, 2016

How I would explain NSX to a colleague in 10 minutes

I just came back from manning the Q&A interface on the Mission VMUG event. I was able to translate my VMUG presentation into Spanish and join 5 other friends. I'm switching to Spanish now.

Hello friends from Latin America! It was an honor to participate in this event's community sessions. It was a lot of fun coordinating among all of us to secure this opportunity to present at a global VMUG event in Spanish!

I recorded two sessions, "How I would explain NSX to a colleague in 10 minutes" and "Join the virtual community!". I'm leaving the presentations here so you can make use of the links :)

Here are the Twitter handles of all the Spanish-language presenters:

Tuesday, May 3, 2016

NYC VMUG April 2016 presentation "How I would explain NSX to a friend in 10 minutes"

I did a small presentation on "How I would explain NSX to a friend in 10 minutes" because I found out that explaining NSX to a fellow VMware administrator was not something that could be done in a few sentences. I would add a bit more today - for example, I'd like to add the convenience of having the VM's networks defined virtually and not needing to trunk a new VLAN into the hosts whenever you need to create a new subnet.

It was a great "tee up" to VMware's @prabhu_b and Michael Fortuna who gave an excellent (and more in depth) session.

The full ppt is available here and hopefully I will get a video of it soon. 

My friend @stalin_pena snagged a pic for me (you can see @GregLaub next to me) and we sent it out the @nycvmug handle as well :D

Tuesday, April 12, 2016

Why network virtualization changes the security game

I recently gave a VMUG presentation - the concept was doing an introduction to NSX to a friend. One of the slides highlights that the context from which you can manage changes from being what the network sees to what the VMware admin sees - which is quite a lot more.

I found this video by the great Martin Casado and I think it's a perfect short snippet of this idea and thought to share here.

Friday, January 29, 2016

Getting VCP-NV without taking the required class through the CCNA/CCNP program

Please check out this blog entry from VMware Education and Certification.

You still have to take the VCP-NV exam but if you have an active CCNA/CCNP you don't need to go to the required class to achieve the certification. There is now no time limit on this path. This is significantly cheaper :)

Thursday, January 28, 2016

Free eBook - NSX for vSphere - A Foundation of the SDDC

Earlier this month the following very smart guys (I put their twitter links so you can follow them) released a free ebook for learning and implementing NSX:

Prasenjit Sarkar and his blog
Michael Haines (same blog as Prasenjit)
Roie Ben Haim and his blog
Anuj Modi and his blog
Ajit Sharma and his blog

The book is totally DIY - they just made a PDF with no publisher, no copyright - grab this knowledge source and learn. You have to admire them because co-authoring a book is never easy and it's more than 200 pages.

I've seen two links to the book - I leave them both in case one doesn't work in the future

I'm going to start reading - you should too :D

Don't forget to also check for the release of the official VCP-NV book coming soon from

Elver Sena Sosa - blogs at

I leave my affiliate link (if you buy it through here I get a cut) to Amazon: