After configuring NSX, complete the configuration procedure on Arista CloudVision eXchange (CVX) to enable CVX to interact with NSX.

Prerequisites

NSX has registered the CVX as an enforcement point.

Procedure

  1. Log in to NSX Manager as a root user and run the following command to create a thumbprint for CVX to communicate with NSX Manager:
    openssl s_client -connect <IP address of nsx-manager>:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl base64
    Sample output:
    depth=0 C = US, ST = CA, L = Palo Alto, O = VMware Inc., OU = NSX, CN = nsx-mgr
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = CA, L = Palo Alto, O = VMware Inc., OU = NSX, CN = nsx-mgr
    verify return:1
    writing RSA key
    S+zwADluzeNf+dnffDpYvgs4YrS6QBgyeDry40bPgms=
  2. Run the following commands from the CVX CLI:
    cvx
    no shutdown
    service pcs
    no shutdown
    controller <IP address of nsx-manager>
    username <NSX administrator user name>
    password <NSX administrator password>
    enforcement-point cvx-default-ep
    pinned-public-key <thumbprint for CVX to communicate with NSX Manager>
    notification-id <notification ID created while registering CVX with NSX>
    end
    
  3. Run the following command from the CVX CLI to check the configuration:
    show running-config
    Sample output:
    cvx
       no shutdown
       source-interface Management1
       !
       service hsc
          no shutdown
       !
       service pcs
          no shutdown
          controller 192.168.2.80
          username admin
          password 7 046D26110E33491F482F2800131909556B
          enforcement-point cvx-default-ep
          pinned-public-key sha256//S+zwADluzeNf+dnffDpYvgs4YrS6QBgyeDry40bPgms=
          notification-id a0286cb6-de4d-41de-99a0-294465345b80
  4. Configure a tag on the Ethernet interface of the physical switch that connects to the physical server. Run the following commands on the physical switch managed by CVX:
    configure terminal
    interface ethernet 4
    tag phy_app_server
    end
    copy running-config startup-config
    Copy completed successfully.
  5. Run the following command to verify tag configuration for the switch:
    show running-config section tag
    Sample output:
    interface Ethernet4
       description connected-to-7150s-3
       switchport trunk allowed vlan 1-4093
       switchport mode trunk
       tag sx4_app_server
    

    IP addresses that are learnt on the tagged interfaces, using ARP, are shared with NSX.

  6. Log in to NSX Manager to create and publish firewall rules for the physical workloads managed by CVX. See Security for more information on creating rules. For example:

    [Figure: NSX Manager firewall rules created for CVX.]

    NSX policies and rules published in NSX appear as dynamic ACLs on the physical switch managed by CVX.

    [Figure: Policies and rules from NSX as they appear in the physical switch managed by CVX.]

    For more information, see CVX HA set up, CVX HA Virtual IP setup, and Physical Switch Mlag Setup.
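
The thumbprint created in step 1 is the base64-encoded SHA-256 hash of the certificate's public key (its DER SubjectPublicKeyInfo), so it can be rechecked at any time against the pinned-public-key line shown in step 3, for example after the NSX Manager certificate is replaced. The shell functions below are an added example, not part of the VMware or Arista documentation; nsx-mgr.pem and cvx-running-config.txt are assumed local copies of the NSX Manager certificate and of the CVX show running-config output.

```shell
#!/bin/sh
# Added example: compare the SPKI pin of a certificate with the pin stored
# in a saved CVX running-config. File names are assumptions, not product paths.

# spki_pin CERT.pem -> base64(SHA-256(DER SubjectPublicKeyInfo))
# "openssl pkey" replaces the "openssl rsa" stage of step 1 so that
# non-RSA keys are handled too. The public key is captured first: if the
# certificate cannot be read, the pipeline would otherwise hash empty input
# and still print a well-formed but meaningless pin.
spki_pin() {
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$pub" ] || return 2
    printf '%s\n' "$pub" | openssl pkey -pubin -outform der 2>/dev/null |
        openssl dgst -sha256 -binary | openssl base64
}

# config_pin FILE -> value after "sha256//" on the first pinned-public-key line
config_pin() {
    sed -n 's|^[[:space:]]*pinned-public-key[[:space:]][[:space:]]*sha256//\([A-Za-z0-9+/=]*\)[[:space:]]*$|\1|p' \
        "$1" 2>/dev/null | head -n 1
}

# check_pin CERT.pem CONFIG
# returns 0 = pin matches, 1 = mismatch, 2 = certificate or pin not readable
check_pin() {
    want=$(config_pin "$2")
    [ -n "$want" ] || return 2
    have=$(spki_pin "$1") || return 2
    if [ "$want" = "$have" ]; then
        echo "OK: pinned key matches certificate ($have)"
    else
        echo "MISMATCH: config pins $want, certificate has $have" >&2
        return 1
    fi
}

# Script usage (assumed file names):
#   sh check_cvx_pin.sh nsx-mgr.pem cvx-running-config.txt
if [ $# -eq 2 ]; then
    check_pin "$1" "$2"
fi
```

A mismatch means CVX is pinned to a different key than the one in the certificate file, which is expected after a certificate replacement on NSX Manager and should be investigated otherwise.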