Objective 8.2 – Determine Cross-vCenter Requirements and Configurations


  • Deploy a Cross-vCenter NSX environment
    • Create and configure the Primary NSX Manager
    • Create and configure the Secondary NSX Manager
  • Migrate an NSX deployment to Cross-vCenter
  • Create and configure Cross-vCenter components
    • Universal Segment ID Pool
    • Universal Transport Zone
    • Universal Logical Switch
    • Universal Distributed Logical Router
  • Compare and contrast Local and Universal Firewall Rules


  1. NSX Administration Guide


  1. NSX Cross-vCenter Installation Guide


  1. NSX vSphere API Guide


Deploy a Cross-vCenter NSX environment

  • Use Enhanced Linked Mode to simplify management of linked NSX installations
  • All NSX Managers in an ELM deployment can be managed from a single pane of glass

Create and configure the Primary NSX Manager

  1. Deploy NSX Manager virtual appliance in the usual manner and connect to primary vCenter
  2. Ensure each NSX Manager has a unique UUID
    1. Automatic if deployed from OVA
    2. Same as template if cloned
    3. Therefore, always deploy from OVA
  3. View Node ID with REST API:

GET https://NSX-Manager-IP-Address/api/2.0/services/vsmconfig








  1. Do not upgrade VMWare tools on deployed appliance
  2. Deploy Universal NSX Controllers
    1. Once an NSX Manager is assigned the Primary Role its controllers become Universal
    2. No Controllers deployed on the Secondary managers
  3. Prepare Hosts and configure VXLAN in the usual manner
  4. Each NSX Manager must be registered with a separate vCenter
  5. UDP Port used for VXLAN must be the same for all managers
  6. Assign Primary NSX Manager Role: NSX -> Installation & Upgrade -> Management: Role
    1. All NSX Manager versions must match across the installation

Create and configure the Secondary NSX Manager

  1. All NSX Managers must be on the same version
  2. Up to 7 Secondary NSX Managers can be configured
  3. Secondary NSX Managers must not have any NSX Controllers deployed
  4. Manager Node ID must be unique
  5. The NSX Manager being assigned the secondary role must have the standalone or transit role
  6. Primary NSX Manager -> Installation & Upgrade -> Management

Select Primary Manager and: Actions -> Add Secondary NSX Manager

Migrate an NSX deployment to Cross-vCenter

  • Deploy Secondary NSX Manager(s) will same version as the Primary
  • Make sure the node IDs are unique
  • Configure Universal Segment IDs (ensure uniqueness)
  • Delete any existing Controllers
  • Add Secondary managers to the Primary
  • Verify connectivity to existing Edges/DLRs on secondary NSX systems
  • Configure Universal objects as needed

Create and configure Cross-vCenter components

Universal Segment ID Pool

  • Max Pool side = 10,000 (max vDS port groups on a vDS)
  • Segment IDs must not overlap across all vCenters in the environment
  • Add a unique multicast address range (across all vCenters) if using Hybrid or Multicast replication
  • A single multicast address can be added from the GUI – use API to add more
  • Recommended multicast address range starts at
  • Do not use or as the multicast address range as it’s used for local subnet control

Universal Transport Zone

  • Only one universal transport zone can be configured
  • Created on primary and replicated to secondary managers
  • Can span multiple vSphere clusters

Universal Logical Switch

  • Configure Universal Logical Switches
  • Select Universal transport zone to make a switch Universal
  • IP Discovery:
    • Minimises ARP flooding within a VXLAN
    • Enabled by default
    • Cannot be disabled on Universal VXLANs from GUI – only from API
  • MAC Learning:
    • Builds VLAN/MAC table on each vNIC and stored as part of dvfilter data
    • Useful if using trunking vNics (VGT)

Universal Distributed Logical Router

  • Provides routing between universal networks
  • Firewall rules apply to Control VM uplink interfaces only & do not affect the data plane
  • If HA is enabled, ensure both edges are in the same vCenter
  • A DLR can only be connected to VXLANs in one Transport Zone

Compare and contrast Local and Universal Firewall Rules

  • Local rules can be configured independently on each NSX Manager
  • Service Composer objects are local only
  • Centralised Cross-vCenter DFW apply to all vCenter Servers in the environment
  • Universal Rules automatically synchronised across all NSX Managers
  • 1 x Universal L2 and 1 x Universal L3 DFW sections per environment

Universal Security Objects

  • Universal IP Sets
  • Universal MAC Sets
  • Universal Security Groups
  • Universal Services
  • Universal Service Groups

Unsupported DFW features in a cross-vcenter environment

  • Exclude List
  • SpoofGuard
  • Flow monitoring
  • Network service insertion