Principles
- Deploy a Cross-vCenter NSX environment
- Create and configure the Primary NSX Manager
- Create and configure the Secondary NSX Manager
- Migrate an NSX deployment to Cross-vCenter
- Create and configure Cross-vCenter components
- Universal Segment ID Pool
- Universal Transport Zone
- Universal Logical Switch
- Universal Distributed Logical Router
- Compare and contrast Local and Universal Firewall Rules
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- NSX Cross-vCenter Installation Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_cross_vc_install.pdf
- NSX vSphere API Guide
http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_604_api.pdf
Deploy a Cross-vCenter NSX environment
- Use Enhanced Linked Mode to simplify management of linked NSX installations
- All NSX Managers in an ELM deployment can be managed from a single pane of glass
Create and configure the Primary NSX Manager
- Deploy NSX Manager virtual appliance in the usual manner and connect to primary vCenter
- Ensure each NSX Manager has a unique UUID
- Automatic if deployed from OVA
- Same as template if cloned
- Therefore, always deploy from OVA
- View Node ID with REST API:
GET https://NSX-Manager-IP-Address/api/2.0/services/vsmconfig
e.g.
<vsmConfig>
  <biosUuid>564DB421-6C49-1487-3061-86FB7A21F81E</biosUuid>
  <nodeId>96a4b242-f5ad-4b97-b7bc-80f4d450165d</nodeId>
  <vsmUuid>564DB421-6C49-1487-3061-86FB7A21F81E</vsmUuid>
  <version>6.4.5.13282012</version>
</vsmConfig>
- Do not upgrade VMware Tools on the deployed appliance
- Deploy Universal NSX Controllers
- Once an NSX Manager is assigned the Primary Role its controllers become Universal
- No Controllers deployed on the Secondary managers
- Prepare Hosts and configure VXLAN in the usual manner
- Each NSX Manager must be registered with a separate vCenter
- UDP Port used for VXLAN must be the same for all managers
- Assign Primary NSX Manager Role: NSX -> Installation & Upgrade -> Management: Role
- All NSX Manager versions must match across the installation
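Added example (not from these notes or from VMware): before assigning roles, pull the vsmconfig document from every NSX Manager and confirm that no two managers share a nodeId (a cloned appliance does) and that all versions match. The manager hostnames, credentials and the sample replies are constructed assumptions; only the API path is from the notes.

```python
# Added example (not from the notes or VMware's tooling): verify that every NSX
# Manager about to join a Cross-vCenter deployment has a unique nodeId and the
# same version, by parsing each manager's GET /api/2.0/services/vsmconfig reply.
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

def parse_vsmconfig(xml_text):
    """Pull nodeId, biosUuid and version out of a vsmConfig document."""
    root = ET.fromstring(xml_text)
    return {tag: (root.findtext(tag) or "").strip()
            for tag in ("nodeId", "biosUuid", "version")}

def fetch_vsmconfig(manager, user, password, verify_tls=True):
    """Call the vsmconfig API on one manager (host and credentials are assumptions)."""
    req = urllib.request.Request(
        f"https://{manager}/api/2.0/services/vsmconfig",
        headers={"Accept": "application/xml",
                 "Authorization": "Basic " +
                 base64.b64encode(f"{user}:{password}".encode()).decode()})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab appliances with self-signed certificates
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode()

def check_managers(replies):
    """replies: {manager_name: vsmConfig XML}. Duplicate nodeIds mean a cloned
    appliance (same template UUID); a version mismatch blocks the secondary role."""
    by_node, versions = {}, set()
    for name, xml_text in replies.items():
        cfg = parse_vsmconfig(xml_text)
        by_node.setdefault(cfg["nodeId"], []).append(name)
        versions.add(cfg["version"])
    return {"duplicate_node_ids": {n: m for n, m in by_node.items() if len(m) > 1},
            "version_mismatch": len(versions) > 1}

# Constructed replies: nsxmgr-b was cloned from nsxmgr-a, so it repeats the nodeId.
SAMPLE = {
    "nsxmgr-a": "<vsmConfig><biosUuid>564DB421-6C49-1487-3061-86FB7A21F81E</biosUuid>"
                "<nodeId>96a4b242-f5ad-4b97-b7bc-80f4d450165d</nodeId>"
                "<version>6.4.5.13282012</version></vsmConfig>",
    "nsxmgr-b": "<vsmConfig><biosUuid>564DB421-6C49-1487-3061-86FB7A21F81E</biosUuid>"
                "<nodeId>96a4b242-f5ad-4b97-b7bc-80f4d450165d</nodeId>"
                "<version>6.4.5.13282012</version></vsmConfig>",
    "nsxmgr-c": "<vsmConfig><biosUuid>00000000-0000-0000-0000-000000000003</biosUuid>"
                "<nodeId>00000000-0000-4000-8000-000000000003</nodeId>"
                "<version>6.4.5.13282012</version></vsmConfig>",
}
```

Replace SAMPLE with `{name: fetch_vsmconfig(name, user, pw) for name in managers}` to run it against real appliances; an empty `duplicate_node_ids` and `version_mismatch == False` is the go/no-go for adding secondaries.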
Create and configure the Secondary NSX Manager
- All NSX Managers must be on the same version
- Up to 7 Secondary NSX Managers can be configured
- Secondary NSX Managers must not have any NSX Controllers deployed
- Manager Node ID must be unique
- The NSX Manager being assigned the secondary role must have the standalone or transit role
- Primary NSX Manager -> Installation & Upgrade -> Management
Select Primary Manager and: Actions -> Add Secondary NSX Manager
Migrate an NSX deployment to Cross-vCenter
- Deploy Secondary NSX Manager(s) with the same version as the Primary
- Make sure the node IDs are unique
- Configure Universal Segment IDs (ensure uniqueness)
- Delete any existing Controllers
- Add Secondary managers to the Primary
- Verify connectivity to existing Edges/DLRs on secondary NSX systems
- Configure Universal objects as needed
Create and configure Cross-vCenter components
Universal Segment ID Pool
- Max pool size = 10,000 (max port groups on a vDS)
- Segment IDs must not overlap across all vCenters in the environment
- Add a unique multicast address range (across all vCenters) if using Hybrid or Multicast replication
- A single multicast address can be added from the GUI – use API to add more
- Recommended multicast address range starts at 239.0.1.0/24
- Do not use 239.0.0.0/24 or 239.128.0.0/24 as the multicast address range as it’s used for local subnet control
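Added example (not from these notes or from VMware): a pre-flight check for the Universal Segment ID pool and its multicast range, applying the limits listed above: pool size at most 10,000, no overlap with any vCenter's local segment pool, and multicast ranges that are unique across vCenters and stay out of 239.0.0.0/24 and 239.128.0.0/24. The pool and range values are constructed inputs; the multicast check only matters when Hybrid or Multicast replication is in use.

```python
# Added example (not from the notes or VMware): validate a Universal Segment ID
# pool and multicast ranges against the Cross-vCenter constraints in the notes.
import ipaddress

MAX_POOL_SIZE = 10_000  # max port groups on one vDS
RESERVED_MCAST = [ipaddress.ip_network("239.0.0.0/24"),    # local subnet control
                  ipaddress.ip_network("239.128.0.0/24")]

def _overlaps(a, b):
    """True when the closed integer ranges a=(lo, hi) and b=(lo, hi) intersect."""
    return a[0] <= b[1] and b[0] <= a[1]

def check_segment_pools(local_pools, universal):
    """local_pools: {vcenter: (first_id, last_id)}; universal: (first_id, last_id)."""
    problems = []
    size = universal[1] - universal[0] + 1
    if size > MAX_POOL_SIZE:
        problems.append(f"universal pool holds {size} IDs, limit is {MAX_POOL_SIZE}")
    for vc, local in local_pools.items():
        if _overlaps(local, universal):
            problems.append(f"universal pool {universal} overlaps local pool {local} on {vc}")
    return problems

def check_multicast_ranges(ranges):
    """ranges: {name: (first_addr, last_addr)} for each vCenter plus 'universal'."""
    as_int = {n: (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
              for n, (lo, hi) in ranges.items()}
    problems, names = [], list(as_int)
    for i, name in enumerate(names):
        for net in RESERVED_MCAST:  # reserved for local subnet control
            if _overlaps(as_int[name], (int(net[0]), int(net[-1]))):
                problems.append(f"{name}: range lies inside reserved {net}")
        for other in names[i + 1:]:  # ranges must be unique across all vCenters
            if _overlaps(as_int[name], as_int[other]):
                problems.append(f"{name} and {other}: multicast ranges overlap")
    return problems

# Constructed inputs: the universal pool collides with vc-b's local pool, vc-a's
# multicast range sits in 239.0.0.0/24, and vc-b reuses the universal range.
LOCAL_POOLS = {"vc-a": (5000, 5999), "vc-b": (6000, 6999)}
UNIVERSAL_POOL = (6500, 16499)
MCAST_RANGES = {
    "vc-a": ("239.0.0.1", "239.0.0.255"),
    "vc-b": ("239.1.0.0", "239.1.0.255"),
    "universal": ("239.1.0.0", "239.1.0.255"),
}
```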
Universal Transport Zone
- Only one universal transport zone can be configured
- Created on primary and replicated to secondary managers
- Can span multiple vSphere clusters
Universal Logical Switch
- Configure Universal Logical Switches
- Select Universal transport zone to make a switch Universal
- IP Discovery:
- Minimises ARP flooding within a VXLAN
- Enabled by default
- Cannot be disabled on Universal VXLANs from GUI – only from API
- MAC Learning:
- Builds VLAN/MAC table on each vNIC and stored as part of dvfilter data
- Useful if using trunking vNICs (VGT)
Universal Distributed Logical Router
- Provides routing between universal networks
- Firewall rules apply to Control VM uplink interfaces only & do not affect the data plane
- If HA is enabled, ensure both edges are in the same vCenter
- A DLR can only be connected to VXLANs in one Transport Zone
Compare and contrast Local and Universal Firewall Rules
- Local rules can be configured independently on each NSX Manager
- Service Composer objects are local only
- Centralised Cross-vCenter DFW rules apply to all vCenter Servers in the environment
- Universal Rules automatically synchronised across all NSX Managers
- 1 x Universal L2 and 1 x Universal L3 DFW sections per environment
Universal Security Objects
- Universal IP Sets
- Universal MAC Sets
- Universal Security Groups
- Universal Services
- Universal Service Groups
Unsupported DFW features in a cross-vCenter environment
- Exclude List
- SpoofGuard
- Flow monitoring
- Network service insertion