NSX-T Layer 2 bridging - scenarios & use cases

    Layer 2 bridging is very useful feature of NSX-T, which provides connection to a VLAN backed port group or a device, such as a gateway, that resides outside of NSX-T DC environment. Useful scenarios, among others, are:

  • Workload migration from VLAN-backed to NSX overlay segment,
  • NSX-V to NSX-T migration in Customer environments,
  • Security features leverage using NSX-T Gateway firewall etc.

L2 bridging feature requires usage of Edge clusters and Edge Bridge profiles.

    Deployments should consider different options, with most important scenarios, for implementation below (this covers Edge VM deployment option as typical use case):

  • Edge VM on VSS portgroup --> promiscuous and forged transmit on portgroup REQUIRED / ESXi host (with Edge VM) command "esxcli system settings advanced set -o /Net/ReversePathFwdCheckPromisc -i 1" REQUIRED / Active and Standby Edge VMs should be on different hosts,
  • Edge VM on VDS 6.6 (or later) portgroup --> Enable MAC learning with the option "Allow Unicast Flooding" on the portgroup using VIM API DVSMacLearningPolicy and setting allowUnicastFlooding to TRUE,
  • Edge VM on VDS 6.5 (or later) portgroup --> same setup like in first option (VSS portgroup),
  • Edge VM on NSX-T segment --> new segment MAC discovery profile with MAC Learning and Unknown Unicast Flooding ENABLED / attach created segment profile to uplink segment used by Edge node VM
  • Don't forget to configure required bridge profile on your edge nodes, with attaching that profile to overlay segment inside NSX which you're bridging for specific VLAN.

    Regarding useful setup picture for testing/lab-ing purposes - something like this should help:


    Similar approach goes for direction where you're building NSX segment bridged inside regular VLAN, where you want to collect some physical/virtual workloads which needs to stay as part of that L2 domain.


Comments

Post a Comment

Popular posts from this blog

NSX ALB LetsEncrypt with DNS-01 challenge - BIND example

    In some of my previous posts, mentioned here LetsEncrypt script integration and Script parameter usage , I explained how useful it can be for NSX advanced load balancing solutions to utilise this kind of approach for free and automatic certificate manipulation, especially in environments with large number of web services inside. This approach utilises HTTP-01 based challenge with LetsEncrypt systems and L7 HTTP/S virtual services on NSX ALB side.     Now, from some time ago there is enhancement in this area, developed by official Avi Networks devops page, in terms of using DNS-01 challenge also. I tried on-prem option using Bind DNS as server which works very well.     Steps are pretty much similar to HTTP-01 option, which can be summarised as following:      - Create L7 virtual service with publicly available FQDN - certificates resolved can be in both options RSA or ECDSA, as configured during creation;        - Do...
Read more

VMware SD WAN - multiple locations - LAN IP address space overlapping with NAT

Image
     Different scenarios are possible in terms of routing, NAT-ing and IP overlapping setups using VMware Velocloud SD WAN technology in Customer environments.      Recently I had an PoC with my Customer for the on-prem option with this VMware solution, where different use cases were interesting to show and demonstrate - one of them is something I would like to share and it relates to possibility of LAN-side NAT on Edge (branch) locations, with purpose to have IP overlapped on these setups. Next picture is showing typical Hub&Spoke setup where it can be possible to make this type of configuration: Picture 1. VMware SD WAN lab on-prem environment     Basically thing which needs to be accomplished is appropriate NAT solution for LANs on every branch Edge which are and needs to be the same (192.168.1.0/24 in this example) - as it is shown on Picture 1.      Honestly speaking, NAT is not one of so powerful things insi...
Read more