NSX-V Segment ID Pool Migration

This procedure is based on KB 57844.
When the segment ID pool range of one environment (one vCenter Server) overlaps with that of another environment (a second vCenter Server), this is the full process for migrating the current working objects (VMs, NSX Edges, Logical Routers, Logical Switches) to a new segment ID pool:


I. Prerequisite

0. Suppress monitoring for the vCD cells, the vCenter Server and the NSX Manager

1. Upgrade all components to 6.4.4: NSX Manager, NSX Controllers, host agents, Edge Gateways

2. Stop the backups (if they are using the vCenter server API)

3. Set up Postman

3.1. Download and start Postman

3.2. Create a request

3.3. Headers > Key "Content-Type" > Value "application/xml"

3.4. Authorization > Basic Auth > username "admin" > password

3.5. File > Settings > Turn off "SSL Certificate Verification"

4. Stop the vCenter Server operations from vCD: log in to vCD (https://yourowncloud.com): Manage & Monitor > vCenters > Right click on the vCenter server > Disable

5. Change cluster DRS configuration from Fully Automated to Manual

6. Gather information (with PowerShell) into a CSV file about all NSX objects which will be migrated: Logical Switches, Logical Routers, Edges, VMs, etc. (the script below only collects data):

[CmdletBinding(PositionalBinding=$false)]
Param (
    [parameter(Position = 0, Mandatory = $false)]
    [string]$VIServer = "YOURCLOUDVCR01.local",
    [string]$PathExportNsxLogicalSwitch = "C:\Support\Scripts\NSX\NSXReport.csv",
    [string]$PathExportNsxLogicalRouter = "C:\Support\Scripts\NSX\NSXLogicalRouter.csv"
)

begin
{
    If ( ! (Get-Module PowerNSX )) {
        Import-Module PowerNSX
    }

    # connecting to the NSX server
    $connection = Connect-NSXServer -vCenterServer $VIServer
    $defaultNsxConnection = $connection
    $defaultViServer = $connection.viConnection
}

process
{
    # Getting NSX Edge information
    $getEdge = Get-NsxEdge | Get-NsxEdgeInterface
    $edge = $getEdge | select name,edgeId,portgroupName
    $edgeEdgeSub = $getEdge | Get-NsxEdgeSubInterface

    # Getting NSX Logical Router information
    $getNsxLogicalRouter = Get-NsxLogicalRouter | Get-NsxLogicalRouterInterface | select connectedToId,logicalRouterId,connectedToName,type

    $output = foreach ( $ls in Get-NsxLogicalSwitch ) {
        $pg = $ls | Get-NsxBackingPortGroup
        foreach ( $portgroup in $pg) {
            $vm = $portgroup | Get-VM
            foreach ( $virtualmachine in $vm) {
                $vlookup = $edge | where {$_.portgroupName -like $ls.name}
                $vlookupEdgeSub = $edgeEdgeSub | where {$_.logicalSwitchName -like $ls.name}
                $VMdetails = (Get-VM $virtualmachine.name | Get-NetworkAdapter | where {$_.NetworkName -like $portgroup.name})

                [pscustomobject]@{
                    "vCenter" = $defaultViServer.name
                    "NSX" = $defaultNsxConnection.server
                    "LS_ObjectID" = $ls.objectId
                    "LS_Name" = $ls.name
                    "LS_vdnId" = $ls.vdnId
                    "EdgeID" = $vlookup.edgeId
                    "EdgeVNIC" = $vlookup.name
                    "EdgeTrunk_LS_ID" = $vlookupEdgeSub.logicalSwitchId
                    "EdgeTrunk_LS_Name" = $vlookupEdgeSub.logicalSwitchName
                    "EdgeTrunk_LS_isConnected" = $vlookupEdgeSub.isConnected
                    "LS_tenantId" = $ls.tenantId
                    "BackingPortGroup" = $portgroup.name
                    "VirtualMachine" = $virtualmachine.name
                    "VirtualMachineNICname" = $VMdetails.name
                    "VirtualMachineNICmac" = $VMdetails.MacAddress
                } # END pscustomobject
            }
        }
    }

    $getNsxLogicalRouter | Export-Csv $PathExportNsxLogicalRouter -NoTypeInformation
    $output | Export-Csv $PathExportNsxLogicalSwitch -NoTypeInformation
}

end
{
    Disconnect-NsxServer
}

II. Migration

1. Create a new non-overlapping Segment Range using Postman (Body > raw):

POST https://10.10.10.40/api/2.0/vdn/config/segments

<segmentRange>

<name>DATACENTER</name>

<begin>10001</begin>

<end>20000</end>

</segmentRange>

Note the segment range "id" (let's call it newRangeId) returned in the response payload.

2. A GET on segments (using Postman) also returns the segment range "id":

GET https://10.10.10.40/api/2.0/vdn/config/segments

It returns <newRangeId> here.

Example output:

<segmentRanges>

  <segmentRange>

    <id>1</id>   <- this is the ID to use in step 4.

    <name>5000-5999</name>

    <begin>5000</begin>

    <end>5999</end>

    <isUniversal>false</isUniversal>

    <universalRevision>0</universalRevision>

  </segmentRange>

</segmentRanges>

3. Disconnect Edges, VMs, vNIC from the dvpg (LogicalSwitch) by following the steps below:

3.1. Before any deletion, every logical switch connection should be written down (VMs, Edges):

3.1.1. Home > Network and Security > Logical Switches > take screenshot of Logical Switch ID, Segment ID, Name > Click on the logical switch > Related Objects > take screenshot of Edge tab, VMs tab

3.1.2. Home > Network and Security > Edge Gateways > Click on the Edge (or Logical Router) > Manage > Settings > Interfaces (take a screenshot & write down the information inside the edit menu)

3.1.3. Based on the logical switch ID go to network port group and take a screenshot of the VMs: Home > Networking > portgroup name > VMs

3.2. Remove and disconnect the related objects:

3.2.1. Home > Network and Security > Logical Switches > Select each logical switch > Related Objects > Actions > Remove VM > Select all the VMs in the list > Remove

# DisconnectNic is taken from the PowerNSX module
function DisconnectNic {
    param (
        $nic,
        $WaitTimeout = 90,
        # $Confirm and $FailOnTimeout are used below but were not declared; both default to off.
        [switch]$Confirm,
        [switch]$FailOnTimeout
    )

    #See NSX API guide 'Attach or Detach a Virtual Machine from a Logical Switch' for
    #how to construct NIC id.
    $vmUuid = ($nic.parent | get-view).config.instanceuuid
    $vnicUuid = "$vmUuid.$($nic.id.substring($nic.id.length-3))"

    #Construct XML
    $xmldoc = New-Object System.Xml.XmlDocument
    $xmlroot = $xmldoc.CreateElement("com.vmware.vshield.vsm.inventory.dto.VnicDto")
    $null = $xmldoc.AppendChild($xmlroot)
    Add-XmlElement -xmlRoot $xmlroot -xmlElementName "objectId" -xmlElementText $vnicUuid
    Add-XmlElement -xmlRoot $xmlroot -xmlElementName "vnicUuid" -xmlElementText $vnicUuid
    Add-XmlElement -xmlRoot $xmlroot -xmlElementName "portgroupId" -xmlElementText ""

    #Do the post
    $body = $xmlroot.OuterXml
    $URI = "/api/2.0/vdn/virtualwires/vm/vnic"

    if ( $Confirm ) {
        $message  = "Disconnecting $($nic.Parent.Name)'s network adapter from a logical switch will cause network connectivity loss."
        $question = "Proceed with disconnection?"

        $choices = New-Object Collections.ObjectModel.Collection[Management.Automation.Host.ChoiceDescription]
        $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Yes'))
        $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&No'))

        $decision = $Host.UI.PromptForChoice($message, $question, $choices, 1)
    }
    else { $decision = 0 }

    if ($decision -eq 0) {
        Write-Progress -Activity "Processing" -Status "Disconnecting $vnicuuid from logical switch"
        $response = invoke-nsxwebrequest -method "post" -uri $URI -body $body -connection $connection
        Write-Progress -Activity "Processing" -Status "Disconnecting $vnicuuid from logical switch" -Completed

        $job = [xml]$response.content
        $jobId = $job."com.vmware.vshield.vsm.vdn.dto.ui.ReconfigureVMTaskResultDto".jobId

        Wait-NsxGenericJob -Jobid $JobID -Connection $Connection -WaitTimeout $WaitTimeout -FailOnTimeout:$FailOnTimeout
    }
}

#vCenter Connection and Path to file
$VIServer = "YOURCLOUDVCR01.local"
$connection = Connect-NSXServer -vCenterServer $VIServer
$defaultNsxConnection = $connection
$defaultViServer = $connection.viConnection

# Point to the CSV file generated from the script above !!!
$Import = import-csv C:\Support\Scripts\NSX\NSXReport.csv

# Put the current Virtual Wire you are working on
$virtualwire = "virtualwire-01"
$pathToVMList = $Import | where {($_.LS_ObjectID -eq $virtualwire) -and ($_.VirtualMachine -notlike "vse-*")}

# disconnect VM from Logical Switch (there is a 100 sec timeout)
foreach ($vm in $pathToVMList){
    $VirtualMachineNic = get-vm $VM.VirtualMachine | Get-NetworkAdapter | where {$_.NetworkName -eq $VM.BackingPortGroup}
    DisconnectNic -nic $VirtualMachineNic -WaitTimeout 100
}

3.2.2. Home > Network and Security > NSX Edges > Double Click on the Edge (or Logical Router) > Manage > Settings > Interfaces (take the name of the logical switch) usually vNIC 1 > Select (radio button) > Disconnect > Confirm "Yes" > wait until the pending job finishes.

When disconnecting edges with High Availability configured, remember to also check that HA is not configured on a logical switch. (If the HA configuration is vNic "Any" there is no need to change anything.)

Note: if you have only one connected interface, you should connect another one and then disconnect the original one which should be migrated. After the migration, connect the original one back and delete the temporary one.

4. Move each logical switch from the old segment range to new segment range.

This API needs virtualwire-id and rangeId as inputs which can be taken from the get-NSXinfo report. API payload is empty (on success the status code of the request will be "200 OK"):

PUT https://10.10.10.40/api/2.0/vdn/virtualwires/virtualwire-100/segmentreconfig/<newRangeId>

===

Try this in case of an error: POST https://10.10.10.40/api/2.0/vdn/virtualwires/virtualwire-40/backing?action=remediate

===

5. ONLY for Logical routers:

5.1. POST https://10.10.10.40/api/4.0/edges/{edge-id}?action=vdridreconfig&vdnRangeId=<newRangeId>

Output: 204 (No Content)

6. Go to Home > Network and Security > NSX Edges > Double Click on the Edge > Manage > Settings > Interfaces and then reconnect the interface that was disconnected (wait until the pending job finishes)

7. Redeploy the migrated edge/logical router

8. Check whether the new configuration for each logical router has been pushed to the host with net-vdr: "net-vdr -L -l edge-113 more"

# http://www.enterprisedaddy.com/2018/04/how-to-execute-script-remotely-on-esxi-hosts/
# C:\Support\plink.exe is needed.

# add info
$root = "root"
$Passwd = "  add password here   "
$esxlist = " add servers here", "add servers here"
$edge = "edge-123" # "edge-100"

# work
$cmd = "net-vdr -L -l $edge"
$plink = "echo y | C:\Support\plink.exe"
$remoteCommand = '"' + $cmd + '"'

$outResult = foreach ($esx in $esxlist) {
    Connect-VIServer -Server $esx -User $root -Password $Passwd > $null

    # Write-Host -Object "starting ssh services on $esx"
    $sshstatus = Get-VMHostService -VMHost $esx | Where-Object { $psitem.key -eq "tsm-ssh" }
    if ($sshstatus.Running -eq $False) {
        # start the service object already looked up (Get-VMHostService needs -VMHost)
        $sshstatus | Start-VMHostService
    }

    # Write-Host -Object "Executing Command on $esx"
    # note: the root password is passed to plink on the command line
    $output = $plink + " " + "-batch -ssh" + " " + $root + "@" + $esx + " " + "-pw" + " " + $Passwd + " " + $remoteCommand
    $message = Invoke-Expression -command $output

    [PSCustomObject]@{
        Name = $esx
        # collect every value that follows "Vxlan:" in the net-vdr output
        Vxlan = ([regex]::Matches(($message -join "`n"), 'Vxlan:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }) -join ','
    }

    Disconnect-VIServer -Server $esx -Confirm:$false
}

$outResult

9. Home > Network and Security > Logical Switches > Select each logical switch > Related Objects > Actions > Add VM > Search for the name of the VM > Select the VM > Click the right arrow > Next > Select the appropriate network adapter > Next > Finish

# connect
foreach ($vm in $pathToVMList){
    $VirtualMachineNic = get-vm $VM.VirtualMachine | Get-NetworkAdapter | where {($_.MacAddress -eq $VM.VirtualMachineNICmac) -and ($_.Name -eq $VM.VirtualMachineNICname)}
    Connect-NsxLogicalSwitch -NetworkAdapter $VirtualMachineNic -LogicalSwitch (Get-NsxLogicalSwitch -Name $VM.LS_Name) -WaitTimeout 100
}

10. After all Logical Switches and routers have been migrated, delete the old segment range (on success the status code of the request will be "200 OK"):

DELETE https://10.10.10.40/api/2.0/vdn/config/segments/<oldRangeId>
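
Before sending the DELETE above, it helps to confirm that the new range does not overlap the old one and that no logical switch still holds a segment ID from the old range. The following PowerShell is an added example, not part of KB 57844 or of the original scripts. The XML and CSV rows are constructed sample data in the shape of the GET segments response and of NSXReport.csv (re-exported after step 4), and the function names are hypothetical.

```powershell
# Added example: constructed sample data, not output from a real NSX Manager.
# Body of GET /api/2.0/vdn/config/segments after step 1 (constructed).
[xml]$segmentsXml = @'
<segmentRanges>
  <segmentRange><id>1</id><name>5000-5999</name><begin>5000</begin><end>5999</end></segmentRange>
  <segmentRange><id>2</id><name>DATACENTER</name><begin>10001</begin><end>20000</end></segmentRange>
</segmentRanges>
'@

# Rows in the shape of NSXReport.csv from step I.6, re-exported after step 4 (constructed).
$report = @'
"LS_ObjectID","LS_Name","LS_vdnId","VirtualMachine"
"virtualwire-100","tenant-a-web","10001","web01"
"virtualwire-100","tenant-a-web","10001","web02"
"virtualwire-40","tenant-a-db","5040","db01"
'@ | ConvertFrom-Csv

function Get-SegmentRange {
    # Turn the <segmentRange> elements into objects with integer bounds.
    param([xml]$Xml)
    foreach ($r in $Xml.segmentRanges.segmentRange) {
        [pscustomobject]@{ Id = $r.id; Name = $r.name; First = [int]$r.begin; Last = [int]$r.end }
    }
}

function Test-RangeOverlap {
    # Two inclusive ranges overlap when each one starts before the other ends.
    param($A, $B)
    ($A.First -le $B.Last) -and ($B.First -le $A.Last)
}

function Get-PendingLogicalSwitch {
    # Logical switches whose segment ID (LS_vdnId) still falls inside the old range.
    param($Report, $OldRange)
    $Report |
        Where-Object { [int]$_.LS_vdnId -ge $OldRange.First -and [int]$_.LS_vdnId -le $OldRange.Last } |
        Sort-Object LS_ObjectID -Unique |
        Select-Object LS_ObjectID, LS_Name, LS_vdnId
}

$ranges   = @(Get-SegmentRange -Xml $segmentsXml)
$oldRange = $ranges | Where-Object Id -eq '1'   # <oldRangeId>
$newRange = $ranges | Where-Object Id -eq '2'   # <newRangeId>

if (Test-RangeOverlap $oldRange $newRange) {
    throw "New range $($newRange.Name) overlaps old range $($oldRange.Name)"
}

$pending = @(Get-PendingLogicalSwitch -Report $report -OldRange $oldRange)
if ($pending.Count -gt 0) {
    Write-Warning "Do not delete range $($oldRange.Id) yet: $($pending.Count) logical switch(es) still use it."
    foreach ($ls in $pending) {
        # The step 4 request that is still outstanding for this switch.
        "PUT /api/2.0/vdn/virtualwires/$($ls.LS_ObjectID)/segmentreconfig/$($newRange.Id)"
    }
}
else {
    "No logical switch uses $($oldRange.First)-$($oldRange.Last); range $($oldRange.Id) can be deleted."
}
```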

11. Enable the integration between the vCD and the vCenter: log in to vCD > Manage & Monitor > vCenters > Right click on the vCenter server > Enable

12. Change the cluster DRS from "Manual" to "Fully Automated"

===========================================

Backout plan:

1. Log in to vCD (https://yourowncloud.com): Manage & Monitor > vCenters > Right click on the vCenter server > Disable

2. Log in to https://YOURCLOUDVCR01.local

3. Disconnect Edges, VMs, vNIC from the dvpg (LogicalSwitch) by following the steps below:

3.1. Before any deletion, every logical switch connection should be written down (VMs, Edges):

3.1.1. Home > Network and Security > Logical Switches > take screenshot of Logical Switch ID, Segment ID, Name > Click on the logical switch > Related Objects > take screenshot of Edge tab, VMs tab

3.1.2. Home > Network and Security > Edge Gateways > Click on the Edge (or Logical Router) > Manage > Settings > Interfaces (take a screenshot & write down the information inside the edit menu)

3.1.3. Based on the logical switch ID go to network port group and take a screenshot of the VMs: Home > Networking > portgroup name > VMs

3.2. Remove and disconnect the related objects:

3.2.1. Home > Network and Security > Logical Switches > Select each logical switch > Related Objects > Actions > Remove VM > Select all the VMs in the list > Remove

# DisconnectNic is taken from the PowerNSX module
function DisconnectNic {
    param (
        $nic,
        $WaitTimeout = 90,
        # $Confirm and $FailOnTimeout are used below but were not declared; both default to off.
        [switch]$Confirm,
        [switch]$FailOnTimeout
    )

    #See NSX API guide 'Attach or Detach a Virtual Machine from a Logical Switch' for
    #how to construct NIC id.
    $vmUuid = ($nic.parent | get-view).config.instanceuuid
    $vnicUuid = "$vmUuid.$($nic.id.substring($nic.id.length-3))"

    #Construct XML
    $xmldoc = New-Object System.Xml.XmlDocument
    $xmlroot = $xmldoc.CreateElement("com.vmware.vshield.vsm.inventory.dto.VnicDto")
    $null = $xmldoc.AppendChild($xmlroot)
    Add-XmlElement -xmlRoot $xmlroot -xmlElementName "objectId" -xmlElementText $vnicUuid
    Add-XmlElement -xmlRoot $xmlroot -xmlElementName "vnicUuid" -xmlElementText $vnicUuid
    Add-XmlElement -xmlRoot $xmlroot -xmlElementName "portgroupId" -xmlElementText ""

    #Do the post
    $body = $xmlroot.OuterXml
    $URI = "/api/2.0/vdn/virtualwires/vm/vnic"

    if ( $Confirm ) {
        $message  = "Disconnecting $($nic.Parent.Name)'s network adapter from a logical switch will cause network connectivity loss."
        $question = "Proceed with disconnection?"

        $choices = New-Object Collections.ObjectModel.Collection[Management.Automation.Host.ChoiceDescription]
        $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Yes'))
        $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&No'))

        $decision = $Host.UI.PromptForChoice($message, $question, $choices, 1)
    }
    else { $decision = 0 }

    if ($decision -eq 0) {
        Write-Progress -Activity "Processing" -Status "Disconnecting $vnicuuid from logical switch"
        $response = invoke-nsxwebrequest -method "post" -uri $URI -body $body -connection $connection
        Write-Progress -Activity "Processing" -Status "Disconnecting $vnicuuid from logical switch" -Completed

        $job = [xml]$response.content
        $jobId = $job."com.vmware.vshield.vsm.vdn.dto.ui.ReconfigureVMTaskResultDto".jobId

        Wait-NsxGenericJob -Jobid $JobID -Connection $Connection -WaitTimeout $WaitTimeout -FailOnTimeout:$FailOnTimeout
    }
}

#vCenter Connection and Path to file
$VIServer = "YOURCLOUDVCR01.local"
$connection = Connect-NSXServer -vCenterServer $VIServer
$defaultNsxConnection = $connection
$defaultViServer = $connection.viConnection

# csv file from get-NSXinfo
$Import = import-csv C:\Support\Scripts\NSX\NSXReport.csv

$virtualwire = "virtualwire-60"
$pathToVMList = $Import | where {($_.LS_ObjectID -eq $virtualwire) -and ($_.VirtualMachine -notlike "vse-*")}

# disconnect
foreach ($vm in $pathToVMList){
    $VirtualMachineNic = get-vm $VM.VirtualMachine | Get-NetworkAdapter | where {$_.NetworkName -eq $VM.BackingPortGroup}
    DisconnectNic -nic $VirtualMachineNic -WaitTimeout 100
}

3.2.2. Home > Network and Security > NSX Edges > Double Click on the Edge (or Logical Router) > Manage > Settings > Interfaces (take the name of the logical switch; e.g. dvs.....) usually vNIC 1 > Select (radio button) > Disconnect > Confirm "Yes" > wait until the pending job finishes.

When disconnecting edges with High Availability configured, remember to also check that HA is not configured on a logical switch. (If the HA configuration is vNic "Any" there is no need to change anything.)

4. Move each logical switch from the old segment range to new segment range.

This API needs virtualwire-id and rangeId as inputs which can be taken from the get-NSXinfo report. API payload is empty (on success the status code of the request will be "200 OK"):

PUT https://10.10.10.40/api/2.0/vdn/virtualwires/virtualwire-100/segmentreconfig/<newRangeId>

===

Try this in case of an error: POST https://10.10.10.40/api/2.0/vdn/virtualwires/virtualwire-40/backing?action=remediate

===

5. ONLY for Logical routers:

5.1. POST https://10.10.10.40/api/4.0/edges/{edge-id}?action=vdridreconfig&vdnRangeId=<newRangeId>

6. Go to Home > Network and Security > NSX Edges > Double Click on the Edge > Manage > Settings > Interfaces and then reconnect the interface that was disconnected (wait until the pending job finishes)

7. Redeploy the migrated edge/logical router

8. Check whether the new configuration for each logical router has been pushed to the host: "net-vdr -L -l edge-113 more"

# http://www.enterprisedaddy.com/2018/04/how-to-execute-script-remotely-on-esxi-hosts/
# C:\Support\plink.exe is needed.

# add info
$root = "root"
$Passwd = "  add password here   "
$esxlist = " add servers here", "add servers here"
$edge = "edge-123" # "edge-117"

# work
$cmd = "net-vdr -L -l $edge"
$plink = "echo y | C:\Support\plink.exe"
$remoteCommand = '"' + $cmd + '"'

$outResult = foreach ($esx in $esxlist) {
    Connect-VIServer -Server $esx -User $root -Password $Passwd > $null

    # Write-Host -Object "starting ssh services on $esx"
    $sshstatus = Get-VMHostService -VMHost $esx | Where-Object { $psitem.key -eq "tsm-ssh" }
    if ($sshstatus.Running -eq $False) {
        # start the service object already looked up (Get-VMHostService needs -VMHost)
        $sshstatus | Start-VMHostService
    }

    # Write-Host -Object "Executing Command on $esx"
    # note: the root password is passed to plink on the command line
    $output = $plink + " " + "-batch -ssh" + " " + $root + "@" + $esx + " " + "-pw" + " " + $Passwd + " " + $remoteCommand
    $message = Invoke-Expression -command $output

    [PSCustomObject]@{
        Name = $esx
        # collect every value that follows "Vxlan:" in the net-vdr output
        Vxlan = ([regex]::Matches(($message -join "`n"), 'Vxlan:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }) -join ','
    }

    Disconnect-VIServer -Server $esx -Confirm:$false
}

$outResult

9. Home > Network and Security > Logical Switches > Select each logical switch > Related Objects > Actions > Add VM > Search for the name of the VM > Select the VM > Click the right arrow > Next > Select the appropriate network adapter > Next > Finish

# connect
foreach ($vm in $pathToVMList){
    $VirtualMachineNic = get-vm $VM.VirtualMachine | Get-NetworkAdapter | where {($_.MacAddress -eq $VM.VirtualMachineNICmac) -and ($_.Name -eq $VM.VirtualMachineNICname)}
    Connect-NsxLogicalSwitch -NetworkAdapter $VirtualMachineNic -LogicalSwitch (Get-NsxLogicalSwitch -Name $VM.LS_Name) -WaitTimeout 100
}

10. Enable the integration between the vCD and the vCenter: log in to vCD > Manage & Monitor > vCenters > Right click on the vCenter server > Enable

11. Change the cluster DRS from "Manual" to "Fully Automated"

===========================================

Impact:

During the migration for each logical switch there will be a short (5-10 minutes) disconnection of the networking for all Edges, Logical Routers and VMs. All related networks which are in the current Logical Segment Pool will lose connection to the migrated logical switch which is in the new Segment ID Pool.

VMs and Edges: this is equivalent to unplugging the network cable from a physical server.

===========================================

Test Details:

1. Log in to https://YOURCLOUDVCR01.local

2. Go to Network & Security

3. Check the status of the Logical Switch (Logical Switches section)

4. Check the status of the Edges connected to the logical switch (Edge section)

5. Based on the information extracted before the change, check the status of the VMs connected to the Logical switch

6. Check the options are in place after refreshing the vSphere Web Client.

7. Go to vCD: https://yourowncloud.com and check the status of the Orgs

8. Go to vCD and check the logs under System

9. Go to vCD: check Stranded Items, Switches & Port Groups, Storage Policies, Datastores, Hosts, Resource Pools, vCenters, Network Pools, External Networks, Edge Gateways, Organization VDCs, Provider VDCs, Cloud Cells, Organizations

10. Check if there are errors/warnings on cluster level for the tenant which was migrated

11. Check each host which is part of the tenant cluster if there are errors in: /var/log/vmkernel.log (Use Log Insight)

12. Manually move several VMs in the vCenter server and check if there are warnings/errors in the tenant cluster

13. Wait for DRS to automatically move some VMs from one host to another and check for warnings/errors in the tenant cluster

14. Check again the status of the VMs and the Edges inside the vCD

Version history: Revision 1 of 1. Last update: 03-05-2020 02:15 AM