VMware Networking Community
mikew123
Contributor

NSX and vMSC

Hello,

I read the document "Multi-site Options and cross-VC NSX design guide". On page 15, it says the following:

It’s also possible to deploy an active-active Egress solution using universal objects with the Local Egress feature; in this case only static routing is supported. In both cases active workloads can reside at both sites. The active/passive model is preferred for simplicity and to avoid asymmetric traffic flows. The ESGs at a single site can also be deployed in HA mode if stateful services are required.

So, the "active/passive" model is recommended for vMSC. But that means only one site can be used for south-north traffic. The external network of the other site is in standby mode. Access to the applications on the other site needs to go through the interconnect between the two data centers. Is that true?

Thanks

Mike

4 Replies
bayupw
Leadership

Hi Mike, access to applications is north-south traffic (ingress traffic), e.g. from the WAN to the data centre, and is typically handled in the physical network outside of NSX.

It depends on the physical network, but if a particular network is advertised on the active site, then the traffic would come from the active site.

If there are some applications running on the passive site that need to be accessed, the traffic would come from the active site and then traverse the data centre interconnect to reach the applications in the passive site.

These two blog posts may be useful for you:

Elver's Opinion: DC Ingress Traffic with Stretched Layer 2

http://networkinferno.net/ingress-optimisation-with-nsx-for-vsphere

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
mikew123
Contributor

Thank you. The two posts are very helpful.

After reading the first post, I understand that the ingress traffic issue is not specific to NSX configuration. A physical stretched L2 network has the same issue too.

So, I have one more question. I believe something needs to be done after a failover:

For a physical stretched L2 network, after a site failover, we need to advertise the same subnet on the DR site at least. Who will do this? Does the administrator do it manually, or is there an automatic way?

For an NSX virtual network, after a site failover, we need to: (1) bring up the passive ESG on the DR site; (2) advertise the same subnet on the DR site. Again, will this be handled by NSX automatically, or does the administrator need to be involved?

Thanks

Mike

bayupw
Leadership

Hi Mike,

For an active/passive setup, you can leverage dynamic routing (OSPF or BGP) to handle the route advertisement.

You can pre-create the Edges, have the Control VM peer with both the active and passive Edges on the two sites, and use dynamic routing weight to handle the failover automatically.

Below is the diagram

[Image: pastedImage_0.png]

Or you can use vSphere HA in vMSC and just deploy Edges at the active site, and use vSphere HA to fail over the Edges to the other site, as shown in the diagram below.

[Image: pastedImage_0.png]

This is also covered in the NSX-V Multi-site Options and Cross-VC NSX Design Guide, page 125.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
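
As an added illustration (not part of the original post and not VMware code): a toy Python model of the active/passive design described above, checking that egress and ingress stay on the same site before and after a failover. It assumes the higher BGP weight wins on the Control VM and that the physical network prefers the site advertising fewer AS-path prepends; the `Edge` class, weights and prepend counts are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Edge:
    site: str
    weight: int      # weight the Control VM gives this neighbour (constructed value)
    prepend: int     # AS-path prepends this site uses toward the WAN (constructed value)
    up: bool = True

def egress_site(edges):
    """Control VM side: the live neighbour with the highest weight carries egress."""
    live = [e for e in edges if e.up]
    return max(live, key=lambda e: e.weight).site if live else None

def ingress_site(edges):
    """WAN side: the live site advertising the shortest AS path attracts ingress."""
    live = [e for e in edges if e.up]
    return min(live, key=lambda e: e.prepend).site if live else None

def flow_report(edges):
    """Return (egress, ingress, symmetric) for the current Edge states."""
    out, inn = egress_site(edges), ingress_site(edges)
    return out, inn, out is not None and out == inn

def scenarios():
    # Site A is active: preferred for egress (weight) and for ingress (no prepends).
    aligned = [Edge("A", 120, 0), Edge("B", 60, 3)]
    normal = flow_report(aligned)
    aligned[0].up = False            # the site A Edge is lost
    failed_over = flow_report(aligned)
    # Egress prefers A, but the physical network was left preferring B.
    misaligned = flow_report([Edge("A", 120, 3), Edge("B", 60, 0)])
    return {"normal": normal, "site_A_down": failed_over, "misaligned": misaligned}

if __name__ == "__main__":
    for name, (out, inn, sym) in scenarios().items():
        print(f"{name:12} egress={out} ingress={inn} symmetric={sym}")
```

The `misaligned` case is the asymmetric flow the design guide's active/passive recommendation is meant to avoid: traffic leaves through one site's Edge and returns through the other's.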
tanurkov
Enthusiast

The main reason for the recommendation is that NSX had a bad "bug" which was not dealing with ingress and egress traffic correctly.

And the documentation says that you can use it, but what is hidden is that in some scenarios traffic will be dropped.

And second, of course, the physical environment needs to be set up according to NSX to support active/active, e.g. with BGP local pref or prepending solutions.

Regards Dmitri
