VMware Networking Community
MihirP
Enthusiast

IPs to be used for NSX deployment

Hello,

I am implementing NSX for various solutions like vCloud and vRA. But what I am confused about and not understanding is basically which IPs should be assigned in an NSX deployment.

To be more precise, I have seen many videos and articles on NSX, but everywhere the example given uses the IP ranges below:

WebTier, DBTier, AppTier > Uses IP from 172.x.x.x

NSX Logical router interfaces > 192.168.x.x

But I want to use NSX in our production environment.

So I need to know which IPs should be used for the Logical Router interfaces and the VMs behind this NSX?

> Routable IPs or Non-routable IPs

> If Non-routable IPs are used

   Then do I have to use NAT? If NAT is used, then how will NATing happen in the case of vRA or vCloud consumer VMs where these VMs are deployed on demand, because while configuring NAT, if I am not wrong, then 1:1 mapping of VM IPs needs to be done.

> If Routable IPs are used

   Then can the VMs behind NSX and the Logical Router Interfaces be assigned routable IPs (VLAN based)?

I am really confused, especially on how this IP assignment needs to be done in NSX. Please guide.

Please do not reply that it is the basics of NSX and to see videos. I have gone through them and am not able to understand. So the expectation is to make me understand with specific examples which will clear my doubt.

Thanks.

Sreec
VMware Employee

As far as the IP scheme for your workloads, this is something you have to decide, and it is better to isolate these subnets from the subnets below, which are ideally required for the vSphere & NSX setup:

1) ESXi Management

2) VM Management

3) VXLAN Transport

4) vMotion and IP SAN (Optional)

5) Transit VLAN based on tenant design

> Routable IPs or Non-routable IPs

> If Non-routable IPs are used

   Then do I have to use NAT? If NAT is used, then how will NATing happen in the case of vRA or vCloud consumer VMs where these VMs are deployed on demand, because while configuring NAT, if I am not wrong, then 1:1 mapping of VM IPs needs to be done.

You can do 1:Many NAT (PAT) as well, there is no hard rule.

> If Routable IPs are used

  Then can the VMs behind NSX and the Logical Router Interfaces be assigned routable IPs (VLAN based)?

Yes, just private subnets are enough (no need for VLANs; it is better to go with the VXLAN stack).

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

MihirP
Enthusiast

Taking the scenarios below:

Scenario 1: VMs which already exist need to be used in NSX

1) Use NAT

2) Use Non-routable IPs i.e. Private subnets;

     (a) For VMs behind NSX, where the VM's Default Gateway needs to be changed to the IP of the Logical Router's Internal Interface ??

     (b) For all the interfaces of the relevant Logical Router except the Uplink Interface of Edge Gateway ??


If the answer to the above is YES, then I have understood the existing VMs part.

Scenario 2: On demand VMs, like VMs created by end user in vCloud director in Consumer Cluster

1) Use Non-routable IPs, i.e. Private subnets on all relevant Logical Router interfaces except Uplink Interface of Edge Gateway

2) But now, how to use NAT in this case, as VMs will be created on demand.

     (a) e.g. One user logs into vCloud and creates a VM. This VM gets a private subnet IP from the pool, say 172.20.10.1. Here, how will the Routable VLAN IP be NATed, and how will the user know that NATed IP?

I hope I am able to clarify my doubt.

Sreec
VMware Employee

1) Use NAT

2) Use Non-routable IPs i.e. Private subnets;

     (a) For VMs behind NSX, where the VM's Default Gateway needs to be changed to the IP of the Logical Router's Internal Interface ??

Yes, if you want to optimize E-W routing, the preferred option is to configure the GW on the DLR.

    (b) For all the interfaces of the relevant Logical Router except the Uplink Interface of Edge Gateway ??

I'm sorry, can you please explain what you are trying to convey/achieve with the above statement?

If the answer to the above is YES, then I have understood the existing VMs part.

Scenario 2: On demand VMs, like VMs created by end user in vCloud director in Consumer Cluster

1) Use Non-routable IPs, i.e. Private subnets on all relevant Logical Router interfaces except Uplink Interface of Edge Gateway

2) But now, how to use NAT in this case, as VMs will be created on demand.

     (a) e.g. One user logs into vCloud and creates a VM. This VM gets a private subnet IP from the pool, say 172.20.10.1. Here, how will the Routable VLAN IP be NATed, and how will the user know that NATed IP?

Eventually these VMs should be connected to one of the VCD network types which we both know. So assuming you have one such network available, you could configure NAT/Routing in advance with the required firewall rules, so that irrespective of VM creation/deletion the connectivity configurations are in place, and that makes a seamless experience for the end user.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

MihirP
Enthusiast

Ah ok, I guess now I got it. Let me know if my below understanding is true;

For Existing VMs:

1) Decide the Private subnets that need to be applied to the VMs behind NSX and the NSX DLR

2) Apply Private IPs to the VMs behind NSX

3) Apply Private IPs to all interfaces of DLR

4) Make the Default Gateway of all VMs that are behind NSX as the next hop IP of NSX DLR

5) Apply VLAN IP to External Interface of Edge Gateway

6) Configure NAT to allow mapping of Private to Routable VLAN IPs

For On-Demand VMs, like in vCloud that are created by end users:

1) Decide the Private subnets that need to be applied to the VMs behind NSX and the NSX DLR

2) Apply Private IPs to the VMs behind NSX >>>>>> This step is not applicable as the VMs do not exist <<<<<<<

3) Apply Private IPs to all interfaces of DLR

4) Make the Default Gateway of all VMs that are behind NSX as the next hop IP of NSX DLR

5) Apply VLAN IP to External Interface of Edge Gateway

6) Configure NAT in advance to allow mapping of Private to Routable VLAN IPs, as here we have the list of IPs that will be used for vCloud consumer VMs and the list of Routable VLAN IPs

If above is True, then now only 1 question:

> When end user creates VM on demand how will they know which is the Routable VLAN IP which is mapped to the Private IP of that VM ?


Sreec
VMware Employee

1) Decide the Private subnets that need to be applied to the VMs behind NSX and the NSX DLR

2) Apply Private IPs to the VMs behind NSX

3) Apply Private IPs to all interfaces of DLR

4) Make the Default Gateway of all VMs that are behind NSX as the next hop IP of NSX DLR

5) Apply VLAN IP to External Interface of Edge Gateway

6) Configure NAT to allow mapping of Private to Routable VLAN IPs

Yes, the above understanding is correct.

For On-Demand VMs, like in vCloud that are created by end users:

1) Decide the Private subnets that need to be applied to the VMs behind NSX and the NSX DLR

2) Apply Private IPs to the VMs behind NSX >>>>>> This step is not applicable as the VMs do not exist <<<<<<<

3) Apply Private IPs to all interfaces of DLR

4) Make the Default Gateway of all VMs that are behind NSX as the next hop IP of NSX DLR

5) Apply VLAN IP to External Interface of Edge Gateway

6) Configure NAT in advance to allow mapping of Private to Routable VLAN IPs, as here we have the list of IPs that will be used for vCloud consumer VMs and the list of Routable VLAN IPs

I would request you to revisit the topics that I shared in VxLAN - Use of Scoped vs VLAN subnets, specifically "Scope" different subnets for the DLR (internal & uplink interface) and the ESG (only internal interface). The way DLR interface and IP plumbing is done is a bit different in VCD.

If above is True, then now only 1 question:

> When end user creates VM on demand how will they know which is the Routable VLAN IP which is mapped to the Private IP of that VM ?

This totally depends upon how you have designed the VCD portal and what is exposed to the end user. Let's assume the end user can log in to their respective tenant portal; they could see their VM, with Internal & External IP mapping information, etc. If you have a custom portal running on top of VCD, ideally the underlying VCD mapping will be hidden; it would be the external IP (IP masquerading possible) information along with the virtual machine information which will be populated over there.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
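The address plan agreed in this thread (RFC 1918 subnets on the workloads and DLR interfaces, kept apart from the ESXi/VM management, VXLAN transport, vMotion and transit subnets; a routable VLAN IP on the ESG uplink; NAT mapped in advance for the on-demand pool) can be checked mechanically before anything is configured. The script below is an added example written for this thread, not code from VMware, NSX or vCloud Director, and every address in it is a constructed sample: `INFRA_SUBNETS`, `WORKLOAD_SUBNETS`, `DLR_INTERFACES`, `ESG_UPLINK_IP`, `ROUTABLE_NAT_POOL` and `ONDEMAND_PRIVATE_POOL` are hypothetical values chosen for illustration. It covers both the subnet-isolation advice from the first reply and the pre-provisioned 1:1 NAT (or 1:many PAT) from this one.

```python
import ipaddress

# RFC 1918 ranges. ipaddress's is_private is deliberately not used here: it also
# returns True for documentation ranges such as 203.0.113.0/24, which stands in
# for the routable VLAN below, so it would hide a planning mistake.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan (illustrative values only, not from the thread).
INFRA_SUBNETS = {
    "esxi_mgmt": "10.0.1.0/24",
    "vm_mgmt": "10.0.2.0/24",
    "vxlan_transport": "10.0.3.0/24",
    "vmotion": "10.0.4.0/24",
    "transit_vlan": "10.0.5.0/24",
}
WORKLOAD_SUBNETS = {"web": "172.20.10.0/24", "app": "172.20.20.0/24", "db": "172.20.30.0/24"}
# DLR internal interface per workload subnet; the VMs use it as default gateway.
DLR_INTERFACES = {"web": "172.20.10.1", "app": "172.20.20.1", "db": "172.20.30.1"}
ESG_UPLINK_IP = "203.0.113.2"            # routable VLAN IP on the ESG uplink
ROUTABLE_NAT_POOL = "203.0.113.64/29"    # routable addresses reserved for NAT
ONDEMAND_PRIVATE_POOL = "172.20.40.16/28"  # private pool handed to on-demand VMs


def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)


def check_workload_subnets(infra, workloads):
    """Workload subnets must be RFC 1918 and must not overlap the infrastructure
    subnets or each other. Returns a list of human-readable problems."""
    problems = []
    infra_nets = {k: ipaddress.ip_network(v) for k, v in infra.items()}
    work_nets = {k: ipaddress.ip_network(v) for k, v in workloads.items()}
    for name, net in work_nets.items():
        if not is_rfc1918(net):
            problems.append(f"{name}: {net} is not an RFC 1918 subnet")
        for iname, inet in infra_nets.items():
            if net.overlaps(inet):
                problems.append(f"{name}: {net} overlaps {iname} {inet}")
    names = list(work_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if work_nets[a].overlaps(work_nets[b]):
                problems.append(f"{a}: {work_nets[a]} overlaps {b} {work_nets[b]}")
    return problems


def check_gateways(workloads, dlr_interfaces):
    """Each DLR interface (the VMs' default gateway) must be a host address
    inside its own subnet."""
    problems = []
    for name, subnet in workloads.items():
        net = ipaddress.ip_network(subnet)
        gw = dlr_interfaces.get(name)
        if gw is None:
            problems.append(f"{name}: no DLR interface defined")
            continue
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in net or gw_ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: gateway {gw} is not a host address in {net}")
    return problems


def check_routable(uplink_ip, nat_pool):
    """The ESG uplink and the NAT pool must be routable, i.e. not RFC 1918."""
    problems = []
    if is_rfc1918(ipaddress.ip_network(uplink_ip)):
        problems.append(f"ESG uplink {uplink_ip} is RFC 1918, not routable")
    if is_rfc1918(ipaddress.ip_network(nat_pool)):
        problems.append(f"NAT pool {nat_pool} is RFC 1918, not routable")
    return problems


def build_static_nat(private_pool, routable_pool):
    """Pre-provision 1:1 NAT: every private address an on-demand VM can receive
    is paired with a fixed routable address before the VM exists. Returns the
    (private, routable) pairs and the private addresses left without a mapping."""
    priv = list(ipaddress.ip_network(private_pool).hosts())
    pub = list(ipaddress.ip_network(routable_pool).hosts())
    pairs = [(str(p), str(r)) for p, r in zip(priv, pub)]
    leftover = [str(p) for p in priv[len(pub):]]
    return pairs, leftover


def build_pat_rule(private_subnet, routable_ip):
    """1:many NAT (PAT): a whole private subnet egresses via one routable address."""
    return {
        "type": "SNAT",
        "original_source": str(ipaddress.ip_network(private_subnet)),
        "translated_source": str(ipaddress.ip_address(routable_ip)),
    }


if __name__ == "__main__":
    problems = (check_workload_subnets(INFRA_SUBNETS, WORKLOAD_SUBNETS)
                + check_gateways(WORKLOAD_SUBNETS, DLR_INTERFACES)
                + check_routable(ESG_UPLINK_IP, ROUTABLE_NAT_POOL))
    print("plan problems:", problems or "none")
    pairs, leftover = build_static_nat(ONDEMAND_PRIVATE_POOL, ROUTABLE_NAT_POOL)
    for private, public in pairs:
        print(f"DNAT/SNAT {public} <-> {private}")
    print("private addresses without a routable mapping:", leftover)
    print("PAT fallback for the web tier:", build_pat_rule(WORKLOAD_SUBNETS["web"], ESG_UPLINK_IP))
```

The leftover list from `build_static_nat` is the number that matters for the on-demand case: with a /28 private pool and a /29 routable pool, eight of the fourteen private addresses have no 1:1 mapping, so either the routable pool grows or those VMs fall back to the PAT rule, and the tenant portal can only show an external IP for addresses that appear in the pairs.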

MihirP
Enthusiast

Thank you very much for making me understand this. I will configure it and maybe post a question again if required.
