VMware Networking Community
oliverlis
Contributor

NSX-T with VLAN Segments only and a virtual port channel on the switch

Hey there,

I'm currently at a deployment where only VLAN Segments are going to be leveraged, as only the DFW should be used, which so far isn't a problem.

NSX-T 3.0 is currently deployed, because it seems Cisco ACI in version 5.1 only has this version on its support matrix.

Create the Manager, create the VLAN TZ, ESXi Uplink Profile, Transport Node Profile, attach it to the cluster/vDS and voilà.

But it seems that the customer has a vPC configured on both Cisco switches, whereas the vDS doesn't use LACP and therefore is just handing out its traffic over both uplinks/vmnics.

Now when a test VM is attached to the NSX-T VLAN Segment, only some pings will go through, whereas a "simple" Portgroup with the same VLAN on the same vDS works without any problems.

By going over the design documentation:
NSX with Cisco 9k (Page 6)
https://communities.vmware.com/t5/VMware-NSX-Documents/Reference-Design-Deploying-NSX-with-Cisco-UCS...

This discussion:
https://communities.vmware.com/t5/VMware-NSX-Discussions/NSX-Edge-Cluster-VTEP-Load-Balancing-and-Fa...

This VMware NSX on Cisco 7k design document (Page 6):
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-nsx-on-cisco-n...

From what I've read so far, most topics within that documentation keep overlay networks and Edge VMs in mind, but when you don't need overlay networks and routing, what should be configured if a vPC is used by the switch?

Create a LACP LAG on the DVS so that only one uplink is used (as an analogy to the single-vTEP design)? Or will it be necessary to remove the vPC on the port channel?

The Host Uplink Profile which I've created is using Load Balance Source with uplink1 and uplink2 both configured as active, but getting pings through seems to be kind of lucky, as some are getting through in the beginning but afterwards they won't.
It only works again if I remove uplink1 from the Host Uplink Profile so that only uplink2 is available, and from what I see, since the gateway is still pingable at least for a few seconds, NSX-wise it should be good.

But since a normal vDS Portgroup with the same VLAN ID doesn't show the behavior, NSX is now the culprit. I would love to hear your input as to what my next steps should be.
What I definitely want to do is use pktcap-uw to show that traffic from the VLAN segment is getting out of the physical NIC.

But what would be a good design, or rather configuration, decision which doesn't keep Edges and routing in mind and only leverages VLAN Segments for simple usage of the DFW after moving from NSX-V?

Best regards and many thanks,

Oliver

Accepted Solutions
ShahabKhan
VMware Employee

Did you try creating a LAG in the Host Transport Node uplink profile? You can refer to the following document for the same.

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-50FDFDFB-F660-4269-9503-39...

7 Replies
ShahabKhan
VMware Employee

Hi Oliver,

What is the load balancing you are using for the Host uplink profile and on the vDS?

oliverlis
Contributor

Hi ShahabKhan,

The Host Uplink Profile has Load Balance Source and the vDS has Route based on IP Hash, which seems to be the culprit.

As far as I know there is no way to leverage Route based on IP Hash within NSX-T, because we specifically want to control over which vmnic/uplink the traffic goes, right?

ShahabKhan
VMware Employee

Yes. Try changing it to Route Based on Originating Port just for a single port group and test.

oliverlis
Contributor

Yeah, within the vDS we did create a Port Group with Route Based on Originating Port and saw the same behavior the VLAN Segments have.

Now I'm in search of a document that says NSX-T won't work / isn't supported with IP Hash, so that the customer has something "official" to talk about changes within his infrastructure.

Sreec
VMware Employee

What is the hardware make and model of the ESXi nodes? Have you tested with a single pNIC mapping? Are you using updated drivers and firmware?

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
oliverlis
Contributor

In the end it was the Route based on IP Hash part without leveraging LACP. With the LAG, we now got it working. Thanks again!
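As an added example that is not code from this thread or from VMware, the following PowerCLI audit looks for the combination Oliver ended up chasing: distributed port groups teamed with Route based on IP hash on a vDS that has no LACP LAG configured, which is the vDS-side mismatch against a switch-side vPC/port channel. It assumes an existing PowerCLI session (`Connect-VIServer` already run); the function and parameter names are my own choice.

```powershell
# Added example, not from the thread: audit distributed port groups that use
# "Route based on IP hash" teaming and report whether the parent vDS actually
# has an LACP LAG configured. IP hash without a LAG, facing a switch-side vPC,
# is the combination that caused the intermittent ping loss in this thread.
# Assumes Connect-VIServer has already been run in this PowerCLI session.
# Function and parameter names are my own (hypothetical) choice.

function Get-IpHashTeamingAudit {
    param(
        [string]$VDSwitchName = '*'   # default: every vDS in the connected vCenter
    )

    foreach ($vds in Get-VDSwitch -Name $VDSwitchName) {
        # LACP groups are stored in the vDS config; an empty list means no LAG exists
        $lags   = @($vds.ExtensionData.Config.LacpGroupConfig | Where-Object { $_ })
        $hasLag = $lags.Count -gt 0

        foreach ($pg in Get-VDPortgroup -VDSwitch $vds) {
            # Skip the uplink port group itself; only VM-facing port groups matter here
            if ($pg.ExtensionData.Config.Uplink) { continue }

            $policy = Get-VDUplinkTeamingPolicy -VDPortgroup $pg
            if ($policy.LoadBalancingPolicy -ne 'LoadBalanceIP') { continue }

            if ($hasLag) {
                $finding = 'IP hash with LACP LAG present'
            } else {
                $finding = 'IP hash without LACP LAG - mismatch with an upstream vPC/port channel'
            }

            [pscustomobject]@{
                VDSwitch      = $vds.Name
                Portgroup     = $pg.Name
                LoadBalancing = $policy.LoadBalancingPolicy
                ActiveUplinks = ($policy.ActiveUplinkPort -join ',')
                LagNames      = ($lags | ForEach-Object { $_.Name }) -join ','
                Finding       = $finding
            }
        }
    }
}

# Run against all switches and print one row per IP-hash port group
Get-IpHashTeamingAudit | Format-Table -AutoSize
```

This covers only the vDS side. As the thread notes, an NSX-T VLAN segment takes its teaming from the NSX uplink profile rather than from a vDS port group, so the NSX side has to be checked in the uplink profile (where the LAG from the linked installation document is defined).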