Thank you in advance.
I am upgrading our vCenter environment and vShield etc. This platform hosts a lot of servers with multiple production networks with segmentation so I need to be careful. We are also multi-tenant so security and isolation are important and gaining overlay will help with overlapping subnets.
I created a new vCenter with 3 clusters.
1 - LAB
1 - Management / Edge
1 - Compute
I have created and running most of the servers in the new environment, except the web servers that need a load balancer. I have a number of L3 subnets including a management subnet that contains vCenter and NSX and the controllers etc.. I need to create an edge gateway so I can create the load balancer. It seems like I need to also have logical switches and routers to make this all work. Most of my subnets are protected by VLANS and their gateway to egress the subnet is a virtual firewall, not a L3 switch interface.
I have this successfully completed.
NSX Controller nodes
Host preparation for one cluster (lab)
It seems like I need to config the VXLAN. When I config it, the system asks for a VLAN. Should I use my management VLAN or create a new one just for VXLAN or what?? It also asks for an IP Pool and a gateway, DNS etc.. Based on that it seems easiest to create it on my management VLAN as that has the rest of the VM infrastructure and can access my DNS servers and so on. But I am not sure that is correct or if it just needs to be an isolated L2/L3 subnet and no need to route out anywhere.
I hope that makes sense?
I think once I get that figured out I can move on and create Edge and Router and switches and transport. I am just working through the installation and upgrade screen a section at a time and it seems I am stuck until I get VXLAN done.
For production design you certainly should have unique subnet and VLAN which will help you to isolate different traffic types and most importantly if there are any network migrations down-the line it will ease the migration activity as we can do it in phases. Please do go through the design guides-https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmw-nsx-network-virtu... (page 103)
Assuming this is NSX-v and not NSX-T:
You should use separate dedicated Vlan/Subnet for VTEP.
No need to have it routed to outside, its internal.
If your use case is only micro segmentation and LB, then you can also design your network without VXLAN, no need to prepare hosts with VXLAN.
Preparing hosts with VXLAN is only required if you want to use distributed routing feature with GW of all networks in NSX and not virtual FW.
First of all you need to plan your workload subnets and create for each subnet a logical switch with segment ID in the NSX and all this will be routed by the logical routers you will create in the NSX. Second you will design or adjust physical VLANs for the management, the VTEP and the Edges uplinks. And better to segregate the traffic first the VTEP in isolated VLAN, second the uplink gateway on different VLAN that linked with the physical core switch /routers and the management in third VLAN.
If you want to create it in the same Management VLAN this will not affect the functionality but it's better from the security and performance(in case of separate NIC) point of view.
I hope this answer your question and i hope that this become answer or helpful comment for you. also, for More details and more information just follow my blog http://www.syncgates.com.