VMware Networking Community
Joey2008
Contributor

how to configure DLR and ESG management network

1. DLR: From the VMware NSX class example, the DLR has one interface facing the transit (uplink) Logical Switch and three LS (internal) interfaces to web, app and DB, so where can I configure direct management access? (Let's say the same management network as the NSX Manager/ESX hosts.) I also tried to access all four LS interfaces over SSH; they won't allow me access.

2. ESG: From the VMware NSX class example, the ESG has one interface facing the external uplink and one interface facing transit (downlink). I am able to SSH in from the uplink IP, but that is meant for production, not for management. When configuring the ESG, if we choose HA mode, I get a chance to configure a management IP, but it never gives me a chance to choose the network/portgroup it will connect to. So how do I configure management access to it? As with the DLR, I want to access it on the same network as the NSX Manager/ESX hosts.

Thank you very much!

Joey2008


Accepted Solutions
DominicFoley
VMware Employee

For an ESG you can create another uplink that connects to your management port group. This is no problem, as uplinks from ESGs often connect to VLAN-backed port groups, which your management network will be on. You would have to look carefully at your routing: if your second uplink, which is for production traffic, is doing BGP or OSPF, you probably want to filter out advertising the management network, as it will in all likelihood already be advertised by the physical network.

Now a dLR is a different matter. You don't want to add an uplink which connects to your management network, as this will be a VLAN-backed portgroup (not VXLAN). The problem you have with VLAN LIFs on a dLR is to do with designated instances, ARP and failover. It is strongly recommended not to add an interface to a dLR which is VLAN-backed, only VXLAN.

This means you have a VXLAN uplink on your dLR. If you are doing static routing, then you can SSH into this uplink address; if you are doing dynamic routing, then you will need to SSH into the protocol address which you configure. Of course, you will need to route between your management network and your dLR transit network for this to work. Don't forget, you also have the edge firewall, which can be enabled on ESGs and dLRs (but not ESGs in ECMP mode) to allow SSH access from specific sources.

If this has helped, please mark as correct.

Rgds

Dominic

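As an added illustration of the two cautions in this answer (not code from the thread or from VMware), here is a small Python model of an ESG with a management uplink: it checks whether the redistribution rules would leak the management prefix into BGP/OSPF, and whether the edge firewall would accept SSH only from the management subnet. The rule semantics (ordered, first match wins, implicit deny) and all addresses are assumptions.

```python
import ipaddress

# Constructed sample ESG configuration, not taken from the thread: a production
# uplink that peers over BGP plus a second uplink on the VLAN-backed management
# port group.
ESG_INTERFACES = [
    {"name": "uplink-prod", "subnet": "203.0.113.0/29"},
    {"name": "uplink-mgmt", "subnet": "10.10.0.0/24"},
    {"name": "transit", "subnet": "172.16.1.0/29"},
]
MGMT_PREFIX = "10.10.0.0/24"

# Redistribution rules as modelled here (assumptions: evaluated in order, first
# match wins, a prefix of None means "any", and a connected network with no
# matching permit rule is not injected into the routing protocol).
LEAKY_RULES = [{"prefix": None, "action": "permit"}]
SAFE_RULES = [
    {"prefix": "10.10.0.0/24", "action": "deny"},  # hold back the management net
    {"prefix": None, "action": "permit"},           # everything else may go out
]

def redistributed_connected(interfaces, rules):
    """Return the connected subnets that the rule set would advertise."""
    advertised = []
    for intf in interfaces:
        net = ipaddress.ip_network(intf["subnet"])
        for rule in rules:
            if rule["prefix"] is None or net.subnet_of(ipaddress.ip_network(rule["prefix"])):
                if rule["action"] == "permit":
                    advertised.append(str(net))
                break  # first matching rule decides
    return advertised

def management_leaks(interfaces, rules, mgmt_prefix=MGMT_PREFIX):
    """True if any advertised connected subnet overlaps the management network."""
    mgmt = ipaddress.ip_network(mgmt_prefix)
    return any(ipaddress.ip_network(n).overlaps(mgmt)
               for n in redistributed_connected(interfaces, rules))

# Edge firewall rules for SSH to the edge itself: ordered, first match wins,
# implicit deny (assumption). Only the management subnet is accepted.
SSH_RULES = [{"source": "10.10.0.0/24", "port": 22, "action": "accept"}]

def ssh_permitted(fw_rules, src_ip, port=22):
    """Check whether an inbound SSH connection from src_ip would be accepted."""
    src = ipaddress.ip_address(src_ip)
    for rule in fw_rules:
        if rule["port"] == port and src in ipaddress.ip_network(rule["source"]):
            return rule["action"] == "accept"
    return False
```

With the permit-any rule set the management prefix leaks; with the deny rule placed first it does not, and SSH from the production uplink side is refused.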
6 Replies
rajeevsrikant
Expert

One way to achieve this is by creating an interface and connecting it to the management network port group.

Assign the same port group that your vCenter and NSX Managers are connected to. Assign the IP address from the same network range as vCenter and NSX Manager.

Once you do this, you will be able to SSH to the NSX Edge Gateway using the IP address you assigned from the management segment.

I hope this is what you expected?

Joey2008
Contributor

Thanks. For ESG it is doable, but not for DLR.

Joey2008
Contributor

Thanks.

ESG: I can create an interface and connect it to a management portgroup; yes, I can access it that way. The HA IPs seem to be for the edge itself, not for my access.

DLR: You are so right on this one; it has to be the protocol IP. I kept trying the uplink IP and internal IPs... And the access has to be from the uplink side instead of from inside!

I wish VMware would just add a management interface by default; much easier!

moderatelo
Contributor

In NSX, the DLR has both a data plane and a control plane built in.

The data plane address is called the "Forwarding IP" (you specify it when you configure routing); usually it is your first available IP.

Then for the control plane you configure the "Control VM IP" (you also specify it when you configure routing). That is what is used to log in to the DLR. Yes, it is not a dedicated management subnet, but by design that is your control plane. You are supposed to build your control plane in a separate management cluster, with a different physical location, different infrastructure IP space, etc. This way you get full separation of the data and control planes, and when there are network issues in compute you can log in to your control plane (the control VM of the DLR) and hopefully fix the issue from that point of view.

Joey2008
Contributor

You are right, thank you.

We still have to route the control plane VM out to get access in, or get access from vCenter. I just thought we could add a management network on the same subnet as the controllers/NSX Managers/ESG, so I could access it easily.
