Solved: NSX Design

vSohill · ‎12-17-2018

HI,

Get a design question from our customer. The customer will design 3 clusters, Management, Edge and Compute. Management cluster consumers are vCenter NSX manager and other vRealize components. The customer will connect the Management cluster to the management network only. The edge will be connected to the Payload network and the management network. Do we need connection between the Management cluster and the Payload network. The transport zone is running over the payload network.

spirest · ‎12-19-2018

Edges are configured VIA the host they live on and do not require direct connectivity to the NSX manager. I misspoke previously. The NSX manager doesn't need to talk to your ESG directly, it just needs to be able to talk to the host your ESG lives on. I just finished a deployment last week where many ESGs were totally isolated from the network, but I still configured them successfully.

My assumption is that when NSX configures an ESG, it does so via the ESX host management port. Then ESX relays that configuration to the ESG via vmware tools, which is automatically installed on ESGs.

In short - What you described with your ESG will work just fine so long as the edge cluster ESXi hosts are prepped and talking to NSX!

View solution in original post

lhoffer · ‎12-18-2018

The management network does not need to be able to reach the subnets/VLANs that'll carry your overlay traffic if that's what you're asking. You can get a full list of the ports and protocols used between the various components for NSX-V in the Ports and Protocols Required by NSX section of the upgrade guide. If you're talking about NSX-T, you can get the same info in the Ports and Protocols section of the install guide.

spirest · ‎12-18-2018

The only real requirement for NSX reachability is that your NSX manager can talk to vcenter. And your NSX manager can talk to your controllers AND the management port of all esxi hosts.

Many customer will put NSX Manager, vCenter, Controllers and ESX all the same /24 subnet. If the customer has a large number of ESXI hosts they may expand into another management subnet, but still need reachability.

This article has a diagram with very basic requirements. There are more detailed diagrams floating around out there, but this one answers you question. VCP-NV: A (Quick) Look at VMware NSX Architecture

As mentioned by someone else already. There is no communication requirement for your VTEP/VXLAN vmk ports and the rest of NSX. The only thing a VTEP needs to be able to talk to, is the VTEP of whatever host it needs to send traffic to. Most VTEP/VXLAN networks are completely isolated to a single layer 2 segment.

vSohill · ‎12-19-2018

Thanks the quick answer

If the controllers located with vCenter on the management cluster on the same network.Edge gateway located on edge cluster on different network, no network connection between Edge and Controllers neither vCenter. Management cluster will have up-links to management and vMotion and Management workload. Will it work ?

spirest · ‎12-19-2018

Edges are configured VIA the host they live on and do not require direct connectivity to the NSX manager. I misspoke previously. The NSX manager doesn't need to talk to your ESG directly, it just needs to be able to talk to the host your ESG lives on. I just finished a deployment last week where many ESGs were totally isolated from the network, but I still configured them successfully.

My assumption is that when NSX configures an ESG, it does so via the ESX host management port. Then ESX relays that configuration to the ESG via vmware tools, which is automatically installed on ESGs.

In short - What you described with your ESG will work just fine so long as the edge cluster ESXi hosts are prepped and talking to NSX!

vSohill · ‎12-19-2018

Thank you,

All

NSX Design