6 Replies Latest reply on Apr 21, 2019 8:16 PM by SunshineM

    IPs to be used for NSX deployment

    SunshineM Enthusiast

      Hello,

      I am implementing NSX for various solutions like vCloud and vRA. But what I am confused about and not understanding is basically which IPs should be assigned in an NSX deployment.

      To be more precise, I have seen many videos and articles on NSX, but everywhere the example given uses the IP ranges below:

      WebTier, DBTier, AppTier > use IPs from 172.x.x.x

      NSX Logical Router interfaces > 192.168.x.x

      But I want to use NSX in our production environment.

      So I need to know which IPs should be used for the Logical Router interfaces and the VMs behind this NSX?

      > Routable IPs or non-routable IPs

      > If non-routable IPs are used
         Then do I have to use NAT? If NAT is used, then how will NATing happen in the case of vRA or vCloud consumer VMs, where these VMs are deployed on demand, because while configuring NAT, if I am not wrong, a 1:1 mapping of VM IPs needs to be done.

      > If routable IPs are used
         Then can the VMs behind NSX and the Logical Router interfaces be assigned routable (VLAN-based) IPs?

      I am really confused, especially about how this IP assignment needs to be done in NSX. Please guide.

      Please do not reply that this is the basics of NSX and to see videos. I have gone through them and am not able to understand. So the expectation is to make me understand with specific examples, which will clear my doubt.

      Thanks.

        • 1. Re: IPs to be used for NSX deployment
          Sreec Master

          As far as the IP scheme for your workloads, this is something you have to decide, and it is better to isolate these subnets from the subnets below, which are ideally required for the vSphere & NSX setup:

          1) ESXi Management

          2) VM Management

          3) VXLAN Transport

          4) vMotion and IP SAN (optional)

          5) Transit VLAN, based on tenant design

          > Routable IPs or non-routable IPs

          > If non-routable IPs are used
             Then do I have to use NAT? If NAT is used, then how will NATing happen in the case of vRA or vCloud consumer VMs, where these VMs are deployed on demand, because while configuring NAT, if I am not wrong, a 1:1 mapping of VM IPs needs to be done.

          You can do 1:many NAT (PAT) as well; there is no hard rule.

          > If routable IPs are used
            Then can the VMs behind NSX and the Logical Router interfaces be assigned routable (VLAN-based) IPs?

          Yes, just private subnets is enough (no need for VLANs; it is better to go with the VXLAN stack).
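          The reply above lists the infrastructure subnets that the workload subnets must stay clear of, and a later reply in this thread adds that each VM's default gateway should be the DLR internal interface in the VM's own subnet. The following script is an added example, not something posted in the thread or shipped by VMware: it checks a candidate IP plan for exactly those properties. All subnet values and names (INFRA_SUBNETS, WORKLOAD_SUBNETS, the 10.10.x.x and 172.16.x.x ranges, the dlr_gw addresses) are constructed for illustration and are not taken from the thread.

```python
import ipaddress

# Constructed example plan (not from the thread): infrastructure subnets that
# vSphere/NSX need, and workload subnets behind the DLR. The dlr_gw value for
# each workload subnet is the DLR internal interface address the VMs point at.
INFRA_SUBNETS = {
    "esxi_mgmt": "10.10.0.0/24",
    "vm_mgmt": "10.10.1.0/24",
    "vxlan_transport": "10.10.2.0/24",
    "vmotion": "10.10.3.0/24",
    "transit_esg_dlr": "10.10.4.0/29",
}
WORKLOAD_SUBNETS = {
    "web_tier": {"subnet": "172.16.10.0/24", "dlr_gw": "172.16.10.1"},
    "app_tier": {"subnet": "172.16.20.0/24", "dlr_gw": "172.16.20.1"},
    "db_tier": {"subnet": "172.16.30.0/24", "dlr_gw": "172.16.30.1"},
}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole subnet lies inside one of the RFC 1918 private ranges."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_plan(infra, workloads):
    """Return a list of problems with the plan; an empty list means it passes."""
    problems = []
    nets = []
    for name, cidr in infra.items():
        nets.append((name, ipaddress.ip_network(cidr)))
    for name, spec in workloads.items():
        net = ipaddress.ip_network(spec["subnet"])
        gw = ipaddress.ip_address(spec["dlr_gw"])
        nets.append((name, net))
        # Workload subnets sit behind the edge NAT, so they must be RFC 1918.
        if not is_rfc1918(net):
            problems.append(f"{name}: {net} is not an RFC 1918 subnet")
        # The VM default gateway must be a usable host address in its own subnet.
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: DLR gateway {gw} is not a host address in {net}")
    # No two subnets in the plan may overlap (e.g. tenant space colliding with
    # ESXi management or the VXLAN transport network).
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} {a} overlaps {n2} {b}")
    return problems


if __name__ == "__main__":
    for line in check_plan(INFRA_SUBNETS, WORKLOAD_SUBNETS) or ["plan OK"]:
        print(line)
```

          Run it against your own dictionaries before touching the DLR or ESG; an overlap between a tenant subnet and ESXi management, or a gateway that is not inside the VM's subnet, is far cheaper to catch here than after the VMs are cut over.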

          • 2. Re: IPs to be used for NSX deployment
            SunshineM Enthusiast

            Taking the scenarios below:

            Scenario 1: VMs which already exist need to be used in NSX

            1) Use NAT

            2) Use non-routable IPs, i.e. private subnets:
                 (a) For VMs behind NSX, where the VM's default gateway needs to be changed to the IP of the Logical Router's internal interface??
                 (b) For all the interfaces of the relevant Logical Router except the uplink interface of the Edge Gateway??

            If the answer to the above is YES, then I understood the existing VMs part.

            Scenario 2: On-demand VMs, like VMs created by an end user in vCloud Director in the consumer cluster

            1) Use non-routable IPs, i.e. private subnets on all relevant Logical Router interfaces except the uplink interface of the Edge Gateway

            2) But now, how do I use NAT in this case, as VMs will be created on demand?
                 (a) e.g. One user logs into vCloud and creates a VM. This VM gets a private subnet IP from the pool, say 172.20.10.1. Here, how will the routable VLAN IP be NATed, and how will the user know that NATed IP?

            I hope I was able to clarify my doubt.

            • 3. Re: IPs to be used for NSX deployment
              Sreec Master

              1) Use NAT

              2) Use non-routable IPs, i.e. private subnets:
                   (a) For VMs behind NSX, where the VM's default gateway needs to be changed to the IP of the Logical Router's internal interface??

              Yes, if you want to optimize E-W routing, the preferred option is to configure the GW on the DLR.

                  (b) For all the interfaces of the relevant Logical Router except the uplink interface of the Edge Gateway??

              I'm sorry, can you please explain what you are trying to convey/achieve with the above statement?

              If the answer to the above is YES, then I understood the existing VMs part.

              Scenario 2: On-demand VMs, like VMs created by an end user in vCloud Director in the consumer cluster

              1) Use non-routable IPs, i.e. private subnets on all relevant Logical Router interfaces except the uplink interface of the Edge Gateway

              2) But now, how do I use NAT in this case, as VMs will be created on demand?
                   (a) e.g. One user logs into vCloud and creates a VM. This VM gets a private subnet IP from the pool, say 172.20.10.1. Here, how will the routable VLAN IP be NATed, and how will the user know that NATed IP?

              Eventually these VMs should be connected to one of the VCD network types, which we both know. So, assuming you have one such network available, you could configure NAT/routing in advance with the required firewall rules, so that irrespective of VM creation/deletion the connectivity configuration is in place, and that makes a seamless experience for the end user.

              • 4. Re: IPs to be used for NSX deployment
                SunshineM Enthusiast

                Ah ok, I guess now I got it. Let me know if my understanding below is true:

                For existing VMs:

                1) Decide the private subnets that need to be applied to the VMs behind NSX and the NSX DLR

                2) Apply private IPs to the VMs behind NSX

                3) Apply private IPs to all interfaces of the DLR

                4) Make the default gateway of all VMs behind NSX the next-hop IP of the NSX DLR

                5) Apply a VLAN IP to the external interface of the Edge Gateway

                6) Configure NAT to allow mapping of private IPs to routable VLAN IPs

                For on-demand VMs, like those in vCloud that are created by end users:

                1) Decide the private subnets that need to be applied to the VMs behind NSX and the NSX DLR

                2) Apply private IPs to the VMs behind NSX >>>>>> this step is not applicable, as the VMs do not exist yet <<<<<<<

                3) Apply private IPs to all interfaces of the DLR

                4) Make the default gateway of all VMs behind NSX the next-hop IP of the NSX DLR

                5) Apply a VLAN IP to the external interface of the Edge Gateway

                6) Configure NAT in advance to allow mapping of private IPs to routable VLAN IPs, as here we have the list of IPs that will be used for vCloud consumer VMs and the list of routable VLAN IPs

                If the above is true, then now only 1 question:

                > When an end user creates a VM on demand, how will they know which routable VLAN IP is mapped to the private IP of that VM?

                • 5. Re: IPs to be used for NSX deployment
                  Sreec Master

                  1) Decide the private subnets that need to be applied to the VMs behind NSX and the NSX DLR

                  2) Apply private IPs to the VMs behind NSX

                  3) Apply private IPs to all interfaces of the DLR

                  4) Make the default gateway of all VMs behind NSX the next-hop IP of the NSX DLR

                  5) Apply a VLAN IP to the external interface of the Edge Gateway

                  6) Configure NAT to allow mapping of private IPs to routable VLAN IPs

                  Yes, the above understanding is correct.

                  For on-demand VMs, like those in vCloud that are created by end users:

                  1) Decide the private subnets that need to be applied to the VMs behind NSX and the NSX DLR

                  2) Apply private IPs to the VMs behind NSX >>>>>> this step is not applicable, as the VMs do not exist yet <<<<<<<

                  3) Apply private IPs to all interfaces of the DLR

                  4) Make the default gateway of all VMs behind NSX the next-hop IP of the NSX DLR

                  5) Apply a VLAN IP to the external interface of the Edge Gateway

                  6) Configure NAT in advance to allow mapping of private IPs to routable VLAN IPs, as here we have the list of IPs that will be used for vCloud consumer VMs and the list of routable VLAN IPs

                  I would request you to revisit the topics that I shared in "VxLAN - Use of Scoped vs VLAN subnets", specifically "scope" different subnets for the DLR (internal & uplink interface) and the ESG (only internal interface). The way DLR interface and IP plumbing is done is a bit different in VCD.

                  If the above is true, then now only 1 question:

                  > When an end user creates a VM on demand, how will they know which routable VLAN IP is mapped to the private IP of that VM?

                  This totally depends upon how you have designed the VCD portal and what is exposed to the end user. Let's assume the end user can log in to their respective tenant portal; they could see their VM with internal & external IP mapping information etc. If you have a custom portal running on top of VCD, ideally the underlying VCD mapping will be hidden; it would be the external IP (IP masquerading is possible) information along with the virtual machine information which will be populated over there.
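                  The two replies above describe pre-provisioning NAT for an IP pool before any VM exists, mixing 1:1 (static) mappings with a 1:many (PAT) catch-all, and then showing the tenant the external IP that results. The script below is an added example, not code from the thread or from VMware: it builds an ordered rule list for a pool and answers "what external IP does this VM have, and is it reachable inbound?" by walking those rules in order. The 172.20.10.0/24 pool comes from the thread's own example; the routable /28, the ESG uplink address, the rule dictionary shape, and the assumption that the lowest host address belongs to the gateway are all constructed for illustration and are not NSX API objects.

```python
import ipaddress

# Constructed example values (not from the thread): the tenant's static IP
# pool, a /28 of routable VLAN addresses reserved for 1:1 mappings, and the
# ESG uplink address used for the 1:many catch-all SNAT.
PRIVATE_POOL = ipaddress.ip_network("172.20.10.0/24")
ROUTABLE_POOL = ipaddress.ip_network("192.0.2.16/28")
ESG_UPLINK_IP = ipaddress.ip_address("192.0.2.2")


def build_nat_table(private_pool, routable_pool, uplink_ip, skip_first=1):
    """Pre-provision an ordered NAT rule list for a tenant subnet.

    Rules exist for pool addresses before any VM is created, so a VM that is
    later handed an address from the pool is already mapped. Order matters:
    an edge evaluates NAT rules top-down, first match wins, so the per-VM
    SNAT half of each 1:1 mapping must precede the subnet-wide catch-all.
    skip_first leaves the lowest host address(es) out of the 1:1 mapping
    (assumption: the DLR/edge internal interface takes the first host).
    """
    priv_hosts = list(private_pool.hosts())[skip_first:]
    pub_hosts = list(routable_pool.hosts())
    rules = []
    # 1:1 static NAT: one routable IP per reserved private IP, both directions.
    for priv, pub in zip(priv_hosts, pub_hosts):
        rules.append({"type": "DNAT", "match": str(pub), "translate_to": str(priv)})
        rules.append({"type": "SNAT", "match": str(priv), "translate_to": str(pub)})
    # 1:many (PAT) catch-all for the rest of the subnet: outbound only.
    rules.append({"type": "SNAT", "match": str(private_pool),
                  "translate_to": str(uplink_ip)})
    return rules


def external_view(rules, private_ip):
    """What a tenant portal should show for a VM: (external IP, inbound reachable).

    Walks the SNAT rules in order, the same way the edge does, so the answer
    reflects the first matching rule rather than an assumed mapping.
    """
    ip = ipaddress.ip_address(private_ip)
    for r in rules:
        if r["type"] != "SNAT":
            continue
        if ip in ipaddress.ip_network(r["match"], strict=False):
            inbound = any(d["type"] == "DNAT" and d["translate_to"] == str(ip)
                          for d in rules)
            return r["translate_to"], inbound
    return None, False


if __name__ == "__main__":
    table = build_nat_table(PRIVATE_POOL, ROUTABLE_POOL, ESG_UPLINK_IP)
    for vm in ("172.20.10.2", "172.20.10.15", "172.20.10.16"):
        print(vm, "->", external_view(table, vm))
```

                  With a /28 of routable space only the first 14 reserved pool addresses get a 1:1 mapping; everything else in the pool masquerades behind the uplink IP and is not reachable from outside, which is the distinction a tenant portal needs to display. Keep the catch-all SNAT last in the rule list on the edge as well: if it sits above the per-VM SNATs, outbound traffic from a 1:1 VM leaves with the uplink address while inbound arrives on its dedicated address, and the return path for inbound flows breaks.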

                  • 6. Re: IPs to be used for NSX deployment
                    SunshineM Enthusiast

                    Thank you very much for making me understand this. I will configure it and may post a question again if required.