VMware Networking Community
Petersaints
Enthusiast

NSX-T 2.5 - design help - newbie

Hello all,

Hope I find all of you well. I'm a newbie on NSX. First of all, sorry about my poor English writing skills.

I'm in a project for a customer that intends to implement NSX-T. Can anyone give me some help with the design for this project?

The hardware I will have available to start is 4 hosts, each with four 10Gb NICs and two 25Gb NICs.

The 4 servers will work as a hyper-converged solution. I will have to install vSphere 6.7, vSAN, VCSA 6.7 and NSX-T 2.5, plus all the customer workloads will be created on them, in at least two tenants. I will also have to separate the DMZ traffic from the other customer traffic: DMZ on one N-VDS and the other traffic on another N-VDS (does that make sense?).

I need a suggestion, to know what the best solution design is given the conditions I have available.

I was thinking:

- Use 2x 25Gbit pnics for ESXi management network + vcenter + vMotion + VSAN (vDS)

- Use 2x10Gbit pnics for NSX-T (customer DMZ) (N-VDS)

- Use 2x10Gbit pnics for NSX-T (other customer traffic) (N-VDS)

Is that a simple way, or is there a simpler one?

Other questions:

- About the tenants, each one will have a T1 router but only one T0 for both?

- The TEP IP pool: I will have two (two overlay TZs, one for DMZ and one for the other traffic), right? One for DMZ and one for the other customer traffic?

- The Edge cluster will have two Edge appliances for both DMZ and the other traffic, or should I have one Edge cluster for DMZ and another cluster for the other traffic?

Many thanks.

Pedro Santos

llewellyngm
VMware Employee

First, I would allocate dedicated links for vSAN; depending on the workload, 2x 10Gb links should be fine, and on a separate vDS.

For NSX I would merge the TEPs and separate the tenants using different T0s with routing. The 2x 25Gb is more than adequate, especially if you use lb_sourceid on those interfaces.

Then use the last 2x 10Gb NICs for vCenter + vMotion.

Sreec
VMware Employee

- Use 2x 25Gbit pnics for ESXi management network + vcenter + vMotion + VSAN (vDS)

- Use 2x10Gbit pnics for NSX-T (customer DMZ) (N-VDS)

- Use 2x10Gbit pnics for NSX-T (other customer traffic) (N-VDS)

Is that a simple way, or is there a simpler one?

To start with, you can stick with the above approach; however, a better approach would be a dedicated 2x10G for vSAN. If you have more services (management/backup) in the pipeline, you can club them with the 2x25 and configure NIOC.

Other questions:

- About the tenants, each one will have a T1 router but only one T0 for both?

     This is purely a design choice. We can have a collapsed T0 router (with a shared routing table), and this might be good for shared services; at the same time it is a single point of failure (redundancy can still be achieved using ECMP).

- The TEP IP pool: I will have two (two overlay TZs, one for DMZ and one for the other traffic), right? One for DMZ and one for the other customer traffic?

     This is perfect, and I believe there are unique L2/L3 devices for the DMZ.

- The Edge cluster will have two Edge appliances for both DMZ and the other traffic, or should I have one Edge cluster for DMZ and another cluster for the other traffic?

     The better approach is a unique cluster per zone.

You should explore NSX-T 3.0, which has the VRF Lite feature; for sure that will be an added benefit when you go with a shared T0 with routing isolation, and a good design for MPLS-based routes.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Petersaints
Enthusiast

Hi

- Use 2x 25Gbit pnics for ESXi management network + vcenter + vMotion + VSAN + Backups (vDS)

- Use 2x10Gbit pnics for NSX-T (all customer traffic) (N-VDS)

- Use 2x10Gbit pnics for NSX-T (Internal DevOPS team management - Virtual machines deployment, automation...) (N-VDS)

So...

a) Customer tenants

- One T1 per tenant, all connected to the same T0. Each tenant with a segment for web, another for app and another for DMZ. About the transport zones, only one overlay for all the traffic? Or should I have one overlay for DMZ? For the VLANs, are only two enough, or if I had a separate overlay for DMZ, should I have another two VLANs?

- The TEPs: I will have the overlay TEPs and a cluster of Edges sharing the same pNICs. I will need to have two pools, right?

b) DevOPS team tenant

- One T1 and a dedicated T0?

About the transport zones, only one overlay for all that management traffic plus two vlans, right?

- The TEPs: I will have the overlay TEPs and a cluster of Edges sharing the same pNICs. I will need to have two pools, right?

- On each customer tenant one segment for DevOPS (connected to the other N-VDS)

- With this scenario, will DevOPS tenant reach the customer tenants? How?

c) Related to management network + vCenter + vMotion + vSAN + backups, do I get any benefit from migrating the vDS to an N-VDS?

Many thanks. Sorry, I'm at the beginning of the NSX-T world.

Sreec
VMware Employee

a) Customer tenants

- One T1 per tenant, all connected to the same T0. Each tenant with a segment for web, another for app and another for DMZ. About the transport zones, only one overlay for all the traffic? Or should I have one overlay for DMZ? For the VLANs, are only two enough, or if I had a separate overlay for DMZ, should I have another two VLANs?

Do you have a unique cluster for DMZ workloads, or do they share the DC cluster?

- The TEPs: I will have the overlay TEPs and a cluster of Edges sharing the same pNICs. I will need to have two pools, right?

Yes, two IP pools are required.

b) DevOPS team tenant

- One T1 and a dedicated T0?

Yes, if you are looking for an isolated approach, that is what is possible with NSX-T 2.5.

About the transport zones, only one overlay for all that management traffic plus two vlans, right?

What do you mean by overlay for all management traffic?

- On each customer tenant one segment for DevOPS (connected to the other N-VDS)

- With this scenario, will DevOPS tenant reach the customer tenants? How?

Tenant-to-tenant reachability will be based purely on how well you design the routing. For sure, routing is required for this communication, and it will probably be hitting your core layer.

c) Related to management network + vCenter + vMotion + vSAN + backups, do I get any benefit from migrating the vDS to an N-VDS?

I would highly recommend going with the NSX-T 3.0 version, as you will get the VDS 7.0 benefit for all types of traffic.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
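As an added example (not from this thread or from VMware), the following Python pre-flight check models the host layout discussed above and flags the design mistakes the replies warn about: it verifies that every vDS/N-VDS gets two uplinks of equal speed, that no pNIC is claimed by two switches, and that the two TEP pools Sreec says are required (host TEPs and Edge TEPs sharing the same pNICs) do not overlap. The vmnic names and pool addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VirtualSwitch:
    name: str
    kind: str        # "vDS" or "N-VDS"
    uplinks: list    # pNIC names claimed by this switch
    traffic: list    # traffic types carried

# Host pNIC inventory from the thread: four 10Gb and two 25Gb ports (vmnic names are constructed).
PNIC_SPEED_GBPS = {"vmnic0": 10, "vmnic1": 10, "vmnic2": 10, "vmnic3": 10,
                   "vmnic4": 25, "vmnic5": 25}

# The layout proposed in the thread: 2x25Gb vDS for infra, two 2x10Gb N-VDS for the tenants.
HOST_SWITCHES = [
    VirtualSwitch("vds-infra", "vDS", ["vmnic4", "vmnic5"],
                  ["mgmt", "vcenter", "vmotion", "vsan", "backup"]),
    VirtualSwitch("nvds-customer", "N-VDS", ["vmnic0", "vmnic1"], ["customer-overlay"]),
    VirtualSwitch("nvds-devops", "N-VDS", ["vmnic2", "vmnic3"], ["devops-overlay"]),
]
# Constructed TEP pools: host TEPs and Edge TEPs share pNICs, so each gets its own pool.
TEP_POOLS = {"host-tep": "172.16.10.0/24", "edge-tep": "172.16.11.0/24"}

def check_uplinks(switches, speeds):
    """Each switch needs two uplinks of equal speed, and no pNIC may serve two switches."""
    problems, owner = [], {}
    for sw in switches:
        if len(sw.uplinks) < 2:
            problems.append(f"{sw.name}: fewer than two uplinks, no redundancy")
        problems += [f"{sw.name}: unknown pNIC {u}" for u in sw.uplinks if u not in speeds]
        if len({speeds.get(u) for u in sw.uplinks}) > 1:
            problems.append(f"{sw.name}: mixed uplink speeds")
        for u in sw.uplinks:
            if u in owner:
                problems.append(f"{u}: claimed by both {owner[u]} and {sw.name}")
            owner[u] = sw.name
    return problems

def check_tep_pools(pools):
    """Every pair of TEP pools must be disjoint; overlapping pools mean duplicate TEP IPs."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in pools.items()}
    names = list(nets)
    return [f"TEP pools {a} and {b} overlap" for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def validate(switches=HOST_SWITCHES, speeds=PNIC_SPEED_GBPS, pools=TEP_POOLS):
    """Return the list of design problems; an empty list means the layout passes."""
    return check_uplinks(switches, speeds) + check_tep_pools(pools)
```

Running `validate()` on the thread's layout returns an empty list; swap in a layout that reuses a pNIC or a TEP pool that overlaps another and the offending item is reported by name.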
Petersaints
Enthusiast

Hi Sreec,

Answering you:

a) They will share the DC cluster

b) I mean management traffic, the overlay traffic itself.

As you recommend, I think it's better to try NSX-T 3.0. Probably I will have more flexibility and a simpler design.

Sreec, thank you very much for your time.

Regards,

Pedro Santos

Sreec
VMware Employee

a) They will share the DC cluster

I prefer to go with one VLAN.

b) I mean management traffic, the overlay traffic itself.

A single VLAN for the management network will ease your troubleshooting and firewall requirements. So the choice is yours, but don't call management traffic overlay traffic.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Petersaints
Enthusiast

Thanks Sreec.
