NSX-V to NSX-T Migration using Layer 2 Bridging

This blog will explore how we can migrate workloads which are on hosts prepared for NSX-V to hosts prepared for NSX-T using NSX-T Layer 2 Bridging.


Cluster Setup

In the lab setup, four hosts (ESXi 1 to ESXi 4) are prepared for NSX-T and the remaining four hosts (ESXi 5 to ESXi 8) are prepared for NSX-V.

NSX-T edges used for Layer 2 bridging are on NSX-V prepared hosts.


Logical Setup

The above is the logical setup used in this lab.


IP Addressing


The above shows the IP addressing used in the lab.


BGP AS Numbering


The above picture shows the BGP AS numbering used.


BGP peerings


The above diagram shows the BGP peerings.

eBGP peerings run between NSX and the physical network.

iBGP runs between the NSX-V edges and the Distributed Logical Router.

There is no routing protocol between Tier 1 Gateway of NSX-T and Tier 0 Gateway upstream.

During migration, traffic flows through the NSX-V edges, which means that:

1. You can choose not to advertise connected subnets on the Tier 1 Gateway,

2. or keep BGP disabled on the Tier 0 Gateway.


NSX-V Setup

NSX-V Prepared Cluster


The above picture shows the four hosts prepared for NSX-V.


NSX-V Edges and DLR


The required NSX-V edges and DLR have been deployed.


Workloads hosted on both clusters



VM on VXLAN

One VM, Windows 10-2, is hosted on this NSX-V prepared cluster.


We need to make sure that the security settings of the port group (corresponding to the VXLAN being bridged) are set as follows:

  • Set promiscuous mode on the port group.
  • Allow forged transmits on the port group.

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.5/administration/GUID-F133B293-5DEA-4DC8-99DB-6EF004C8D8D7.html

Security settings of VXLAN backed port group

NSX-T Setup

Overlay Transport Zone defined using REST API Client


To ensure that unique MAC addresses are used on the layer 3 interfaces of the DLR and the Tier 1 Gateway respectively, make sure the overlay transport zone in NSX-T is defined as above with

“nested_nsx”: true
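
As an added example (not from the original post), a pre-migration check in Python for the two settings above: nested_nsx on the overlay transport zone, and promiscuous mode and forged transmits on the bridged port group only. The sample data is constructed; the transport zone and port group names and the key names of the port group export are assumptions.

```python
import json

# Constructed samples, not lab output: a trimmed GET /api/v1/transport-zones
# response and a hand-made export of port group security settings.
TZ_RESPONSE = json.loads("""
{"results": [
  {"display_name": "tz-overlay", "transport_type": "OVERLAY", "nested_nsx": true},
  {"display_name": "tz-overlay-old", "transport_type": "OVERLAY"},
  {"display_name": "tz-vlan", "transport_type": "VLAN"}
]}
""")
PORTGROUPS = [  # hypothetical names and keys
    {"name": "vxw-web-5001", "promiscuous": True, "forged_transmits": True},
    {"name": "vxw-app-5002", "promiscuous": True, "forged_transmits": False},
    {"name": "vxw-db-5003", "promiscuous": True, "forged_transmits": True},
]


def check_transport_zone(tz_response, name):
    """Findings for the overlay transport zone that backs the bridged segment."""
    zones = {z["display_name"]: z for z in tz_response.get("results", [])}
    zone = zones.get(name)
    if zone is None:
        return [f"{name}: transport zone not found"]
    findings = []
    if zone.get("transport_type") != "OVERLAY":
        findings.append(f"{name}: transport_type is not OVERLAY")
    # A missing key is reported the same way as an explicit false.
    if zone.get("nested_nsx") is not True:
        findings.append(f"{name}: nested_nsx is not true")
    return findings


def check_portgroups(portgroups, bridged):
    """Bridged port groups need both settings; all others should have neither."""
    findings = []
    for pg in portgroups:
        for key in ("promiscuous", "forged_transmits"):
            if pg["name"] in bridged and not pg[key]:
                findings.append(f"{pg['name']}: enable {key} for bridging")
            elif pg["name"] not in bridged and pg[key]:
                findings.append(f"{pg['name']}: {key} enabled but not bridged")
    return findings


if __name__ == "__main__":
    for line in check_transport_zone(TZ_RESPONSE, "tz-overlay-old"):
        print(line)
    for line in check_portgroups(PORTGROUPS, {"vxw-web-5001", "vxw-app-5002"}):
        print(line)
```

Running the same port group check again after the migration, with an empty bridged set, lists the port groups where the relaxed settings are still in place.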



Compute host transport nodes prepared for NSX-T


NSX-T Edges


nsx-edge-1 and nsx-edge-2 are the NSX-T edges used for Layer 2 bridging.
These edges are placed on the cluster prepared for NSX-V.

The remaining two edges, nsx-edge-3 and nsx-edge-4, are used for the Tier 0 Gateway.

Edge used for L2 Bridging

Fast-path interfaces fp-eth0 and fp-eth1 on the edges used for Layer 2 bridging carry Geneve traffic; they are uplinked to a trunk port group on the VDS used for NSX-V preparation. This way all NSX traffic stays on this VDS, which is also used for NSX-V host preparation.


NSX-T Edge Clusters


Tier 0 Gateway


Tier 1 Gateway


NSX-T Segment connected to Tier 1 Gateway


Gateway set on NSX-T Segment

Validation of the setup

VM on NSX-T Segment




Reachability between physical router loopback and both VMs


The above picture shows the BGP peerings between the router and the NSX-V edges.
At this stage, the BGP peerings between the physical routers and the NSX-T edges are down/disabled.
The reason is that not all workloads from the NSX-V prepared hosts are on NSX-T prepared hosts yet.

Reachability between VM on VXLAN and loopback of physical router


Reachability between VM on NSX-T segment and loopback of physical router


At this point, we know that Layer 2 bridging is working as intended and that the layer 2 bridge is forwarding traffic upstream.


Traffic flow from VM on NSX-T Segment to loopback interface of physical router

Migration

Now we will migrate the VM which is on the NSX-V prepared cluster to the NSX-T prepared cluster.

With this, both workloads will be on the NSX-T prepared cluster.

At this point, we need to ensure that the workloads have the Tier 1 Gateway as their gateway.

We will ensure that the BGP peerings between the physical routers and the NSX-T edges are now all up,

and disable the BGP peerings between the physical routers and the NSX-V edges.


Workloads migrated to NSX-T prepared cluster


The above picture shows that the workloads have moved to the NSX-T prepared cluster.


After migration, traffic flow from physical router to VMs on NSX-T segment


From the physical router, we validate that the BGP peerings with the NSX-T edges are now up and those with the NSX-V edges are down.

Traffic now starts flowing through the NSX-T edges.


VM on NSX-T Segment to loopback IP of physical router


VM on NSX-T segment to loopback IP of physical router


Traffic flow after migration


One thought on “NSX-V to NSX-T Migration using Layer 2 Bridging”

  1. This is a great blog! Is there anyone to accomplish this if your V infrastructure is using OSPF, and of course our new T will be BGP?
