Configuring VMware Cross-vCenter NSX

What is Cross vCenter NSX?

Cross-vCenter NSX feature was introduced in NSX 6.2 and it allows central management of network virtualization and security policies across multiple vCenter Server systems. In a cross-vCenter NSX environment, you can have multiple vCenter Servers, each of which must be paired with its own NSX Manager. One NSX Manager is assigned the role of primary NSX Manager, and the others are assigned the role of secondary NSX Manager.

Cross vCenter NSX components

Cross vCenter NSX introduces universal objects; such as:

  • Universal Controller Cluster (UCC)
  • Universal Transport Zone (UTZ)
  • Universal Logical Switch (ULS)
  • Universal Distributed Logical Router (UDLR)
  • Universal IP Set/MAC Set
  • Universal Security Group/Service/Service Group
  • Universal distributed firewall rules.

In a Cross vCenter NSX architecture, all universal objects are created on primary NSX manager and it is then synchronized to all secondary NSX managers via the Universal Synchronization Service. This service only runs on primary NSX manager.

vSphere Requirements for Cross vCenter NSX

vSphere 6 is a current requirement for Universal Logical Switches, Distributed Logical Routers and Distributed Firewall. Cross-VC NSX does not have a dependency on a specific Platform Services Controller deployment model. Both Embedded and External modes are supported. However benefits of an External PSC include:

  • Enhanced Linked Mode (centralized management of NSX)
  • Cross VC vMotion from vSphere Web Client UI

Cross vCenter NSX Deployment

Greenfield Deployments of Cross-VC NSX are straightforward and high level steps can be summarized as below:

  • Assign Primary/Secondary NSX Manager Roles
  • Deploy Universal Controller Cluster
  • Consume Universal or Local objects

In-place upgrade of existing NSX environments to enable Cross-VC have certain requirements such as:

  • No controller should be present in NSX manager which will be assigned secondary role.
  • Segment ID should be unique per NSX taking part in cross vCenter NSX configuration

Note: For cross vCenter NSX, NSX manager version should be same on both sides. 

In my lab I am doing a In-place upgrade and I had a controller at Site-B which I deleted before configuring cross vCenter NSX.

I also verified that I have unique segment ID pool set as 5000-6000 and 6001-7000 at Site-A and B respectively. 

Configure NSX Manager Roles

Assign Primary role to specified NSX Manager

Login to vCenter UI and navigate to Network & Security > Installation > Management tab and select the NSX manager to which you want to assign Primary role and from Actions tab select “Assign Primary Role”

Click on yes button to proceed

After 2-3 minutes, you will see the role of NSX manager changing from Standalone to Primary

Assign Secondary role to specified NSX Managers

 

To add a secondary role to a NSX manager, select the primary NSX manager from the list and from Actions tab select “Add Secondary NSX Manager”

Select the NSX manager which will be assigned secondary role and punch the admin credentials and click on Add. Accept the SSL thumbprint which will be presented to you.

After a minute or so, role of the other NSX manager will change from standalone to secondary.

Deploy/Configure Universal Controller Cluster

 

There is only one universal control cluster and it resides with the Primary NSX Manager. This creates the NSX control plane across all secondary NSX Managers. Since I am doing a In-place upgrade, I already had 3 controllers deployed in Site-A where my Primary NSX manager is sitting.

Once you assign Primary/Secondary roles to NSX manager, the controllers associated with Primary NSX manager becomes universal controllers. Under NSX controllers tab you will see 3 extra controllers, but they are managed by Primary NSX manager only.

If you are doing green field deployment and deploying controllers post assigning NSX manager roles, then you have to deploy 3 controllers.

Create/Configure Universal segment ID pools

 

Universal Segment ID pool is needed to assign VNI to the universal logical switches. To define a universal segment ID, navigate to Network & Security > Installation > Logical Network > Segment ID and  click on Edit. 

Under Universal Segment ID pool, specify the range and click on save button.

From the NSX Manager drop down menu, select the secondary NSX manager and verify that newly created segment ID pool is visible there.

Note: If any universal object post creation is not visible in secondary NSX manager, you can force synchronization by selecting primary NSX manager and from Actions tab select “Perform Universal Synchronization

Create/Manage Universal Transport Zones

 

There can be only one universal transport zone in a cross vCenter NSX configuration and this is created where your primary NSX manager is residing. Your universal logical switches hooks to universal transport zone.

To create a Universal Transport Zone, go to Transport Zones tab under Logical Network preparation and make sure primary NSX manager is selected. Click on + button to add a new transport zone.

Provide a name for the transport zone and select appropriate Replication Mode. Also make sure to check mark “Mark this object for Universal Synchronization”. If you forget to select this box, the transport zone will be created as local transport zone instead of universal.

You can also add the clusters which will be associated with this transport zone. 

You can verify that scope of the newly created transport zone shows as “Universal”

If you select the secondary NSX manager from the list, you will see the newly created universal TZ present there.

And that’s it for this post.

I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂

Leave a ReplyCancel reply