NSX 4.X VRF Issue “Overlapping Trunk VLAN on Logical Switch”

I came across an interesting issue while configuring VRF gateways in NSX 4.x. The configuration was erroring out with the message “Logical Switch trunk-vlan overlapping with another Logical Switch in the same underlying Edge host-switch is not allowed. Change VLAN configuration.”

After configuring the Tier-0 VRF Gateways, the parent Tier-0 went down.

Also, 2 out of 4 interfaces on the VRF gateway were stuck in the configuring state. 

The Cause

The main cause of this issue was that I created 2 trunked segments for northbound connectivity and allowed the same range of VLANs on them.

This method used to work perfectly fine in NSX 3.x, and I have blogged on this topic earlier, so I was wondering why the same steps were no longer working.

While troubleshooting, I came across this post by Graham Smith on Broadcom’s community channel. He has provided the resolution in his blog post here.

In NSX 3.x, there wasn’t a mechanism to check for overlapping VLAN IDs on the logical segments, and hence you could have 2 segments trunking the same set of VLANs. That’s no longer the case with NSX 4.0: the check is now enforced, and a segment may fail to initialize if its VLAN range overlaps with another segment on the same underlying Edge host-switch.

The Resolution

1: Using non-trunked logical segments: With this approach you create the uplink segments the same way that you would for a regular Tier-0 gateway, i.e., a logical segment backed by a single VLAN ID and associated with the relevant named teaming policy.

This approach works just fine; however, this setup requires a new segment for each VRF gateway, and since edges are dual-linked for uplink configuration, two uplink segments are needed per VRF. Given that we can scale a single Edge cluster to 100 VRFs, we’d need up to 200 uplink segments to build this.

2: Using trunked logical segments: This approach requires creating the uplink segments as a trunk and allowing a range of VLANs for the edge node connectivity with northbound routers. The VLAN range can be wide; however, it must not include any TEP VLANs or any existing VLAN ranges on other segments. 

If you opt for the second approach, you need to create one trunk logical segment per VRF and specify the VLAN ID when configuring the Tier-0 VRF gateway interfaces.
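Before creating the trunk segments, it helps to check the planned VLAN ranges against the rule NSX 4.x now enforces. The following is an added example (not NSX code and not from the original post): a small Python pre-flight check that parses NSX-style VLAN specs, flags any two segments on the same Edge host-switch whose ranges overlap, and also flags ranges that include a TEP VLAN. The segment names, host-switch names and VLAN values are constructed for illustration.

```python
"""Pre-flight check for NSX 4.x trunk-segment VLAN overlap (added example).

NSX 4.x rejects two trunk segments on the same underlying Edge host-switch
whose allowed VLAN ranges overlap. This script applies the same rule to a
planned set of uplink segments before they are created, and additionally
flags any range that includes a TEP VLAN. All data below is constructed.
"""
from itertools import combinations


def parse_vlan_spec(spec):
    """Parse an NSX-style VLAN spec such as '100-199,300' into a set of IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad VLAN range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    bad = sorted(v for v in vlans if not 0 <= v <= 4094)
    if bad:
        raise ValueError(f"VLAN IDs out of 0-4094: {bad}")
    return vlans


def find_conflicts(segments, tep_vlans=()):
    """Return a list of conflicts for the planned segments.

    segments:  iterable of dicts with 'name', 'host_switch' and 'vlans'
               (an NSX-style spec string).
    tep_vlans: VLAN IDs used for Edge TEPs; a trunk must not include them.
    Each conflict is a dict with 'kind' ('overlap' or 'tep'), the
    'segments' involved and the offending 'vlans'.
    """
    parsed = [(s["name"], s["host_switch"], parse_vlan_spec(s["vlans"]))
              for s in segments]
    tep = set(tep_vlans)
    conflicts = []

    # Rule 1: a segment's allowed VLANs must not include a TEP VLAN.
    for name, _hs, vlans in parsed:
        hit = vlans & tep
        if hit:
            conflicts.append({"kind": "tep", "segments": [name],
                              "vlans": sorted(hit)})

    # Rule 2: ranges on the same host-switch must not overlap (NSX 4.x check).
    for (n1, hs1, v1), (n2, hs2, v2) in combinations(parsed, 2):
        if hs1 != hs2:
            continue  # different host-switches are checked independently
        shared = v1 & v2
        if shared:
            conflicts.append({"kind": "overlap", "segments": [n1, n2],
                              "vlans": sorted(shared)})
    return conflicts


# Constructed plan: the failing case (two trunks both allowing 100-199),
# a trunk that accidentally includes the TEP VLAN, and an unrelated segment
# on a second host-switch that must not be reported.
PLANNED_SEGMENTS = [
    {"name": "vrf-trunk-a", "host_switch": "edge-hs-1", "vlans": "100-199"},
    {"name": "vrf-trunk-b", "host_switch": "edge-hs-1", "vlans": "100-199"},
    {"name": "vrf-trunk-c", "host_switch": "edge-hs-1", "vlans": "200-299"},
    {"name": "t0-uplink-1", "host_switch": "edge-hs-2", "vlans": "150"},
]
TEP_VLANS = [250]  # constructed TEP VLAN for edge-hs-1


if __name__ == "__main__":
    for c in find_conflicts(PLANNED_SEGMENTS, TEP_VLANS):
        ids = c["vlans"]
        span = f"{ids[0]}-{ids[-1]}" if len(ids) > 1 else str(ids[0])
        print(f"{c['kind']:8} {' / '.join(c['segments'])}: VLAN {span}")
```

Run the script against your own planned segment list; an empty result means the ranges satisfy the overlap rule NSX 4.x enforces and keep clear of the TEP VLANs, which is exactly the condition the second approach above requires.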

And that’s it for this post. I hope this article saves your precious time if you are configuring VRFs in NSX 4.x.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.
