vPSO

Overview:

Two pod VVD design with an underlay built on Cisco ACI and using OSPF adjacencies with a single area with BGP providing adjacencies for the overlay provided by NSX.

Problem description: Inconsistent routing of traffic on the overlay.

The root of the Problem:

Edge-1 was publishing routes to ACI fabric to allowing underlay to route traffic to overlay networks. ACI was then publishing those routes to Edge-2 with higher priority than what the DLR was publishing the routes to Edge-2 as this causing traffic on Edge-2 could not forward to the DLR connected to Edge-2.

Resolution: Was to change the design from uplinks on multiple edges to uplink on single EDGE with HA enabled.

Reconfiguration:

Edge Configuration: Uplink to vDS and Internal connection to Global Transport Network

OSPF routing on EDGE: Uplink1 will connect to ToR for OSPF traffic.

BGP routing on EDGE: Configure Neighbors.

Route Distribution on EDGE: Needs two distributions from BGP to OSPF and accept all BGP.

DLR configuration: Uplink to EDGE-01 with three local virtual switches.

OSPF Configuration on DLR:  Disable

BGP Configuration on the DLR: BGP connection to the Edge.

Route redistribution: Only BGP connected needed.

Final configuration architecture:

It is critical that VVD project is greenfield deployment with spine leaf network topology. Where VVD can be accomplished on a traditional three-tier network, it might not fit within the preferred prescribed nature of a VVD. The preferred routing protocol is BGP, VVD can support OSPF configurations with some little extra effort. Where if there is no dynamic routing protocol an install of VVD will need a custom design for NSX to fit your network. Understanding firewall topology between different network zones is critical.

Failure to start with the prescribed Greenfield with Spine Leaf and BGP with good firewall documentation can add time and cost to a VVD project.

Please see https://kb.vmware.com/s/article/2079386 where Port 4789 is a requirement for the data center to data center traffic via VTEP protocol.

Please see https://communities.vmware.com/docs/DOC-34307 for all ports if there are firewalls between network segments in one datacenter. Along with an understanding of what ports might need to be open for users to access management products.

Prerequisites like AD Service Accounts, FQDN for all servers with forward and reverse DNS are working is paramount. SSL certificates need to be generated before the start of the project. Having hardware that is same per cluster is VMware best practice and is necessary for successful VVD deployment.

Please see http://pubs.vmware.com/vmware-validated-design-41/topic/com.vmware.ICbase/PDF/vmware-validated-design-41-sddc-planning-preparation.pdf

For a list of prerequisites and guide to prep for VVD engagement, I assume that VLAN’s, IP’s and FQDN’s will follow your corporate procedures.

Yes, the prerequisites seem to be a daunting task but many of them are core services for any data center. The vast majority of this prep work will cut down on process and change approval time and allow you to focus on the task of deployment laid out in the documentation for VMware validated designs.

@dcd270

Joe Tietz