NSX design with cisco UCS/fabric interconnects and Nexus switches

Hi Experts

I am new to NSX design and deployment and am working on a project. We are deploying NSX for 4-tier applications (web, app, db, DC). I use logical switches, DLR, ESG and DFW. Initially we intend to use static routing.

1. Do we carry all the VLANs from the virtual to the physical environment? For example the mgmt VLAN, the tier VLANs (web, app, db), the VXLAN transport VLAN, or should it be only a specific VLAN? In other words, do I have to configure all the VLANs of the NSX environment on my physical switches?

2. vDS: do we create only one vDS initially during the vCenter deployment, or more? Should we take any special consideration when deploying the vDS for the NSX deployment?

3. Static routes: do we configure static routes on the DLR and the ESG? Should I use default routes upstream? On the physical router, should we route all subnets of the virtual environment to the ESG?

4. Where and how should virtual machines be created? Via vCenter, or before the NSX deployment?

5. We have a domain controller tier. Should it be part of the 3-tier application, or a separate application with an allow any any rule on the DFW?

Thank you

Sam

(1) The VLANs that exist for physical machines span into NSX VXLAN logical switches in the following cases:

  • If in the current deployment there are physical machines in the same VLAN and IP subnet as virtual machines, this common VLAN port group is migrated to a VXLAN-backed logical switch port group, and it is not possible to change the IP addresses of the virtual machines, then a DLR (Distributed Logical Router) bridge works as the translation between the physical VLAN and the virtual VXLAN
  • If P-to-V conversion of the physical machines on this VLAN is still ongoing

VLANs that cover only virtual machines, or VLANs that cover only physical machines, do not need to be bridged.

(2) For the NSX deployment there may be more than one vDS or only one vDS, depending on the design. There may be other types of traffic besides VXLAN-based VM traffic, such as backup, storage and vMotion, and the general design, management and best-practice considerations apply here as well. A requirement of NSX is a common vDS that spans the entire cluster. For each cluster this "common vDS" may be different. This vDS may be a separate vDS dedicated to the VTEPs, or the VTEP functionality can be added to the existing vDS. It may be best to use a separate vDS for the VTEPs.

(3) For the DLR, a default gateway is usually sufficient. If static routes are used, the ESG must then have a default route upstream and static routes downstream with the DLR as next hop for the IP subnets of the VM logical switches. On the physical router, static routes to the VM logical switch subnets and to the DLR-ESG transit subnet are required. Management of static routes is easier if route summarization is possible; otherwise, as the number of IP subnets grows, it may be a good idea to use a dynamic routing protocol such as OSPF or BGP. There are also IP address management features in vRealize and other IPAM solutions if automation is necessary for large and dynamic environments.
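The static-route arrangement described in (3) is easy to get wrong in one direction only (VM-to-physical works, the return path does not). The following is an added illustration, not code from the thread or from NSX: it models the three route tables (physical router, ESG, DLR) with longest-prefix match and traces a packet hop by hop. All addresses, subnets and the names "physical", "esg" and "dlr" are constructed assumptions.

```python
"""Walk a packet through DLR <-> ESG <-> physical router static routes.

Added illustration with constructed addressing; not the forum poster's
configuration and not an NSX API.
"""
from ipaddress import ip_address, ip_network

# Constructed topology (assumed addressing):
#   physical host 10.10.0.5 -> physical router -> ESG -> DLR -> tier subnets
PHYSICAL_LAN = ip_network("10.10.0.0/24")        # physical machines
PHYSICAL_UPLINK = ip_network("192.168.100.0/29")  # physical router <-> ESG
TRANSIT = ip_network("192.168.200.0/29")          # ESG <-> DLR
VM_SUBNETS = {
    "web": ip_network("172.16.10.0/24"),
    "app": ip_network("172.16.20.0/24"),
    "db": ip_network("172.16.30.0/24"),
}
VM_SUMMARY = ip_network("172.16.0.0/16")          # summary covering all tiers
DEFAULT = ip_network("0.0.0.0/0")


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def build_tables(summarize=True, physical_has_vm_routes=True):
    """Route tables as lists of (prefix, next hop); "connected" means deliver locally.

    physical_has_vm_routes=False reproduces the common mistake of forgetting
    the downstream routes on the physical router.
    """
    vm_routes = ([(VM_SUMMARY, "esg")] if summarize
                 else [(s, "esg") for s in VM_SUBNETS.values()])
    physical = [(PHYSICAL_LAN, "connected"), (PHYSICAL_UPLINK, "connected")]
    if physical_has_vm_routes:
        physical += vm_routes + [(TRANSIT, "esg")]
    # ESG: default upstream, tier subnets downstream via the DLR.
    esg = [(PHYSICAL_UPLINK, "connected"), (TRANSIT, "connected"), (DEFAULT, "physical")]
    esg += [(s, "dlr") for s in VM_SUBNETS.values()]
    # DLR: tier subnets are directly attached, everything else via the ESG.
    dlr = [(TRANSIT, "connected"), (DEFAULT, "esg")]
    dlr += [(s, "connected") for s in VM_SUBNETS.values()]
    return {"physical": physical, "esg": esg, "dlr": dlr}


def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start` to delivery; returns the hop list or None."""
    dst = ip_address(dst)
    hop, path = start, [start]
    for _ in range(max_hops):
        match = lookup(tables[hop], dst)
        if match is None:
            return None            # no route at this hop: packet is dropped
        if match[1] == "connected":
            return path            # delivered on a directly attached subnet
        hop = match[1]
        path.append(hop)
    return None


if __name__ == "__main__":
    ok = build_tables()
    print("web VM -> physical:", trace(ok, "dlr", "10.10.0.5"))
    print("physical -> web VM:", trace(ok, "physical", "172.16.10.10"))
    broken = build_tables(physical_has_vm_routes=False)
    print("physical -> web VM without physical routes:",
          trace(broken, "physical", "172.16.10.10"))
```

With the physical router's downstream routes removed, traffic from a VM still reaches the physical host (DLR default, ESG default), but the return path is dropped at the physical router, which is why the answer stresses that the physical side needs routes for both the tier subnets and the transit subnet.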

(4) NSX has no functionality for VM creation; it only creates network services such as switches, routers, firewalls and load balancers. VM creation continues the same way as before. A point to note is that the logical switches created appear as VXLAN-named port groups on the vDS. NSX Manager creates port groups on the vDS; the only difference is that the name includes VXLAN. The virtual machine is, as before, added to this VXLAN-backed port group, or added to the logical switch from the NSX Manager interface, which in turn appears as a plugin in vCenter. So vCenter remains the place to create virtual machines and add them to the logical switches.

(5) The domain controller tier can be a separate tier, or a third-party one; it may be preferable to keep it separate from the 3-tier applications. Usually it is the same design as without NSX. DFW rules can help protect the domain controller by allowing only the required ports from the virtual machines or physical machines that should be admitted. DFW rules can apply to NSX VXLAN-based logical switches as well as to VLAN-based dVS port groups, because the DFW is a kernel module.
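To make the difference between "allow any any" and a port-restricted policy for the domain controller tier concrete, here is an added example (not the poster's configuration and not NSX's rule engine): a first-match rule evaluator over constructed tier subnets and flows. The subnets, the group names, the AD port list and the flows are all assumptions chosen for illustration.

```python
"""First-match, default-deny rule evaluation for a domain-controller tier.

Added illustration; the tiers, subnets, ports and rules are constructed
assumptions, not the forum poster's DFW policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed security groups keyed by tier (assumed subnets).
GROUPS = {
    "web": ip_network("172.16.10.0/24"),
    "app": ip_network("172.16.20.0/24"),
    "db": ip_network("172.16.30.0/24"),
    "dc": ip_network("172.16.40.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str           # group name or "any"
    dst: str           # group name or "any"
    ports: frozenset   # destination ports; empty set means any port
    action: str        # "allow" or "deny"


def group_of(ip):
    """Map an address to its tier group, or None if it belongs to none."""
    addr = ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return None


def matches(rule, src, dst, port):
    if rule.src != "any" and group_of(src) != rule.src:
        return False
    if rule.dst != "any" and group_of(dst) != rule.dst:
        return False
    if rule.ports and port not in rule.ports:
        return False
    return True


def evaluate(rules, src, dst, port):
    """First matching rule wins; an implicit final rule denies everything."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"


# The "allow any any" option from the question: the DC accepts everything.
PERMISSIVE = [Rule("any", "dc", frozenset(), "allow")]

# Restricted option: only the directory ports the tiers need (assumed list).
AD_PORTS = frozenset({53, 88, 135, 389, 445, 636, 3268})
RESTRICTED = [
    Rule("web", "dc", AD_PORTS, "allow"),
    Rule("app", "dc", AD_PORTS, "allow"),
    Rule("db", "dc", AD_PORTS, "allow"),
    Rule("any", "dc", frozenset(), "deny"),   # explicit catch-all for the DC group
]


def compare(flows):
    """Return {flow: (permissive verdict, restricted verdict)} for constructed flows."""
    return {f: (evaluate(PERMISSIVE, *f), evaluate(RESTRICTED, *f)) for f in flows}


if __name__ == "__main__":
    sample = [
        ("172.16.10.5", "172.16.40.10", 88),     # web -> DC Kerberos
        ("172.16.10.5", "172.16.40.10", 3389),   # web -> DC RDP
        ("10.0.0.9", "172.16.40.10", 389),       # unknown source -> DC LDAP
    ]
    for flow, verdicts in compare(sample).items():
        print(flow, "permissive:", verdicts[0], "restricted:", verdicts[1])
```

The restricted set keeps the tiers' directory traffic working while management protocols to the DC from the application tiers, and anything from addresses outside the known groups, fall through to the explicit deny; with the permissive rule every one of those flows is allowed.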

Tags: VMware

Similar Questions

  • VNX 5300 file shared storage - connecting to Cisco UCS 6200 fabric interconnects

    Hello

    I'm designing a compute and shared storage solution to support

    • EMC VNX 5300 shared storage

      • Block
      • File - two Data Movers sharing 10GE i/o ports
    • Cisco UCS blade server platform
      • Cisco UCS 6248 fabric interconnects
      • Cisco UCS 5108 chassis

    I have a question about where to connect the Data Movers' 10GE i/o ports. Do I connect them to the Cisco UCS 6248 fabric interconnects, or to the IP network switch?

    Either is ok.

  • Port-channel problem between fabric interconnect and N7K vPC

    Hi all

    I have a problem with the port-channel uplink between the fabric interconnects and the N7K using vPC

    This is my network topology for the UCS deployment

    On the N7K I configured vPC for the red link and the green link. On fabric interconnect A I configured the port-channel with members Port 1 and Port 2; its uplink is the red link. On fabric interconnect B I configured the port-channel with members Port 1 and Port 2; its uplink is the green link.

    The port-channel interfaces on the N7K look good: each port-channel is up and has all its members. But on the fabric interconnects, when I look in UCS Manager, the status of the port-channel on fabric A and fabric B is down, with no more info than: no operational member. All the links are up and I have set the port-channel status to enabled in UCS Manager. When I look at the properties of Port 1 and Port 2 in the port-channel, I see the membership status is: individual. This means the port-channel is not up and has no members in this configuration. I want to use port-channel load balancing and have more bandwidth, 20 Gig, for the uplink. I don't understand why?

    Please help me solve this problem. I have attached screenshots of UCS Manager showing the status of the port-channel and the member ports.

    Can someone help me solve this problem, thanks a lot. If you need more details on the fault, please ask.

    Thank you

    Trung.

    Hello Nguyen,

    From the two N7Ks please collect:

    sh cdp nei

    sh run int X

    sh port-chan sum

    Thank you

    Matthew

  • vFoglight with Cisco UCS

    Hello all,
    We are looking at Cisco UCS for our ESX environment, and I was wondering if someone was running vFoglight with UCS and had problems.
    Or if someone from Quest/Vizioncore knows of any problem or of future integration planned with UCS.

    Thank you
    Craig Dieck

    Craig, I know of many clients running Cisco UCS with VMware and they are very happy. There is no known issue from the vFoglight perspective. vFoglight hardware monitoring is currently able to extract SNMP information from any platform. If you are looking for vFoglight to pull information from the physical ESX servers directly (not via SNMP) you will need to ask for a roadmap discussion with your local Quest representative.

    Inform the product manager of the platform you are using and what you want monitored and displayed...

  • AnyConnect + possible PSK (pre-shared key) as with the Cisco VPN client, IKEv1 and IKEv2

    Is it possible to create an AnyConnect RA VPN with just username and password + pre-shared key (group) for the connection, as could be done for IKEv1 with the Cisco VPN client? I am running 8.4.X ASA code and it looks like the tunnel-group commands have changed somewhat since 8.2.X. If you change the tunnel-group type to remote-access, there is no option for IKEv2 PSK. This is only available when you choose the type

    FW1(config)# tunnel-group TG_TEST type ?

    configure mode commands/options:
      ipsec-l2l      IPSec Site-to-Site group
      ipsec-ra       IPSec Remote Access group (DEPRECATED)
      remote-access  Remote access (IPSec and WebVPN) group
      webvpn         WebVPN Group (DEPRECATED)

    FW1(config-tunnel-general)# tunnel-group TG_TEST ipsec-attributes
    FW1(config-tunnel-ipsec)# ?

    tunnel-group configuration commands:
      authorization-required  Require users to authorize successfully in order to
                              connect (DEPRECATED)
      chain                   Enable issuing certificate chain
      exit                    Exit from tunnel-group IPSec attribute configuration
                              mode
      help                    Help for tunnel-group configuration commands
      ikev1                   Configure IKEv1
      isakmp                  Configure ISAKMP policy
      no                      Remove an attribute value pair
      peer-id-validate        Validate identity of the peer using the peer
                              certificate
      radius-with-expiry      Enable negotiation of password update during RADIUS
                              authentication (DEPRECATED)

    FW1(config-tunnel-ipsec)# ikev1 ?

    tunnel-group-ipsec mode commands/options:
      pre-shared-key  Associate a pre-shared key with the connection policy

    I'm getting old, so I hope this is not another curmudgeonly complaint about lost functionality. :)

    Many small businesses do not want to invest in PKI. It is usually a pain to deploy, back up, make redundant, etc.

    But it would be nice to have a bit more security on the VPN than just username and password logins.

    If this is not possible, is it possible to configure the AnyConnect client for IKEv1 with a PSK and group name at the client level?

    If this is not possible, WTH did Cisco end the Cisco VPN client as a VPN connection choice (other than to get more licensing money)?

    I really hope that something like this still exists!

    THX,

    WR

    You are welcome

    In addition to two-factor, you can also do double authentication (i.e. two sets of username and password). Each set of credentials can come from a different identity store.

    With this scheme, you can configure a local (common) username with password on the ASA (think of it as your analog of the PSK) and the other can be the AD user credentials.

  • Connectivity options between fabric interconnects and Nexus 2000

    Hello

    I would like to know which Nexus 2000 fabric extender models I can use if I want to connect them to a pair of 6248UP fabric interconnects in a FEX deployment, so I can move service profiles between blade and rack servers.

    Thanks for your replies.

    Christian

    Christian,

    Take a look at this guide.  It should answer all your questions:

    http://www.Cisco.com/en/us/customer/docs/unified_computing/UCS/c-series_integration/ucsm2.0.2/b_UCSM_202_C-integration.html

    Kind regards

    Robert

  • PEAP authentication with Cisco ACS 5.3 and a Lotus Notes DB

    Hello

    I want to authenticate wireless clients against usernames/passwords stored in a Lotus Notes database.

    Network: PEAP SSID -> access point -> WLAN controller 4404 -> ACS 5.3 -> Notes DB

    Is this possible?

    I can connect to LDAP and query the attributes and groups, but when I try to authenticate a user I always get the error "object not found in the identity store".

    Bind test succeeds (>100 groups and >100 subjects.)

    EAP-MSCHAPv2 is not supported with LDAP by ACS

    You can use EAP-GTC

    You need a supplicant that supports PEAP (EAP-GTC)

    such as ADU, Intel PROSet, CSSC, Cisco AnyConnect,... you can google for a list of supplicants

    Open a new thread for the Apple case

    ------------------------------------------------------------------

    Be sure to rate the correct answers and mark this thread as answered

  • OpenSSL with the "Cisco VCS Certificate Creation and Use - Deployment Guide"

    Hi team,

    To prevent users from logging on to the VCS Expressway, we want to use OpenSSL (version 1.0.1p, 9 Jul 2015), but I am facing the following problem:

    1 - I can't run the command "touch index.txt".

    2 - I can't run the command "openssl genrsa -aes256 -out private/cakey.pem 4096"; when I run these commands I get "OpenSSL is not recognized".

    I did all the steps from the Cisco "VCS Certificate Creation and Use" guide.

    What could be the matter?

    Thanks for your advice.

    Kind regards

    Bill

    Already explained why touch does not work; simply create the .txt file through the Windows command line.

  • UCS fabric interconnects after failover (primary, subordinate)

    Dear team,

    After the failover from FI-A to FI-B, when we check the cluster state it shows FI-B as primary and FI-A as subordinate

    FI-A is now back online and HA shows as ready, but when we check the cluster state it still shows FI-B as primary and FI-A as subordinate

    Will FI-A return to primary on its own, or do we need to force the cluster lead from FI-B back to FI-A as primary again?

    Thanks and greetings

    Jose

    Hi Jose,

    Regarding the FI returning to primary again: the primary/subordinate role is purely from a management perspective and nothing else (both FIs forward traffic etc.). Therefore there is no problem having FI-B as primary or vice versa.

    On a side note, if you want to trigger a failover manually, you can do it from the CLI in the local-mgmt context of the primary FI:

    UCS-B# connect local-mgmt b
    UCS-B(local-mgmt)# cluster lead a

    Thanks,

    Shankar

  • BPDU guard and portfast on Nexus

    HW SW INFO:

    UCS B200MII

    Nexus 5K

    PVS 7.1

    7.1 XD

    http://support.Citrix.com/article/CTX123158

    According to this link, I need to enable portfast and disable BPDU guard on the Cisco and Nexus switches

    My friend argues there is no need to enable portfast because PVS and the Win7 VMs all use vNICs, so no user disconnects a physical NIC port.

    Is this true?

    If false, can I globally enable portfast and disable BPDU guard on the base switch and the Nexus?

    Thank you

    Sorry, I wasn't clear, see below

    Q1. No need to activate portfast because PVS and the Win7 VMs all use vNICs

    A. Your answer is Yes, meaning there is no need to enable portfast

    Yes, but if you do, it does nothing

    I am referring only to the network between the UCS fabric interconnects and the N5K

    See, for example: https://supportforums.Cisco.com/thread/2070841

    There is no spanning tree in UCS EHM running below your uplinks, so you can use PortFast safely.

    PortFast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc. to such an interface while portfast is enabled may cause temporary bridging loops.

    Please see this for establishing a vPC

    http://www.Cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/configuration_guide_c07-543563.html

    Q2. Can I globally enable portfast and disable BPDU guard on the base switch and the Nexus?

    According to my interpretation, there is no need to globally enable portfast and disable BPDU guard on the base switch and the Nexus

    Is your question about global or per-interface configuration? I would certainly do it per interface.

    How can I check whether end-host mode is in use on the FI or not?

    It is the default.

  • Cisco UCS B200 M4 compatible with 2100 FEX in UCS 5108 chassis & FI 6100?

    Hello

    Is the Cisco UCS B200 M4 blade server compatible with the 2100 FEX inside a Cisco UCS 5108 chassis with Cisco UCS 6100 fabric interconnects?

    The interop tool says clearly for the B200-M4:

    http://www.Cisco.com/Web/TechDoc/UCS/interoperability/matrix/matrix.html

    Note 14: The 2104XP fabric extender is not compatible when the 1240 and 1280, or the 1240 and VIC Port Expander, are combined on the same blade. Applies to the B200 M3 as well as the B420 M3 and B22 with the 1240 and adapter connector 2 populated

    or for the VIC 1340

    Note 38: 6100 series fabric interconnects and 2100 series fabric extenders are not supported

  • Use of appliance ports on the UCS fabric interconnects

    Hello everyone

    We have a new UCS with 2 fabric interconnects and I want to uplink the iSCSI NICs to an external, non-Cisco server. From what I read, it looks like using an appliance port is the way to go. However I noticed that the server port configuration does not see the VLANs already defined. The server communicates only with a SAN upstream on our main switch; if you define a VLAN separately on the appliance side, does this mean that if my server had to communicate with a Cisco blade, the traffic flows up to the base and then back down even though both are on the same VLAN? Just trying to understand it. Would it not be better to configure switch mode? I know that you lose some functionality with switch mode.

    Thank you

    Jason,

    I don't know if you've already read it, but here's the doc on appliance port connectivity.

    http://www.Cisco.com/c/en/us/support/docs/servers-unified-computing/UCS-...

    Thank you

    Saurabh

  • Cisco UCS components and software bug

    I was reading about the Cisco products affected by the software vulnerability in the following Cisco Security Advisory

    http://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/CIS...

    I couldn't find whether the products/components below are affected by this problem... can someone confirm whether these products/components are vulnerable?

    Cisco UCS Manager

    Cisco Integrated Management Controller (CIMC)

    Cisco UCS blade chassis

    TIA

    I agree that sentence is a bit off; note that the advisory talks about affected _products_ (or not), not specific _components_ of a product.

    UCS seems to be off the hook. Not affected are:

    • Cisco UCS B-Series (blade) servers
    • Cisco UCS C-Series (standalone rack) servers
    • Cisco UCS Central
    • Cisco UCS fabric interconnects
    • Cisco UCS Invicta series Solid State Systems

    CIMC and UCSM would be part of the FI or the B- or C-Series, etc.

  • How can I boot a Cisco UCS C220 M4 with the Cisco 12G SAS controller? Server 2012 UEFI installation issues

    First time with a Cisco UCS C220 M4, check my photos

    You have an 11TB VD.

    The only way to boot from this is by using UEFI.

    You need to activate UEFI in the boot order.

    Anything over 2 TB, and 4K sector size drives, require the UEFI boot option.

    BIOS will not handle the VDs that UEFI manages.

    Kirk...

    Summary for those with a similar question:

    • Customer created a large VD, 11TB
    • 2 TB and more, and 4K sector drives, require UEFI boot + GPT; cannot use legacy/MBR
    • To set the local HD boot option, reference the PCI-E slot the RAID controller is in (HBA slot in this case)
    • In UEFI mode, you can't mark a VD as "bootable/boot disk".
    • You will not see the VD/RAID controller appear in the 'real' boot order during the OS install.
    • Once the UEFI-compatible OS install is done, it creates a UEFI boot entry for the operating system, "Windows Boot Manager" in our case.
    • After the next reboot, if you check your boot order, you should see this UEFI OS boot manager entry.

  • Horizon View 3.5.0 and ThinApp v4.7 with Cisco ASA Smart Tunnel 9.3.3

    Hello

    The problem:

    Our Smart Tunnel technology doesn't seem to forward traffic to our new View client. I wonder what kind of configuration changes must be considered to enable such a connection. The error returned when looking up by host name is along the lines of hostname not found. When looking up by IP, the error is related to a time-out.

    Background information and specifications:

    We are in the process of upgrading our Connection Servers from 5.2 to 6.2. As part of the upgrade, we want to upgrade our Horizon clients to version 3.5.0. To make it easier for vendors and remote computers we also prefer to package our Horizon View Client with ThinApp 4.7.3. We currently have a Cisco ASA supporting an SSL VPN portal with "Smart Tunnel" technology. The ASA is currently on firmware 9.3.3 in production, but we have access to version 9.5 in test.

    Preferred connection scenario:

    User > PC > VMware View Client (ThinApp) > Cisco ASA Smart Tunnel > View Connection Server > Virtual Desktop

    .exe running on the ThinApp View client:

    It seems the ThinApp version of the View client is only launching vmware-view.exe.

    .exe running from the full/thick View client:

    vmware-view.exe

    -ftnlsv.exe

    -vmwsprrdpwks.exe

    -ftscanmgr.exe

    Is there something else to consider when configuring the ThinApp or thick View client to work with the Cisco SSL VPN portal and Smart Tunnel? Should we have the same ports configured in the View client as in the firewall that works with the SSL VPN portal port redirector functionality?

    We have not been able to find any documentation on how to properly configure Smart Tunnel to work with the new Horizon 3.5.2 client. A troubleshooting ticket with Cisco suggests that the Smart Tunnel feature may still not be compatible with this new Horizon (thin or thick) client. Currently we are looking at other options, because it is not clear whether Cisco will be able to give us confirmation or offer a solution without delaying our upgrade project. Maybe we stick with the previous VMware View Client version 5.4.0, which we know works with Smart Tunnel in some situations and with the port redirector in others.
