Friday, November 1, 2019

NSX-T Layer 2 Bridging

Layer 2 Bridging

One important use case of layer 2 bridging is the migration of physical machines to virtual machines.
Here the same IP subnet is shared between virtual machines attached to an overlay (Geneve) segment and physical machines attached to a VLAN-backed distributed port group.

There will be times when certain physical machines cannot be virtualized. Layer 2 bridging can be used in such cases, where the physical machines need to keep layer 2 adjacency with virtual machines attached to a Geneve-backed segment in NSX-T.


Configuration for layer 2 bridging:

This lab uses hosts that are prepared for NSX-T, so there is an N-VDS on the compute hosts.
The setup uses a shared edge and compute cluster; the edge VMs are therefore hosted on a cluster prepared for NSX-T.

1. A dedicated edge node cluster is used in the lab for layer 2 bridging.
2. The Tier-0 Gateway uses separate edge transport nodes from the ones used for layer 2 bridging.
3. The figure below shows the connectivity of the edges dedicated to layer 2 bridging.
4. fp-eth2 is unused.
5. fp-eth0 is mapped to a trunk logical switch on the host N-VDS and carries the overlay (Geneve) traffic.
6. fp-eth1 carries the bridged VLAN and is backed by a distributed port group on the DVS.

Important Note:
The security settings of the distributed port group used for bridging must have:
a. Promiscuous mode enabled, so the edge vNIC receives frames addressed to the MAC addresses of the overlay VMs it bridges for.
b. Forged transmits enabled, so the edge vNIC can send frames with the source MAC addresses of those overlay VMs.
Because promiscuous mode lets every vNIC on that port group see all of its traffic, keep this port group dedicated to the fp-eth1 vNICs of the bridge edges and do not attach other VMs to it.
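As an added example (not code from the original post), the following PowerCLI snippet checks the security policy of the bridging port group, enables the two required settings if they are missing, and lists any VM other than the bridge edges that is attached to the port group. It assumes an existing Connect-VIServer session, the VMware.PowerCLI module, and placeholder names for the port group and edge VMs.

```powershell
# Added example: verify the distributed port group used for NSX-T layer 2 bridging.
# Assumes an active vCenter session (Connect-VIServer) and VMware.PowerCLI.
$BridgePortGroup = 'dvpg-bridge-vlan'          # placeholder name of the bridging port group
$BridgeEdgeVMs   = 'nsx-edge-5', 'nsx-edge-6'  # the edge VMs whose fp-eth1 uses it

$pg     = Get-VDPortgroup -Name $BridgePortGroup
$policy = $pg | Get-VDSecurityPolicy

# The bridge edge sends frames with the MACs of overlay VMs (forged transmits) and
# must receive frames addressed to those MACs (promiscuous mode).
if (-not ($policy.AllowPromiscuous -and $policy.ForgedTransmits)) {
    Write-Warning "$BridgePortGroup is missing promiscuous mode and/or forged transmits; fixing."
    $policy | Set-VDSecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true | Out-Null
}

# Promiscuous mode exposes all traffic on the port group to every vNIC attached to it,
# so nothing but the bridge edges' vNICs should live here. Report anything else.
$strangers = Get-VM | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -eq $BridgePortGroup -and $BridgeEdgeVMs -notcontains $_.Parent.Name } |
    Select-Object @{ n = 'VM'; e = { $_.Parent.Name } }, Name, NetworkName

if ($strangers) {
    Write-Warning "VMs other than the bridge edges are attached to ${BridgePortGroup}:"
    $strangers | Format-Table -AutoSize
} else {
    Write-Host "Only the bridge edges are attached to $BridgePortGroup."
}
```

Run it once after creating the port group and again after any DVS change; the Get-VM scan is the part that costs time in a large inventory, so scope it to the bridging cluster with Get-VM -Location if needed.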


Dedicated Edge Nodes for Layer 2 Bridging

NSX-T Logical Topology for Layer 2 Bridging Use Case


We will create a dedicated VLAN transport zone for layer 2 bridging.
This transport zone uses a new N-VDS; the N-VDS name in this lab is bridge.
The name of the N-VDS used for overlay traffic is ndvs.





Next, on the edges used for layer 2 bridging, we will ensure that there are two transport zones: one for overlay traffic and a second one for layer 2 bridging.

N-VDS Configuration for Overlay Traffic


N-VDS used for Bridging

Edges nsx-edge-5 and nsx-edge-6 are part of edge cluster dedicated for Layer 2 Bridging service.
This lab only involves the use case related to Layer 2 Bridging.




Two bridge profiles are created.
Bridge-Profile-1 has nsx-edge-5 as primary node.
Bridge-Profile-2 has nsx-edge-6 as primary node.
With this setup both edge nodes in the edge cluster actively bridge traffic, each for a different VLAN, instead of one node sitting idle as standby.
Preemption is also enabled to ensure that when the primary node recovers from a failure it becomes active again.



We have a Tier-1 Gateway in the lab setup with the segments Web and App attached to it.
Please note that this Tier-1 Gateway does not have an edge cluster associated with it: bridging is performed by the edge cluster selected in the bridge profile, not by the gateway.




The Advanced Networking and Security tab in the NSX-T Manager UI is used to map each bridge profile to the appropriate segment.

The Web segment is mapped to Bridge-Profile-1; VLAN ID 11 is used to bridge the Web segment.

The App segment is mapped to Bridge-Profile-2; VLAN ID 12 is used to bridge the App segment.


This completes the bridging configuration.
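The same configuration (two preemptive bridge profiles and the Web/App to VLAN 11/12 mappings), expressed as idempotent PATCH calls to the NSX-T Policy API instead of the Advanced Networking and Security UI used in the lab. This is an added example, not code from the original post. It assumes PowerShell 6 or later (for -SkipCertificateCheck), placeholder values for the manager FQDN, edge cluster, edge node indexes and VLAN transport zone ID, and the L2BridgeEndpointProfile and Segment.bridge_profiles field names of the Policy API, which you should check against the API reference for your NSX-T version.

```powershell
# Added example: NSX-T layer 2 bridging configuration via the Policy API.
# Assumptions: PowerShell 6+; all IDs/paths below are placeholders for this lab.
$Manager = 'nsxmgr.lab.local'                                    # placeholder FQDN
$Cred    = Get-Credential -Message 'NSX-T Manager credentials'
$Base    = "https://$Manager/policy/api/v1"
$Auth    = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
             "$($Cred.UserName):$($Cred.GetNetworkCredential().Password)"))
$Headers = @{ Authorization = "Basic $Auth"; 'Content-Type' = 'application/json' }

$EP          = '/infra/sites/default/enforcement-points/default'
$EdgeCluster = "$EP/edge-clusters/bridge-edge-cluster-id"         # placeholder edge cluster ID
$BridgeTZ    = "$EP/transport-zones/bridge-vlan-tz-id"            # placeholder VLAN TZ ID (N-VDS "bridge")

function Invoke-Nsx([string]$Method, [string]$Path, $Body) {
    $json = if ($Body) { $Body | ConvertTo-Json -Depth 8 } else { $null }
    Invoke-RestMethod -Method $Method -Uri "$Base$Path" -Headers $Headers `
        -Body $json -SkipCertificateCheck
}

# One profile per edge so both nodes bridge actively, each for its own VLAN.
# edge-nodes/0 and /1 are assumed to be the member indexes of nsx-edge-5 and nsx-edge-6;
# the first entry in edge_paths is the primary node.
$profiles = @{
    'Bridge-Profile-1' = @("$EdgeCluster/edge-nodes/0", "$EdgeCluster/edge-nodes/1")  # primary nsx-edge-5
    'Bridge-Profile-2' = @("$EdgeCluster/edge-nodes/1", "$EdgeCluster/edge-nodes/0")  # primary nsx-edge-6
}
foreach ($name in $profiles.Keys) {
    Invoke-Nsx PATCH "$EP/edge-bridge-profiles/$name" @{
        display_name  = $name
        edge_paths    = $profiles[$name]
        failover_mode = 'PREEMPTIVE'      # primary takes over again after it recovers
        ha_mode       = 'ACTIVE_STANDBY'
    } | Out-Null
}

# Map each overlay segment to its VLAN through the matching bridge profile.
$mappings = @(
    @{ segment = 'Web'; profile = 'Bridge-Profile-1'; vlan = '11' },
    @{ segment = 'App'; profile = 'Bridge-Profile-2'; vlan = '12' }
)
foreach ($m in $mappings) {
    Invoke-Nsx PATCH "/infra/segments/$($m.segment)" @{
        bridge_profiles = @(@{
            bridge_profile_path      = "$EP/edge-bridge-profiles/$($m.profile)"
            vlan_ids                 = @($m.vlan)
            vlan_transport_zone_path = $BridgeTZ
        })
    } | Out-Null
}

# Read the segments back to confirm the mapping that was applied.
foreach ($m in $mappings) {
    $seg = Invoke-Nsx GET "/infra/segments/$($m.segment)"
    $seg.bridge_profiles | Select-Object @{ n = 'segment'; e = { $m.segment } }, bridge_profile_path, vlan_ids
}
```

Because PATCH on a Policy object creates it when absent and updates it otherwise, the script can be re-run safely; replace the placeholder IDs with the values from your environment (GET on the edge-clusters and transport-zones collections under the same enforcement point lists them).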


 
Validation:
Next up is the validation part.
For validation, I will create a layer 3 interface on my physical router and assign it an IP address from the subnet that is being bridged.
This is for demo purposes only; in a production setup you will keep the gateway for the bridged subnet either on the physical router or on the Tier-1 Gateway, never on both at once, since two gateways with the same address on one layer 2 domain conflict.