NSX-V to NSX-T Migration using Layer 2 Bridging
This blog will explore how we can migrate workloads which are on hosts prepared for NSX-V to hosts prepared for NSX-T using NSX-T Layer 2 Bridging.
 |
Cluster Setup
|
In the lab setup, four hosts ESXi 1 up to 4 are prepared for NSX-T and the remaining four hosts ESXi5 up to ESXi 8 are prepared for NSX-V
NSX-T edges used for Layer 2 bridging are on NSX-V prepared hosts.
 |
Logical Setup
|
The above is the logical setup used in this lab.
 |
IP Addressing
|
Above shows the IP addressing used in the lab.
 |
BGP AS Numbering
|
The above picture shows the BGP AS numbering used.
 |
BGP peerings
|
The above diagram shows the BGP peerings.
e-BGP peerings between NSX and the physical network.
i BGP between NSX-V edges and Distributed Logical Router.
There is no routing protocol between Tier 1 Gateway of NSX-T and Tier 0 Gateway upstream.
During migration, traffic flow will be through NSX-V edges which means that:
1. You can prefer not to advertise connected subnets on the Tier 1 Gateway
2. Or to keep BGP disabled on Tier 0 Gateway.
NSX-V Setup
 |
NSX-V Prepared Cluster
|
Above picture shows the four hosts prepared for NSX-V
 |
NSX-V Edges and DLR
|
The required NSX-V edges and DLR have been deployed.
 |
Workloads hosted on both clusters
|
 |
VM on VXLAN
|
One VM Windows 10-2 is hosted on this NSX-V prepared cluster.
We need to make sure that security settings of the port group (corresponding to the VXLAN being bridged) are set accordingly.
- Set promiscuous mode on the portgroup.
- Allow forged transmit on the portgroup.
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.5/administration/GUID-F133B293-5DEA-4DC8-99DB-6EF004C8D8D7.html
 |
Security settings of VXLAN backed port group
|
NSX-T Setup
 |
Overlay Transport Zone defined using REST API Client
|
To
ensure unique mac addresses are used on layer 3 interfaces of DLR and
Tier 1 Gateway respectively, ensure overlay transport zone in NSX-T is
defined as above with
 |
Compute host transport nodes prepared for NSX-T
|
 |
NSX-T Edges
|
nsx-edge-1 and nsx-edge-2 are NSX-T edges which are used for Layer 2 bridging.
These edges are placed on cluster prepared for NSX-V.
The remaining two edges nsx-edge-3 & nsx-edge-4 are used for Tier 0 Gateway.
 |
Edge used for L2 Bridging
|
Fast-path interfaces fp-eth0 and fp-eth1 on the edges used for Layer 2 bridging are used for Geneve traffic, they are uplinked to a trunk port group on VDS used for NSX-V preparation. This way all NSX traffic stays on this VDS which is also used for NSX-V host preparation.
 |
NSX-T Edge Clusters
|
 |
Tier 0 Gateway
|
 |
Tier 1 Gateway
|
 |
NSX-T Segment connected to Tier 1 Gateway
|
 |
Gateway set on NSX-T Segment
|
Validation of the setup
 |
VM on NSX-T Segment
|
 |
Reach ability between physical router loopback and both VMs
|
The above picture shows BGP peerings between the router and NSX-V edges.
At this stage, the BGP peerings between the physical routers and NSX-T edges are down/disabled.
Reason being that all workloads from NSX-V prepared hosts are not yet on NSX-T prepared hosts.
 |
Reach ability between VM on VXLAN to loopback of physical router
|
 |
| Reach ability between VM on NSX-T segment to loopback of physical router |
At this point, we know that Layer 2 bridging is working as intended and that the layer 2 bridge is forwarding traffic upstream.
 |
Traffic flow from VM on NSX-T Segment to loopback interface of physical router
|
Migration
Now we will migrate the VM which is on NSX-V prepared cluster to NSX-T prepared cluster.
With this, both the workloads will then be on NSX-T prepared cluster.
At this point of time, we need to ensure that workloads have Tier 1 Gateway as their gateway.
We will ensure BGP peerings between physical routers and NSX-T edges are now all up.
And disable the BGP peerings between physical routers and NSX-V edges
 |
Workloads migrated to NSX-T prepared cluster
|
Above picture shows that workloads have moved to NSX-T prepared cluster.
 |
After migration, traffic flow from physical router to VMs on NSX-T segment
|
From the physical router, we validate that BGP peerings with NSX-T edges are now up and those with NSX-V edges are down.
Traffic now starts flowing through NSX-T edges.
 |
VM on NSX-T Segment to loopback IP of physical router
|
 |
VM on NSX-T segment to loopback IP of physical router
|
 |
Traffic flow after migration
|
