This article describes the rules that apply when deploying NSX-T Edges as virtual appliances and shows the supported deployment scenarios.
First, a short overview of the three deployment scenarios:
- NSX-T Edge appliance on NSX-T prepared host with just N-VDS
- NSX-T Edge appliance on NSX-T prepared host with VDS and N-VDS
- NSX-T Edge appliance on different vSphere cluster not prepared for NSX-T
These three scenarios are described in more detail below.
NSX-T Edge appliance on NSX-T prepared host with just N-VDS
In some environments you do not have enough hosts to build more than one vSphere cluster, let alone dedicated physical NSX-T Edge nodes.
Furthermore, the hosts in the available cluster do not have enough physical uplinks towards the TOR switches to run a VDS and an N-VDS side by side.
In this case you can migrate all workload and management traffic from the VDS to the N-VDS.
Let's summarize the situation:
- For example: a cluster with three hosts
- Each host with two uplinks
- All uplinks bound to the N-VDS, no uplinks left for an additional VDS
To deploy an NSX-T Edge appliance under these circumstances you need to separate the VLAN segments used for the TEP networks.
You need one VLAN segment for the TEP network of the ESXi hosts and a separate VLAN segment for the TEP network of the Edges.
The separation is necessary because the Edge appliance runs as a VM on the ESXi host and is connected to the N-VDS in the host's kernel.
If the ESXi host and the Edge appliance share the same TEP VLAN segment, the host cannot forward TEP traffic to the Edge appliance.
With separate TEP networks the ESXi host can route the traffic towards the Edge appliance's TEP address.
You also need to ensure that the MTU is large enough within both VLAN segments and on the routed path between them.
The reason is that all traffic between the ESXi hosts and the Edges is routed, and the routing device must not fragment the overlay (GENEVE) traffic.
NSX-T Edge appliance on NSX-T prepared host with VDS and N-VDS
If you have four or more uplinks per host, you can separate management and workload traffic: a VDS for management traffic and an N-VDS for workloads, each connected to two uplinks.
Let's summarize the situation:
- For example: a cluster with three hosts
- Each host with four uplinks
- Two uplinks connected to the VDS
- Two uplinks connected to the N-VDS
For the Edge appliance deployment you still need a separate TEP VLAN, because the Edge appliance is still located on an NSX-prepared ESXi host.
The network separation lets the host distinguish which TEP traffic is sent to which destination (Edge or ESXi).
The difference from the first scenario is the separation of management and workload traffic, which is an advantage under the following circumstances:
- Backup consumes a lot of bandwidth: backup traffic can be placed on the uplinks used for management traffic instead of consuming workload bandwidth.
- Workload outage: under some circumstances NSX may run into problems and communication through the N-VDS is disrupted. In this scenario you still have access to the management network, since it is separated from the workload traffic and the N-VDS, so NSX problems do not affect management traffic.
NSX-T Edge appliance on different vSphere cluster not prepared for NSX-T
The most powerful Edge deployment scenario is to use dedicated physical hosts installed as an “Edge Cluster”, but depending on your use case this is sometimes too expensive. In that case the next best option is to place the Edge appliance on a separate vSphere cluster that is not prepared for NSX. This brings the following advantages:
- The TEP VLAN can be the same for the Edges and the NSX-prepared ESXi hosts, because the Edges are located on ESXi hosts that are not members of any TEP network.
- An MTU of 1600 bytes or higher is only needed at L2, because TEP traffic stays inside one VLAN.
- Traffic from the Edges to the physical environment and the internet uses different uplinks and does not consume bandwidth of the east-west traffic.
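The three scenarios above boil down to a handful of placement rules: an Edge VM on an NSX-prepared host needs its own TEP VLAN, every TEP segment (and the router between two TEP segments) needs an MTU of at least 1600 bytes, and only an Edge on a cluster that is not NSX-prepared may share the host TEP VLAN. The following checker is an added example, not code from this article or from VMware; it encodes those rules and runs them against constructed sample deployments, one per scenario plus one misconfiguration. All hostnames, VLAN IDs and MTU values are made up, and the scenario labels returned by `classify` are the example's own.

```python
"""Checker for the NSX-T Edge appliance placement rules described in the article.

Added example, not the article's or VMware's code. It encodes three rules:
  1. An Edge VM on an NSX-prepared host must use a TEP VLAN different from the host TEP VLAN.
  2. Every TEP segment must carry an MTU of at least 1600 bytes (GENEVE must not be fragmented).
  3. With two TEP VLANs, host<->Edge overlay traffic is routed, so the routed path needs the same MTU.
All VLAN IDs, MTU values and deployment names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Figure used in the article. GENEVE adds outer Ethernet (14) + IPv4 (20) + UDP (8)
# + GENEVE base header (8) = 50 bytes to a 1500-byte inner frame, before options.
MIN_TEP_MTU = 1600


@dataclass(frozen=True)
class Segment:
    vlan: int
    mtu: int


@dataclass(frozen=True)
class EdgeDeployment:
    name: str
    edge_host_nsx_prepared: bool   # does the Edge VM run on an NSX-T prepared ESXi host?
    host_uplinks: int              # physical uplinks per ESXi host in the Edge's cluster
    uplinks_on_nvds: int           # how many of those uplinks are bound to the N-VDS
    host_tep: Segment              # TEP segment of the NSX-prepared ESXi hosts
    edge_tep: Segment              # TEP segment of the Edge appliances
    inter_tep_mtu: Optional[int] = None  # MTU on the router between the TEP VLANs, if they differ


def classify(d: EdgeDeployment) -> str:
    """Map a deployment onto one of the article's three scenarios (labels are ours)."""
    if not d.edge_host_nsx_prepared:
        return "edge-on-unprepared-cluster"
    if d.uplinks_on_nvds >= d.host_uplinks:
        return "nvds-only"
    return "vds-plus-nvds"


def validate(d: EdgeDeployment) -> List[str]:
    """Return a list of findings; an empty list means the placement follows the rules."""
    findings: List[str] = []
    same_vlan = d.host_tep.vlan == d.edge_tep.vlan

    if d.uplinks_on_nvds > d.host_uplinks:
        findings.append(f"{d.uplinks_on_nvds} uplinks on N-VDS but only {d.host_uplinks} physical uplinks")

    # Rule 1: the host's N-VDS cannot forward TEP traffic to an Edge VM on its own TEP segment.
    if d.edge_host_nsx_prepared and same_vlan:
        findings.append(f"Edge TEP VLAN {d.edge_tep.vlan} equals host TEP VLAN; use a separate VLAN")

    # Rule 2: every TEP segment needs the overlay MTU.
    for label, seg in (("host TEP", d.host_tep), ("Edge TEP", d.edge_tep)):
        if seg.mtu < MIN_TEP_MTU:
            findings.append(f"{label} VLAN {seg.vlan} MTU {seg.mtu} is below {MIN_TEP_MTU}")

    # Rule 3: two TEP VLANs means routed overlay traffic; the router must not fragment it.
    if not same_vlan:
        if d.inter_tep_mtu is None:
            findings.append("two TEP VLANs but no MTU recorded for the routed path between them")
        elif d.inter_tep_mtu < MIN_TEP_MTU:
            findings.append(f"routed path between TEP VLANs has MTU {d.inter_tep_mtu}, below {MIN_TEP_MTU}")
    return findings


# Constructed sample deployments: one per scenario, plus a shared-TEP misconfiguration.
SCENARIO_1 = EdgeDeployment("nvds-only-ok", True, 2, 2, Segment(110, 9000), Segment(120, 9000), inter_tep_mtu=9000)
SCENARIO_1_BAD = EdgeDeployment("nvds-only-shared-tep", True, 2, 2, Segment(110, 9000), Segment(110, 9000))
SCENARIO_2 = EdgeDeployment("vds-plus-nvds-router-mtu", True, 4, 2, Segment(110, 9000), Segment(120, 9000), inter_tep_mtu=1500)
SCENARIO_3 = EdgeDeployment("edge-cluster-unprepared", False, 2, 0, Segment(110, 1600), Segment(110, 1600))

if __name__ == "__main__":
    for d in (SCENARIO_1, SCENARIO_1_BAD, SCENARIO_2, SCENARIO_3):
        print(f"{d.name} [{classify(d)}]: {validate(d) or 'ok'}")
```

Running it reports the shared TEP VLAN in the second deployment and the 1500-byte router MTU in the third, while the first and the unprepared-cluster placement pass; the same rules can be fed from an inventory export instead of the constructed records.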