Stage XXXIII: NSX-T

After the reconfiguration of my HomeLab workstation machine in Stage XXXII: Workstation Upgrade Again it was time to modify the Lab once again. I was using NSX-V for several years and now it was time to utilize NSX-T inside my environment:

NSX-T

I did not upgrade my NSX-V setup to NSX-T because I modified the server infrastructure and created new (vSAN) clusters. I did a Greenfield Installation….

Manager

I set up the first NSX-T Manager and deployed the other ones via the NSX-T Mgr Admin Page.

NSX-T Manager is resource-intensive….
We need three of these little monster VMs

Virtual IP

Next step was the Virtual IP configuration to fully utilize all the NSX-T Managers via one IP.

Easy configuration….

Compute Managers

Now it is time to add my vCenter as a Compute Manager within NSX-T:

Add all your vCenters….

Transport Zones

After the Compute Manager Configuration step, next one is the Transport Zone Creation:

I created two Transport Zones, one for the Overlay and one for the Edges (will be configured later)

Create an Overlay TZ
Also create an Edge Transport Zone

Host Transport Nodes

Next logical step is the Transport Node creation. Each ESXi host acts as a transport node within NSX-T. I have configured different uplink policies for my different ESXi host network configurations: some hosts have 2 x 10GbE, others 4 x 10GbE or 2 x 40GbE…..

Dual NSX-T vmnic uplink policy here

Edge Transport Nodes

Now it is time to deploy NSX-T Edges for your environment. Pretty straightforward process:

Edge Transport Nodes (2 for High Availability)
N-VDS Configuration for my Edges

Edge Cluster

Creating an Edge Cluster is very simple and should be done within seconds.

Simply select both Edges

Segments

Now we can create our network segments (port groups) within the NSX-T Manager. You can create segments for the Overlay or VLAN-based segments.

Create the segments you need

Tier 1

We have successfully configured the NSX-T environment including network segments. Now let’s integrate East-West Routing through Tier 1 Gateways:

Create your first Tier1, we need more later….
Segments linked to the newly created Tier 1 Gateway

Now we have a routed setup for VMs (East-West traffic).

Tier 0

What about North-South traffic? For that we need to configure a Tier-0 Gateway:

Tier-0 is linked to the Tier-1 Gateway
The Tier-0 GW has two uplinks, both Edges

Static Routes / USG

How can the physical environment communicate with the newly configured NSX-T setup? Via dynamic routing (BGP) or static routes. In my case: static routes.

Send every unknown packet to the two next hops, the Edges
Both Uplinks are configured

That is the NSX-T static route configuration, here is my physical static route setup on the Ubiquiti USG-XG-8:

Static routes for all NSX-T networks on my physical router

Load Balancer

The NSX-T setup is now up and running, time for some add-ons. I wanted a load balancer for my tiny App-DB-Webserver setup. First I created a new Tier-1 Gateway for the Load Balancing.

Link that Tier-1 GW also to Tier-0
Create a Load Balancer

I created one Load Balancer with two configurations: one for HTTPS and one for the HTTP redirect.

Virtual Server including SSL certificate
Server Pool Web with the virtual servers inside
One App profile and one redirect profile
Monitor option for the Server

Distributed Firewall

My last step was the Distributed Firewall configuration. I wanted to implement micro-segmentation. First step is to create Security Groups and add your VMs to them.

Create a group for each VM and a group for the whole stack (WebApp)

The final step is to configure the firewall rules and publish your setup to the transport nodes.

Allow only specific communication and block the rest
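To make the "allow only specific communication and block the rest" rule set concrete, here is an added Python example (not code from this post or from VMware) that builds the NSX-T Policy API JSON for the Web/App/DB stack and checks it before publishing. The group names, the default domain path and the predefined service paths are assumptions.

```python
"""Build an NSX-T Policy API security-policy payload for the App/DB/Web stack
and sanity-check that it allows only specific flows and drops the rest."""
import json

DOMAIN = "/infra/domains/default"   # assumed: default Policy API domain
# Assumed group paths: one group per VM plus one group for the whole WebApp stack.
WEB, APP, DB, STACK = (f"{DOMAIN}/groups/{g}" for g in ("web", "app", "db", "webapp"))
SVC = "/infra/services/"            # predefined service paths (names assumed)

def rule(name, seq, src, dst, services, action):
    """One DFW rule in Policy API shape, applied to the WebApp stack group."""
    return {"resource_type": "Rule", "display_name": name, "sequence_number": seq,
            "source_groups": src, "destination_groups": dst, "services": services,
            "action": action, "direction": "IN_OUT", "scope": [STACK]}

def build_policy():
    """Allow only the intended flows; the last rule is a catch-all DROP."""
    return {"resource_type": "SecurityPolicy", "display_name": "WebApp-Microseg",
            "category": "Application", "rules": [
        rule("Inbound HTTPS to Web", 10, ["ANY"], [WEB], [SVC + "HTTPS"], "ALLOW"),
        rule("Web to App", 20, [WEB], [APP], [SVC + "HTTP"], "ALLOW"),
        rule("App to DB", 30, [APP], [DB], [SVC + "MySQL"], "ALLOW"),
        rule("Default deny stack", 40, ["ANY"], ["ANY"], ["ANY"], "DROP")]}

def check_policy(policy):
    """Return a list of problems; empty means 'allow specific, block the rest' holds."""
    problems = []
    rules = sorted(policy["rules"], key=lambda r: r["sequence_number"])
    last = rules[-1]
    if not (last["action"] == "DROP" and last["source_groups"] == ["ANY"]
            and last["destination_groups"] == ["ANY"] and last["services"] == ["ANY"]):
        problems.append("last rule is not a catch-all DROP")
    for r in rules[:-1]:
        if r["action"] == "ALLOW" and r["services"] == ["ANY"]:
            problems.append(f"{r['display_name']}: ALLOW with service ANY")
        if (r["action"] == "ALLOW" and r["source_groups"] == ["ANY"]
                and r["destination_groups"] == ["ANY"]):
            problems.append(f"{r['display_name']}: ALLOW any-to-any")
    return problems

if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))       # body for PATCH .../security-policies/<id>
    print("problems:", check_policy(policy) or "none")
```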

Want to know more about NSX-T? Attend one of the amazing VMware LiveFire Trainings…

Stay tuned for my next #HomeLab stages… There are many more to come.

Here is the next one: Stage XXXIV: Site Recovery Manager: https://vcdx181.com/stage-xxxiv-site-recovery-manager/