based on your requirements you need bridging between the VLAN and the Project Overlay segments. You have 2 main options:
2) Do bridging via the management plane API. This is not what we would like to see from a product perspective (the idea is that management APIs are deprecated and will be removed at some point), but if I put my Architect hat on, this is probably what I would do. An example is here:
https://blogs.vmware.com/networkvirtualization/2023/09/nsx-v2t-layer-2-bridging-with-nsx-t-projects.html/
I will be happy to discuss your specific customer project needs and challenges on a call. If interested, ping me on my email: name.lastname@broadcom.com.
Original Message:
Sent: Jul 29, 2024 08:45 AM
From: Rob Simons
Subject: Using vlans in a project
Hi Luca,
I've read the document and played with it a bit but in the document it states that:
"When a segment is shared with a project, it does not mean that the VMs, ports, and gateway interfaces on this segment are exposed to the project. In fact, the project does not have visibility into the segment ports, interfaces, and workload VMs of the shared segment. Therefore, project users cannot configure distributed firewall policies on the workload VMs that are connected to the shared segment."
I can view the shared segment in the segments overview from within the project and its associated port groups. I cannot add a VM or port group to a security group, which is correct according to the document.
The vlan which is shared with the project is reachable through a service interface, which means that it's behind a L3 hop from a network perspective. This means I cannot share VMs and bare metal servers on the same segment which was my original intent. Since it's (from project perspective) behind a L3 hop it makes sense that DFW cannot be applied either. However I do need a mix of DFW and bare metal in the same segment since that's what the source environment uses.
Back to the drawing board it seems.
Regards,
Rob.
Original Message:
Sent: Jul 28, 2024 06:02 AM
From: Luca Camarda
Subject: Using vlans in a project
Hi Rob,
the way we designed the NSX multi-tenancy feature assumed that project admins do not have control over the physical infrastructure, which is why the lifecycle of VLAN networks is not part of the capabilities allowed within a project or a VPC. That said, your use case is valid: a tenant (mapped to an NSX project) may have virtual and physical workloads. The way we thought to cover this use case is via the sharing feature:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1.html#GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1
The enterprise admin can create VLAN segments and share them with a project; the project admin can then interconnect that VLAN to a Tier-1 gateway service interface so that the T1 is the gateway for the server. This way the project admin has a way to control the routing and gateway firewall for the physical server without the risk of impacting the physical fabric, which should remain under the control of the provider.
Original Message:
Sent: Jul 26, 2024 07:03 PM
From: Rob Simons
Subject: Using vlans in a project
Hi,
When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.
However, I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same VLANs, which are extended into NSX through VLAN segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our environment and want to put this customer in a project space. Since there are also bare metal servers that are connected to the same VLAN/IP segment, I'd like to use a VLAN segment.
This is however not possible in a project space.
In the default space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.
In both the default space as well as a project space you can give an overlay segment a VLAN ID. In the default space you can also set an edge bridge and VLAN on an overlay segment. In the project space there is no option to assign an edge bridge and VLAN to a segment.
When I assign a VLAN ID to an (overlay) segment in a project, I see in the topology overview that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the VLAN.
How should we configure a project overlay segment so it behaves as a regular VLAN? Is a Tier-1 gateway necessary when using the overlay as a VLAN? I can imagine that we assign the Tier-1 gateway some unused IP in the same segment so as not to be in the way of traffic to the physical gateway.
I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everything in the default space.
Thanks,
Rob.