VMware NSX

Hi,

When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.

However I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same vlan's which are extended into NSX through vlan segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our enviroment and want to put this customer in a project space.  Since there are also bare metal servers that are connected to the same vlan/IP segment, I'd like to use a vlan segment.

This is however not possible in a project space. 

In the default  space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.

In both the default space as well as a project space you can give an overlay segment a vlan ID. In the default space you can also set an edge bridge and vlan on an overlay segment. In the project space there is no option to assign a edge bride and vlan to a segment. 

When I assign a vlan ID to a (overlay) segment in a project I see in the topology overview I see that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the vlan.

How should we configure a project overlay segment so it behaves as a regular vlan?  Is a tier-1 gateway necessary when using the overlay as a vlan?  I can imagine that we assign the tier-1 gateway some unused IP in the same segment so as to not be in the way of traffic to the physical gateway.

I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everyting in the default space. 

Thanks,

Rob.

Hi Rob,

Did you actually check in the Docs what features are supported with the (rather new) Projects feature of NSX?

search for "NSX Projects" -> https://docs.vmware.com/en/VMware-NSX/4.2/administration/GUID-52180BC5-A1AB-4BC2-B1CE-666292505317.html

my eyes directly see a link there called "Features Available for Consumption Under NSX Projects" -> https://docs.vmware.com/en/VMware-NSX/4.2/administration/GUID-65FF7290-B739-4A0B-9C08-F3CDADF4D7A9.html

So - no VLANs supported for your workloads in Projects, in no way. Maybe sometime in the future (I have absolutely no clue in that regard), but IMHO VLANs are contradictory to the concept of Multitenancy resp. Projects, besides the general idea of NSX and Overlay Networking.

BR
Steffen

Hi,

When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.

However I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same vlan's which are extended into NSX through vlan segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our enviroment and want to put this customer in a project space.  Since there are also bare metal servers that are connected to the same vlan/IP segment, I'd like to use a vlan segment.

This is however not possible in a project space. 

In the default  space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.

In both the default space as well as a project space you can give an overlay segment a vlan ID. In the default space you can also set an edge bridge and vlan on an overlay segment. In the project space there is no option to assign a edge bride and vlan to a segment. 

When I assign a vlan ID to a (overlay) segment in a project I see in the topology overview I see that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the vlan.

How should we configure a project overlay segment so it behaves as a regular vlan?  Is a tier-1 gateway necessary when using the overlay as a vlan?  I can imagine that we assign the tier-1 gateway some unused IP in the same segment so as to not be in the way of traffic to the physical gateway.

I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everyting in the default space. 

Thanks,

Rob.

HI Steffen,

I agree and already stated that it makes perfect sense to use overlay network only within the projects, however I also think that one of the reasons for using an on premise cloud solution is to be more flexible as to what is or isn't possible with 'cloud' technologies. In our case we'e severely limited due to an already existing single use (all in default) implementation of NSX which we need to move into our (new) multi tenant NSX environment.  Only vlans sengemts, DFW and  so used on local managers, we therefore need to copy the config throug scripts. Groups have dynamic memberships based on VM tags which will be lost when moving the VM to the new NSX environment. We solved most of the issues now with some scripts but are forced to move this customer into the default space which we don't really want to so.  Converting everything to overlay segments introduces additional complexity and risk so we really don't want to do that right now.  When the entire customer is placed in a project (tenant) and we control all VMs and segments and routers it will be far easier to do a segment conversion for those segments where the tenant need the control of their own segments.

Thanks for the links, and yes I did read loads of documentation but as you already stated it's quite new and I wanted to make sure I didn't miss anything since it does sound as something that should/might be possible in an on premise setup.

Kind Regards,

Rob.

Hi Rob,

Did you actually check in the Docs what features are supported with the (rather new) Projects feature of NSX?

search for "NSX Projects" -> https://docs.vmware.com/en/VMware-NSX/4.2/administration/GUID-52180BC5-A1AB-4BC2-B1CE-666292505317.html

my eyes directly see a link there called "Features Available for Consumption Under NSX Projects" -> https://docs.vmware.com/en/VMware-NSX/4.2/administration/GUID-65FF7290-B739-4A0B-9C08-F3CDADF4D7A9.html

So - no VLANs supported for your workloads in Projects, in no way. Maybe sometime in the future (I have absolutely no clue in that regard), but IMHO VLANs are contradictory to the concept of Multitenancy resp. Projects, besides the general idea of NSX and Overlay Networking.

BR
Steffen

Hi,

When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.

However I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same vlan's which are extended into NSX through vlan segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our enviroment and want to put this customer in a project space.  Since there are also bare metal servers that are connected to the same vlan/IP segment, I'd like to use a vlan segment.

This is however not possible in a project space. 

In the default  space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.

In both the default space as well as a project space you can give an overlay segment a vlan ID. In the default space you can also set an edge bridge and vlan on an overlay segment. In the project space there is no option to assign a edge bride and vlan to a segment. 

When I assign a vlan ID to a (overlay) segment in a project I see in the topology overview I see that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the vlan.

How should we configure a project overlay segment so it behaves as a regular vlan?  Is a tier-1 gateway necessary when using the overlay as a vlan?  I can imagine that we assign the tier-1 gateway some unused IP in the same segment so as to not be in the way of traffic to the physical gateway.

I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everyting in the default space. 

Thanks,

Rob.

HI Steffen,

I agree and already stated that it makes perfect sense to use overlay network only within the projects, however I also think that one of the reasons for using an on premise cloud solution is to be more flexible as to what is or isn't possible with 'cloud' technologies. In our case we'e severely limited due to an already existing single use (all in default) implementation of NSX which we need to move into our (new) multi tenant NSX environment.  Only vlans sengemts, DFW and  so used on local managers, we therefore need to copy the config throug scripts. Groups have dynamic memberships based on VM tags which will be lost when moving the VM to the new NSX environment. We solved most of the issues now with some scripts but are forced to move this customer into the default space which we don't really want to so.  Converting everything to overlay segments introduces additional complexity and risk so we really don't want to do that right now.  When the entire customer is placed in a project (tenant) and we control all VMs and segments and routers it will be far easier to do a segment conversion for those segments where the tenant need the control of their own segments.

Thanks for the links, and yes I did read loads of documentation but as you already stated it's quite new and I wanted to make sure I didn't miss anything since it does sound as something that should/might be possible in an on premise setup.

Kind Regards,

Rob.

Hi Rob,

Did you actually check in the Docs what features are supported with the (rather new) Projects feature of NSX?

search for "NSX Projects" -> https://docs.vmware.com/en/VMware-NSX/4.2/administration/GUID-52180BC5-A1AB-4BC2-B1CE-666292505317.html

my eyes directly see a link there called "Features Available for Consumption Under NSX Projects" -> https://docs.vmware.com/en/VMware-NSX/4.2/administration/GUID-65FF7290-B739-4A0B-9C08-F3CDADF4D7A9.html

So - no VLANs supported for your workloads in Projects, in no way. Maybe sometime in the future (I have absolutely no clue in that regard), but IMHO VLANs are contradictory to the concept of Multitenancy resp. Projects, besides the general idea of NSX and Overlay Networking.

BR
Steffen

Hi,

When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.

However I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same vlan's which are extended into NSX through vlan segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our enviroment and want to put this customer in a project space.  Since there are also bare metal servers that are connected to the same vlan/IP segment, I'd like to use a vlan segment.

This is however not possible in a project space. 

In the default  space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.

In both the default space as well as a project space you can give an overlay segment a vlan ID. In the default space you can also set an edge bridge and vlan on an overlay segment. In the project space there is no option to assign a edge bride and vlan to a segment. 

When I assign a vlan ID to a (overlay) segment in a project I see in the topology overview I see that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the vlan.

How should we configure a project overlay segment so it behaves as a regular vlan?  Is a tier-1 gateway necessary when using the overlay as a vlan?  I can imagine that we assign the tier-1 gateway some unused IP in the same segment so as to not be in the way of traffic to the physical gateway.

I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everyting in the default space. 

Thanks,

Rob.

Hi,

When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.

However I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same vlan's which are extended into NSX through vlan segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our enviroment and want to put this customer in a project space.  Since there are also bare metal servers that are connected to the same vlan/IP segment, I'd like to use a vlan segment.

This is however not possible in a project space. 

In the default  space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.

In both the default space as well as a project space you can give an overlay segment a vlan ID. In the default space you can also set an edge bridge and vlan on an overlay segment. In the project space there is no option to assign a edge bride and vlan to a segment. 

When I assign a vlan ID to a (overlay) segment in a project I see in the topology overview I see that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the vlan.

How should we configure a project overlay segment so it behaves as a regular vlan?  Is a tier-1 gateway necessary when using the overlay as a vlan?  I can imagine that we assign the tier-1 gateway some unused IP in the same segment so as to not be in the way of traffic to the physical gateway.

I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everyting in the default space. 

Thanks,

Rob.

Hi Rob,

the way we designed the NSX muti-tenancy feature assumed that project admins do not have control over the physical infrastructure, which is why the lifecycle of VLAN networks is not part of the capabilities allowed within a project or a VPC. That said your use case is valid, a tenant ( mapped to an NSX project ) may have virtual and physical workloads. The way we thought to cover this use case is via the sharing feature:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1.html#GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1

The enterprise admin can create VLAN segments and share them with a project, the project admin can then interconnect that VLAN to a Tier-1 gateway service interface so that the T1  is the gateway for the server. This way the project admin has a way to control the routing and gateway firewall for the physical server without the risk impacting the physical fabric that should remain under the control of the provider.

Hi,

When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.

However I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same vlan's which are extended into NSX through vlan segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our enviroment and want to put this customer in a project space.  Since there are also bare metal servers that are connected to the same vlan/IP segment, I'd like to use a vlan segment.

This is however not possible in a project space. 

In the default  space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.

In both the default space as well as a project space you can give an overlay segment a vlan ID. In the default space you can also set an edge bridge and vlan on an overlay segment. In the project space there is no option to assign a edge bride and vlan to a segment. 

When I assign a vlan ID to a (overlay) segment in a project I see in the topology overview I see that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the vlan.

How should we configure a project overlay segment so it behaves as a regular vlan?  Is a tier-1 gateway necessary when using the overlay as a vlan?  I can imagine that we assign the tier-1 gateway some unused IP in the same segment so as to not be in the way of traffic to the physical gateway.

I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everyting in the default space. 

Thanks,

Rob.

Hi Rob,

the way we designed the NSX muti-tenancy feature assumed that project admins do not have control over the physical infrastructure, which is why the lifecycle of VLAN networks is not part of the capabilities allowed within a project or a VPC. That said your use case is valid, a tenant ( mapped to an NSX project ) may have virtual and physical workloads. The way we thought to cover this use case is via the sharing feature:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1.html#GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1

The enterprise admin can create VLAN segments and share them with a project, the project admin can then interconnect that VLAN to a Tier-1 gateway service interface so that the T1  is the gateway for the server. This way the project admin has a way to control the routing and gateway firewall for the physical server without the risk impacting the physical fabric that should remain under the control of the provider.

Hi,

When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.

However I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same vlan's which are extended into NSX through vlan segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our enviroment and want to put this customer in a project space.  Since there are also bare metal servers that are connected to the same vlan/IP segment, I'd like to use a vlan segment.

This is however not possible in a project space. 

In the default  space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.

In both the default space as well as a project space you can give an overlay segment a vlan ID. In the default space you can also set an edge bridge and vlan on an overlay segment. In the project space there is no option to assign a edge bride and vlan to a segment. 

When I assign a vlan ID to a (overlay) segment in a project I see in the topology overview I see that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the vlan.

How should we configure a project overlay segment so it behaves as a regular vlan?  Is a tier-1 gateway necessary when using the overlay as a vlan?  I can imagine that we assign the tier-1 gateway some unused IP in the same segment so as to not be in the way of traffic to the physical gateway.

I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everyting in the default space. 

Thanks,

Rob.

Hi Rob,

the way we designed the NSX muti-tenancy feature assumed that project admins do not have control over the physical infrastructure, which is why the lifecycle of VLAN networks is not part of the capabilities allowed within a project or a VPC. That said your use case is valid, a tenant ( mapped to an NSX project ) may have virtual and physical workloads. The way we thought to cover this use case is via the sharing feature:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1.html#GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1

The enterprise admin can create VLAN segments and share them with a project, the project admin can then interconnect that VLAN to a Tier-1 gateway service interface so that the T1  is the gateway for the server. This way the project admin has a way to control the routing and gateway firewall for the physical server without the risk impacting the physical fabric that should remain under the control of the provider.

Hi,

When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.

However I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same vlan's which are extended into NSX through vlan segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our enviroment and want to put this customer in a project space.  Since there are also bare metal servers that are connected to the same vlan/IP segment, I'd like to use a vlan segment.

This is however not possible in a project space. 

In the default  space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.

In both the default space as well as a project space you can give an overlay segment a vlan ID. In the default space you can also set an edge bridge and vlan on an overlay segment. In the project space there is no option to assign a edge bride and vlan to a segment. 

When I assign a vlan ID to a (overlay) segment in a project I see in the topology overview I see that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the vlan.

How should we configure a project overlay segment so it behaves as a regular vlan?  Is a tier-1 gateway necessary when using the overlay as a vlan?  I can imagine that we assign the tier-1 gateway some unused IP in the same segment so as to not be in the way of traffic to the physical gateway.

I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everyting in the default space. 

Thanks,

Rob.

Hi Luca, 

I've read the document and played with it a bit but in the document it states that:

"When a segment is shared with a project, it does not mean that the VMs, ports, and gateway interfaces on this segment are exposed to the project. In fact, the project does not have visibility into the segment ports, interfaces, and workload VMs of the shared segment. Therefore, project users cannot configure distributed firewall policies on the workload VMs that are connected to the shared segment."

I can view the shared segment in the segments overview from within the project and it's associated port groups.  I cannot add a VM or portgroup to a security group which is correct according to the document.

The vlan which is shared with the project is reachable through a service interface, which means that it's behind a L3 hop from a network perspective.  This means I cannot share VMs and bare metal servers on the same segment which was my original intent. Since it's (from project perspective) behind a L3 hop it makes sense that DFW cannot be applied either. However I do need a mix of DFW and bare metal in the same segment since that's what the source environment uses.

Back to the drawing board it seems. 

Regards,
Rob.

Hi Rob,

the way we designed the NSX muti-tenancy feature assumed that project admins do not have control over the physical infrastructure, which is why the lifecycle of VLAN networks is not part of the capabilities allowed within a project or a VPC. That said your use case is valid, a tenant ( mapped to an NSX project ) may have virtual and physical workloads. The way we thought to cover this use case is via the sharing feature:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1.html#GUID-F17B20A0-12B8-483A-AE54-75AC580F57F1

The enterprise admin can create VLAN segments and share them with a project, the project admin can then interconnect that VLAN to a Tier-1 gateway service interface so that the T1  is the gateway for the server. This way the project admin has a way to control the routing and gateway firewall for the physical server without the risk impacting the physical fabric that should remain under the control of the provider.

Hi,

When creating a project there is only a single transport zone available which is the default transport zone for the project. That transport zone needs to be an overlay transport zone. This is understandable.

However I have a customer which I want to add to a separate project space in NSX (a tenant). This customer has VMs mixed with physical equipment on the same vlan's which are extended into NSX through vlan segments in their dedicated NSX environment. We need to migrate this setup to a tenant in our enviroment and want to put this customer in a project space.  Since there are also bare metal servers that are connected to the same vlan/IP segment, I'd like to use a vlan segment.

This is however not possible in a project space. 

In the default  space it is possible to use vlan transport zones and vlan segments but we prefer not to put the customer in the default space.

In both the default space as well as a project space you can give an overlay segment a vlan ID. In the default space you can also set an edge bridge and vlan on an overlay segment. In the project space there is no option to assign a edge bride and vlan to a segment. 

When I assign a vlan ID to a (overlay) segment in a project I see in the topology overview I see that 'Traffic Type' is changed from "Overlay" to "VLAN". There is however no communication possible from and to the vlan.

How should we configure a project overlay segment so it behaves as a regular vlan?  Is a tier-1 gateway necessary when using the overlay as a vlan?  I can imagine that we assign the tier-1 gateway some unused IP in the same segment so as to not be in the way of traffic to the physical gateway.

I know that this is not quite how it's supposed to be used, but it's a lot better as an in-between solution than placing everyting in the default space. 

Thanks,

Rob.