Category Archives: Networking

NSX – Create/configure Universal Logical Switches

In a cross-vCenter NSX deployment, you can create universal logical switches, which can span all vCenters. The transport zone type determines whether the new switch is a logical switch or a universal logical switch. When you add a logical switch to a universal transport zone, the logical switch is universal.

1. In the vSphere Web Client, navigate to Home > Networking & Security > Logical Switches.

2. Select the primary NSX Manager.

3. Click the New Logical Switch icon.


NSX – Create/manage Universal transport zones

Universal transport zones control the hosts that a universal logical switch can reach. A universal transport zone is created by the primary NSX Manager and is replicated to the secondary NSX Managers. Universal transport zones can span one or more vSphere clusters across the cross-vCenter NSX environment.

1. In vCenter, navigate to Home > Networking & Security > Installation and select the Logical Network Preparation tab.

2. Click Transport Zones and click the New Transport Zone icon.

3. Select Mark this object for universal synchronization.


NSX – Configure Universal segment ID pools

The universal segment ID pool specifies a range of identifiers used when building logical network segments. Cross-vCenter NSX deployments use a single universal segment ID pool to ensure that the universal logical switches' VXLAN network identifiers (VNIs) are consistent across all secondary NSX Managers.

The universal segment ID pool is defined once on the primary NSX Manager and then synced to all of the secondary NSX Managers. The size of the universal segment ID range controls the number of universal logical switches that can be created. Note that the universal segment ID range must not overlap the local segment ID range of any NSX Manager that you plan to use in the cross-vCenter NSX deployment. This example uses a high range to provide room for future growth.

1. In vCenter, navigate to Home > Networking & Security > Installation and select the Logical Network Preparation tab.


NSX – Configure NSX manager roles (Primary, Secondary, Standalone, Transit)

The primary NSX Manager runs the controller cluster. Additional NSX Managers are secondary. The controller cluster that is deployed by the primary NSX Manager is a shared object and is referred to as the universal controller cluster. Secondary NSX Managers automatically import the universal controller cluster. There can be one primary NSX Manager and up to seven secondary NSX Managers in a cross-vCenter NSX environment.

NSX Managers can have one of four roles:

  • Primary
  • Secondary
  • Standalone
  • Transit

The Primary, Secondary and Standalone roles are self-explanatory. The Transit role is assigned when a primary or secondary NSX Manager is changed to Standalone while universal objects still exist on it.

NSX – Add Layer 2 Bridging

You can create an L2 bridge between a logical switch and a VLAN, which enables you to migrate virtual workloads to physical devices with no impact on IP addresses. A logical network can leverage a physical L3 gateway and access existing physical networks and security resources by bridging the logical switch broadcast domain to the VLAN broadcast domain.

The L2 bridge runs on the host that has the NSX Edge logical router virtual machine. An L2 bridge instance maps to a single VLAN, but there can be multiple bridge instances. The logical router cannot be used as a gateway for devices connected to a bridge.

If High Availability is enabled on the Logical Router and the primary NSX Edge virtual machine goes down, the bridge is automatically moved over to the host with the secondary virtual machine. For this seamless migration to happen, a VLAN must have been configured on the host that has the secondary NSX Edge virtual machine.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double click a logical router.

NSX – Configure NAT services to provide access to services running on privately addressed virtual machines

NSX Edge provides network address translation (NAT) service to assign a public address to a computer or group of computers in a private network. Using this technology limits the number of public IP addresses that an organization or company must use, for economy and security purposes. You must configure NAT rules to provide access to services running on privately addressed virtual machines.

The NAT service configuration is separated into source NAT (SNAT) and destination NAT (DNAT) rules.

Below are two examples: the first is a DNAT rule and the second is an SNAT rule.

You create a destination NAT (DNAT) rule to translate the destination IP address of inbound traffic from a public address to a private address (or vice versa). The original (public) IP address must already have been added to the NSX Edge interface on which you want to add the rule.
