I get this question all the time.
How do I migrate my existing VLAN backed workloads into NSX?
The answer is pretty simple but it has some design concerns. In order to explain the process let’s make some assumptions:
- You have two virtual machines (VM1, VM2)
- They are all on the same subnet that is backed by a VLAN 310
- The subnet assigned to the VLAN is 10.40.10.0/24
- Subnet 10.40.10.0/24 is routed by physical_router1
The environment is shown below:
Let’s assume that our NSX network is also built out at this time as follows:
- Edge Services gateway ESG_1 provides routing between physical and virtual using OSPF area 10 to peer with physical_router1
- ESG_1 connects to a distributed logical router (DLR_1)
- Virtual networks backed by VXLAN operate behind DLR_1
- The ESG is advertising for 10.60.10.0/24 running on VNI5000
The setup is visualized below:
Ok so how to do we get virtual machines on VLAN310 behind the DLR_1 so we can take advantage of all of the NSX routing advantages?
#1 Create a new destination network
Create a new logical switch which will be VNI5001 (assigned number by NSX) at this point don’t assign it a gateway on the DLR_1
Deploy a new ESG we will call ESG_2 with just management interfaces
#3 Create a bridge
Use ESG_2 to bridge VLAN310 and VNI5001. There a number of constraints with bridges which I will mention after the process steps.
#4 Test VNI5001
Put a test virtual machine into 10.40.10.0/24 on VNI5001 and test connectivity to VM1 and VM2.
#5 Move virtual machines into VNI5001
Switch the network interface for VM1 and VM2 into VNI5001. They will take a single ping interruption and should continue to work.
#6 Change routing
Here is the interruptive part. Currently routing to VM1 is going from physical_router1 to switch on VLAN310 through ESG_2 into VNI5001 not an ideal path. We need to switch 10.40.10.0/24 to be advertised by ESG_1. We can do this by removing ESG_2 (interrupts network to VM1 + VM2) and adding a gateway for 10.40.10.0/24 on the DLR_1 for VNI5001. ESG_1 will then advertise the new subnet to the physical_router1 assuming it’s accepted because the old route has been removed traffic will resume.
Bridge mode allows you to migrate into virtual networking with IP address changes. It does cause an interruption. One might wonder if you could not just run bridge mode forever. There are performance and latency concerns to consider with this plan.
Design considerations to bridge mode:
- An ESG used to provide a L2 bridge maps to a single VLAN so for each bridge you require a new ESG
- If the ESG fails anything on the virtual networking side will fail because it’s the single point to bridge
- Performance can be impacted all traffic crossing the bridge has to route into the ESG bridge then to the destination VM
- If redundancy beyond VMware HA is a concern active / passive ESG’s are supported
- L2 VLAN must be present on all ESXi hosts that may run the ESG with the bridge
So with some design considerations in the book this did not address VLAN’s with physical and virtual machines. A bridge can provide the functionality of communication between physical and virtual. This may seem like a good solution but it requires careful design and performance considerations. Single points of failure or configuration challenges on the physical network can cause the whole solution to fail.
You can read more about bridges on VMware’s documentation here.
© 2017, Joseph Griffiths. All rights reserved.