NSX-T Lab: Segments


Welcome to Part 10 of the NSX-T Lab Series. In the previous post, we finally installed NSX-T on our compute host cluster.
Before we deploy the Edge nodes we will create our Segments/Logical Switches.

Why do you keep saying Segments/Logical Switches?

A Logical Switch is the NSX-V (and early NSX-T) name for the VXLAN/Geneve-backed network that a VM connects to.
In NSX-T 2.4 these are called Segments, so can we drop the Logical Switch name to avoid confusion?
Well, yes and no. A lot of the VMware documentation uses both names to describe the same thing. For the purpose of this post, a Segment is configured in the Networking tab and a Logical Switch is configured in the Advanced Networking tab.

Within the UI you will still see the terms Switches and Logical Switch, but only under the Advanced Networking & Security page.
However, you do not want to start creating the Segments/Logical Switches in there.
This difference in terminology and configuration location can be a tad confusing, but be aware that all configuration should be done in the Simplified UI, that is, the tabs to the left of Advanced Networking & Security.

There are only a few use cases that need the Advanced tab, and VMware are going to remove it in future releases; migrating a Logical Switch to a Segment will be a pain if you have a lot of VMs using them. The Advanced UI is shown below.

So what is a Segment?

A segment reproduces switching functionality in an NSX-T Data Center virtual environment and is completely decoupled from the underlying hardware.
Segments are similar to VLANs, in that they provide network connections to which you can attach VMs.
Each Segment forms a Layer 2 network, so the VMs assigned to a segment can communicate with each other over tunnels (the TEPs we set up in the last post) between hypervisors.
Each segment has a virtual network identifier (VNI), which is essentially the equivalent of a VLAN ID. Unlike traditional VLAN IDs, however, VNIs can scale into the millions.

A segment can be one of two types, Overlay or VLAN backed, and the type is determined by the transport zone it is connected to. I will show that later in the post. Remember, a transport zone defines the span of a Segment.

The build

From the Networking tab go to Segments and then hit ‘Add Segment’.
Give it a name.
Unlike NSX-V, the name you enter is what will appear on the N-VDS.
No longer do we have to deal with the massively long system generated name! Ignore the Uplink and Type section; we will configure that later.
Select the transport zone that the Segment will be a part of.
This one in my lab is the web segment for, you guessed it, my web servers. As they will use a Geneve network I need to set the transport zone to TZ-Overlay.
That's it, now click Save.

At this stage we don’t want to do any further configuration, so click ‘No’.

I’ll repeat the same process for my App network.

And my DB network.

Just as in NSX-V, creating a segment is very quick and simple. To see the NSX networks we can go to a host; the networks will be shown, funnily enough, under the Networks tab.
You won’t be able to see these networks in the vCenter networking section, since vCenter is not involved in managing or creating them, but they are viewable from the host.

I have a nice simple three tier app that I use for testing, consisting of two web servers, two app servers and a DB server.
So now that we have our segments we need to attach the VMs to them.
The process is the same on vSphere as it is for any other network.
Right click the VM and Edit Settings.

If needed, browse to the network and select it.

Save the changes, and repeat for any other VMs.

Now that I have my VMs connected to my Segments, I want to make sure they can ping each other. As mine is a nested lab, I need to ensure that the nested hosts are on different physical hosts and that VMs in the same segment are on different nested hosts. This proves that the VMs are using the TEPs to communicate across the physical network and that the Layer 2 segment is working.

So I ping from Web server 1 to Web server 2 and the ping works.
I can also do this test from App server 1 to App server 2.
I cannot, however, yet ping from segment to segment, i.e. web to app, as I will need to configure routing first; this is coming up in a couple of posts.

Now I also need some VLAN-backed segments to use with my Edge nodes' uplinks to the physical network.
I need two, so I name the first one UplinkA-LS.
The process is the same except this time I’ll pick the VLAN transport zones; for the first one I select TZ-VLANA.
It is important to note here that the VLAN ID is set to 0; this is because we are tagging at the port group on our Edge vDS.
I then repeat this for Uplink B and use the TZ-VLANB transport zone.
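The same build, for both the overlay segments above and the two VLAN-backed uplink segments, can be expressed as NSX-T Policy API calls instead of UI clicks. The following is an added example and not code from the original post or from VMware. It assumes the NSX-T 2.4+ Policy API endpoint PATCH /policy/api/v1/infra/segments/<segment-id>, placeholder transport zone UUIDs (look yours up under Fabric > Transport Zones), placeholder manager credentials, and the segment names Web, App, DB and UplinkB-LS, which the post does not spell out. The payload builder enforces the rule from the post that the transport zone decides the segment type: overlay segments carry no VLAN IDs, VLAN-backed segments must carry one (0 here, because tagging happens on the Edge vDS port group).

```python
"""Build (and optionally apply) NSX-T Policy API segment definitions for the lab.

Added example, not from the original post. Endpoint assumed:
PATCH https://<manager>/policy/api/v1/infra/segments/<segment-id>
"""
import json
from typing import Dict, List, Optional, Tuple

# Placeholder transport zone UUIDs (constructed for this example; replace with yours).
TZ_IDS = {
    "TZ-Overlay": "00000000-0000-0000-0000-00000000aaaa",
    "TZ-VLANA": "00000000-0000-0000-0000-00000000bbbb",
    "TZ-VLANB": "00000000-0000-0000-0000-00000000cccc",
}
# The transport zone type is what determines whether a segment is Overlay or VLAN backed.
TZ_TYPES = {"TZ-Overlay": "OVERLAY", "TZ-VLANA": "VLAN", "TZ-VLANB": "VLAN"}

ENFORCEMENT_POINT = "/infra/sites/default/enforcement-points/default"


def tz_path(tz_name: str) -> str:
    """Policy path of a transport zone, as referenced by a segment."""
    return f"{ENFORCEMENT_POINT}/transport-zones/{TZ_IDS[tz_name]}"


def segment_payload(name: str, tz_name: str, vlan_ids: Optional[List[int]] = None) -> Dict:
    """Return the JSON body for PATCH /policy/api/v1/infra/segments/<name>.

    Overlay segments must not carry VLAN IDs; VLAN-backed segments must carry
    at least one (VLAN 0 = untagged, tagging is done on the Edge vDS port group).
    """
    tz_type = TZ_TYPES[tz_name]
    if tz_type == "OVERLAY" and vlan_ids:
        raise ValueError(f"{name}: an overlay segment cannot carry VLAN IDs")
    if tz_type == "VLAN" and not vlan_ids:
        raise ValueError(f"{name}: a VLAN-backed segment needs at least one VLAN ID")

    body: Dict = {"display_name": name, "transport_zone_path": tz_path(tz_name)}
    if tz_type == "VLAN":
        body["vlan_ids"] = [str(v) for v in vlan_ids]
    else:
        # MTEP is Hierarchical Two-Tier replication, the default the post keeps.
        body["replication_mode"] = "MTEP"
    return body


# (segment name, transport zone, VLAN IDs) for the lab; names other than
# UplinkA-LS are assumptions, the post does not state them.
LAB_SEGMENTS: List[Tuple[str, str, Optional[List[int]]]] = [
    ("Web", "TZ-Overlay", None),
    ("App", "TZ-Overlay", None),
    ("DB", "TZ-Overlay", None),
    ("UplinkA-LS", "TZ-VLANA", [0]),
    ("UplinkB-LS", "TZ-VLANB", [0]),
]


def build_all() -> Dict[str, Dict]:
    """Payloads keyed by segment id, validated before anything is sent."""
    return {name: segment_payload(name, tz, vlans) for name, tz, vlans in LAB_SEGMENTS}


def apply(manager: str, user: str, password: str, verify_tls: bool = True) -> None:
    """Send each payload to the manager. Imported lazily so the builder runs offline."""
    import requests  # third-party; only needed when actually applying

    for seg_id, body in build_all().items():
        url = f"https://{manager}/policy/api/v1/infra/segments/{seg_id}"
        resp = requests.patch(url, json=body, auth=(user, password), verify=verify_tls)
        resp.raise_for_status()


if __name__ == "__main__":
    # Dry run: print the bodies that would be sent.
    print(json.dumps(build_all(), indent=2))
```

Running the script without arguments only prints the validated bodies; call apply("nsx-manager.lab.local", "admin", "<password>") to push them. Keeping the type check in the builder means a segment placed in the wrong transport zone fails before it reaches the manager rather than after a VM is already attached to it.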

Creating a Logical switch in Advanced Networking & Security

As I mentioned earlier, we no longer create segments in the advanced UI unless there is a specific need to, but I’ll cover it here for completeness.
You will notice that the segments we just created are already shown here. If you try to edit them, only a small number of changes can be made here, as most of the configuration for the segments needs to be done via the simple UI.
Click ‘Add’ to add a new switch.

Give it a name, select the transport zone and the uplink teaming policy (use the default), then select the replication mode. For the segments we created earlier we can change the replication mode from the Advanced Networking page, but the default is Hierarchical Two-Tier replication, which is the preferred mode, so there's really no need to change it. Enter a VLAN if needed and click Add.

Note that from here we can see the logical switch we just created and also the segments created earlier; the highlighted icon indicates that they were created in the simple UI.

On the Segments page the logical switch we just created will not show, as it’s not a segment. Note the icon shown here indicates a segment.

The logical switch as seen via the host Networks page.

So we now have our VMs connected to our segments; next we need to set up the Layer 3 routing so the app can communicate.
But first, let's deploy our Edge nodes.
You can have Layer 3 routing between the segments without an Edge node, as the distributed routing function is at the host level. However, since we are replicating a production build and we want to be able to talk north/south as well, we will need to deploy Edge nodes, so let's get on with it.
