Create and Manage Logical Switches

By | July 4, 2018

In this post, we will cover following topics of Objective 2.1 of VCAP6-NV Deploy Exam

Objective 2.1 – Create and Manage Logical Switches

  • Create/Delete Logical Switches
  • Assign and configure IP addresses
  • Connect a Logical Switch to an NSX Edge
  • Deploy services on a Logical Switch
  • Connect/Disconnect virtual machines to/from a Logical Switch
  • Test Logical Switch connectivity

Create Logical Switches

Functionality of a Logical switch is very similar to that of a physical switch i.e they allow isolation of applications and tenants for security purpose. A logical switch when deployed, creates a broadcast domain to allow isolation of the VM’s running in infrastructure. Logical switches uses VXLAN to provide separation of duties.

The logical switch operates in the overlay and is totally independent of the physical network (the underlay). With Transport Zones (TZ) spanning multiple clusters it’s possible for a Logical Switch joined to a specific TZ to be available across multiple clusters, data centre-wide. Issues with Layer 2 adjacency have been resolved.

The VNI or VXLAN Network Identifier range starts at 5000 and ranges up to 16.7 million.

Just like any network design you will want to work out your logical network segments. Each logical switch is a boundary for these e.g. logical switch ‘X’ with a VNI of 5010 might be a 10.0.0.0/24 subnet; and logical switch ‘Y’ with a VNI of 5020 might be a 10.1.0.0./24 subnet. Later in this series we will cover the NSX Distributed Logical Router (DLR) which can be configured to route these networks.

To know more about logical switches, you can refer to this  VMware documentation

Prerequisites for creating a Logical Switch

Before you go and start creating logical switches in your environment, you have to make sure you meet following requirements:

  • vSphere distributed switches must be configured. You cannot deploy logical switches on standard switches.
  • NSX controllers must be deployed.
  • Your compute host clusters must be prepared and ready to go.
  • VXLAN must be configured.
  • A Transport Zone and a segment ID pool must be configured.

To Create a Logical Switch:

Log into the vSphere Web Client.

Click Networking and Security, then Logical Switches.

Click the green + sign to add a logical switch.

I am going to create a logical switch called ‘Database Tier’, I add it to the Global_TZ Transport Zone which spans both of my Compute Clusters, accept the default  Replication Mode of Unicast, and click OK.

ls

Note: By default, the Replication Mode of the logical switch is determined by the mode configured in the Transport Zone. Read the NSX Install Guide more on this if your interested.

Note: The IP Discovery option is enabled by default and it enables ARP suppression between VMs on the same segment (i.e. VM knows IP but not MAC thus must do an ARP Broadcast to entire VXLAN Segment to determine the MAC). The NSX Controllers maintain an ARP table and is pushed to the ESXi hosts which respond to local ARP Responses. Read the NSX Install Guide.

Note: The Enable MAC Learning option is disabled by default. VMware says to enable this option if your VMs have multiple NIC and MAC addresses. Read the NSX Install Guide.

Once we created the logical switch we can see it in the Web Client:

ls2

If we now go look at one of my Compute Cluster hosts I can see the logical switch has been created on the Compute vDS with a VNI of 5000.

tz3

As the TZ that the logical switch is connected to spans both my Compute and Edge Clusters (containing 2 hosts each) the logical switch is available on all 4 hosts.

To Delete a Logical Switch:

Before deleting logical switch, we have to make sure there are no VM’s connected to the LS we are trying to delete.

Select your logical switch, click the blue cog and select ‘Remove‘. This will delete the logical switch.

ls8

Note: You will not be able to remove a logical switch if you have VMs or any Edge Gateway interfaces connected to it, so remove those dependencies first.

Assign and configure IP addresses

This topic is bit confusing as it’s not clear what is the actual requirement of this objective as you can’t assign IPs to a logical switch. You can attach a logical switch to a Distributed Logical Router (DLR) or Edge Services Gateway (ESG) and configure the interface IP address and subnet prefix- but thats not on the switch.

The next section covers adding a logical switch to an existing ESG. We will see the IP addressing etc.

Connect a Logical Switch to an NSX Edge

When you connect a logical switch to an Edge Services Gateway or a Distributed Logical Router it allows East-West routing between logical switches; or North-South routing to the outside world.

To meet this requirement, make sure you already have an:

  • Existing NSX Logical Switch.
  • Existing NSX Edge gateway.

Log into the vSphere Web Client.

Click Networking and Security, then Logical Switches.

Select a logical switch, click the blue cog and select Connect Edge.

conlog

Select the Edge Gateway and click Next.

ed

An ESG can have a maximum of 10 interfaces. In the below picture my ESG has 1 interface configured with an Uplink to an external network (the Internet).

Select a free interface and click Next. (Note: I actually selected vnic8 not vnic1 as shown)

ed2

Edit the Edge interface details. Provide it a NamePrimary IP Address and Subnet Prefix Length. and choose whether this will be an internal or an uplink port, set the connectivity status to “Connected”

The Database_Tier logical switch which I am adding to this ESG I have defined as the 192.168.1.0/24 subnet. The Primary IP Address (192.168.1.1) will be the Gateway for this network.

ed3

Review your settings and click Finish to complete adding the logical switch to the ESG.

If  we now go and Manage the ESG, we can see the interface I just configured.

ed5

I have a Windows 2012R2 VM (win2k8-a) and added it to the Database-Tier logical switch.

I open the console on win2k8-a and configure the following IPv4 details:

ip

I can now ping the Database-Tier gateway address: 192.168.1.1 and also the Uplink interface to the external network 10.0.0.5.

aa

Deploy services on a Logical Switch

This enables you to deploy 3rd Party Services to your logical switch.  In my lab I don’t have any 3rd party services installed so I am unable to demonstrate this.

Below steps taken from the VMware NSX 6.2 Administration Guide explains how to attach a service profile to a LS.

3rd

Connect/Disconnect virtual machines to/from a Logical Switch

This is pretty straight forward.

To Connect Virtual Machines:

Log into the vSphere Web Client.

Click Networking and Security, then Logical Switches.

Select the Logical Switch then click the blue cog and select Add VM.

Select your VM/VMs and click OK.

 

To Disconnect Virtual Machines:

Log into the vSphere Web Client.

Click Networking and Security, then Logical Switches.

Select the Logical Switch then click the blue cog and select Remove VM.

Select your VM/VMs and click OK.

 

Test Logical Switch connectivity

Logical switch connectivity tests confirms whether or not two hosts in a VXLAN transport network can communicate with each other. This test is an ICMP PING and the default MTU size is 1550 bytes. The test is per logical switch. If the connectivity fails, ensure that you have MTU set correctly.

Log into the vSphere Web Client.

Click Networking and Security, then Logical Switches.

Double-Click the switch you want to perform the test on.

swtest

Select the Source host.

Select the Destination host.

Click Start Test. The test will run and show you the results.

swtesst2.JPG

 

You can additionally test Broadcast across the VXLAN network.

Click Broadcast.

Select Source host, followed by Start Test.

The test will show any unresponsive hosts to the broadcast.

swbroad

You also test from the command line on a ESXi host.

SSH into a host.

Run the following command:

vmkping ++netstack=vxlan -s 1572 -d 172.16.0.13

Note: -s is size, -d option sets DF (Don’t Fragment) bit on the IPv4 packet

vmkping

That’s it for this post, in xext post we will cover: Objective 2.2 – Configure and Manage Layer 2 Bridging

I hope this has been informative and thank you for reading! Be social and share it on social media, if you feel worth sharing it…!!!

Hello,

I am Rahul Sharma, I am currently working as Subject Matter Expert for SDDC and Cloud Infrastructure Services, Mainly on VMware Virtualization Platform.

I have 9 Year’s of IT experience and have expertise in Designing and Deploying of VMware vSphere, vSAN, vCloud Director, vRealize Automation, SRM, NSX  and modern data center technologies like vBlock, Cisco UCS, DELL, HPE C7000, HPE Synergy HCI etc.

I am VCIX6-DCV, Dual VCP – DCV & NV, MSCE – Cloud, CCNA, ITIL v3 Certified.

Leave a Reply

Your email address will not be published. Required fields are marked *