This blog post continues the series on “Planned” or “Unplanned” failover of NSX-V components (NSX Manager, controllers, universal distributed logical routers) in an Active/Passive datacentre scenario, i.e. all North/South routing flows via one site’s ESG(s).
To reiterate, I have split this topic into three parts:
- Part 1 (here), talks about:
  - Use Cases
  - Assumptions
  - Current state and Target State i.e. before and after failover
  - Pre-requisites
  - Summary of the Failover Plan
- Part 2 (this blog post), talks about the failover configuration steps to make Site-B “Primary”
- Part 3 (here), talks about the configuration steps required after Site-A comes back online to avoid conflicts.
I would encourage you to visit the previous blog Part 1 and get familiar with the assumptions, visualize before and after failover states, and the pre-requisites of this Cross-vCenter NSX Design, before proceeding ahead.
Below are the diagrams to visualize the placement of the NSX-V components and routing that will be achieved, after following the steps in this “Part 2” of the Failover Plan:
Location of the NSX-V components, after failover:
North/South routing of NSX-V components, after failover:
Site-A (Only in case of a planned Failover):
- Shutdown all ESGs/DLRs/UDLRs
- Shutdown Controllers
- Shutdown NSX Manager
Site-A:
- Disconnect Secondary NSX Manager from Primary:
  - Go to “Network and Security” Plugin in the vSphere Client
  - Installation and Upgrade -> Management -> NSX Managers
  - Select the Secondary NSX Manager
  - Click “Actions” -> “Disconnect from the Primary NSX Manager”
  - The NSX Manager will now be in Transit Mode.
- Promote/Assign the NSX Manager (now in Transit mode) as Primary:
  - Select the NSX Manager (now in Transit mode)
  - Click “Actions” -> “Assign primary Role”.
- Deploy the Universal NSX-V Controllers:
  - Go to “Network and Security” Plugin in the vSphere Client
  - Installation and Upgrade -> Management -> NSX Controller Nodes
  - Click Add and deploy the “three” Universal NSX controller nodes with the same configuration
  - Deploy the first controller, wait for it to deploy successfully, and when the status says connected, deploy the next two.
  - Create DRS rules for the controller VMs to run on separate ESXi Hosts.
- Deploy UDLR Control VMs:
  - Go to “Network and Security” Plugin in the vSphere Client
  - NSX Edges -> Double click the respective UDLR
  - Settings -> Configuration (for NSX-V 6.4.5: Settings -> Appliance Settings)
  - Add “NSX Edge Appliance” and specify the Datacenter, Cluster/Resource pool and Datastore
  - Click the “Add” icon to deploy another NSX Edge device with the same configuration
  - Configure HA for UDLR as necessary.
  - Change CLI credentials as necessary
    - Go to “Network and Security” Plugin in the vSphere Client
    - NSX Edges -> Right-click the respective UDLR and click “Change CLI credentials”
    - Enter the Credentials and click “Ok”
- Verify “Global Configuration” on the UDLR:
  - Go to “Network and Security” Plugin in the vSphere Client
  - NSX Edges -> Double click the respective UDLR
  - Click Manage -> Routing
  - Verify Configuration as documented before (in pre-requisites)
  - Verify ECMP (if configured previously)
  - Verify Router ID.
- Verify and amend “Dynamic Routing” configuration for the UDLR control VM(s):
  - Go to “Network and Security” Plugin in the vSphere Client
  - NSX Edges -> Double click the respective UDLR
  - Click Manage -> Routing
  - Verify the configuration as documented before (in the pre-requisites) and amend as necessary:
    - Verify BGP configuration status, AS numbers, neighbors, etc.
    - Amend the BGP neighbor’s weights – set “Site-B” ESG neighbors higher than “Site-A” e.g. if the “Site-A” ESG neighbors weight is 60 set “Site-B” ESG neighbors weight to 120.
    - If configured, amend any BGP filters as necessary to permit or deny network routes
    - Verify Route Redistribution
  - Open the console of the UDLR VM and login with “admin” credentials
  - Verify BGP neighbors status is “Established” and “UP” for Site-B ESG IPs, by running the following command:
      show ip bgp neighbors
  - Verify the routes (or “Default” route) are being received from Site-B ESGs, by running the following command:
      show ip route
Note: Follow the same steps above, for each UDLR Instance as necessary.
- Amend any dynamic routing configuration on ESGs, as necessary:
  - If configured, amend any filters as necessary to permit or deny network routes to Physical switch neighbors
  - Check BGP neighbors status is Established, UP
  - Verify routes are being exchanged (both Physical routes and UDLR routes), by running the following commands:
      show ip bgp neighbors
      show ip route
- Optional: If “Site-B” will be the “Primary” for the foreseeable future, update the syslog, NTP and DNS IPs on the following components to point to the Site-B syslog server:
  - UDLR
  - NSX controllers.
- If deployed, enable any “OneArm” Load Balancer ESG(s) network connectivity in Site-B (enable interface)
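
The BGP checks in the steps above (Site-B neighbors “Established” and “UP”, Site-B weights higher than Site-A) can be run against console output saved during the failover. This is an added example, not part of the original runbook or any VMware tooling; the neighbor IPs, AS numbers and the layout of the `show ip bgp neighbors` output are constructed assumptions, and only the 60/120 weights come from the text.

```python
import re

# Constructed sample of `show ip bgp neighbors` output. The line layout is an
# assumption; adjust the two patterns to what your UDLR console prints.
SAMPLE_OUTPUT = """\
BGP neighbor is 10.20.0.11,   remote AS 65002,
BGP state = Established, up
Hold time is 3, Keep alive interval is 1 seconds

BGP neighbor is 10.20.0.12,   remote AS 65002,
BGP state = Established, up

BGP neighbor is 10.10.0.11,   remote AS 65001,
BGP state = Active, down
"""

def parse_neighbors(text):
    """Return {neighbor_ip: (state, link)} from captured CLI output."""
    result = {}
    # Split per neighbor so a missing state line cannot borrow the next block's.
    for block in re.split(r"(?m)^(?=BGP neighbor is )", text):
        ip = re.match(r"BGP neighbor is ([\d.]+),", block)
        if not ip:
            continue
        st = re.search(r"BGP state = (\w+), (\w+)", block)
        result[ip.group(1)] = (st.group(1), st.group(2).lower()) if st else ("Unknown", "down")
    return result

def check_failover(text, weights, site_b, site_a):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    neighbors = parse_neighbors(text)
    for ip in site_b:
        state, link = neighbors.get(ip, ("Missing", "down"))
        if (state, link) != ("Established", "up"):
            problems.append(f"{ip}: BGP state is {state}, {link}")
    # Site-B must be preferred: its lowest weight has to beat Site-A's highest.
    min_b = min((weights.get(ip, 0) for ip in site_b), default=0)
    max_a = max((weights.get(ip, 0) for ip in site_a), default=-1)
    if min_b <= max_a:
        problems.append(f"weights: Site-B minimum {min_b} <= Site-A maximum {max_a}")
    return problems

if __name__ == "__main__":
    SITE_B, SITE_A = ["10.20.0.11", "10.20.0.12"], ["10.10.0.11"]
    weights = {"10.20.0.11": 120, "10.20.0.12": 120, "10.10.0.11": 60}
    print(check_failover(SAMPLE_OUTPUT, weights, SITE_B, SITE_A) or "all checks passed")
```

Site-A neighbors being down is expected after failover, so only the Site-B neighbors are checked for state.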
This completes Part 2 of the NSX-V Site Failover/Failback Plan. NSX-V Site Failover/Failback Plan: Part 3 walks step by step through the configuration required when “Site-A” (the previous primary) comes back online.