VMware Cloud Community
Aschtra (Contributor)

VCD 10.5 Networking without NSX

Hello,

Recently our company has been looking into VCD because we've heard NSX networking is not a requirement anymore.

I have the following setup:

vCenter 8.0.1D

3x VMware hosts 7.0.3 in a cluster with DRS enabled

1 Distributed Virtual Switch

4 port groups in separate VLANs.

1 Linux Server for NFS Share

 

I have installed VCD 10.5 and added the VCenter instance to VCD.

I am able to see the resource pools, hosts, storage DVS and the port groups.

I have created 1 organization and 1 organization VDC attached to it. I also created a Provider VDC.

I also created a network pool of type port group backed, with 2 of the 4 port groups, and attached this to my org VDC.

I also created 1 external network which I attached to 1 port group.

 

Now this is where I am stuck. I'd like to use the port groups in my VCenter that I've attached to the organization for networking for the VMs. When I create a VM at the tenant I am unable to select any networking / portgroups.

So what I did was go to the networking tab at the tenant and add networks. I have the choice between Direct and Isolated networks.

When I choose Direct, I can specifically choose the external network, and thus the specific port group, from the list. When I added this I can then choose this external Direct network when creating a VM.

 

Now part 2. 

When I selected Isolated I have to give it a name and Gateway CIDR. After creation it gets randomly attached to 1 of the 2 VLANs in the network pool. I want to be able to specify this.

 

So the TL;DR is:

I have several port groups in my vCenter; how do I attach specific port groups to VMs at a tenant?

Thank you for reading!

Kind Regards,

Damiën

 

1 Solution

Accepted Solution
Aschtra (Contributor)

Hello,

 

I found the solution.

External networks are the best option for us. I found out that a tenant (admin) user can create networks on their side, but not Direct (external) networks. This has to be done by the Service Provider.

Since I was clicking through to the tenant portal via the Service Provider portal I was able to create Direct networks. When I logged in as an actual tenant user I was unable to create Direct networks, so this fixes our security issue with tenants being able to see the network information of the external networks and being able to access each other's networks.

 

Posting here for anyone who is facing a similar challenge.

 

5 Replies
rguhr (Enthusiast)

Without NSX you only have Direct and Isolated to choose from.

"Imported Distributed Port Groups" are not possible without a Provider VDC connected to an NSX manager.
The documentation is missing this in the prerequisites part (SR confirmed this).

If I remember correctly, there is no way to assign the correct VLAN directly. So you have to create the network and check whether the correct VLAN has been selected; if not, create the next network, and then rename it if necessary.

The most convenient way would be to set up a fake NSX setup (Manager and NSX deployed on ESXi) - then you can directly select the vCenter port groups in the VCD tenant as a provider. That would be the "Imported Distributed port groups" feature from above.

Probably the way via the external networks is the intended way without NSX (we don't use it ourselves, so I can't say much about it).

Aschtra (Contributor)

Hello,

Thank you for your reply. This aligns with our thoughts: either creating many external networks, or creating a dummy NSX and having it installed on a few hosts.

So I tried out both. And I have the same problem with both of them.

With external networks, they are attached to the provider. Every organization I create in VCD will be able to see these external networks. In our use case this means that every organization will be able to see (and use, if they have the other information) each other's networks.

 

The same applies to using the dummy NSX method. I am now able to import a portgroup from our DVS via the tenant portal. But the whole DVS is available to the tenant. This means again all of our networks will be visible and usable to organizations.

Is there any way to work around this (without NSX, of course)? We could possibly play around with the tenant permissions on the tenant side, but that partly defeats the purpose I guess. We could deny them the creation of networks, so that part will have to be done via the provider.

 

So now I am able to provide specific port groups to a tenant. But I still want to fine-grain it by being able to give Tenant Y port groups 1, 2, 3 and Tenant X port groups 4, 5, 6.

 

Thank you for thinking with me!

Sreec (VMware Employee)

Your networking design will be severely constrained without NSX, so carefully consider all of your use cases. Most significantly, tenant security will be directly correlated with the physical fabric's design and security. To respond to your inquiry, you can join virtual machines (VMs) to direct networks and have a corresponding external network for each port group in VCD (you can even have overlapping subnets).

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
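The design just described (one external network per DVS port group, VMs joined through Direct org VDC networks) leaves the provider with the job of checking which external networks each organization can actually reach, which is the exposure the original poster is worried about. The following script is an added example, not code from this thread or from VMware. It is an offline audit over a listing of org VDC networks: it assumes the record shape of the Cloud Director CloudAPI `GET /cloudapi/1.0.0/orgVdcNetworks` response (the `networkType`, `orgRef` and `parentNetworkId` fields, the `values`/`pageCount` paging envelope and the `Bearer` token header are assumptions about that API), and the sample records and the allowlist are constructed for the example. It reports external networks that are reachable from more than one organization, and Direct networks whose parent external network is not on that organization's intended allowlist.

```python
"""Offline audit of which external networks each organization can reach through
Direct org VDC networks in VMware Cloud Director.

Added example, not code from the forum thread or from VMware. The record shape
(networkType, orgRef, parentNetworkId) and the CloudAPI paging envelope are
assumptions about the API; SAMPLE_ORG_VDC_NETWORKS and INTENDED_ALLOWLIST are
constructed for illustration.
"""
import json
import urllib.request
from collections import defaultdict

# Constructed sample records (not real API output); field names are assumptions.
SAMPLE_ORG_VDC_NETWORKS = [
    {"name": "tenant-a-vlan10", "networkType": "DIRECT",
     "orgRef": {"name": "Tenant-A"}, "parentNetworkId": {"name": "ext-vlan10"}},
    {"name": "tenant-a-vlan11", "networkType": "DIRECT",
     "orgRef": {"name": "Tenant-A"}, "parentNetworkId": {"name": "ext-vlan11"}},
    {"name": "tenant-b-vlan12", "networkType": "DIRECT",
     "orgRef": {"name": "Tenant-B"}, "parentNetworkId": {"name": "ext-vlan12"}},
    # Tenant-B has also been given a Direct network on Tenant-A's VLAN 10 port group.
    {"name": "tenant-b-shared", "networkType": "DIRECT",
     "orgRef": {"name": "Tenant-B"}, "parentNetworkId": {"name": "ext-vlan10"}},
    # Isolated networks have no parent external network and are skipped.
    {"name": "tenant-b-isolated", "networkType": "ISOLATED",
     "orgRef": {"name": "Tenant-B"}, "parentNetworkId": None},
]

# Which external networks (one per DVS port group) each tenant is meant to use.
INTENDED_ALLOWLIST = {
    "Tenant-A": {"ext-vlan10", "ext-vlan11"},
    "Tenant-B": {"ext-vlan12"},
}


def fetch_org_vdc_networks(vcd_host, access_token, api_version="38.0"):
    """Fetch every org VDC network through the CloudAPI (assumed endpoint and
    paging parameters). Run as a provider user so all organizations are listed."""
    records, page = [], 1
    while True:
        url = f"https://{vcd_host}/cloudapi/1.0.0/orgVdcNetworks?page={page}&pageSize=100"
        req = urllib.request.Request(url, headers={
            "Accept": f"application/json;version={api_version}",
            "Authorization": f"Bearer {access_token}",
        })
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        records.extend(body.get("values", []))
        if page >= body.get("pageCount", 1):
            break
        page += 1
    return records


def external_networks_by_org(networks):
    """Map org name -> set of parent external network names reached via DIRECT networks."""
    by_org = defaultdict(set)
    for net in networks:
        if net.get("networkType") != "DIRECT":
            continue
        parent = net.get("parentNetworkId") or {}
        by_org[net["orgRef"]["name"]].add(parent.get("name"))
    return dict(by_org)


def shared_external_networks(networks):
    """External networks reachable from more than one org: {ext_net: sorted org names}."""
    orgs_per_ext = defaultdict(set)
    for org, ext_nets in external_networks_by_org(networks).items():
        for ext in ext_nets:
            orgs_per_ext[ext].add(org)
    return {ext: sorted(orgs) for ext, orgs in orgs_per_ext.items() if len(orgs) > 1}


def allowlist_violations(networks, allowlist):
    """(org, network, parent) for Direct networks whose parent external network
    is outside that org's allowlist; an org with no allowlist entry may use none."""
    violations = []
    for net in networks:
        if net.get("networkType") != "DIRECT":
            continue
        org = net["orgRef"]["name"]
        parent = (net.get("parentNetworkId") or {}).get("name")
        if parent not in allowlist.get(org, set()):
            violations.append((org, net["name"], parent))
    return violations


if __name__ == "__main__":
    # Against a live system: networks = fetch_org_vdc_networks("vcd.example.invalid", "<token>")
    networks = SAMPLE_ORG_VDC_NETWORKS
    for ext, orgs in shared_external_networks(networks).items():
        print(f"external network {ext} is reachable from: {', '.join(orgs)}")
    for org, net, parent in allowlist_violations(networks, INTENDED_ALLOWLIST):
        print(f"{org}: direct network {net} uses {parent}, which is not on its allowlist")
```

On the constructed sample this flags `ext-vlan10` as reachable from both tenants and `tenant-b-shared` as the Direct network that breaks Tenant-B's allowlist. Keeping the allowlist in version control and running the audit after every provider-side network change gives a repeatable check that the per-port-group separation the thread is aiming for is still in place.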
Aschtra (Contributor)

Hello,

 

Yes, this is partly a solution for us. Partly because every organization I create will have access to these external networks. This is probably something that won't get approved.

 

If I am able to restrict visibility / usage of external networks to my tenants, then it probably can work for us.
