HCX - Segments Created with NSX-T Manager UI/API not Visible in NE wizard

Article ID: 321601


Products

VMware HCX

Issue/Introduction

In the following NSX-T MANAGER view UI, the Logical Switches (Segments) highlighted in the red boxes were created (+ADD) while in the MANAGER view. The other segments were created while in the POLICY view as signified by the Protected Object Icon

NSX-T MANAGER View UI - Networking - Logical Switches - Switches




HCX only supports NSX-T segments that are created with the NSX-T Policy UI/API. As a result, the segments above that were created with the NSX-T Manager UI are not visible in the HCX Manager Network inventory list when creating a Network Profile

HCX Manager UI - Interconnect - Network Profiles - CREATE NETWORK PROFILE


  
  


 

 

Resolution

HCX only supports NSX-T segments (and other networking objects) that are created with the NSX-T Policy UI/API. Please refer to the HCX User Guide, which states:

In NSX-T deployments, HCX supports integration with networking objects created with the NSX Simplified UI/API only.

For sites where segments have been previously created via the NSX-T Manager UI/API, the following migration strategy is available to create Policy based shadow segments based off of the existing Manager based segments

IMPORTANT - The shadow segment solution is limited only to HCX fleet appliance deployment and basic network extension workflows given that not all required properties for full HCX support are converted into the shadow segments. Please consider the following prior to implementing the solution:

  • NSX-T must be in use at both the onPrem and Cloud HCX sites

If deploying optional Network Extension (NE) services between the 2 sites:

  • The “Allow Overlapping VLAN” option must be selected when creating the HCX Network Extension.
  • Mobility Optimized Networking (MON) is NOT supported.
  • MAC-NAT rules won't be created on the target NE and ESX side during extension of shadow segments. As a result, the NSX-T Distributed Logical Router (DLR) MAC address at one of the sites must be changed to maintain the uniqueness of the GW MAC address.
  • Some older NSX-T 3.x software versions may not support the capability to modify the DLR MAC address.


Step 1)

A) For each Logical Switch (Segment) created via the NSX-T Manager UI/API that you wish to create a Policy based shadow segment for, determine the Logical Switch ID and Transport Zone associated with that segment. For VLAN Transport Zone segments also determine the VLAN associated with the segment

NSX-T MANAGER View UI - Networking - Logical Switches - Switches - <select Logical Switch> - Overview

Overlay Transport Zone Segment Example (Traffic Type Overlay):

  
VLAN Transport Zone Segment Example (Traffic Type VLAN):


  
B) For the Transport Zone associated with the Logical Switch (Segment) determine its Transport Zone ID

NSX-T MANAGER View UI - System - Fabric - Transport Zones - Transport Zones - <select Transport Zone> - Overview

Overlay Transport Zone Segment Example (Traffic Type Overlay):

   
VLAN Transport Zone Segment Example (Traffic Type VLAN):



C) Alternatively, the following GET API call can also be used as another way to determine the Logical Switch ID and Transport Zone ID (and VLAN in the case of a VLAN Transport Zone Segment) for all Logical Switches (Segments) configured

  • Replace the <IP_address> in the URL below with the IP address assigned to your NSX-T Manager
  • Replace <Password> below with the admin password used by your NSX-T Manager

Command Syntax:

curl -k -u 'admin:<Password>' https://<IP_address>/api/v1/logical-switches

Sample Command:

curl -k -u 'admin:Secret123' https://10.10.10.1/api/v1/logical-switches

Sample Command Output - Overlay Transport Zone Segment:

<snip>
{
    "switch_type" : "DEFAULT",
    "transport_zone_id" : "3f8bb5f6-####-####-####-c62e8ed41370",
    "vni" : 69649,
    "admin_state" : "UP",
    "replication_mode" : "MTEP",
    "address_bindings" : [ ],
    "switching_profile_ids" : [ {
      "key" : "SwitchSecuritySwitchingProfile",
      "value" : "fbc4fb17-####-####-####-ccdf04301888"
    }, {
      "key" : "SpoofGuardSwitchingProfile",
      "value" : "fad98876-####-####-####-1681e6b88ec1"
    }, {
      "key" : "IpDiscoverySwitchingProfile",
      "value" : "64814784-####-####-####-badeff705639"
    }, {
      "key" : "MacManagementSwitchingProfile",
      "value" : "1e7101c8-####-####-####-ce3d8dd078fb"
    }, {
      "key" : "PortMirroringSwitchingProfile",
      "value" : "93b4b7e8-####-####-####-3364611b5d09"
    }, {
      "key" : "QosSwitchingProfile",
      "value" : "f313290b-####-####-####-fab5026e9495"
    } ],
    "hybrid" : false,
    "span" : [ ],
    "resource_type" : "LogicalSwitch",
    "id" : "a18fc31a-####-####-####-b02e98faf359",
    "display_name" : "fle#######",
    "description" : "",
    "tags" : [ ],
    "_create_user" : "admin",
    "_create_time" : 1624401047645,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1624401047645,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 0,
    "_schema" : "/v1/schema/LogicalSwitch"
  }
<snip>

Sample Command Output - VLAN Transport Zone Segment:

<snip>
{
    "switch_type" : "DEFAULT",
    "transport_zone_id" : "41299c61-####-####-####-91d07375c7ec",
    "vlan" : 3998,
    "admin_state" : "UP",
    "address_bindings" : [ ],
    "switching_profile_ids" : [ {
      "key" : "SwitchSecuritySwitchingProfile",
      "value" : "fbc4fb17-####-####-####-ccdf04301888"
    }, {
      "key" : "SpoofGuardSwitchingProfile",
      "value" : "fad98876-####-####-####-1681e6b88ec1"
    }, {
      "key" : "IpDiscoverySwitchingProfile",
      "value" : "0c403bc9-####-####-####-847ed0f9f52e"
    }, {
      "key" : "MacManagementSwitchingProfile",
      "value" : "1e7101c8-####-####-####-ce3d8dd078fb"
    }, {
      "key" : "PortMirroringSwitchingProfile",
      "value" : "93b4b7e8-####-####-####-3364611b5d09"
    }, {
      "key" : "QosSwitchingProfile",
      "value" : "f313290b-####-####-####-fab5026e9495"
    } ],
    "hybrid" : false,
    "span" : [ ],
    "resource_type" : "LogicalSwitch",
    "id" : "bc31b390-####-####-####-687e9792a19c",
    "display_name" : "vm#####",
    "description" : "",
    "tags" : [ ],
    "_create_user" : "admin",
    "_create_time" : 1624474387668,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1624474387668,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 0,
    "_schema" : "/v1/schema/LogicalSwitch"
  }
<snip>


Step 2)

Use the following PATCH API call to create a Policy based shadow segment based off of the existing Manager based segment. Repeat this step for each Manager based segment that you wish to create a Policy based shadow segment for. Please note that the command syntax is slightly different for Overlay and VLAN Transport Zone Segments so an example is provided for each type below. The creation of the Policy based shadow segment is non-disruptive

  • Replace <Password> below with the admin password used by your NSX-T Manager
  • Replace <Segment_name> in the display_name field below with the name of your current Manager based segment
  • Replace <Segment_name> in the URL below with the name of your current Manager based segment
  • Replace <IP_address> in the URL below with the IP address assigned to your NSX-T Manager
  • Replace <Transport_Zone_ID> below with the one associated with your Manager based segment as determined in Step 1
  • Replace <Logical_Switch_ID> below with the one associated with your Manager based segment as determined in Step 1
  • For the VLAN Transport Zone command syntax only, replace <VLAN#> below with the same one used in the corresponding Manager based segment

Command Syntax - Overlay Transport Zone Segment:

curl -k -u 'admin:<Password>' -X PATCH -H "Content-Type: application/json" -d '{"display_name": "<Segment_name>", "admin_state": "UP", "transport_zone_path": "/infra/sites/default/enforcement-points/default/transport-zones/<Transport_Zone_ID>", "ls_id": "<Logical_Switch_ID>"}' https://<IP_address>/policy/api/v1/infra/segments/<Segment_name>

Command Syntax - VLAN Transport Zone Segment:

curl -k -u 'admin:<Password>' -X PATCH -H "Content-Type: application/json" -d '{"display_name": "<Segment_name>", "admin_state": "UP", "vlan_ids": ["<VLAN#>"], "transport_zone_path": "/infra/sites/default/enforcement-points/default/transport-zones/<Transport_Zone_ID>", "ls_id": "<Logical_Switch_ID>"}' https://<IP_address>/policy/api/v1/infra/segments/<Segment_name>

Sample Command - Overlay Transport Zone Segment:

curl -k -u 'admin:Secret123' -X PATCH -H "Content-Type: application/json" -d '{"display_name": "fl#######", "admin_state": "UP", "transport_zone_path": "/infra/sites/default/enforcement-points/default/transport-zones/3f8bb5f6-####-####-####-c62e8ed41370", "ls_id": "a18fc31a-####-####-####-b02e98faf359"}' https://10.10.10.1/policy/api/v1/infra/segments/fleet2000

Sample Command - VLAN Transport Zone Segment:

curl -k -u 'admin:Secret123' -X PATCH -H "Content-Type: application/json" -d '{"display_name": "vm#####", "admin_state": "UP", "vlan_ids": ["3998"], "transport_zone_path": "/infra/sites/default/enforcement-points/default/transport-zones/41299c61-####-####-####-91d07375c7ec", "ls_id": "bc31b390-####-####-####-687e9792a19c"}' https://10.10.10.1/policy/api/v1/infra/segments/vmotion

NOTE: When the PATCH API call is successfully run there is no command output
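
Added example (not part of the original article or VMware's tooling): a Python sketch that turns the Step 1 C) GET output into the Step 2 PATCH bodies, choosing the Overlay or VLAN form per switch. The sample listing and its IDs are constructed, and using "_protection" : "NOT_PROTECTED" to pick out Manager created switches is an assumption based on the sample output above.

```python
import json
from urllib.parse import quote

TZ_PREFIX = "/infra/sites/default/enforcement-points/default/transport-zones/"

# Constructed sample shaped like GET /api/v1/logical-switches output; all IDs are made up.
SAMPLE = json.loads("""{"results": [
  {"id": "ls-0001", "display_name": "app-overlay", "vni": 69649,
   "transport_zone_id": "tz-overlay-01", "_protection": "NOT_PROTECTED"},
  {"id": "ls-0002", "display_name": "vmotion", "vlan": 3998,
   "transport_zone_id": "tz-vlan-01", "_protection": "NOT_PROTECTED"},
  {"id": "ls-0003", "display_name": "policy-made", "vni": 69650,
   "transport_zone_id": "tz-overlay-01", "_protection": "REQUIRE_OVERRIDE"}
]}""")


def shadow_requests(listing):
    """Return [(url_path, body)] for every Manager created logical switch."""
    requests, seen = [], set()
    for ls in listing.get("results", []):
        # Assumption: only Manager created switches report NOT_PROTECTED.
        if ls.get("_protection") != "NOT_PROTECTED":
            continue
        name = ls["display_name"]
        # The article uses the name as the Policy segment ID, so two switches
        # sharing a name would PATCH the same object; refuse instead.
        if name in seen:
            raise ValueError(f"duplicate display_name: {name!r}")
        seen.add(name)
        body = {"display_name": name, "admin_state": "UP"}
        if "vlan" in ls:  # VLAN transport zone; the article's body uses string IDs
            body["vlan_ids"] = [str(ls["vlan"])]
        body["transport_zone_path"] = TZ_PREFIX + ls["transport_zone_id"]
        body["ls_id"] = ls["id"]
        path = "/policy/api/v1/infra/segments/" + quote(name, safe="")
        requests.append((path, body))
    return requests


if __name__ == "__main__":
    for path, body in shadow_requests(SAMPLE):
        print(path)
        print(json.dumps(body))
```

Each printed body can be sent with the PATCH command shown above. Where the NSX-T Manager certificate chain is on hand, curl's --cacert option in place of -k keeps certificate verification on, and -u admin without the password makes curl prompt for it instead of leaving it in shell history.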
    
Step 3)

A) Confirm that the Policy based shadow segment was created successfully in the NSX-T Policy view UI and that it has a green Admin State and Status

NSX-T POLICY view UI - Networking - Segments - Segments


Overlay Transport Zone Segment Example

  
VLAN Transport Zone Segment Example
 
B) (Optional) The following GET API call can also be used to check if the new Policy based shadow segment was created successfully

  • Replace the <IP_address> in the URL below with the IP address assigned to your NSX-T Manager
  • Replace <Password> below with the admin password used by your NSX-T Manager

Command Syntax:

curl -k -u 'admin:<Password>' https://<IP_address>/policy/api/v1/infra/segments

Sample Command:

curl -k -u 'admin:Secret123' https://10.10.10.1/policy/api/v1/infra/segments

Sample Command Output - Overlay Transport Zone Segment:

<snip>
{
  "results" : [ {
    "type" : "DISCONNECTED",
    "ls_id" : "a18fc31a-####-####-####-b02e98faf359",
    "transport_zone_path" : "/infra/sites/default/enforcement-points/default/transport-zones/3f8bb5f6-####-####-####-c62e8ed41370",
    "admin_state" : "UP",
    "replication_mode" : "MTEP",
    "resource_type" : "Segment",
    "id" : "fleet2000",
    "display_name" : "fl#######",
    "path" : "/infra/segments/fl#######",
    "relative_path" : "fl#######",
    "parent_path" : "/infra",
    "unique_id" : "9409ab69-####-####-####-c3d11c5dd091",
    "marked_for_delete" : false,
    "overridden" : false,
    "_create_user" : "admin",
    "_create_time" : 1624931964408,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1624931964410,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 0
  }
<snip>

Sample Command Output - VLAN Transport Zone Segment:

<snip>
{
    "type" : "DISCONNECTED",
    "ls_id" : "bc31b390-####-####-####-687e9792a19c",
    "vlan_ids" : [ "3998" ],
    "transport_zone_path" : "/infra/sites/default/enforcement-points/default/transport-zones/41299c61-####-####-####-91d07375c7ec",
    "admin_state" : "UP",
    "replication_mode" : "MTEP",
    "resource_type" : "Segment",
    "id" : "vm#####",
    "display_name" : "vm#####",
    "path" : "/infra/segments/vm#####",
    "relative_path" : "vm#####",
    "parent_path" : "/infra",
    "unique_id" : "c8447472-####-####-####-dda8c175928c",
    "marked_for_delete" : false,
    "overridden" : false,
    "_create_user" : "admin",
    "_create_time" : 1625611128557,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1625611128559,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 0
  }
<snip>

 
Step 4)

Confirm that the new Policy based shadow segment is now visible in the HCX Manager inventory

  • The NSX Logical Switch Network will be of Type DISCONNECTED because the Policy based shadow segment does not have an IP subnet configuration. IP subnet information (if applicable) will be in the original Manager based segment

HCX Manager UI - Interconnect - Network Profile - CREATE NETWORK PROFILE - NSX Logical Switch


  
  

 

Step 5)

Continue to deploy HCX as you normally would by creating the required HCX Network Profiles, Compute Profile, and Service Mesh
 
Step 6)

If deploying optional Network Extension (NE) services between the 2 sites:

  • Select the Allow Overlapping VLAN option for each Policy based shadow segment in order to force the connection
  • DO NOT select Mobility Optimized Networking (MON) for the Policy based shadow segments as this feature is not supported on these segments

HCX Manager UI - Network Extension - Create A Network Extension


  

Additional Information

1) NSX-T Routing and DHCP

Routing and DHCP configurations corresponding to the original NSX-T Manager Logical Switch (Segment) will continue to function after the creation of the corresponding Policy based shadow segment

NSX-T MANAGER View UI - Networking - Tier-1 Logical Routers

NSX-T MANAGER View UI - Networking - DHCP - Servers



2) NSX-T Manager View Logical Switch Tags

While in NSX-T Manager view, only Logical Switches that were originally created in Policy View (as signified by the Protected Object Icon) will have associated Tags stating that they were created via a Policy. Logical Switches created via Manager View with a corresponding Policy based shadow segment will continue to not have Tags

NSX-T Manager View UI - Networking - Logical Switches - <select Logical Switch> - Overview

Segments originally Created in Policy view have Tags:

    
   
Segments created in Manager view with a corresponding Policy based shadow segment do not have Tags: