Solved

Cannot configure network segmentation 2.1 on an existing cluster.

  • 21 October 2020
  • 2 replies
  • 673 views

Badge +6

https://next.nutanix.com/how-it-works-22/network-segmentation-basics-38414
It seems network segmentation 2.1 doesn’t support physical isolation between the backplane and management.

So, I tried to isolate it logically, following this procedure.

ISOLATING THE BACKPLANE TRAFFIC LOGICALLY ON AN EXISTING CLUSTER (VLAN-BASED SEGMENTATION ONLY)
https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Security-Guide-v5_15:wc-network-segment-on-existing-cluster-wc-t.html


AOS 5.15.1 / ESXi 6.7u3
Standard vSwitch, vSwitch0
Port Group: Backplane Network, CVM Backplane Network (for the CVM)

It doesn’t recognize any port groups.

The procedure doesn’t mention any vSwitch0 or port group conditions.

Is there any information on this?

Thx,


Best answer by lk541 23 October 2020, 08:00


2 replies

Badge +6

Thank you for the update.
It is settled.
This procedure works and can be used to segment the backplane traffic physically.
ISOLATING THE BACKPLANE TRAFFIC PHYSICALLY ON AN EXISTING CLUSTER
https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Security-Guide-v5_15:wc-network-segment-on-existing-cluster-backplane-physically-isolate-wc-t.html


This is also mentioned in the AOS 5.11.1 release notes.
NEW AND UPDATED FEATURES | AOS 5.11.1
https://portal.nutanix.com/page/documents/details?targetId=Release-Notes-AOS-v5_11_1:AOS-features-updates-aos-r.html

Physical Backplane Segmentation
You can physically isolate the backplane traffic (intra-cluster traffic) from the management traffic (Prism, SSH, SNMP) into a separate VNIC on the CVM, using a dedicated virtual network that has its own physical NICs. This type of segmentation therefore offers true physical separation of the backplane traffic from the management traffic.

 

Userlevel 6
Badge +5

From what you are doing, I feel like this is the part of the guide you should be following, Isolating the Backplane Traffic Physically on an Existing Cluster:

On the ESXi hosts, do the following:

  1. Create a vSwitch for the backplane traffic.
  2. From vSwitch0, remove the uplinks (physical NICs) that you want to add to the vSwitch you created for the backplane traffic.
  3. On the backplane vSwitch, create one port group for the CVM and another for the host. Ensure that at least one uplink is present in the Active Adapters list for each port group if you have overridden the failover order.

See the ESXi documentation for instructions about how to perform these tasks.

Note: Before you perform the following procedure, ensure that the uplinks you added to the vSwitch or bridge are in the UP state.

 

Let me know if that is what you were looking for.
The instructions on how to configure the vSwitch on ESXi can be found on the VMware documentation portal. For example, Create a vSphere Standard Switch (VMware vSphere 6.7).

 

It seems network segmentation 2.1 doesn’t support physical isolation between the backplane and management.

I’m not sure why you believe that physical isolation isn’t supported.

From the post you refer to:

NS 2.1 - Physical Backplane Segmentation

Released in AOS 5.11.1, this FEAT made the backing network customization available for Backplane hence allowing users to segment their Backplane traffic physically. This FEAT also added support for DVS based networks for both Backplane and Service.

Maybe I am misunderstanding or misreading something? If so, my apologies in advance.
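As an added illustration of the three ESXi steps quoted in the reply above (not code from the thread or from Nutanix), this dry-run script prints the esxcli commands for the new backplane vSwitch, the uplink move and the two port groups, and applies the guide's "uplinks must be UP" note as a pre-check over `esxcli network nic list` output. The vSwitch name, the vmnic numbers, the VLAN id and the sample NIC listing are all assumptions.

```shell
# Added example, not from the thread or Nutanix: dry-run helper for the
# "Isolating the Backplane Traffic Physically" steps. It only prints esxcli
# commands and checks link state; all names and values below are assumptions.
BP_VSWITCH="vSwitchBackplane"   # assumed name of the new backplane vSwitch
BP_UPLINKS="vmnic2 vmnic3"      # assumed physical NICs to move out of vSwitch0
BP_VLAN=200                     # assumed backplane VLAN id

# Steps 1-3 of the procedure as esxcli commands, printed one per line.
plan_backplane_vswitch() {
  echo "esxcli network vswitch standard add --vswitch-name=$BP_VSWITCH"
  for nic in $BP_UPLINKS; do
    # An uplink belongs to one vSwitch only: detach from vSwitch0, then attach.
    echo "esxcli network vswitch standard uplink remove --uplink-name=$nic --vswitch-name=vSwitch0"
    echo "esxcli network vswitch standard uplink add --uplink-name=$nic --vswitch-name=$BP_VSWITCH"
  done
  # One port group for the CVM and one for the host, both tagged with the backplane VLAN.
  for pg in "CVM Backplane Network" "Backplane Network"; do
    echo "esxcli network vswitch standard portgroup add --portgroup-name='$pg' --vswitch-name=$BP_VSWITCH"
    echo "esxcli network vswitch standard portgroup set --portgroup-name='$pg' --vlan-id=$BP_VLAN"
  done
}

# Pre-check: $1 is the text of `esxcli network nic list` (column 5 is Link Status).
# Returns 0 if every uplink in BP_UPLINKS is Up, 1 otherwise (names go to stderr).
uplinks_up() {
  nic_list="$1"; down=""
  for nic in $BP_UPLINKS; do
    state=$(printf '%s\n' "$nic_list" | awk -v n="$nic" '$1 == n { print $5 }')
    [ "$state" = "Up" ] || down="$down $nic"
  done
  [ -z "$down" ] && return 0
  echo "uplinks not Up:$down" >&2
  return 1
}

# Constructed sample of `esxcli network nic list` output: vmnic3 has no link.
SAMPLE_NIC_LIST='Name    PCI Device    Driver  Admin Status  Link Status  Speed  Duplex  MAC Address        MTU   Description
------  ------------  ------  ------------  -----------  -----  ------  -----------------  ----  -----------
vmnic2  0000:02:00.0  ixgben  Up            Up           10000  Full    00:11:22:33:44:02  1500  Example 10GbE
vmnic3  0000:02:00.1  ixgben  Up            Down         0      Half    00:11:22:33:44:03  1500  Example 10GbE'

if uplinks_up "$SAMPLE_NIC_LIST"; then
  plan_backplane_vswitch
else
  echo "fix the link state first; no commands generated" >&2
fi
```

With the sample above the pre-check fails on vmnic3, so no commands are printed; once every uplink shows Up, the nine esxcli lines are emitted in order.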