functiontemporarilyunavailable

VMwarevCloudArchitectureToolkitforServiceProvidersVMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironmentsVersion2.
9January2018TomasFojtaVMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments2|VMwarevCloudArchitectureToolkitforServiceProviders2018Inc.
Allrightsreserved.
ThisproductisprotectedbyU.
S.
andinternationalcopyrightandintellectualpropertylaws.
Thisproductiscoveredbyoneormorepatentslistedathttp://www.
vmware.
com/download/patents.
html.
VMwareisaregisteredtrademarkortrademarkofVMware,Inc.
intheUnitedStatesand/orotherjurisdictions.
Allothermarksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.
VMware,Inc.
3401HillviewAvePaloAlto,CA94304www.
vmware.
comVMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments3|VMwarevCloudArchitectureToolkitforServiceProvidersContentsIntroduction5InteroperabilityandUpgradePath62.
1SolutionInteroperability.
62.
2UpgradePaths7ImpactofNetworkVirtualizationTechnology103.
1CiscoNexus1000V.
103.
2vCloudDirectorNetworkIsolation(VCDNI)10MigrationConsiderations114.
1PortRequirements114.
2vCloudDirectorLegacyEdgeCompatibility.
124.
3Management144.
4Licensing154.
5NSXControllerCluster.
154.
6VMwareNSXVIBUpgrade.
164.
7ControlPlaneMode194.
8VMwarevShieldAppandVMwarevShieldEndpoint20MigrationScenariowithMinimalProductionImpact21ReferenceDocuments23VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments4|VMwarevCloudArchitectureToolkitforServiceProvidersListofTablesTable1.
RequiredNetworkPorts.
11Table2.
NSXControllerClusterRequirements15Table3.
SolutionVersionOverview.
21Table4.
UpgradeScenarioSteps.
21ListofFiguresFigure1.
vCloudDirectortovCloudNetworkingandSecurityandVMwareNSXInteroperability.
6Figure2.
vCloudDirectortovCenterChargebackInteroperability7Figure3.
VMwareNSXUpgradePaths8Figure4.
vCloudDirectorUpgradePaths.
9Figure5.
vCloudNetworkingandSecurityIntegrationwithExternalSwitchProviders.
10Figure6.
VMwareNSXCommunicationRequirements.
11Figure7.
NSXEdgeNodesinLegacyCompatibilityMode12Figure8.
NSXManagerApplianceUserInterface.
14Figure9.
VMwarevCenterSingleSign-OnUserConfiguredinVMwareNSX.
14Figure10.
VMwareNSXUserInterfaceinvSphereWebClient.
15Figure11.
VMwareNSXVIBUpgrade.
16Figure12.
NotReadyStateinVMwareNSXUserInterface17Figure13.
RebootRequiredinvSphere17Figure14.
ChangeofTransportZoneControlPlaneMode(1of2)19Figure15.
ChangeofTransportZoneControlPlaneMode(2of2)19VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments5|VMwarevCloudArchitectureToolkitforServiceProvidersIntroductionVMwarevCloudDirectorreliesonVMwarevCloudNetworkingandSecurityorVMwareNSXforvSpheretoprovideabstractionofthenetworkingservices.
Untilnow,bothplatformscouldbeusedinterchangeablybecausetheybothprovidethesameAPIsthatvCloudDirectorusestoprovidenetworksandnetworkingservices.
ThevCloudNetworkingandSecurityplatformend-of-support(EOS)dateis19September2016.
OnlyNSXforvSpherewillbesupportedwithvCloudDirectorafterthevCloudNetworkingandSecurityend-of-supportdate.
Tosecurethehighestlevelofsupportandcompatibilitygoingforward,migratefromvCloudNetworkingandSecuritytoNSXforvSphere.
Thisdocumentprovidesguidanceandconsiderationstosimplifytheprocessandtounderstandtheimpactofchangestotheenvironment.
NSXforvSphereprovidesasmooth,in-placeupgradefromvCloudNetworkingandSecurity.
TheupgradeprocessisdocumentedinthecorrespondingVMwareNSXUpgradeGuides(versions6.
01,v6.
12,6.
23).
Thisdocumentisnotmeanttoreplacetheseguides.
Instead,itaugmentsthemwithspecificinformationthatappliestotheusageofvCloudDirectorinserviceproviderenvironments.
1http://pubs.
vmware.
com/NSX-6/topic/com.
vmware.
ICbase/PDF/nsx_6_install.
pdf2http://pubs.
vmware.
com/NSX-61/topic/com.
vmware.
ICbase/PDF/nsx_61_install.
pdf3http://pubs.
vmware.
com/NSX-62/topic/com.
vmware.
nsx.
upgrade.
doc/GUID-4613AC10-BC73-4404-AF80-26E924EF5FE0.
htmlVMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments6|VMwarevCloudArchitectureToolkitforServiceProvidersInteroperabilityandUpgradePathVMwareprovidessolutioninteroperabilityandupgradepathmatrixes4thatlistverifiedandsupportedproductcombinations.
Thesematrixesareupdatedfrequentlyasnewproductversionsarereleased.
Therefore,refertothematrixesbeforetheactualmigrationplanning.
2.
1SolutionInteroperabilityThefollowingfigurehighlightskeyconstraintsandconsiderationsthatarevalidatthetimeofthiswriting.
ThekeyconsiderationfocusesonvCloudDirectorsupportoftheunderlyingnetworkingplatformreleases.
Figure1.
vCloudDirectortovCloudNetworkingandSecurityandVMwareNSXInteroperability4http://partnerweb.
vmware.
com/comp_guide2/sim/interop_matrix.
phpVMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments7|VMwarevCloudArchitectureToolkitforServiceProvidersNotevCloudDirector8.
10supportsonlyVMwareNSXandisnotcompatiblewithvCloudNetworkingandSecurity.
ThismeansmigrationfromvCloudNetworkingandSecuritytoVMwareNSXmustbedonewhilerunningavCloudDirectorversionearlierthan8.
10.
ThenetworkplatformversionisstoredinvClouddatabaseandcheckedduringavCloudDirector8.
10upgrade.
Therearealsoothersolutioninteroperabilityconstraintsbasedonserviceproviderenvironments.
Forexample,whileVMwareNSXprovidesbackwardcompatibilityforVMwarevShieldAPIs(sothatmostofthetoolsusingtheseAPIsstillfunction),serviceprovidersareencouragedtoverifysupportpriortotheiractualproductionupgrade.
Thesetoolsmightincludecustomnetworkmonitoringormeteringsolutions.
Forexample,VMwarevCenterChargebackManagercollectsnetworktransferdatathroughtheVMwarevShieldManagerDataCollectorthatusesavShieldAPI.
NoteAtthetimeofwritingthisdocument,themostrecentversionofvCenterChargebackManager,version2.
7.
1,isnotsupportedwithvSphere6andvCloudDirector8.
10.
Figure2.
vCloudDirectortovCenterChargebackInteroperability2.
2UpgradePathsIngeneral,theupgradefromvCloudNetworkingandSecuritytoNSXforvSphereisachievedbyupgradingvShieldManagerwithaspecialVMware-vShield-Manager-Upgrade-bundle-to-NSXupgradebundle.
CurrentlythisupgradebundleisavailableforallNSXforvSpherereleases,except6.
2.
1.
VMwarerecommendsupgradingtothehighestsupportedVMwareNSXversionbasedonthevarioussolutionsandtoolsincorporatedintheserviceproviderenvironment(vCloudDirector,vSphere,andsoon).
VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments8|VMwarevCloudArchitectureToolkitforServiceProvidersFigure3.
VMwareNSXUpgradePathsVMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments9|VMwarevCloudArchitectureToolkitforServiceProvidersFigure4.
vCloudDirectorUpgradePathsVMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments10|VMwarevCloudArchitectureToolkitforServiceProvidersImpactofNetworkVirtualizationTechnologyvCloudDirectorcurrentlysupportsvariousnetworkvirtualizationtechnologies,someofwhicharelegacytechnologiesthatarenolongerrecommendedgoingforward.
ThemostscalablerecommendedvirtualizationtechnologyisVirtualExtensibleLAN(VXLAN).
3.
1CiscoNexus1000VvCloudDirectorsupportstheCiscoNexus1000VvirtualdistributedswitchthroughtheExternalSwitchProviderfeatureofvShieldManager.
ThevShieldAPIcallstodeploy,manage,ordeletevirtualnetworksarethentranslatedtoNetworkSegmentationManagerAPIs,whichrunontheCiscoVirtualSupervisorModule—themanagementcomponentofNexus1000Vswitch.
ThelogicalnetworkscanbeVLAN-basedorVXLAN-based.
Figure5.
vCloudNetworkingandSecurityIntegrationwithExternalSwitchProvidersThisfunctionalityisnolongersupportedwithVMwareNSX.
Insuchcases,youmustfirstmigratefromCiscoNexus1000VtoVMwarevSphereDistributedSwitchandthensubsequentlymigratetoVMwareNSX.
Theactualmigrationstepsareoutofscopeforthisdocument.
3.
2vCloudDirectorNetworkIsolation(VCDNI)BeforeVXLANgainedmassadoption,vCloudDirectorreliedonvCloudnetworkisolationtechnologytoprovidealogicalnetworkoverlay.
ThisMAC-in-MACproprietaryencapsulationtechnologyisstillsupported,however,supportforthistechnologyisnowdeprecated.
UnlikeVXLANlogicalnetworks,VCDNIlogicalnetworksarecreateddirectlybyvCloudDirector,whichcommunicateswithVMwareESXihoststhroughthevCloudAgentrunningintheVMkernel.
Therefore,avCloudNetworkingandSecurityupgradehasnoimpactonVCDNInetworksandthereisnolimitationofusingthemtogetherwithVMwareNSX.
Serviceprovidersare,however,encouragedtouseVXLANtechnologybecauseVCDNIisadeprecatedtechnologyandissupportedonlyforlegacydeployments.
ThemigrationstepsfromVCDNItoVXLANareoutofscopeforthisdocument.
VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments11|VMwarevCloudArchitectureToolkitforServiceProvidersMigrationConsiderations4.
1PortRequirementsNSXforvSphererequiresadditionalportstobeopenedbetweenvariouscomponentsoftheserviceprovider'ssolution.
Thisisduetothenewcontrolplanemechanismaswellasthemanagementplanemessagebus.
Figure6.
VMwareNSXCommunicationRequirementsTable1.
RequiredNetworkPortsSourceTargetPortProtocolNotesESXiHostVMwareNSXManager5671TCPNewrequirement(RabbitMQ)ESXiHostVMwareNSXController1234TCPNewrequirement(UserWorldAgent)NSXManagerNSXController443TCPNewrequirementNSXControllerNSXController2878,2888,3888,7777,30865TCPNewrequirementNSXManagerVMwarevCenterServer443,902TCPSameasvShieldManagervCenterServerNSXManager80TCPSameasvShieldManagerNSXManagerESXiHost443,902TCPSameasvShieldManagerNSXManagerESXiHost8301,8302UDPNewrequirement(DVSSync)VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments12|VMwarevCloudArchitectureToolkitforServiceProvidersSourceTargetPortProtocolNotesESXiHostNSXManager8301,8302UDPNewrequirement(DVSSync)ESXiHostvCenterServer80TCPSameasvShieldManagervCenterServerESXiHost80TCPSameasvShieldManagerNoteAdditionalportsareneededforNTP(TCP123),DNS(TCP53),andSyslog(TCP514).
4.
2vCloudDirectorLegacyEdgeCompatibilityTherearechangesinbehaviorbetweenvCloudDirector8.
10andpreviousversions.
4.
2.
1vCloudDirector8.
0andEarlierInvCloudDirector8.
0andearlierversions,OrganizationVDCandvAppedgegatewaysaredeployedinvShield(legacy)compatibilitymode(NSXEdgeversion5.
5.
4).
Figure7.
NSXEdgeNodesinLegacyCompatibilityModeItisimportantinvCloudDirector8.
0andearliernottoupgradelegacyedgeservicesgatewaystoVMwareNSXversion6becausethiswillbreakvCloudDirectorcompatibility.
OlderversionsofvCloudDirector5.
5.
xand5.
6.
xhaveabugthatresultsinanedgeupgradeonvCloudDirectorredeployaction.
Topreventthisbehavior,thefollowingvCloudDirectordatabasechangeisnecessarypriortovCloudNetworkandSecuritymigration.
WhenupgradingtoVMwareNSX6.
2,addthefollowinglinetotheconfigtableinthevCloudDirectorSQLServerdatabase:INSERTINTOconfig(cat,name,value,sortorder)VALUES('vcloud','networking.
edge_version_for_vsm6.
2','5.
5',0);NoteUsenetworking.
edge_version_for_vsm6.
1ifNSX6.
1isusedornetworking.
edge_version_for_vsm6.
0ifNSX6.
0isused.
Formoreinformation,seethefollowingVMwareKnowledgeBasearticles:http://kb.
vmware.
com/kb/2096351andhttp://kb.
vmware.
com/kb/2108913.
VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments13|VMwarevCloudArchitectureToolkitforServiceProviders4.
2.
2vCloudDirector8.
10InvCloudDirector8.
10,edgegatewaysandvAppedgesaredeployedasfullNSXEdgenodes(version6.
x)withthesamefeatureset,accessiblethroughtheuserinterfaceorAPI,aslegacyNSXEdgenodes.
vCloudDirector8.
10alsosupportslegacyedgesdeployedbeforeupgradetovCloudDirector8.
10.
VMwarerecommendsredeployingtheoldedgesinvCloudDirectororupgradingtheminVMwareNSXtoleveragethemoreefficientmessagebuscommunicationmodewithNSXManagerasopposedtothelegacyVIXAPImode.
IftheNSXEdgenodesareupgradeddirectlyinVMwareNSX,verifythatvCloudDirectorisstillrunningbecauseitneedstobenotifiedabouttheNSXEdgeversionchange.
ThefollowingPowerShellscriptshowshowtheVMwareNSXAPIcanbeusedtoautomatetheupgradeofallNSXEdgenodes(shownforinformationalpurposesonly).
$Username="admin"$Password="default"$NSXManager="nsx01.
gcp.
local"$TargetVersion="6.
2.
3"###Createauthorizationstringandstorein$head$auth=[System.
Convert]::ToBase64String([System.
Text.
Encoding]::UTF8.
GetBytes($Username+":"+$Password))$head=@{"Authorization"="Basic$auth"}##Gettotalnumberofedges$Request="https://$NSXManager/api/4.
0/edges"$r=Invoke-WebRequest-Uri($Request+"startIndex=0&pageSize=1")-Headers$head-ContentType"application/xml"-ErrorAction:Stopif($r.
StatusCode-eq"200"){Write-Host-BackgroundColor:Black-ForegroundColor:GreenStatus:Connectedto$NSXManagersuccessfully.
}$TotalNumberOfEdges=([xml]$r.
content).
pagedEdgeList.
edgePage.
pagingInfo.
totalCount##Getalledges$r=Invoke-WebRequest-Uri($Request+"startIndex=0&pageSize="+$TotalNumberOfEdges)-Headers$head-ContentType"application/xml"-ErrorAction:Stop[xml]$rxml=$r.
Content$Edges=@()foreach($EdgeSummaryin$rxml.
pagedEdgeList.
edgePage.
edgeSummary){$n=@{}|selectName,Id,Version$n.
Name=$edgeSummary.
Name$n.
Id=$edgeSummary.
objectId$n.
Version=$edgeSummary.
appliancesSummary.
vmVersion$Edges+=$n}##Upgradealledgesforeach($Edgein$Edges){if($Edge.
Version-ne$TargetVersion){##UpgradeedgeWrite-Host"UpgradingEdge"$Edge.
Name$Uri="https://$NSXManager/api/4.
0/edges"+"/"+$Edge.
Id+"action=upgrade"$r=Invoke-WebRequest-URI$Uri-MethodPost-Headers$head-ContentType"application/xml"-Body$sxml.
OuterXML-ErrorAction:Stop}}Note:Theupgrade(orredeploy)ofanNSXEdgegatewayimpactsnetworktrafficforashorttime.
VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments14|VMwarevCloudArchitectureToolkitforServiceProviders4.
3ManagementvCloudNetworkingandSecurityismanagedfromauserinterfacethatisaccessedthroughthevShieldManagerapplianceFQDNorthroughtheVMwarevSphereClient(theinstallableversion).
WhenvShieldManagerisupgradedtoNSXManager,itsuserinterfaceisusedonlyformanagementoftheappliance,whiletheVMwareNSXmanagementisperformedfromtheVMwarevSphereWebClientNSXplug-in.
TheNSXManagerapplianceuserinterfaceisaccessedwithalocalaccount.
ThisistheaccountusedforaccessingthevShieldManagerCLI.
Figure8.
NSXManagerApplianceUserInterfaceTheVMwareNSXuserinterfaceinthevSphereWebClient(seeFigure10)isaccessedwiththeVMwarevCenterSingleSign-OnuserwhohasthenecessaryprivilegesinVMwareNSX(seethefollowingfigure).
Figure9.
VMwarevCenterSingleSign-OnUserConfiguredinVMwareNSXVMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments15|VMwarevCloudArchitectureToolkitforServiceProvidersFigure10.
VMwareNSXUserInterfaceinvSphereWebClient4.
4LicensingVMwareNSXusesadifferentlicensekeythanvCloudNetworkingandSecurity.
AfteranupgradeofvShieldManagertoNSXManager,VMwareNSXwillrunundera60-daytriallicense.
YoumustassignaVMwareNSXlicensekeyinthevSphereWebClient.
4.
5NSXControllerClusterTheNSXControllerclusterisacompletelynewcomponent,whichisdeployedaftersuccessfulNSXManagermigration.
TheclustermustbedeployedbeforeanyoftheadvancedVMwareNSXfeaturesthatrequireitcanbeused.
Table2.
NSXControllerClusterRequirementsNSXFeatureNSXControllerClusterRequirementVXLANtransportcontrolplaneMulticastHybridUnicastDistributedfirewall*NSXEdgeservicesgatewaysDistributedLogicalRouter*VXLAN–VLANbridging*ARPsuppressionVMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments16|VMwarevCloudArchitectureToolkitforServiceProviders*ThesefeaturesarenotnativelyexposedthroughthevCloudDirectoruserinterfaceorAPI.
ThefollowingareNSXControllerclusterdesignconsiderations:TheNSXControllerclusterconsistsofNSXControllernodes,whicharedeployedbyNSXManagertothevSphereenvironmentwhichtheNSXManagerispairedwith.
Therefore,theNSXControllerisrunningintheresourcegroup(customerworkload)vSphereclusters.
AnNSXControllerclusteralwaysconsistsofthreenodes(virtualmachines)deployedbyNSXManager.
Forhighavailabilitypurposes,eachNSXControllernodemustbeplacedonadifferenthost.
Thiscanbeachievedwithamanually-created,anti-affinityDRSrulewithinvSphere.
TheNSXControllernodeVMmustbeconnectedtoastandardordistributedportgroup.
ItcannotbeconnectedtoaVXLAN-basedportgroup(logicalswitch).
NSXControllerinstancesmusthavenetworkconnectivitytoNSXManagerandESXimanagementvmknics.
TheydonotneedtobedeployedinthesameL2subnetorvSpherecluster.
4.
6VMwareNSXVIBUpgradeVMwareNSXmustreplacethevShieldVMkernelmodulesandinstallnewVMwareInstallationBundles(VIBs)oneveryvCloudDirectormanagedESXihost.
ThisisdoneintheVMwareNSXuserinterfacebyclickingUpdatenexttoeachvSpherecluster.
Figure11.
VMwareNSXVIBUpgradeTheupgradeofvShieldorVMwareNSXVIBsrequiresareloadofthenewESXiimageand,therefore,arebootoftheESXihost.
VMwareNSXautomaticallytriestoputeachhostintomaintenancemodeandrebootit.
Thisaction,however,isnotrecommendedinvCloudDirectorenvironmentsfortworeasons:BeforeahostisputintoavSpheremaintenancemode,disableitinvCloudDirectorsothatvCloudDirectordoesnottrytoscheduletasksonthehost(forexample,toperformimageuploads).
Allworkloads(notonlyrunningVMs)mustbeevacuatedduringthemaintenancemode.
AcustomerwhodecidestopoweronaVMorcloneaVMthatisregisteredtoarebooting(andtemporarilyunavailable)hostwouldbeotherwiseimpacted.
VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments17|VMwarevCloudArchitectureToolkitforServiceProvidersTherefore,VMwarerecommendsthefollowingstepsinstead:1.
BeforeaVIBupgrade,changetheVMwarevSphereDistributedResourceScheduler(DRS)automationmodetomanualoneachvSphereclustertopreventVMwareNSXfromattemptingtoputhostsinmaintenancemode.
CautionDonotdisableDRS.
DisablingDRSwilldeleteyourresourcepoolsandcorruptyourvCloudDirectorinstallation.
2.
AftertheVIBinstallationfinishes,changetheDRSautomationmodetotheinitialsetting.
IntheVMwareNSXuserinterface,hostswillbeintheNotReadystateandwillrequirearebootinvSphere.
Figure12.
NotReadyStateinVMwareNSXUserInterfaceFigure13.
RebootRequiredinvSphere3.
MakesurethateachvSphereclusterhasenoughcapacitytotemporarilyrunwithoutonehost.
(ItisverycommontohaveatleastN+1HAredundancy.
)4.
DisablethehostinvCloudDirector.
5.
PutthehostintovSpheremaintenancemodewhileevacuatingallrunning,suspended,andpowered-offVMs.
6.
Rebootthehost.
7.
Whenthehostcomesup,exitthemaintenancemode.
8.
EnablethehostinvCloudDirector.
9.
Repeatwithotherhosts.
Steps4-9canbeeasilyautomatedandscripted,forexample,withVMwarevSpherePowerCLI.
VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments18|VMwarevCloudArchitectureToolkitforServiceProvidersThefollowingscriptisshownforinformationalpurposesonly.
##ConnecttovCloudDirectorandallvCenterServersitmanagesConnect-CIServer-Servervcloud.
gcp.
local-UserAdministrator-PasswordVMware1!
Connect-VIServer-Servervcenter.
gcp.
local-UserAdministrator-PasswordVMware1!
$ESXiHosts=Search-cloud-QueryTypeHostforeach($ESXiHostin$ESXiHosts){$CloudHost=Get-CIView-SearchResult$ESXiHostWrite-HostWrite-Host"Workingonhost"$CloudHost.
NameWrite-Host"DisablinghostinvCloudDirector"$CloudHost.
Disable()Write-Host"Evacuatinghost"Set-VMHost$CloudHost.
Name-StateMaintenance-Evacuate|Out-NullWrite-Host"Rebootinghost"Restart-VMHost$CloudHost.
Name-Confirm:$false|Out-NullWrite-Host-NoNewline"Waitingforhosttocomeonline"do{sleep15$HostState=(get-vmhost$CloudHost.
Name).
ConnectionStateWrite-Host-NoNewline".
"}while($HostState-ne"NotResponding")do{sleep15$HostState=(get-vmhost$CloudHost.
Name).
ConnectionStateWrite-Host-NoNewline".
"}while($HostState-ne"Maintenance")Write-HostWrite-Host"Hostrebooted"Set-VMHost$CloudHost.
Name-StateConnected|Out-NullWrite-Host"EnablingHostinvCloudDirector"$CloudHost.
Enable()}VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments19|VMwarevCloudArchitectureToolkitforServiceProviders4.
7ControlPlaneModeWhentheNSXControllerclusterisdeployed,themulticastcontrolplanemodecanoptionallybechangedtounicastorhybridmodestoenablecontroller-basedVXLANoverlays.
Theunicastcontrolplanemodedoesnotrequiremulticastintheunderlyingnetworkatall.
HybridmodedoesnotrequiremulticastroutingacrossL3domains(PIM)butreliesonmulticastineachL2switchingdomain.
ThechangeofthecontrolplanemodeismadeintheVMwareNSXuserinterfaceonthetransportzonescorrespondingtoeachProviderVirtualDataCenter(PVDC)VXLANnetworkpool.
Allexistinglogicalswitches(VXLANlogicalnetworks)mustbemigratedtothenewcontrolplanemodeaswell.
Figure14.
ChangeofTransportZoneControlPlaneMode(1of2)Thechangeofcontrolplanemodeandmigrationofexistinglogicalswitcheshasnoimpactonthenetworkingdataplanetraffic.
Figure15.
ChangeofTransportZoneControlPlaneMode(2of2)VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments20|VMwarevCloudArchitectureToolkitforServiceProviders4.
8VMwarevShieldAppandVMwarevShieldEndpointvCloudNetworkingandSecurityoffersahypervisor-basedfirewall(VMwarevShieldApp)andantivirusandanti-malwareplatform(VMwarevShieldEndpoint)forthird-partyvirtualappliances.
WhenupgradingtoVMwareNSX,thesetechnologiesaremigratedtotheVMwareNSXDistributedFirewallandVMwareNSXGuestIntrospection.
BecauseneitherofthesetwotechnologiesisprovidedthroughvCloudDirector,descriptionsoftheprocessfortheirmigrationareoutofscopeforthisdocument.
TheVMwareNSXUpgradeGuidesprovideareferenceforthemigrationstepsanddescribetheserviceimpact.
VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments21|VMwarevCloudArchitectureToolkitforServiceProvidersMigrationScenariowithMinimalProductionImpactThefollowingscenarioshowsanexampleofaserviceprovidermigratingfromvCloudNetworkingandSecurity,whileatthesametimeupgradingtonewversionsofvCloudDirectorandvSphere.
Impactonthedurationofthemaintenancewindow(andthusonendusers)isalsodiscussed.
Table3.
SolutionVersionOverviewSolutionInitialVersionTargetVersionvCloudDirector5.
6.
48.
10vCloudNetworkingandSecurity/VMwareNSXvCloudNetworkingandSecurity5.
5.
4VMwareNSX6.
2.
2vSphere(vCenterServerandESXi)5.
5U26.
0U2vCenterChargebackManager2.
72.
7.
x5TherecommendedpathforthesolutioninstallationandupgradesisdescribedinthefollowingtabletogetherwiththeimpactonthevCloudDirectorportal,theabilitytomanagevCloudDirectorobjectsthroughthevCloudUI/API,andtheimpactoncustomer'srunningworkloads.
Table4.
UpgradeScenarioStepsStepDescriptionvCloudDirectorPortalImpactManageabilityImpactWorkloadImpact1.
UpgradevCenterChargebackManagerfrom2.
7to2.
7.
x.
NoneNoneNone2.
UpgradevCloudDirectorfrom5.
6.
4to8.
0.
1.
ThiscanbedoneasarollingupgradewhenonlythelastcellanddatabaseconfigurescriptactuallyrequiresvCloudDirectordowntime.
Yes(inminutes)Yes(inminutes)None3.
DisableaspecificvCenterServerinstanceinvCloudDirector6.
ThenupgradetherelatedvShieldManagerwiththeVMware-vShield-Manager-Upgrade-bundle-to-NSXupgradebundle.
Aftertheupgradeiscomplete,enablethevCenterServerinvCloudDirector.
NoneYesfortheworkloadsmanagedbythespecificvCenterServer(30-60mins)None5Atthetimeofthiswriting,vCenterChargebackManagerisnotcompatiblewithvSphere6.
6SeeDisabledvCenterServerContinuestoAcceptvCloudDirectorOperations(https://kb.
vmware.
com/kb/2145610)forimportantconsiderations.
VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments22|VMwarevCloudArchitectureToolkitforServiceProvidersStepDescriptionvCloudDirectorPortalImpactManageabilityImpactWorkloadImpact4.
Repeatstep3forallothervCenterServerinstancesmanagedbyvCloudDirector.
5.
DeploytheNSXControllercluster.
NoneNoneNone6.
UpgradeVMwareNSXVIBsonallhosts(seeSection4.
6).
NoneNoneNone7.
(Optional)ChangethecontrolplanemodeandmigrateallVXLANnetworks.
NoneNoneNone8.
DisableaspecificvCenterServerinstanceinvCloudDirector7.
UpgradethevCenterServerfrom5.
5U2to6.
0U2.
Whencomplete,enablethevCenterServerinvCloudDirector.
NoneYes,fortheworkloadsmanagedbythespecificvCenterServer(30-60mins)None9.
Repeatstep8forallothervCenterServerinstancesmanagedbyvCloudDirector.
10.
UpgradeeachESXihost.
(UseasimilarapproachtothatdiscussedinSection4.
6.
)NoneNoneNone11.
UpgradevCloudDirectorfrom8.
0.
1to8.
10.
ThiscanbedoneasarollingupgradewhenonlythelastcellanddatabaseconfigurescriptactuallyrequiresvCloudDirectordowntime.
Yes(inminutes)Yes(inminutes)None12.
(Optional)UpgradeallNSXEdgegatewaystoversion6.
2.
NoneNoneAfewsecondsofnetworkimpactoneachNSXEdgegateway7SeeDisabledvCenterServerContinuestoAcceptvCloudDirectorOperations(https://kb.
vmware.
com/kb/2145610)forimportantconsiderations.
VMwarevCloudNetworkingandSecurityUpgradetoVMwareNSXinVMwarevCloudDirectorEnvironments23|VMwarevCloudArchitectureToolkitforServiceProvidersReferenceDocumentsItemURLVMwareNSX6.
2UpgradeGuidehttp://pubs.
vmware.
com/NSX-62/index.
jsptopic=%2Fcom.
vmware.
nsx.
upgrade.
doc%2FGUID-C4A1FE0E-7319-494A-A776-BAD3D9208FDA.
htmlVMwareNSX6.
1InstallationandUpgradeGuidehttp://pubs.
vmware.
com/NSX-61/topic/com.
vmware.
ICbase/PDF/nsx_61_install.
pdfVMwareNSX6.
0InstallationandUpgradeGuidehttp://pubs.
vmware.
com/NSX-6/topic/com.
vmware.
ICbase/PDF/nsx_6_install.
pdfVMwareProductInteroperabilityMatrixeshttp://partnerweb.
vmware.
com/comp_guide2/sim/interop_matrix.
phpArchitectingaVMwarevCloudDirectorSolutionfortheVMwareCloudProviderProgramhttp://www.
vmware.
com/content/dam/digitalmarketing/vmware/en/pdf/vcat/vmware-architecting-a-vcloud-director-solution.
pdfVMwarevCloudArchitectureToolkitforServiceProviders(vCAT-SP)http://www.
vmware.
com/solutions/cloud-computing/vcat-sp.
htmlvCloudArchitectureToolkitBloghttp://blogs.
vmware.
com/vcat/