Scenario 1

This example illustrates how an 8325 switch can be connected to VMware NSX.

Key components

  • NSX controllers: Central control point for all logical switches in the network.

  • Management network: Network on which the 8325 switch communicates with the NSX controllers.

  • Hardware VTEP (8325 switch): Communication with the NSX controller occurs via the switch management port (which operates as a DHCP client by default). Interface 1/1/1 links the switch to the layer 3 network. Interface 1/1/3 extends the layer 2 domain over a VXLAN and links the switch to the bare metal server. OSPF is used to enable the routed layer 3 underlay network.

  • Bare metal server: Physical server providing network services.

  • Layer 3 transport network: The underlay network which provides routing functionality.

  • Virtualization server: The virtualization server is managed by VMware vSphere. It hosts software VTEPs which perform VXLAN encapsulation for VMs deployed in virtual servers (such as an ESXi server).

Procedure
  1. On the 8325 switch:
    1. Enable interface 1/1/1, assign the IP address 100.1.1.1/24 to it, and configure OSPF.
      switch# config
      switch(config)# interface 1/1/1
      switch(config-if)# ip address 100.1.1.10/24
      switch(config-if)# ip ospf area 0
      switch(config-if)# no shutdown
      switch(config-if)# exit
      switch(config)# router ospf 1
      switch(config-ospf)# router-id 1.1.1.1
    2. Create VLAN 10.
      switch(config)# vlan 10
      switch(config-vlan-10)# exit
    3. Create loopback interface 1 with IP address 100.1.1.1/32 and assign it to OSPF area 0 on the default VRF.
      switch(config)# router ospf 1 vrf default
      switch(config-ospf-1)# exit
      switch(config)# interface loopback 1
      switch(config-loopback-if)# ip address 100.1.1.1/32
      switch(config-loopback-if)# ip ospf 1 area 0
      switch(config-loopback-if)# exit
      switch(config)#
    4. Enable interface 1/1/3 and assign VLAN 10 to it.
      switch(config)# interface 1/1/3
      switch(config-if)# no shutdown
      switch(config-if)# no routing
      switch(config-if)# vlan access 10
      switch(config-if)# exit
    5. Create VXLAN interface 1 and assign the source IP address 100.1.1.1/24 to it.
      switch(config)# interface vxlan 1
      switch(config-vxlan-if)# source ip 100.1.1.1
      switch(config-vxlan-if)# no shutdown
    6. Create VNI 5000, and assign VLAN 10 to it.
      switch(config-vxlan-if)# vni 5000
      switch(config-vni)# vlan 10
      switch(config-vni)# exit
      switch(config-vxlan-if)# exit
    7. Configure the HSC manager address.
      switch(config)# hsc
      switch(config-hsc)# manager ip 10.10.10.1
    8. Enable the HSC. You are prompted to use the default certificate installed on the switch to secure the connection with the manager. Type y.
      switch(config-hsc)# enable
      Trust Anchor (TA) profile configurations are not used for HSC authentication.
      Instead HSC will store the CA certificate from the HSC controller during the
      first TLS handshake and use it for all future authentications with HSC servers.
      This CA certificate will not be used for any other certificate-based authentication.
      Do you want to continue (y/n)? y
    9. Make a copy of the default certificate (local-cert) in PEM format. You need to configure this certificate on the NSX manager.
      switch# show crypto pki certificate local-cert pem
      Certificate name: local-cert
      Associated Applications: captive-portal, hsc, https-server, syslog-client
      Certificate status: installed
      Certificate type: self-signed
      -----BEGIN CERTIFICATE-----
      MIDITCDskKkeLkDKfjlsafkdjLdfkejwlisfuslekfjsdkfjelfrjsekfslkefjselfkjslde8383
      ...
      3md0k4o9vjksdoijeknkviocvhsksdoeo399((jifiIIIHFKwlIelId8rekILF:IofJe,kei(gfo9
      -----END CERTIFICATE-----
      Copy the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  2. On the NSX manager, add the switch certificate using the vSphere Web Client. Select Networking & Security and then Service Definitions. On the Hardware Devices tab, click Add (+) and paste the certificate into the appropriate box.
    For more information on configuring the NSX manager, refer to the VMware NSX documentation.
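
Added example (not part of the original procedure or of any vendor tooling): a Python helper that pulls the PEM block out of a saved capture of the `show crypto pki certificate local-cert pem` output from step 9, rejects truncated or mangled copies, and computes a SHA-256 fingerprint that can be recorded before the certificate is pasted into the NSX manager. The function names and the sample capture are constructed for illustration; the sample body is a stand-in, not a real certificate.

```python
import base64
import hashlib
import re

# One PEM certificate block; tolerant of CRLF and indentation in terminal captures.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

def extract_pem(cli_output: str) -> str:
    """Return the single, normalized PEM block found in captured CLI output."""
    blocks = PEM_RE.findall(cli_output)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    b64 = "".join(blocks[0].split())            # drop line breaks and indentation
    der = base64.b64decode(b64, validate=True)  # raises on "..." or stray characters
    if not der or der[0] != 0x30:               # X.509 DER begins with a SEQUENCE tag
        raise ValueError("decoded data is not a DER SEQUENCE")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"

def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of the certificate's DER encoding."""
    b64 = "".join(pem.strip().splitlines()[1:-1])
    digest = hashlib.sha256(base64.b64decode(b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

# Constructed stand-in for a certificate body (NOT a real X.509 certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_b64 = base64.b64encode(SAMPLE_DER).decode()
# Constructed capture laid out like the step 9 output.
SAMPLE_CAPTURE = (
    "switch# show crypto pki certificate local-cert pem\n"
    "Certificate name: local-cert\n"
    "Certificate status: installed\n"
    "Certificate type: self-signed\n"
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    pem = extract_pem(SAMPLE_CAPTURE)
    print(pem, sha256_fingerprint(pem), sep="")
```

The elided sample shown in step 9 (with its `...` line) fails the base64 check, which is the intended behaviour for an incomplete copy.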