I have used VLC to deploy nested VCF for a long time and I am quite happy with how it works. VLC is usually deployed to a VLAN Trunk Port Group. This requires the VLANs used in the nested VCF to be configured on the physical switches in the environment. This does not scale well, and it is hard to automate. By following the steps below we are able to deploy VLC to an NSX-T Overlay Segment which allows each VFC instance to be isolated on their own layer 2 network. NSX-T Overlay Segments can be deployed automatically and they don’t require any changes to the physical network. This also allows us to use overlapping IP addressing between them. I have not yet tested to connect my Segment to a Tier-1 Gateway so that the nested VCF can connect to any external networks, but I plan to do this soon and update this post.
NSX-T Configuration
The following configuration needs to be done on the hosting NSX-T environment.
IP Discovery Profile
| Name | vcf-nested-ip-profile |
| Duplicate IP Detection | Disabled |
| ARP Snooping | Enabled |
| ARP Binding Limit | 256 |
| ND Snooping | Disabled |
| ND Snooping Limit | 3 |
| ARP ND Binding Limit Timeout | 10 |
| Trust on First Use | Enabled |
| DHCP Snooping | Disabled |
| DHCP Snooping – IPv6 | Disabled |
| VMware Tools | Enabled |
| VMware Tools – IPv6 | Disabled |
MAC Discovery Profile
| Name | vcf-nested-mac-profile |
| MAC Change | Enabled |
| MAC Learning Aging Time | 600 |
| MAC Learning | Enabled |
| MAC Limit | 4096 |
| MAC Limit Policy | Allow |
| Unknown Unicast Flooding | Enabled |
Segment Security Profile
| Name | vcf-nested-security-profile |
| BPDU Filter | Disabled |
| BPDU Filter Allow List | Not Set |
| Server Block | Disabled |
| Server Block – IPv6 | Disabled |
| Non-IP Traffic Block | Disabled |
| Rate Limits | Disabled |
| Receive Broadcast | 0 |
| Receive Multicast | 0 |
| Client Block | Disabled |
| Client Block – IPv6 | Disabled |
| RA Guard | Enabled |
| Transmit Broadcast | 0 |
| Transmit Multicast | 0 |
Segments
| Name | vcf-nested-trunk-01 |
| Transport Zone | overlay-tz |
| Connected Gateway | None |
| Subnet | None |
| Profiles | vcf-nested-ip-profile vcf-nested-mac-profile vcf-nested-security-profile |
| VLAN | 0-4094 |
Jump Host Configuration
To deploy VLC we need a jump host with two network adapters, one connected to your management network so that we can access it with RDP, and one connected to the nested environment so that we can connect to the nested appliances there. More details on this can be found in the VLC installation guide.
Jump Host 01
| Name | jumpy-01 |
| OS | Windows Server 2019 |
| NIC1 | Portgroup: pg-management Driver: VMXNET3 |
| NIC2 | Portgroup: vcf-nested-trunk-01 GW: None VLAN: 10 (Tagged in Guest OS) Driver: VMXNET3 |
| Software | Powershell 5.1+ PowerCLI 12.1+ OVFTool 4.4+ .Net Framework |
| Static Routes | For example: route ADD 10.50.0.0 MASK 255.255.255.0 10.0.0.221 |
| Windows Firewall | On |
| Powershell Policy | Set-ExecutionPolicy Unrestricted |
VLC Configuration
| Location | C:\VLC |
| Bringup Configuration | C:\VLC\NOLIC-44-TMM-vcf-ems-public.json |
| ESXi Host Configuration | C:\VLC\conf\default_mgmt_hosthw.json |
| Licenses | Must be added to NOLIC-44-TMM-vcf-ems-public.json |
| Cloud Builder | C:\VLC\VMware-Cloud-Builder-4.4.0.0-19312029_OVF10.ova |
| MTU | 1700 (can probably be increased to 8800 or more) |
VLCGui.ps1 Configuration
The following changes need to be done to the default VLCGui.ps1 to make it work with NSX-T.
Changed the following to be able to select NSX-T Segments:
| From |
If ($isSecSet.AllowPromiscuous.Value -and $isSecSet.ForgedTransmits.Value -and $isSecSet.MacChanges.Value){ |
| To |
If(-not ($isSecSet.AllowPromiscuous.Value -and $isSecSet.ForgedTransmits.Value -and $isSecSet.MacChanges.Value)){ |
Changed the following to get 1500 bytes MTU on vSwitch0:
| From |
$kscfg+="esxcli network vswitch standard set -v vSwitch0 -m 9000`n" |
| To |
$kscfg+="esxcli network vswitch standard set -v vSwitch0 -m 1500`n" |
Added the following to recreate vmk0 so that it gets a unique MAC address:
$kscfg+="esxcfg-vmknic --del vmk0 -p |
$kscfg+="esxcfg-vmknic --add vmk0 --portgroup |
$kscfg+="esxcfg-route -a default |
Change the MAC Address of NSX-T Virtual Distributed Router
You must change the default MAC address of the NSX-T virtual distributed router in the nested VCF deployment so that it does not use the same MAC address that is used by the hosting NSX-T virtual distributed router.
Change the MAC Address of NSX-T Virtual Distributed Router
An alternative is to configure the hosting NSX-T environment’s Overlay Transport Zone with the nested_nsx property set to true, but this has to be done when creating the Transport Zone.
Thanks to Ben Sier for helping me getting this to work.
CyberNils.net 
HI,
One thing i could not get is that you mentioned to create a segment using Overlay. If i select Overlay as TZ, then i won’t get an option to enter the VLAN which have mentioned to enter as “0-4094”. please clarify.
Also can i used the above mentioned to build VCF using traditional method like using excel sheet with all details populated?
thanks
EmVee.
LikeLike
Hi, not sure why you are not able to enter VLAN ID when selecting Overly TZ. I hope you have tried to expand the Additional Settings? Yes, you can use the Excel sheet with VLC. Just deselect “Do bringup”.
LikeLike
Hi,
Thanks for your time to reply. I am sure you can’t enter VLAN ID when you select Overlay TZ. Because, you create a segment either with Overlay or VLAN, can’t mix both.
When i say excel sheet, i mean the traditional way fo building cloud builder without using VLC.
thanks
EmVee
LikeLike
If the transport zone is of type VLAN, specify a list of VLAN IDs. If the transport zone is of type Overlay, and you want to support layer 2 bridging or guest VLAN tagging, specify a list of VLAN IDs or VLAN ranges. In this case we want to use guest VLAN tagging with an Overlay Segment.
LikeLike
NILS,
You are correct!. I can now able to enter the VLAN IDs. thanks for that. Let me try to install and let you know when done.
EmVee
LikeLike
Hi NILS KRISTIANSEN,
An question. When i choose to use different vlan for mgmt/vmotion/vsan/vxlan, where would i set the GW for each vlan? is there any method that i should follow? or it doesn’t matter as underlying NSX-T overlay will take care?
thanks
EmVee
LikeLike
I am not sure if I follow exactly what you are doing, but if you are using VLC to deploy VCF you set the GWs in the bringup Excel or json file. I suggest joining VLC Support on Slack here to get better help: https://tiny.cc/getVLCSlack
LikeLike