Nested Virtualization is an extremely useful tool that helps customers easily test and try out new VMware products and solutions before rolling them into a proper development environment for further validation. This is especially handy for those wanting to set up an NSX-based environment and simulate their actual deployment topology, configuration and upgrade workflows.
In this past year, I have seen a 10x increase in the number of NSX-T based questions that have come up from customers and our field; the adoption of NSX-T is definitely in full swing. As expected, questions about running Nested ESXi on top of a physical NSX-T deployment have come up, and there have actually been several variations asked about: Nested ESXi using VSS, VDS, NSX-V or even NSX-T running on top of an N-VDS, which is the virtual switch that NSX-T uses.
Luckily all of these combinations work and just require some basic configuration changes within NSX-T. However, before I continue, let me remind folks again that VMware does NOT officially support Nested Virtualization.
As a refresher, if you are just using a VSS or VDS with no NSX-V or NSX-T, you no longer need to enable Promiscuous Mode. For VSS, you can use the ESXi MAC Learn dvFilter Fling, and for VDS, as of vSphere 6.7, you can simply take advantage of the new native MAC Learning feature. With NSX-T, we can also take advantage of MAC Learning, but the changes must now be applied within NSX-T Manager, as it is responsible for managing the virtual switch rather than vCenter Server. In both of the configurations mentioned below, you are making the changes to your physical NSX-T deployment, not the Nested layer.
VSS/VDS or NSX-V on NSX-T
MAC Learning in NSX-T is configured as part of the MAC Discovery Policy for a Network Segment Profile which can be found under the Segments tab in the NSX-T Policy UI. By default, MAC Learning is disabled in the default MAC Discovery Profile which is applied to all Network Segments that are created if not overridden by a user. To enable MAC Learning, simply create a new Segment Profile and enable the MAC Learning feature which we will use to override when creating a new Network Segment.
Now when you create a new Network Segment, in the MAC Discovery configuration, change the profile to point to your MAC Learning enabled Profile. You are then ready to deploy Nested ESXi VMs that can be configured with VSS, VDS or NSX-V running on top of an N-VDS.
Nested NSX-T on NSX-T
In addition to enabling MAC Learning in your physical NSX-T deployment, if you wish to run NSX-T on top of a physical NSX-T deployment, you will need to make one additional change when creating your Overlay Transport Zone, which is only possible using the NSX-T API. The property that needs to be added is called nested_nsx, which is a boolean value and ensures that networking will function properly when running a Nested NSX-T instance on top of your physical NSX-T deployment.
The easiest way to configure this is using PowerCLI (but you can certainly use the NSX-T REST API) and below is the snippet required to create a Transport Zone with the required setting:
```powershell
# Connect to the physical NSX-T Manager (not the nested instance)
Connect-NsxtServer -Server nsx.primp-industries.com

# Retrieve the Transport Zone API binding and build an empty create spec
$transportZoneService = Get-NsxtService -Name "com.vmware.nsx.transport_zones"
$overlayTZSpec = $transportZoneService.help.create.transport_zone.Create()

$overlayTZSpec.display_name = "TZ-Nested-NSX-T"
$overlayTZSpec.host_switch_name = "nsxswitch"
$overlayTZSpec.transport_type = "OVERLAY"
# nested_nsx is a boolean property; use $true rather than the string "true"
$overlayTZSpec.nested_nsx = $true

# Create the Overlay Transport Zone with the nested_nsx flag set
$transportZoneService.create($overlayTZSpec)
```
If the operation was successful, you should have a new Transport Zone created with the required setting, and you can set up your Nested NSX-T instance.
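As an added example (not from the original post or from VMware), the same Transport Zone creation via the NSX-T REST API in Python, plus a check that lists existing Overlay Transport Zones that were created without the flag. Assumptions: the POST /api/v1/transport-zones endpoint with a results-wrapped list response, basic authentication, and the manager hostname and credentials are placeholders.

```python
import base64
import json
import ssl
import urllib.request

# NSX-T Manager transport zone endpoint (assumption: API v1 path).
TZ_PATH = "/api/v1/transport-zones"


def build_overlay_tz_spec(display_name, host_switch_name, nested_nsx=True):
    """Build the TransportZone body. nested_nsx must be a real boolean: a JSON
    string "true" is not what the API expects, so reject anything else."""
    if not isinstance(nested_nsx, bool):
        raise TypeError("nested_nsx must be a boolean, not %r" % (nested_nsx,))
    return {
        "display_name": display_name,
        "host_switch_name": host_switch_name,
        "transport_type": "OVERLAY",
        "nested_nsx": nested_nsx,
    }


def overlay_tzs_missing_nested_nsx(list_response):
    """Names of Overlay TZs whose nested_nsx flag is absent or false; a Nested
    NSX-T instance attached to these will not get working overlay networking."""
    return [
        tz["display_name"]
        for tz in list_response.get("results", [])
        if tz.get("transport_type") == "OVERLAY" and not tz.get("nested_nsx", False)
    ]


def create_transport_zone(manager, username, password, spec):
    """POST the spec to the physical NSX-T Manager over HTTPS. Certificate
    verification stays on; trust the manager's cert rather than disabling it."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}{TZ_PATH}", data=json.dumps(spec).encode(), method="POST",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


# Constructed sample of a GET /api/v1/transport-zones response (not real output).
SAMPLE_TZ_LIST = {"results": [
    {"display_name": "TZ-Overlay", "transport_type": "OVERLAY", "host_switch_name": "nsxswitch"},
    {"display_name": "TZ-Nested-NSX-T", "transport_type": "OVERLAY", "host_switch_name": "nsxswitch", "nested_nsx": True},
    {"display_name": "TZ-VLAN", "transport_type": "VLAN", "host_switch_name": "nsxswitch"},
]}

if __name__ == "__main__":
    print(json.dumps(build_overlay_tz_spec("TZ-Nested-NSX-T", "nsxswitch"), indent=2))
    print("Overlay TZs missing nested_nsx:", overlay_tzs_missing_nested_nsx(SAMPLE_TZ_LIST))
```

Uncomment a call to create_transport_zone with your manager and credentials to actually create the zone; the audit function can be run on the JSON returned by a GET of the same endpoint.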
Alex López | vExpert 🇵🇷 (@iVirtuAlex) says
In your NSX-T on NSX-T portion above, does that change need to be made on the nested side or the physical side?
Alex López | vExpert 🇵🇷 (@iVirtuAlex) says
Please disregard, I see the answer above. Apologies for missing that initially.
Jason Wong says
I thought native MAC Learning is only for VDS and not available for VSS. Am I wrong, or has that actually changed?
----------------------
As a refresher, if you are just using a VSS or VDS with no NSX-V or NSX-T, you no longer need to enable Promiscuous Mode as of vSphere 6.7 and can simply take advantage of the new native MAC Learning feature.
William Lam says
Jason,
Thanks for the catch, and I've updated the blog post to clarify. I meant to say that in general, Prom Mode isn't required. VSS can use the MAC Learn dvFilter, and for VDS you can use the native MAC Learn feature. There isn't a case where Prom Mode should be enabled, which has a perf penalty 🙂
Alex López | vExpert 🇵🇷 (@iVirtuAlex) says
William,
I know I previously asked this and you stated above that these changes must be done on the physical-side NSX-T deployment, but after taking a look at the APIs, the description for the "nested_nsx" parameter states "Flag to indicate if transport nodes in this transport zone are connected through nested NSX. The flag on need to be set in nested NSX environment." Can you clarify? Does this still need to be set on the new TZ on the physical side, or should it be set on the nested NSX-T TZ as per the API param description? 🙂 Thx for everything you do for the vCommunity!
Trevor Davis says
Is this done on nested NSX or physical? Was that ever clarified?