NSX V2T Migration

Welcome to NSX Migration for VCD tool lab.

Through this lab, you will learn how to migrate a service provider driven, organization Virtual Data Center (VDC) from VMware NSX® Data Center for vSphere® (NSX-V) backed provider VDC to organization VDC of NSX-TTM Data Center backed provider VDC in a VMware Cloud Director environment.

Topics covered are:

  • Pre-requisite steps for vcdNSXMigrator tool
    • How to download vcdNSXMigrator tool
    • Configuring NSX, vCenter and VMware Cloud Director
  • Performing a Migration tool
    • Migration Pre-check
    • Migration
    • Post-Migration Verification
    • Cleanup

Pre-requisite steps for V2T migration tool

This section provides several pre-requisite steps before you run vcdNSXMigrator to migrate your Org VDC from NSX-V Provider VDC to NSX-T Provider VDC.

Lab Infrastructure overview

There is "stark-legacy" org VDC  in NSX-V Provider VDC.

"stark-legacy" has 1 vapp (web-cities) and 3 Web VMs are  running on web-cities vapp.

This org VDC will be migrated to NSX-T backed Provider VDC using vcdNSXMigrator tool

Preparing the V2T migration tool

In this section we will prepare the v2T migrator tool ready to perform the migration.

Downloading the v2T Migrator Tool

To download the v2T migrator tool, you will have to download it from my.vmware.com and you can find the binary in "Drivers and Tools" tab of VMware Cloud Director product download page.

For this Lab, you will use the windows version binary which we already downloaded for you

Extracting vcdNSXMigrator zip file

  1. Click Lab files short cut on the desktop screen.
  2. Right click VMware-NSX-Migration-for-VMware-Cloud-Director-1.1.zip and select Extract All...
  3. Change the destination path to C:\ and click Extract
  4. Go to C:\vcdNSXMigrator folder in the file explorer and you can see the extracted version of  vcdNSXMigrator files

Login to vCenter

Access the vsphere client and key in the credentials to access vCenter:

  1. Click vCenter (https://vcsa-01a.corp.local) in the Favorites bar
  2. Login to vCenter as administrator credential
    • ID : administrator@corp.local
    • PASSWORD : VMware1!
  3. Click Login

Create a Dummy Distributed Virtual Port group Migrator tool to use

Create Distributed virtual port group for the v2t migrator tool to utilize. This port-group will be used to connect the tenant's old NSX-v edge gateways to while migrating the uplinks to NSX-T side.

Go to Networking menu

  1. Click Menu
  2. Select Networking

Create New Distributed Port group

  1. Expand RegionA01 Datacenter in the left plane.
  2. Right-Click the RegionA01-vDS-COMP Distributed virtual switch
  3. Select Distributed Port Group  
  4. Select New Distributed Port Group

Configure Name  in New Distributed portgroup

  1. Change the name to Dummy-DPG
  2. Click Next

Configure settings

  1. Change VLAN type to VLAN and set the VLAN ID to 888
  2. Click Next
  3. Then you can see review the summary , click Finish

TIP: This should be a dummy VLAN that doesn't exist in your datacenter. We need it because we cannot leave the edge gateway unattached to an uplink.

Login to NSX-T Manager

  1. Open New tab in Chrome  and Select NSX-T (https://nsx-mgr.corp.local) in Favourite bar.
  2. Login to NSX-T Manager as:
    • ID : admin
    • PASSWORD : VMware1!VMware1!
  3. Click LOG IN

Prepare Edge cluster deployment for Bridging

Now you will deploy new edge vm and configure new edge cluster for Bridging. This edge will be used for maintaining L2 adjacency between the NSX-v backed Org VDC and the NSX-T backed Org VDC so that all the internal workloads connectivity can continue run during migration.

INFO: You have to create this edge VM in source side vsphere cluster (NSX-V)

Go to Transport Zones

Creating New tranport Zone for Bridging

  1. Go to System
  2. Expand Fabric in the left pane
  3. Select Transport Zones
  4. Click +ADD button to create new Transport Zone
Create New Transport Zone
  1. Set  the name to  Bridge-TZ
  2. Set theTraffic Type to  VLAN
  3. Click ADD
Go to Edge Transport Nodes

Deploy Edge VM for Bridging

  1. Go to System
  2. Expand Fabric in the left pane
  3. Select Nodes
  4. Select Edge Transport Nodes  in the right pane
  5. Click +ADD EDGE VM
Configure Name and Description
  1. Set the Name to Bridge-edge-vm
  2. Set Hostname/FQDN to edge-02.corp.local
  3. select Form factor to Small
  4. Expand Advanced Resource Reservations and scroll-down to Memory reservation field
  5. Set Memory Reservation : 0
  6. click Next

!!!CAUTION!!! Lab environment has limited resources hence we set Form Factor to small and Memory Reservation to 0, otherwise Edge VM Power On will fail. In production environments, you will pick Form Factor Large and leave Memory Reservation to default (100%)

Configure Credentials

Configure Credentials

  1. Set CLI Password : VMware1!VMware1!
  2. Set Allow SSH login : Yes
  3. Set System Root Password : VMware1!VMware1!
  4. Set Allow Root SSH login : Yes
  5. Click Next

!!!CAUTION!!! The Password Should be same to NSX-T manager's Password, otherwise the migration will fail

Configure Deployment

Configure Deployment

  1. Select Compute Manager : vcsa-01a.corp.local
  2. Select Cluster : Legacy Workloads
  3. Select Datastore : RegionA01-ISCSI01-COMP01
  4. click Next

!!!CAUTION!!! Bridge edge VM should be located in Source cluster backed by NSX-V PVDC (Legacy Workloads). This is to allow the bridge VM to maintain L2 adjacency between NSX-V Org VDCs and the NSX-T Org VDCs

Configure node settings
  1. Configure IP info
    • IP Assignment : Static
    • Management IP : 192.168.110.32/24
    • Default Gateway : 192.168.110.1
  2. Select Management Interface : Click Select interface and Select VM-RegionA01-vDS-COMP01
  3. Configure DNS and NTP
    • Search Domain Names : corp.local
    • DNS Servers : 192.168.110.10
    • NTP Servers : 192.168.100.1
  4. Then click Next
Configure NSX

Configure NSX

  1. Input Edge Switch Name : hol-nvds
  2. Select Transport Zone : TZ-HOL-Overlay
  3. Select UplinkProfile : nsx-edge-single-nic-uplink-profile
  4. Set IP Pool info
    • IP Assignment : Use IP Pool
    • IP Pool : HOL TEP Pool
  5. Teaming Policy Switch Mapping > uplink-1 : click Select Interface and select ESXi-RegionA01-vDS-COMP01
  6. click Finish

!!!CAUTION!!! Do not use default Edge switch name (e.g. nvds1). Edge Switch Name Should be "hol-nvds" following the Switch Name defined on the TZ-HOL-Overlay Transport Zone settings

INFO: Deploying Edge VM may takes several minutes. After deploying Edge VM is completed only then proceed to next step. Have a 15 minutes break :)

OR, you could proceed to creating the Tier-0 gateway here first before circling back

Go to Edge cluster
  1. Go to System
  2. Expand Fabric
  3. Select Nodes
  4. Select Edge Clusters
  5. Click +ADD
Create Edge Cluster for Bridging
  1. Set Name : Bridge-Edge-Cluster
  2. Transport Nodes > Edge nodes : Move Bridge-edge-vm to Selected pane using allow button
  3. Then click ADD

Create Dedicated Tier-0 router for destination NSX-T backed Provider VDC

We will create New Tier-0 router for target Org VDC in NSX-T. Dedicated Edge node and Edge cluster is already deployed in this lab for you.

Go to Tier-0 Gateways
  1. Go to Networking
  2. Select Tier-0 Gateways
  3. Click ADD GATEWAY
  4. Select Tier-0
Create Tier-0 gateway
  1. Input Tier-0 Gateway name : legacy-t0
  2. Select edge cluster : legacy-edge-cluster
  3. HA Mode : Active Standby
  4. Scroll down and click SAVE
Configure additional settings for New Tier-0 Gateway
  1. You can see the above message, click YES
Configure Interface
  1. Scroll down a little and expand INTERFACES
  2. Click Set
  1. Click ADD INTERFACE
  2. Set Name : uplink
  3. Type : leave in default (External)
  4. Input IP address/Mask :  192.168.100.8/24
  5. Select connected to (segment) : uplink
  6. Select Edge Node : legacy-edge
  7. Scroll down a little and click SAVE
  8. Then click the CLOSE

!!!CAUTION!!! You should hit the Enter key when you input ip address

Configure Static routes
  1. Expand ROUTING
  2. Click Set button for Static Routes
Configure Static Routes (continue)
  1. Click ADD STATIC ROUTE
  2. Set Name : default route
  3. Set Network : 0.0.0.0/0
  4. Click Set Next Hops
Configure Static Routes (continue) - Set Next Hops
  1. Click ADD NEXT HOP
  2. Input IP address 192.168.100.1 then press Enter key
  3. Click ADD
  4. Click APPLY
  5. Then you can return to the Static Route config window, click SAVE
  6. Click  CLOSE
  7. Then click CLOSE EDITING.

Login to VMware Cloud Director

  1. Select VCD - Provider  (vcd-01a.corp.local) in the favorite bar
  2. Input admin credential
    • ID : admin
    • PASSWORD : VMware1!
  3. click SIGN IN

Add the External Network in VMware Cloud Director Potral

Now you have to created a dummy port group in vCenter and new Tier-0 gateway in NSX-T, you will need to add them as external network in VMware Cloud Director Provider Portal.

Go to External Network
  1. Go to Resources
  2. Select Cloud Resources
  3. Select External Network
  4. Click NEW
Create External Network for Dummy Port Group

Create new external network for dummy DVS port group for bridging.

Configure Backing Type
  1. Select Backing type. : vSphere Resources > Distributed Port Groups
  2. Click NEXT
Configure General info
  1. Input name : dummy ext network
  2. Click NEXT
Select Port Groups
  1. Select Dummy-DPG
  2. Click NEXT
Configure gateway IP
  1. Click NEW
  2. Input Gateway CIDR : 169.254.250.1/24
  3. Click pencil icon for Static IP Pools

INFO: We've selected 169.254.250.0/24 segment as the dummy segment. It can be any IP range that is not used within your datacenter. There is no need to create that network within your datacenter.

  1. Enter an IP range : 169.254.250.10-169.254.250.20
  2. Click ADD
  3. Click SAVE
  4. Then you will return to the External network config menu, click NEXT
  5. Review the summary and click Finish
Create External Network for New Tier-0 Gateway

Now you will create  an external network for New Tier-0 Gateway (NSX-T) as destination.

Go to External Network
  1. Go to Resources
  2. Select Cloud Resources
  3. Select External Network
  4. Click NEW
Configure Backing Type
  1. Select NSX-T Resources (Tier-0 Router)
  2. Select a registerd NSX-T Manager : nsx-mgr.corp.local
  3. Click NEXT

INFO: We are using another Tier-0 router for the external network because there is a bug in the current v2T migrator tool that prevents us from leveraging on existing Tier-0s. This will be fixed in subsequent migrator tool releases.

Configure General info
  1. Enter the name : legacy ext network
  2. Click NEXT
Select Tier-0 Router
  1. select Tier-0 Router : legacy-t0
  2. click NEXT
Configure Gateway IP
  1. Click NEW
  2. Enter the Gateway CIDR : 192.168.100.1/24
  3. Click the pencil icon for the Static IP Pools
Configure Static IP Pools
  1. Enter an IP range : 192.168.100.250-192.168.100.250
  2. Click ADD
  3. Click SAVE
  4. then you will return to the External network config menu, click NEXT
  5. Review the summary and click Finish

INFO: The IP pool just has to be in the range of the NSX-V's external network IP pool. The external network IPs will be migrated and added into this IP pool by the migration tool.

Configuring UserInput.yml

Before you run vcdNSXMigrator tool, you have to update UserInput.yml yaml file

This yaml file includes Endpoints, Credentials and Source/Destination environment.

Go to vcdNSXMigrator Folder location

Open File Explorer and go to vcdNSXMigrator folder.

  1. Go to C:\vcdNSXMigrator folder
  2. Scroll down a little then you can see sampleUserInput.yml

Rename SampleUserInput.yml to UserInput.yml

  1. Right click sampleUserInput.yml file and select Rename
  2. Rename samspleUserInput.yml to UserInput.yml

Edit contents in UserInput.yml file

  1. Right-click UserInput.yml and select Edit with Notepad++
  2. Edit contents like the below , then save and exit Notepad++

Settings for UserInput.yml

---
VCloudDirector:
  Common:
    ipAddress: vcd-01a.corp.local 
    username: admin
    verify: False
  Organization:
    OrgName: stark
  SourceOrgVDC:
    OrgVDCName: stark-legacy
  NSXTProviderVDC:
    ProviderVDCName: nextgen-resources
    ExternalNetwork: legacy ext network
  NSXVProviderVDC:
    ProviderVDCName: legacy-resources
    ExternalNetwork: External Porgroup
    DummyExternalNetwork: dummy ext network
NSXT:
  Common:
    ipAddress: nsx-mgr.corp.local
    username: admin 
    verify: False
  EdgeClusterName: Bridge-Edge-Cluster
  TransportZone: 
    TransportZoneName: Bridge-TZ

Vcenter:
  Common:
    ipAddress: vcsa-01a.corp.local
    username: administrator@corp.local
    verify: False

Common:
  CertificatePath: /root/vcdNSXMigrator/caCert.pem # ca/self-signed certificate path for validation
  MaxThreadCount: 75 # Number of threads to be used for parallel processing
  TimeoutForVappMigration: 3600 # Timeout to be used for vapp migration task in seconds (Default value - 3600 seconds)

Pre-Migration Checks

The v2T migrator tool comes with a migration pre-checks to ensure that most pre-requisites are verified before actually performing the migration. This would provide administrators like yourself a higher confidence level before actually performing what might be a disruptive migration.

Run the vcdNSXMigrator with preCheck option

Open Command prompt and run vcdNSXMigrator with preCheck option

  1. Run Command Prompt in the start menu
  2. go to C:\vcdNSXMigrator and run vcdNSXMigrator.exe like the below
C:\> cd C:\vcdNSXMigrator
C:\vcdNSXMigrator> vcdNSXMigrator.exe --filepath=C:\vcdNSXMigrator\userInput.yml --preCheck

!!!CAUTION!!! The command is case-sensative. Please type the correct character (Middle 'C' is uppercase in preCheck )

  1. After executing the command, you have to enter several paswords for VCD, vCenter and NSX-T Manager
    • VMware Cloud Director password : VMware1!
    • NSX-T  password : VMware1!VMware1!
    • vCenter password : VMware1!

Pre-check Issues

You will see the above error message after you run vcdNSXMigrator as preCheck mode.

In your own environment, you may see different errors so you need to fix all issues before executing the actual migration.

Determine the preCheck failure reason from log files

To easily check the issues encountered:

  1. Go to the logs folder inside the vcdNSXMigrator folder
  2. Open the preCheck-Summary text file
  3. Determine the issue

In this Lab,  one unsupported config should be changed

INFO: As of now vcdNSXMigrator tool doesn't support fast provisioned Org VDC

Go to stark-legacy Org VDC in VCD Provider Portal

  1. Go to Resources in  VMware Cloud Director Provider Portal (VCD -Provider in the favorite bar of Chrome )
  2. Select Cloud Resources
  3. Select Organization VDCs
  4. Click stark-legacy Org VDC 

Edit Storage Policies in stark-legacy Org VDC

  1. Select Storage under the Policies
  2. click EDIT

Disable Fast provisioning

  1. Click on Fast provisioning toggle to disable
  2. Click SAVE

Re-run vcdNSXMigrator with preCheck option

Back to command prompt,

  1. Re-run vcdNSXMigrator with preCheck option:

C:\vcdNSXMigrator>vcdNSXMigrator.exe --filepath=C:\vcdNSXMigrator\UserInput.yml --preCheck

  1. Enter all passwords for VCD, NSX-T and vCenter
    • VMware Cloud Director Password :  VMware1!
    • NSX-T Password : VMware1!VMware1!
    • vCenter Password : VMware1!

If it's done successfully, you will see  This info message:

[INFO] | All the pre-migration validations have passed successfully

Access the stark-legacy Tenant Portal

Access the stark-legacy tenant portal by:

  1. Click on Resources
  2. Click on Cloud Resources tab
  3. Click on Organization VDCs on left pane
  4. Click on the pop-up button for stark-legacy

Pre-migration VM Connectivity Check

Verify the network connectivity for the VM :

  1. Click on VM Console for web-paris
  2. Type ifconfig in the VM's CLI and verify the IP address of the VM (172.16.30.22)
  3. Execute ping 192.168.110.10 to verify external world connectivity

Perform the same for web-singap where you ping 172.16.30.22 to verify L2 adjacency connectivity

Perform Migration

Now you are ready to migrate stark-legacy Org VDC from NSX-V Provider VDC to NSX-T Provider VDC

Let's use passwordFile option at this time.

After first run vcdNSXMigration (including preCheck), the migration tool creates a passwordFile for all credentials so that you can skip to enter the password steps

  1. Go to C:\vcdNSXMigrator
  2. Run vcdNSXMigrator using passwordFile
    C:\vcdNSXMigrator>vcdNSXMigrator.exe --filepath=C:\vcdNSXMigrator\userInput.yml --passwordFile=C:\vcdNSXMigrator\passfile

Post Migration Verify

If Migration is completed successfully, you can see the above message

TIPS: If the migration fails, the NSX Migration for VMware Cloud Director tool exits automatically. You can either remediate and rerun the migration, or perform the rollback. The NSX Migration for VMware Cloud Director tool will run from the last point of failure. During the remediation process, do not make any changes to the operation performed by the NSX Migration for VMware Cloud Director tool.

Verify Edge Gateway

Login to VCD - Provider portal

  1. Go to Resources
  2. Click on Cloud Resources
  3. Select Edge Gateways
  4. You can see  both types of gateways (NSX-T  and NSX-V)

Verify Org VDC

Login to VCD - Provider portal

  1. Go to Resources > Cloud Resources
  2. Select Organization VDCs
  3. You can see New org VDC backed by NSX-T  [stark-legacy-t] and old Org VDC [stark-legacy] with state changed to "Disabled"

Go to stark-legacy-t Org VDC tenant Portal

  1. Click pop-up button for stark-legacy-t to open tenant portal

Verify vAPP and VM Migrated to new Org VDC

You can see 3 virtual machines as Powered On status. These all VMs belongs to web-cities vapp.

Verify VM's North-South Network connectivity

We notice that there is 30% packet loss (559 packets / 11 minutes) for N-S traffic.

INFO: Once migrated, the Edge Gateway default firewall rule is any any deny. At the point of creating this lab, we're not sure whether its intentional or its a bug.

Verify VM's East-West Network Connectivity

We notice that there is 0% packet loss for E-W traffic.

Cleanup the old Org VDC from NSX-V PVDC

If post verification is done, perform cleanup to remove old org VDC from NSX-V PVDC.

Org VDC name will be changed to the original one after cleanup from stark-legacy-t -> stark-legacy (after removing the NSX-v Org VDC)

!!!CAUTION!!! There is no more rollback after this point

Execute vcdNSXMigrator Cleanup option

Go to the command prompt

  1. run vcdNSXMigrator using passwordFile
    C:\vcdNSXMigrator>vcdNSXMigrator.exe --filepath=C:\vcdNSXMigrator\userInput.yml --passwordFile=C:\vcdNSXMigrator\passfile --cleanup
  2. then remove the password file (C:\vcdNSXMigrator\passfile) for security reason
    C:\vcdNSXMigrator>del passfile

Test Yourself!

If you would like to test your own topology, feel free to. There are tiny CentOS VMs in the catalog for you to deploy and you are free to deploy it on any topology you like as long as the resources permit.

Create your own topology, create your own firewall rules, create your own NAT rules. Then migrate again.

!!!CAUTION!!! For every Org VDC Network you have (routed or isolated) in the Org VDC, you will need to have one Bridge Edge Node provisioned for each. In this lab, we have already provisioned one and we have sufficient resources for only one more.