Configure an NSX-T overlay network on a Windows 2016 bare metal server.
In this article, I will show you how to prepare your Windows 2016 bare metal server to be configured as a transport node in NSX-T and how to configure an NSX-T overlay segment on a Windows 2016 bare metal server. By configuring your bare metal server as a transport node, you will be able to secure your workload with NSX-T.
Requirements
- The NSX kernel module for Windows Server 2016 bare metal – url
- Ansible playbook version equal to or greater than 2.5.0 (for Windows) or 2.4.3.0 (for other platforms)
- The BMS Ansible playbooks. (choose the branch that is compatible with your NSX-T version) – url
- An overlay segment.
- A Windows 2016 bare metal server with 4 CPUs and 16 GB RAM.
Prepare the Windows 2016 bare metal server.
In order to secure a Windows 2016 bare metal server, we need to do some preparations. Let’s start by making sure that your Windows 2016 server is up-to-date. I experienced some strange behavior when I tried to add the bare metal server as a transport node in NSX-T. After upgrading the Windows 2016 server with the latest updates, I was able to successfully add the server as a transport node in NSX-T.
Install NSX-T Kernel module
We can now proceed with installing the NSX kernel module on the Windows Server 2016 bare metal server. Make sure to download the NSX kernel module for Windows Server 2016 in the same version as your NSX-T instance. Start the installation of the NSX kernel module by executing the .exe file.
Configure WinRM
We need to enable WinRM on the bare metal server to allow communication between third party software and hardware. VMware have already published a script to do so.
Open a Powershell prompt (run as administrator) and execute the following command:
wget -o ConfigureWinRMService.ps1 https://raw.githubusercontent.com/vmware/bare-metal-server-integration-with-nsxt/master/bms-ansible-nsx/windows/ConfigureWinRMService.ps1
After successfully retrieving the Powershell script from the VMware GitHub, we can now execute the file to configure WinRM.
powershell.exe -ExecutionPolicy ByPass -File ConfigureWinRMService.ps1
According to the following documentation from VMware, we need to execute some manual WinRM commands to configure certain settings, but you can ignore that step because that has already been set by the ConfigureWinRMService.ps1 script.
Run the following command to verify the configured WinRM listeners:
winrm e winrm/config/listener
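The listener list only shows that WinRM is reachable; the transport, the listener certificate and the service authentication switches decide how the Ansible credentials are protected on the wire. The PowerShell function below is an added example, not part of the original article or of VMware's script, that summarises those settings after ConfigureWinRMService.ps1 has run. Get-WinRMPosture is a hypothetical name, and the function only reads the built-in WSMan: and Cert: provider paths.

```powershell
# Added example (not from the article or VMware): summarise the WinRM settings
# that matter once Ansible starts sending credentials to this server.
# Run from an elevated PowerShell prompt on the bare metal server.
function Get-WinRMPosture {
    $report = @()

    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        # A listener is a container; its child items hold Transport, Port, etc.
        $p = @{}
        Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" |
            ForEach-Object { $p[$_.Name] = $_.Value }

        $note = 'HTTP: relies on message-level encryption (none with Basic auth)'
        if ($p.Transport -eq 'HTTPS') {
            $cert = Get-Item "Cert:\LocalMachine\My\$($p.CertificateThumbprint)" -ErrorAction SilentlyContinue
            if (-not $cert)                         { $note = 'HTTPS: certificate not found in LocalMachine\My' }
            elseif ($cert.NotAfter -lt (Get-Date))  { $note = "HTTPS: certificate expired $($cert.NotAfter)" }
            elseif ($cert.Subject -eq $cert.Issuer) { $note = 'HTTPS: self-signed, clients must pin it or skip validation' }
            else                                    { $note = "HTTPS: certificate valid until $($cert.NotAfter)" }
        }
        $report += [pscustomobject]@{
            Setting = "Listener $($p.Transport)/$($p.Port)"; Value = $p.Address; Note = $note
        }
    }

    # Service-level switches; the WSMan provider returns them as 'true'/'false' strings.
    $checks = [ordered]@{
        'Service\AllowUnencrypted' = 'unencrypted sessions are accepted over HTTP'
        'Service\Auth\Basic'       = 'Basic auth is accepted; only safe behind HTTPS'
        'Service\Auth\CredSSP'     = 'delegated credentials can be exposed on this host'
    }
    foreach ($path in $checks.Keys) {
        $value = (Get-Item "WSMan:\localhost\$path").Value
        $note  = if ($value -eq 'true') { $checks[$path] } else { 'disabled' }
        $report += [pscustomobject]@{ Setting = $path; Value = $value; Note = $note }
    }
    $report
}

Get-WinRMPosture | Format-Table -AutoSize -Wrap
```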
Configure the bare metal server as a transport node in NSX-T
Create an uplink profile for the bare metal servers
Before we add the bare metal server as a transport node, we need to create a new uplink profile that we are going to use for the bare metal servers.
The Windows 2016 bare metal server is a VM in my test lab with 2 network adapters, one NIC in the management VLAN and the other one in a trunked portgroup.
We can now proceed with adding the Windows 2016 bare metal server as a transport node in NSX-T. In the NSX-T web GUI, go to System –> Fabric –> Nodes and click on +ADD.
In the “Add Transport Node” wizard, add the required information from the Windows 2016 bare metal server and click on next.
On the next page of the “Add Transport Node” wizard, select the Transport Zone, Uplink Profile and IP Assignment and click on Next.
NSX-T will start with preparing and configuring the Windows 2016 bare metal server. This could take a few minutes.
If everything went fine, you will see success in the configuration state column. In Windows you will see that there are two extra NICs available that will be used for the VTEP and overlay network.
Configure the application interface with Ansible.
We will now configure the application interface with the Ansible playbooks that are available on GitHub. You need to have Ansible installed in your environment. In my case, I have Cygwin Terminal with Ansible installed, which I will run the Ansible playbooks with.
The only file you need to edit is the win_hosts file. You have 3 ways to configure the application interface.
- Static
  Enable static configuration on Application Interface;
- Dhcp
  Enable dhcp configuration on Application Interface;
- Migration
  This mode supports Management and Application sharing the same IP;
  Enable migration mode on Application Interface; Also named as “underlay mode” or “VLAN-0 mode”;
In my lab, I will use the static option to configure the application interface. In the example below, you will see a snippet of the win_hosts file. I defined the management IP of my bare metal server with the overlay segment name, IP address and netmask which it needs to have.
# host group for servers
[servers_static]
10.0.10.99 ls_name=Mgmt-RegionA01-VXLAN static_ip=10.50.0.99 netmask=255.255.255.0
We are now going to verify the network configurations on the Windows 2016 bare metal server by running the following command:
Get-NetIPAddress | where-object{($_.AddressFamily -like "IPV4") -and ($_.InterfaceAlias -like "Eth*")}
Final words
You might not see your bare metal VTEP address in the transport node overview. According to VMware this is a bug in NSX-T. Another bug I ran into is that the routing table parameters in the Ansible playbook were not working. So routing configurations must be manually configured on your bare metal server.
I hope that this article helps you a bit in securing your Windows 2016 bare metal server with NSX-T.