ZIA Virtual Service Edge Cluster with VMware NSX-T
Virtual Service Edge (VSE) uses the CARP protocol, which is the public domain version of the VRRP protocol, for high availability across multiple Virtual Service Edges. In a nutshell, each VSE has a unique management IP, a proxy IP, a load balancer IP, and a shared cluster IP. The CARP protocol is responsible for making the cluster IP represent the VSE that proxies traffic at any given time.
ESX must be configured to support CARP, as outlined in our guide for Configuring Virtual Service Edge Clusters. The ESX-specific terms referenced in that guide change when the NSX-T overlay is deployed:
- ESX/vCenter: Port Group := NSX: Segment
- ESX/vCenter: Promiscuous mode := Unknown Unicast Flooding
- ESX/vCenter: MAC Address Changes := MAC Change
- ESX/vCenter: Forged Transmits := MAC Learning
To get the Virtual Service Edge CARP protocol working on ESX with NSX-T:
- Create a MAC Discovery Profile Segment
- Configure MAC Learning
- Assign the MAC Discovery Profile to the NSX Segment
- Provision the Virtual Service Edge machines to that segment
- Continue with the guide for Configuring Virtual Service Edge Clusters, omitting the ESX-specific configuration tasks.
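
The following Python example is added here and is not from the original guide: it builds NSX-T Policy API request bodies for the profile and its segment binding from the ESX-to-NSX mapping above, then audits an inventory to confirm the relaxed MAC settings reach only the VSE segment. It assumes all three mapped settings are enabled for CARP; the profile and segment ids are hypothetical.

```python
# Added example. Field names follow the NSX-T Policy API MacDiscoveryProfile and
# SegmentDiscoveryProfileBindingMap schemas (verify against your NSX version);
# profile ids, segment ids and the inventory below are constructed.

# ESX security setting -> NSX MAC Discovery Profile field (mapping from the page)
ESX_TO_NSX = {
    "Promiscuous mode": "unknown_unicast_flooding_enabled",
    "MAC Address Changes": "mac_change_enabled",
    "Forged Transmits": "mac_learning_enabled",
}
REQUIRED = list(ESX_TO_NSX.values())
PREFIX = "/infra/mac-discovery-profiles/"

def build_profile(profile_id):
    """Body for PATCH /policy/api/v1/infra/mac-discovery-profiles/<profile_id>."""
    body = {"resource_type": "MacDiscoveryProfile", "id": profile_id}
    body.update({field: True for field in REQUIRED})
    return body

def build_binding(profile_id):
    """Body for PATCH /policy/api/v1/infra/segments/<segment>/
    segment-discovery-profile-binding-maps/<map>."""
    return {"resource_type": "SegmentDiscoveryProfileBindingMap",
            "mac_discovery_profile_path": PREFIX + profile_id}

def audit(profiles, bindings, vse_segment):
    """Return (missing, overexposed): settings still disabled on the VSE segment's
    profile, and other segments whose profile enables any of them."""
    by_path = {PREFIX + p["id"]: p for p in profiles}
    missing, overexposed = list(REQUIRED), []
    for segment, binding in bindings.items():
        profile = by_path.get(binding["mac_discovery_profile_path"], {})
        enabled = [f for f in REQUIRED if profile.get(f)]
        if segment == vse_segment:
            missing = [f for f in REQUIRED if f not in enabled]
        elif enabled:
            overexposed.append(segment)
    return missing, sorted(overexposed)

# Constructed inventory: the relaxed profile is also bound to a user segment.
PROFILES = [build_profile("vse-carp-macdisc"),
            {"id": "strict-macdisc", **{f: False for f in REQUIRED}}]
BINDINGS = {"seg-vse": build_binding("vse-carp-macdisc"),
            "seg-users": build_binding("vse-carp-macdisc"),
            "seg-db": build_binding("strict-macdisc")}

if __name__ == "__main__":
    print(audit(PROFILES, BINDINGS, "seg-vse"))  # -> ([], ['seg-users'])
```

A non-empty second element means MAC learning, MAC change or unknown unicast flooding is active on a segment that does not host the VSE cluster; give such segments their own profile.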