Configuring Virtual Service Edge in an ESX NSX-T environment

ZIA Virtual Service Edge Cluster with vmware NSX-T

Virtual Service Edge (VSE) utilizes the CARP protocol, which is the public domain version of the VRRP protocol, for high availability across multiple virtual service edges. In a nutshell, each VSE has a unique management IP, a proxy IP, a load balancer IP, and a shared cluster IP. The CARP protocol is responsible for making the cluster IP representative of the VSE that will proxy traffic at that time.

Changes to ESX must be configured to support CARP, as outlined in our guide for Configuring Virtual Service Edge Clusters. The referenced terms that are specific to ESX changes when the NSX-T overlay is deployed.

ESX/VCenter: Port Group := NSX: Segment

ESX/VCenter: Promiscuous mode := Unknown Unicast Flooding

ESX/VCenter: MAC Address Changes := MAC Change

ESX/VCenter: Forged Transmits := MAC Learning

In order to get the Virtual Service Edge CARP protocol working with ESX with NSX-T:

  1. Create a MAC Discovery Profile Segment
  2. Configure MAC Learning
  3. Assign the MAC Discovery Profile to the NSX Segment
  4. Provision the Virtual Service Edge machines to that segment
  5. Continue with the guide for Configuring Virtual Service Edge Clusters omitting the ESX specific configuration tasks.


1 Like