Network segments are logical networks for use by workload VMs in the SDDC compute network.

VMware Cloud on AWS supports three types of network segments: routed, extended and disconnected.
  • A routed network segment (the default type) has connectivity to other logical networks in the SDDC and, through the SDDC firewall, to external networks.
  • An extended network segment extends an existing L2VPN tunnel, providing a single IP address space that spans the SDDC and an on-premises network.
  • A disconnected network segment has no uplink, and provides an isolated network accessible only to VMs connected to it. Disconnected segments are designed so they can be toggled between routed and disconnected, so they need to be configured to work in either mode. Disconnected segments are created when needed by VMware HCX (see Getting started with VMware HCX).

See VMware Configuration Maximums for limits on segments per SDDC and network connections per segment.

SDDCs are created without a default network segment, so you must create at least one for your workload VMs. When you create a segment, you start by configuring some basic parameters and specifying how DHCP requests are handled on the segment. After the segment has been created, you can take additional, optional steps to view the segment profile and create DHCP static bindings.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow.
  4. Open the Segments page.

    To create a new segment, click ADD SEGMENT and give the new segment a Name and optional Description. See Enabling and Using IPv6 in SDDC Networks for additional information about creating IPv6 or dual-stack segments.

    To modify a segment, click its Actions menu button and choose Edit. You can modify all segment properties, including segment type, and you can edit or delete the segment's DHCP configuration. To delete a segment, click its Actions menu button and choose Delete.
    Important: You cannot disable or delete a segment of any type if it has attached VMs or VIFs. Disconnect attached VMs and VIFs before deleting the segment.
  5. Specify a segment type and connected gateway in the Connected Gateway drop-down, then fill in the required configuration parameters.

    In the default configuration, only the Compute Gateway can be selected as the Connected Gateway. See Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC for information about creating additional Tier-1 gateways in your SDDC. Networks configured on segments connected to a secondary Tier-1 gateway will not be advertised to Direct Connect, SDDC Group (VTGW) or ESXi management hosts by default. To establish that connectivity, define a route aggregation that includes those networks. See Aggregate and Filter Routes to Uplinks.

    Parameter requirements depend on the segment type.

    Table 1. Routed Segment Configuration Parameters
    Parameter Value
    VPN Tunnel ID N/A for Routed or Disconnected segment types.
    Subnets

    Specify an IP address to use as the gateway, along with a subnet mask that defines the size of the network, in CIDR format. The gateway address cannot be the first or last IP within the CIDR block, because those are reserved as the network address and broadcast address of the segment. For example, to define the subnet represented by 192.168.1.0/24 with a gateway of 192.168.1.1, enter 192.168.1.1/24 in this field.

    The address range you specify here must not overlap your SDDC management network, any of the CIDR blocks listed in Reserved Network Addresses, or any of the subnets in the Connected Amazon VPC. If any part of the block is in public IP space, it must be in a range that has been allocated for your use by IANA or a regional internet registry.

    URPF Mode Choose Strict to apply Unicast Reverse Path Forwarding (URPF) strict mode, as defined in RFC 3704, or None to turn off URPF for this segment.
    SET DHCP CONFIG

    Routed segments default to using the Compute Gateway DHCP server. Per-segment DHCP configuration, including DHCP relay, can be specified when you create or update the segment. See Configure Segment DHCP Properties.

    Domain Name (Optional) Enter a fully qualified domain name. Static bindings on the segment automatically inherit this domain name.
    Tags

    See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.

    Table 2. Extended Segment Configuration Parameters
    Parameter Value
    VPN Tunnel ID Specify the tunnel ID of an existing L2VPN tunnel. N/A for Routed or Disconnected segment types. If you have not already created an L2VPN, see Configure a Layer 2 VPN Tunnel in the SDDC.
    Subnets N/A for Extended segments.
    URPF Mode Choose Strict to apply Unicast Reverse Path Forwarding (URPF) strict mode, as defined in RFC 3704, or None to turn off URPF for this segment.
    Domain Name (Optional) Enter a fully qualified domain name. Static bindings on the segment automatically inherit this domain name.
    Tags

    See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.

    Table 3. Disconnected Segment Configuration Parameters
    Parameter Value
    VPN Tunnel ID N/A for Routed or Disconnected segment types.
    Subnets

    Specify an IP address to use as the gateway, along with a subnet mask that defines the size of the network, in CIDR format. The gateway address cannot be the first or last IP within the CIDR block, because those are reserved as the network address and broadcast address of the segment. For example, to define the subnet represented by 192.168.1.0/24 with a gateway of 192.168.1.1, enter 192.168.1.1/24 in this field.

    The address range you specify here must not overlap your SDDC management network, any of the CIDR blocks listed in Reserved Network Addresses, or any of the subnets in the Connected Amazon VPC. If any part of the block is in public IP space, it must be in a range that has been allocated for your use by IANA or a regional internet registry.

    Note:

    Disconnected segments can be toggled between routed and disconnected, so the gateway and subnet should be defined here with that in mind even though they will not be used or advertised as long as the segment remains disconnected.

    Domain Name (Optional) Enter a fully qualified domain name. Static bindings on the segment automatically inherit this domain name.
    URPF Mode Choose Strict to apply Unicast Reverse Path Forwarding (URPF) strict mode, as defined in RFC 3704, or None to turn off URPF for this segment.
    Tags

    See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.

  6. Click SAVE to create or update the segment.
    Click YES if you want to continue with segment configuration. If you click NO, you can edit the segment later if you need to.
    The system creates the requested segment. This operation can take up to 15 seconds to complete. When the segment Status transitions to Up, the segment is ready for use. If the segment Status is Down, click the information icon for more information about the cause of the problem.
  7. (Optional) Click SEGMENT PROFILES to view profiles for the segment.
    Every segment has a read-only profile that specifies how it handles IP discovery, MAC discovery, and related security controls. Key settings include:
    • Promiscuous mode is not supported.
    • Forged transmits are not supported.
    • MAC Learning is not supported. Only a single MAC address can be used on a NIC connected to the segment.
    • BPDU filtering is turned on.
    • IP address discovery (which affects the IPs added to groups using dynamic membership) is set to Trust on First Use. Detection uses ARP and DHCP snooping, as well as VMware Tools. See Understanding IP Discovery Segment Profile in the NSX Data Center Administration Guide.
    See Enabling and Using IPv6 in SDDC Networks for additional information about profiles for IPv6 or dual-stack segments.
  8. (Optional) Configure DHCP STATIC BINDINGS.
    1. Click Set to specify static bindings for VMs on the segment.
      Click ADD IPV4 STATIC BINDING, then give the binding a Name and specify an IPv4 address included in the segment and a MAC address. When a VM with the specified MAC address is powered on and connected to the segment, it receives the specified address. Click SAVE to create the binding, then add another binding or click APPLY to apply the specified static bindings to the segment.
    2. Click DHCP Options to specify DHCP Classless Static Routes (Option 121) and Generic Options.
      • Each classless static route option in DHCP for IPv4 can have multiple routes with the same destination. Each route includes a destination subnet, subnet mask, and next hop router. See RFC 3442 for information about classless static routes in DHCPv4. You can add a maximum of 127 classless static routes on a DHCPv4 server.
      • To add a Generic Option, select the option code and enter the option value. Binary values must be entered in base-64 encoded form.
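The subnet rules in Tables 1 and 3 and the static-binding rules in step 8 are easy to get wrong when segments are created in bulk, so the following Python applies them offline and emits the request bodies you would PATCH to the NSX Policy API (`/policy/api/v1/infra/tier-1s/cgw/segments/<segment-id>` and its `dhcp-static-binding-configs/<binding-id>` child) instead of clicking through the UI. This is an added example, not VMware code or a documented VMC tool. The field names follow the NSX Policy API `Segment` and `DhcpV4StaticBindingConfig` schemas as the author knows them and are assumptions to verify against the API reference for your SDDC version; the management CIDR, VPC subnet and all addresses are constructed, and the blocks from Reserved Network Addresses are not embedded, so pass them in.

```python
"""Build and sanity-check VMware Cloud on AWS segment requests offline.

Added example, not VMware code. NSX Policy API field names are assumptions
to check against your SDDC's API reference. All addresses are constructed.
"""
import ipaddress
import re

CGW_PATH = "/infra/tier-1s/cgw"   # default Compute Gateway (assumed Tier-1 path)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def validate_gateway(gateway_cidr, forbidden_cidrs=()):
    """Apply the Subnets rules: the gateway may not be the network or broadcast
    address and the block may not overlap management, reserved or VPC ranges.
    Returns the ip_interface; raises ValueError on any violation."""
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    if isinstance(net, ipaddress.IPv4Network):
        if net.prefixlen > 30:
            raise ValueError(f"{gateway_cidr}: no usable host addresses in block")
        if iface.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{gateway_cidr}: gateway is the network/broadcast address")
    for blk in forbidden_cidrs:
        if net.overlaps(ipaddress.ip_network(blk)):
            raise ValueError(f"{gateway_cidr}: overlaps reserved/management/VPC block {blk}")
    return iface


def segment_body(name, kind, gateway_cidr=None, tunnel_id=None, forbidden_cidrs=(),
                 urpf="STRICT", domain_name=None, tags=()):
    """JSON body for PATCH .../infra/tier-1s/cgw/segments/<segment-id>.
    kind is ROUTED, EXTENDED or DISCONNECTED, mirroring the UI segment types."""
    if kind not in ("ROUTED", "EXTENDED", "DISCONNECTED"):
        raise ValueError("kind must be ROUTED, EXTENDED or DISCONNECTED")
    if urpf not in ("STRICT", "NONE"):
        raise ValueError("urpf must be STRICT or NONE")
    body = {
        "display_name": name,
        "connectivity_path": CGW_PATH,
        # advanced_config.connectivity OFF is the assumed API form of "disconnected"
        "advanced_config": {"urpf_mode": urpf,
                            "connectivity": "OFF" if kind == "DISCONNECTED" else "ON"},
    }
    if kind == "EXTENDED":
        # Extended segments need an existing L2VPN tunnel ID and take no subnet (Table 2)
        if tunnel_id is None or gateway_cidr is not None:
            raise ValueError("EXTENDED segment needs a VPN tunnel ID and no subnet")
        body["l2_extension"] = {"tunnel_id": int(tunnel_id)}
    else:
        # Disconnected segments still carry a subnet so they can be toggled to routed (Table 3)
        if gateway_cidr is None:
            raise ValueError(f"{kind} segment needs a gateway address in CIDR form")
        gw = validate_gateway(gateway_cidr, forbidden_cidrs)
        body["subnets"] = [{"gateway_address": str(gw)}]
    if domain_name:
        body["domain_name"] = domain_name
    if tags:
        body["tags"] = [{"scope": scope, "tag": tag} for scope, tag in tags]
    return body


def static_binding_body(name, ip, mac, segment, static_routes=(), generic=()):
    """JSON body for PATCH .../segments/<segment-id>/dhcp-static-binding-configs/<binding-id>.
    static_routes: (destination_cidr, next_hop) pairs -> Option 121 (RFC 3442).
    generic: (code, [values]) pairs; binary values must already be base64 text."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac}")
    addr = ipaddress.ip_address(ip)
    gw = ipaddress.ip_interface(segment["subnets"][0]["gateway_address"])
    net = gw.network
    if addr not in net or addr in (net.network_address, net.broadcast_address, gw.ip):
        raise ValueError(f"{ip} is not a usable, non-gateway host address in {net}")
    if len(static_routes) > 127:
        raise ValueError("at most 127 classless static routes per DHCPv4 server")
    body = {"resource_type": "DhcpV4StaticBindingConfig", "display_name": name,
            "ip_address": str(addr), "mac_address": mac}
    options = {}
    if static_routes:
        options["option121"] = {"static_routes": [
            {"network": str(ipaddress.ip_network(dst)), "next_hop": str(ipaddress.ip_address(hop))}
            for dst, hop in static_routes]}
    if generic:
        options["others"] = [{"code": int(code), "values": list(vals)} for code, vals in generic]
    if options:
        body["options"] = options
    return body


if __name__ == "__main__":
    import json
    FORBIDDEN = ["10.2.0.0/16", "172.31.0.0/16"]   # constructed: SDDC management CIDR, VPC subnet
    seg = segment_body("app-tier", "ROUTED", "192.168.1.1/24", forbidden_cidrs=FORBIDDEN,
                       domain_name="app.example.internal", tags=[("env", "prod")])
    bind = static_binding_body("app01", "192.168.1.10", "00:50:56:AB:CD:EF", seg,
                               static_routes=[("10.20.0.0/16", "192.168.1.254")])
    print(json.dumps({"segment": seg, "binding": bind}, indent=2))
```

Send the bodies with the NSX Manager account from step 3; the example deliberately stops at validation and payload construction so that nothing reaches the SDDC until the addresses have passed the overlap check, which is the error that is hardest to undo once VMs are attached.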

What to do next

After a segment has been created and its Status is Up, you can click VIEW STATISTICS to view statistics for network traffic to and from the segment. Statistics begin at segment creation. You can click VIEW RELATED GROUPS to see a list of groups that include this segment. For more information, see Add a Group in the NSX Data Center Administration Guide.