Network segments are logical networks for use by workload VMs in the SDDC compute network.

VMware Cloud on Public Cloud supports three types of network segments: routed, extended and disconnected.
  • A routed network segment (the default type) has connectivity to other logical networks in the SDDC and, through the SDDC firewall, to external networks.
  • An extended network segment extends an existing L2VPN tunnel, providing a single IP address space that spans the SDDC and an on-premises network.

    If L2VPN is not activated in your SDDC, and you want to activate it, contact your account team.

  • A disconnected network segment has no uplink, and provides an isolated network accessible only to VMs connected to it. You can create disconnected segments and convert them to other segment types.

See VMware Configuration Maximums for limits on segments per SDDC and network connections per segment.

Depending on your hyperscale cloud provider, a Single Host Starter SDDC might be created with a single routed network segment named sddc-cgw-network-1. Multi-host SDDCs are created without a default network segment, so you must create at least one for your workload VMs. When you create a segment, you start by configuring some basic parameters and specifying how DHCP requests are handled on the segment. After the segment has been created, you can take additional, optional steps to view segment profiles and create DHCP static bindings.

Note:

For some hyperscale cloud providers, you must follow additional steps to configure north-south traffic. For more information, see your hyperscale cloud provider documentation.

Procedure

  1. With CloudAdmin privileges, log in to NSX Manager.
  2. Open the Segments page.

    To create a new segment, click ADD SEGMENT and give the new segment a Name and optional Description.

    To delete or modify a segment, click its Actions menu button and choose Edit. You can modify all segment properties, including segment type. You can also edit or delete the segment's DHCP configuration.
    Important: You cannot disable or delete a segment of any type if it has attached VMs. Disconnect attached VMs before deleting the segment.
  3. Specify a segment type and connected gateway in the Connected Gateway drop-down, then fill in the required configuration parameters.

    In the default configuration, only the Compute Gateway can be selected as the Connected Gateway. See Add a Tier-1 Gateway for information about creating additional Tier-1 gateways in your SDDC. Networks configured on segments connected to a secondary Tier-1 gateway will not be advertised to a dedicated high bandwidth, low latency connection or ESXi management hosts by default. To establish that connectivity, define a route aggregation that includes those networks.

    Parameter requirements depend on the segment type.

    Table 1. Routed Segment Configuration Parameters

    | Parameter | Value |
    |---|---|
    | VPN Tunnel ID | N/A for Routed or Disconnected segment types. |
    | Subnets | Specify an IPv4 CIDR block for the segment. The block must not overlap your management network, or any of the CIDR blocks listed in Reserved Network Addresses. If any part of the block is in a public IP space, it must be in one that has been allocated for your use by IANA or another regional internet registry. |
    | URPF Mode | Choose Strict to apply Unicast Reverse Path Forwarding (URPF) strict mode, as defined by RFC 3704, or None to turn off URPF for this subnet. |
    | SET DHCP CONFIG | Routed segments default to using the Compute Gateway DHCP server. Per-segment DHCP configuration, including DHCP relay, can be specified when you create or update the segment. See Configure Segment DHCP Properties. |
    | Domain Name | (Optional) Enter a fully qualified domain name. Static bindings on the segment automatically inherit this domain name. |
    | Tags | See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects. |

    Table 2. Extended Segment Configuration Parameters

    | Parameter | Value |
    |---|---|
    | VPN Tunnel ID | Specify the tunnel ID of an existing L2VPN tunnel. N/A for Routed or Disconnected segment types. If you have not already created an L2VPN, see Configure a Layer 2 VPN Tunnel in the SDDC. |
    | Subnets | N/A for Extended segments. |
    | URPF Mode | Choose Strict to apply Unicast Reverse Path Forwarding (URPF) strict mode, as defined by RFC 3704, or None to turn off URPF for this subnet. |
    | Domain Name | (Optional) Enter a fully qualified domain name. Static bindings on the segment automatically inherit this domain name. |
    | Tags | See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects. |

    Table 3. Disconnected Segment Configuration Parameters

    | Parameter | Value |
    |---|---|
    | VPN Tunnel ID | N/A for Routed or Disconnected segment types. |
    | Subnets | Specify an IPv4 CIDR block for the segment. The block must not overlap your management network, or any of the CIDR blocks listed in Reserved Network Addresses. If any part of the block is in a public IP space, it must be in one that has been allocated for your use by IANA or another regional internet registry. |
    | Domain Name | (Optional) Enter a fully qualified domain name. Static bindings on the segment automatically inherit this domain name. |
    | URPF Mode | Choose Strict to apply Unicast Reverse Path Forwarding (URPF) strict mode, as defined by RFC 3704, or None to turn off URPF for this subnet. |
    | Tags | See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects. |

  4. Click SAVE to create or update the segment.
    Click YES if you want to continue with segment configuration. If you click NO, you can edit the segment later if you need to.
    The system creates the requested segment. This operation can take up to 15 seconds to complete. When the segment Status transitions to Up, the segment is ready for use. If the segment Status is Down, you can click the information icon for more information about the cause of the problem.
  5. (Optional) Click SEGMENT PROFILES to view profiles for the segment.
    Every segment has a read-only profile that specifies how it handles IP discovery, MAC discovery, and related security controls. Key settings include:
    • Promiscuous mode is not supported.
    • MAC Learning is not supported. Only a single MAC address can be used on a NIC connected to the segment.
    • BPDU filtering is turned on.
    • IP address discovery (which affects the IPs added to groups using dynamic membership) is set to Trust on First Use. Detection uses ARP and DHCP snooping, as well as VMware Tools. See Understanding IP Discovery Segment Profile in the NSX Data Center Administration Guide.
  6. (Optional) Configure DHCP STATIC BINDINGS.
    1. Click Set to specify static bindings for VMs on the segment.
      Click ADD IPV4 STATIC BINDING, then give the binding a Name and specify an IPv4 address included in the segment and a MAC address. When a VM with the specified MAC address is powered on and connected to the segment, it receives the specified address. Click SAVE to create the binding, then add another binding or click APPLY to apply the specified static bindings to the segment.
    2. Click DHCP Options to specify DHCP Classless Static Routes (Option 121) and Generic Options.
      • Each classless static route option in DHCP for IPv4 can have multiple routes with the same destination. Each route includes a destination subnet, subnet mask, and next hop router. See RFC 3442 for information about classless static routes in DHCPv4. You can add a maximum of 127 classless static routes on a DHCPv4 server.
      • To add Generic Options, select the option code and enter a value for the option. Binary values must be entered in base-64 encoded format.
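
The RFC 3442 wire encoding behind Option 121, with a decoder for reviewing the routes a DHCP server hands to workloads, as an added example that is not VMware code. The function names and the sample routes are assumptions made for illustration; `as_base64` shows the form a binary option value takes when it is entered base-64 encoded.

```python
import base64
import ipaddress

MAX_ROUTES = 127  # per-server limit stated in the step above


def encode_option_121(routes):
    """routes: list of (destination CIDR, next-hop IPv4). Returns option bytes."""
    if len(routes) > MAX_ROUTES:
        raise ValueError(f"{len(routes)} routes exceeds the limit of {MAX_ROUTES}")
    out = bytearray()
    for destination, next_hop in routes:
        net = ipaddress.IPv4Network(destination)  # rejects host bits set
        octets = (net.prefixlen + 7) // 8         # significant octets only
        out.append(net.prefixlen)
        out += net.network_address.packed[:octets]
        out += ipaddress.IPv4Address(next_hop).packed
    return bytes(out)


def decode_option_121(value):
    """Inverse of encode_option_121, for reviewing what a server hands out."""
    routes, i = [], 0
    while i < len(value):
        prefixlen = value[i]
        octets = (prefixlen + 7) // 8
        end = i + 1 + octets + 4
        if prefixlen > 32 or end > len(value):
            raise ValueError(f"malformed route at offset {i}")
        dest = value[i + 1:i + 1 + octets].ljust(4, b"\x00")
        net = ipaddress.IPv4Network((dest, prefixlen))
        router = ipaddress.IPv4Address(value[end - 4:end])
        routes.append((str(net), str(router)))
        i = end
    return routes


def as_base64(value):
    """Render raw option bytes in the base-64 form used for binary values."""
    return base64.b64encode(value).decode("ascii")


# Constructed sample routes (not from the page).
SAMPLE = [("10.20.0.0/16", "192.168.1.1"), ("0.0.0.0/0", "192.168.1.254")]
```

Decoding a captured Option 121 value and comparing it with the routes you configured is a quick way to confirm that workloads receive only the next hops you intended.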

What to do next

After a segment has been created and has a status of Success, you can click VIEW STATISTICS to view statistics for network traffic to and from the segment. You can click VIEW RELATED GROUPS to see a list of groups that include this segment. For more information, see Add a Group in the NSX Data Center Administration Guide.
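
A pre-flight check for the Subnets rule in step 3 and the static-binding rule in step 6, as an added example that is not VMware code. `MANAGEMENT` and `RESERVED` are constructed placeholders: substitute your SDDC management CIDR and the blocks from Reserved Network Addresses. The duplicate IP and MAC checks are an added assumption, not a rule stated on this page.

```python
import ipaddress

# Constructed placeholders, not the real management or reserved ranges.
MANAGEMENT = "10.2.0.0/16"
RESERVED = ["10.0.0.0/15", "100.64.0.0/16"]


def check_segment_cidr(cidr, management=MANAGEMENT, reserved=RESERVED):
    """Return findings for a proposed segment block; an empty list passes."""
    seg = ipaddress.IPv4Network(cidr, strict=False)  # accepts gateway/prefix form
    findings = []
    if seg.overlaps(ipaddress.IPv4Network(management)):
        findings.append(f"{seg} overlaps management network {management}")
    for block in reserved:
        if seg.overlaps(ipaddress.IPv4Network(block)):
            findings.append(f"{seg} overlaps reserved block {block}")
    if not seg.is_private:
        # Not wholly inside the private ranges known to Python's ipaddress.
        findings.append(f"{seg} is not private space; confirm it is allocated to you")
    return findings


def check_bindings(cidr, bindings):
    """bindings: iterable of (name, ipv4, mac). Return a list of findings."""
    seg = ipaddress.IPv4Network(cidr, strict=False)
    findings, seen_ip, seen_mac = [], set(), set()
    for name, ip, mac in bindings:
        addr = ipaddress.IPv4Address(ip)
        mac = mac.lower().replace("-", ":")  # normalise before comparing
        if addr not in seg:
            findings.append(f"{name}: {addr} is outside {seg}")
        if addr in seen_ip:
            findings.append(f"{name}: {addr} is already bound")
        if mac in seen_mac:
            findings.append(f"{name}: MAC {mac} is already bound")
        seen_ip.add(addr)
        seen_mac.add(mac)
    return findings
```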