You can deploy multiple NSX Manager nodes to provide high availability and reliability.

After the new nodes are deployed, these nodes connect to the NSX Manager node to form a cluster. The recommended number of clustered NSX Manager nodes is three.

Note: Deploying multiple NSX Manager nodes using the UI is supported only on ESXi hosts managed by vCenter Server.

All the repository details and the password of the first deployed NSX Manager node are synchronized with the newly deployed nodes in the cluster.

Prerequisites

  • Verify that an NSX Manager node is installed. See Install NSX Manager and Available Appliances.
  • Verify that a compute manager is configured. See Add a Compute Manager.
  • Verify that the system requirements are met. See System Requirements.
  • Verify that the required ports are open. See Ports and Protocols.
  • Verify that a datastore is configured and accessible on the ESXi host.
  • Verify that you have the IP address and gateway, DNS server IP addresses, domain search list, and the NTP server IP address for the NSX Manager to use.
  • If you do not already have one, create the target VM port group network. Place the NSX-T Data Center appliances on a management VM network.

    If you have multiple management networks, you can add static routes to the other networks from the NSX-T Data Center appliance.

Procedure

  1. From a browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Appliances > Overview > Add Nodes.
  3. Enter the NSX Manager common attribute details.
    Option: Description
    Compute Manager: Registered resource compute manager is populated.
    Enable SSH: Toggle the button to allow an SSH login to the new NSX Manager node.
    Enable Root Access: Toggle the button to allow root access to the new NSX Manager node.
    CLI Username and Password Confirmation:

    Set the CLI password and password confirmation for the new node.

    Your password must comply with the password strength restrictions.
    • At least 12 characters
    • At least one lower-case letter
    • At least one upper-case letter
    • At least one digit
    • At least one special character
    • At least five different characters
    • Default password complexity rules are enforced by the following Linux PAM module arguments:
      • retry=3: The maximum number of times a new password can be entered before an error is returned. With this value, at most 3 times.
      • minlen=12: The minimum acceptable size for the new password. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit).
      • difok=0: The minimum number of bytes that must be different in the new password. Indicates similarity between the old and new password. With a value of 0 assigned to difok, there is no requirement for any byte of the old and new password to be different. An exact match is allowed.
      • lcredit=1: The maximum credit for having lower case letters in the new password. If you have 1 or fewer lower case letters, each letter counts +1 towards meeting the current minlen value.
      • ucredit=1: The maximum credit for having upper case letters in the new password. If you have 1 or fewer upper case letters, each letter counts +1 towards meeting the current minlen value.
      • dcredit=1: The maximum credit for having digits in the new password. If you have 1 or fewer digits, each digit counts +1 towards meeting the current minlen value.
      • ocredit=1: The maximum credit for having other characters in the new password. If you have 1 or fewer other characters, each character counts +1 towards meeting the current minlen value.
      • enforce_for_root: The password is set for the root user.
      Note: For more details on the Linux PAM module that checks the password against dictionary words, refer to the man page.

    The CLI username is already set to admin.

    Root Password and Password Confirmation:

    Set the root password and password confirmation for the new node.

    Your password must comply with the password strength restrictions.
    • At least 12 characters
    • At least one lower-case letter
    • At least one upper-case letter
    • At least one digit
    • At least one special character
    • At least five different characters
    • Default password complexity rules are enforced by the following Linux PAM module arguments:
      • retry=3: The maximum number of times a new password can be entered before an error is returned. With this value, at most 3 times.
      • minlen=12: The minimum acceptable size for the new password. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit).
      • difok=0: The minimum number of bytes that must be different in the new password. Indicates similarity between the old and new password. With a value of 0 assigned to difok, there is no requirement for any byte of the old and new password to be different. An exact match is allowed.
      • lcredit=1: The maximum credit for having lower case letters in the new password. If you have 1 or fewer lower case letters, each letter counts +1 towards meeting the current minlen value.
      • ucredit=1: The maximum credit for having upper case letters in the new password. If you have 1 or fewer upper case letters, each letter counts +1 towards meeting the current minlen value.
      • dcredit=1: The maximum credit for having digits in the new password. If you have 1 or fewer digits, each digit counts +1 towards meeting the current minlen value.
      • ocredit=1: The maximum credit for having other characters in the new password. If you have 1 or fewer other characters, each character counts +1 towards meeting the current minlen value.
      • enforce_for_root: The password is set for the root user.
      Note: For more details on the Linux PAM module that checks the password against dictionary words, refer to the man page.
    DNS Servers: Enter the DNS server IP address available in the vCenter Server.
    NTP Servers: Enter the NTP server IP address.
  4. Enter the NSX Manager node details.
    Option: Description
    Name: Enter a name for the NSX Manager node.
    Cluster: Designate the cluster the node is going to join from the drop-down menu.
    Resource Pool or Host: Assign either a resource pool or a host for the node from the drop-down menu.
    Datastore: Select a datastore for the node files from the drop-down menu.
    Network: Assign the network from the drop-down menu.
    Management IP/Netmask: Enter the IP address and netmask.
    Management Gateway: Enter the gateway IP address.
  5. (Optional) Click New Node and configure another node.
    Repeat steps 3-4.
  6. Click Finish.
    The new nodes are deployed. You can track the deployment process on the System > Appliances > Overview page or the vCenter Server.
  7. Wait for 10-15 minutes for the deployment, cluster formation, and repository synchronization to complete.
    All the repository details and the password of the first deployed NSX Manager node are synchronized with the newly deployed nodes in the cluster.
    Note: If the master node reboots while the deployment of a new node is in progress, the new node might fail to register with the cluster, and the Failed to Register message is displayed on the new node's thumbnail. To redeploy the node manually on the cluster, go to the new node's thumbnail, select the vertical ellipses, and click Retry.
  8. After the NSX Manager boots, log in to the CLI as admin and run the get interface eth0 command to verify that the IP address was applied as expected.
  9. Enter the get services command to verify that all the services are running.
    If the services are not running, wait for all the services to start running.
    Note: The following services are not running by default: liagent, migration-coordinator, and snmp. You can start them as follows:
    • start service liagent
    • start service migration-coordinator
      Note: Start this service on only one NSX Manager node. See the NSX-T Data Center Migration Coordinator Guide.
    • For SNMPv1/SNMPv2:
      set snmp community <community-string>
      start service snmp
      The maximum character limit for community-string is 64.
    • For SNMPv3:
      set snmp v3-users <user_name> auth-password <auth_password> priv-password <priv_password>
      The maximum character limit for user_name is 32. Ensure that your passwords meet PAM constraints. If you want to change the default engine id, use the following command:
      set snmp v3-engine-id <v3-engine-id>
      v3-engine-id is a hexadecimal string that is 10 to 64 characters long.
      start service snmp

      NSX-T Data Center supports SHA1 and AES128 as the authentication and privacy protocols. You can also use API calls to set up SNMPv3. For more information, see the NSX-T Data Center API Guide.

  10. Log in to the first deployed NSX Manager node and enter the get cluster status command to verify that the nodes are successfully added to the cluster.
  11. Verify that your NSX Manager has the required connectivity.
    Make sure that the following checks succeed.
    • You can ping your NSX Manager from another machine.
    • The NSX Manager can ping its default gateway.
    • The NSX Manager can ping the hypervisor hosts that are in the same network as the NSX Manager using the management interface.
    • The NSX Manager can ping its DNS server and its NTP server.
    • If you enabled SSH, make sure that you can SSH to your NSX Manager.

    If connectivity is not established, make sure that the network adapter of the virtual appliance is in the proper network or VLAN.
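
A pre-flight check for the values entered in steps 3 and 9, as an added example that is not part of the NSX-T documentation or product: it applies the listed password restrictions, shows the credit arithmetic described for minlen, and checks the SNMPv3 user_name and v3-engine-id limits. The function names are hypothetical, character classes are ASCII, and treating "PAM constraints" for the SNMPv3 passwords as the same listed restrictions is an assumption.

```python
import re
import string

# Values copied from the page: minlen=12 and lcredit/ucredit/dcredit/ocredit=1.
MINLEN = 12
CREDITS = {"lower": 1, "upper": 1, "digit": 1, "other": 1}
LABELS = {"lower": "lower-case letter", "upper": "upper-case letter",
          "digit": "digit", "other": "special character"}

def char_classes(pw):
    """Count characters per class (ASCII classes; everything else is 'other')."""
    counts = dict.fromkeys(CREDITS, 0)
    for ch in pw:
        if ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts

def credited_length(pw):
    """Length plus up to one credit per class, the arithmetic described for minlen."""
    counts = char_classes(pw)
    return len(pw) + sum(min(counts[k], CREDITS[k]) for k in CREDITS)

def password_problems(pw):
    """Return the listed restrictions that pw violates; an empty list means it passes."""
    counts = char_classes(pw)
    problems = []
    if len(pw) < MINLEN:
        problems.append("fewer than 12 characters")
    problems += ["no " + LABELS[k] for k in LABELS if counts[k] == 0]
    if len(set(pw)) < 5:
        problems.append("fewer than five different characters")
    return problems

def snmpv3_problems(user_name, auth_password, priv_password, engine_id=None):
    """Check the step 9 limits before typing the set snmp commands (hypothetical helper)."""
    problems = []
    if not 1 <= len(user_name) <= 32:  # page gives the maximum; non-empty is assumed
        problems.append("user_name must be 1-32 characters")
    for field, pw in (("auth_password", auth_password), ("priv_password", priv_password)):
        problems += [f"{field}: {p}" for p in password_problems(pw)]
    if engine_id is not None and not re.fullmatch(r"[0-9A-Fa-f]{10,64}", engine_id):
        problems.append("v3-engine-id must be 10-64 hexadecimal characters")
    return problems
```

For the constructed value Ab1!Ab1!, credited_length returns 12 while password_problems still reports two violations, so the check is made against the listed restrictions rather than the credited length.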

What to do next

Configure NSX Edge. See Install an NSX Edge on ESXi Using the vSphere GUI.