You can add up to seven secondary NSX Managers in a cross-vCenter NSX environment. Universal objects configured on the primary NSX Manager are synchronized to the secondary NSX Managers.

Before you begin

  • There should be at least two NSX Managers, one with the primary role and one with the standalone or transit role.

  • The version of the NSX Managers (the primary NSX Manager and NSX Managers that will be assigned the secondary role) must match.

  • The node IDs of the primary NSX Manager and the NSX Managers that will be assigned the secondary role must be present and different. NSX Manager instances deployed from OVA files have unique node IDs. An NSX Manager deployed from a template (as in when you convert a virtual machine to a template) will have the same node ID as the original NSX Manager used to create the template, and these two NSX Managers cannot be used in the same cross-vCenter NSX installation.

    Note:

    You can view the NSX Manager node ID with the following REST API call:

    GET https://NSX-Manager-IP-Address/api/2.0/services/vsmconfig

  • Each NSX Manager must be registered with a separate and unique vCenter Server system.

  • The UDP ports used for VXLAN must be the same for all NSX Managers.

    Note:

    You can view and change the VXLAN port using the vSphere Web Client at Networking & Security > Installation > Logical Network Preparation. See Change VXLAN Port in the NSX Administration Guide.

  • When assigning the secondary role to a NSX Manager, the vCenter Server system linked to it must not have any deployed NSX Controllers.

  • The segment ID pool of the NSX Manager being assigned the secondary role must not overlap with the segment ID pools of the primary NSX Manager or the segment ID pool of any other secondary NSX Manager .

  • The NSX Manager being assigned the secondary role must have the standalone or transit role.

  • Both primary and secondary NSX Managers must be on the same TLS version for universal synchronization to work correctly.

    Verify that the secondary NSX Manager is configured to use at least one of the TLS versions configured on the primary NSX Manager. See "Change FIPS Mode and TLS Settings on NSX Manager" in the NSX Administration Guide.

About this task

NSX Managers can have one of four roles:

  • Primary

  • Secondary

  • Standalone

  • Transit

To view the role of an NSX Manager, log in to the vCenter linked to the NSX Manager, and navigate to Home > Networking & Security > Installation and select the Management tab. The role is displayed in the Role column in the NSX Managers section. If there is no Role column shown, the NSX Manager has the standalone role.

Procedure

  1. Log in to the vCenter linked to the primary NSX Manager.
  2. Navigate to Home > Networking & Security > Installation and select the Management tab.
  3. Select the primary NSX Manager. Then select Actions > Add Secondary NSX Manager.
  4. Enter the IP address, user name, and password of the secondary NSX Manager.
    Note:

    You should use host name to configure secondary NSX Manager, if the primary NSX Manager is using IPv6 address.

  5. Click OK.
  6. Check that the certificate thumbprint matches the certificate of the secondary NSX Manager.
  7. After successful registration the role changes from Standalone to Secondary.

    If your vCenter Server systems are in Enhanced Linked Mode, you can see the roles of all NSX Managers associated with those vCenter Server systems from the Home > Networking & Security > Installation tab.

    If your environment does not employ Enhanced Linked Mode, log in to the vCenter linked to the secondary NSX Manager to view the NSX Manager's role.

    If the NSX Manager role change is not displayed, log out of the vSphere Web Client and log back in.

    Note:

    Initially, the controller status might show disconnected. Wait a few seconds and then refresh the vSphere Web Client and the status will change to Normal.