vSZ-D Network Configuration

Hello,

I'm attempting to turn up a vSZ-D instance in my lab. I've got a pair of vSZ controllers running in a cluster, each with three interfaces (Management, Cluster, Control). The vSZ-D documentation is pretty bad, as it calls the one interface "Management/Control" and doesn't really say what it does, or really how it's supposed to connect to the vSZ controllers. I've tried it on both the "Management" and "Cluster" networks but I can't get it to connect. I have not tried it on the "Control" (which is Public) for the controllers as this is the same subnet as the "Data" interface should be on.

Also, I have no idea how the "Data" interface is supposed to work VLAN-wise. Is the IP I assigned just untagged?

Could someone share how theirs is configured and working? I would really appreciate it!

Thanks
salad

Posted 1 year ago

Michael Brado, Official Rep

salad

Thanks for the reply Michael, I have already scoured those documents and they do not contain the information I need.

What network should the "Management" interface of the dataplane module be configured on, and what IP does it need to connect to the control plane one?

salad

I am the VAR. I've reached out to our SE for any design documents he may have. This really should be covered in your manual...

Eddie

My SE says he has not learned this deployment yet as it is so new. We are having a heck of a time getting this to work on Cisco UCS using direct I/O.

salad

I should follow up on this post, then! We have managed to get the vSZ-D working. The software has a problem in that, unlike the controller, it doesn't let you select which interface should be used for default routing. It turns out that the vSZ-D talks to the controller on the Control interface - not Management. This meant, for us, that it was trying to send all packets out of the Management interface, instead of the "Data" interface.

On the vSZ-D we had to change the Management and Control/Data to be in the SAME subnet/VLAN, and point it to the public IP of the controller. It then worked flawlessly. Of course management protocols now need to be firewalled off.

Our SE is working on getting this behaviour corrected so it acts more like the vSZ software.

Eddie

So what I'm hearing is that when asked for the IP address of the vSZ-H controller I should be giving the vSZ-D the IP address of the control interface and not the management interface of the controller? The instructions specifically say that on the vSZ-D the management and data interface need to be on separate networks, so one of your statements confused me. I need the vSZ-D to communicate on the 1Gig interface to the vSZ controller and all of the client data to use the data Direct I/O 10Gig interface on the vSZ-D.

salad

Yeah, it's very confusing. The important parts are:

 - vSZ-D "Management/Control" must connect to vSZ-H "Control"
 - vSZ-D "Data" is in a totally separate routing table and not used as a candidate for routing any traffic other than tunnels

I eventually tried setting the vSZ-D to connect to the vSZ-H's Control IP (which is public). I expected the vSZ-D to start sending packets out of its own Data interface, which has an IP in the same subnet. This was not the case - it just sent them out the Management interface towards the default gateway. My setup has a totally isolated management VLAN so that default gateway was fake - if I had a firewall or router in there of some sort, the vSZ-D probably would have been able to communicate outwards to the vSZ-H with NAT or something, but it would have been ugly.

You can absolutely run the vSZ-D's Management/Control and Data interfaces on different networks. In my setup it was easier to just put them on the same VLAN as I only allocate one /24 of public IPs per site. The APs still connect to the vSZ-D's Data interface.

Hope that makes sense now!
(Edited)
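
The egress behaviour described in the post above, modelled as a longest-prefix-match lookup. This is an added example, not part of the thread and not Ruckus code; the addresses are constructed documentation ranges, and the route-table layout (main table built only from Management/Control, Data kept in a separate tunnel-only table) is an assumption taken from the post.

```python
import ipaddress

def egress(main_table, dst):
    """Longest-prefix match over the main routing table only."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, via in main_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via)
    if best is None:
        return None
    return {"iface": best[1], "via": best[2] or "on-link"}

def main_table_for(mgmt_cidr, mgmt_gw):
    """Main table as assumed from the post: a connected route and a default
    route, both on Management/Control. The Data interface is in a separate
    table used only for tunnels, so it contributes no route here."""
    net = ipaddress.ip_interface(mgmt_cidr).network
    return [(str(net), "mgmt", None), ("0.0.0.0/0", "mgmt", mgmt_gw)]

# Constructed sample addressing (RFC 5737 documentation ranges).
CONTROLLER_CONTROL_IP = "203.0.113.10"  # controller's public Control IP
DATA_IF = "203.0.113.20/24"             # vSZ-D Data IP; never consulted below

def isolated_mgmt():
    # Management on an isolated VLAN with a gateway that forwards nothing:
    # the controller is only reachable through the default route on mgmt.
    table = main_table_for("192.0.2.5/24", "192.0.2.1")
    return egress(table, CONTROLLER_CONTROL_IP)

def shared_subnet():
    # Management/Control moved into the controller's subnet: the controller
    # is now on-link, so no gateway is involved.
    table = main_table_for("203.0.113.21/24", "203.0.113.1")
    return egress(table, CONTROLLER_CONTROL_IP)

if __name__ == "__main__":
    print("isolated mgmt VLAN:", isolated_mgmt())
    print("shared subnet     :", shared_subnet())
```

In the shared-subnet case the management services sit on the same public subnet as the controller's Control IP, which is why the post says they then need to be firewalled off.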

Eddie

Mind if I ask you, what VM platform are you using, and are you using Direct I/O as recommended by Ruckus, since they say vSwitch can cause random reboots to the vSZ-D?

I basically got this answer from them so far: "I spoke with our developer and below is the recommended NICs. If your Cisco UCS server is using other than the recommended then we don't support it." with a picture of their infamous documentation. Not very happy being told too bad so sad.

salad

I'm running ESXi 5.5, the "data" NIC is VMXNET3 like the OVA was configured with. Not using Direct I/O as I need vMotion to still work. The underlying chips are Broadcom on Lenovo/IBM x3550 M5

Haven't heard of this random reboot thing, where did you read that?

Eddie

Straight from support. They recommend when setting up vSZ-D that the Management/Control can be vSwitch but Data interface should be Direct I/O. I asked why and they said they have had customers with random reboots of the vSZ-D and when they went direct I/O it fixed it. Yeah see Cisco UCS ESXi5.5 is what we have but they won't support the NIC blades with the proper driver. I told them they need to either log in and do their magic loading the driver into my VM appliance or write a hotfix to add the drivers for Cisco UCS support. Haven't heard back but my local sales rep is sending emails to SE and updating the case. I have a feeling I'm going to hit a brick wall with these guys. Thinking maybe I should have gone with the ZD3000 or ZD5000. How long has yours been deployed and how large scale is your environment that you have not experienced what they claim will happen?

Eddie

We also have a cluster pair of controllers and purchased 2 vSZ-Ds, 1 for each. I am wondering, if my primary vSZ-D connected to the primary controller dies while running, does the "Following" controller and its associated vSZ-D take over the tunneled traffic? That's my next question to them if we even stay on VM platform.

salad

Just in the testing phase, I got it set up maybe a month ago. Yeah that's another reason I don't like Direct I/O... driver nonsense... misses the point of virtualization!

I have no idea how multiple vSZ-Ds is supposed to work. I'm not entirely certain my SE does either, haha! It's on my to-do list. I'd like it if the tunnels failed over, but I'm not sure how that would be configured yet as I don't see many knobs at all in the controller's web interface.

Yogesh Ranade

@salad and @Eddie, this is Yogesh here. I am the Product Manager for the vSZ-D. Thanks for raising very pertinent queries related to the vSZ-D deployment. We sincerely appreciate and value your feedback. Would you be kind enough to send me an email to [email protected]? I would like to schedule a conference call with you and our vSZ-D engineering team to answer all your technical queries sometime next week, if that's okay with you.

Eddie

I'm fine with the call set up for Monday. You should know that my SE has informed me that he is speaking with, I assume, your team, to see about getting this driver issue fixed. He did mention it could take a little while. I have also spoken to our sales and SE regarding maybe they recommended the wrong product as it seems your tech team has stated that if our Cisco UCS vw doesn't have the drivers in your manual, too bad they can't help. You should know that I've been in the IT industry for over 35 years and know very well that code can be written to hotfix this issue and add drivers to an OVA for your customers. We will see how this evolves next week but I can't help feel that had we gotten the ZD3000 or 5000 I wouldn't be in this position. Another note for you is that we are migrating off of our Enterasys wifi solution that has been running just fine for over 8 years tunneling client traffic back to the controllers, of course those are physical not virtual. Thanks for your time,
Eddie

Yogesh Ranade

Hi Eddie, Thanks again for the feedback. Sure, let's get on a call for me to better understand what your deployment use-case is. vSZ-D is a product built on top of Intel DPDK architecture and there are platform limitations due to the DPDK toolkit. Regarding utilizing ZD 3K/5K, we probably need to understand your needs for tunneling of data and throughput requirements. As you are aware, with the vSZ-D the dataplane function is completely decoupled from the control plane (vSZ) which provides flexibility in deployments. We need to understand better what you need and your tunneling throughput requirements so that we could provide our inputs. Can you share with me your official email id where I can send a meeting invite?

Eddie

Yogesh,
If you email me I can reply and you will have my phone numbers in my email signature.
I can step out of training for a few moments to discuss what you would like to.

salad

I appreciate the offer, Yogesh, but I am away on vacation all of next week. My co-worker and I would certainly like to sit down and talk vSZ when I'm back, if that is an option!

Yogesh Ranade

Sure, would be glad to set something up the week after next. Can you send me your official email id where I can send a meeting invite?

salad

Hi Yogesh,

You can get me at [email protected]

Cheers
Ross

Eddie

Unfortunately I had forgotten about my training all this week from 7-5 so I will not be able to take a call as I will be in a classroom environment. I will however have my laptop for emails if you like.
[email protected]

Yogesh Ranade

Eddie,

Apologies for the delay in getting back. I will schedule something on your calendar for early next week.

Eddie

Salad, did you say you got your vSZ-D actually working? We have it set up like you have at this time using vSwitch. The tunnel gets established and a tunnel to the test AP that has the test SSID using Ruckus GRE tunneling selected is established. I am trying with static IP for now on the VLAN 1730 that I have created on my router and DHCP because I can never seem to ping my default gateway. Multiple clients CAN ping each other when on that same SSID that is tunneled but none of us can ping the default gateway. I am sniffing at the enterprise switch that my UCS VMware is connected to and do not see any traffic. Is yours actually working?

salad

Hey Eddie,

Yes, it actually works! lol I was very excited. I followed the directions in the manual on how to configure the vSwitch to pass all VLANs unmolested. I think the port group is simply configured with a VLAN ID of -1 or 0 or 4096 or something like that. The only NIC in the vSwitch is dedicated to that. I set up the switchport for trunking with the vSZ-D's VLAN as untagged/native. After the AP's tunnel establishes I get client traffic tagged out whatever VLAN I set on that SSID. I like to think of the port group and vSwitch like that old 8-port SMC that supported a really high MTU and just passed VLAN tags like a dumb bridge ;)

I'm running ESXi 5.5 Enterprise. No distributed vSwitch stuff. I can do up screenshots if you like.

Cheers
Ross

Eddie

Got it working. We had the NIC on vSwitch set for reject, the default, not promiscuous so it was dropping all VLANs. Once we set that to promiscuous it started working fine.
Whew, now I can finally start testing.

salad

Ahhh that setting, yes. Good to hear you got it sorted out finally!

salad

One of the things I haven't gotten around to testing fully yet is the AP's interception of packets. The GRE tunnel runs a low MTU - I think around 1330 bytes - of course it's not a router, so ICMP "Too Large" messages are going to be interesting! My initial testing was with an older iPhone and a Windows 7 laptop, but the laptop actually had an IP in the same subnet as the AP.

Don Bertos

Anyone get this working on KVM? Seems like a nightmare to set up. So far I can only get the data network to ping anywhere.

James Laszko

Does anyone have any insight into how to accomplish setup using the VSZ-D on a dvSwitch? Are they just not supported?

salad

Any luck with this? I'd assume that if they work using a regular vSwitch, a distributed one shouldn't be a hassle. It all looks the same to the VM

Jamie Walmsley

+1 to the documentation being bad. I'm currently configuring a SZ300 and the docs concerning control planes/data planes and what each does and how it fits into the overall architecture are awful.

salad

Does the "real" SZ integrate both the "control" and the "data" into the same box? With vSZ-D nowhere in the docs does it say that the system is managed as if it were an AP by the controllers, but the APs connect to the vSZ-D as if it were a controller...

iksgnodd

Documentation for this is awful... I hope Ruckus can fix it, as this has been a pain the past couple of days... I've managed to establish tunnel from AP to vSZ-D and see tunneled SSID, but can't seem to ping the gateway (I assume gateway of data interface subnet). I am using Cisco UCS blade servers, vSZ-E and vSZ-D... I just placed all interfaces in the same subnet for simplicity's sake, but can't ping the gateway from tunneled SSID... hopefully, someone can help! Thanks