The upstream network from the VxRail cluster must be configured to allow passage for VxRail networks that require external access. Using Appendix A: VxRail Network Configuration Table for reference, upstream passage is required for the External Management VLAN (Row 1), any VM Network VLANs (Row 6), and the optional vCenter Server Network VLAN (Row 7). If a vSAN witness is required for the VxRail cluster, include the VxRail Witness Traffic Separation VLAN (Row 74) for upstream passage. The VxRail Internal Management VLAN (Row 2) must be blocked from outbound upstream passage.

Optionally, the vSphere vMotion VLAN (Row 3) and vSAN VLAN (Row 4) can be configured for upstream passage. If you plan to expand the VxRail cluster beyond a single rack, configure the VxRail network VLANs for either stretched Layer 2 networks across racks, or to pass upstream to routing services if new subnets will be assigned in expansion racks.

Figure 71.    Logical networks connecting to upstream elements

If your Layer 2/Layer 3 boundary is at the lowest network tier (top-of-rack switch), perform the following tasks:

• Configure point-to-point links with the adjacent upstream switches.
• Terminate the VLANs requiring upstream access on the top-of-rack switches.
• Enable and configure routing services for the VxRail networks requiring upstream passage.

If your Layer 2/Layer 3 boundary is upstream from at the lowest network tier (top-of-rack switch), perform the following tasks:

• Connect ports on the adjacent upstream switch to the uplinks on the top-of-rack switches.
• Configure logical pairings of the ports on the adjacent upstream switch and the top-of-rack switch.
• Configure the logical port pairings, commonly known as “port channels” or “Ether Channels,” to allow upstream passage of external VxRail networks.