Step 1 — Network / DNS / NTP / AD Plan (one page)

Lock this before filling any other workbook page. If you only have time for one meeting with the network + AD/PKI teams, run it on this page. Everything in the workbook flows from these decisions.

Prefer a spreadsheet? Download the blank fillable planning templates (IP/DNS, VLAN/subnet, NTP/AD/CA, BGP) — capture the plan in CSV, then transfer to the workbook or Coscia’s planner. For the firewall flows these networks depend on, see Firewall & Ports.

Convention used in the templates below: site code sfo, instance m01, rack r01. Replace consistently when copying for a real deployment. VLAN IDs and CIDRs are placeholders.


A. VLAN / Subnet plan

Fill one row per traffic type. The same table covers Mgmt Domain and the first WLD — duplicate it for additional WLDs / clusters.

| # | Traffic | VLAN ID | CIDR (IPv4) | CIDR (IPv6, optional) | MTU | Gateway | Notes |
|---|---------|---------|-------------|-----------------------|-----|---------|-------|
| 1 | ESX Management | | /24 | | 1500 | | ESXi host mgmt VMKs. The VCF Installer must be able to reach / route to this network to commission the hosts (it does not live here) |
| 2 | VM Management | | /24 | | 1500 | | Largest subnet: appliances + two reserved blocks; see carve-out below. The VCF Installer deploys here using the SDDC Manager IP + FQDN; see note below |
| 3 | VCF Management (optional) | | /24 | | 1500 | | Only if separating VCF services from VM-mgmt |
| 4 | vMotion | | /24 | | 9000 | | Jumbo required |
| 5 | vSAN | | /24 | | 9000 | | Jumbo required; skip if NFS/FC only |
| 6 | ESX Host Overlay (TEP) | | /24 | | 9000 | | Jumbo; MTU inherited from the vDS; static TEP pool recommended (DHCP scope supported) |
| 7 | NSX Edge Overlay (TEP) | | /24 | | 9000 | | Jumbo |
| 8 | NSX Edge Uplink-01 | | /29 or /30 | | 9000 | | Point-to-point to ToR-A; BGP peer |
| 9 | NSX Edge Uplink-02 | | /29 or /30 | | 9000 | | Point-to-point to ToR-B; BGP peer |
| 10 | NFS (optional) | | /24 | | 9000 | | Only if principal storage = NFS |
| 11 | VPC Gateway external (optional) | | /24 | | 9000 | | External / north-south network for the Distributed Transit Gateway. Only when VPC Gateway = Distributed (intake A10); the Centralized model is configured post-bringup |
| 12 | Public / upstream peering uplink (optional) | | /29 or /30 | | 9000 | | Point-to-point to a public / upstream / DMZ router, separate from the ToR fabric. Only if you run a distinct public peering (intake B22); BGP session details in §B. Most fleets don't need this |

Overlay MTU: host and edge TEP networks carry GENEVE and need MTU ≥ 1600; set 9000 on the distributed switch. The host-overlay VMK inherits its MTU from the vDS rather than a per-network field.

VCF Installer = SDDC Manager identity. When you deploy the VCF Installer on one of the management-domain ESX hosts (the usual greenfield case), you give it the IP and FQDN you plan for SDDC Manager — the appliance switches into SDDC Manager mode after bring-up, so there is no throwaway / temporary IP. Reserve that single IP + FQDN as SDDC Manager (intake E7); the Installer just needs routed reachability to the ESX Management network to commission the hosts. (Only an Installer deployed outside the management infrastructure uses a separate temporary address.) Per Broadcom TechDocs.

Port group VLAN gotcha: on the host you deploy it on, place the Installer on a port group carrying the VM Management VLAN. A fresh ESXi host's default VM Network port group is untagged (VLAN 0), so if VM Management is a tagged VLAN, set the VLAN ID on that port group first (on the host: `esxcli network vswitch standard portgroup set -p "VM Network" -v <VLAN ID>`) or create a tagged port group for it; otherwise the appliance comes up with no management connectivity.

IP range carve-out (per subnet)

Inside each /24 reserve contiguous ranges so static pools / DHCP scopes don’t collide with appliance IPs.

Host-facing subnets — one IP per host VMK, sized here for up to 16 mgmt hosts:

| Subnet | Reserved for | Range example |
|--------|--------------|---------------|
| ESX Mgmt | Host mgmt VMK | .11–.30 |
| vMotion | Host vMotion VMK | .101–.116 |
| vSAN | Host vSAN VMK | .101–.116 |
| ESX Overlay | Host TEPs (×2 per host) | Static pool (recommended), e.g. .101–.132; DHCP scope supported |
| Edge Overlay | Edge TEPs | .11–.20 |

TEP addressing: prefer a static IP pool, entered in the VCF Installer — no external DHCP dependency, and no per-AZ scopes in stretched designs. Per Broadcom TechDocs either a static IP pool or a DHCP server on the Host Overlay VLAN satisfies the prerequisite; pools can also be created per cluster later (Create an IP Pool for Tunnel Endpoint IP Addresses).

VM Management subnet: the crowded one. A VCF 9.1 management domain packs a lot onto this network: ~30–48 IPs. Size it generously (a /24 is normal; do not try to squeeze it into a /27). On top of discrete appliance IPs it needs two dedicated contiguous blocks: a /29 for VCF Automation and a /28 or /27 for the VCF management-services runtime. Each additional VI Workload Domain also lands its vCenter (1) + NSX Manager cluster (4) on this subnet, +5 IPs per WLD, so leave headroom. The full per-component FQDN/IP list is on TechDocs: VCF Components FQDNs and IP addresses.

| Component | IPs | Block | Notes |
|-----------|-----|-------|-------|
| vCenter | 1 | | Management domain vCenter |
| NSX Manager | 4 | | 3 cluster nodes + 1 cluster VIP |
| SDDC Manager | 1 | | |
| VCF Operations | 5 | | 3 analytics nodes (primary / replica / data) + cloud proxy + license server |
| VCF Operations VIP | 1 | | Optional: external load balancer for an HA deployment |
| NSX Edge nodes (if deployed) | 2 | | Mgmt-domain edge cluster; matches en01/en02 in the DNS table below |
| VCF Automation | 5 | /29 | 3 node IPs + 2 buffer for automatic redeploy of failed nodes / rolling updates (TechDocs); allocate a contiguous /29 |
| VCF management-services runtime | 12–30 | /28 or /27 | Dedicated contiguous block: /28 = 12 (minimum), /27 = 30 (recommended); the headroom absorbs Day-N Log Management and real-time metrics worker nodes (rows below) |
| Avi Controller cluster (optional) | 4 | | 3 controller nodes + cluster VIP; only if Avi is the chosen LB (e.g. Supervisor LB choice / Automation HA / tenant LB); see prerequisites.md |
| VCF Operations for Networks (optional) | 2 (+2 if Large) | | Platform node + collector node; lands here when the Day-2 placement is the Shared Management Network (a Large platform is a 3-node cluster: +2); see 05-day2-deployments.md |
| Log Management (optional) | — (from runtime block) | | Day-N: 1 FQDN + 6 IPs, +2 per additional replica, allocated from the services-runtime block above, not extra subnet IPs (TechDocs FQDN/IP list); size the block /27 if Log Management is planned. See 05-day2-deployments.md |
| Real-time metrics (optional) | — (from runtime block) | | Day-N: 6 IPs, also allocated from the services-runtime block (TechDocs FQDN/IP list) |
| Identity Broker | — | | FQDN only; served from the services-runtime block above, no extra VM Mgmt IP |
| Approx. total | ~30–48 | | A /24 VM Mgmt subnet leaves ample room (+4 if the Avi LB is in scope, +2–4 if Ops for Networks shares this subnet; Log Management / real-time metrics come out of the runtime block, so size it /27) |

Separate internal networks — keep off the VM Mgmt subnet. The VCF services runtime uses an internal container CIDR, 198.18.0.0/15 by default (change to 240.0.0.0/15 or 250.0.0.0/15 if it clashes) — and VCF Automation uses the same kind of internal cluster CIDR, with the same default and alternatives (the cluster CIDR captured in intake B21; see 05-day2-deployments.md section D). These are internal to the platform, not routed appliance IPs — just make sure the blocks do not overlap anything you actually route.
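Before handing section A to the network team, a quick automated pass catches the three mistakes that most often surface at bring-up: overlapping CIDRs (including a routed subnet that collides with the 198.18.0.0/15 internal range), an overlay network left at MTU 1500, and a VM Management subnet too small for its reserved blocks. The script below is an added example written for this page, not Broadcom's or the workbook's own tooling. The CIDRs are placeholders, the gateway is assumed to take one host address, and the /29 and /27 blocks are assumed to sit at the top of the subnet; all three are illustration choices, not workbook requirements.

```python
"""Sanity-check the section A plan: routed subnets must not overlap each other or the
platform-internal CIDRs, GENEVE networks need MTU >= 1600, and the VM Management subnet
must hold the Automation /29 and services-runtime /27 on top of the discrete appliance IPs."""
import ipaddress

GENEVE_MIN_MTU = 1600
INTERNAL_CIDRS = ["198.18.0.0/15"]   # services-runtime / Automation cluster CIDR default

# Constructed sample plan: placeholder CIDRs, not from the workbook.
PLAN = {
    "esx_mgmt":      {"cidr": "10.16.1.0/24", "mtu": 1500, "overlay": False},
    "vm_mgmt":       {"cidr": "10.16.2.0/24", "mtu": 1500, "overlay": False},
    "vmotion":       {"cidr": "10.16.3.0/24", "mtu": 9000, "overlay": False},
    "vsan":          {"cidr": "10.16.4.0/24", "mtu": 9000, "overlay": False},
    "host_overlay":  {"cidr": "10.16.5.0/24", "mtu": 9000, "overlay": True},
    "edge_overlay":  {"cidr": "10.16.6.0/24", "mtu": 9000, "overlay": True},
    "edge_uplink01": {"cidr": "10.16.7.0/30", "mtu": 9000, "overlay": False},
    "edge_uplink02": {"cidr": "10.16.7.4/30", "mtu": 9000, "overlay": False},
}


def check_plan(plan, internal=INTERNAL_CIDRS):
    """Return a list of problem strings; an empty list means the plan passes."""
    problems, nets = [], {}
    for name, row in plan.items():
        try:
            nets[name] = ipaddress.ip_network(row["cidr"], strict=True)  # rejects host bits set
        except ValueError as exc:
            problems.append(f"{name}: bad CIDR {row['cidr']} ({exc})")
        if row["overlay"] and row["mtu"] < GENEVE_MIN_MTU:
            problems.append(f"{name}: carries GENEVE but MTU {row['mtu']} < {GENEVE_MIN_MTU}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"overlap: {a} {nets[a]} and {b} {nets[b]}")
    for cidr in internal:
        inet = ipaddress.ip_network(cidr)
        for name, net in nets.items():
            if inet.overlaps(net):
                problems.append(f"internal CIDR {cidr} overlaps routed {name} {net}; pick another")
    return problems


def host_range(subnet, first_offset, hosts, per_host=1):
    """First/last address of a per-host VMK pool (TEPs need per_host=2); raises if it spills."""
    net = ipaddress.ip_network(subnet)
    first = net.network_address + first_offset
    last = first + hosts * per_host - 1
    if last >= net.broadcast_address:
        raise ValueError(f"{hosts * per_host} addresses from offset {first_offset} spill past {net}")
    return str(first), str(last)


def carve_vm_mgmt(subnet, discrete_ips, automation_prefix=29, runtime_prefix=27):
    """Reserve the Automation block and the services-runtime block at the top of the
    VM Management subnet and report what is left for discrete appliance IPs.
    Assumes the gateway takes one host address (an assumption, not from the workbook)."""
    net = ipaddress.ip_network(subnet)
    if net.prefixlen >= min(automation_prefix, runtime_prefix):
        return {"fits": False,
                "reason": f"{net} cannot hold a /{automation_prefix} and a /{runtime_prefix}"}
    runtime = list(net.subnets(new_prefix=runtime_prefix))[-1]
    automation = ipaddress.ip_network(
        f"{runtime.network_address - 2 ** (32 - automation_prefix)}/{automation_prefix}")
    free = net.num_addresses - runtime.num_addresses - automation.num_addresses - 3  # net, bcast, gw
    return {"runtime_block": str(runtime), "automation_block": str(automation),
            "free_for_appliances": free, "fits": free >= discrete_ips}


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
    print(host_range(PLAN["host_overlay"]["cidr"], 101, 16, per_host=2))
    print(carve_vm_mgmt(PLAN["vm_mgmt"]["cidr"], discrete_ips=48))
```

Run it once with the real CIDRs before the network meeting; a non-empty list from `check_plan` or `fits: False` from `carve_vm_mgmt` is a plan change, not a bring-up problem to discover later.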


B. BGP plan

| Item | Value | Notes |
|------|-------|-------|
| NSX Edge AS (your side) | | Private ASN, e.g. 65001 |
| ToR-A AS | | Private ASN, e.g. 65010 |
| ToR-B AS | | Same as ToR-A if iBGP within fabric, else distinct |
| ToR-A peer IP (Uplink-01) | | Must sit inside the Uplink-01 subnet |
| ToR-B peer IP (Uplink-02) | | Must sit inside the Uplink-02 subnet |
| BGP MD5 password (optional) | | Only if you enable BGP MD5 authentication; per peer. Not required by NSX (neighbor IP + remote AS are the only required settings), but cheap insurance: without it, spoofed TCP segments can tear down or inject into the session. Use a distinct secret per peer and record the password owner here, not the value |
| BFD enabled | Y/N | Recommended on point-to-points |
| ECMP | Yes | Required on Edge↔ToR |
| Prefix-list / route-map | TBD | Often advertise default in / Tier-0 subnets out |
| Public / upstream peering (optional) | | Separate BGP session for public / north-south routes (internet edge, DMZ, or upstream provider), distinct from the internal ToR fabric peering above. If used, capture its peer AS, peer IP, MD5, and advertised/received prefixes, plus a dedicated uplink subnet if it does not share the Edge uplinks. Most fleets don't need this; the ToR uplinks already carry north-south |

Multi-AZ: whether the Edge uplinks and this peering are stretched across AZs or per-AZ depends on the NSX connectivity model — stretched under Centralized, per-AZ under Distributed (intake A10). See 03-multi-az-prep.md section D.

TechDocs: the Edge cluster / Tier-0 / BGP peering this plan feeds is set up per Set up Centralized Connectivity with Edge Clusters — neighbor IP + remote AS are the only required BGP settings (MD5 and BFD are optional).
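A matching check for section B, added here as an example (it is not NSX or workbook code): it classifies each uplink as eBGP or iBGP from the AS numbers, verifies that both ends of a peering sit inside the point-to-point subnet and are not its network or broadcast address, rejects ASNs outside the RFC 6996 private ranges, and flags MD5 enabled without a captured secret. The ASNs and addresses are placeholders. The /31 allowance is RFC 3021 and goes beyond the workbook's /29 or /30; drop it if your ToR platform does not support /31 links.

```python
"""Sanity-check the Edge <-> ToR BGP plan before handing it to the network team."""
import ipaddress

PRIVATE_ASN = [(64512, 65534), (4200000000, 4294967294)]   # RFC 6996 private ranges

# Constructed sample: placeholder ASNs / IPs, not from the workbook.
EDGE = {"as": 65001, "md5": True, "password": "per-peer-secret"}
PEERS = {
    "uplink01": {"subnet": "10.16.7.0/30", "local": "10.16.7.1", "peer": "10.16.7.2", "remote_as": 65010},
    "uplink02": {"subnet": "10.16.7.4/30", "local": "10.16.7.5", "peer": "10.16.7.6", "remote_as": 65010},
    # deliberate typo: the peer address is outside the /30
    "badpeer":  {"subnet": "10.16.7.8/30", "local": "10.16.7.9", "peer": "10.16.7.14", "remote_as": 65010},
}


def is_private_asn(asn):
    """True if asn falls in one of the RFC 6996 private ranges."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN)


def check_peer(name, p, edge):
    """Return (session_type, problems) for one Edge uplink peering."""
    problems = []
    net = ipaddress.ip_network(p["subnet"], strict=True)
    if net.prefixlen not in (29, 30, 31):
        problems.append(f"{name}: {net} is not point-to-point sized (/29, /30 or /31)")
    local, peer = ipaddress.ip_address(p["local"]), ipaddress.ip_address(p["peer"])
    for label, ip in (("local", local), ("peer", peer)):
        if ip not in net:
            problems.append(f"{name}: {label} {ip} is outside {net}")
        elif net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {label} {ip} is the network or broadcast address of {net}")
    if local == peer:
        problems.append(f"{name}: local and peer addresses are identical")
    for label, asn in (("edge", edge["as"]), ("remote", p["remote_as"])):
        if not is_private_asn(asn):
            problems.append(f"{name}: {label} AS {asn} is not a private ASN")
    if edge["md5"] and not edge.get("password"):
        problems.append(f"{name}: MD5 enabled but no password captured")
    session = "iBGP" if edge["as"] == p["remote_as"] else "eBGP"
    return session, problems


def check_all(peers, edge):
    """Run check_peer over every uplink and also reject overlapping uplink subnets."""
    report = {name: check_peer(name, p, edge) for name, p in peers.items()}
    nets = {name: ipaddress.ip_network(p["subnet"]) for name, p in peers.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                report[b][1].append(f"{b}: subnet {nets[b]} overlaps {a} {nets[a]}")
    return report


if __name__ == "__main__":
    for name, (session, problems) in check_all(PEERS, EDGE).items():
        print(name, session, problems or "OK")
```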


C. DNS

Two DNS servers (resolver IPs to put into appliances)

| # | FQDN / hostname | IPv4 |
|---|-----------------|------|
| 1 | | |
| 2 | | |

Required A + PTR records (Mgmt Domain — minimum)

Every FQDN below needs both an A and a PTR. Add WLD/cluster hosts in the same shape.

Lowercase only. The TechDocs FQDN/IP list marks the fleet-services family with “Do not use capital letters in the FQDN”: VCF Automation, VCF services runtime, fleet components, instance components, Identity Broker, Log Management, real-time metrics. DNS itself is case-insensitive but the appliances are not always — the practical rule: create every VCF FQDN lowercase.

| Role | Sample FQDN | IP source |
|------|-------------|-----------|
| ESXi host 1..N | sfo-m01-r01-esx0N.sfo.example.io | ESX Mgmt subnet |
| vCenter | sfo-m01-vc01.sfo.example.io | VM Mgmt subnet |
| NSX Manager VIP | sfo-m01-nsx01.sfo.example.io | VM Mgmt subnet |
| NSX Manager node 1 | sfo-m01-nsx01a.sfo.example.io | VM Mgmt subnet |
| NSX Manager node 2 | sfo-m01-nsx01b.sfo.example.io | VM Mgmt subnet |
| NSX Manager node 3 | sfo-m01-nsx01c.sfo.example.io | VM Mgmt subnet |
| SDDC Manager | sfo-vcf01.sfo.example.io | VM Mgmt subnet |
| VCF Operations VIP | sfo-vcfops01.sfo.example.io | VM Mgmt subnet |
| VCF Operations node 1–3 | sfo-vcfops01{a,b,c}.sfo.example.io | VM Mgmt subnet |
| Cloud Proxy | sfo-cp01.sfo.example.io | VM Mgmt subnet |
| License Server | sfo-lic01.sfo.example.io | VM Mgmt subnet |
| Identity Broker | sfo-idb01.sfo.example.io | services-runtime block |
| VCF Automation VIP | sfo-vcfauto01.sfo.example.io | VM Mgmt subnet |
| NSX Edge 1 | sfo-m01-en01.sfo.example.io | VM Mgmt subnet |
| NSX Edge 2 | sfo-m01-en02.sfo.example.io | VM Mgmt subnet |
| Avi Controller VIP (optional) | sfo-m01-avi01.sfo.example.io | VM Mgmt subnet |
| Avi Controller node 1–3 (optional) | sfo-m01-avi01{a,b,c}.sfo.example.io | VM Mgmt subnet |
| VCF Ops for Networks platform (optional) | sfo-vcfopsnet01.sfo.example.io | VM Mgmt subnet (or the Day-2 placement network) |
| VCF Ops for Networks collector (optional) | sfo-vcfopsnet01c.sfo.example.io | VM Mgmt subnet (or the Day-2 placement network) |
| Log Management VIP (optional) | sfo-vcflogs01.sfo.example.io | services-runtime block (integrated LB; the 6+ worker nodes need IPs, not FQDNs) |

Host names follow the convention from the top of the page (site code sfo, instance m01, rack r01); keep the same scheme when you add WLD hosts.

DNS settings checklist

  • Forward + reverse zones for the parent domain
  • Forward + reverse zones for any child / site domains (e.g. sfo.example.io)
  • Dynamic updates: Secure only is sufficient. Every VCF record is pre-created statically (nothing in the platform registers itself by DDNS), and allowing nonsecure updates lets any host on the network overwrite a VCF appliance record. If the AD team insists on Nonsecure and secure, record it as an accepted risk.
  • Zone replication scope: All DNS servers in this forest
  • Every FQDN unique; every PTR present
  • No CNAME for any VCF appliance hostname (must be A)
  • All FQDNs lowercase (required for the fleet-services family; recommended everywhere)
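The record rules in the checklist are mechanical enough to script. The following is an added example, not part of the workbook or Broadcom's tooling, that runs them over a constructed and deliberately flawed copy of the record set: it demands an A record (never a CNAME) for every VCF appliance name, a PTR that round-trips to the same name, lowercase names, and no IP reuse, while leaving non-appliance CNAMEs such as the NTP alias alone. It also renders the A + PTR pair the DNS team must create for each entry. The zone contents are invented sample data; the addresses are placeholders.

```python
"""Check a planned VCF record set against the DNS rules: A (not CNAME), PTR round-trip,
lowercase, unique IP. Zone data below is constructed sample input, not a real zone."""
import ipaddress

# forward: name -> (rtype, rdata); reverse: ip -> name. Three deliberate faults are marked.
FORWARD = {
    "sfo-m01-vc01.sfo.example.io":   ("A", "10.16.2.10"),
    "sfo-vcf01.sfo.example.io":      ("A", "10.16.2.11"),
    "sfo-m01-nsx01.sfo.example.io":  ("A", "10.16.2.20"),
    "sfo-m01-nsx01a.sfo.example.io": ("A", "10.16.2.21"),
    "sfo-m01-nsx01b.sfo.example.io": ("A", "10.16.2.22"),
    "sfo-m01-nsx01c.sfo.example.io": ("A", "10.16.2.23"),                      # fault: no PTR below
    "sfo-vcfauto01.sfo.example.io":  ("CNAME", "sfo-m01-vc01.sfo.example.io"),  # fault: CNAME
    "SFO-IDB01.sfo.example.io":      ("A", "10.16.2.230"),                     # fault: upper case
    "ntp.sfo.example.io":            ("CNAME", "ntpserver.sfo.example.io"),    # allowed: not an appliance
    "ntpserver.sfo.example.io":      ("A", "10.16.0.5"),
}
REVERSE = {
    "10.16.2.10": "sfo-m01-vc01.sfo.example.io",
    "10.16.2.11": "sfo-vcf01.sfo.example.io",
    "10.16.2.20": "sfo-m01-nsx01.sfo.example.io",
    "10.16.2.21": "sfo-m01-nsx01a.sfo.example.io",
    "10.16.2.22": "sfo-m01-nsx01b.sfo.example.io",
    "10.16.2.230": "sfo-idb01.sfo.example.io",
}
# The names subject to the VCF rules (the appliance rows of the table above).
APPLIANCES = [
    "sfo-m01-vc01.sfo.example.io", "sfo-vcf01.sfo.example.io",
    "sfo-m01-nsx01.sfo.example.io", "sfo-m01-nsx01a.sfo.example.io",
    "sfo-m01-nsx01b.sfo.example.io", "sfo-m01-nsx01c.sfo.example.io",
    "sfo-vcfauto01.sfo.example.io", "SFO-IDB01.sfo.example.io",
]


def check_vcf_dns(appliances, forward, reverse):
    """Return a list of rule violations for the appliance names; empty means all good."""
    problems, seen_ips = [], {}
    for name in appliances:
        if name != name.lower():
            problems.append(f"{name}: not lowercase")
        rec = forward.get(name)
        if rec is None:
            problems.append(f"{name}: no forward record")
            continue
        rtype, rdata = rec
        if rtype != "A":
            problems.append(f"{name}: {rtype} record; VCF appliance hostnames must be A records")
            continue
        if rdata in seen_ips:
            problems.append(f"{name}: IP {rdata} already used by {seen_ips[rdata]}")
        seen_ips[rdata] = name
        ptr = reverse.get(rdata)
        if ptr is None:
            problems.append(f"{name}: no PTR for {rdata}")
        elif ptr.lower() != name.lower():
            problems.append(f"{name}: PTR for {rdata} points to {ptr}")
    return problems


def render_records(name, ip):
    """The A and PTR resource records the DNS team must create for one appliance."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return f"{name}. IN A {ip}", f"{rev}. IN PTR {name}."


if __name__ == "__main__":
    for line in check_vcf_dns(APPLIANCES, FORWARD, REVERSE) or ["records OK"]:
        print(line)
    print(*render_records("sfo-m01-vc01.sfo.example.io", "10.16.2.10"), sep="\n")
```

Against a live zone the same logic applies with the forward and reverse dictionaries replaced by resolver lookups; keeping the rule set separate from the lookup is what makes it reusable for each WLD you add later.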

D. NTP

| # | FQDN | Resolves to | Notes |
|---|------|-------------|-------|
| A-1 | ntpserver.sfo.example.io | IP of source #1 | A record |
| A-2 | ntpserver.sfo.example.io | IP of source #2 | A record, same name (round-robin) |
| CN-1 | ntp.sfo.example.io | CNAME → ntpserver.sfo.example.io | This is what goes in every appliance |
| A-3 | ntp0.sfo.example.io | IP of source #1 | Optional, direct mgmt of source #1 |
| A-4 | ntp1.sfo.example.io | IP of source #2 | Optional, direct mgmt of source #2 |

  • Sources must sync to different upstream NTP servers (avoid common-mode failure).
  • AD: the PDC emulator syncs to the same external sources; the other DCs follow the domain hierarchy.
  • Two NTP entries on every appliance (the CNAME plus one direct A record such as ntp0 / ntp1).
  • Lock NTP before AD and the CA: Kerberos tolerates 5 minutes of skew by default, certificate validity checks fail on a skewed clock, and VCF bring-up validation checks time sync on every host.

E. Active Directory

| Item | Value |
|------|-------|
| AD forest root | e.g. example.io |
| Site/child domain | e.g. sfo.example.io (or N/A) |
| DC FQDNs | |
| LDAPS port reachable | Y/N (TCP 636; 3269 if you bind to the global catalog) |
| Service account for SSO bind | DN + password owner. Use a dedicated, read-only account with no privileged group membership, so a leaked bind password cannot be escalated |
| SDDC admin group | DN |
| SDDC operator group | DN |
| SDDC viewer group | DN |
| Users to pre-create | per Active Directory Inputs sheet |

TechDocs: AD is bound fleet-wide via the VCF Identity Broker — Configure an Identity Provider; prep details + gotchas in prerequisites.md.


F. Certificates

| Item | Value |
|------|-------|
| Internal CA type | Microsoft CA or OpenSSL (fleet cert management). External CA is CSR-based only: VCF won't import an externally created cert + key |
| CA root + intermediate CRT | Path / how delivered |
| CSR submission method | Web Enrollment (basic auth) / DCE-RPC / Other |
| Template name | e.g. VMware |
| Wildcard allowed? | Y/N (workbook expects per-host SAN certs) |

TechDocs: Configure a Certificate Authority for VMware Cloud Foundation — CA prerequisites (Microsoft CA Web Enrollment / OpenSSL) in prerequisites.md.


G. SMTP / SFTP / Proxy

| Service | FQDN / IP | Port | Notes |
|---------|-----------|------|-------|
| SMTP relay | | 25 | Allowlist the mgmt subnet on the relay |
| SFTP backup | | 22 | Account + path for NSX / SDDC Mgr backups. Use a dedicated account whose write access is limited to the backup path, and record the server's SSH host-key fingerprint: SDDC Manager asks for it when you configure the backup target |
| Proxy (opt.) | | 443 (or the proxy's listening port) | Only if the online depot needs a proxy |

Sign-off

Once A–G are filled and signed by the network/AD/PKI owners, move on to 02-intake.md to capture platform-side answers (hosts, sizing, passwords). The intake doc references this page rather than asking the same questions twice.