Step 2 — Intake (role-based)

Use this after the Step 1 network/DNS plan is signed off. Questions are grouped by who owns the answer, so you can send the right section to the right team and run shorter, more focused conversations.

Every question is tagged with the workbook sheet it feeds, so transferring answers is mechanical (see workbook-cell-mapping.md).

Legend:

  • [MGMT]: Deploy Management Domain sheet
  • [CFG-M]: Configure Management Domain sheet
  • [WLD]: Deploy Workload Domain sheet
  • [CFG-W]: Configure Workload Domain sheet
  • [CLU]: Deploy Cluster sheet
  • [SIZE]: Management Domain Sizing sheet
  • [PLAN]: VCF & VVF Planning sheet
  • [DAYN]: Deploy Fleet Management Day-N sheet
  • Prereq: not a workbook cell; a prerequisite to confirm before deploy day

A. Architect / Project decisions

Owner: solution architect + project lead. 30 min.

| # | Question | Sheet | Default suggestion |
|---|---|---|---|
| A1 | VCF version to deploy | [PLAN] | 9.1.0.0 |
| A2 | Operation | [PLAN] | Deploy a new VCF fleet |
| A3 | First or additional VCF instance? | [PLAN] | First instance |
| A4 | Deployment model: 3-node HA vs. single-node? | [MGMT] | HA (Three-node) |
| A5 | Appliance size: Small / Medium / Large? | [MGMT] | Medium (verify in [SIZE]) |
| A6 | Existing vCenter to import? VCF Ops? VCF Auto? | [MGMT] | All No (greenfield) |
| A7 | Storage option: vSAN-ESA / vSAN-OSA / NFS / FC? | [MGMT] | vSAN-ESA |
| A8 | vSAN Data-in-Transit encryption? | [MGMT] | Off (perf cost; turn on if compliance requires) |
| A9 | Failures To Tolerate (FTT)? | [MGMT] | 1 |
| A10 | VPC Gateway: Distributed connectivity vs. Centralized? | [MGMT] | Centralized (configured post-bringup) |
| A11 | Dual-stack (IPv4 + IPv6)? | [MGMT] | IPv4 only unless required |
| A12 | Separate VCF mgmt network from VM mgmt network? | [MGMT] | Use VM mgmt network |
| A13 | Multiple Availability Zones (stretched)? → if Yes, work 03-multi-az-prep.md | [MGMT] | No (single AZ) |
| A14 | Number of management hosts (4–16) | [MGMT] | 4 |
| A15 | Number of WLDs at GA, plus number of clusters in each | [WLD] | 1 WLD, 1 cluster |
| A16 | CEIP (telemetry) on? | [MGMT] | On |
| A17 | Which fleet components at bring-up vs. Day-2? (VCF Automation, Log Management, Ops for Networks) → 05-day2-deployments.md | [DAYN] | VCF Automation Day-2 |

B. Network team

Owner: network engineering. 60 min. Refer to Step 1 plan for raw values.

| # | Question | Sheet |
|---|---|---|
| B1 | ESX Mgmt: VLAN, MTU=1500, IPv4 gateway CIDR | [MGMT] |
| B2 | VM Mgmt: VLAN, MTU=1500, IPv4 gateway CIDR | [MGMT] |
| B3 | VCF Mgmt (if separate): VLAN, MTU, gateway CIDR | [MGMT] |
| B4 | VCF Management Services IP range — /28 (12, min) to /27 (30); lives inside the VM Mgmt subnet | [MGMT] |
| B5 | VCF Automation IP range — 5 IPs, allocate a /29; inside the VM Mgmt subnet (Shared-Network placement; for other placements see B21) | [MGMT] |
| B6 | vMotion: VLAN, MTU=9000, gateway CIDR, host IP range | [MGMT] |
| B7 | vSAN: VLAN, MTU=9000, gateway CIDR, host IP range | [MGMT] |
| B8 | ESX Host Overlay: VLAN, MTU=9000, gateway CIDR; static TEP pool (recommended) or DHCP? If static: pool range | [MGMT] |
| B9 | NSX Edge Overlay: VLAN, MTU=9000, gateway CIDR, IP range | [CFG-M] |
| B10 | NSX Edge Uplink-01: VLAN, /29 or /30, edge IP, ToR peer IP | [CFG-M] |
| B11 | NSX Edge Uplink-02: VLAN, /29 or /30, edge IP, ToR peer IP | [CFG-M] |
| B12 | NSX Edge AS number (your side of the BGP peering) | [CFG-M] |
| B13 | ToR-A / ToR-B AS numbers | [CFG-M] |
| B14 | BGP MD5 password (per peer) — optional, only if BGP authentication is enabled | [CFG-M] |
| B15 | BFD on edge uplinks? (recommended) | [CFG-M] |
| B16 | Routes to advertise / receive? | [CFG-M] |
| B17 | DHCP scope details for ESX Host Overlay (if DHCP) | [MGMT] |
| B18 | SFTP host, port, account, target path | [CFG-M] |
| B19 | Proxy (only if the online depot needs it): FQDN, port, auth? | [MGMT] |
| B20 | VPC Gateway external network (only if A10 = Distributed): VLAN, gateway CIDR | [MGMT] |
| B21 | Day-2 fleet network (if not Shared Mgmt): placement (Dedicated Mgmt / NSX Overlay Segment / NSX VLAN Segment) + networkName, subnet, gateway, IP pool, VCF Automation cluster CIDR → 05-day2-deployments.md | [DAYN] |
| B22 | Public / upstream peering (optional) — needed? If so: peer AS, peer IP, MD5, advertised/received prefixes; own uplink subnet if not sharing the Edge uplinks → 01-network-dns-plan.md §B | [CFG-M] |

C. AD / DNS / NTP team

Owner: Windows / identity / DNS admin. 30 min.

| # | Question | Sheet |
|---|---|---|
| C1 | AD forest root domain name | [CFG-M] |
| C2 | Site / child domain (if any) | [CFG-M] |
| C3 | DC FQDNs (at least two) | [CFG-M] |
| C4 | LDAPS reachable from the VM Mgmt subnet? | [CFG-M] |
| C5 | SSO bind service account (DN + password owner) | [CFG-M] |
| C6 | SDDC admin / operator / viewer AD group DNs | [CFG-M] |
| C7 | DNS server #1 / #2 IP addresses | [MGMT] |
| C8 | Default DNS suffix for VCF (e.g. sfo.example.io) | [MGMT] |
| C9 | Confirmation: every FQDN from 01-network-dns-plan.md has A+PTR | Prereq |
| C10 | NTP source #1 / #2 FQDNs (and CNAME wrapper) | [MGMT] |
| C11 | AD DCs syncing to the same NTP sources | Prereq |

D. PKI / certificate team

Owner: CA admin. 20 min.

| # | Question | Sheet |
|---|---|---|
| D1 | Internal CA type — Microsoft CA or OpenSSL (fleet cert management); external CA is CSR-based only (VCF won’t import an externally-created cert+key) | [CFG-M] |
| D2 | CA root + intermediate certificate (PEM) | [CFG-M] |
| D3 | CSR submission method (Web Enrollment / other) | [CFG-M] |
| D4 | Template name to issue VMware certs | [CFG-M] |
| D5 | SAN policy: per-host SAN or wildcard? | [CFG-M] |
| D6 | Cert validity period and renewal owner | [CFG-M] |

E. Platform / virtualization team

Owner: VMware/platform engineer. 60 min.

| # | Question | Sheet |
|---|---|---|
| E1 | VCF instance name (≥3 chars, e.g. San Francisco) | [MGMT] |
| E2 | Management domain name (e.g. sfo-m01) | [MGMT] |
| E3 | ESXi host FQDNs (Host #1 .. Host #N) | [MGMT] |
| E4 | ESXi root password (single password, all hosts) | [MGMT] |
| E5 | ESXi host iLO/iDRAC inventory (out-of-band, separate doc) | Prereq |
| E6 | vCenter FQDN + IP | [MGMT] |
| E7 | SDDC Manager FQDN + IP — the VCF Installer is deployed with this IP+FQDN (on a mgmt host) and becomes SDDC Manager | [MGMT] |
| E8 | NSX Manager VIP FQDN + IP, plus 3 node FQDNs + IPs | [MGMT] |
| E9 | VCF Operations — 3 analytics node FQDNs+IPs (primary/replica/data). Default cluster address is a floating IP (no LB). A load-balancer VIP is optional and, if used, must be an external LB (never provided by VCF) — capture the VIP FQDN+IP and put every node FQDN + the LB FQDN in the cert SAN → 05-day2-deployments.md B.1 | [MGMT] |
| E10 | VCF Automation — appliance/cluster FQDN+IP + VCF services-runtime FQDN (lowercase FQDNs only — TechDocs); nodes come from the /29 range (B5), or the non-shared placement network (B21) | [MGMT] |
| E11 | NSX Edge node 1 / 2 FQDNs + IPs | [CFG-M] |
| E12 | Cluster / vDS / DPG naming conventions | [MGMT] |
| E13 | Any VI Workload Domains at GA? → capture each in section H below | [WLD] |
| E14 | VCF fleet/services FQDNs new in 9.x — Cloud Proxy, License Server, Identity Broker, VCF services runtime, Ops for Networks platform + collector (each needs A+PTR+IP; services-runtime / fleet-services FQDNs lowercase only — TechDocs); several may be Day-2 → 05-day2-deployments.md | [MGMT] |
| E15 | VCF Automation Day-2 deployment: method (SDDC Manager API vs. via VCF Operations) + network placement (Shared Mgmt / Dedicated Mgmt / NSX Overlay Segment / NSX VLAN Segment) → 05-day2-deployments.md | [DAYN] |
| E16 | Avi Load Balancer (only if Avi is the chosen LB — e.g. for Supervisor, the Automation-HA VIP, or tenant LB; Supervisor also runs without Avi): controller size (Small / Large / XLarge), 3 controller node FQDNs+IPs + cluster VIP FQDN+IP (VM Mgmt subnet, A+PTR) → prerequisites.md | Prereq |
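A precheck for C9 (every planned FQDN has matching A and PTR records) and the lowercase rule in E10/E14, written as an added example for this intake; it is not part of the page or of any VMware tool. For each (FQDN, planned IP) pair it verifies that the A record returns exactly the planned IP, that the PTR maps back to the FQDN, and, for fleet-services names, that the FQDN is lowercase. The names, addresses and fake resolvers are constructed; pass the default resolvers to query the DNS servers from C7.

```python
import socket

def resolve_forward(fqdn):
    """IPv4 A-record lookup via the OS resolver, de-duplicated and sorted."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})

def resolve_reverse(ip):
    """PTR lookup via the OS resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_fqdns(entries, forward=resolve_forward, reverse=resolve_reverse):
    """entries: (fqdn, expected_ip, lowercase_required) tuples.
    Returns {fqdn: [problem, ...]} with only the failing entries."""
    problems = {}
    for fqdn, ip, lowercase_required in entries:
        issues = []
        if lowercase_required and fqdn != fqdn.lower():
            issues.append("FQDN must be lowercase")
        try:
            addrs = forward(fqdn)
        except OSError:
            addrs = []
        if addrs != [ip]:  # exactly one A record, and it is the planned IP
            issues.append(f"A record {addrs or 'missing'} != {ip}")
        ptr = reverse(ip)
        if ptr is None:
            issues.append("PTR missing")
        elif ptr.lower().rstrip(".") != fqdn.lower().rstrip("."):
            issues.append(f"PTR {ptr} != {fqdn}")
        if issues:
            problems[fqdn] = issues
    return problems

# Constructed offline sample (hypothetical names under the C8 suffix):
# one correct entry and one fleet-services entry with two mistakes.
SAMPLE = [("sfo-m01-vc01.sfo.example.io", "10.10.20.10", False),
          ("SFO-M01-Svc01.sfo.example.io", "10.10.20.40", True)]
FAKE_A = {"sfo-m01-vc01.sfo.example.io": ["10.10.20.10"],
          "SFO-M01-Svc01.sfo.example.io": ["10.10.20.40"]}
FAKE_PTR = {"10.10.20.10": "sfo-m01-vc01.sfo.example.io"}

def demo():
    """Run the check against the constructed sample instead of live DNS."""
    return check_fqdns(SAMPLE, forward=lambda f: FAKE_A.get(f, []),
                       reverse=FAKE_PTR.get)
```

demo() returns only the failing entries, so an empty dict means the plan is consistent.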

F. Security / passwords

Owner: security lead. 15 min.

Capture in a password manager — not in this file. The intake just confirms who owns each password so it’s available on deploy day.

| # | Component | Owner | Sheet |
|---|---|---|---|
| F1 | ESXi root | | [MGMT] |
| F2 | vCenter administrator@vsphere.local | | [MGMT] |
| F3 | vCenter root | | [MGMT] |
| F4 | SDDC Manager vcf / root / admin | | [MGMT] |
| F5 | NSX Manager admin / audit / root | | [MGMT] |
| F6 | VCF Operations admin | | [MGMT] |
| F7 | VCF Automation admin | | [MGMT] |
| F8 | NSX Edge admin / audit / root | | [CFG-M] |
| F9 | SSO bind account | | [CFG-M] |
| F10 | Backup encryption passphrase | | [CFG-M] |
| F11 | Avi controller admin / VCF Ops admin (break-glass) — only if Avi LB in scope | | Prereq |

Password policy: minimum 15 characters, mix of upper/lower/digit/special; no spaces. VMware appliances reject the characters < > & ' " in some fields — avoid them.

G. Depot / binaries

Owner: project manager / operations team. 10 min.

| # | Question | Sheet |
|---|---|---|
| G1 | Online or offline depot? | [MGMT] |
| G2 | Download Service ID (online only) | [MGMT] |
| G3 | Activation Code (online only) | [MGMT] |
| G4 | Offline depot FQDN + port (offline only) | [MGMT] |
| G5 | Proxy required? (FQDN, port, auth) | [MGMT] |

If G1 = online — or the offline flow uses the VCF Download Tool — the egress firewall / proxy (G5) must allow every entry in the Public URLs table in prerequisites.md (all outbound 443).

H. Workload Domain / Cluster

Owner: VMware / platform engineer. Repeat the whole block per VI Workload Domain, and the cluster rows (H7–H11) per additional cluster. Skip entirely if the deployment is management-domain-only at GA. New VLANs/subnets per WLD come from Step 1 (01-network-dns-plan.md).

Sizing gotcha: a WLD’s vCenter (1 IP) and NSX Manager cluster (3 nodes + VIP = 4 IPs) land on the management VM Management subnet, not the WLD’s own networks. Every extra WLD therefore consumes 5 more IPs on the mgmt VM Mgmt /24 — account for it in the Step 1 carve-out.
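An added example, not from the page, that turns the B4/B5 carve-outs and this WLD sizing gotcha into a check: it asserts the fixed ranges sit inside the VM Mgmt subnet without overlapping, then budgets the single IPs each VI WLD (and Avi, if in scope) will consume from the same subnet. The subnet, the range placements and the assumption that three addresses (network, broadcast, gateway) are unusable are constructed, not taken from the intake.

```python
import ipaddress

# Constructed sample plan (hypothetical addresses, not from the intake):
# the VM Mgmt /24 and the two fixed carve-outs the B4 and B5 rows ask for.
VM_MGMT = ipaddress.ip_network("10.10.20.0/24")
CARVE_OUTS = {
    "vcf-mgmt-services (B4, /28)": "10.10.20.16/28",
    "vcf-automation (B5, /29)": "10.10.20.32/29",
}
# Per-WLD footprint on the mgmt VM Mgmt subnet: vCenter (1) + NSX Manager
# cluster (3 nodes + VIP = 4) = 5 single IPs.
WLD_MGMT_IPS = 5


def check_carve_outs(parent, ranges, single_ips):
    """Validate fixed ranges (label -> CIDR) inside `parent` and budget the
    remaining space. `single_ips` is label -> count of individual addresses
    still to be allocated (WLD appliances, Avi controllers + VIP, ...).
    Raises ValueError for a range outside `parent` or for overlapping ranges."""
    nets = {}
    for label, cidr in ranges.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(parent):
            raise ValueError(f"{label} {net} is not inside {parent}")
        for other, onet in nets.items():
            if net.overlaps(onet):
                raise ValueError(f"{label} {net} overlaps {other} {onet}")
        nets[label] = net
    reserved = sum(n.num_addresses for n in nets.values())
    singles = sum(single_ips.values())
    # Assumption: usable = all addresses minus network, broadcast and gateway.
    usable = parent.num_addresses - 3
    return {"usable": usable, "in_ranges": reserved,
            "single_ips": singles, "free": usable - reserved - singles}


def budget(n_wlds, avi_in_scope=False):
    """Budget the constructed plan for `n_wlds` VI Workload Domains."""
    singles = {"wld vCenter + NSX (H2/H3)": n_wlds * WLD_MGMT_IPS}
    if avi_in_scope:
        singles["avi controllers + VIP (E16)"] = 4
    return check_carve_outs(VM_MGMT, CARVE_OUTS, singles)


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "WLD(s):", budget(n, avi_in_scope=True))
```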

WLD-level:

| # | Question | Sheet |
|---|---|---|
| H1 | WLD name (e.g. sfo-w01) + deployment type (full deployment with cluster) | [WLD] |
| H2 | WLD vCenter FQDN + IP, SSO domain (e.g. sfo-w01.local). vCenter IP is on the mgmt VM Mgmt subnet | [WLD] |
| H3 | NSX Manager: new instance or shared? If new — 3 node FQDNs+IPs + cluster VIP FQDN+IP (all on the mgmt VM Mgmt subnet) | [WLD] |
| H4 | NSX connectivity: Centralized or Distributed? If Distributed — external VLAN + gateway CIDR + 2 Virtual Network Appliance FQDNs/IPs (on the ESX Mgmt network) | [WLD] |
| H5 | Enable vSphere Supervisor? (requires centralized edge gateway; needs Service CIDR + control-plane IP range) | [WLD] |
| H6 | Principal storage: vSAN-ESA / vSAN-OSA / VMFS-on-FC / NFS / vVols; storage-policy FTT | [WLD] |

Cluster-level (repeat per cluster):

| # | Question | Sheet |
|---|---|---|
| H7 | Cluster name (e.g. sfo-w01-cl01), image, host FQDNs (3–16) | [CLU] |
| H8 | Per-cluster networks (own VLANs/subnets): ESX Mgmt (MTU 1500), vMotion (9000), vSAN (9000), Host Overlay TEP (9000, static pool); optional vSAN Storage Client / Storage Cluster networks | [CLU] |
| H9 | vDS layout: one vDS for all traffic, or separate secondary/tertiary vDS (e.g. dedicated vSAN / overlay). MTU 9000, 2 uplinks, LACP? | [CLU] |
| H10 | NSX host overlay: TEP VLAN + static IP-pool CIDR/range, uplink profile, transport zones | [CLU] |
| H11 | Stretched cluster? If multi-AZ, work 03-multi-az-prep.md — witness, AZ2 host networks, fault-domain mapping, per-AZ overlay | [CLU] |
| H12 | WLD password owners: WLD vCenter SSO / root, NSX admin / audit / root | [WLD] |

TechDocs references

Authoritative Broadcom pages behind the biggest intake decisions:


Closing

When every section above has answers, the workbook can be filled in one sitting. Cross-reference workbook-cell-mapping.md to know exactly which cell each answer goes into.