Deploy the appropriate NSX Edge (ESG/DLR) device according to a deployment plan
The method of deploying an Edge Services Gateway (ESG) and a Distributed Logical Router (DLR) is the same. In fact, both are NSX Edges; the difference lies in the functionality each offers.
The DLR optimizes East-West traffic in the datacenter, i.e. traffic between VMs, whereas the ESG handles North-South traffic, i.e. traffic entering or leaving the datacenter.
The ESG sits at the perimeter of your SDDC and connects to the external network; you may sometimes see the ESG referred to as the perimeter gateway. The main services provided by the ESG are:
- NAT.
- DHCP.
- Firewall.
- Load balancing.
- L2 and L3 VPNs.
Both support static routes. For dynamic routing, the ESG supports OSPF, BGP and IS-IS (IS-IS is removed in NSX 6.3 and later), whereas the DLR supports only OSPF and BGP.
We can deploy the ESG in HA mode, where two edge VMs are deployed as an active/standby pair. The control and data plane reside inside the VM, so if the active node goes down the standby VM takes over and becomes active. The default HA dead time (how long the standby waits before declaring the active node dead and taking over) is 15 seconds.
I am not covering the ESG in much detail here as there are plenty of blogs written by experts on this topic. The slide show below demonstrates how to deploy an ESG.
DLR Deployment
The DLR connects to logical switches and routes Layer 3 East-West traffic in the ESXi host kernel; the routing decision is made locally on every host, so traffic between VMs on the same host never has to leave the host to be routed. The DLR supports a maximum of 1000 logical interfaces (LIFs). A LIF connects to a logical switch (VXLAN virtual wire) or to a distributed port group (tagged with a VLAN).
The DLR has a firewall, but it applies only to the control and management traffic of the DLR control VM itself (for example the protocol address on the uplink that peers with an ESG); it does not filter the data-plane traffic that is routed in the host kernel. The slide show below gives a high-level overview of the DLR deployment steps.
Configure Default Gateway parameters
You can configure a default gateway alongside static routes and dynamic routing. The default gateway is the next hop used for any traffic whose destination does not match a more specific entry in the routing table; without one, such traffic is dropped.
The process of configuring default gateway parameters is the same for the DLR and the ESG.
To configure the default gateway on an ESG or DLR, log in to the vSphere Web Client and navigate to Networking & Security > NSX Edges. Double-click the ESG or DLR, navigate to Manage > Routing > Global Configuration, select Default Gateway and click the Edit button.
Select the appropriate vNIC and define the IP address that will act as the default gateway.
Modify the MTU and Admin Distance if required and click OK. The admin distance (1 by default for a static route) decides whether this static default wins over a default route learned dynamically, for example one that an ESG advertises with Default Originate (OSPF routes have a default admin distance of 110); the lower value is installed.
Make sure you click the Publish Changes button, otherwise the changes will not be saved.
Configure Static Routes
For smaller environments, configuring static routes is easier than configuring dynamic routing. But as the environment grows and becomes more complex, with new subnets being introduced over time, use dynamic routing to reduce the human error involved in maintaining static routes by hand.
The process of configuring static routes is similar for both ESG and DLR. To define a static route on an ESG, double-click the appropriate ESG in the NSX Edges list, navigate to Manage > Routing > Static Routes and click the green + button to add a new route.
Specify the destination network in CIDR notation, the next hop IP address, the outgoing interface and the MTU, and click OK.
Click Publish Changes.
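To make the route selection order concrete, here is a small Python model added as an example for this page (it is not NSX code): it applies longest-prefix match first and administrative distance as the tiebreaker to a constructed DLR routing table that has both a static Default Gateway and a default route learned from the ESG via OSPF. All prefixes, interface names and the ESG next hop 192.168.100.1 are made up; the administrative distances are the NSX defaults.

```python
"""Toy model of how an NSX Edge (ESG or DLR) picks a route: longest prefix
match first, administrative distance as the tiebreaker, default gateway as
the catch-all.  Constructed example for this page, not NSX code."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Default administrative distances shown in the NSX Edge routing UI.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str                           # destination network in CIDR notation
    next_hop: str                         # next hop IP; "" for a connected network
    interface: str                        # outgoing vNIC / LIF name
    source: str                           # key into ADMIN_DISTANCE
    admin_distance: Optional[int] = None  # override, e.g. the Admin Distance field

    @property
    def network(self) -> IPv4Network:
        return ip_network(self.prefix, strict=True)

    @property
    def ad(self) -> int:
        return ADMIN_DISTANCE[self.source] if self.admin_distance is None else self.admin_distance


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the route used to forward `destination`, or None when nothing
    matches (no default gateway configured: the edge drops the packet)."""
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    # Most specific prefix wins; ties are broken by the lowest admin distance.
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.ad))


# Constructed DLR routing table.  192.168.100.0/24 is the transit segment to
# the ESG (ESG at .1); 172.16.10.0/24 is a logical switch attached as a LIF.
TRANSIT_ESG = "192.168.100.1"
DLR_ROUTES = [
    Route("172.16.10.0/24", "", "lif-web", "connected"),
    Route("192.168.100.0/24", "", "uplink-transit", "connected"),
    Route("10.20.0.0/16", TRANSIT_ESG, "uplink-transit", "static"),  # coarse static route
    Route("10.20.5.0/24", TRANSIT_ESG, "uplink-transit", "ospf"),    # learned from the ESG
    Route("0.0.0.0/0", TRANSIT_ESG, "uplink-transit", "static"),     # Default Gateway, AD 1
    Route("0.0.0.0/0", TRANSIT_ESG, "uplink-transit", "ospf"),       # ESG Default Originate, AD 110
]


def which_default_wins(routes: List[Route]) -> str:
    """Report which source supplies the default route actually used."""
    chosen = lookup(routes, "8.8.8.8")
    return "none" if chosen is None else chosen.source


def with_raised_static_ad(routes: List[Route], ad: int) -> List[Route]:
    """Copy of the table with the static default's Admin Distance changed,
    as you would in the Default Gateway dialog."""
    return [
        Route(r.prefix, r.next_hop, r.interface, r.source, ad)
        if r.source == "static" and r.prefix == "0.0.0.0/0" else r
        for r in routes
    ]


if __name__ == "__main__":
    for dst in ("172.16.10.25", "10.20.5.9", "10.20.7.1", "8.8.8.8"):
        r = lookup(DLR_ROUTES, dst)
        print(f"{dst:>14} -> {r.prefix:<16} via {r.next_hop or r.interface} ({r.source}, AD {r.ad})")
    print("default from:", which_default_wins(DLR_ROUTES))
    print("default from (static AD 200):", which_default_wins(with_raised_static_ad(DLR_ROUTES, 200)))
```

The point to take away is the last two lines: with the default admin distance of 1, the static Default Gateway you configure in the dialog always beats the default route the ESG originates via OSPF, so raise the static route's Admin Distance above 110 if you want the dynamically learned default to be preferred and the static one kept only as a fallback.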
Select and configure appropriate dynamic routing protocol according to a deployment plan
NSX supports three dynamic routing protocols (IS-IS only in releases before NSX 6.3):
- Open Shortest Path First (OSPF)
- Border Gateway Protocol (BGP)
- Intermediate System to Intermediate System (IS-IS)
Dynamic routing protocols allow rapid deployment of new virtual networks: a newly attached subnet is propagated into the rest of the network and becomes reachable on the fly, without anyone editing static routes.
Configure OSPF
OSPF is a link-state dynamic routing protocol typically used within a single routing domain. Routers participating in OSPF establish peering with each other and become neighbors. Once the adjacency is established, they exchange link-state advertisements so that every router in the area holds an identical link-state database, from which each router computes its own routing table.
OSPF areas break up the network so that routers in one area receive only summarized routing information about the subnets in other areas and hold no topology information about the routers in those areas at all. As a result, routers need less CPU and memory to process the smaller link-state databases and routing tables.
In NSX you can configure OSPF dynamic routing on Distributed Logical Routers (DLRs) and between DLRs and ESGs. When configuring a DLR instance to use OSPF, make sure you have an OSPF-capable neighbour (usually the ESG) on the same subnet as the DLR uplink, since OSPF adjacencies only form between directly connected peers.
Let's start by configuring OSPF on the DLR first.
Log in to the vSphere Web Client, navigate to Networking & Security > NSX Edges, double-click the DLR edge, navigate to Manage > Routing > Global Configuration and edit Dynamic Routing Configuration to define a Router ID.
Note: The Router ID identifies a specific router within the OSPF link-state database. Router IDs must be unique across the OSPF domain; a duplicate Router ID makes two routers' advertisements collide in the database and leads to routing problems that are hard to diagnose.
Select the DLR uplink (the one connected to the ESG) and click OK.
The Router ID field will be populated with the IP of the uplink. Click Publish Changes.
Navigate to the OSPF tab and click Edit for OSPF Configuration.
Select “Enable OSPF” and specify the following:
- Forwarding Address: IP address of the DLR uplink that connects to the ESG. This is the address the ESG installs as next hop for routes learned from the DLR, so data traffic is forwarded in the kernel of each ESXi host.
- Protocol Address: A unique IP address in the same subnet as the Forwarding Address. The protocol address is used by the DLR control VM to form adjacencies with its peers; the ESG therefore peers with the protocol address but forwards to the forwarding address.
Under Area Definition, delete the default Area 51 and click the green + button to add a new area.
Specify the Area ID, select Normal as the type and set Authentication to None. (None is acceptable in a lab. In production, set Authentication to MD5 with a shared key on both the DLR and the ESG, so that a rogue host on the transit segment cannot form an adjacency and inject routes.)
Under Area to Interface Mapping, click the green + button, specify the DLR interface that connects to the ESG and select the newly created area. Click OK.
Click Publish Changes to save the settings.
Let's configure OSPF on the ESG now.
Double-click the ESG in the edges list, navigate to Manage > Routing > Global Configuration and edit Dynamic Routing Configuration to define a Router ID.
Select the ESG interface on the transit VXLAN network towards the DLR and click OK; its IP becomes the Router ID.
Click Publish Changes to save the settings.
Navigate to the OSPF tab and edit OSPF Configuration.
Select “Enable OSPF” and “Enable Default Originate” and click OK. Default Originate makes the ESG advertise a default route (0.0.0.0/0) into OSPF, so the DLR learns its way out to the external network without needing a static default gateway.
Under Area Definition, click the green + button and add an area with the same ID you added on the DLR. Select Normal as the type and set Authentication to None (or to the same MD5 key as on the DLR). The area ID, area type and authentication settings must match on both sides, otherwise the adjacency will not form. Click OK.
Under Area to Interface Mapping, click the green + button and select the vNIC interface that connects the ESG to the DLR. Also select the Area ID created in the previous step and click OK.
Click Publish Changes to save the settings.
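Before publishing it is worth verifying that the two sides mirror each other, because a mismatch only shows up later as an adjacency that never comes up. The following Python pre-flight check is an added example for this page, not NSX code: it compares a DLR and an ESG OSPF configuration field by field (Router ID uniqueness, shared subnet, placement of the DLR protocol address, area ID, area type, authentication) and flags an unauthenticated setup as a warning rather than an error. The class names, addresses (transit 192.168.100.0/24) and the key are assumptions made up for the example.

```python
"""Pre-flight check for the DLR <-> ESG OSPF peering configured above.
Compares the two sides' settings the way OSPF does before forming an
adjacency.  Constructed example for this page, not NSX code; all names,
addresses and keys are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import List, Optional


@dataclass(frozen=True)
class OspfSide:
    name: str
    router_id: str
    interface: str                 # "ip/prefixlen": Forwarding Address on the DLR, vNIC IP on the ESG
    area_id: int
    area_type: str                 # "normal" or "nssa"
    auth_type: str                 # "none", "password" or "md5"
    auth_key: Optional[str] = None
    protocol_address: Optional[str] = None   # DLR only: address the control VM peers from


def ospf_preflight(a: OspfSide, b: OspfSide) -> List[str]:
    """Return ERROR/WARNING messages; any ERROR means the adjacency will not form."""
    problems = []
    net_a, net_b = ip_interface(a.interface).network, ip_interface(b.interface).network

    if a.router_id == b.router_id:
        problems.append(f"ERROR: duplicate Router ID {a.router_id} on {a.name} and {b.name}")
    if net_a != net_b:
        problems.append(f"ERROR: {a.name} ({net_a}) and {b.name} ({net_b}) are not on the same subnet")
    for side in (a, b):
        if side.protocol_address is None:
            continue
        fwd = ip_interface(side.interface)
        proto = ip_address(side.protocol_address)
        if proto not in fwd.network:
            problems.append(f"ERROR: {side.name}: protocol address {proto} is outside {fwd.network}")
        elif proto == fwd.ip:
            problems.append(f"ERROR: {side.name}: protocol address must differ from forwarding address {fwd.ip}")
    if a.area_id != b.area_id:
        problems.append(f"ERROR: area ID mismatch: {a.name}={a.area_id}, {b.name}={b.area_id}")
    if a.area_type != b.area_type:
        problems.append(f"ERROR: area type mismatch: {a.name}={a.area_type}, {b.name}={b.area_type}")
    if (a.auth_type, a.auth_key) != (b.auth_type, b.auth_key):
        problems.append("ERROR: authentication type or key differs between the peers")
    elif a.auth_type == "none":
        problems.append("WARNING: OSPF authentication is None; any host on the transit segment "
                        "can form an adjacency and inject routes (use MD5 in production)")
    return problems


def adjacency_will_form(a: OspfSide, b: OspfSide) -> bool:
    return not any(m.startswith("ERROR") for m in ospf_preflight(a, b))


# Constructed lab: transit 192.168.100.0/24, ESG .1, DLR forwarding .2, DLR protocol .3.
DLR = OspfSide("dlr-01", "192.168.100.2", "192.168.100.2/24", 0, "normal", "md5", "ospf-s3cret", "192.168.100.3")
ESG = OspfSide("esg-01", "192.168.100.1", "192.168.100.1/24", 0, "normal", "md5", "ospf-s3cret")
# Typical mistakes: default Area 51 left on the ESG, no authentication, Router ID copied from the DLR.
ESG_WRONG = OspfSide("esg-01", "192.168.100.2", "192.168.100.1/24", 51, "normal", "none")
# The walkthrough's lab settings: everything matches but authentication is None on both sides.
DLR_LAB = OspfSide("dlr-01", "192.168.100.2", "192.168.100.2/24", 0, "normal", "none", None, "192.168.100.3")
ESG_LAB = OspfSide("esg-01", "192.168.100.1", "192.168.100.1/24", 0, "normal", "none")

if __name__ == "__main__":
    for label, pair in (("good", (DLR, ESG)), ("wrong", (DLR, ESG_WRONG)), ("lab", (DLR_LAB, ESG_LAB))):
        print(label, "forms" if adjacency_will_form(*pair) else "fails")
        for m in ospf_preflight(*pair):
            print("  ", m)
```

Run it as-is to see the three cases; the "wrong" pair reports the duplicate Router ID, the area mismatch and the authentication mismatch together, which is exactly the combination a first attempt at this walkthrough tends to produce when the default Area 51 is left in place on one side.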
Configure Border Gateway Protocol (BGP)
BGP is an exterior gateway protocol usually used at the perimeter of a datacenter. BGP exchanges reachability information between autonomous systems (AS), each identified by an AS number chosen by the operator (from the private ranges in a lab). Each router participating in BGP has a Local AS defined, as well as a remote AS defined for each of its neighbors.
A TCP session between the two gateways is established first, and then routing information is exchanged between the two devices. When creating a peering between routers, you can define prefix filters which determine which IP prefixes (subnets) are accepted or rejected from the neighbour and which IP prefixes are advertised to it.
NSX supports BGP on both DLR and the ESG.
Let’s start with configuring BGP on the DLR first.
Log in to the vSphere Web Client, navigate to Networking & Security > NSX Edges, double-click the DLR edge, navigate to Manage > Routing > Global Configuration and edit Dynamic Routing Configuration to define a Router ID.
Select the interface that connects to the ESG and click OK.
Click Publish Changes to save the settings.
Navigate to the BGP tab and edit BGP Configuration.
Select Enable BGP and specify the Local AS number.
Note: AS numbers in the private ranges 64512–65534 (16-bit) and 4200000000–4294967294 (32-bit) are reserved for private use and can be used inside the datacenter without registration.
Under Neighbors, click the green + button to specify the peering router.
Specify the IP address of the neighbour (the ESG interface on the transit network), the forwarding and protocol addresses (discussed earlier while configuring OSPF) and the AS number of the neighbour router. The neighbour dialog also has a Password field; if you set one, the ESG must be configured with the same password or the session will never open. Click OK.
Click Publish Changes to save the settings.
Let's configure BGP on the ESG now.
Log in to the vSphere Web Client, navigate to Networking & Security > NSX Edges, double-click the ESG, navigate to Manage > Routing > Global Configuration and edit Dynamic Routing Configuration to define a Router ID.
Select the ESG interface whose IP should serve as the Router ID (the transit interface towards the DLR, as for OSPF) and click OK.
Click Publish Changes to save the settings.
Navigate to the BGP tab and edit BGP Configuration.
Select Enable BGP and specify the Local AS number. This must be the AS number you entered as the remote AS in the DLR's neighbour list, otherwise the session fails with an AS mismatch.
Under Neighbors, click the green + button to add the peering router.
Specify the neighbour IP address (the DLR's protocol address, not its forwarding address) and the DLR's AS number. Click OK.
Click Publish Changes to save the settings.
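The BGP equivalent of the OSPF check is simpler but catches the two mistakes people actually make: a neighbour entry whose remote AS does not equal the other side's Local AS, and an ESG neighbour entry pointed at the DLR's forwarding address instead of its protocol address. The Python below is an added example for this page, not NSX code; it also classifies the session as iBGP or eBGP and checks that both AS numbers fall in the private ranges from the note above. The AS numbers 65001/65002, the addresses on 192.168.100.0/24 and the password are assumptions made up for the example.

```python
"""Pre-flight check for the DLR <-> ESG BGP peering configured above.  Each
side has a Local AS and a neighbour entry (IP + remote AS); the check
verifies that the two entries mirror each other.  Constructed example for
this page, not NSX code; AS numbers, addresses and password are made up."""
from dataclasses import dataclass
from typing import List, Optional

# Private AS number ranges (RFC 6996), as in the note above.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


@dataclass(frozen=True)
class BgpNeighbor:
    ip: str
    remote_as: int
    password: Optional[str] = None   # Password field in the neighbour dialog (TCP MD5)


@dataclass(frozen=True)
class BgpSide:
    name: str
    local_as: int
    peering_ip: str          # address the peer must point at: DLR protocol address, ESG vNIC IP
    neighbor: BgpNeighbor    # the entry this side has for the other router


def bgp_preflight(a: BgpSide, b: BgpSide) -> List[str]:
    """Return ERROR/WARNING messages; any ERROR means the session will not open."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        if me.neighbor.remote_as != peer.local_as:
            problems.append(f"ERROR: {me.name} expects remote AS {me.neighbor.remote_as} "
                            f"but {peer.name} is AS {peer.local_as} (OPEN rejected)")
        if me.neighbor.ip != peer.peering_ip:
            problems.append(f"ERROR: {me.name} peers with {me.neighbor.ip} but {peer.name} "
                            f"talks BGP from {peer.peering_ip}")
        if not is_private_asn(me.local_as):
            problems.append(f"WARNING: {me.name} uses public AS {me.local_as}; "
                            "use a private ASN inside the datacenter")
    if a.neighbor.password != b.neighbor.password:
        problems.append("ERROR: neighbour passwords differ; the TCP MD5 check fails and the session never opens")
    elif a.neighbor.password is None:
        problems.append("WARNING: no BGP password; anyone who can reach the peering address may attempt a session")
    return problems


def session_type(a: BgpSide, b: BgpSide) -> str:
    """iBGP when both sides share an AS, eBGP otherwise (admin distance 200 vs 20)."""
    return "iBGP" if a.local_as == b.local_as else "eBGP"


def session_will_open(a: BgpSide, b: BgpSide) -> bool:
    return not any(m.startswith("ERROR") for m in bgp_preflight(a, b))


# Constructed lab: DLR forwarding .2 and protocol .3, ESG vNIC .1, all on 192.168.100.0/24.
DLR = BgpSide("dlr-01", 65001, "192.168.100.3", BgpNeighbor("192.168.100.1", 65002, "bgp-s3cret"))
ESG = BgpSide("esg-01", 65002, "192.168.100.1", BgpNeighbor("192.168.100.3", 65001, "bgp-s3cret"))
# Common mistake: the ESG neighbour entry points at the DLR's forwarding address (.2).
ESG_FWD = BgpSide("esg-01", 65002, "192.168.100.1", BgpNeighbor("192.168.100.2", 65001, "bgp-s3cret"))
# Another: Local AS on the ESG does not match what the DLR was told to expect.
ESG_AS = BgpSide("esg-01", 65003, "192.168.100.1", BgpNeighbor("192.168.100.3", 65001, "bgp-s3cret"))

if __name__ == "__main__":
    for label, esg in (("good", ESG), ("forwarding address", ESG_FWD), ("AS mismatch", ESG_AS)):
        print(label, session_type(DLR, esg), "opens" if session_will_open(DLR, esg) else "fails")
        for m in bgp_preflight(DLR, esg):
            print("  ", m)
```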
Configure IS-IS
In my lab I am unable to demonstrate IS-IS routing as I am running NSX 6.3.5 in the lab and IS-IS was removed from NSX 6.3. To configure IS-IS, please see the VMware documentation.
Configure Route Redistribution to support a multi-protocol environment
By default, a router shares routes only with other routers running the same protocol; routes it knows from other sources (connected interfaces, static routes, another protocol) are not advertised. In a multi-protocol environment, or simply to get the DLR's connected logical switch subnets advertised to the ESG, you must configure route redistribution.
From the NSX Edges list, double-click your edge device (DLR or ESG), navigate to Manage > Routing > Route Redistribution and click Edit.
Select the protocol(s) you want to enable redistribution for and click OK.
Click Publish Changes to save the settings.
Under IP Prefixes, click the green + button and provide a name and the IP/network in CIDR format. Named prefixes let you restrict redistribution to specific subnets rather than everything the edge knows.
Under Route Redistribution Table, click the green + button and set Prefix to Any or to the named prefix you created in the previous step.
Specify the learner protocol (the protocol the routes are redistributed into), tick the appropriate Allow Learning from check boxes for the sources you want redistributed (Connected, Static, OSPF, BGP), and select Permit from the Action drop-down. A Deny rule for a named prefix, placed above the Permit Any rule, keeps that subnet from being advertised. Click OK.
Click Publish Changes to save the settings.
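To show what the Route Redistribution Table actually decides, here is a Python model added as an example for this page (not NSX code). It walks an ordered list of rules (prefix, learner protocol, Allow Learning from sources, Permit/Deny) over the routes a constructed DLR knows and returns the set that the learner protocol would advertise. Two things are assumptions of the model rather than facts taken from the page: rules are evaluated top-down with the first match deciding, and a named IP prefix matches exactly that network. The subnets, the "mgmt" prefix name and the rule sets are made up.

```python
"""Model of the Route Redistribution Table walked through above: an ordered
list of rules (prefix, learner protocol, allowed sources, permit/deny)
applied to the routes an edge knows.  Constructed example for this page,
not NSX code.  Assumes rules are evaluated top-down with the first match
winning, and that a named IP prefix matches exactly that network."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Set, Tuple

ANY = "Any"


@dataclass(frozen=True)
class RedistRule:
    prefix: str                 # ANY or the name of an entry under IP Prefixes
    learner: str                # protocol the routes are redistributed into: "ospf" or "bgp"
    allow_from: FrozenSet[str]  # Allow Learning from: subset of {"connected","static","ospf","bgp"}
    action: str                 # "permit" or "deny"


def redistributed(routes: List[Tuple[str, str]],
                  prefixes: Dict[str, str],
                  rules: List[RedistRule],
                  learner: str) -> Set[str]:
    """Return the set of route prefixes that `learner` will advertise.
    `routes` are (cidr, source) pairs; `prefixes` maps IP Prefix names to CIDRs."""
    out = set()
    for cidr, source in routes:
        net = ip_network(cidr)
        for rule in rules:
            if rule.learner != learner or source not in rule.allow_from:
                continue
            if rule.prefix != ANY and ip_network(prefixes[rule.prefix]) != net:
                continue
            if rule.action == "permit":
                out.add(cidr)
            break  # first matching rule decides; a deny simply ends evaluation for this route
    return out


# Constructed DLR: three logical switches plus a management LIF, and one static route.
DLR_ROUTES = [
    ("172.16.10.0/24", "connected"),   # web logical switch
    ("172.16.20.0/24", "connected"),   # app logical switch
    ("172.16.30.0/24", "connected"),   # db logical switch
    ("10.99.0.0/24", "connected"),     # management LIF, should stay local
    ("10.50.0.0/16", "static"),
]
PREFIXES = {"mgmt": "10.99.0.0/24"}

# No Connected rule at all: the ESG never learns the logical switch subnets.
RULES_EMPTY: List[RedistRule] = []
# Permit Any from Connected and Static into OSPF: everything goes out, management included.
RULES_PERMIT_ALL = [RedistRule(ANY, "ospf", frozenset({"connected", "static"}), "permit")]
# Deny the management prefix first, then permit everything else.
RULES_FILTERED = [
    RedistRule("mgmt", "ospf", frozenset({"connected"}), "deny"),
    RedistRule(ANY, "ospf", frozenset({"connected", "static"}), "permit"),
]
# Same two rules in the wrong order: Permit Any matches first and the deny never fires.
RULES_WRONG_ORDER = list(reversed(RULES_FILTERED))

if __name__ == "__main__":
    for label, rules in (("empty", RULES_EMPTY), ("permit all", RULES_PERMIT_ALL),
                         ("filtered", RULES_FILTERED), ("wrong order", RULES_WRONG_ORDER)):
        print(f"{label:>11}: {sorted(redistributed(DLR_ROUTES, PREFIXES, rules, 'ospf'))}")
```

The "wrong order" case is the one to remember: the table is only as good as its ordering, so put the specific Deny rules above the Permit Any rule, and check the ESG's learned routes after publishing to confirm the management subnet is absent.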
And that sums up objective 2.3 of VCAP-NV Deploy exam.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.