NSX-T: Multi-Tier Routing Architecture

In my last post I discussed about single-tier routing architecture and demonstrated how T0 gateway is able to handle both East-West & North-South routing. In this post I will explain two-tier (aka multi-tier) routing architecture. 

If you are new to NSX-T, I would recommend reading previous blog post from my NSX-T 3.0 series to gain some understanding. 

1: NSX-T Management & Control Plane Setup

2: Uplink Profiles in NSX-T

3: Transport Zones & Transport Node Profiles

4: NSX-T Data Plane Setup

5: Configure Logical Routing in NSX-T

Let’s get started.

Introduction

Two-Tier architecture is most common deployment method in production environment. It lays the foundation of Multi-Tenancy by separating T0 gateway (provider construct) from the T1 gateway (tenant construct).

In a multi-tenant environment, its the service provider who takes cares of deploying & configuring T0 gateway. Tenants are responsible for creating & managing their respective T1 gateways.

Logical Routing Connectivity

Let’s do a quick recap about components of  T0 & T1 gateway and how they interact with each other.

T0 when deployed, hosts DR & SR components. DR component is responsible for handling East-West traffic and SR component takes cares of the North-South traffic.

When T1 gateway is created and attached to edge cluster & T0 gateway, DR component gets created on T1. When stateful services are enabled on T1, SR component gets instantiated. 

  • The DR & SR components of the T0 & T1 gateway are connected to each other via an internal (Transit) link which is backed by NSX managed subnet 169.254.0.0/28
  • SR component of T1 gets attached to DR component of T0 (when we connect T1 GW to T0) via another transit link called Router Link which is backed by NSX managed subnet 100.64.0.0/16.

Tier-0 gateway connects to upstream routers via VLAN backed uplinks. T1 gateway has northbound connectivity with T0 over Router Link. T1 also have downlinks to one or more L2 segments. Workloads are placed on these segments. 

Since Router Link is created and managed by NSX-T, we don’t need to configure anything there in order to enable communication between T0 & T1. NSX-T takes care of configuring this automatically. However, we can restrict subnets from T0/T1 to be advertised to upstream routers via Route Filtering/Advertisement

Below diagram is a logical representation of two-tier routing.

In this post, I am not covering deployment steps of T0 & T1 gateways as I already covered them in earlier Post

Here is  quick tour from my lab. 

One T0 gw is deployed and it has one connected T1 gw. There are no logical segments attached directly to T0.

T1 gw deployed and is connected to T0. Also its been associated with my edge cluster. 

There are 3 logical segments connected to this T1 gw. 

These are the 3 segments that are connected to T1. 

Routing Verification

To verify routing, I connected to App01, Web01 & DB01 vm one by one and performed following test:

  • pinged default gateway
  • pinged ip of vm’s that are on different subnet than the one where source vm is placed.
  • pinged to outside world.

From all 3 vm’s, all tests were successful and thus I verified both east-west & north-south routing is working fine.

And that’s it for this post.

I hope you enjoyed reading the post. Feel free to share this on social media if it is worth sharing 🙂 

Leave a ReplyCancel reply