Introduction
VMware NSX has provided multi-tenancy capabilities to an SDDC since its inception, and there are several ways to achieve it depending on the use case. In the simplest architecture, multiple Tier-1 gateways are connected to a single Tier-0 gateway, with each Tier-1 gateway belonging to a dedicated tenant and using non-overlapping address space. Deploying a separate Tier-0 gateway per tenant is another way of achieving multi-tenancy, at the cost of additional edge resources.
Multi-tenancy without NSX VRF
The concept of VRF is not new to NSX; it has been available since NSX 3.x, and the VRF functionality has gained new features with each subsequent release.
Virtual Routing and Forwarding (VRF) lets NSX admins virtualize the routing table of a Tier-0 gateway and provides tenant separation from a routing perspective. Each tenant gets its own isolated routing and forwarding tables within a single Tier-0 gateway, and that per-tenant data plane isolation can be carried all the way to the physical network without creating a Tier-0 gateway per tenant.
VRF Architecture
VRF gateways are instantiated on an existing Tier-0 gateway in the infrastructure. A VRF gateway inherits some settings from its parent Tier-0, such as the HA mode, edge cluster, internal transit subnet and Tier-0/Tier-1 transit subnets, while every VRF keeps its own configuration for things like static routes and BGP.
VRF gateways save costly compute resources: multiple VRFs run on the same Tier-0 gateway, which reduces the number of edge clusters and edge nodes you need.
The diagram below is a sample representation of a VRF implementation in VMware NSX.
Lab Topology & BOM
I am using the following BOM in my lab for VRF configuration:
Component | Version
--- | ---
VMware vSphere | 8.0 U3e
vCenter Server | 8.0 U3e
VMware NSX | 4.2.2.x
VyOS Router | 1.5
I have implemented the following topology in the lab:
- VRF-Red connects to the physical network over BGP via VLANs 1620 & 1621
- VRF-Blue connects to the physical network over BGP via VLANs 1630 & 1631
- VRFs are also configured on the physical routers so that the Red and Blue VRFs cannot reach each other at the physical layer. Without this, both tenants' routes would land in the router's global routing table and the isolation would end at the NSX edge.
- The parent Tier-0 gateway also peers with the physical routers over BGP for non-VRF workloads.
VRF Implementation Steps
Below are high-level steps for implementing VRF:
- Create a parent Tier-0 gateway.
- Create VLAN-backed uplink segments for the VRFs.
- Create VRF gateways.
- Configure uplink interfaces on the VRF gateways.
- Configure BGP on the VRF gateways.
- Enable route redistribution on the VRF gateways.
- Create Tier-1 gateways and attach them to the VRF gateways.
- Create overlay segments and attach them to the Tier-1 gateways.
Step 1: Parent Tier-0 gateway Deployment
I already have T0 deployed in my lab, so I am skipping this step.
Step 2: Create Uplink Segments for VRF
Each VRF connects to the northbound router via VLAN-backed uplinks. These uplinks are created as trunk segments that allow only a subset of VLANs. Keep the allowed range as tight as possible: the access VLAN of every external interface you attach later must fall inside it, and a wider range than necessary only gives a misconfigured interface more VLANs it could land on.
Uplink Segment Name | VLAN Range
--- | ---
VRF-Red-Trunk | 1620-1629
VRF-Blue-Trunk | 1630-1631
In the NSX Manager UI, navigate to Networking > Segments to create the trunk uplinks.
Repeat the process for the blue VRF.
Step 3: Create VRF gateways
To create a new VRF, navigate to Networking > Tier-0 Gateways > Add Gateway and select VRF
Specify the name of the VRF gateway, select the parent Tier-0 gateway, and click Save.
Repeat the process to create other VRF gateways.
Step 4: Create VRF gateway external interfaces
For northbound connectivity, we need external interfaces on each VRF gateway: one per uplink VLAN on each edge node. With two uplink VLANs and two edge nodes, that is 4 interfaces per VRF, with each edge node hosting 2 of them.
Note: Since I have 2 VRFs in the lab, I created 8 external interfaces in total.
To create interfaces for the VRF gateway, edit the gateway and click Set under Interfaces and GRE Tunnels.
Configure the IP address for the interface and associate it with the trunk uplink segment.
Make sure to specify the Access VLAN ID for each external interface. This is the VLAN on which the interface peers with the physical router over BGP, so it must lie within the trunk segment's allowed range and must exist on the physical router, in the VRF that belongs to this tenant.
Repeat the process for creating the remaining interfaces for the VRF gateway.
Step 5: Configure BGP on the VRF Gateways
BGP on a VRF gateway is configured the same way as on a Tier-0 gateway. A VRF inherits the parent Tier-0's local AS number by default, but you can override it per VRF; whichever value you use must match the remote AS configured for that peer on the northbound router.
I am using the following BGP scheme in my lab.
Device | BGP ASN | BGP VLAN | Gateway Address
--- | --- | --- | ---
Northbound Router | 65003 | - | -
Parent Tier-0 Gateway | 65002 | VLAN 1615 & 1616 | 172.16.15.1, 172.16.16.1
VRF Red Gateway | 65006 | VLAN 1620 & 1621 | 172.16.20.1, 172.16.21.1
VRF Blue Gateway | 65007 | VLAN 1630 & 1631 | 172.16.30.1, 172.16.31.1
Expand the BGP section of the VRF gateway to configure your BGP settings.
Click the set button to configure the BGP neighbors.
Repeat the steps for configuring additional neighbors.
Validate on the northbound router that the BGP sessions for each VRF are established, checking each VRF's table separately.
Blue VRF BGP
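The validation step above is easy to do by eye for two VRFs; the script below does it for any number of them. It is an added example, not code from the original post: it parses the per-VRF BGP summary table of a VyOS/FRR router (on VyOS 1.5, something like `show bgp vrf NAME summary`; verify the exact op-mode command on your version) and reports peers that are missing, peering with the wrong AS, not Established, or showing up in the wrong VRF, which is the symptom of a VLAN bound to the wrong VRF on the router. The two summary tables are constructed in FRR's column layout, not captured from a router. The peer addresses assume the NSX-side addresses from the post's BGP table are edge node 1 and that edge node 2 uses the next address (.2) on each VLAN; the post does not state this.

```python
"""Check per-VRF BGP session state from VyOS/FRR BGP summary tables.

Added example, not from the original post. SAMPLE below is constructed in FRR's
summary layout, not captured from a router; the parser relies on column order,
not exact spacing. Edge node 2 at .2 on each VLAN is an assumption.
"""
import re

# Expected peers as seen from the router: the post's NSX-side addresses (edge 1)
# plus the assumed .2 address for edge 2, AS 65006 for Red and 65007 for Blue.
EXPECTED = {
    "red": {"172.16.20.1": 65006, "172.16.20.2": 65006, "172.16.21.1": 65006, "172.16.21.2": 65006},
    "blue": {"172.16.30.1": 65007, "172.16.30.2": 65007, "172.16.31.1": 65007, "172.16.31.2": 65007},
}

# Constructed sample output (one table per VRF). Blue has one session down and a
# stray Red peer, which is what a VLAN attached to the wrong VRF looks like.
SAMPLE = {
    "red": """\
IPv4 Unicast Summary (VRF red):
BGP router identifier 172.16.20.254, local AS number 65003 vrf-id 5
Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
172.16.20.1     4      65006       120       118        0    0    0 00:58:12            3        5 N/A
172.16.20.2     4      65006       121       118        0    0    0 00:58:11            3        5 N/A
172.16.21.1     4      65006       119       118        0    0    0 00:58:10            3        5 N/A
172.16.21.2     4      65006       119       117        0    0    0 00:58:09            3        5 N/A

Total number of neighbors 4
""",
    "blue": """\
IPv4 Unicast Summary (VRF blue):
BGP router identifier 172.16.30.254, local AS number 65003 vrf-id 6
Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
172.16.30.1     4      65007        45        44        0    0    0 00:12:01            2        5 N/A
172.16.30.2     4      65007        45        44        0    0    0 00:12:00            2        5 N/A
172.16.31.1     4      65007         0         0        0    0    0    never       Active        0 N/A
172.16.31.2     4      65007        44        44        0    0    0 00:11:58            2        5 N/A
172.16.21.1     4      65006        12        11        0    0    0 00:03:40            3        5 N/A

Total number of neighbors 5
""",
}

# A peer row starts with an IPv4 address, then BGP version 4, then the remote AS.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+4\s+(\d+)\s")


def parse_summary(text):
    """{neighbor: {"as", "state", "pfx_rcd"}} from one summary table; non-peer lines are skipped."""
    peers = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        col = line.split()[9]  # State/PfxRcd: a prefix count when Established, else the FSM state name
        up = col.isdigit()
        peers[m.group(1)] = {"as": int(m.group(2)), "state": "Established" if up else col,
                             "pfx_rcd": int(col) if up else 0}
    return peers


def check_vrf(vrf, text, expected):
    """Issues for one VRF: missing, wrong-AS or down peers, and peers that belong to another VRF."""
    seen, issues = parse_summary(text), []
    for ip, asn in expected[vrf].items():
        p = seen.get(ip)
        if p is None:
            issues.append(f"{vrf}: expected peer {ip} is missing")
        elif p["as"] != asn:
            issues.append(f"{vrf}: peer {ip} is AS {p['as']}, expected {asn}")
        elif p["state"] != "Established":
            issues.append(f"{vrf}: peer {ip} is {p['state']}, not Established")
    for ip in seen:
        if ip not in expected[vrf]:
            owner = next((o for o, peers in expected.items() if ip in peers), None)
            why = f"belongs to VRF {owner}" if owner else "is not a known peer"
            issues.append(f"{vrf}: unexpected peer {ip} {why}; check the VLAN-to-VRF binding")
    return {"ok": not issues, "issues": issues, "peers": seen}


def check_all(outputs, expected=EXPECTED):
    """Run check_vrf for every VRF in expected; a VRF with no output shows all its peers missing."""
    return {vrf: check_vrf(vrf, outputs.get(vrf, ""), expected) for vrf in expected}


if __name__ == "__main__":
    for vrf, result in check_all(SAMPLE).items():
        print(vrf, "OK" if result["ok"] else "\n  ".join(["ISSUES"] + result["issues"]))
```

Feed it the real tables by replacing `SAMPLE` with the output of the summary command per VRF. The "unexpected peer" check is the one worth keeping in a periodic job: a session that establishes in the wrong VRF still works from the tenant's point of view, so nothing else will flag it.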
Step 6: Enable Route Redistribution on the VRF Gateway
To advertise networks from the VRF gateways to the northbound router, configure route redistribution.
Edit the VRF gateway, expand Route Redistribution, and click Set.
Select the Tier-0/Tier-1 route types that should be advertised to the physical network and click Apply. Everything redistributed here leaves NSX over the VRF's own BGP sessions, so advertise only what that tenant needs northbound.
Step 7: Create Tier-1 gateways and connect them with VRF gateways
To create a Tier-1 gateway, navigate to Networking > Tier-1 Gateways and click Add Tier-1 Gateway.
Specify the gateway name and attach it to the VRF gateway.
Under Route Advertisement, select the routes that will be advertised to the connected VRF gateway, then click Save.
Repeat the steps to create Tier-1 gateways for the other tenants.
Step 8: Create overlay segments.
Create overlay segments for the tenants so that they can attach their workloads to the created segments.
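The eight steps above are all clicks in the NSX Manager UI. The script below is an added example, not code from the original post or from VMware, that builds the same objects through the NSX Policy API (PATCH calls under /policy/api/v1) so the procedure can be repeated per tenant and reviewed before it is applied. It uses the post's values for trunk ranges, access VLANs, ASNs and NSX-side addresses; everything else is an assumption and is labelled as such in the code: the parent Tier-0 id `T0-Parent`, a locale service called `default`, placeholder edge node and transport zone paths, every uplink VLAN being a /24 on which the post's listed address is edge node 1, edge node 2 is .2 and the physical router is .254, and invented Tier-1 names and overlay subnets. Two checks a practitioner wants are built in: an external interface whose access VLAN is not allowed on its trunk segment is rejected, and two VRFs whose trunk segments share a VLAN are rejected outright.

```python
"""NSX Policy API calls for steps 2-8 of this post, one VRF at a time.

Added example, not code from the original post or from VMware. Assumed, not
from the post: ids T0-Parent and "default" (locale service), edge node and
transport zone paths (placeholders), every uplink VLAN is a /24 where the
post's address is edge 1, edge 2 is .2 and the physical router is .254,
and the Tier-1 names and overlay subnets.
"""
import base64, json, ssl, urllib.request

EP = "/infra/sites/default/enforcement-points/default"
VLAN_TZ, OVERLAY_TZ = f"{EP}/transport-zones/VLAN-TZ-ID", f"{EP}/transport-zones/OVERLAY-TZ-ID"  # placeholders
EDGES = [f"{EP}/edge-clusters/EC-ID/edge-nodes/EN{n}-ID" for n in (1, 2)]  # placeholders
PARENT_T0, UPSTREAM_AS = "T0-Parent", 65003  # assumed parent id; router ASN from the post

# Trunk ranges, access VLANs, ASNs and /24 prefixes follow the post's tables; the rest is invented.
VRFS = [
    {"id": "VRF-Red", "trunk": "VRF-Red-Trunk", "trunk_vlans": ["1620-1629"], "local_as": 65006,
     "uplinks": [(1620, "172.16.20"), (1621, "172.16.21")], "tier1": "T1-Red", "overlay": ("Red-App", "10.20.10.1/24")},
    {"id": "VRF-Blue", "trunk": "VRF-Blue-Trunk", "trunk_vlans": ["1630-1631"], "local_as": 65007,
     "uplinks": [(1630, "172.16.30"), (1631, "172.16.31")], "tier1": "T1-Blue", "overlay": ("Blue-App", "10.30.10.1/24")},
]

def expand(ranges):
    """Expand trunk ranges like ["1620-1629", "1700"] into the set of VLAN ids they allow."""
    vlans = set()
    for r in ranges:
        lo, _, hi = r.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_overlap(vrfs):
    """VLAN ids allowed on more than one VRF's trunk segment: a shared VLAN is a cross-tenant path."""
    owners = {}
    for v in vrfs:
        for vlan in expand(v["trunk_vlans"]):
            owners.setdefault(vlan, []).append(v["id"])
    return sorted((vlan, ids) for vlan, ids in owners.items() if len(ids) > 1)

def build_vrf_calls(v):
    """Ordered (policy path, body) pairs to PATCH for one VRF; raises if an access VLAN is off the trunk."""
    t0, seg = f"/infra/tier-0s/{v['id']}", f"/infra/segments/{v['trunk']}"
    ls = f"{t0}/locale-services/default"
    calls = [
        (seg, {"display_name": v["trunk"], "vlan_ids": v["trunk_vlans"], "transport_zone_path": VLAN_TZ}),  # step 2
        (t0, {"display_name": v["id"], "vrf_config": {"tier0_path": f"/infra/tier-0s/{PARENT_T0}"}}),  # step 3
        # Step 6: the locale service (edge cluster is inherited from the parent, so not set) carries redistribution.
        (ls, {"route_redistribution_config": {"bgp_enabled": True, "redistribution_rules": [
            {"name": f"{v['id']}-redist", "route_redistribution_types": ["TIER0_CONNECTED", "TIER1_CONNECTED"]}]}}),
        (f"{ls}/bgp", {"enabled": True, "ecmp": True, "local_as_num": str(v["local_as"])}),  # step 5: per-VRF local AS
    ]
    allowed = expand(v["trunk_vlans"])
    for vlan, net in v["uplinks"]:
        if vlan not in allowed:
            raise ValueError(f"{v['id']}: access VLAN {vlan} is not allowed on trunk {v['trunk']}")
        edge_ips = [f"{net}.{1 + i}" for i in range(len(EDGES))]  # assumed: edge 1 at .1, edge 2 at .2
        for i, (edge, ip) in enumerate(zip(EDGES, edge_ips)):  # step 4: one interface per VLAN per edge node
            calls.append((f"{ls}/interfaces/{v['id']}-edge{i + 1}-vlan{vlan}",
                          {"type": "EXTERNAL", "segment_path": seg, "edge_path": edge, "access_vlan_id": vlan,
                           "subnets": [{"ip_addresses": [ip], "prefix_len": 24}]}))
        calls.append((f"{ls}/bgp/neighbors/{v['id']}-vlan{vlan}",  # step 5: router assumed at .254; each edge uses its own IP
                      {"neighbor_address": f"{net}.254", "remote_as_num": str(UPSTREAM_AS), "source_addresses": edge_ips}))
    name, gw = v["overlay"]  # steps 7-8: Tier-1 on the VRF advertising connected routes, plus one overlay segment
    calls.append((f"/infra/tier-1s/{v['tier1']}",
                  {"display_name": v["tier1"], "tier0_path": t0, "route_advertisement_types": ["TIER1_CONNECTED"]}))
    calls.append((f"/infra/segments/{name}", {"display_name": name, "connectivity_path": f"/infra/tier-1s/{v['tier1']}",
                                              "transport_zone_path": OVERLAY_TZ, "subnets": [{"gateway_address": gw}]}))
    return calls

def build_all(vrfs=VRFS):
    """Calls for every VRF, refusing to build anything if two VRF trunks share a VLAN."""
    if trunk_overlap(vrfs):
        raise ValueError(f"trunk VLAN shared between VRFs: {trunk_overlap(vrfs)}")
    return [c for v in vrfs for c in build_vrf_calls(v)]

def apply(base_url, user, password, calls, verify_tls=True):
    """PATCH each call to NSX Manager's Policy API (run only against a manager you own)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: accept the manager's self-signed certificate
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    for path, body in calls:
        req = urllib.request.Request(f"{base_url}/policy/api/v1{path}", data=json.dumps(body).encode(), method="PATCH",
                                     headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            resp.read()

if __name__ == "__main__":
    print(json.dumps(build_all(), indent=2))  # review the calls, then apply(...) them
```

Run it without arguments to print the full list of calls as JSON and diff it against what the UI shows; call `apply("https://nsx-manager", "admin", password, build_all())` only once the placeholders hold real object paths. The order matters: the locale service is patched before the interfaces and BGP neighbors that hang off it, and the Tier-1 is created after the VRF it attaches to.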
And that’s it for this post. In the next post, I will discuss traffic flow for VRF gateways.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.