NSX-T Lab – Part 5

Hi there again! I’ve made some good progress with my NSX-T lab deployment, but there’s still a lot to do!

The plan

Back in part three I made a high-level plan for the NSX data plane deployment. Let’s have a look:

  1. Prepare the vSphere distributed switch – part three
  2. Configure transport zones – part three
  3. Create logical switches – part three
  4. Prepare & configure ESXi hosts – part four
  5. Deploy & configure Edge VMs –part four
  6. Configure routing

Things are working out pretty well so far so I’ll simply stick to this plan and go on with setting up NSX routing.

Tier-0 logical router

The Tier-0 logical router acts as a gateway service between the logical and physical network. A Tier-0 logical router has downlink ports to Tier-1 logical routers and uplink ports that connect to the external network. Tier-0 logical routers support things like BGP dynamic routing and ECMP.

Deploying the Tier-0 logical router

No reason to wait. In NSX Manager I navigate to Networking > Routing:

Here I’m clicking on the “+Add” button and choose “Tier-0 Router”:

I’m calling the Tier-0 router “tier-0-01” and select the Edge cluster I created in part four. I’m leaving the high-availability mode at the default “Active-Active” meaning that traffic is load balanced across all members of the Edge cluster.

Creating Tier-0 router ports

With the Tier-0 router deployed I will now create four router ports (of which two will be used at this point). I click the “tier-0-01” logical router and navigate to Configuration > Router Ports:

Clicking the “+Add” button brings up the following form:

I will use these are settings for the four router ports in my lab:

SettingRouter Port #1Router Port #2Router Port #3Router Port #4
Namerp-uplink01-tn-edge-01rp-uplink02-tn-edge-01rp-uplink01-tn-edge-02rp-uplink02-tn-edge-02
TypeUplinkUplinkUplinkUplink
MTU1500150015001500
Transport Nodetn-edge-01tn-edge-01tn-edge-02tn-edge-02
URPF ModeStrictStrictStrictStrict
Logical Switchls-uplink01ls-uplink02ls-uplink01ls-uplink02
Logical Switch Port Namesp-uplink01-tn-edge-01sp-uplink02-tn-edge-01sp-uplink01-tn-edge-02sp-uplink02-tn-edge-02
IP Address/mask172.27.11.2/24172.27.12.2/24172.27.11.3/24172.27.12.3/24

The four router ports once they are created:

As you can see each Edge transport node has two uplink router ports.

Configuring Tier-0 dynamic routing

In my lab I will use BGP dynamic routing between Tier-0 and pfSense. On the Tier-0 router navigate to Routing > BGP:

First I enable BGP and ECMP and set the local AS to 65000:

Next I’m going to add the BGP neighbor by clicking the”+Add” button under “Neighbors”:

The neighbor address is 172.27.11.1 and the remote AS is 65001 as configured on the pfSense. I also modify the values for “keep alive” and “hold down” to 4 and 12 seconds respectively.

Under “Local Address” I will only select the two router ports in VLAN 2711 for now:

Note that the IP addresses of the Tier-0 uplink router ports have already been added as BGP neighbors in the pfSense configuration.

Finally, under “Address Families” I add and enable “IPV4_UNICAST”:

The BGP neighbor has now been configured:

The last thing I want to enable on the Tier-0 router is route redistribution. I click on Routing > Route Redistribution:

I create a new criteria called “redist-all” and select all sources:

This ensures that the Tier-0 will redistribute routes from all available sources.

Verifying Tier-0 dynamic routing

Let’s start by checking if the BGP neighbor connection status looks healthy. I select the “tier-0-01” router and click on Actions > Generate BGP Summary:

This generates a list with the current neighbor connection status:

To verify that routes are received from the pfSense router, I log in to one of the Edge VMs and run the following commands:

get logical-routers

Listing the logical router instances on the Edge VM. It’s VRF 3 (service router) I’m interested in. Changing to VRF 3’s context:

vrf 3

And now I run:

get route

This command lists the routes in the VRF 3 context. I can see a number of routes coming from the pfSense router via BGP (b).

To test actual traffic flow I ping an IP addresses located in the physical network from within the VRF 3 context:

It looks like North-South traffic flow is operational!

Diagram

Let’s finish with a diagram of the routing topology I built so far:

Availability? Not really, but this is a lab environment. I do not recommend using this setup in a production environment. I will deploy another pfSense router and create additional BGP peerings to make my lab look more like a production deployment, but that’s for another time. 😉

Conclusion

In this part I deployed the Tier-0 logical router and configured North-South dynamic routing. After some basic verification and testing things seem to be working.
This piece of NSX infrastructure is critical when it comes to logical networks being able to communicate with the physical network and vice versa.

In the next part I will continue setting up routing by deploying a Tier-1 logical router and some logical L2 networks.

One thought on “NSX-T Lab – Part 5

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s