NSX-T Lab – Part 6


Welcome to the final part of this series. We’ve come a long way.
After configuring North-South dynamic routing between the Tier-0 logical router and the “physical” (pfSense) router in part 5, it’s now time to add a Tier-1 logical router and some logical switches.

Tier-1 logical router

The purpose of Tier-1 routers is to facilitate true multi-tenancy in the NSX platform. Tenants have their own T1 routers that connect to an administrator’s T0 router. Changes in the physical network do not necessarily affect tenants’ Tier-1 routers.

Multi-tenancy with T1 routers

A Tier-1 logical router needs to be connected to a Tier-0 logical router to get northbound access to the physical router. The connection between T1 and T0 is established over a special routerlink. This link is assigned a /31 subnet within the reserved address space (RFC 6598).

Deploying the Tier-1 logical router

In NSX Manager I navigate to Networking > Routing. Click on the “+ Add” button and choose “Tier-1 Router”:

A couple of things need to be specified here. I’m calling my T1 “tier-1-01” and pick the “tier-0-01” Tier-0 router I created in part 5. I also need to pick an Edge cluster, Failover Mode, Edge cluster members (Edge transport nodes), and a preferred member.

Clicking “Add” deploys the Tier-1 router.

When clicking on the new Tier-1 router and having a look under Configuration > Router Ports I can see the special router port used for the routerlink to the Tier-0 router:

Logical networks created in NSX should be advertised to the Tier-0 and ultimately the physical router. For this to happen I need to configure Routing > Route Advertisement:

Here I choose to advertise everything that is available.

And that’s it for the basic configuration of my Tier-1 router. The logical router topology looks like this at this point:

Creating Tier-1 downlink ports

Downlink ports are Tier-1 router ports connecting to logical switches. They serve as default gateways for the virtual machines that are in the same subnet.

I will create three downlink ports for now, one for each of the classic three-tier network segments: web, app, and db.

On the Tier-1 router I once again navigate to Configuration > Router Ports. Adding the first router port called “rp-web”:

As you can see, I configured an IP address for this interface. It’s basically here I decide that the web IP subnet is

You may have noticed that I also created a new logical switch called “ls-web” in the process. It’s configured like this:

The logical switch is part of the “overlay01” transport zone. No surprise here.

I repeat these steps to create the “rp-app” and “rp-db” router ports and their associated logical switches.

Downlink router ports
Logical switches

The topology with the logical switches attached to the Tier-1 router:

Looking at the Tier-1 router under Routing > Route Advertisement I can see that my three subnets are being advertised:

Verifying routing

Let’s see if the distributed router on the Tier-0 has these networks in its forwarding table. I log in to the CLI of one of the Edge VMs and change to the Tier-0 DR context:

get logical-router
Listing the logical routers

The Tier-0 DR is living in VRF 6.

vrf 6
get forwarding

There are, among others, the three IP subnets associated with my newly created router ports. I see that the routerlink subnet is used to get to the logical networks which seems to make sense.
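
Because the Tier-1 is set to advertise everything, any segment attached to it later also goes northbound, so it is worth comparing the forwarding table against the list of segments that are meant to be reachable. The following is an added example, not part of the original post: a small Python audit that checks the routerlink is a /31 in RFC 6598 space and sorts routes into missing, wrong next hop, and unexpected. The function names, all addresses and the (prefix, next hop) input format are assumptions constructed for illustration; it does not parse real NSX-T CLI output.

```python
import ipaddress

# RFC 6598 shared address space; the T0-T1 routerlink /31 is carved from it.
RFC6598 = ipaddress.ip_network("100.64.0.0/10")

def check_routerlink(cidr):
    """Return the routerlink network, or raise if it is not a /31 in RFC 6598 space."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen != 31 or not net.subnet_of(RFC6598):
        raise ValueError(f"{cidr} is not a /31 inside {RFC6598}")
    return net

def audit_routes(routes, expected, routerlink):
    """Compare (prefix, next_hop) pairs with the prefixes the Tier-1 should advertise."""
    link = check_routerlink(routerlink)
    wanted = {ipaddress.ip_network(p) for p in expected}
    seen = {ipaddress.ip_network(p): ipaddress.ip_address(h) for p, h in routes}
    via_link = {net for net, hop in seen.items() if hop in link}
    return {
        # An expected segment never reached this router.
        "missing": sorted(str(n) for n in wanted - set(seen)),
        # An expected segment is present but not reached over the routerlink.
        "wrong_next_hop": sorted(str(n) for n in (wanted & set(seen)) - via_link),
        # Reached over the routerlink, but not on the list of intended segments.
        "unexpected": sorted(str(n) for n in via_link - wanted),
    }

# Constructed sample data (assumed values, not taken from the lab in this post).
ROUTERLINK = "100.64.80.0/31"
EXPECTED = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]  # web, app, db
ROUTES = [
    ("0.0.0.0/0", "169.254.0.2"),        # default route, not via the routerlink
    ("172.16.10.0/24", "100.64.80.1"),
    ("172.16.20.0/24", "100.64.80.1"),
    ("172.16.30.0/24", "100.64.80.1"),
    ("172.16.99.0/24", "100.64.80.1"),   # segment nobody intended to advertise
]

if __name__ == "__main__":
    for kind, prefixes in audit_routes(ROUTES, EXPECTED, ROUTERLINK).items():
        print(f"{kind}: {prefixes or 'none'}")
```

The same comparison can be repeated against the routes learned on the physical router to confirm that only the intended tenant prefixes leave the NSX domain.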

Let’s also have a look at the Tier-0 SR context:

vrf 3
get forwarding

Beautiful! My new networks ended up all the way there too. As you can see, the Tier-0 SR uses the intra-tier transit link as the gateway to get to these networks. This is also as expected.

The million dollar question is: Are my new logical networks known on the physical network? Let’s check the forwarding table at my pfSense:

Absolutely. I’m seeing my three IP subnets in pfSense’s forwarding table. I can even ping the Tier-1 “rp-web” router port from the pfSense:

So this is where the NSX admin takes a step back and the VI admin comes in and starts deploying VMs on the new logical networks. 😉

Connecting a virtual machine

Speaking of which, how do I connect a VM to an NSX-T port group? It turns out to be really easy. NSX-T logical networks show up as N-VDS port groups in vCenter:

And therefore connecting a VM to an NSX-T logical network is done the usual way:


That’s it! This was a very basic NSX-T deployment in 6 parts. I hope you enjoyed it. There is much more to look at and configure in NSX-T, but the main platform is in place.

From here it will be about enabling features and possibly scaling out a bit. I expect to return to this lab environment in coming blog posts.

One thing that happened while I was writing the series was the NSX-T 2.4 release. There are a bunch of new features and improvements in version 2.4 and my next blog post might very well be about upgrading this environment to 2.4. Stay tuned!


  1. Hey! Would have loved to see more network diagrams with every step as you progress, makes it easier to wrap my mind around the whole thing, especially as the whole terminology is also pretty new to me. Do you think you might be able to add that for every step?


  2. Hi Rutger

    Thanks for this useful post. I’ve just started my journey with NSX-T. I’m starting my lab but I have only one ESXi with 24GB RAM. Do you think I can build a good lab with nested clusters/nodes anyway? I’m afraid it’s not enough and maybe I need other ESXi hosts and resources.

