Objective 5.4 – Configure and manage Logical Routers

Principles

  • Install NSX Edge
  • Understand how to connect/disconnect a Logical Switch from a logical router
  • Understand and describe the different types of router interfaces
  • Determine NSX components needed to build out topologies with logical routers
  • Understand how to add and configure a new logical router
  • Determine use case for and configure a management interface
  • Determine use case for and configure High Availability for a logical router
  • Configure routing protocols
    • Static
    • OSPF
    • BGP
    • IS-IS
  • Configure default gateway
  • Determine if cross-protocol route sharing is needed for a given NSX implementation
  • Understand how to configure administrative distances for routing
  • Understand configuration differences between iBGP and eBGP
  • Understand and configure route redistribution

References

  1. NSX Administration Guide

http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf

  2. NSX Installation Guide

https://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_install.pdf

Install NSX Edge

  • Go to “Networking and Security -> NSX Edges” and click Add
  • Select the Install Type: Edge Services Gateway or Logical (Distributed) Router; in a cross-vCenter deployment a Logical Router created on the primary NSX Manager can be made Universal
    • For Universal Logical Routers, select whether Local Egress is required
  • Tick “Deploy Edge Appliance” to deploy the Edge VM. On a DLR this is the Control VM, which is needed for dynamic routing and HA (a DLR that only uses static routes can run without it). At least one appliance must be deployed, 2 for HA. Settings required per appliance are:
    • Cluster/Resource Pool
    • Datastore
    • Host (optional)
    • Folder (optional)
  • On DLRs, only IPv4 addressing is supported
  • The HA Interface should be placed in a dedicated Logical Switch (VXLAN) and takes its IP from the link-local 169.254.0.0/16 range (169.254.1.1/30 and 169.254.1.2/30 by default unless overridden)
  • A Logical Router must have at least one Internal Interface configured before it can be deployed
  • At least one “Uplink” interface is required for dynamic routing configuration
  • Enable automatic VM startup and shutdown on all hosts in the Edge cluster so that appliances come back after a host reboot

Understand how to connect/disconnect a Logical Switch from a logical router

  • From the Edge’s Manage tab, select Settings -> “Interfaces”
  • Click on the Edit icon against the Interface to be configured
  • Select the Interface type – Internal or Uplink
  • Click Select next to the “Connected To” field and pick:
    • A Distributed or Standard Port Group for a VLAN backed Interface
    • A Logical Switch for a VXLAN backed Interface
  • To disconnect, edit the same Interface and change or clear its “Connected To” selection

Understand and describe the different types of router interfaces

  • An ESG can have up to 10 Internal, Uplink and Trunk Interfaces combined (vNICs on the appliance)
  • Internal Interfaces:
    • For VM->VM “East-West” communication
    • Created as pseudo vNICs on the DLR (Logical Interfaces – LIFs)
    • Maximum of 991 Logical Interfaces per DLR
  • Uplink Interfaces:
    • For “North-South” communication
    • Can connect to an ESG, a VLAN backed port group or a 3rd party VM
    • Created as vNICs on the Logical Router virtual appliance (Control VM), which is why dynamic routing peers over an Uplink
    • Maximum of 8 Uplink Interfaces per DLR
  • DLR -> ESG Connection (over a transit Logical Switch):
    • DLR Interface = Uplink
    • ESG Interface = Internal
  • Trunk Interfaces (ESG only)
    • Type = Internal
    • 2 Types
      • VLAN
      • VXLAN – from NSX 6.1 onwards
    • Requires the configuration of Sub-Interfaces
    • Sub-Interfaces can be used by:
      • DHCP
      • BGP Routing
      • Load Balancer
      • IPsec VPN
      • L2 VPN
    • Sub-Interfaces cannot be used for HA or the Logical Firewall
      • The IP Address assigned to a Sub-Interface can however be used in a Firewall rule

Determine NSX components needed to build out topologies with logical routers

  • NSX Controllers (for route distribution: the Control VM hands learned routes to the Controller cluster, which pushes them to the kernel modules on the hosts – the Controllers do not perform ARP resolution for the DLR)
  • Logical Switches (including a transit Logical Switch between DLR and ESG)
  • ESGs for North-South traffic
  • Optionally, the Distributed Firewall for E-W traffic

DLR Interfaces

  • Uplink: Connects to the physical network – usually a VLAN but can also be connected to a VXLAN. If connected to a VLAN backed distributed port group, this Interface has a Physical MAC Address (pMAC) that is unique per host
  • Internal: Connects a Logical Switch – VXLAN. Interfaces of this type have a Virtual MAC Address (vMAC). The vMAC is the same on every host the DLR is configured on, so a VM keeps the same gateway MAC after vMotion
  • LIF: Logical Interface connecting to a VXLAN. When configuring a DLR, it is referred to as an Internal Interface (see above)
  • Management: No longer supported as of NSX 6.2 – use the DLR Protocol IP for remote management
  • vdr Port (Logical Router Port): Special dvPort connected to the logical router kernel module on the ESXi host. All routed traffic passes through it and it has a pMAC associated with it

ARP Tables

  • The DLR maintains an ARP table per LIF
  • ARP resolution is conducted by flooding requests to the VTEPs that are members of the Logical Switch
  • A separate ARP table is maintained per host, i.e. tables are not synchronised across hosts

Understand how to add and configure a new logical router

See 1.3 (the “Install NSX Edge” steps above, which cover the router type, appliance placement, Interfaces and HA)

Determine use case for and configure a management interface

  • Management Interfaces can be useful for troubleshooting
  • In previous releases of NSX the HA Interface was known as the Management Interface
    • The HA Interface is not reachable from outside its local subnet
    • Configuring a static route out of the HA Interface is discouraged as it would break reverse path filtering
  • There is no longer a dedicated Management Interface on a Logical Router
  • Use the Protocol Address of the dynamic routing configuration for management (SSH/CLI access to the Control VM)

Determine use case for and configure High Availability for a logical router

  • HA is used to provide automated failover in the event of a failure of the active appliance
  • For a Logical Router, this means continuation of packet forwarding following an outage of the Control VM
  • Careful tuning of routing protocol timers is needed to minimise an outage: if dead/hold timers expire before the standby takes over, neighbours withdraw the routes
  • Packet forwarding continues in the hypervisor kernel during failover (the data path does not depend on the Control VM), but routing adjacencies may be withdrawn during the failover
  • To configure HA, deploy 2 VMs during DLR edge deployment and configure the HA Interface by placing it into a dedicated Logical Switch

Configure routing protocols

Static

  • Go to the Edge -> Manage -> Routing Tab and select “Static Routes” on the left hand panel
  • Click Add and enter the configuration parameters:
    • Destination Network in CIDR format e.g. 192.168.20.0/24
    • Next Hop IP Address (must be directly reachable, i.e. on the subnet of the selected Interface)
    • If ECMP is enabled, multiple next hops may be entered
    • Interface to apply on
    • MTU (usually 1500 and limited to the max MTU configured on the Edge)
    • Admin Distance: 1-255. Lower distance = Higher preference
    • Locale ID (Optional)
      • Required only if using Local Egress
      • Default = Locale ID of the NSX Manager
      • Routes are only sent to hosts with a matching Locale ID
    • Description (Optional)

OSPF

  • First configure the Router ID in Edge -> Manage -> Routing -> Global Configuration -> Router ID
    • Defaults to the first Uplink Interface IP but can be overridden
  • Go to the Edge -> Manage -> Routing Tab and select “OSPF” on the left hand panel
  • Click Edit and enter the configuration parameters (DLR only; an ESG peers from its Interface address):
    • Forwarding Address: IP in the data path for packet forwarding
    • Protocol Address: IP used for route peering
  • Click Add in “Area Definitions” to add an OSPF Area and enter parameters:
    • Area ID: IP or decimal number
    • Type: Normal or NSSA
    • Authentication (Optional): None, Password, MD5 (+MD5 password)
  • Click Add in “Area to Interface Mapping” to map an Interface to an Area:
    • Hello Interval (optional, default 10 seconds)
    • Dead Interval (optional, default 40 seconds)
    • Priority (default 128): the Interface with the highest priority becomes the Designated Router; 0 makes it ineligible
    • Cost (Optional, default 1): inversely proportional to the bandwidth of an Interface

BGP

  • First configure the Router ID in Edge -> Manage -> Routing -> Global Configuration -> Router ID
    • Defaults to the first Uplink Interface IP but can be overridden
  • Go to the Edge -> Manage -> Routing Tab and select “BGP” on the left hand panel
  • Click Edit and enter the configuration parameters:
    • Graceful Restart: allows packet forwarding to continue while the BGP process restarts
    • Default Originate: advertise this router as the default route to neighbours
    • Local AS
  • Click Add in the Neighbors section and configure for each one:
    • Forwarding Address (DLR only): IP in the data path for packet forwarding
    • Protocol Address (DLR only): IP used for route peering. An ESG neighbour entry takes just the neighbour’s IP Address
    • Remote AS (equal to the Local AS for iBGP, different for eBGP)
    • Default Weight (default 60)
    • Hold Down Timer (default 180 seconds)
    • Keep Alive Timer (default 60 seconds)
    • Authentication (Password)
    • Route Filters per neighbour (Optional)

IS-IS

  • First configure the Router ID in Edge -> Manage -> Routing -> Router ID
    • Defaults to first uplink Interface IP but can be overridden
  • Go to the Edge -> Manage -> Routing Tab and select “IS-IS” on left hand panel
  • Click Edit and enter the configuration parameters:
    • System ID
    • Type: Level 1, Level 2 or Level 1-2
    • Domain Password
    • Area Password
  • Configure IS-IS Areas
  • Configure Interface Mapping:
    • Circuit Type (Level1, 2 or 1-2)
    • Hello Interval
    • Hello Multiplier
    • LSP Interval
    • Metric
    • Priority
    • Mesh Group
    • Authentication Password

Configure default gateway

  • Go to the Edge -> Manage -> Routing Tab and ensure “Global Configuration” is selected on the left hand panel
  • Click Edit in the Default Gateway panel and enter the configuration parameters:
    • Interface
    • IP Address
    • MTU
    • Admin Distance
    • Description
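As an added example (not from this guide or from VMware), the Python below builds the XML body that NSX Manager’s REST API takes for the Static Routes and Default Gateway configured above, and enforces the same rules as the UI before anything is sent: CIDR destination, directly reachable next hop, admin distance 1-255, MTU capped at the Edge’s interface MTU. The REST path, element names and the comma-separated form for ECMP next hops are the author’s reading of the NSX 6.2 API guide and should be checked against the guide for your release; the addresses, subnets and vNIC index are constructed. Actually sending the document (an HTTP PUT with NSX admin credentials over TLS verified against the NSX Manager certificate) is left to the caller.

```python
# Added example, not code from this guide or from VMware: build the XML body for
#   PUT https://<nsx-manager>/api/4.0/edges/<edgeId>/routing/config/static
# (the NSX 6.2 REST call behind the "Static Routes" and "Default Gateway" panels)
# and check the same rules the UI enforces before sending it. Element names are the
# author's reading of the NSX 6.2 API guide; addresses and subnets are constructed.
import ipaddress
import xml.etree.ElementTree as ET

EDGE_MAX_MTU = 1500  # assumption: the MTU configured on the Edge's interfaces


def check_route(network, next_hop, vnic_address, admin_distance=1, mtu=EDGE_MAX_MTU):
    """Validate one route the way the UI does and return the parsed destination.

    network      -- destination in CIDR form ("192.168.20.0/24", "0.0.0.0/0")
    next_hop     -- gateway address; must be on the subnet of the chosen interface
    vnic_address -- the Edge's own address on that interface, e.g. "10.0.0.2/24"
    """
    net = ipaddress.ip_network(network, strict=True)   # rejects "192.168.20.5/24"
    nh = ipaddress.ip_address(next_hop)
    vnic = ipaddress.ip_interface(vnic_address)
    if nh not in vnic.network:
        raise ValueError(f"next hop {nh} is not directly reachable on {vnic.network}")
    if nh == vnic.ip:
        raise ValueError("next hop must not be the Edge's own interface address")
    if not 1 <= admin_distance <= 255:
        raise ValueError("admin distance must be between 1 and 255")
    if not 68 <= mtu <= EDGE_MAX_MTU:
        raise ValueError(f"MTU {mtu} is outside 68..{EDGE_MAX_MTU}")
    return net


def route_is_valid(network, next_hop, vnic_address, admin_distance=1, mtu=EDGE_MAX_MTU):
    """Boolean wrapper around check_route for callers that just want yes/no."""
    try:
        check_route(network, next_hop, vnic_address, admin_distance, mtu)
        return True
    except ValueError:
        return False


def build_static_routing(routes, default_gateway=None):
    """Return the <staticRouting> document for the Edge as a string.

    routes          -- list of dicts: vnic (index), vnic_address, network, next_hops
                       (list; more than one only with ECMP enabled), admin_distance,
                       mtu, description
    default_gateway -- dict: vnic, vnic_address, gateway, admin_distance, mtu
    """
    root = ET.Element("staticRouting")
    static_routes = ET.SubElement(root, "staticRoutes")
    for r in routes:
        for nh in r["next_hops"]:
            check_route(r["network"], nh, r["vnic_address"],
                        r.get("admin_distance", 1), r.get("mtu", EDGE_MAX_MTU))
        route = ET.SubElement(static_routes, "route")
        ET.SubElement(route, "vnic").text = str(r["vnic"])
        ET.SubElement(route, "network").text = r["network"]
        # ECMP next hops go into one nextHop element, comma separated (assumed API form)
        ET.SubElement(route, "nextHop").text = ",".join(r["next_hops"])
        ET.SubElement(route, "mtu").text = str(r.get("mtu", EDGE_MAX_MTU))
        ET.SubElement(route, "adminDistance").text = str(r.get("admin_distance", 1))
        if r.get("description"):
            ET.SubElement(route, "description").text = r["description"]
    if default_gateway is not None:
        g = default_gateway
        check_route("0.0.0.0/0", g["gateway"], g["vnic_address"],
                    g.get("admin_distance", 1), g.get("mtu", EDGE_MAX_MTU))
        default_route = ET.SubElement(root, "defaultRoute")
        ET.SubElement(default_route, "vnic").text = str(g["vnic"])
        ET.SubElement(default_route, "gatewayAddress").text = g["gateway"]
        ET.SubElement(default_route, "mtu").text = str(g.get("mtu", EDGE_MAX_MTU))
        ET.SubElement(default_route, "adminDistance").text = str(g.get("admin_distance", 1))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # constructed: uplink vNIC 0 is 10.0.0.2/24 and the physical router is 10.0.0.1
    body = build_static_routing(
        [{"vnic": 0, "vnic_address": "10.0.0.2/24", "network": "192.168.20.0/24",
          "next_hops": ["10.0.0.1"], "description": "lab subnet"}],
        {"vnic": 0, "vnic_address": "10.0.0.2/24", "gateway": "10.0.0.1"})
    print(body)
```

Because the document is built from validated fields rather than string formatting, a mistyped next hop on the wrong subnet or an admin distance of 0 fails locally instead of being rejected (or silently accepted) by the Edge.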

Determine if cross-protocol route sharing is needed for a given NSX implementation

  • Cross-Protocol Route Sharing is also known as “Route Redistribution”
  • Required in a multiprotocol environment, e.g. the datacenter uses BGP and the uplink uses OSPF
  • Specific prefixes (for example the network of a particular Interface) can be excluded from redistribution by adding an IP Prefix with a Deny action to the redistribution table
  • From NSX 6.2 onwards, the HA Interface is automatically excluded from redistribution

Understand how to configure administrative distances for routing

  • Admin Distance: 1-255. Lower distance = Higher preference. NSX defaults per route source:
    • 0 = Connected
    • 1 = Static
    • 20 = External BGP
    • 30 = OSPF Intra-Area
    • 110 = OSPF Inter-Area
    • 200 = Internal BGP
    • 255 = Withdraw the route from the Routing Information Base (RIB); a route at this distance is never installed
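The following added Python (not NSX code) makes the table above and the redistribution filter from the previous section concrete: a minimal RIB that installs one route per prefix by lowest administrative distance, drops anything at 255, resolves a destination by longest prefix, and a redistribution step that keeps the HA subnet and any denied prefix off the wire. The prefixes, next hops and interface names are constructed; the distances are NSX’s defaults.

```python
# Added example, not NSX code: a minimal RIB that applies the administrative
# distances NSX uses by default, refuses routes marked 255, resolves a destination
# by longest prefix, and applies a redistribution filter that keeps the HA subnet
# off the wire. Prefixes, next hops and interface names are constructed.
import ipaddress
from collections import namedtuple

# NSX default administrative distances (source -> distance)
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20,
    "ospf_intra": 30, "ospf_inter": 110, "ibgp": 200,
}
WITHDRAWN = 255          # never installed in the RIB
PROTOCOL = {"ebgp": "bgp", "ibgp": "bgp", "ospf_intra": "ospf", "ospf_inter": "ospf",
            "static": "static", "connected": "connected"}

Route = namedtuple("Route", "prefix source next_hop interface admin_distance")


def candidate(prefix, source, next_hop, interface, admin_distance=None):
    """A route offered to the RIB; admin_distance=None means the protocol default."""
    ad = ADMIN_DISTANCE[source] if admin_distance is None else admin_distance
    return Route(ipaddress.ip_network(prefix), source, next_hop, interface, ad)


def build_rib(candidates):
    """Keep one route per prefix: the lowest distance wins, ties keep the first seen,
    and anything at distance 255 is dropped (the 'withdraw from RIB' value)."""
    rib = {}
    for r in candidates:
        if r.admin_distance >= WITHDRAWN:
            continue
        best = rib.get(r.prefix)
        if best is None or r.admin_distance < best.admin_distance:
            rib[r.prefix] = r
    return rib


def chosen_source(rib, prefix):
    """Which source supplied the installed route for an exact prefix (None if absent)."""
    r = rib.get(ipaddress.ip_network(prefix))
    return None if r is None else r.source


def lookup(rib, destination):
    """Longest-prefix match for a destination address; None when nothing covers it."""
    dst = ipaddress.ip_address(destination)
    covering = [r for p, r in rib.items() if dst in p]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def redistribute(rib, into, allow_from, deny_prefixes=(), exclude_interfaces=("ha",)):
    """Model route redistribution into protocol `into`: take installed routes whose
    protocol is in allow_from, skip routes already carried by `into`, routes on an
    excluded interface (NSX 6.2 excludes the HA interface itself) and routes inside
    any denied prefix. Returns the prefixes that would be advertised, as strings."""
    denied = [ipaddress.ip_network(p) for p in deny_prefixes]
    out = []
    for r in rib.values():
        if PROTOCOL[r.source] == into or PROTOCOL[r.source] not in allow_from:
            continue
        if r.interface in exclude_interfaces:
            continue
        if any(r.prefix.subnet_of(d) for d in denied):
            continue
        out.append(str(r.prefix))
    return sorted(out)


def demo_rib():
    """Constructed scenario: the same /16 offered by OSPF, eBGP and a withdrawn static,
    a connected web subnet inside it, a static /12 and the DLR's HA subnet."""
    return build_rib([
        candidate("10.10.0.0/16", "ospf_intra", "10.0.0.1", "uplink"),
        candidate("10.10.0.0/16", "ebgp", "10.0.0.9", "uplink"),
        candidate("10.10.0.0/16", "static", "10.0.0.5", "uplink", admin_distance=WITHDRAWN),
        candidate("10.10.5.0/24", "connected", None, "lif-web"),
        candidate("172.16.0.0/12", "static", "10.0.0.1", "uplink"),
        candidate("169.254.1.0/30", "connected", None, "ha"),
    ])


if __name__ == "__main__":
    rib = demo_rib()
    for p, r in sorted(rib.items(), key=lambda kv: str(kv[0])):
        print(f"{str(p):18} via {r.source:10} AD {r.admin_distance}")
    print("10.10.5.7 ->", lookup(rib, "10.10.5.7").interface)
    print("into OSPF:", redistribute(rib, "ospf", allow_from={"connected", "static"}))
```

Note that the eBGP route at distance 20 beats the OSPF intra-area route at 30 for the same /16, which is the opposite of what most hardware routers would do with their own defaults (OSPF 110, eBGP 20 is common, but OSPF 30 is not); this is exactly the kind of mismatch the distances above let you correct per route or per protocol.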

Understand configuration differences between iBGP and eBGP

  • iBGP is the peering of routers within the same Autonomous System
  • eBGP is the peering of routers in different Autonomous Systems
  • Routes learned from an eBGP Peer are advertised to both eBGP and iBGP Peers
  • Routes learned from an iBGP Peer:
    • Are forwarded to eBGP Peers
    • Are not forwarded to other iBGP Peers
  • iBGP therefore requires a full mesh, i.e. all routers participating inside an AS must peer with one another
  • NSX does not have a route reflector or support BGP Confederations
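To see why the last two points go together, here is an added simulation (not NSX code) of the re-advertisement rules listed above. Router names, AS numbers and prefixes are constructed; the only behaviour modelled is that a prefix learned from an iBGP peer is passed on to eBGP peers but not to other iBGP peers, and that without a route reflector every router only talks to the neighbours it is directly configured with.

```python
# Added example, not NSX code: a small simulation of the BGP re-advertisement rules
# listed above, showing why iBGP needs a full mesh when (as in NSX) there is no route
# reflector. Router names, AS numbers and prefixes are constructed.


class BgpRouter:
    def __init__(self, name, asn):
        self.name = name
        self.asn = asn
        self.peers = []       # directly configured sessions only
        self.learned = {}     # prefix -> (advertising router name or None, session type)

    def peer_with(self, other):
        """Configure a session in both directions (Local AS / Remote AS on each side)."""
        self.peers.append(other)
        other.peers.append(self)

    def session(self, other):
        return "ibgp" if other.asn == self.asn else "ebgp"

    def originate(self, prefix):
        """Locally originated prefix (e.g. a redistributed connected network)."""
        self.learned[prefix] = (None, "local")
        self._advertise(prefix)

    def receive(self, prefix, sender):
        if prefix in self.learned:        # already known; keeps the simulation loop-free
            return
        self.learned[prefix] = (sender.name, self.session(sender))
        self._advertise(prefix)

    def _advertise(self, prefix):
        _, learned_via = self.learned[prefix]
        for peer in self.peers:
            # iBGP split horizon: a prefix learned from an iBGP peer is sent to eBGP
            # peers only. Local and eBGP-learned prefixes go to every peer.
            if learned_via == "ibgp" and self.session(peer) == "ibgp":
                continue
            peer.receive(prefix, self)


def build_topology(full_mesh):
    """ToR (AS 65000) -- eBGP -- ESG1 -- iBGP -- ESG2 -- iBGP -- DLR (all AS 65001).
    With full_mesh=True, ESG1 also peers with the DLR to complete the iBGP mesh."""
    tor = BgpRouter("ToR", 65000)
    esg1, esg2, dlr = (BgpRouter(n, 65001) for n in ("ESG1", "ESG2", "DLR"))
    tor.peer_with(esg1)
    esg1.peer_with(esg2)
    esg2.peer_with(dlr)
    if full_mesh:
        esg1.peer_with(dlr)
    tor.originate("172.16.0.0/16")     # external network from the physical side
    dlr.originate("10.10.0.0/16")      # tenant network redistributed by the DLR
    return [tor, esg1, esg2, dlr]


def who_knows(full_mesh, prefix):
    """Names of the routers that end up with `prefix` in their table."""
    return sorted(r.name for r in build_topology(full_mesh) if prefix in r.learned)


if __name__ == "__main__":
    for mesh in (False, True):
        print("full mesh" if mesh else "chain only")
        for pfx in ("172.16.0.0/16", "10.10.0.0/16"):
            print(f"  {pfx}: {who_knows(mesh, pfx)}")
```

In the chain, ESG2 learns the external prefix from ESG1 over iBGP and therefore never passes it to the DLR, and the DLR’s tenant prefix stops at ESG2 for the same reason; adding the ESG1-DLR session (a full mesh of the three AS 65001 routers) is what gets both prefixes everywhere, including out to the ToR over eBGP.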

Understand and configure route redistribution

See 1.12 (“Determine if cross-protocol route sharing is needed for a given NSX implementation” above)