Principles
- Install NSX Edge
- Understand how to connect/disconnect a Logical Switch from a logical router
- Understand and describe the different types of router interfaces
- Determine NSX components needed to build out topologies with logical routers
- Understand how to add and configure a new logical router
- Determine use case for and configure a management interface
- Determine use case for and configure High Availability for a logical router
- Configure routing protocols
  - Static
  - OSPF
  - BGP
  - IS-IS
- Configure default gateway
- Determine if cross-protocol route sharing is needed for a given NSX implementation
- Understand how to configure administrative distances for routing
- Understand configuration differences between iBGP and eBGP
- Understand and configure route redistribution
References
- NSX Administration Guide
  http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- NSX Installation Guide
  https://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_install.pdf
Install NSX Edge
- Go to “Networking and Security -> NSX Edges” and click Add
- Select type of router required: DLR or Universal
- For Universal Routers select whether Local Egress is required
- At least one appliance must be deployed – 2 for HA. Settings required are:
  - Cluster/Resource Pool
  - Datastore
  - Host
  - Folder
- On DLRs, only IPv4 addressing is supported
- The HA Interface should be placed in a dedicated VXLAN and takes its IP from the 169.250.0.0/16 range
- An NSX Edge must have at least one Internal Interface to be deployed
- At least one “Uplink” interface is required for dynamic routing configuration
- Enable automatic VM startup and shutdown on all Edge cluster hosts
Understand how to connect/disconnect a Logical Switch from a logical router
- From the Edge Manager Tab, select “Interfaces”
- Click on the Edit icon against the Interface to be configured
- Select Interface type – Internal or External
- Click Select next to the “Connected To” field and pick:
  - Distributed or Standard Port Group for VLAN backed Interfaces
  - Logical Switch for VXLAN backed Interfaces
Understand and describe the different types of router interfaces
- An ESG can have up to 10 Internal, Uplink and Trunk Interfaces combined
- Internal Interfaces:
  - For VM->VM “East-West” communication
  - Created as pseudo vNics on the DLR (Logical Interfaces – LIF)
  - Maximum of 991 Logical Interfaces per DLR
- Uplink Interfaces:
  - For “North-South” communication
  - Can connect to an ESG, VLAN backed port group or 3rd party VM
  - Created as vNics on the Logical Router virtual appliance
  - Maximum of 8 Uplink Interfaces per DLR
- DLR -> ESG Connection:
  - DLR Interface = Uplink
  - ESG Interface = Internal
- Trunk Interfaces:
  - Type = Internal
  - 2 Types:
    - VLAN
    - VXLAN – from NSX 6.1 onwards
  - Requires the configuration of a Sub-Interface
  - Sub-Interfaces can be used by:
    - DHCP
    - BGP Routing
    - Load Balancer
    - IPSEC VPN
    - L2 VPN
  - Sub-Interfaces cannot be used for HA or the Logical Firewall
  - The IP Address assigned to a sub-interface can however be used in a Firewall rule
Determine NSX components needed to build out topologies with logical routers
- NSX Controllers (for route distribution – not ARP resolution)
- Logical Switches
- ESGs for North/South Traffic
- Optionally, distributed firewall for E-W traffic
DLR Interfaces
- Uplink: Connects to physical network – usually a VLAN but can also be connected to a VXLAN. If connected to VLAN backed distributed port group, this Interface has a Physical MAC Address (pMAC)
- Internal: Connects a logical switch – VXLAN. Interfaces of this type have a Virtual MAC Address (vMAC). The vMAC is the same on each host that a DLR is configured on
- LIF: Logical Interface connecting to a VXLAN. When configuring a DLR, it is referred to as an Internal Interface (see above)
- Management: No longer supported as of NSX 6.2 – use the DLR Protocol IP for remote management
- vdr Port (Logical Router Port): Special dvPort connected to the logical router kernel module on the ESXi host. All routed traffic passes through it and has a pMAC associated with it
ARP Tables
- The DLR maintains an ARP table per LIF
- ARP resolution is conducted by flooding requests to VTEP members of a Logical Switch
- A separate ARP table is maintained per host i.e. tables are not synchronised across hosts
Understand how to add and configure a new logical router
See 1.3
Determine use case for and configure a management interface
- Management Interfaces can be useful for troubleshooting
- In previous releases of NSX the HA Interface was known as the management interface
- HA Interface is not reachable from outside its local subnet
- Configuring a static route out of the HA Interface is discouraged as it would break reverse path filtering
- There is no longer a dedicated management Interface on a Logical Router
- Use the Protocol IP Address of a dynamic routing configuration for management
Determine use case for and configure High Availability for a logical router
- HA is used to provide automated failover in the event of failure
- For a Logical Router, this means continuation of packet forwarding following an outage
- Careful tuning of routing protocol timers is needed to minimise an outage
- Packet forwarding continues during failover on the Hypervisor, but routing adjacencies may be withdrawn during the failover
- To configure HA, deploy 2 VMs during DLR edge deployment and configure the HA Interface by placing it into a dedicated logical switch
Configure routing protocols
Static
- Go to the Edge -> Manage -> Routing Tab and select “Static Routes” on the left hand panel
- Click Add and enter the configuration parameters:
  - Destination Network in CIDR format e.g. 192.168.20.0/24
  - Next Hop IP Address (must be directly reachable)
    - If ECMP is enabled, then multiple next hops may be entered
  - Interface to apply on
  - MTU (usually 1500 and limited to the max MTU configured on the Edge)
  - Admin Distance: 1-255. Lower distance = Higher preference
  - Locale ID (Optional)
    - Required only if using Local Egress
    - Default = Locale ID of NSX Manager
    - Routes are only sent to hosts with a matching Locale ID
  - Description (Optional)
OSPF
- First configure the Router ID in Edge -> Manage -> Routing -> Router ID
  - Defaults to the first uplink Interface IP but can be overridden
- Go to the Edge -> Manage -> Routing Tab and select “OSPF” on the left hand panel
- Click Edit and enter the configuration parameters:
  - Forwarding Address: IP in the data path for packet forwarding
  - Protocol Address: IP for route peering
- Click Add in “Area Definitions” to add an OSPF Area and enter parameters:
  - Area ID: IP or decimal number
  - Type: Normal or NSSA
  - Authentication (Optional): None, Password, MD5 (+MD5 password)
- Click Add in “Area to Interface Mapping” to map an Interface to an Area:
  - Hello Interval (Optional)
  - Dead Interval (Optional)
  - Priority: the Interface with the highest priority is the designated router
  - Cost (Optional): inversely proportional to the bandwidth of an Interface
BGP
- First configure the Router ID in Edge -> Manage -> Routing -> Router ID
  - Defaults to the first uplink Interface IP but can be overridden
- Go to the Edge -> Manage -> Routing Tab and select “BGP” on the left hand panel
- Click Edit and enter the configuration parameters:
  - Graceful Restart: allows packet forwarding to continue during a BGP process restart
  - Default Originate: advertise this router as the default route to neighbours
  - Local AS
- Click Add in the Neighbors section and configure for each one:
  - Forwarding Address: IP in the data path for packet forwarding
  - Protocol Address: IP for route peering
  - Remote AS
  - Default Weight
  - Hold Down Timer
  - Keep Alive Timer
  - Authentication
  - Route Filters per neighbour (Optional)
IS-IS
- First configure the Router ID in Edge -> Manage -> Routing -> Router ID
  - Defaults to the first uplink Interface IP but can be overridden
- Go to the Edge -> Manage -> Routing Tab and select “IS-IS” on the left hand panel
- Click Edit and enter the configuration parameters:
  - System ID
  - Type: Level 1, Level 2 or Level 1-2
  - Domain Password
  - Area Password
- Configure IS-IS Areas
- Configure Interface Mapping:
  - Circuit Type (Level 1, Level 2 or Level 1-2)
  - Hello Interval
  - Hello Multiplier
  - LSP Interval
  - Metric
  - Priority
  - Mesh Group
  - Authentication Password
Configure default gateway
- Go to the Edge -> Manage -> Routing Tab and ensure “Global Configuration” is selected on the left hand panel
- Click Edit in the Default Gateway panel and enter the configuration parameters:
  - Interface
  - IP Address
  - MTU
  - Admin Distance
  - Description
Determine if cross-protocol route sharing is needed for a given NSX implementation
- Cross-Protocol Route Sharing is also known as “Route Redistribution”
- Required in a multiprotocol environment e.g. Datacenter uses BGP and uplink uses OSPF
- Specific Interfaces can be excluded from redistribution by configuring a filter
- From NSX 6.2 onwards, the HA Interface is automatically excluded from redistribution
Understand how to configure administrative distances for routing
- Admin Distance: 1-255. Lower distance = Higher preference
  - 0 = Connected
  - 1 = Static
  - 20 = External BGP
  - 30 = OSPF Intra-Area
  - 110 = OSPF Inter-Area
  - 200 = Internal BGP
  - 255 = Withdraw route from the Routing Information Base (RIB)
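The following is an added worked example (not from the NSX documentation or this page) showing how the admin distances listed above, the ECMP multiple-next-hop rule and the "next hop must be directly reachable" rule from the Static Routes section interact inside a toy RIB. Interface names such as vNic_0 and all addresses are constructed for the example.

```python
import ipaddress

# Default administrative distances as listed above (lower wins); 255 withdraws.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20,
                  "ospf-intra": 30, "ospf-inter": 110, "ibgp": 200}
WITHDRAW = 255


class Rib:
    """Toy RIB: per prefix keep the lowest-AD route; equal-AD routes from the
    same protocol merge their next hops (ECMP). Connected routes come from the
    Edge's own interfaces, given as (interface name, "address/prefixlen")."""

    def __init__(self, connected):
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in connected}
        # network -> [admin distance, protocol, list of next hops]
        self.routes = {i.network: [ADMIN_DISTANCE["connected"], "connected", [n]]
                       for n, i in self.interfaces.items()}

    def directly_reachable(self, next_hop):
        """A static next hop must sit inside one of our interface subnets."""
        nh = ipaddress.ip_address(next_hop)
        return any(nh in i.network for i in self.interfaces.values())

    def add(self, network, protocol, next_hops, admin_distance=None):
        """Offer a route to the RIB; returns True if it is installed afterwards."""
        net = ipaddress.ip_network(network)
        ad = ADMIN_DISTANCE[protocol] if admin_distance is None else admin_distance
        if not 0 <= ad <= 255:
            raise ValueError("admin distance must be 0-255")
        if ad == WITHDRAW:                      # 255 removes the prefix from the RIB
            self.routes.pop(net, None)
            return False
        if protocol == "static" and not all(map(self.directly_reachable, next_hops)):
            raise ValueError("static next hop is not directly reachable")
        current = self.routes.get(net)
        if current is None or ad < current[0]:  # lower AD replaces what is there
            self.routes[net] = [ad, protocol, list(next_hops)]
            return True
        if ad == current[0] and protocol == current[1]:
            for hop in next_hops:               # ECMP: same protocol and AD
                if hop not in current[2]:
                    current[2].append(hop)
            return True
        return False                            # loses to an existing lower-AD route

    def lookup(self, dst):
        """Longest-prefix match; returns [ad, protocol, next hops] or None."""
        ip = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]
```

A static route (AD 1) displaces an OSPF route for the same prefix, a second static next hop becomes an ECMP member, and withdrawing the prefix with AD 255 makes lookups fall through to the default route (0.0.0.0/0) if one exists.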
Understand configuration differences between iBGP and eBGP
- iBGP is the peering of Routers within the same Autonomous System
- eBGP is the peering of Routers in different Autonomous Systems
- Routes learned from an eBGP Peer are shared with eBGP Peers
- Routes learned from an iBGP Peer:
  - Are forwarded to eBGP Peers
  - Are not forwarded to other iBGP Peers
- iBGP requires a full mesh i.e. all routers participating inside an AS must peer with one another
- NSX does not have a route reflector or support BGP Confederations
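The propagation rules above, as an added toy simulation that is not NSX code: it shows why the full mesh is needed when there is no route reflector. The topology (routers X, R1, R2, R3, Y and AS numbers 65000/65001/65002) is constructed for the example.

```python
# Toy model of the iBGP/eBGP propagation rules listed above (added example).
# No route reflector or confederation exists, matching the NSX note on the page.

class BgpRouter:
    def __init__(self, name, asn):
        self.name, self.asn = name, asn
        self.peers = {}   # peer name -> BgpRouter
        self.rib = {}     # prefix -> how it was learned: "local", "ibgp" or "ebgp"

    def peer_with(self, other):
        self.peers[other.name] = other
        other.peers[self.name] = self

    def session_type(self, other):
        return "ibgp" if self.asn == other.asn else "ebgp"

    def originate(self, prefix):
        self.rib[prefix] = "local"
        self.advertise(prefix)

    def advertise(self, prefix):
        learned_via = self.rib[prefix]
        for peer in self.peers.values():
            session = self.session_type(peer)
            # Page rule: a route learned over iBGP goes to eBGP peers only, never
            # to other iBGP peers; eBGP-learned routes are passed to every peer.
            if learned_via == "ibgp" and session == "ibgp":
                continue
            peer.receive(prefix, session)

    def receive(self, prefix, session):
        if prefix in self.rib:      # already known: stop (keeps the toy loop-free)
            return
        self.rib[prefix] = session
        self.advertise(prefix)


def routers_learning(prefix, full_mesh):
    """Constructed topology: X (AS 65000) peers with R1; R1, R2, R3 share AS 65001
    and are chained R1-R2-R3 (plus R1-R3 when full_mesh); Y (AS 65002) peers with R2.
    Returns the names of the routers that end up with the prefix in their RIB."""
    x, y = BgpRouter("X", 65000), BgpRouter("Y", 65002)
    r1, r2, r3 = (BgpRouter(n, 65001) for n in ("R1", "R2", "R3"))
    x.peer_with(r1)
    r1.peer_with(r2)
    r2.peer_with(r3)
    r2.peer_with(y)
    if full_mesh:
        r1.peer_with(r3)
    x.originate(prefix)
    return sorted(r.name for r in (r1, r2, r3, y) if prefix in r.rib)
```

Without the R1-R3 session, R2 holds the route via iBGP and so never passes it to R3, although it still forwards it to its eBGP peer Y.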
Understand and configure route redistribution
See 1.12