Objective 5.4 – Configure and manage Logical Routers

Principles

• Install NSX Edge
• Understand how to connect/disconnect a Logical Switch from a logical router
• Understand and describe the different types of router interfaces
• Determine NSX components needed to build out topologies with logical routers
• Understand how to add and configure a new logical router
• Determine use case for and configure a management interface
• Determine use case for and configure High Availability for a logical router
• Configure routing protocols
  • Static
  • OSPF
  • BGP
  • IS-IS
• Configure default gateway
• Determine if cross-protocol route sharing is needed for a given NSX implementation
• Understand how to configure administrative distances for routing
• Understand configuration differences between iBGP and eBGP
• Understand and configure route redistribution

References

1. NSX Administration Guide

http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf

1. NSX Installation Guide

https://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_install.pdf

Install NSX Edge

• Go to “Networking and Security -> NSX Edges” and click Add
• Select type of router required: DLR or Universal
  • For Universal Routers select whether Local Egress is required
• At least one appliance must be deployed – 2 for HA. Settings required are:
  • Cluster/Resource Pool
  • Datastore
  • Host
  • Folder
• On DLRs, only IPV4 addressing is supported
• The HA Interface should be placed in a dedicated VXLAN and takes it’s IP from the 169.250.0.0/16 range
• An NSX Edge must have at least one Internal Interface to be deployed
• At least one “Uplink” interface is required for dynamic routing configuration
• Enable automatic VM startup and shutdown on all Edge cluster hosts

Understand how to connect/disconnect a Logical Switch from a logical router

• From the Edge Manager Tab, select “Interfaces”
• Click on the Edit icon against the Interface to be configured
• Select Interface type – Internal or External
• Click Select next to the “ConnectedTo” field and pick:
  • Distributed or Standard Port Group for VLAN backed Interfaces
  • Logical Switch to VXLAN backed Interfaces

Understand and describe the different types of router interfaces

• An ESG can have up to 10 Internal, Uplink and Trunk Interfaces combined
• Internal Interfaces:
  • For VM->VM “East-West” communication
  • Created as pseudo vNics on the DLR (Logical Interfaces – LIF)
  • Maximum of 991 Logical Interfaces per DLR
• Uplink Interfaces:
  • For “North-South” communication
  • Can connect to an ESG, VLAN backed port group or 3^rd party VM
  • Created as vNics on Logical Router virtual appliance
  • Maximum of 8 Uplink Interfaces per DLR
• DLR -> ESG Connection:
  • DLR Interface = Uplink
  • ESG Interface = Internal
• Trunk Interfaces
  • Type = Internal
  • 2 Types
    • VLAN
    • VXLAN – from NSX 6.1 onwards
  • Requires the configuration of a Sub-Interface
  • Sub-Interfaces can be used by:
    • DHCP
    • BGP Routing
    • Load Balance
    • IPSEC VPN
    • L2 VPN
  • Sub-Interfaces cannot be used for HA or Logical Firewall
    • The IP Address assigned to a sub-interfaces can however be used in a Firewall rule

Determine NSX components needed to build out topologies with logical routers

• NSX Controllers (for route distribution – not Arp resolution)
• Logical Switches
• ESGs for North/South Traffic
• Optionally, distributed firewall for E-W traffic

DLR Interfaces

• Uplink: Connects to physical network – usually a VLAN but can also be connected to a VXLAN. If connected to VLAN backed distributed port group, this Interface has a Physical MAC Address (pMAC)
• Internal: Connects a logical switch – VXLAN. Interfaces of this type have a Virtual MAC Address (vMAC). The vMAC is the same on each host that a DLR is configured on
• LIF: Logical Interface connecting to a VXLAN. When configurating a DLR, it is referred to as an Internal Interface (see above)
• Management: No longer supported as of NSX 6.2 – use the DLR Protocol IP for remote management
• vdr Port (Logical Router Port): Special dvPort connected to the logical router kernel module on the ESXi host. All routed traffic passes through it and has a pMAC associated with it

ARP Tables

• The DLR maintains an ARP table per LIF
• ARP resolution is conducted by flooding requests to VTEP members of a Logical Switch
• A separate ARP table is maintained per host i.e. tables are not synchronised across hosts

Understand how to add and configure a new logical router

See 1.3

Determine use case for and configure a management interface

• Management Interfaces can be useful for troubleshooting
• In previous releases of NSX the HA Interface was known as the management interface
  • HA Interface is not reachable from outside its local subnet
  • Configuring a static route out of the HA Interface is discouraged as it would break reverse path filtering
• There is no longer a dedicated management Interface on a Logical Router
• Use the Protocol IP Address of a dynamic routing configuration for management

Determine use case for and configure High Availability for a logical router

• HA is used to provide automated failover in the event of failure
• For a Logical Router, this means continuation of packet forwarding following an outage
• Careful tuning of routing protocol timers is needed to minimise an outage
• Packet forwarding continues during failover on the Hypervisor, but routing adjacencies may be withdrawn during the failover
• To configure HA, deploy 2 VMS during DLR edge deployment and configure the HA Interface by placing it into a dedicated logical switch

Configure routing protocols

Static

• Go to the Edge -> Manage -> Routing Tab and select “Static Routes” on left hand panel
• Click Add and enter the configuration parameters:
  • Destination Network in CIDR format e.g. 192.168.20.0/24
  • Next Hop IP Address (must be directly reachable)
  • If ECMP enabled, then multiple next hops may be entered
  • Interface to apply on
  • MTU (usually 1500 and limited to max MTU configured on the Edge)
  • Admin Distance: 1-255. Lower distance = Higher preference
  • Location ID (Optional)
    • Required only if using Local Egress
    • Default = Locale ID of NSX Manager
    • Routes are only sent to hosts with matching Locale ID
  • Description (Optional)

OSPF

• First configure the Router ID in Edge -> Manage -> Routing -> Router ID
  • Defaults to first uplink Interface IP but can be overridden
• Go to the Edge -> Manage -> Routing Tab and select “OSPF” on left hand panel
• Click Edit and enter the configuration parameters:
  • Forwarding Address: IP in data path for packet forwarding
  • Protocol Address: IP for route peering
• Click Add in “Area Definitions” to add an OSPF Area and enter parameters:
  • Area ID: IP or decimal number
  • Type: Normal or NSSA
• Authentication (Optional): None, Password, MD5 (+MD5 password)
• Click Add in “Area to Interface Mapping” to map an Interface to an Area
• Hello Interval (optional)
• Dead Interval (optional)
• Priority: Interface with highest priority is the designated router
• Cost (Optional): Inversely proportional to the bandwidth of an Interface

BGP

• First configure the Router ID in Edge -> Manage -> Routing -> Router ID
  • Defaults to first uplink Interface IP but can be overridden
• Go to the Edge -> Manage -> Routing Tab and select “BGP” on left hand panel
• Click Edit and enter the configuration parameters:
  • Graceful Restart: allows packet forwarding during BGP process restart
  • Default Originate: advertise this router as default route to neighbours
  • Local AS
• Click Add in Neighbors section and configure for each one:
  • Forwarding Address: IP in data path for packet forwarding
  • Protocol Address: IP for route peering
  • Remote AS
  • Default Weight
  • Hold Down Timer
  • Keep Alive Timer
  • Authentication
  • Route Filters per neighbour (Optional)

IS-IS

• First configure the Router ID in Edge -> Manage -> Routing -> Router ID
  • Defaults to first uplink Interface IP but can be overridden
• Go to the Edge -> Manage -> Routing Tab and select “IS-IS” on left hand panel
• Click Edit and enter the configuration parameters:
  • System ID
  • Type: Level 1, Level 2 or Level 1-2
  • Domain Password
  • Area Password
• Configure IS-IS Areas
• Configure Interface Mapping:
  • Circuit Type (Level1, 2 or 1-2)
  • Hello Interval
  • Hello Multiplier
  • LSP Interval
  • Metric
  • Priority
  • Mesh Group
  • Authentication Password

Configure default gateway

• Go to the Edge -> Manage -> Routing Tab and ensure “Global Configuration” on left hand panel is selected
• Click Edit in the Default Gateway panel and enter the configuration parameters:
  • Interface
  • IP Address
  • MTU
  • Admin Distance
  • Description

Determine if cross-protocol route sharing is needed for a given NSX implementation

• Cross-Protocol Route Sharing is also known as “Route Redistribution”
• Required in a multiprotocol environment e.g. Datacenter uses BGP and uplink uses OSPF
• Specific Interfaces can be excluded from redistribution by configuring a filter
• From NSX 6.2 onwards, the HA Interface is automatically excluded from redistribution

Understand how to configure administrative distances for routing

• Admin Distance: 1-255. Lower distance = Higher preference
  • 0 = Connected
  • 1 = Static
  • 20 = External BGP
  • 30 = OSPF Intra-Area
  • 110 = OSPF Inter-Area
  • 200 = Internal BGP
  • 255: Withdraw route from Routing Information Base (RIB)

Understand configuration differences between iBGP and eBGP

• iBGP is the peering of Routers within the same Autonomous System
• eBGP is the peering of Router in difference Autonomous Systems
• Routes learned from an eBGP Peer are shared with eBGP Peers
• Router learnded from an iBGP Peer:
  • Are forwarded to eBGP Peers
  • Are not forwarded to other iBGP Peers
• iBGP requires a full mesh i.e. all routers participating inside an AS must peer with one another
• NSX does not have a route reflector or support BGP Confederations

Understand and configure route redistribution

See 1.12