NSX Lab – Implement Logical Routers

Before we start, let's get clear on the objective: we need two VMs, web-1 and app-1, in separate layer 2 subnets.
Although we can now reach web-2 from web-1 even though it's on another host, we are unable to communicate between logical layer 2 segments.

For example, web-1 in the 172.16.10.0/24 network segment cannot communicate with app-1 in the 172.16.20.0/24 network segment.

To route between distinct layer 2 networks, we need to set up distributed logical routers (dLRs).
These are inline, kernel-based implementations and avoid the tromboning or hair-pinning issues associated with physical devices or appliances.

Go to Networking & Security > NSX Edges.

When we get to the step to Configure interfaces, the HA Interface/Management Interface Configuration is a little confusing.

In prior releases of NSX, the HA interface was called the management interface. The HA interface is not supported for remote access to the logical router.

You must connect the HA interface to a distributed portgroup that can be reached by the NSX Controllers. This connection is important, even if you are not configuring HA and are not configuring an IP address on the HA interface. If you do not attach the HA interface to a distributed port group, routing will not work. This interface should generally be connected to the management distributed portgroup.


Basically, put it on the same portgroup as your controllers and don't bother configuring an IP.

Next we add the actual Logical Interfaces, or LIFs. First is the Transit-LIF, which connects directly as an Uplink to the Transit network.

Then configure the Internal links, starting with the Web-LIF to the Web-Tier/Web logical switch.

Continue until all the Internal LIFs are configured.

The Gateway refers to the next hop, not an IP on the dLR.

While the dLR is deploying, open an SSH session to web-1 and ping app-1 in the 172.16.20.0/24 network.
Once the dLR comes online, we should see that we are able to ping between these distinct layer 2 networks.

 

From the web client, find dLR-1 and validate that the IP addresses just configured are present.

From one of the controllers, check the name and LR-ID, then run a summary of the interfaces to be sure all are connected.

show control-cluster logical-routers instance all
nsx-controller # show control-cluster logical-routers instance all
 LR-Id      LR-Name             Universal Service-Controller Egress-Locale      In-Sync    Sync-Category
 0x1388     nsxlab+edge-1       false     192.168.110.72     local              Yes        NORMAL

show control-cluster logical-routers interface-summary <LR-ID>
nsx-controller # show control-cluster logical-routers interface-summary 0x1388
Interface                        Type   Id                       IP[]
13880000000b                     vxlan  5002(0x138a)             172.16.20.254/24
13880000000a                     vxlan  5001(0x1389)             172.16.10.254/24
13880000000c                     vxlan  5003(0x138b)             172.16.30.254/24
138800000002                     vxlan  5000(0x1388)             192.168.10.2/24
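
The check above can be scripted so the same comparison is repeatable after every change to the dLR. This is an added example, not part of the original post: it parses the interface-summary output shown above and compares the LIFs against the planned segments. The function names and the segment labels "segment-3" and "uplink" are assumptions.

```python
import ipaddress
import re

# Constructed input: the interface-summary output from this post, pasted as text.
SAMPLE = """\
Interface                        Type   Id                       IP[]
13880000000b                     vxlan  5002(0x138a)             172.16.20.254/24
13880000000a                     vxlan  5001(0x1389)             172.16.10.254/24
13880000000c                     vxlan  5003(0x138b)             172.16.30.254/24
138800000002                     vxlan  5000(0x1388)             192.168.10.2/24
"""

# Planned segments. The web and app subnets are named in the post; the labels
# "segment-3" and "uplink" are assumptions based on the addresses shown.
EXPECTED = {"web": "172.16.10.0/24", "app": "172.16.20.0/24",
            "segment-3": "172.16.30.0/24", "uplink": "192.168.10.0/24"}

ROW = re.compile(r"^([0-9a-f]{12})\s+(\S+)\s+(\d+)\((0x[0-9a-f]+)\)\s+(\S+)$", re.I)

def parse_lifs(text):
    """Return one dict per LIF row; header, prompt and blank lines are skipped."""
    lifs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            lif, kind, seg_id, seg_hex, ip = m.groups()
            lifs.append({"lif": lif, "type": kind, "id": int(seg_id),
                         "id_hex": int(seg_hex, 16),
                         "iface": ipaddress.ip_interface(ip)})
    return lifs

def audit(text, expected):
    """Return a list of problems; an empty list means the LIFs match the plan."""
    problems, by_net = [], {}
    for lif in parse_lifs(text):
        if lif["id"] != lif["id_hex"]:
            problems.append(f"{lif['lif']}: decimal and hex Id disagree")
        by_net.setdefault(lif["iface"].network, []).append(lif)
    planned = {ipaddress.ip_network(cidr): name for name, cidr in expected.items()}
    for net, name in planned.items():
        count = len(by_net.get(net, []))
        if count != 1:
            problems.append(f"{name}: expected 1 LIF in {net}, found {count}")
    # A LIF outside the plan is a routed path nobody intended between segments.
    for net in sorted(by_net.keys() - planned.keys(), key=str):
        problems.append(f"unplanned LIF network {net}")
    return problems

if __name__ == "__main__":
    print(audit(SAMPLE, EXPECTED) or "all planned LIFs present")
```

Flagging unplanned networks matters as much as flagging missing ones: every LIF on the dLR makes its segment routable to the others unless a firewall rule says otherwise.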

 
