So far we have concerned ourselves with east-west traffic; now we are going to deploy an edge services perimeter gateway (the NSX Edge Services Gateway, ESG).
The object is communication outside of the virtualization layer, or outside of the datacenter, basically north-south traffic.
There are two options once we have a dLR:
1. The distributed Logical Router could be configured with a physical router as the next hop
2. Use an edge gateway to connect one or more dLRs to the physical network
One reason for placing an edge gateway between the dLR and the physical network is that it allows us to create secure multi-tenant environments: we can isolate logical networks and provision other network services such as load balancing, firewall and VPN. The Edge also allows us to separate routing protocols in the data plane.
To test this we need a layer 3 destination; in the lab I have deployed a VyOS appliance (not too complicated to set up and configure).
eth2 of the router is connected to the nested portgroup dvpg-10gb-site-a-uplink with the IP 192.168.100.1.
Our objective is to reach this IP from the virtual machine web-1 in the 172.16.10.0 network.
Adding the edge to what we have already built should result in this:
Take note that when you see "gateway" it refers to the next hop, not an IP on the device itself.
First, open an SSH session to an ESXi host, run net-vdr -l -I and locate the name of the dLR, in this example nsxlab+edge-2:
[root@esx01:~] net-vdr -l -I

VDR Instance Information :
---------------------------
Vdr Name:                   nsxlab+edge-2
Vdr Id:                     0x00001388
Number of Lifs:             4
Number of Routes:           5
State:                      Enabled
Controller IP:              192.168.110.72
Control Plane IP:           192.168.110.51
Control Plane Active:       Yes
Num unique nexthops:        1
Generation Number:          0
Edge Active:                No
Next check the current routing table; you should see your logical networks 172.16.10.0, 172.16.20.0 and 172.16.30.0 and the transit network 192.168.10.0:
[root@esx01:~] net-vdr -l --route nsxlab+edge-2

VDR nsxlab+edge-2 Route Table
Legend: [U: Up], [G: Gateway], [C: Connected], [I: Interface]
Legend: [H: Host], [F: Soft Flush] [!: Reject] [E: ECMP]

Destination     GenMask          Gateway        Flags  Ref  Origin  UpTime  Interface
-----------     -------          -------        -----  ---  ------  ------  ---------
0.0.0.0         0.0.0.0          192.168.10.10  UG     1    AUTO    99026   138800000002
172.16.10.0     255.255.255.0    0.0.0.0        UCI    1    MANUAL  99052   13880000000a
172.16.20.0     255.255.255.0    0.0.0.0        UCI    1    MANUAL  99052   13880000000b
172.16.30.0     255.255.255.0    0.0.0.0        UCI    1    MANUAL  99052   13880000000c
192.168.10.0    255.255.255.128  0.0.0.0        UCI    1    MANUAL  99053   138800000002
[root@esx01:~]
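As an added example (not code from the original post), the following Python script parses net-vdr route table output of the shape shown above and checks that the expected connected networks are present and that the default route points at the ESG transit IP, so the check in this step can be repeated on every host; the sample text is constructed to mirror this lab's table.

```python
import re

# Constructed sample in the shape of `net-vdr -l --route nsxlab+edge-2` output;
# the rows mirror this lab's table.
SAMPLE_ROUTE_OUTPUT = """\
VDR nsxlab+edge-2 Route Table
Legend: [U: Up], [G: Gateway], [C: Connected], [I: Interface]
Legend: [H: Host], [F: Soft Flush] [!: Reject] [E: ECMP]

Destination   GenMask          Gateway        Flags Ref Origin UpTime Interface
-----------   -------          -------        ----- --- ------ ------ ---------
0.0.0.0       0.0.0.0          192.168.10.10  UG    1   AUTO   99026  138800000002
172.16.10.0   255.255.255.0    0.0.0.0        UCI   1   MANUAL 99052  13880000000a
172.16.20.0   255.255.255.0    0.0.0.0        UCI   1   MANUAL 99052  13880000000b
172.16.30.0   255.255.255.0    0.0.0.0        UCI   1   MANUAL 99052  13880000000c
192.168.10.0  255.255.255.128  0.0.0.0        UCI   1   MANUAL 99053  138800000002
[root@esx01:~]
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One route row: destination, mask, gateway, flags, ref, origin, uptime, LIF id.
ROW = re.compile(
    r"^(?P<dst>%s)\s+(?P<mask>%s)\s+(?P<gw>%s)\s+(?P<flags>[UGCIHF!E]+)\s+"
    r"(?P<ref>\d+)\s+(?P<origin>\w+)\s+(?P<uptime>\d+)\s+(?P<lif>[0-9a-f]+)$"
    % (IPV4, IPV4, IPV4))


def parse_routes(text):
    """Return one dict per route row; legend, header, separator and prompt lines are skipped."""
    return [m.groupdict() for m in
            (ROW.match(line.strip()) for line in text.splitlines()) if m]


def check_routes(text, expected_connected, expected_default_gw):
    """List what differs from the lab design: each (network, mask) in
    expected_connected must be a connected route (flag C, gateway 0.0.0.0) and
    the 0.0.0.0/0 route must be a gateway route via expected_default_gw."""
    routes = parse_routes(text)
    connected = set((r["dst"], r["mask"]) for r in routes
                    if "C" in r["flags"] and r["gw"] == "0.0.0.0")
    problems = ["missing connected route %s/%s" % (n, m)
                for n, m in expected_connected if (n, m) not in connected]
    defaults = [r for r in routes if r["dst"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    if not defaults:
        problems.append("no default route")
    elif defaults[0]["gw"] != expected_default_gw or "G" not in defaults[0]["flags"]:
        problems.append("default route via %s, expected %s"
                        % (defaults[0]["gw"], expected_default_gw))
    return problems
```

An empty list from check_routes means the dLR table matches the design; feed it the real command output captured from the host instead of the sample.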
From Networking and Security > NSX Edges
Note: In NSX 6.2 an interface can have multiple non-overlapping subnets, one primary and multiple secondary IP addresses.
From what I understand, link-local IPs are assigned to the HA virtual machines in Edge HA so that they can communicate with each other; the multiple-address feature allows management IP addresses to override the link-local ones.
Set the default gateway to point to the VyOS/physical router.
(In some cases this is not needed, for example when dynamic routing protocols are enabled; however, I found it was needed to connect to site-2 in the L2VPN lab.)
Set the firewall policy, otherwise all traffic will be denied.
Once deployed, we can start testing
From web-1 ping 192.168.10.2, which is the dLR end of the transit network; this should be successful.
From web-1 ping 192.168.10.10, which is the ESG end of the transit network; it does not respond because we have not set up routing between the ESG and the dLR yet (the dLR already has a default route via 192.168.10.10, as the route table above shows, but the ESG has no route back to the 172.16.10.0 network).
So in the next post we will look at static and dynamic routing.