nsx lab – implement nsx edge services gateway devices

So far we have concerned ourselves with east-west traffic. Now we are going to deploy an edge services gateway at the perimeter.

The objective is communication outside of the virtualization layer, or outside of the datacenter: basically north-south traffic.

There are two options once we have a dLR:
1. The Distributed Logical Router can be configured with a physical router as its next hop.
2. Use an edge gateway to connect one or more dLRs to the physical network.

One reason for placing an edge gateway between the dLR and the physical network is that it allows us to create secure multi-tenant environments: we can isolate logical networks and provision other network services such as load balancing, firewall and VPN. The Edge also allows us to separate routing protocols in the data plane.

NSX-Lab-dLR - multi-tenant edge

To test this we need a layer 3 destination; in the lab I have deployed a VyOS appliance (not too complicated to set up and configure).
eth2 of the router is connected to the nested portgroup dvpg-10gb-site-a-uplink with the IP 192.168.100.1.

Our objective is to reach this IP from the virtual machine web-1 in the 172.16.10.0 network.

NSX-Lab-dLR - vyos (1)

Adding the edge onto what we have already built should result in this:

NSX-Lab-dLR - distributed router

Take note that when you see "gateway" in the configuration, it refers to the next hop, not an IP on the device itself.

First, open an SSH session to an ESXi host, run net-vdr -l -I and locate the name of the dLR; in this example it is nsxlab+edge-2.


[root@esx01:~] net-vdr -l -I

VDR Instance Information :
---------------------------

Vdr Name:                   nsxlab+edge-2
Vdr Id:                     0x00001388
Number of Lifs:             4
Number of Routes:           5
State:                      Enabled
Controller IP:              192.168.110.72
Control Plane IP:           192.168.110.51
Control Plane Active:       Yes
Num unique nexthops:        1
Generation Number:          0
Edge Active:                No

 

Next check the current routing table; you should see your logical networks 172.16.10, 172.16.20 and 172.16.30 and the transit network 192.168.10.0.

[root@esx01:~] net-vdr -l --route nsxlab+edge-2

VDR nsxlab+edge-2 Route Table
Legend: [U: Up], [G: Gateway], [C: Connected], [I: Interface]
Legend: [H: Host], [F: Soft Flush] [!: Reject] [E: ECMP]

Destination      GenMask          Gateway          Flags    Ref Origin   UpTime     Interface
-----------      -------          -------          -----    --- ------   ------     ---------
0.0.0.0          0.0.0.0          192.168.10.10    UG       1   AUTO     99026      138800000002
172.16.10.0      255.255.255.0    0.0.0.0          UCI      1   MANUAL   99052      13880000000a
172.16.20.0      255.255.255.0    0.0.0.0          UCI      1   MANUAL   99052      13880000000b
172.16.30.0      255.255.255.0    0.0.0.0          UCI      1   MANUAL   99052      13880000000c
192.168.10.0     255.255.255.128  0.0.0.0          UCI      1   MANUAL   99053      138800000002
[root@esx01:~]

From Networking and Security > NSX Edges

esg-1

esg-2

esg-3

esg-4

Note: in NSX 6.2 an interface can have multiple non-overlapping subnets: one primary and multiple secondary IP addresses.
From what I understand, link-local IPs are assigned to the HA virtual machines in an Edge HA pair so that they can communicate with each other; the multiple-address feature allows management IP addresses to override the link-local ones.

esg-5

esg-6

Set the default gateway to point to the VyOS/physical router.
(In some cases this is not needed, for example when dynamic routing protocols are enabled; however, I found it was needed to connect to site-2 in the L2VPN lab.)

edge-1-1

Set the firewall policy; otherwise the Edge's default rule denies all traffic.

esg-7

esg-8

Once deployed, we can start testing.

esg-9

From web-1, ping 192.168.10.2, the dLR's end of the transit network; this should succeed.
From web-1, ping 192.168.10.10, the ESG's end of the transit network; it does not respond because we have not yet set up routing.
So in the next post we will look at static and dynamic routing.
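To make the two checks above repeatable, here is an added example (not part of the original post or of NSX) that parses the `net-vdr -l --route` output shown earlier, verifies the expected prefixes are present, and then models the two pings with a longest-prefix lookup on each side. The dLR table is copied from the output above; the ESG table, the web-1 address 172.16.10.11 and the rule that the ESG answers a ping to 192.168.10.10 with its own routing table are assumptions for the lab state described in this post.

```python
import ipaddress
import re

# Constructed copy of the `net-vdr -l --route nsxlab+edge-2` output shown in the
# post; the parser must skip the title, legend and header lines.
DLR_ROUTE_OUTPUT = """\
VDR nsxlab+edge-2 Route Table
Legend: [U: Up], [G: Gateway], [C: Connected], [I: Interface]
Legend: [H: Host], [F: Soft Flush] [!: Reject] [E: ECMP]

Destination      GenMask          Gateway          Flags    Ref Origin   UpTime     Interface
-----------      -------          -------          -----    --- ------   ------     ---------
0.0.0.0          0.0.0.0          192.168.10.10    UG       1   AUTO     99026      138800000002
172.16.10.0      255.255.255.0    0.0.0.0          UCI      1   MANUAL   99052      13880000000a
172.16.20.0      255.255.255.0    0.0.0.0          UCI      1   MANUAL   99052      13880000000b
172.16.30.0      255.255.255.0    0.0.0.0          UCI      1   MANUAL   99052      13880000000c
192.168.10.0     255.255.255.128  0.0.0.0          UCI      1   MANUAL   99053      138800000002
"""

DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_vdr_routes(text):
    """Return a list of (network, gateway, flags) from net-vdr route output.

    A gateway of 0.0.0.0 means the prefix is directly connected (flag C), so it
    is stored as None; the Ref/Origin/UpTime/Interface columns are ignored.
    """
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not DOTTED_QUAD.fullmatch(cols[0]):
            continue
        dest, mask, gw, flags = cols[:4]
        net = ipaddress.IPv4Network((dest, mask))
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, flags))
    return routes


def missing_networks(routes, expected):
    """Return the expected prefixes (as 'a.b.c.d/len' strings) absent from the table."""
    present = {str(net) for net, _, _ in routes}
    return sorted(set(expected) - present)


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (network, gateway) or None."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, _ in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


# Assumed ESG table for the state reached at the end of the post: the transit and
# uplink interfaces are connected, the default gateway is the VyOS router, and no
# route to the 172.16.x.0 logical networks exists yet. Not taken from the page.
ESG_ROUTES = [
    (ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address("192.168.100.1"), "UG"),
    (ipaddress.IPv4Network("192.168.10.0/25"), None, "UCI"),
    (ipaddress.IPv4Network("192.168.100.0/24"), None, "UCI"),
]

# Which device answers a ping to which transit address (both addresses are from the post).
DEVICES = {
    "dlr": {"addresses": {"192.168.10.2"}, "routes": parse_vdr_routes(DLR_ROUTE_OUTPUT)},
    "esg": {"addresses": {"192.168.10.10"}, "routes": ESG_ROUTES},
}


def ping_path(src, dst):
    """Model a ping from a web-1 host: the dLR's forwarding decision, then the
    responder's reply decision. Returns (forward_hop, reply_hop, reachable)."""
    fwd = lookup(DEVICES["dlr"]["routes"], dst)
    if fwd is None:
        return ("no route", None, False)
    fwd_hop = "connected" if fwd[1] is None else str(fwd[1])
    responder = next((d for d in DEVICES.values() if dst in d["addresses"]), None)
    if responder is None:
        return (fwd_hop, "unknown responder", False)
    rev = lookup(responder["routes"], src)
    if rev is None:
        return (fwd_hop, "no route", False)
    rev_hop = "connected" if rev[1] is None else str(rev[1])
    # The reply gets home only if the responder delivers it on a connected segment
    # (the dLR owns 172.16.10.0/24) or hands it back to the dLR's transit address.
    reachable = rev[1] is None or str(rev[1]) == "192.168.10.2"
    return (fwd_hop, rev_hop, reachable)


if __name__ == "__main__":
    table = DEVICES["dlr"]["routes"]
    print("missing:", missing_networks(table, ["172.16.10.0/24", "172.16.20.0/24",
                                                "172.16.30.0/24", "192.168.10.0/25"]))
    for target in ("192.168.10.2", "192.168.10.10"):
        # 172.16.10.11 is a constructed web-1 address in the 172.16.10.0 network
        print(target, ping_path("172.16.10.11", target))
```

The model shows why the second ping fails: the dLR delivers the echo request on the connected transit segment, but the ESG's only match for 172.16.10.11 is its default route towards the VyOS router, so the reply never comes back through 192.168.10.2. Adding a 172.16.10.0/24 entry via 192.168.10.2 to ESG_ROUTES (a static route, or what a dynamic protocol would install) is enough to make `ping_path` report the target as reachable.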
