Road to VCAP6-NV: Objective 2.3 – Configure and Manage Routing

VMwareNSX
In this blog post I will cover section 2 object 2.3 of the VCAP6-NV Deploy exam.

Objective 2.3 – Configure and Manage Routing

  • Deploy the appropriate NSX Edge (ESG/LDR) device according to a deployment plan
  • Configure centralized and distributed routing
  • Configure default gateway parameters
  • Configure static routes
  • Select and configure appropriate dynamic routing protocol according to a deployment plan:
    • OSPF
    • BGP
    • IS-IS
  • Configure route redistribution to support a multi-protocol environment

Deploy the appropriate NSX Edge (ESG/LDR) device according to a deployment plan

The distributed logical router (DLR) is a kernel module that allows the hypervisor to make routing decisions locally. It can perform routing between VXLAN networks and between virtual and physical networks. The DLR connects directly to logical switches. In doing so, it becomes the default gateway for virtual machines that are connected to logical switches. The DLR has support for static routes, BGP, and OSPF. By means of a DLR control VM, the DLR is able to make routing adjacencies with other network devices. The DLR is optimized for east-west data traffic. The DLR can have a total of 1000 uplink and internal interfaces

The NSX Edge services gateway provides common gateway services, such as DHCP, VPN, NAT, dynamic routing, and load balancing. The NSX Edge services gateway can be leveraged for North-South routing for connecting your virtual environment to the intranet/Internet. The NSX Edge provides centralized routing and is deployed as a virtual machine. The NSX Edge supports OSPF, BGP, Static Routes and Route Redistribution. Unlike the DLR, the Edge can support both OSPF and BGP together. The NSX Edge appliance can have a total of 10 uplink and internal interfaces.

Deploy a NSX Logical Distributed Router

Navigate to Networking & Security > NSX Edges and click the green +.

d01

Click Logical Router to deploy a LDR. Enter in a name for the LDR. The Deploy Edge box is checked by default. Note: If you plan to do dynamic routing or use the logical router’s firewall, then a edge appliance is required. If you will only be using static routes, then there’s no need to deploy the appliance. You cannot deploy the edge appliance to the logical router after the logical router has been created.

Click Next.

d02

Enter in a password for the admin account. It must be between 12-25 characters and must have at least one lower case letter, at least one number, and at least one special character. Enabling SSH is optional. If you do enable it, you have to manually allow access in the logical router’s firewall to the protocol address of the logical router. Click Next.

d03

Click the green + to deploy the edge appliance

d04

Select the placement parameters. Click OK.

d05

Click Next.

d06

Click the green + to begin creating a interface on the DLR. Select whether this will be a Internal or Uplink interface. In my case I am creating my uplink interface to my transit switch that will eventually be used to peer with my ESG. Assign a IP address also. Click OK.

d07

For the HA configuration, it is recommended that you choose a logical switch to connect to. If you don’t assign a IP address to the HA interface, NSX will generate a IP for you. Create any additional interfaces that you want on the DLR. Click Next.

d08

Configure your default gateway. Click Next.

d09

Verify your configuration. Click Finish and the DLR will then be deployed.

d10

Deploy a NSX Edge Services Gateway

Deploying a ESG is very similar to that of a DLR. The ESG will have some slightly different options to chose from.

To begin navigate to Networking & Security > NSX Edges and click the green +. Select Edge Services Gateway. Enter a name for the appliance. Click Next.

d11

Enter a admin password. It has the same password requirements as the DLR. Once again, Enable SSH is off by default. Enable auto rule generation is enabled by default. This allows control traffic to flow freely on the NSX Edge. It does not auto generate rules for data traffic however. Click Next.

d12

This is one of the options that is not avaliable when deploying a DLR. The size affects the amount of vCPU and RAM that the edge appliance will have. Click Next.

d13

Click the green + to create your interfaces

d14

Decide whether the interface will be a Uplink or Internal interface, connect it to the proper port group or logical switch and assign it a IP address. Optionally, you can enter the MAC address for the interface. The Proxy ARP setting allows the ESG the answer ARP requested intended for other machines. The Send ICMP Redirect option will convey routing information to hosts. Reverse Path Filter verifies the reachability of the source address in packets being forwarded. In enabled mode, the packet must be received on the interface that the router would use to forward the return packet. In loose mode, the source address must appear in the routing table. Click OK.

d15

Create any other interfaces that you need to have in place. Click Next.

d16

Enter the default gateway IP. Click Next.

d17

Configure the firewall default policy. If you do not configure this option, the default behavior is to deny all traffic. Click Next.

d18

Click Finished and the ESG will deploy.

d19

Configure default gateway parameters

This is something that we configured on deployment but if we ever need to change the settings of the default gateway, navigate to Networking & Security > NSX Edges and double click the edge device. Under Manage > Global Configuration you will see the default gateway settings. Click Edit.

d20

Select the Interface for the default gateway and enter the gateway IP. Click OK.d21

 

Publish the Changesd22

Configure static routes

Navigate to Networking & Security > NSX Edges and double click the edge device. Under ManageRouting > Static Routes click the green +

d23

Enter in the network, next hop, and interface information. Click OK.

d24

Publish Changes

d25

 

Select and configure appropriate dynamic routing protocol according to a deployment plan:

OSPF

For a logical router:

In order to configure OSPF, you must first have a router ID configured.

Navigate to Networking & Security > NSX Edges and double click the edge device. Under ManageRouting > Global Configuration > Dynamic Routing Configuration click Edit.o02

By default, it chooses the DLR’s uplink interface as the Router ID. Click OK.

o03

After you publish the changes, navigate to the Manage tab and click OSPF. Click Edit.

o01

Check Enable OSPF. Enter in a Protocol address and Forwarding address that are on the same subnet. The Protocol address is what the DLR uses to create the peering with the adjacent device. In our case, it will be the ESG. The forwarding address is what is used to forward datapath packets. Click OK.

o04

By default, area 51 is created as a NSSA under Area Definitions. I just edited that and made it a Normal area. You can delete it and create whatever area number that you want. Click OK.

o05

Under Area to Interface Mappings, select the interface that you want to be a part of the areas that you create. In this case I am making my uplink interface a part of area 51 to peer with my ESG. Click OK and publish your changes.

o06

 

For NSX Edge Services Gateway:

The process is done the same ESG with the exception that you don’t need a protocol address. So I’ve given the ESG a router ID and enabled OSPF. The ESG does have another option that can be selected with enabling OSPF and that is Default Originate. Default originate allows the ESG to advertise itself as a default gateway to its neighbors

o07

Also with the ESG instead of choosing my uplink interface to map to area 51, I chose my internal interface. This will allow the OSPF peering to take place between the DLR and ESG. Click OK and publish your changes.

o08

 

BGP

For Logical Router:

In order to configure BGP, you must first have a router ID configured.

Navigate to Networking & Security > NSX Edges and double click the edge device. Under ManageRouting > BGP click edit beside BGP Configuration. Check Enable BGP and enter in your AS number

bgp01

Under Neighbors click the green +. Enter in the IP of the ESG. This is the interface that is pointing toward the DLR, the internal interface. Enter in the forwarding address and protocol address. Once again, the protocol address is what is used to peer with the ESG and the forwarding address is used to forward data packets. So when we go to our ESG to do the neighbor configuration, we will use the DLR’s protocol address and the neighbor IP address. Click OK. Publish changes.

bgp02

 

For NSX Edge Services Gateway:

Just like on the DLR, we enable BGP and enter in a Local AS number. The same is true here of the Enable Default Originate as it was with OSPF. The ESG can advertise itself as a default gateway if this is enabled. Click OK.

bgp03

Click the green + under Neighbors. Enter in the protocol address of the DLR and the remote AS. Click OK. Publish Changes.

bgp04

 

Configure route redistribution to support a multi-protocol environment

By default, routers share routes with other routers running the same protocol. In a multi-protocol environment, you must configure route redistribution for cross-protocol route sharing.

Navigate to you edge device and under Manage > Routing > Route Redistribution, click Edit. Select the protocol that you want to enable redistribution for. Click OK.

rd01

Under IP Prefixes, you can enter in the networks that you want advertise or restrict from being advertised. You reference these IP prefixes in your route redistribution table and BGP filters. Click the green + and add a network. Click OK.

rd02

Under Route Redistribution table click the green +. Here is where we will either permit or deny one of our prefix lists from getting advertised. Under Prefix Name, we can select from a list of IP prefixes that we created. The Learner Protocol option is the protocol that is to learn route from other protocols. Allow learning from is where we select the protocols from which routes should be learned. In this case that means, allow BGP to learn routes from OSPF and connected routes. And notice that the action is set to Permit. That can be changed to Deny to remove routes from being advertised. Click OK and publish changes

rd03

Note: I did not go over IS-IS configuration because it has been depreciated as of version 6.3.0. I am running 6.3.3 in my lab.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s