vExpert

Deep Dive in to Virtualization & Cloud


VMware NSX Edge Configuration

VMware NSX is the network virtualization platform that enables the implementation of virtual networks on your physical network and within your virtual server infrastructure. VMware NSX Data Center delivers virtualized networking and security entirely in software, completing a key pillar of the Software-defined Data Center (SDDC), and enabling the virtual cloud network to connect and protect across data centers, clouds, and applications.

NSX Edge Services Gateway (ESG)

The NSX Edge Services Gateway (ESG) offers a feature-rich set of services that includes NAT, routing, firewall, load balancing, L2/L3 VPN, and DHCP/DNS relay. The NSX API allows each of these services to be deployed, configured, and consumed on demand. Each ESG virtual appliance can have a total of ten uplink and internal network interfaces. With a trunk, an ESG can have up to 200 sub-interfaces. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group. The subnet assigned to an internal interface can be publicly routed IP space or NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between network interfaces.

Uplink interfaces of ESGs connect to uplink port groups that have access to a shared corporate network or a service that provides access layer networking. Multiple external IP addresses can be configured for load balancer, site-to-site VPN, and NAT services.

Deploy NSX Edge Services Gateway 

To add an Edge Services Gateway, navigate to vCenter Web Client – Network and Security – NSX Edges, click the +ADD sign and select Edge Services Gateway.

Provide the Name and Host Name, select Deploy Edge Appliance VM as the Deployment option, and click Next.

Note: You can select the High Availability option for your production infrastructure; this will deploy one more Edge appliance.

Provide the Username and Password for the appliance and click Next.

Select the Datacenter and deployment size, click the + sign under Edge Appliances VM, and provide the location where the Edge appliance will be deployed.

Provide the Resource Pool, Datastore and ESXi host details and click ADD.

Click Next to proceed with the Edge appliance deployment.

Here you configure the internal and uplink interfaces for the Edge Services Gateway (ESG). Click +ADD to add an interface.

First we configure the internal interface of the ESG. Recall that in the previous part we created a Transit Logical Switch and connected it as the uplink of the DLR; the ESG internal interface connects to the other end of that transit switch.

In the same way we add the uplink for the ESG. My ESG is connected directly to the external router: select the external network name and port group, provide the external network IP address, and click OK.

Click Next to continue with the ESG configuration.

Provide the gateway for the ESG uplink and click Next.

Select Accept as the Default Firewall Policy and click Next. With Accept as the default policy, traffic between the ESG interfaces is permitted until you add explicit firewall rules.

Review the configuration and click Finish.

Once complete, you can see the new ESG in the NSX Edges window.

Static and Dynamic Routing between ESG and DLR

NSX has two types of routing subsystems, optimized for two key needs.

  • Routing within the logical space, also known as “East – West” routing, provided by the Distributed Logical Router (DLR);
  • Routing between the physical and logical space, also known as “North – South” routing, provided by the Edge Services Gateways (ESG).

Both provide options for horizontal scaling: you can scale out distributed E-W routing via the DLR.

The DLR supports running a single dynamic routing protocol at a time (OSPF or BGP), while the ESG supports running both routing protocols at the same time. The reason is that the DLR is designed as a “stub” router with a single path out, which means more advanced routing configurations are typically not required. Both the DLR and the ESG support a combination of static and dynamic routes, and both support ECMP routes. Both provide L3 domain separation, meaning that each instance of a Distributed Logical Router or an Edge Services Gateway has its own L3 configuration, like an L3VPN VRF.

In this recipe we will see how to enable OSPF between the ESG and the DLR. Before starting the configuration, log in to the DLR and ESG appliance consoles and check the current (default) routes by entering the command below.

#show ip route

OSPF Configuration in DLR

To configure OSPF on the Distributed Logical Router, navigate to vCenter Web Client – Network and Security – NSX Edges and double-click the Distributed Logical Router.

Click Routing – Global Configuration – Dynamic Routing Configuration – Edit.

Select the Transit to Edge interface as the Router ID and click Save.

Click Publish so that the Router ID gets configured.

Once the Router ID is configured, click OSPF.

Configure the following values before enabling OSPF on the DLR:

  • Area ID – the OSPF Area ID to be used between DLR and ESG
  • Area to Interface Mapping
  • Protocol Address – an additional IP address used for dynamic routing
  • Forwarding Address – the interface IP on the ESG

To configure a new Area ID, click ADD; also remove the default Area 51.

Provide the new Area ID and Type and click ADD.

Click Publish to apply the changes.

To create a new Area to Interface mapping, click ADD.

Provide the Interface and Area ID and click ADD.

Click Publish to apply the changes.

To configure the Protocol Address and Forwarding Address, click Edit.

Select the Interface and Protocol Address, enable OSPF, and click Save.

Click on Publish to apply the changes.

OSPF Configuration in ESG

To configure OSPF on the Edge Services Gateway, navigate to vCenter Web Client – Network and Security – NSX Edges and double-click the Edge Services Gateway.

Click Routing – Global Configuration – Dynamic Routing Configuration – Edit.

Select the ESG uplink interface as the Router ID and click Save.

Click Publish to apply the changes.

Configure the following values before enabling OSPF on the ESG:

  • Area ID – the OSPF Area ID to be used between DLR and ESG
  • Area to Interface Mapping
  • Route Redistribution

To configure a new Area ID, click ADD; also remove the default Area 51.

Provide the new Area ID and Type and click ADD.

Click on Publish to apply the changes.

To create a new Area to Interface mapping, click ADD.

Provide the internal interface towards the DLR and the Area ID, and click ADD.

Click on Publish to apply the changes.

Click Edit to enable OSPF on the ESG.

Change the Status to Enable and click Save.

Click on Publish to apply the changes.

Click Route Redistribution and ADD a new redistribution table entry.

Select Allow Learning from Static routes and Connected, and click ADD.

Click on Publish to apply the changes.

Finally, enable Route Redistribution.

Click on Publish to apply the changes.

You can verify the OSPF configuration by entering the command below on the DLR and ESG consoles; the routes learned via OSPF now appear in the routing table alongside the connected and static routes seen earlier.

#show ip route
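As an added example (not code from the original post or from VMware), the following Python script parses "show ip route" output from the DLR and the ESG and checks that the end state of this recipe has been reached: the ESG holds OSPF-learned routes for the DLR-side subnets, and the DLR holds an OSPF-learned default route that the ESG redistributed from its static default. The sample console output, the subnet and the addresses are constructed assumptions, not captured from the author's lab.

```python
import re

# Constructed sample output in the style of an NSX Edge "show ip route"
# (not captured from the author's lab; addresses and prefixes are assumptions).
DLR_BEFORE = """\
Codes: O - OSPF derived, C - connected, S - static, E2 - OSPF external type 2
Total number of routes: 2
C       172.16.10.0/24       [0/0]         via 172.16.10.1
C       192.168.5.0/24       [0/0]         via 192.168.5.2
"""
# Once OSPF is up, the DLR learns the ESG's redistributed static default route.
DLR_AFTER = DLR_BEFORE + "O   E2  0.0.0.0/0            [110/1]       via 192.168.5.1\n"
ESG_AFTER = """\
Total number of routes: 4
S       0.0.0.0/0            [1/0]         via 192.168.100.1
C       192.168.100.0/24     [0/0]         via 192.168.100.3
C       192.168.5.0/24       [0/0]         via 192.168.5.1
O       172.16.10.0/24       [110/1]       via 192.168.5.2
"""
# route code letters ("C", "S", "O", "O E2"), prefix, [admin distance/metric], next hop
ROUTE_RE = re.compile(
    r"^(?P<codes>[A-Z][A-Z0-9]?(?:\s+[A-Z][A-Z0-9]?)*)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\S+)"
)

def parse_routes(output):
    """Map each prefix to its route codes, admin distance, metric and next hop."""
    routes = {}
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:  # the legend and "Total number of routes" lines do not match
            routes[m["prefix"]] = {"codes": m["codes"].split(), "ad": int(m["ad"]),
                                   "metric": int(m["metric"]), "via": m["via"]}
    return routes

def ospf_routes(output):
    """Prefixes learned via OSPF (code O, including inter-area and external types)."""
    return {p for p, r in parse_routes(output).items() if "O" in r["codes"]}

def check_peering(dlr_output, esg_output, dlr_subnets):
    """List what is still missing from the end state: the ESG must hold OSPF routes
    for the DLR-side subnets and the DLR an OSPF-learned (redistributed) default."""
    problems = [f"ESG has no OSPF route for {s}" for s in dlr_subnets
                if s not in ospf_routes(esg_output)]
    default = parse_routes(dlr_output).get("0.0.0.0/0")
    if default is None or "O" not in default["codes"]:
        problems.append("DLR has no OSPF-learned default route")
    return problems
```

Running check_peering on the output captured before publishing the OSPF configuration returns the missing routes, and an empty list afterwards once both sides have converged.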

To make this NSX series more understandable, I am splitting it into multiple blog posts.

Part 1 – What is VMware NSX

Part 2 – NSX Manager 6.4.x Installation & Configuration

Part 3 – How to Install Microsoft CA Signed Certificate In NSX Manager

Part 4 – VMware NSX 6.4.x Configuration

Part 5 – VMware NSX Logical Switching and DLR Configuration

Part 6 – VMware NSX Edge Configuration

Part 7 – How to Upgrade NSX Manager

Thanks,

If you have any comments, please drop me a line.
I hope this article was informative, and don’t forget to buy me a coffee if you found this worth reading.


