NSX-T 2.5 Getting Started, Part 2 - Service Configuration!

Now that the primary infrastructure components for NSX-T are in place, it is now possible to build-out the actual functions that NSX-T is designed to provide.

A friendly suggestion, make sure your Fabric is healthy before doing this:

NSX Monitoring

NSX-T differs from NSX-V quite a bit here. Irregular topologies between edge routers aren't supported, and you have to design any virtual network deployments in a two-tier topology that somewhat resembles Cisco's Aggregation-Access model, but in REVERSE.

The top tier of this network, or as VMWare calls it in their design guide, Tier-0, the primary function provided by logical routers in this layer are simply route aggregation devices, performing tasks such as:

  • Firewalling
  • Dynamic Routing to Physical Network
  • Route Summarization
  • ECMP

The second logical tier, Tier-1 is automatically and dynamically connected to Tier-0 routers via /31s generated from a prefix of your choosing. This logical router will experience a much higher frequency of change, performing tasks like:

  • Layer 2 segment termination/default gateway
  • Load Balancing
  • Firewalling
  • VPN Termination
  • NAT
  • Policy-Based Forwarding

Before implementing said network design, I prefer to write out a network diagram.

Network Diagram

Let's start with configuring the Tier-0 gateway:

Tier-0 Gateway

We'll configure the Tier-0 router to redistribute pretty much everything:

Route Redistribution

Configure the uplink interface:

Set Interfaces

Oddly enough, we have spotted a new addition with 2.5 in the wild - the automatic inclusion of prefix-lists!

Configure IP Prefix List

We also want to configure route summarization, as the switches in my lab are pretty ancient (WS-3560-24TS-E). I'd recommend doing this anyway in production, as it will limit the impact of widespread changes. To pull that off, you *should* reserve the following prefixes, even if they seem excessive:

  • A /16 for Virtual Network Services per transport zone
  • A /16 for NSX-T Internals, allocating /19s to each tier-0 cluster, as outlined in our diagram.

I did so below, and it makes route aggregation or summarization EASY.

Route Aggregation

Now, we configure BGP Neighbors:

Configure BGP Neighbors

Configure Tier-0 Router

At this point, we want to save and test the configuration. It'll take a while for NSX-T to provision the services listed here, but once it's up, you'll see:

BGP Leaf Reachability

Check for advertised routes. Only routes that exist are aggregated, so you should only see 10.8.0.0/16:

BGP Leaf Summary

BGP Leaf All

As a downside, I have prefix-filtering to prevent my lab from stomping on the vital pinterest and netfix network, so I had to add the new prefixes to that:

Firewall BGP Import Rule

That was quite a journey! Fortunately, Tier-1 gateway configuration is MUCH simpler, initially. Most of the work performed on a Tier-1 Gateway is Day 1/Day 2, where you add/remove network entities as you need them:

Tier-1 Gateway

Let's add a segment to test advertisements. I STRONGLY RECOMMEND WRITING A NAMING CONVENTION HERE. This is one big difference between NSX-V and NSX-T, where you don't have this massive UUID in the port group obfuscating what you have. Name this something obvious and readable, your future self will thank you.

Logical Segments

Hey look, new routes!

BGP Leaf Summary

BGP Leaf All

As I previously mentioned, these segments, once provisioned, are just available as port-groups for consumption by other VMs on any NSX prepared host:

vSphere Segments

Next, we'll configure NSX-T to make waffles!