VCP6-NV Study Notes-Section 5: Configure VMware NSX Virtual Networks – Part 2
Objective 5.4: Configure and Manage Logical Routers
Dynamic routing provides the necessary forwarding information between layer 2 broadcast domains, thereby allowing you to decrease layer 2 broadcast domains and improve network efficiency and scale
NSX extends this intelligence to where the workloads reside for doing East-West routing. This allows more direct virtual machine to virtual machine communication without the costly or timely need to extend hops
Source: http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_6_admin.pdf
Install NSX Edge
The services gateway gives you access to all NSX Edge services such as firewall, NAT, DHCP, VPN, load balancing, and high availability.
- You can install multiple NSX Edge services gateway virtual appliances in a datacenter
- Each NSX Edge virtual appliance can have a total of ten uplink and internal network interfaces.
- internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group
- Uplink interfaces of NSX Edge connect to uplink port groups that have access to a shared corporate network or a service that provides access layer networking
Procedure:
- Log in to the vSphere Web Client.
- Click Networking & Security and then click NSX Edges.
- Click Add icon and In the Add Edge in the Gateway wizard, select Edge Services Gateway
- Select Enable High Availability to enable and configure high availability (HA)
- Type a name for the NSX Edge virtual machine.This name appears in your vCenter inventory. The name should be unique across all Edges within a single tenant
- (Optional) Type a host name for the NSX Edge virtual machine. This name appears in CLI. If you do not specify the host name, the Edge ID is displayed in CLI
- (Optional) Type a description and tenant for this NSX Edge, then click Next
Source: http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_6_install.pdf
Understand how to connect/disconnect a logical switch from a logical router
You must specify the management interface for the router. You use this interface for out-of-band (meaning not over the same network your data travels) access to NSX Edge.Using a separate, dedicated interface for managing the router is good since it does not interfere with network traffic and the interface is available even if other network interfaces go down
You can configure up to 999 interfaces, with a maximum of 8 uplinks.
Procedure:
- (Optional) On the Interfaces page, type the IP address for the management interface.
- (Optional) In Management Interface Configuration, click Select next to the Connected To field and select the logical switch or port group that you want to set as the management interface. Add to add a subnet for the management interface.
- Type the IP address of the subnet and click OK. If you add more than one subnet, select the primary subnet.
- Type the subnet prefix length and click OK
- In Configure Interfaces, click the Add icon to add a traffic interface and type a name for the interface
- Select Internal or Uplink to indicate whether this is an internal or external interface. Select the port group or VXLAN virtual wire to which this interface should be connected.
- Click Select next to the Connected To field.
- Depending on what you want to connect to the interface, click the Virtual Wire or Distributed Portgroup tab.
- Select the appropriate virtual wire or port group.
- Click OK.
- Select the connectivity status for the interface.
- In Configure Subnets, click the Add icon to add a subnet for the interface
- In Add Subnet, click the Add ( ) icon to add an IP address.
- Type the IP address.You must add an IP address to an interface before using it on any feature configuration and Click OK.
- Type the subnet prefix length and Click OK and then click OK again. Finally click Next and the Default Gateway page appears.
Source: http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_6_install.pdf
Understand and describe the different types of router interfaces
Source: http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_6_admin.pdf
Determine NSX components needed to build out topologies with logical routers
Source: http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_6_admin.pdf
Understand how to add and configure a new logical router
With distributed routing, virtual machines or workloads that reside on the same host on different subnets can communicate with one another without having to traverse a traditional routing interface such as the NSX Edge services gateway.
Prerequisite: You must have at least three controller nodes and one logical switch in your environment before installing an logical router
Procedure:
- Log in to the vSphere Web Client.
- Click Networking & Security and then click NSX Edges
- Click Add icon
- In the Add Edge Gateway wizard, select Logical (Distributed) Router
- Select Enable High Availability to enable and configure high availability (HA)
- Type a name for the NSX Edge VM
- Optionally type a host name for the NSX Edge and a description and tenant for this NSX Edge. Then click next
Determine use case for and configure a management interface
See above
Determine use case for and configure High Availability for a logical router
See above
Configure routing protocols
- Static Route
- Click Networking and Security and then click NSX Edge
- Double-click NSX Edge
- Click the Manage tab and then click the Routing tab
- Select Stati routes from the left panel
- Click the Add icon
- Type a description for the static route
- Select the interface on which to add a stati route
- type the network CIDR notation
- type IP address of the Next hop
- For MTU, edit the max transmission value for the data packets if required and click OK
- OSPF
- OSPF routing policies provide a dynamic process of traffic load balancing between routes of equal cost.
- An OSPF network is divided into routing areas to optimize traffic. An area is a logical collection of OSPF networks, routers, and links that have the same area identification
- Prerequisite: Router ID must be specified
- Procedure
- Doble click NSX Edge and Click routing then OSPF
- For Edge gw -> Click Enable
- For logical router
- click Edito at the top right corner
- Click Enable OSPF
- in Forwarding Address type an IP address used by route datapath module in the hosts to forward
- In protocol Address type a unique IP address with the same subnet as the Forwarding Address.
- In Area Definitions click Add icon
- Type an Area ID (it supports an area ID in the form of an IP address or decimal number)
- Select Stub in the Type field
- Select the type of Authentication.
- None
- password
- MD5
- In Area to interface mapping, click the Add icon to map the interface that belongs to the OSPF area
- Select the interface you want to map and the OSPF area that you want to map it to.
- Hello Interval displays the default interval between hello packets are sent on the interface. (Edit the default if required)
- Dead interval displays. the interval during which at least one hello packer must be received from a neighbor before declare down
- Priority displays the default priority of the interface
- Cost of an interface displays the default overhead required to send packets across that interface.
- Click OK and then Publish Changes
- BGP
- Border Gateway Protocol (BGP) makes core routing decisions. It includes a table of IP networks or prefixes which designate network reachability among autonomous systems.
- Procedure
- Double-click an NSX Edge
- Click Routing and then click BGP
- Click Edit
- In the Edit BGP Configuration dialog box, click Enable BGP.
- Type the router ID in Local AS. Type the Local AS. This is advertised when BGP peers with routers in other autonomous systems (AS). The path of ASs that a route traverses is used as one metric when selecting the best path to a destination.
- Click Save.
- In Neighbors, click the Add icon.
- Type the IP address of the neighbor.
- Type the remote AS.
- Edit the default weight for the neighbor connection if required.
- Hold Down Timer displays interval (180 seconds) after not receiving a keep alive message that the software declares a peer dead. Edit if required.
- Keep Alive Timer displays the default frequency (60 seconds) with which the software sends keep alive messages to its peer. Edit if required.
- If authentication is required, type the authentication password. Each segment sent on the connection between the neighbors is verified. MD5 authentication must be configured with the same password on both BGP neighbors, otherwise, the connection between them will not be made.
- To specify route filtering from a neighbor, click the Add icon in the BGP Filters area.
- Select the direction to indicate whether you are filtering traffic to or from the neighbor.
- Select the action to indicate whether you are allowing or denying traffic.
- Type the network in CIDR format that you want to filter to/from the neighbor.
- Type the IP prefixes that are to be filtered and click OK. and click Publish Changes.
- IS-IS
- Intermediate System to Intermediate System (IS-IS) is a routing protocol designed to move information by determining the best route for datagrams through a packet-switched network.
- Procedure:
- Log in to the vSphere Web Client.
- Click Networking & Security and then click NSX Edges.
- Double-click an NSX Edge.
- Click Routing and then click IS-IS.
- Click Edit and then click Enable IS-IS.
- Type the System ID and select the IS-IS type.
- Level 1 is intra-area, Level 2 is inter-area, and Level 1-2 is both.
- Level 2 routers are inter-area routers that can only form relationships with other Level 2 routers.
- Routing information is exchanged between Level 1 routers and other Level 1 routers, and Level 2 routers only exchange information with other Level 2 routers.
- Level 1-2 routers exchange information with both levels and are used to connect the inter-area routers with the intra-area routers.
- Type the Domain Password and Area Password. The area password is inserted and checked for Level 1 link state packets, and the domain password for Level 2 link state packets.
- Define the IS-IS areas.
- Click the Add icon in Areas.
- Type up to three area IP addresses.
- Click Save.
- Configure interface mapping.
- Click the Add icon in Interface Mapping.
- Choose the Circuit Type to indicate whether you are configuring the interface for Level-1, Level-2, or Level-1-2 adjacency.
- Hello Interval displays the default interval in milliseconds between hello packets that are sent on the interface. Edit the default value if required.
- Hello Multiplier displays the default number of IS-IS hello packets a neighbor must miss before it is declared down. Edit the default value if required.
- LSP Interval displays the time delay in milliseconds between successive IS-IS link-state packet (LSP) transmissions. Edit the default value if required.
- Metric displays default metric for the interface. This is used to calculate the cost from each interface via the links in the network to other destinations. Edit the default value if required.
- Priority displays the priority of the interface. The interface with the highest priority becomes the designated router. Edit the default value if required.
- In Mesh Group, type the number identifying the mesh group to which this interface belongs. Edit the default value if required.
- Type the authentication password for the interface and click OK. Edit the default value if required.
- Click Publish Changes.
Configure default gateway
If you installing an NSX Edge services gateway, provide the IP address for the NSX Edge default gateway.
Procedure:
- On the Default Gateway page, select Configure Default Gateway.
- Select the interface that can communicate with the next hop or gateway IP address.
- Type the IP address for the default gateway.
- In MTU, the default MTU for the interface you selected in Step 2 is displayed. You can edit this value, but it cannot be more than the configured MTU on the interface.
- Click Next -> The Firewall & HA page appears.
Source: http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_6_install.pdf
Determine if cross-protocol route sharing is needed for a given NSX implementation
Understand how to configure administrative distances for routing
Understand configuration differences between iBGP and eBGP
When BGP runs between two peers in the same autonomous system (AS), it is referred to as Internal BGP (iBGP or Interior Border Gateway Protocol). When it runs between different autonomous systems, it is called External BGP (eBGP or Exterior Border Gateway Protocol). Routers on the boundary of one AS exchanging information with another AS are called border or edge routers or simply eBGP peers and are typically connected directly, while iBGP peers can be interconnected through other intermediate routers.
Source: https://en.wikipedia.org/wiki/Border_Gateway_Protocol
Understand and configure route redistribution
By default, routers share routes with other routers running the same protocol. In a multi-protocol environment, you must configure route redistribution for cross-protocol route sharing.
Procedure:
- Double-click an NSX Edge.
- Click Routing and then click Route Redistribution.
- Click Change next to Route Redistribution Status.
- Select the protocols for which you enable route redistribution and click OK. Add an IP prefix.
- Entries in the IP Prefix list are processed sequentially.
- Click the Add icon in IP Prefixes.
- Type a name and IP address of the network.
- Click OK.
- Specify redistribution criteria for the IP prefix.
- Click the Add icon in Route Redistribution table.
- In Learner Protocol, select the protocol that is to learn routes from other protocols.
- In Allow Learning from, select the protocols from which routes should be learned.
- Click OK.
- Click Publish Changes.