NSX-V Lab: Edge Services Gateways

Intro

Welcome to Part 14 of the NSX-V Lab Series. In the previous post, we created our universal Distributed Logical Router.
In this post we will deploy our Edge Services Gateways and get them ready to connect to our Distributed Logical Router and peer with our simulated physical routers.

What is an Edge Services Gateway?

An Edge Services Gateway (ESG) is essentially the on/off ramp to your virtual infrastructure. It connects the virtual to the physical and provides north-south routing functionality.
It also allows stateful services such as NAT, DHCP, Load Balancing and VPN.
As these services are stateful, we can only use them in an Active/Passive Edge configuration. ECMP edges cannot use stateful services.
Most customer deployments utilize an ECMP Edge configuration.
Where stateful services are needed, these are often deployed on another ESG beneath the ECMP Edges.
The diagram below is from a customer design that I created. In it we can see the two Provider Edges in ECMP mode; connected to those are two Tenant Edges in HA mode, each with a tenant DLR connected.
With this configuration the customer can use overlapping IP ranges for the tenant VMs, as the Tenant Edges are providing NAT services.

The Build

In order to simulate a customer deployment I need two separate uplink VLANs, as can be seen in the design diagram above.
The design uses two uplink VLANs: the first is only present on switch A, and each ESG's uplink 1 connects to it.
Switch B carries the second uplink VLAN, and each ESG's uplink 2 connects to that.
The reason for the different VLANs is to provide multiple paths for north-south traffic, so that ECMP mode can use more of the available bandwidth by utilizing both uplinks simultaneously.

I’m using Sophos XG routers to simulate the physical switches. I’m not going to cover how to set up the XG router; there are other blogs out there that do a better job than I could of explaining it. I will just cover the basics of what I have set up.
I need to create a VLAN interface, so I go to ‘Network’, ‘Interfaces’, ‘Add Interface’, then select ‘Add VLAN’.

Port 1 is my physical interface and the zone is LAN. I enter a VLAN ID of 60 and assign a static IP address and subnet mask.
I repeat the process to create the second uplink VLAN, which is VLAN 70.

Next I need to create the Distributed Port Groups on my Edge vDS.

I set the VLAN type as VLAN and the VLAN ID as 60.

I set all the security options to Accept.

For the Active Uplinks I set the Active uplink to Uplink 1 and Unused to Uplink 2.
I’ll repeat this process for VLAN 70, but there the Active Uplink will be Uplink 2 with Uplink 1 Unused.

I’m now ready to create my ESGs.
From the NSX console go to ‘NSX Edges’, then click on ‘+ ADD’, then select ‘Edge Services Gateway’.

Give it a name and ensure that ‘Deploy Edge Appliance VM’ is selected, which it should be as that’s what we are doing 😉
Do not tick High Availability.

Enter a complex password. For my lab I’ll enable SSH.
The Auto Rule Generation Enabled/Disabled setting doesn’t matter since we will be disabling the Edge Firewall anyway.

Select the Datacenter for the Edge Appliance VM and select the size required. For the lab I’ll stick with Compact, then click the +.

Select the Cluster/Resource Pool; for my lab I have a dedicated Edge cluster called vEdge.

Select the storage.

I’ll remove the Resource Reservation. If this were a production build then it should be left on.

Click ‘Next’.

We now need to configure our interfaces.
Unlike the DLR deployment, the Edge deployment will not let you continue until at least one interface is configured. Click ‘+ ADD’.

The first uplink I’ll create is the Uplink1 interface.
Give it a name, ensure that Uplink is selected then click the Pencil Icon.

Select the ‘Distributed Virtual Port Group’ tab and then select the Uplink-VLAN-60 port group.

Enter the IP and subnet then click on the Advanced tab at the top.

Set the MTU to the correct value; for my lab that’s 1600.
Change the reverse path filter to ‘Disable’. This is always set this way on ECMP Edges to allow traffic to return on a different interface; if we leave this setting Enabled then traffic would get dropped!

Enable ‘Send ICMP Redirect’.

Repeat the process for Uplink2 to VLAN 70.

Now we need to create the interface from the ESG to the DLR.
Give the interface a name and then change the Type to Internal.
Click the Pencil icon.

Select the Transit network Logical Switch that we created earlier.

Assign an IP address and subnet then configure the advanced settings again.

We now have all our interfaces configured.

Disable the default gateway; we have two uplinks so we don’t want to force traffic to use just one.

The Firewall Default Policy can be left as it is; since we will be disabling the firewall anyway, the setting is not relevant.

That’s it, now click ‘Finish’.

Repeat the process to deploy the second ESG.
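As an added check that is not part of the original post, the script below lints a constructed description of the lab against the design rules given above for the vDS port groups (each uplink VLAN on a different active uplink, the other uplink Unused) and for the ECMP ESGs (no HA, no stateful services, reverse path filter disabled, distinct uplink VLANs, no default gateway, MTU 1600). The dict layout is an assumption for illustration only, not the NSX-V API schema.

```python
# Added example, not code from the original post: lint for the ECMP Edge design rules the
# post states. The dict layout is a constructed stand-in, not the NSX-V API schema.

STATEFUL_SERVICES = ("nat", "dhcp", "load_balancer", "vpn")

def check_edge(edge):
    """Return the design-rule violations for one ESG described as a dict."""
    name, findings = edge["name"], []
    uplinks = [v for v in edge["vnics"] if v["type"] == "uplink"]
    if edge["ecmp"]:
        if edge["ha"]:
            findings.append(f"{name}: HA must be off on an ECMP edge")
        findings += [f"{name}: stateful service '{s}' not allowed on an ECMP edge"
                     for s in STATEFUL_SERVICES if edge["services"].get(s)]
        findings += [f"{name}: reverse path filter must be disabled on {v['name']}"
                     for v in uplinks if v["rpf"] != "disable"]
    if len({v["vlan"] for v in uplinks}) < len(uplinks):
        findings.append(f"{name}: uplinks share a VLAN, so there is only one north-south path")
    if len(uplinks) > 1 and edge["default_gateway"] is not None:
        findings.append(f"{name}: default gateway set with two uplinks; it pins traffic to one path")
    findings += [f"{name}: MTU {v['mtu']} on {v['name']} is below 1600 (VXLAN overhead)"
                 for v in edge["vnics"] if v["mtu"] < 1600]
    return findings

def check_portgroups(portgroups):
    """Each uplink VLAN must use a different active vDS uplink, with the other marked unused."""
    findings, active = [], {}
    for pg in portgroups:
        if pg["active"] == pg["unused"]:
            findings.append(f"{pg['name']}: active and unused uplink are the same")
        if pg["active"] in active:
            findings.append(f"{pg['name']}: shares active {pg['active']} with {active[pg['active']]}")
        active[pg["active"]] = pg["name"]
    return findings

# Constructed lab data: the first edge follows the post; the second has several mistakes.
PORTGROUPS = [{"name": "Uplink-VLAN-60", "vlan": 60, "active": "Uplink 1", "unused": "Uplink 2"},
              {"name": "Uplink-VLAN-70", "vlan": 70, "active": "Uplink 2", "unused": "Uplink 1"}]

def vnic(name, kind, vlan, mtu=1600, rpf="disable"):
    return {"name": name, "type": kind, "vlan": vlan, "mtu": mtu, "rpf": rpf}

GOOD_EDGE = {"name": "ESG-01", "ecmp": True, "ha": False, "default_gateway": None,
             "services": {}, "vnics": [vnic("Uplink1", "uplink", 60), vnic("Uplink2", "uplink", 70),
                                       vnic("Transit", "internal", None)]}
BAD_EDGE = {"name": "ESG-02", "ecmp": True, "ha": True, "default_gateway": "192.0.2.1",
            "services": {"nat": True}, "vnics": [vnic("Uplink1", "uplink", 60, rpf="enable"),
                                                 vnic("Uplink2", "uplink", 60, mtu=1500)]}
```

Running `check_edge(BAD_EDGE)` lists every departure from the post's settings, which is a quick way to review a second site built "mostly the same" before routing is turned on.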

As we are setting up a dual-site solution we now need to repeat this whole process again on our DR site. I’m not going to blog all of that as it’s mostly the same, just using different VLAN IDs for the second site’s Uplinks.

That’s it for the ESG initial setup. The next step is to finish configuring them and set up dynamic routing; I’ll cover that in the next blog post, otherwise this one will be huge!

NSX-V Lab Part 15: NSX-V ESG Routing configuration
