NSX-T Lab: Logical Routers / Gateways


Welcome to Part 14 of the NSX-T Lab Series. In the previous post, we configured our Edge cluster.
In this post we briefly discuss Logical Routers / Gateways before we set up our Tier-1 and Tier-0 Gateways.

First off, my apologies for the delay in getting these posts up; life and work are taking up a lot of my time at the moment. Anyway, let's get to it.

I'm not going to go into massive detail on logical routing design or how it works, as it is a large topic and deserves a separate post of its own, which I will get to soon. I will cover the basics here so you understand what it is we are doing in this build; besides, this is a lab build guide, so let's just build the lab and worry about the architecture later on.

I've been working with NSX-V for about 3 years now, so the concepts are ingrained into my brain. Unfortunately this means I have to relearn the concepts with NSX-T, as they are very different.
On the face of it things seem familiar: we still have Edges and we now have DRs, whereas with NSX-V we had Edges and DLRs. However, NSX-T Edges and DRs are not the same as NSX-V Edges and DLRs, so we need to cover some of the basics before we get into configuring our Tier-1 and Tier-0 Logical Routers / Gateways.

What are Logical Routers/Gateways?

OK, to start off: logical routers are now referred to as Gateways. They are still logical routers, but are primarily known as Gateways. You'll still see them referred to as logical routers in some documentation and, funnily enough, on the Advanced Networking and Security tab: if you go to Routers and click Add you'll see Tier-0 Router and Tier-1 Router. Not that we will use this tab to deploy them; remember, that tab is going away in future releases!

There are two types of Gateways

NSX-T Gateways provide North-South and East-West connectivity.

North-south routing enables tenants to access public networks and external systems to access the virtual environment.
North-south means traffic leaving the virtual environment; this goes via the Edge uplinks to the top of rack switches (TORs) and will always be via a Tier-0 Gateway.

East-west traffic allows connectivity between different networks within the same tenant, in other words between one Segment and another connected to the same Gateway.
This is typically via a Tier-1 Gateway, however it can also be done via a Tier-0 Gateway.

So what are the Tiers?

With NSX-V you could create a tiered topology using provider-level ESGs connected to tenant-level ESGs, which then connect to tenant DLRs. The diagram below is an example of a design I did for a customer a while ago.
This layout is also how you would configure NSX-V if you wanted overlapping IP addresses, as the NAT is done on the tenant-level ESGs.

With NSX-T there are two tiers built into the product by default. This allows us to easily deploy a tiered architecture, and it is the standard deployment model even if multi-tenancy is not needed.
However, you don't have to deploy a multi-tier architecture; you can instead simply deploy a Tier-0 Gateway and connect your Segments directly to it, as shown below.

And here is an example of a multi-tier topology. Note there are two tenants here, but this could be just one tenant, which would result in 1 Tier-0 Gateway and 1 Tier-1 Gateway. That is what we will be configuring in our lab.

The top-tier Gateway will always be a Tier-0 and the bottom-tier Gateway a Tier-1.
This structure gives both the provider administrator and the tenant administrators complete control over their services and policies. Provider administrators control and configure Tier-0 routing and services, and tenant administrators control and configure Tier-1.
The uplink interfaces of a Tier-0 connect to the physical network and are where dynamic routing protocols can be configured to exchange routing information with physical routers.
The internal interfaces of a Tier-0 connect to one or more Tier-1 routing layers and receive routing information from them.
To optimize resource usage, the Tier-0 layer does not push all the routes coming from the physical network down to the Tier-1, but it does provide default route information.

The Tier-1 routing layer's internal interfaces connect the logical Segments defined by the tenant administrators and provide a one-hop routing function between them.
Tier-1 Gateways are connected to Tier-0 Gateways and a tier transit link is automatically created. There is no dynamic routing between the Tier-1 and Tier-0; it is handled by a static route (this differs from NSX-V, where the DLR needed a routing protocol or static routes to exchange routes). Because there is no dynamic routing, there is no need for a control VM.
In the routing configuration for the Tier-1, we have the option to advertise connected routes, which is what tells the Management Plane to update the configuration on the upstream Tier-0.

Logical Routers

A logical router consists of two optional parts: a distributed router (DR) and one or more service routers (SR).

A DR spans the hypervisors whose VMs are connected to this logical router, as well as the Edge nodes the logical router is bound to.
Functionally, the DR is responsible for one-hop distributed routing between logical Segments and/or logical routers connected to this logical router.
Think DLR in NSX-V; all Gateways will have a DR.

The SR is responsible for delivering services that are not currently implemented in a distributed fashion, such as stateful NAT.

A logical router always has a DR, and it has SRs if any of the following is true:

  • The logical router is a Tier-0 Gateway, even if no stateful services are configured.
  • The logical router is a Tier-1 Gateway linked to a Tier-0 Gateway and has services configured that do not have a distributed implementation (such as NAT, LB, DHCP).
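To make the route flow and the DR/SR placement rules above concrete, here is a small added model (my own example code, not anything from NSX-T or its API). It encodes only what the post states: a Tier-1 learns just a default from the Tier-0 over the auto-created transit link, its connected Segments reach the Tier-0 only when route advertisement is enabled, and an SR exists on every Tier-0 but only on a Tier-1 that runs a non-distributed service. All gateway names, Segment names and prefixes are constructed.

```python
from dataclasses import dataclass, field

# Name for the auto-created transit link; the post says it carries a static default.
TRANSIT = "t0-t1-transit"


@dataclass
class Tier1:
    name: str
    segments: dict                 # segment name -> prefix (constructed values)
    advertise_connected: bool = True
    services: set = field(default_factory=set)  # e.g. {"NAT"}


@dataclass
class Tier0:
    name: str
    physical_routes: dict          # prefix -> next hop learned on the uplinks (constructed)
    tier1s: list = field(default_factory=list)


def components(gw):
    """Every gateway has a DR; a T0 always has an SR, a T1 only with NAT/LB/DHCP."""
    non_distributed = {"NAT", "LB", "DHCP"}
    if isinstance(gw, Tier0):
        return {"DR", "SR"}
    return {"DR", "SR"} if gw.services & non_distributed else {"DR"}


def routing_tables(t0):
    """Return {gateway name: {prefix: next hop}} after the T0/T1 route exchange."""
    tables = {t0.name: dict(t0.physical_routes)}
    for t1 in t0.tier1s:
        # The T1 sees its own connected Segments plus only a default via the T0,
        # never the full physical routing table.
        tables[t1.name] = {p: "connected" for p in t1.segments.values()}
        tables[t1.name]["0.0.0.0/0"] = f"{TRANSIT}:{t0.name}"
        # Connected routes reach the T0 only when advertisement is switched on.
        if t1.advertise_connected:
            for prefix in t1.segments.values():
                tables[t0.name][prefix] = f"{TRANSIT}:{t1.name}"
    return tables


def reachable_from_physical(t0, prefix):
    """True when the T0 holds a route for the prefix, i.e. north-south traffic can return."""
    return prefix in routing_tables(t0)[t0.name]


# Constructed lab topology: one T0, two T1s, one with advertisement left off.
T1_A = Tier1("T1-A", {"web": "10.10.1.0/24"}, services={"NAT"})
T1_B = Tier1("T1-B", {"db": "10.10.2.0/24"}, advertise_connected=False)
T0 = Tier0("T0", {"192.168.100.0/24": "TOR-uplink"}, [T1_A, T1_B])
```

Running `routing_tables(T0)` shows the practical effect of forgetting to advertise connected routes: T1-B's Segment never appears on the T0, so nothing north of it can reach 10.10.2.0/24.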

That's a very brief rundown of logical routing. I will be expanding on this topic in the future with more detailed posts, but for now let's get on with the build.
Next up we will get into the more complex elements and start configuring our routing.
NSX-T Lab: Tier 1 Gateway
