Your diagram shows you have two separate uplinks from your edges on VLAN overlays to two different networks. Not sure why you're doing this as it doesn't make too much sense. The proper way to do this is to configure those uplinks on your T0 to be in the same subnet. One port per edge. Configure a HA VIP across those two T0 uplinks. Your static route on your Meraki has its next hop set to that HA VIP. However, in order to route outbound traffic from NSX-T land, you will need to configure a default route (0.0.0.0/0) on your T0 directed to the next hop upstream. That is usually on the same subnet as the T0 uplink in the VLAN overlay.
Daphnissov,
Currently I have set up each uplink on the same subnet and connected to one port per edge as described above, but would appreciate guidance regarding HA VIP configuration.
Thanks
This should be covered in the official docs. You configure the HA VIP on your T0. After creating uplinks for each edge, you create the VIP but do not assign it to any interface. Leave the field blank and it will auto-assume both available uplinks. Goes without saying but the HA VIP needs to be in the same subnet as the individual uplink ports.
I did search online a number of times on NSX-T 2.4 and can't find HA VIP configuration, only router ports.
Hello Rob80,
Based on your PDF, you have 2 uplinks in 2 different VLANs.
Did you check if you have L2 connectivity?
VLAN 2011 from MX65 Meraki --- Edge Uplink1
Example:
MX65 Meraki IP 192.20.11.1
Edge Uplink1 IP 192.20.11.2
There is supposed to be connectivity.
Ping from 192.20.11.1 to 192.20.11.2 is supposed to be OK.
VLAN 2012 from MX65 Meraki --- Edge Uplink2
MX65 Meraki IP 192.20.12.1
Edge Uplink1 IP 192.20.12.2
There is supposed to be connectivity.
Ping from 192.20.12.1 to 192.20.12.2 is supposed to be OK.
Please, before going to the routing configuration, check the steps above to be sure you have L2 connectivity.
Then go to edge routing and add destination 0.0.0.0/0 GW 192.20.11.1,192.20.12.1
And if you have a default route, just delete it.
My recommendation is still to use BGP.
Hi,
HA VIP has now been configured with IP of 192.20.11.5, which I can ping from VMs.
I added the following addresses to the NSX-T static route
And another IP on MX
But still no connection to outside world.
Hi,
In order to use BGP I need a router capable of supporting BGP, as one of the prerequisites is an AS, which it seems can only be set up when the MX is in VPN concentrator mode, but then I have no VLANs or network.
Thanks
Ok, I need to be able to see these screenshots you're posting as they're extremely small. Please also show your edge profiles and what interfaces are connected where. Also show your transport zone (overlay) profile and how your hosts are connected.
Ok, this gives me a better idea. Here are questions for you to check out based on your images.
Your vmkping command in your screenshot is not what I wrote. Flags are case sensitive. From the ESXi host, do it again and check the result:
vmkping -S vxlan <TEP> -d -s 1572 -c 10
From your ESXi host, you should be able to do a vmkping from the TEP to the:
From a VM that is attached to a logical switch, you should be able to ping (do not alter MTU):
After you've corrected all these things, please indicate which of these ping tests pass and which fail.
Regarding your static route, it's wrong. The T0 static route needs to be the gateway for that segment which is the SVI on the Meraki. So it needs to be 192.20.11.1.
Your Meraki must have a static route setting the next hop for any networks you do not wish to NAT as the HA VIP address.
In terms of Tier-0, do I need to remove all and recreate on Advanced networking? Shall I do the same with Tier-1 or keep as it is.
Yes, to eliminate complexity, remove anything you have for routing and switching that's not under Advanced Networking & Security.
NSX-T to edge node ping didn't succeed:
-- 192.20.11.5 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss
[root@ESXi:~] vmkping -S vxlan 192.20.11.5 -d -s 1572 -c 10
PING 192.20.11.5 (192.20.11.5): 1572 data bytes
--- 192.20.11.5 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss
[root@ESXi:~] vmkping -S vxlan 192.20.11.2 -d -s 1572 -c 10
PING 192.20.11.2 (192.20.11.2): 1572 data bytes
--- 192.20.11.2 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss
[root@ESXi:~] vmkping -S vxlan 192.20.11.3 -d -s 1572 -c 10
PING 192.20.11.3 (192.20.11.3): 1572 data bytes
--- 192.20.11.3 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss
Regarding below
If you only have one ESXi host and, for whatever reason, you can't ping the TEPs on your edges but a VM which is running on that host and connected to an NSX-T logical switch has that level of access then something isn't right with that vmkping command.
Based on what you say here
- Gateway (T1 downlink for this segment) - success
- T1 linked port to T0 - success
- T0 uplink HA VIP address - success
- Gateway on the HA VIP network (which you say should be 192.20.11.1) - unsuccessful
it sounds like you do not have your static routes configured correctly. So next show how you have configured your static route on your L3 switch.
Basically I have the MX65 doing layer 3 routing between VLANs, where ESXi is connected via a layer 2 switch, the MS120-8LP, as an MTU of 1600 is required as a minimum. I attached below screens of the current setup, where I haven't added anything on the switch for static routing.
MX 65
and for ms 120-8lp
Your static route appears to be wrong. If .5 is the HA VIP address, you need to direct any networks which you want to route into your T0. This would be any logical segments that exist behind a T1. From your diagram, that appeared to be 10.x.y.z/24 subnets. You will either need to summarize those routes into one, or set static routes for each network.
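The routing design described in the replies above (uplinks and HA VIP in one subnet, T0 default route to the upstream gateway, upstream static routes for the overlay segments pointing at the HA VIP) can be checked offline with a small script. This is an added example, not part of the original thread and not VMware or Meraki tooling; `check_t0_design` is a hypothetical helper, and the /24 mask, the second uplink address and the route tables are constructed sample values.

```python
import ipaddress as ip

def check_t0_design(uplink_net, uplinks, ha_vip, t0_default_gw,
                    upstream_routes, overlay_segments):
    """Return a list of findings; an empty list means the design is consistent.
    upstream_routes maps prefix -> next hop on the upstream router."""
    net = ip.ip_network(uplink_net)
    vip = ip.ip_address(ha_vip)
    own = {ip.ip_address(a) for a in uplinks} | {vip}
    findings = []

    # Uplink ports and the HA VIP must all sit in the same subnet.
    for addr in sorted(own):
        if addr not in net:
            findings.append(f"{addr} is outside uplink subnet {net}")

    # The T0 default route must point at the upstream gateway:
    # on-link in the uplink subnet, and not one of the T0's own addresses.
    gw = ip.ip_address(t0_default_gw)
    if gw not in net:
        findings.append(f"T0 default next hop {gw} is not on-link in {net}")
    elif gw in own:
        findings.append(f"T0 default next hop {gw} is the T0's own address")

    # Each overlay segment needs a return route upstream (longest-prefix
    # match, so a summary route counts) whose next hop is the HA VIP.
    routes = {ip.ip_network(p): ip.ip_address(h)
              for p, h in upstream_routes.items()}
    for seg in map(ip.ip_network, overlay_segments):
        covering = [p for p in routes if seg.subnet_of(p)]
        if not covering:
            findings.append(f"no upstream route covers {seg}")
            continue
        best = max(covering, key=lambda p: p.prefixlen)
        if routes[best] != vip:
            findings.append(
                f"{seg} is routed upstream via {routes[best]}, not HA VIP {vip}")
    return findings

# Constructed sample data built around the addresses quoted in the thread.
GOOD = dict(uplink_net="192.20.11.0/24",            # /24 is an assumption
            uplinks=["192.20.11.2", "192.20.11.3"],  # .3 is an assumption
            ha_vip="192.20.11.5", t0_default_gw="192.20.11.1",
            upstream_routes={"10.10.0.0/16": "192.20.11.5"},  # summary route
            overlay_segments=["10.10.20.0/25"])
BAD = dict(GOOD, t0_default_gw="192.20.11.5",
           upstream_routes={"10.10.20.0/25": "192.20.11.2"})

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_t0_design(**cfg) or "consistent")
```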
I have made the following amendments on mx device
and wonder if I need to do similar on the switch.
Your App-Tier is really a 10.10.20.0/25 network?
Do a traceroute from a host external to any of these networks to a host that resides on one of them. What do you get?