I am trying to understand how a Tier-0 Gateway would connect directly to the internet; I don't have a virtual or physical router.
I have 2 ToR switches, and from the data center's internet backbone I have one run connected to 1 switch and another run connected to the other switch.
The data center handles load balancing and monitoring of those 2 runs.
They have their own VLAN and provide a public block of IPs in a single range.
With NSX-v I would deploy an ESG and assign an uplink to the public VLAN along with an IP and gateway, and then I'd have an internal link going into a different VLAN and use that as my gateway for N-S traffic. In this case I'm guessing it would go to Tier-1, and Tier-1 would handle the VLAN and VXLAN traffic for E-W.
Every diagram I see uses 2 VLANs for traffic to the ToR and they are all private address ranges.
So my question is: has someone put together a blog describing how to do the above, or is it as simple as using a single VLAN and giving the Tier-0 Gateways public addresses and a public VIP, with the BGP partner being the gateway provided by the data center?
Seems a big departure as I learn the differences between NSX-v and NSX-T.
Thanks
I think I figured it out: I'll use a single VLAN, and the Tier-0 Gateway will have 2 interfaces, 1 on Edge-VM1 and the other on Edge-VM2.
I'll use 2 public IP addresses, one on each interface above and that'll load balance the N-S traffic.
Then I configure a Static Route instead of BGP as I have no control over the Data Center provided public uplinks.
As you correctly said, you can apply the VLAN Segment to the T0 Uplinks. The same applies from NSX-V to NSX-T, but in a different architecture.
The graphics in the design where they use two VLANs on the uplinks are one way to configure it, but in other infrastructures they use the same VLAN for N-S connectivity. What I do not know is if you will be able to load balance all the traffic that goes out using those uplinks. To be sure, you could configure an Active-Standby Edge deployment.
You may need to enable the edge firewall on the T0 gateway, as you are connecting the uplink to a public network.
Also keep in mind that if you configure the Firewall Service on the T0, then you will have to go strictly with Active-Standby, because the Active-Active topology does not support stateful services.
I did do the Active/Standby after reading that the Active/Active deployment has some limitations in features.
I still haven't gotten too far, but the single VLAN certainly makes sense in my scenario.
I'm thinking it'll look like this, to kind of mimic my current environment:
Tier-0 -> Tier-1 -> VLAN backed Segment where Management/Monitoring and other services reside and then the Overlay off Tier-1 for all the GENEVE networks.
So that kind of looks like NSX-v Perimeter ESG -> Distributed Router -> VLAN/VXLAN and then a bunch of OneArm Load-Balancers.
Now in NSX-T those OneArm Load-Balancers are comprised of a Segment, a standalone Tier-1 and an LB. I found some good blogs about building the same design out using NSX-T, and I have to say that once I got my head around it, it was pretty easy.
For DMZs, would you connect those to Tier-0? That's how I do it now with the Perimeter ESG.
Thanks
After looking at more design schemes I’m wondering if it should be more the following:
Tier-0 Uplink1 goes to the public network (internet)
Tier-0 Uplink2 goes to the private network that is VLAN backed where NSX Manager, vCenter etc etc live.
For public I add 0.0.0.0/0, and for private I add static routes to get to the other VLANs managed by the L3 switch.
DMZs I use a VLAN and attach the Segment to Tier-0 and make Tier-0 the DMZ gateway.
Then Tier-1 is just for Overlay; from my testing it seems you can't add VLAN backed Segments to Tier-1 if it has uplinks to Tier-0.
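Added example, not from anyone in this thread: a small design sanity check for the Tier-0 layout described above (one public uplink per edge on a single VLAN, a 0.0.0.0/0 static route to the data-center gateway, gateway firewall only with Active/Standby). The dict shape and field names are my own assumptions, loosely modelled on the Policy intent, not the real NSX-T API schema.

```python
"""Check a proposed internet-facing Tier-0 design against the constraints
discussed in the thread. Constructed sample design and assumed field names."""
import ipaddress

# Constructed sample: single public VLAN, one uplink per edge, A/S, firewall on.
DESIGN = {
    "ha_mode": "ACTIVE_STANDBY",          # or "ACTIVE_ACTIVE"
    "gateway_firewall_enabled": True,     # stateful service on the T0
    "public_segment": "vlan-public",      # DC-provided VLAN with public block
    "interfaces": [
        {"edge": "Edge-VM1", "segment": "vlan-public", "cidr": "203.0.113.10/28"},
        {"edge": "Edge-VM2", "segment": "vlan-public", "cidr": "203.0.113.11/28"},
    ],
    "static_routes": [
        {"network": "0.0.0.0/0", "next_hop": "203.0.113.1"},   # DC gateway
        {"network": "10.20.0.0/16", "next_hop": "10.10.0.1"},  # via L3 switch
    ],
}


def check_design(d):
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    # Stateful services (gateway firewall) are only supported in Active/Standby.
    if d["gateway_firewall_enabled"] and d["ha_mode"] != "ACTIVE_STANDBY":
        problems.append("gateway firewall requires ACTIVE_STANDBY ha_mode")
    # An internet-facing T0 without the gateway firewall exposes the edges.
    if not d["gateway_firewall_enabled"]:
        problems.append("T0 faces the internet without gateway firewall")
    # Each edge should own exactly one uplink on the public VLAN segment.
    public = [i for i in d["interfaces"] if i["segment"] == d["public_segment"]]
    if not public:
        problems.append("no uplink on the public segment")
    edges = [i["edge"] for i in public]
    if len(edges) != len(set(edges)):
        problems.append("an edge has more than one public uplink")
    nets = {ipaddress.ip_interface(i["cidr"]).network for i in public}
    if len(nets) > 1:
        problems.append("public uplinks are not in a single subnet")
    # The default route's next hop (DC gateway) must sit on the uplink subnet,
    # otherwise the T0 can never resolve it and N-S traffic is black-holed.
    default = [r for r in d["static_routes"] if r["network"] == "0.0.0.0/0"]
    if len(default) != 1:
        problems.append("expected exactly one default route")
    elif len(nets) == 1 and ipaddress.ip_address(default[0]["next_hop"]) not in next(iter(nets)):
        problems.append("default route next hop is not on the public uplink subnet")
    return problems
```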