VMware Networking Community
chadc1979
Enthusiast

NSX-T - Tier-0 Gateway - Public

I am trying to understand how a Tier-0 Gateway would connect directly to the internet; I don't have a virtual or physical router.

I have 2 ToR switches, and on each switch I have a run from the data center's internet backbone: one run connected to 1 switch and another run connected to the other switch.

The data center handles load balancing and monitoring of those 2 runs.

They have their own VLAN and provide a public block of IPs in a single range.

With NSX-v I would deploy an ESG and assign an uplink to the public VLAN along with an IP and gateway, and then I'd have an internal link going into a different VLAN and use that as my gateway for N-S traffic. In this case I'm guessing it would go to Tier-1, and Tier-1 would handle VLAN and VXLAN traffic for E-W.

Every diagram I see uses 2 VLANs for traffic to the ToR and they are all private address ranges.

So my question is: has someone put together a blog describing how to do the above, or is it as simple as using a single VLAN, giving the Tier-0 Gateways public addresses and a public VIP, and having the BGP partner be the gateway provided by the data center?

Seems a big departure as I learn the differences between NSX-v and NSX-T.

Thanks

6 Replies
chadc1979
Enthusiast

I think I figured it out: I'll use a single VLAN, and the Tier-0 Gateway will have 2 interfaces, 1 on Edge-VM1 and the other on Edge-VM2.

I'll use 2 public IP addresses, one on each interface above, and that'll load balance the N-S traffic.

Then I'll configure a static route instead of BGP, as I have no control over the data center provided public uplinks.

Lalegre
Virtuoso

As you correctly said, you can apply the VLAN segment to the T0 uplinks. The same as in NSX-V applies to NSX-T, but in a different architecture.

The design graphics where they use two VLANs on the uplinks show one way to configure it, but in other infrastructures they use the same VLAN for N-S connectivity. What I do not know is whether you will be able to load balance all the traffic that goes out using those uplinks. To be sure, maybe you can configure an Active-Standby Edge deployment.

robertalvianus
VMware Employee

You may need to install the edge firewall on the T0 gateway, as you are connecting the uplink to a public network.

Lalegre
Virtuoso

Also keep in mind that if you configure the Firewall Service on the T0, then you will have to go with Active-Standby strictly, because the Active-Active topology does not support stateful services.

chadc1979
Enthusiast

I did do the Active/Standby after reading that the Active/Active deployment has some limitations in features.

I still haven't gotten too far, but the single VLAN certainly makes sense in my scenario.

I'm thinking it'll look something like this, to kind of mimic my current environment:

Tier-0 -> Tier-1 -> VLAN-backed Segment where Management/Monitoring and other services reside, and then the Overlay off Tier-1 for all the GENEVE networks.

So that kind of looks like the NSX-v Perimeter ESG -> Distributed Router -> VLAN/VXLAN, and then a bunch of One-Arm Load Balancers.

Now in NSX-T those One-Arm Load Balancers are comprised of a Segment, a standalone Tier-1 and an LB. I found some good blogs about building the same design out using NSX-T, and I have to say, once I got my head around it, it was pretty easy.

For DMZs, would you connect those to Tier-0? That's how I do it now with the Perimeter ESG.

Thanks

chadc1979
Enthusiast

After looking at more design schemes, I'm wondering if it should be more like the following:

Tier-0 Uplink1 goes to the public network (internet)

Tier-0 Uplink2 goes to the private network that is VLAN-backed, where NSX Manager, vCenter, etc. live.

For public I add 0.0.0.0/0, and for private I add static routes to get to the other VLANs managed by the L3 switch.

For DMZs I use a VLAN, attach the Segment to Tier-0, and make Tier-0 the DMZ gateway.

Then Tier-1 is just for Overlay; from my testing, it seems you can't add VLAN-backed Segments to Tier-1 if it has uplinks to Tier-0.

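As an added example (not part of this thread and not VMware's own code), here is a small Python helper that assembles NSX-T Policy API bodies for the design discussed above: a Tier-0 with one interface per edge node on a single public VLAN segment, a static 0.0.0.0/0 route to the data center gateway, and a check that a stateful gateway firewall is only combined with Active-Standby. The segment path, edge-node paths and all IP addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholders; substitute the paths from your own NSX-T Manager.
PUBLIC_VLAN_SEGMENT = "/infra/segments/public-vlan-seg"
EDGE_PATHS = [
    "/infra/sites/default/enforcement-points/default/edge-clusters/ec-1/edge-nodes/0",
    "/infra/sites/default/enforcement-points/default/edge-clusters/ec-1/edge-nodes/1",
]


def build_tier0(name, ha_mode, uplink_ips, prefix_len, dc_gateway, firewall_enabled=True):
    """Return Policy API bodies (Tier0, Tier0Interface list, StaticRoutes) for a
    single-VLAN public Tier-0, or raise ValueError if the design is inconsistent."""
    net = ipaddress.ip_network(f"{uplink_ips[0]}/{prefix_len}", strict=False)
    errors = []
    # Stateful services such as the gateway firewall are not supported on Active-Active.
    if firewall_enabled and ha_mode != "ACTIVE_STANDBY":
        errors.append("stateful gateway firewall requires ha_mode ACTIVE_STANDBY")
    # Every uplink IP must sit in the same public subnet as the DC-provided gateway.
    for ip in uplink_ips:
        if ipaddress.ip_address(ip) not in net:
            errors.append(f"uplink {ip} not in {net}")
    if ipaddress.ip_address(dc_gateway) not in net:
        errors.append(f"default-route next hop {dc_gateway} not in uplink subnet {net}")
    # One interface per edge node, as in the poster's two-Edge-VM layout.
    if len(uplink_ips) != len(EDGE_PATHS):
        errors.append("need exactly one uplink IP per edge node")
    if errors:
        raise ValueError("; ".join(errors))

    tier0 = {"resource_type": "Tier0", "id": name, "ha_mode": ha_mode,
             "failover_mode": "NON_PREEMPTIVE"}
    interfaces = [
        {"resource_type": "Tier0Interface", "id": f"{name}-uplink{i + 1}",
         "type": "EXTERNAL", "segment_path": PUBLIC_VLAN_SEGMENT, "edge_path": edge,
         "subnets": [{"ip_addresses": [ip], "prefix_len": prefix_len}]}
        for i, (ip, edge) in enumerate(zip(uplink_ips, EDGE_PATHS))
    ]
    # Static default route towards the data center gateway instead of BGP peering.
    default_route = {"resource_type": "StaticRoutes", "id": "default-to-dc",
                     "network": "0.0.0.0/0",
                     "next_hops": [{"ip_address": dc_gateway, "admin_distance": 1}]}
    return {"tier0": tier0, "interfaces": interfaces, "static_routes": [default_route]}


if __name__ == "__main__":
    cfg = build_tier0("t0-public", "ACTIVE_STANDBY",
                      ["203.0.113.10", "203.0.113.11"], 24, "203.0.113.1")
    print(cfg["tier0"], len(cfg["interfaces"]), cfg["static_routes"][0]["network"])
```

Each returned body corresponds to a PATCH on the matching Policy API path (`/policy/api/v1/infra/tier-0s/<id>`, its locale-services interfaces, and its static-routes).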