8 Replies Latest reply on Apr 21, 2017 10:48 AM by Bayu Wibowo

    NSX Edge ECMP + NAT

    rajeevsrikant Hot Shot

      At present I have 2 NSX Edge Gateways in ECMP mode with OSPF. Attached is the diagram for reference.

      I also need to use NAT functionality on my edge gateway. I need NAT to access a few networks.

      Let's say Network A (10.10.0.0/16) & Network B (20.20.0.16). These networks will not be published outside & require NAT to be accessed from outside.

      Since ECMP is configured, I will not be able to use NAT due to the stateful functionality.

      Below is my plan; I would like to know if this is the right approach.

      1. Set up a new Edge Gateway in HA (Active-Standby).

      2. Configure NAT in the NSX Edge Gateway.

      3. Set up a new DLR (with Control VM) for Network A & Network B. The new DLR will be the D.G. for Networks A & B.

      4. The NSX controllers will be the existing ones. No need to set up new NSX controllers.

      Please let me know if my approach is right.

      Mainly points 3 & 4: is a new DLR (with Control VM) mandatory?

        • 1. Re: NSX Edge ECMP + NAT
          Bayu Wibowo Master User Moderators vExpert

          There is no diagram on your attachment.

          You can have ECMP on the aggregation and NAT after the ECMP.

          See the diagram below, tenant on the left.

          Bayu Wibowo | VCIX6-DCV, VCIX6-NV
          VMTN Communities User Moderator
          https://nz.linkedin.com/in/bayupw | http://bayupw.blogspot.com | twitter @bayupw
          • 2. Re: NSX Edge ECMP + NAT
            rajeevsrikant Hot Shot

            Sorry missed it.

            • 3. Re: NSX Edge ECMP + NAT
              rajeevsrikant Hot Shot

              Saw the diagram which you have shared.

              Few questions regarding this.

              1. So from the DLR, the exit point will be the Tenant NSX Edge with HA. Is my understanding right?
              2. A separate DLR is not required in this scenario.

              Also, regarding my proposal, I would like to know whether there is any demerit to it.

              I prefer not to change anything in my existing topology. In the diagram which I have shared, I have put a box to indicate the current setup. The right-hand side is the new setup I am planning for.

              • 4. Re: NSX Edge ECMP + NAT
                Bayu Wibowo Master User Moderators vExpert

                In the diagram I have shared, it will be one DLR per tenant.

                The Edge HA tenant (on the left) has a different DLR from the Edge ECMP tenant (on the right).

                If you would like to have separate Edge Gateways with a different network/function, you would need to create a separate DLR.

                Please also note that multiple DLRs to a single Edge is not supported as per the design guide; below is the diagram.

                Regarding your diagram, it is possible, but I would suggest creating a separate uplink network for Edge#3 & Edge#4 to connect to the physical router, not sharing the same layer 2 network with Edge#1 and Edge#2.

                Same with the DLR transit network to the Edge: have a separate transit network logical switch for the DLR to Edge HA.

                The router could be confused if you have the same network advertised through different routers with the same cost without ECMP.

                Bayu Wibowo | VCIX6-DCV, VCIX6-NV
                VMTN Communities User Moderator
                https://nz.linkedin.com/in/bayupw | http://bayupw.blogspot.com | twitter @bayupw
                • 5. Re: NSX Edge ECMP + NAT
                  rajeevsrikant Hot Shot

                  Yeah, I got it.

                  I am planning to have a separate uplink network for Edge#3 & Edge#4 to connect to the physical router. The representation in my diagram is wrong. Will correct it.

                  Also, I will have a separate transit network to the new Edge from the new DLR.

                  • 6. Re: NSX Edge ECMP + NAT
                    rajeevsrikant Hot Shot

                    One more question:

                    The Edge GW which will be set up as HA will have an uplink which will be logically connected to both my LAN routers (OSPF between Edge & physical device).

                    So from the Edge, there will be 2 paths to reach outside (1 from physical device 1 & the 2nd path from physical device 2).

                    So is this considered ECMP, & should I enable the ECMP option in my NSX Edge?

                    • 7. Re: NSX Edge ECMP + NAT
                      rajeevsrikant Hot Shot

                      One more question.

                      With Edge HA & with 2 upstream routers, is it recommended to run OSPF, or is a static route preferred?

                      • 8. Re: NSX Edge ECMP + NAT
                        Bayu Wibowo Master User Moderators vExpert

                        For your first question, it depends on your requirements.

                        Yes, you can use ECMP as per the design guide below.

                        But stateful services do not work on ECMP because there would be asymmetrical routing, and stateful services will fail.

                        So if you have stateful services such as load balancer, edge firewall, NAT, don't use ECMP.

                        You can set the primary physical router as the primary path and the secondary physical router as the backup path, and use cost (or administrative distance for static routes) to set the primary router as the preferred path.

                        Use a different interface for the connection to the secondary physical router.

                        If the two routers are on the same network, you can also use FHRP and peer with the routers' virtual IP address.

                        For your second question, again, it depends on your requirements.

                        If your environment is pretty static, then static should be fine.

                        But if the environment is dynamic, and new networks (logical switches) often need to be added, then you could use dynamic routing such as OSPF/BGP so you don't need to manually add routes every time you need to advertise new networks.

                        For an ECMP setup, you would need dynamic routing so the ECMP routes can be added/removed automatically by the dynamic routing.

                        Bayu Wibowo | VCIX6-DCV, VCIX6-NV
                        VMTN Communities User Moderator
                        https://nz.linkedin.com/in/bayupw | http://bayupw.blogspot.com | twitter @bayupw
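To illustrate the asymmetric-routing point made in the reply above, here is an added Python model; it is not code from this thread or from VMware NSX, and it is a deliberate simplification. It assumes the usual ECMP arrangement the thread describes: two active edges both advertising the same NAT address, a DLR that hashes each outbound flow onto one edge, and an upstream physical router that independently hashes the reply flow onto one edge. Each edge keeps its own per-flow NAT state, so a reply that lands on the edge that did not create the mapping is dropped. The same model with a single active edge (the HA Active-Standby design) never drops, because request and reply can only hit one box. The edge names, addresses, ports and the crc32-based hashing are constructed for the example.

```python
"""Toy model of why per-flow ECMP breaks stateful NAT (constructed example)."""
from dataclasses import dataclass
from typing import Optional
import zlib


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNatEdge:
    """One Edge-like gateway doing source NAT with a per-flow state table."""

    def __init__(self, name: str, nat_ip: str):
        self.name = name
        self.nat_ip = nat_ip          # public address this edge translates to
        self._next_port = 40000       # constructed starting NAT port
        # (nat_ip, nat_port) -> (inside_ip, inside_port, (peer_ip, peer_port))
        self.state = {}
        self.dropped = 0

    def outbound(self, pkt: Packet) -> Packet:
        """South->north: rewrite the source and remember the mapping."""
        nat_port = self._next_port
        self._next_port += 1
        self.state[(self.nat_ip, nat_port)] = (pkt.src, pkt.sport, (pkt.dst, pkt.dport))
        return Packet(self.nat_ip, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """North->south: only packets matching an existing mapping are forwarded."""
        entry = self.state.get((pkt.dst, pkt.dport))
        if entry is None or entry[2] != (pkt.src, pkt.sport):
            self.dropped += 1         # no state for this flow: the stateful service drops it
            return None
        inside_ip, inside_port, _ = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def ecmp_pick(edges, pkt: Packet) -> StatefulNatEdge:
    """Per-flow hashing as a router does it; crc32 keeps the choice deterministic."""
    key = f"{pkt.src}:{pkt.sport}>{pkt.dst}:{pkt.dport}".encode()
    return edges[zlib.crc32(key) % len(edges)]


def run_flows(edges, n_flows: int) -> dict:
    """Push n_flows request/reply pairs through the set of active edges.

    The DLR hashes the request onto one edge; the upstream router hashes the
    reply onto one edge on its own.  With one active edge (HA) both land on the
    same box; with two active edges (ECMP) they frequently do not.
    """
    ok = 0
    for i in range(n_flows):
        # constructed sample flow: inside host 10.10.1.10 talking to an outside HTTPS server
        req = Packet("10.10.1.10", 50000 + i, "198.51.100.7", 443)
        egress = ecmp_pick(edges, req)
        translated = egress.outbound(req)
        reply = Packet(translated.dst, translated.dport, translated.src, translated.sport)
        ingress = ecmp_pick(edges, reply)
        if ingress.inbound(reply) is not None:
            ok += 1
    return {"ok": ok, "dropped": sum(e.dropped for e in edges)}


def ha_edges():
    """One active edge, as in an Active-Standby HA pair."""
    return [StatefulNatEdge("edge-ha", "203.0.113.10")]


def ecmp_edges():
    """Two active edges advertising the same NAT address (constructed)."""
    return [StatefulNatEdge("edge1", "203.0.113.10"),
            StatefulNatEdge("edge2", "203.0.113.10")]


if __name__ == "__main__":
    print("HA   :", run_flows(ha_edges(), 64))
    print("ECMP :", run_flows(ecmp_edges(), 64))
```

Real ECMP hashing is not the same on the DLR and on the physical router, which is exactly the problem: nothing forces the reply onto the edge holding the mapping. The model also shows why the HA design in the thread is the fix rather than a workaround: it removes the second state table instead of trying to synchronise it.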
                        • 9. Re: NSX Edge ECMP + NAT
                          rajeevsrikant Hot Shot

                          Thanks.

                          The diagram which you have shown is the setup I am planning to implement.

                          I need to use NAT, so I will not enable ECMP to my 2 upstream physical routers.

                          Initially, my understanding was that NAT should not be enabled only if both Edge Gateways were active.

                          From your reply I understand that, even if only 1 Edge GW is active, if it has 2 equal-cost uplinks to 2 different routers, NAT should not be enabled.

                          Regarding the 2nd question, on whether to use static or OSPF:

                          My preference is to have the design which has minimal downtime in case of failure of either the Edge or the Control VM.

                          Static:

                          - If I use only static routes, there will be no DLR Control VM, so there is no DLR Control VM failure component.

                          - If I use only static, and the active Edge GW fails, how long will it normally take for the traffic to flow to the standby Edge Gateway (including the time for the standby GW to become active)?

                          OSPF:

                          - I need to use a DLR Control VM. If the active Control VM fails, there will be downtime. In order to avoid this I need to add a static route in the Edge Gateway along with OSPF & redistribute.

                          - If the active Edge GW fails there will be downtime till the route is switched to the Standby Edge.

                          - To reduce the downtime, the OSPF timers need to be fine-tuned to have the minimum Hello/Dead Interval.

                          So please suggest which is the best option I should choose.

                          • 10. Re: NSX Edge ECMP + NAT
                            rajeevsrikant Hot Shot

                            Further to the above, I have attached the static route design.

                            1. Edge GW in Active-Standby

                            2. No DLR Control VM

                            3. Edge GW will form single L2 Connectivity to 2 Physical routers.

                            4. HSRP will be configured on Physical Routers.

                            5. Edge GW will be configured with default route with Next Hop IP as HSRP IP Address.

                            6. NAT will be enabled in the NSX Edge GW.

                            7. Physical routers will have OSPF with equal cost paths to outside network.

                            Routing from NSX Edge to outside network will always happen via Physical Router#1 because of HSRP priority.

                            This is no issue. South -> North traffic: no issue.

                            What will happen to the route from Physical Router#2 to the NSX Edge Gateway?

                            The north -> south traffic comes from Physical Router#2 to the NSX Edge. Will this create any problem for NAT?

                            • 11. Re: NSX Edge ECMP + NAT
                              rajeevsrikant Hot Shot

                              Attached diagram for reference.