Sunday, June 24, 2018

OSPF Routing Protocol in NSX


[Figure: OSPF NSX topology]




The above topology illustrates an OSPF Totally NSSA setup in an NSX domain.

The distributed logical router (DLR) handles east-west traffic within the data center, while the edges E1 and E2 handle north-south traffic.

Edges E1 and E2 are configured in ECMP mode, which allows more bandwidth to flow in the north-south direction.
Up to eight edges (E1 – E8) can be configured in ECMP mode to handle north-south traffic.

The other mode for an edge is Active/Standby, which can be used when stateful services like NAT, firewall, load balancer, SSL and IPSec VPN are to be configured on the edge.
In our topology above, such stateful services are not configured and the requirement is to have more bandwidth in the north-south direction.

Downstream of the DLR are the logical switches corresponding to the Web, App and DB tiers respectively.
The workloads are connected to the logical switches.

A brief note about the DLR control VM.
The DLR control VM is required when:
a. Dynamic routing protocols are configured
b. Or L2 bridging is configured.
L2 bridging is useful when migrating workloads from a physical to a virtual environment.
L2 bridging also facilitates extending a physical network to a virtual network and vice versa.

Referencing the topology and the routing protocol setup, a DLR control VM is required in this setup.
Also, when you deploy an edge as a Distributed Logical Router, these two IP addresses need to be configured in addition to the IP addresses related to LIFs:
- Protocol address – this IP address is used for the control plane exchange.
- Forwarding address – this IP address corresponds to the data plane and handles the exchange of data traffic.

===========================================================================

Routing setup:


a. A Totally NSSA area is configured, corresponding to the NSX domain.
b. With the Totally NSSA area configuration, the ABRs automatically inject a default route into the Totally NSSA area.
c. The Totally NSSA area configuration allows redistribution of connected interfaces on the DLR.
d. The physical routers have been configured as OSPF Area Border Routers,
so they interface with both the backbone area and the Totally NSSA area.
e. The DLR and the edges E1 and E2 are within the Totally NSSA area.
f. The NSX domain needs a default route for egress traffic from the NSX domain.
Routes which do not belong to the Totally NSSA area and which are external to this area will be replaced by a Type 3 default route.
g. Edge E1 will have OSPF peering with the DLR control VM and with the physical routers upstream.
Likewise for edge E2.
h. Two external VLANs are used from each edge to peer with the physical routers.
The number of external VLANs will be equal to the number of VDS uplinks. Each external VLAN will be carried on one ESXi uplink.
With such a setup, both uplinks from ESXi will be utilized for forwarding data traffic. Also, a failure of one of the physical uplinks will cause data traffic to shift to the other physical uplink from ESXi.
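
An added example (not part of the original post) that models items b, c and f of the routing setup in Python: what the ABRs flood into the Totally NSSA area, how the DLR's redistributed connected routes leave it, and a check for LSA types that should never appear inside the area. Router names and prefixes are constructed, and it assumes a single ABR performs the Type 7 to Type 5 translation.

```python
from dataclasses import dataclass

DEFAULT = "0.0.0.0/0"

@dataclass(frozen=True)
class LSA:
    type: int    # 1 router, 2 network, 3 summary, 4 ASBR summary, 5 external, 7 NSSA external
    prefix: str  # advertised prefix (link-state ID for types 1, 2 and 4)
    origin: str  # advertising router (hypothetical names)

def abr_into_nssa(backbone_lsdb, abr):
    """Return (flooded, suppressed) for the LSAs the ABR holds for area 0.

    Types 1 and 2 have area scope and never leave area 0. A Totally NSSA
    also blocks types 3, 4 and 5; the ABR originates one Type 3 default
    route in their place.
    """
    suppressed = [l for l in backbone_lsdb if l.type in (1, 2, 3, 4, 5)]
    return [LSA(3, DEFAULT, abr)], suppressed

def abr_into_backbone(nssa_lsdb, abr):
    """Translate the area's Type 7 LSAs into Type 5 LSAs for area 0."""
    return [LSA(5, l.prefix, abr) for l in nssa_lsdb if l.type == 7]

def audit_nssa_lsdb(nssa_lsdb):
    """Return LSAs that should not exist inside a Totally NSSA."""
    return [l for l in nssa_lsdb
            if l.type in (4, 5) or (l.type == 3 and l.prefix != DEFAULT)]

# Constructed sample data: LSAs present in the backbone area.
BACKBONE = [
    LSA(1, "10.255.0.1", "core1"),
    LSA(3, "10.50.0.0/16", "core1"),
    LSA(4, "10.255.0.9", "core1"),
    LSA(5, "203.0.113.0/24", "inet-asbr"),
]
# The DLR redistributes its connected Web, App and DB segments as Type 7.
DLR_CONNECTED = [LSA(7, p, "dlr") for p in
                 ("172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24")]

def build_nssa_lsdb(abrs=("abr1", "abr2")):
    """LSDB inside the NSX area: DLR Type 7s plus one default per ABR."""
    lsdb = list(DLR_CONNECTED)
    for abr in abrs:
        lsdb += abr_into_nssa(BACKBONE, abr)[0]
    return lsdb

if __name__ == "__main__":
    print(audit_nssa_lsdb(build_nssa_lsdb()))
```

Running `audit_nssa_lsdb` over a parsed LSDB dump from an edge or the DLR control VM is a quick way to confirm the area really is configured as Totally NSSA on every ABR.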