Monday, January 11, 2021

NSX-T VRF Gateway

The VRF Gateway feature in NSX-T is similar to the VRF lite feature in physical networks in the following ways:

  1. Just as VRF lite needs no additional physical router for a separate routing instance, NSX-T VRF gateways need no additional edge nodes. This drastically reduces the resource requirements. NSX-T version 3.1 supports 100 VRFs per edge node.
  2. NSX-T VRF lite offers routing isolation within each VRF Gateway.

In NSX-T, a parent Tier 0 Gateway must exist before a VRF gateway can be created.

A VRF gateway inherits the following from its parent Tier 0 Gateway:

a. HA mode

If the parent Tier 0 gateway has active-active availability mode, then all VRF gateways that utilize that parent T0 will also have active-active HA mode.

b. Edge Cluster

c. BGP AS number

d. Graceful restart settings

e. BGP multipath relax

The above topology is what I have used in my lab setup.

VRF Gateways are deployed as Tier 0 Gateways and downstream Tier 1 Gateways are connected to VRF gateways.

As shown in the above diagram, separate VLANs and IP subnets have been used on the VRF Gateways.

The VLAN is the data-plane channel in the case of VRF gateways.

You can run BGP in each VRF gateway for route exchange with the upstream infrastructure.

VLANs and IP subnets have been tabulated below:

Before deploying a VRF gateway, we will ensure the following is in place:

  1. NSX Managers are deployed.
  2. vCenter Server is added as a compute manager to NSX-T.
  3. Hosts are configured as host transport nodes.
  4. Edges have been deployed and an edge cluster has been created.
  5. The parent Tier 0 Gateway is configured, along with its uplink interface and BGP configuration.

You can check my previous posts for the above workflows.

Transport Zones
Host Uplink Profile
Edge Uplink Profile
Transport zones on hosts
Hosts have been configured for NSX using VDS as NSX-T host switch
Edge Node Configuration
Edge Transport Nodes
Edge Cluster has been created for parent T0 and VRF gateways
Parent Tier 0 Gateway
Segments for uplinks on parent Tier 0 Gateway
Layer 3 interfaces on parent T0 gateway
BGP configuration on parent Tier 0 Gateway
BGP neighbors on parent T0 gateway

The deployment workflow for a VRF gateway is as follows:

In my lab, I have deployed two VRF Gateways.

  1. Create uplink segments for the VRF gateways; this is where the VLAN ID is specified.
Segments for uplinks of VRF Gateway A
  2. Next, create the VRF Gateway.
Create VRF Gateway A

The VRF gateway is associated with the parent Tier 0 Gateway.

L3 interfaces on VRF Gateway A
BGP configuration on VRF Gateway A

Note: inter-SR iBGP is not supported on VRF Gateways.

BGP peers on VRF Gateway A

Since my topology also has VRF Gateway B, I will follow the same workflow and configure VRF Gateway B as well.

Next, create the corresponding Tier 1 gateways and connect them to their respective VRF gateways as shown in the topology above.

Create corresponding Tier 1 Gateways and attach to respective VRF gateways

Next, create segments for the workloads and attach the workloads to the correct overlay segments.

Overlay segments for workloads
VM connected to overlay network Web-VRF-A
VM connected to overlay network Web-VRF-B

The physical network needs to learn the NSX routes.

Hence, connected networks on the Tier 1 gateways are advertised towards the VRF gateways.

The VRF gateways then redistribute the NSX routes into BGP.

Advertise connected networks on Tier 1 Gateways
Route redistribution on VRF Gateway A
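The two VRF gateways above were built through the UI. The following is an added example, not code from the original post or from VMware: it models the same design as Policy-API style objects, checks the rules the post lays out (HA mode, edge cluster, AS number, graceful restart and multipath relax inherited from the parent; one VLAN and subnet per VRF uplink; no inter-SR iBGP on a VRF; BGP peers reachable on the uplink subnet), and emits a hierarchical Policy API body of the kind that would be sent with `PATCH /policy/api/v1/infra`. The field names (`vrf_config`, `LocaleServices`, `Tier0Interface`, `BgpRoutingConfig`, `BgpNeighborConfig`, `route_redistribution_config`) are assumed from the NSX-T Policy API and should be verified against the API reference for your NSX-T version; the transport zone path is a placeholder, and all gateway names, VLANs and addresses are constructed sample values.

```python
"""Added example (not from the original post): model NSX-T VRF gateways as
Policy-API style objects, pre-flight the rules the post describes, and emit a
hierarchical Policy API body (PATCH /policy/api/v1/infra) for one VRF Tier-0.
Field names are assumed from the Policy API; paths, VLANs, addresses are constructed."""
import ipaddress
import json

# Placeholder for the VLAN transport zone path (look it up on your manager).
TZ_VLAN_PATH = "/infra/sites/default/enforcement-points/default/transport-zones/<TZ-VLAN-ID>"

# Constructed parent Tier-0, modelled on the lab topology in the post.
PARENT_T0 = {
    "id": "T0-Parent",
    "ha_mode": "ACTIVE_ACTIVE",
    "edge_cluster_path": "/infra/sites/default/enforcement-points/default/edge-clusters/EC-1",
    "local_as_num": "65000",
    "graceful_restart_mode": "HELPER_ONLY",
    "multipath_relax": True,
    "uplink_vlans": {101, 102},  # VLANs already consumed by the parent's own uplinks
}

# Constructed VRF definitions: each VRF uplink gets its own VLAN and subnet,
# as in the post, because the VLAN is the VRF's data-plane channel.
VRF_A = {"id": "VRF-A", "uplinks": [
    {"vlan": 201, "edge": "EDGE-1", "address": "172.16.1.2/24", "peer": "172.16.1.1", "peer_as": "65100"},
    {"vlan": 202, "edge": "EDGE-2", "address": "172.16.2.2/24", "peer": "172.16.2.1", "peer_as": "65100"}]}
VRF_B = {"id": "VRF-B", "uplinks": [
    {"vlan": 301, "edge": "EDGE-1", "address": "172.16.11.2/24", "peer": "172.16.11.1", "peer_as": "65100"},
    {"vlan": 302, "edge": "EDGE-2", "address": "172.16.12.2/24", "peer": "172.16.12.1", "peer_as": "65100"}]}

INHERITED = ("ha_mode", "edge_cluster_path", "local_as_num",
             "graceful_restart_mode", "multipath_relax")


def inherited_settings(parent):
    """Settings a VRF gateway takes from its parent Tier-0; they are never set on the VRF."""
    return {key: parent[key] for key in INHERITED}


def preflight(parent, vrfs):
    """Return a list of design problems; an empty list means the VRFs are consistent."""
    problems = []
    vlan_owner = {vlan: parent["id"] for vlan in parent["uplink_vlans"]}
    nets = []  # (gateway id, network) for every uplink seen so far
    for vrf in vrfs:
        for up in vrf["uplinks"]:
            owner = vlan_owner.setdefault(up["vlan"], vrf["id"])
            if owner != vrf["id"]:  # one VLAN must not carry two gateways' uplinks
                problems.append(f"{vrf['id']}: VLAN {up['vlan']} is already used by {owner}")
            iface = ipaddress.ip_interface(up["address"])
            for other, net in nets:  # a subnet may repeat inside a VRF, not across VRFs
                if other != vrf["id"] and iface.network.overlaps(net):
                    problems.append(f"{vrf['id']}: {iface.network} overlaps {net} in {other}")
            nets.append((vrf["id"], iface.network))
            if ipaddress.ip_address(up["peer"]) not in iface.network:
                problems.append(f"{vrf['id']}: BGP peer {up['peer']} is outside {iface.network}")
    return problems


def build_vrf_payload(parent, vrf):
    """Hierarchical API body: uplink segments, the VRF Tier-0 (vrf_config -> parent),
    and a locale service carrying interfaces, BGP, neighbours and redistribution."""
    segments, ls_children, neighbors = [], [], []
    for n, up in enumerate(vrf["uplinks"], 1):
        seg_id = f"{vrf['id']}-uplink-{n}"
        iface = ipaddress.ip_interface(up["address"])
        segments.append({"resource_type": "ChildSegment", "Segment": {
            "resource_type": "Segment", "id": seg_id,
            "vlan_ids": [str(up["vlan"])], "transport_zone_path": TZ_VLAN_PATH}})
        ls_children.append({"resource_type": "ChildTier0Interface", "Tier0Interface": {
            "resource_type": "Tier0Interface", "id": f"uplink-{n}", "type": "EXTERNAL",
            "segment_path": f"/infra/segments/{seg_id}",
            "edge_path": f"{parent['edge_cluster_path']}/edge-nodes/{up['edge']}",
            "subnets": [{"ip_addresses": [str(iface.ip)], "prefix_len": iface.network.prefixlen}]}})
        neighbors.append({"resource_type": "ChildBgpNeighborConfig", "BgpNeighborConfig": {
            "resource_type": "BgpNeighborConfig", "id": f"peer-{n}",
            "neighbor_address": up["peer"], "remote_as_num": up["peer_as"],
            "source_addresses": [str(iface.ip)]}})
    # No local_as_num here: the AS is inherited. inter_sr_ibgp stays off (unsupported on VRFs).
    ls_children.append({"resource_type": "ChildBgpRoutingConfig", "BgpRoutingConfig": {
        "resource_type": "BgpRoutingConfig", "id": "bgp", "enabled": True,
        "inter_sr_ibgp": False, "children": neighbors}})
    tier0 = {"resource_type": "Tier0", "id": vrf["id"],
             "vrf_config": {"tier0_path": f"/infra/tier-0s/{parent['id']}"},
             "children": [{"resource_type": "ChildLocaleServices", "LocaleServices": {
                 "resource_type": "LocaleServices", "id": "default",
                 "route_redistribution_config": {"bgp_enabled": True, "redistribution_rules": [
                     {"name": "nsx-routes", "route_redistribution_types": ["TIER1_CONNECTED"]}]},
                 "children": ls_children}}]}
    return {"resource_type": "Infra",
            "children": segments + [{"resource_type": "ChildTier0", "Tier0": tier0}]}


if __name__ == "__main__":
    for problem in preflight(PARENT_T0, [VRF_A, VRF_B]):
        print("PROBLEM:", problem)
    print(json.dumps(build_vrf_payload(PARENT_T0, VRF_A), indent=2))
```

Run the pre-flight against every VRF you intend to create before pushing anything: a VLAN reused between two gateways or an overlapping uplink subnet is exactly the kind of mistake that silently breaks the per-VRF isolation the feature exists to provide. The emitted body deliberately carries no HA mode, edge cluster or AS number on the VRF Tier-0, since those come from the parent.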

Validation:

ICMP test between VM on VRF-A to VM on VRF-B
Physical router 1 learns NSX routes
Reachability between loopback on physical router 2 and VM on VRF-B

From the logs, there is connectivity between VMs that are in different VRFs.