Tag: VMware

Configuring OSPF on an edge services gateway (ESG) enables the ESG to learn and advertise routes. The most common application of OSPF on an ESG is on the link between the ESG and a Logical (Distributed) Router. This allows the ESG to learn about the logical interfaces (LIFS) that are connected to the logical router. This goal can be accomplished with OSPF, IS-IS, BGP or static routing.

OSPF routing policies provide a dynamic process of trafficload balancing between routes of equal cost.

An OSPF network is divided into routing areas to optimize traffic flow and limit the size of routing tables.

An area is a logical collection of OSPF networks, routers, and links that have the same area identification.

Procedure:

Double Click on ESG-1.

Under Dynamic routing configuration , select ESG uplink as a router ID and click OK.

Under OSPF click on OSPF configuration and select edit:

Now under Area definitions define area ID. We will use the same area ID 20, which we have used in DLR:

In area to interface mapping, we will select Transit interface and map it with area ID 20:

Under route redistribution, select edit and enable OSPF:

In the following screen, the ESG’s default gateway is the ESG’s uplink interface to its external peer.

The router ID is the ESG’s uplink interface IP address—in other words, the IP address that faces its external peer.

The area ID configured is 20, and the internal interface (the interface facing the logical router) is mapped to the area.

The connected routes are redistributed into OSPF so that the OSPF neighbor (the logical router) can learn about the ESG’s uplink network.

Make sure that the ESG is learning OSPF external routes from the logical router.

Log in to your ESG , and run “show ip route” command.

Note that the below two routes are defined on the DLR and ESG learned them via OSPF.

Guys this is it as of now , thanks for reading . i hope it was worth reading and do share on social media if you like the post.

Configuring OSPF on a logical router enables VM connectivity across logical routers and from logical routers to edge services gateways (ESGs). OSPF routing policies provide a dynamic process of  traffic load balancing between routes of equal cost.

An OSPF network is divided into routing areas to optimize  traffic flow and limit the size of routing tables.

An area is a logical collection of OSPF networks, routers, and links that have the same area

identification. Areas are  identified by an Area ID.

Double click on Distributed logical router.

Click Routing and then click OSPF

.1 Enable OSPF.

a Click Edit at the top right corner of the window and click Enable OSPF

b In Forwarding Address, type an IP address that is to be used by the router data path module in the

hosts to forward data path packets.

c In Protocol Address, type a unique IP address within the same subnet as the Forwarding Address

.The protocol address is used by the protocol to form adjacencies with the peers.

2Configurethe OSPF areas.

a Optionally, delete the not-so-stubby area (NSSA) 51 that is configured by default.

b In Area Definitions, click the Add icon.

Click on edit:

Under Area Definitions , click on (+) sign:

Enter the area ID and click on okay:

Under Area to interface mapping click on (+):

Under route redistribution, make sure that OSPF is enabled:

The NSX Topology now is some like below:

In the following screen, the logical router’s default gateway is the ESG’s internal interface IP address(192.168.10.1).

The router ID is the logical router’s uplink interface—in other words, the IP address that faces the ESG(192.168.10.2).

The logical router configuration uses 192.168.10.2 as its forwarding address. The protocol address can be any IP address that is in the same subnet and is not used anywhere else. In this case, 192.168.10.3 is configured.

 

The area ID configured is 20, and the uplink interface (the interface facing the ESG) is mapped to the area.

In the next blog post , i will cover the OSPF routing configuration on ESG so that DLR and ESG can share the routes with each other.

You can install multiple NSX Edge services gateway virtual appliances in a data center. Each NSX Edge virtual appliance can have a total of ten uplink and internal network interfaces. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group.

The subnet assigned to the internal interface can be a publicly routed IP address space or a NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between interfaces. Uplink interfaces of an ESG connect to uplink port groups that have access to a shared corporate network or a service that provides access layer networking.

Procedure:

1 In vCenter, navigate to Home > Networking & Security > NSX Edges and click the Add (+) icon.

2 Select Edge Services Gateway and type a name for the device. This name appears in your vCenter inventory. The name should be unique across all ESGs within a single tenant. Optionally, you can also enter a hostname. This name appears in the CLI. If you do not specify the host name, the Edge ID, which gets created automatically, is displayed in the CLI. Optionally, you can enter a description and tenant and enable high availability.

3 Type and re-type a password for the ESG.

4 (Optional) Enable SSH, high availability, and automatic rule generation, and set the log level. If you do not enable automatic rule generation, you must manually add firewall, NAT, and routing configuration to allow control traffic for certain, NSX Edge services, including as load balancing and VPN. Auto rule generation does not create rules for data-channel traffic. By default, SSH and high availability are disabled, and automatic rule generation is enabled. By default, the log level is emergency. By default, logging is enabled on all new NSX Edge appliances. The default logging level is NOTICE.

5 Select the size of the NSX Edge instance based on your system resources

In the next blog , i will cover the configuration of Dynamic routing (OSPF ) in Distributed logical router.

 

A distributed logical router (DLR) is a virtual appliance that contains the routing control plane, while distributing the data plane in kernel modules to each hypervisor host. The DLR control plane function relies on the NSX controller cluster to push routing updates to the kernel modules.

Procedure:

1 In the vSphere Web Client, navigate to Home > Networking & Security > NSX Edges.

2 Click the Add (+) icon.

3 Select Logical (Distributed) Router and type a name for the device. This name appears in your vCenter inventory. The name should be unique across all logical routers within a single tenant. Optionally, you can also enter a hostname. This name appears in the CLI. If you do not specify the host name, the Edge ID, which gets created automatically, is displayed in the CLI.

4 (Optional) Deploy an edge appliance. Deploy Edge Appliance is selected by default. An edge appliance (also called a logical router virtual appliance) is required for dynamic routing and the logical router appliance’s firewall, which applies to logical router pings, SSH access, and dynamic routing traffic. You can deselect the edge appliance option if you require only static routes, and do not want to deploy an Edge appliance. You cannot add an Edge appliance to the logical router after the logical router has been created.

5 (Optional) Enable High Availability. Enable High Availability is not selected by default. Select the Enable High Availability check box to enable and configure high availability. High availability is required if you are planning to do dynamic routing.

6 Type and re-type a password for the logical router

7 Configure interfaces. On logical routers, only IPv4 addressing is supported. In the HA Interface Configuration, if you selected Deploy NSX Edge you must connect the interface to a distributed port group. It is recommended to use a VXLAN logical switch for the HA interface. An IP address for each of the two NSX Edge appliances is chosen from the link local address space, 169.250.0.0/16. No further configuration is necessary to configure the HA service.

In the next blog post , i will cover the installation of ESG (Edge Services Gateway).

An NSX logical switch reproduces switching functionality (unicast, multicast, broadcast) in a virtual environment completely decoupled from underlying hardware.

Logical switches are similar to VLANs, in that they provide network connections to which you can attach virtual machines. The VMs can then communicate with each other over VXLAN if the VMs are connected to the same logical switch. Each logical switch has a segment ID, like a VLAN ID. Unlike VLAN IDs, it’s possible to have up to 16 million segment IDs.

Procedure:

1 In the vSphere Web Client, navigate to Home > Networking & Security > Logical Switches.

2 Click the New Logical Switch (+) icon.

3 Type a name and optional description for the logical switch.

4 Select the transport zone in which you want to create the logical switch. By default, the logical switch inherits the control plane replication mode from the transport zone. You can change it to one of the other available modes. The available modes are unicast, hybrid, and multicast. The case in which you might want to override the inherited transport zone’s control plane replication mode for an individual logical switch is when the logical switch you are creating has significantly different characteristics in terms of the amount of BUM traffic it will to carry. In this case, you might create a transport zone that uses as unicast mode, and use hybrid or multicast mode for the individual logical switch.

5 (Optional) Click Enable IP Discovery to enable ARP suppression. This setting minimizes ARP traffic flooding within individual VXLAN segments—in other words, between VMs connected to the same logical switch. IP discovery is enabled by default.

6 (Optional) Click Enable MAC learning if your VMs have multiple MAC addresses or are using virtual NICs that are trunking VLANs.

7 Attach a VM to the logical switch by selecting the switch and clicking the Add Virtual Machine (+) icon.

8 Select the VM and click the right-arrow button.

9 Select a vNIC

Each logical switch that you create receives an ID from the segment ID pool, and a virtual wire is created. A virtual wire is a dvPortgroup that is created on each vSphere distributed switch.

The virtual wire descriptor contains the name of the logical switch and the logical switch’s segment ID. Assigned segment IDs appear in multiple places, as shown in the following examples. In Home > Networking & Security > Logical Switches:

In Home > Networking:

In Home > Hosts and Clusters > VM > Summary

On the hosts that are running the VMs that are attached to the logical switch, log in and execute the following commands to view local VXLAN configuration and state information. n Displays host-specific VXLAN details.

VDS Name displays the vSphere distributed switch to which the host is attached. The Segment ID is the IP network used by VXLAN. The Gateway IP is the gateway IP address used by VXLAN.

The Network Count remains 0 unless a DLR is attached to the logical switch. The Vmknic count should match the number of VMs attached to the logical switch

Test IP VTEP interface connectivity, and verify the MTU has been increased to support VXLAN encapsulation. Ping the vmknic interface IP address, which can be found on the host’s Manage > Networking > Virtual switches page in the vCenter Web Client.

The -d flag sets the don’t-fragment (DF) bit on IPv4 packets. The -s flag sets the packet size.

This is it regarding the creation of a logical switch , in the next blog post i will cover the configuration of Distributed logical router.

You can exclude a set of virtual machines from NSX distributed firewall protection.

NSX Manager, NSX Controllers, and NSX Edge virtual machines are automatically excluded from NSX distributed firewall protection. In addition, VMware recommends that you place the following service virtual machines in the Exclusion List to allow traffic to flow freely.

– vCenter Server. It can be moved into a cluster that is protected by Firewall, but it must already exist in the exclusion list to avoid connectivity issues. n Partner service virtual machines.

– Virtual machines that require promiscuous mode. If these virtual machines are protected by NSX distributed firewall, their performance may be adversely affected.

– The SQL server that your Windows-based vCenter uses. n vCenter Web server, if you are running it    separately.

Procedure

1 In the vSphere Web Client, click Networking & Security.

2 In Networking & Security Inventory, click NSX Managers.

3 In the Name column, click an NSX Manager.

4 Click the Manage tab and then click the Exclusion List tab.

5 Click the Add (+) icon

6 Type the name of the virtual machine that you want to exclude and click Add

In the next post i will cover how to prepare vSphere Host Cluster for NSX.