NSX-T Configuration from Scratch

 In this blog post we'll see step by step configuration of NSX-T


1. Add Compute Manager



2. Create Transport Zones as following

    a. One Overlay Transport Zone for Host and Edge Transport Nodes

    b. Two VLAN Transport Zones. One for Host Transport Nodes and another for Edge Transport Node. (having two separate VLAN transport zones is not necessary, a single VLAN Transport Zone can be used Host and Edge Transport zones)



3. Create Uplink profile for Host Transport Node

    In our design, we are using LAG consisting of two uplink on Host Transport Nodes. LAG is already created on vCenter ESXi hosts. Transport VLAN is the VLAN used for Host TEP IP address pool. There is no need to specify the MTU size in Host Uplink Profile, as we are using converged VDS in our design and MTU settings need to configured in VDS (on vCenter).




    MTU Settings on VDS




4. Create IP pool for Host Transport Nodes. In our case, we would be using DHCP.


5. Create Host Transport Node Profile

    Type: VDS (since we decided to use VDS with NSX)
    Name: Select the Compute Manager from the first dropdown, and in the second dropdown, select the VDS that would be hosting NSX segments.
    Uplink Profile: Select the uplink profile that we created for Host Transport Node in above steps.
    IP Assignment: We can chose either static, IP Pool, or DHCP. We are using DHCP here.
    Teaming Policy Uplink Mapping: In the first column, LAG1 is the Object that we created in uplink profile we created in above steps for Host Transport Nodes. In the second column, the LAG1 is the actual LAG crated on VDS (on vCenter), which is selected from the dropdown-select option.
    





6. Configure the Compute Cluster of vCenter for NSX. 
    Select the Host Transport Node profile created in steps above to configure NSX on the cluster.



7. Create Uplink Profile for Edge Transport Node

    For efficient load balancing, we'll be using standalone uplinks on Edge Nodes, each uplink going to Left and Right TOR switches.
    MTU needs to be specified in the Edge uplink profile.
    For Transport VLAN, use the VLAN of IP address pool used for Edge Node TEPs. It is recommended to use different subnets for Host TEP and Edge TEP.





8. Create a Trunk PortGroup on VDS for Edge Node uplink




9. Create IP Pool for Edge TEP.

     It is recommended to use different subnets for Host TEP and Edge TEP.



10. Create Edge Transport Nodes

    Management interface shall connect to normal port group on vCenter VDS



12. Create Edge Cluster Profile

    We'll use the default one.


13. Add Edge Cluster





13. Create Tier-0 Gateway and attach it to the edge cluster created above.




14. Add Segments for Tier-0 Gateway Uplink connectivity

    We will be adding three segments in the Edge VLAN transport zone. These segments will be hosing uplinks to provide connectivity between Tier-0 gateways and physical network through the Edge Nodes.
    First Access VLAN segment for parent Tier-0 gateway left uplink, which will be used for connectivity towards left TOR switch. 
    Second Access VLAN segment for parent Tier-0 gateway right uplink, which will be used for connectivity towards right TOR switch.
    Third segment will be Trunked segment for carrying VRF (Tier-0 child) gateways traffic. Left and Right VLAN ID would be specified while created interfaces on VRF gateways.







15. Add Interfaces to the Tier-0 Gateway

    Name: Name the interface
    Type: External
    Connected To(segment): segment for left or right uplink created in above steps
    Edge Node: Select either of edge node. There will be two interfaces per edge node, one for left uplink and another for right uplink.
    MTU: Define the MTU size




Create all other interfaces. Two interfaces though each of four Edge Nodes.





16. Enable BGP on Tier-0 gateway

    Enable BGP and configure Local AS on Tier-0 gateway. The same Local AS would be inherited by the child Tier-0 VRF gateways.



17. Add child Tier-0 VRF gateways

Add VRF gateways for DC and PUBLIC VRF



18. Add Interfaces to VRF Gateways

    Similar to how we created interfaces for parent Tier-0 gateway, we'll create eight interfaces on each VRF gateways as well, with only difference in configuration of Connected To(Segment) and Access VLAN ID.
    In the Connected To field, select the Trunk interface which will carry traffic for both left and right uplinks.
    In the Access VLAN ID field, specify the VLAN ID for left or right VLAN as appropriate.










19. Enable Route Re-Distribution on Tier-0 VRF gateway

    To establish connectivity between the overlay segments and physical network, enable route re-distribution on Tier-0 VRF gateway for Tier-1 Connected Interfaces & Segments.
    Re-distribution of routes can also be controlled by using a Route Map









20. Configure BGP on TOR switches.

    Following configuration includes only relevant part of  BGP peering with Tier-0 DC VRF gateway from TOR switches.

Switch-408A#
vlan 3420
   name NSX_T0_GW_LEAF_A_DC_PEERING
!
interface Vlan3420
   description NSX T0 GW LEAF A DC PEERING
   vrf DC
   ip address 172.22.63.1/28
   bfd interval 100 min_rx 100 multiplier 3
!
router bgp 65448
   neighbor NSX-T0-GW01-DC-VRF peer group
   neighbor NSX-T0-GW01-DC-VRF remote-as 65460
   neighbor NSX-T0-GW01-DC-VRF bfd
   neighbor NSX-T0-GW01-DC-VRF send-community
   !
   vrf DC
      neighbor 172.22.63.3 peer group NSX-T0-GW01-DC-VRF
      neighbor 172.22.63.3 description NSX EN01 UPLINK-A DC VRF
      neighbor 172.22.63.4 peer group NSX-T0-GW01-DC-VRF
      neighbor 172.22.63.4 description NSX EN02 UPLINK-A DC VRF
      !
      address-family ipv4
         neighbor NSX-T0-GW01-DC-VRF activate


Switch-408B#
vlan 3421
   name NSX_T0_GW_LEAF_B_DC_PEERING
!
interface Vlan3421
   description NSX T0 GW LEAF B DC PEERING
   vrf DC
   ip address 172.22.63.17/28
   bfd interval 100 min_rx 100 multiplier 3
!
router bgp 65448
   neighbor NSX-T0-GW01-DC-VRF peer group
   neighbor NSX-T0-GW01-DC-VRF remote-as 65460
   neighbor NSX-T0-GW01-DC-VRF bfd
   neighbor NSX-T0-GW01-DC-VRF send-community
!
   vrf DC
      neighbor 172.22.63.19 peer group NSX-T0-GW01-DC-VRF
      neighbor 172.22.63.19 description NSX EN01 UPLINK-B DC VRF
      neighbor 172.22.63.20 peer group NSX-T0-GW01-DC-VRF
      neighbor 172.22.63.20 description NSX EN02 UPLINK-B DC VRF
      !
      address-family ipv4
         neighbor NSX-T0-GW01-DC-VRF activate



Switch-409A#
vlan 3420
   name NSX_T0_GW_LEAF_A_DC_PEERING
!
interface Vlan3420
   description NSX T0 GW LEAF A DC PEERING
   vrf DC
   ip address 172.22.63.33/28
   bfd interval 100 min_rx 100 multiplier 3
!
router bgp 65449
   neighbor NSX-T0-GW01-DC-VRF peer group
   neighbor NSX-T0-GW01-DC-VRF remote-as 65460
   neighbor NSX-T0-GW01-DC-VRF bfd
   neighbor NSX-T0-GW01-DC-VRF send-community
!
   vrf DC
      neighbor 172.22.63.35 peer group NSX-T0-GW01-DC-VRF
      neighbor 172.22.63.35 description NSX EN03 UPLINK-A DC VRF
      neighbor 172.22.63.36 peer group NSX-T0-GW01-DC-VRF
      neighbor 172.22.63.36 description NSX EN04 UPLINK-A DC VRF
      !
      address-family ipv4
         neighbor NSX-T0-GW01-DC-VRF activate


Switch-409B#
vlan 3421
   name NSX_T0_GW_LEAF_B_DC_PEERING
!
interface Vlan3421
   description NSX T0 GW LEAF B DC PEERING
   vrf DC
   ip address 172.22.63.49/28
   bfd interval 100 min_rx 100 multiplier 3
!
router bgp 65449
   neighbor NSX-T0-GW01-DC-VRF peer group
   neighbor NSX-T0-GW01-DC-VRF remote-as 65460
   neighbor NSX-T0-GW01-DC-VRF bfd
   neighbor NSX-T0-GW01-DC-VRF send-community
!
   vrf DC
      neighbor 172.22.63.51 peer group NSX-T0-GW01-DC-VRF
      neighbor 172.22.63.51 description NSX EN03 UPLINK-B DC VRF
      neighbor 172.22.63.52 peer group NSX-T0-GW01-DC-VRF
      neighbor 172.22.63.52 description NSX EN04 UPLINK-B DC VRF
      !
      address-family ipv4
         neighbor NSX-T0-GW01-DC-VRF activate



21. Add BGP Neighbors

    Local AS would be inherited from the parent Tier-0 gateway. We have to specify the neighbor IP address, Remote AS number and the source Addresses.




22. Create Tier-1 Gateways

    Crate Tier-1 Gateways for each of Tenant, i.e. for DC and PUBLIC, and connect the Tier-1 Gateways with respective Tier-0 VRF gateways. In the route-advertisement section,  enable 'All Connected Segments and Service Ports'.



23. Add DHCP Relay Profile




24. Add Segments for compute workload

Add segments in the Overlay transport Zone and connect it to the appropriate Tier-1 Gateway.

Specify the subnet gateway address and select the DHCP relay profile under 'Set DHCP Config' settings












Comments

Post a Comment

Popular posts from this blog

Specifying SSH port in Ansible Inventory

There may be some instances where you set a custom port for SSH on your network device. If ssh port for hosts is different than the default port 22, it can be specified in the inventory file with colon (:) after hostname. #vi inventory # Inventory file for Ansible   [XE] ios-xe-mgmt.cisco.com:8181 ios-xe-mgmt-latest.cisco.com:8181   [XR] sbx-iosxr-mgmt.cisco.com:8181
Read more

Ansible-Playbook to display output of multiple show commands (using stdout_lines with Loop)

 In this playbook, we we'll see how we can get display of multiple show commands in stdout_lines format. We can make use of loops (or with_items) for submitting multiple commands, but debug output with stdout_lines does not gives the formatted result as it would give for single command. So in case of multiple commands, we can debug the output of each command separately in stdout_lines format.
Read more

Filtering Routes in BGP using Route-maps and Prefix-list

Image
Order of preference of attributes in BGP The order of preference varies based on whether the attributes are applied for inbound updates or outbound updates. For inbound updates the order of preference is:     route-map     filter-list     prefix-list, distribute-list For outbound updates the order of preference is:     prefix-list, distribute-list     filter-list     route-map NOTE: The attributes prefix-list and distribute-list are mutually exclusive, and only one command (neighbor distribute-list or neighbor prefix-list) can be applied to each inbound or outbound direction for a particular neighbor. Scenario: We own the AS500 and advertising a network block of 192.0.2.0/24 and 180.179.179.0/16 to two different ISPs. Objectives: Configure router R1 to establish eBGP neighbor relationship with ISP1. Configure router R1 to establish eBGP neighbor relationship with ISP2. Advertise  192.0.2.0/24 network to ISP1 only. Advertise 180.179.179.0/16 network to ISP2 only. Receive routes having n
Read more

Ansible Playbook for Network OS Upgrade with pre and post checks

You have 100s of network switches or routers that you need to upgrade. How much time would it take for you to do the upgrades? There are a lot number of sub-tasks involved while upgrading IOS image of a Cisco router or a switch. This time of upgradation can be reduced through automation from various Enterprise Configuration Management tools that also have ability to upgrade network OS. Though these tools give an easy to use graphical interface, but this requires you to have appropriate license and also restricts you to customize your upgrade process.
Read more

Bypassing Proxy Server in Google Chrome

Image
There may be times when you might want to use Google Chrome and do not wish to use the proxy settings for which you are bound to use in Internet Explorer because of your company policies. If you try to change proxy settings in Google Chrome, by default it will open the System Internet Properties dialogue box, and most of the times, change in proxy setting options is restricted by domain group policy. So here is an alternate way to remove or disable proxy settings in Google Chrome. 1. Right click the GoogleChrome.exe and create it's shortcut. 2. Open the properties of the shortcut of GoogleChrome.exe created in previous step. 3. Here you have to edit the Target of this shortcut. You have to add   --proxy-server=""  after the existing path. You are done. Now enjoy the web browsing without any restrictions.
Read more

VMware NSX Traffic Flow — East-West & North-South

Image
Understanding how traffic is flowing in NSX environment is an important aspect to successfully maintain and troubleshoot networks having NSX. In this post we'll understand hop-by-hop flow of traffic in East-West and North-South directions. East-West: VMs on Same Subnet, Same Host VM-1 has IP address 172.16.20.6 and VM-2 has IP address 172.16.20.7 VM-1 vNIC è Logical Switch (Segment ID 5002) è VM-2 vNIC
Read more

Export or Backup Azure Network Security Groups into CSV using PowerShell

There could be many use cases where you may want to export Network Security Groups into CSV. You might have question, how to export or backup Azure Network Security Groups into CSV. Here is the PowerShell script that you can use to export Azure Network Security Groups into CSV using PowerShell script. This script will export Network Security Group along with rules of all Active subscriptions into a CSV.
Read more

Ansible-playbook for backing up running config of Cisco IOS

This ansible-playbook can be used to backup running configuration from Cisco IOS devices. You can refer to my earlier post Getting Started with your first ansible-playbook for Network Automation  to know about the parameters used in this playbook. Inventory file # Inventory file for Ansible [XE] ios-xe-mgmt.cisco.com:8181 ios-xe-mgmt-latest.cisco.com:8181 [XR] sbx-iosxr-mgmt.cisco.com:8181 [all:vars] ansible_network_os=ios Playbook --- - name: Define Parameters   hosts: XE   gather_facts: no   connection: network_cli   tasks:    - name: backup the config      ios_config:       backup: yes      register: backup_config    - name: Store the config to directory      copy:       src: "{{ backup_config.backup_path }}"       dest: "/tmp/backups/{{ inventory_hostname }}" Running the playbook [prashant@Prashant-VM01 ~]$ ansible-playbook play03.yml -i /home/prashant/inventory -u developer -k SSH password: PLAY [Define Parameters] **********************************************
Read more