For those coming from an NSX-V background, you’ll remember how we enabled east-west traffic by deploying Distributed Logical Routers (DLR). This has changed ever so slightly in NSX-T, with earlier versions using Tier-1 Logical Routers, and in 2.4, Tier-1 Gateways.

To give an overview, Tier-1 Gateways (or more specifically, the Distributed Router component of the Tier-1 Gateway):

  • Provide basic packet-forwarding functionality
  • Are able to span all transport nodes (hypervisors and edge transport nodes)
  • Run as a kernel module in the ESXi hypervisor or via Open vSwitch (OVS) on KVM hosts
  • Provide distributed east-west routing functionality
  • Provide local routing on the hypervisors.

On- and off-ramp gateway services (such as north-south routing) are handled by Tier-0 Gateways, and these will be covered in detail in the next article.

This article assumes you have successfully deployed your NSX Manager appliance(s), connected your vCenter Server as a Compute Manager, created your Transport Zones and Host Transport Node Uplink Profiles, and have successfully added your Host Transport Nodes.

The Scenario

A customer/tenant needs to host a single two-tier application. This two-tier application is made up of two virtual machines. Each VM will be hosted on its own subnet/network segment, and each will connect to an upstream Tier-1 Gateway (T1-GW-TENANT-001) for east-west routing.

VMware NSX-T - Tier-1 Gateway - Multi-Tier Application

The VMs are detailed in the table below:

VM Name        Role             IP Address          Gateway / Tier-1 Gateway Interface
T001-WEB-001   Web Server       10.100.110.11/24    10.100.110.1
T001-DB-001    Database Server  10.100.120.11/24    10.100.120.1

To create the above topology (and to enable east-west connectivity between the two VMs) we will step through the process below:

  1. Create a Tier-1 Gateway
  2. Create two Segments (Web-Tier and Database-Tier) and attach to the Tier-1 Gateway
  3. Add VMs to the appropriate Segment and amend each of the VM’s IP configuration
  4. Test connectivity between VMs.

Prerequisites

Before we jump into creating our Tier-1 Gateway and Segments, let’s take a look at the prerequisites.

1. I’ve already added my vCenter Server as a Compute Manager, the Connection Status for which is a healthy ‘Up’.

VMware NSX-T - Tier-1 Gateway - Multi-Tier Application - Prerequisite

2. I’ve also created two Transport Zones (one for Overlay traffic and one for VLAN-backed traffic). Both of these Transport Zones have been assigned to an N-VDS (NVDS-PRODUCTION), and the status for each is again a healthy ‘Up’.

VMware NSX-T - Tier-1 Gateway - Multi-Tier Application - Prerequisite

3. Lastly, I’ve added my compute vSphere Cluster and have assigned the cluster a Transport Node Profile. The latter is completely optional, although it is recommended to ensure configuration consistency across all vSphere Hosts (ESXi). The NSX-T Tunnel End Point (TEP) on each of my hosts has been assigned an IP address from an NSX-T IP Address Pool, required in order to encapsulate and pass this traffic between hosts via the GENEVE protocol.

VMware NSX-T - Tier-1 Gateway - Multi-Tier Application - Prerequisite

1. Create a Tier-1 Gateway

1.1 Navigate to Networking > Tier-1 Gateways and click Add Tier-1 Gateway.

1.2 Give the new Tier-1 Gateway a Name and click Save.

VMware NSX-T Tier-1 Gateway - Create Gateway

1.3 When prompted to ‘…continue configuring this Tier-1 Gateway?’, click NO.

VMware NSX-T Tier-1 Gateway - Create Gateway

2. Create Segments

Next we will create two logical networks – i.e. Segments. One will be utilised by our Web Tier (SEG-110-WEB), and will house our Web Server VM (T001-WEB-01), and the second Segment will be utilised by our Database Tier (SEG-120-DB), and will house our Database Server VM (T001-DB-01).

2.1 Navigate to Networking > Segments and click Add Segment.

2.2 Give the new Segment a Name (1), connect the Segment to the recently created Tier-1 Gateway from the Connected Gateway & Type drop-down menu (2), select the Overlay Transport Zone (3), and click Set Subnets (4).

VMware NSX-T Tier-1 Gateway - Create Segments

2.3 When the Set Subnets window opens, click Add Subnet.

VMware NSX-T Tier-1 Gateway - Create Segments

2.4 Enter the Segment’s Gateway/next hop in CIDR format (in this scenario, the Web Tier subnet – 10.100.110.1/24) and click Add.

VMware NSX-T Tier-1 Gateway - Create Segments

2.5 Click Apply.

VMware NSX-T Tier-1 Gateway - Create Segments

2.6 Note the Subnet count now shows ‘1’. When ready, click Save.

VMware NSX-T Tier-1 Gateway - Create Segments

2.7 When prompted to ‘…continue configuring this Segment?’, click NO.

VMware NSX-T Tier-1 Gateway - Create Segments

2.8 After a moment, the Segment’s status should display ‘Up’. If not, click Refresh at the bottom of the screen.

VMware NSX-T Tier-1 Gateway - Create Segments

2.9 Repeat steps 2.1-2.8 to create the Database subnet/Segment (10.100.120.1/24). Once complete, you should see the two new Segments displayed as below, both of which should be connected to our Tier-1 Gateway.

VMware NSX-T Tier-1 Gateway - Create Segments

2.10 Let’s take a quick look at how these Segments are displayed via the vSphere Client. Browsing to one of our vSphere Hosts (Hosts and Clusters > Configure > Virtual Switches), we can see the new Segments have been attached to our N-VDS.

VMware NSX-T Tier-1 Gateway - Create Segments

2.11 Likewise, via the Networks tab, we can see the new Segments under the vSphere Datacentre (in my case ‘SDDC-UK-CARDIFF’).

VMware NSX-T Tier-1 Gateway - Create Segments

3. Add VMs to Segments

Lastly, we simply need to add a workload into our new NSX-T Segments. In the screenshots below you will note the deployment of two VMs – a Web Server (T001-WEB-01) and a Database Server (T001-DB-01). Each VM has been assigned to the relevant NSX-T Segment, and its IP configuration amended to reflect its subnet and the correct default gateway (i.e. the correct interface on the Tier-1 Gateway).

VM Name        Role             IP Address          Gateway / Tier-1 Gateway Interface
T001-WEB-001   Web Server       10.100.110.11/24    10.100.110.1
T001-DB-001    Database Server  10.100.120.11/24    10.100.120.1

Web Server – T001-WEB-01:

VMware NSX-T Tier-1 Gateway - Add VMs

Database Server – T001-DB-01:

VMware NSX-T Tier-1 Gateway - Add VMs
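Steps 1 to 3 above are driven through the NSX-T UI. The same objects can be created idempotently through the NSX-T Policy API, which is how you would keep a tenant topology in version control. The example below is added here and is not the article’s own code: it builds the PATCH bodies for the Tier-1 Gateway and the two Segments using the names and gateway addresses from the scenario, checks each VM’s IP configuration against its Segment’s gateway (the mismatch that most often breaks the step 4 ping), and sends the objects with TLS verification left on. The NSX Manager hostname, credentials and the Overlay Transport Zone UUID are placeholders you must replace; the Policy API paths are the standard `/policy/api/v1/infra/tier-1s/{id}` and `/policy/api/v1/infra/segments/{id}` endpoints.

```python
"""Added example (not from the article): create the walkthrough's Tier-1 Gateway
and Segments via the NSX-T Policy API, and sanity-check the VM IP settings.

Assumed placeholders (not in the article): NSX_MANAGER, OVERLAY_TZ_UUID and the
credentials passed to policy_patch().
"""
import base64
import ipaddress
import json
import ssl
import urllib.request
from typing import Optional

# --- Values taken from the article's scenario ------------------------------
TIER1_ID = "T1-GW-TENANT-001"
SEGMENTS = {
    "SEG-110-WEB": "10.100.110.1/24",  # Web Tier gateway in CIDR form (step 2.4)
    "SEG-120-DB": "10.100.120.1/24",   # Database Tier gateway (step 2.9)
}
VMS = {  # vm name -> (ip/prefix, default gateway, segment)
    "T001-WEB-001": ("10.100.110.11/24", "10.100.110.1", "SEG-110-WEB"),
    "T001-DB-001": ("10.100.120.11/24", "10.100.120.1", "SEG-120-DB"),
}

# --- Placeholders: replace for your environment (assumed, not from the article)
NSX_MANAGER = "nsx-manager.example.invalid"
OVERLAY_TZ_UUID = "REPLACE-WITH-OVERLAY-TZ-UUID"
OVERLAY_TZ_PATH = ("/infra/sites/default/enforcement-points/default"
                   f"/transport-zones/{OVERLAY_TZ_UUID}")


def tier1_payload(tier1_id: str) -> dict:
    """Body for PATCH /infra/tier-1s/{tier1_id} (step 1). No tier0_path is set,
    so the gateway is standalone: east-west only, no route to the physical
    network, exactly the state the article ends in."""
    return {"resource_type": "Tier1", "id": tier1_id, "display_name": tier1_id}


def segment_payload(seg_id: str, gateway_cidr: str, tier1_id: str, tz_path: str) -> dict:
    """Body for PATCH /infra/segments/{seg_id} (steps 2.2 to 2.4): name,
    Connected Gateway, Transport Zone and the gateway/next hop in CIDR form."""
    iface = ipaddress.ip_interface(gateway_cidr)  # rejects a malformed CIDR early
    return {
        "resource_type": "Segment",
        "id": seg_id,
        "display_name": seg_id,
        "connectivity_path": f"/infra/tier-1s/{tier1_id}",
        "transport_zone_path": tz_path,
        "subnets": [{"gateway_address": str(iface)}],
    }


def vm_config_matches_segment(vm_ip_cidr: str, vm_gateway: str, segment_gateway_cidr: str) -> bool:
    """Step 3 check: the VM address must lie in the Segment's subnet, the VM's
    default gateway must be that Segment's Tier-1 interface, and the VM must
    not have taken the gateway's own address."""
    vm = ipaddress.ip_interface(vm_ip_cidr)
    seg = ipaddress.ip_interface(segment_gateway_cidr)
    return (vm.network == seg.network
            and ipaddress.ip_address(vm_gateway) == seg.ip
            and vm.ip != seg.ip)


def policy_patch(path: str, body: dict, user: str, password: str,
                 ca_file: Optional[str] = None) -> int:
    """PATCH one Policy API object (create-or-update). Certificate verification
    stays on; pass the CA that signed the NSX Manager certificate via ca_file
    rather than disabling checks. Returns the HTTP status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{NSX_MANAGER}/policy/api/v1{path}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Print the bodies that would be sent, then validate the VM settings.
    print(json.dumps(tier1_payload(TIER1_ID), indent=2))
    for seg_id, gw in SEGMENTS.items():
        print(json.dumps(segment_payload(seg_id, gw, TIER1_ID, OVERLAY_TZ_PATH), indent=2))
    for vm, (ip, gw, seg_id) in VMS.items():
        ok = vm_config_matches_segment(ip, gw, SEGMENTS[seg_id])
        print(vm, "OK" if ok else "MISCONFIGURED")
    # To push to a real manager, uncomment and supply credentials and CA file:
    # policy_patch(f"/infra/tier-1s/{TIER1_ID}", tier1_payload(TIER1_ID), "admin", "...", "nsx-ca.pem")
```

Run it as-is and it only prints the payloads and the VM checks; the network call is left commented out so nothing is sent until you have filled in the manager address and a trusted CA. The Tier-1 is patched before the Segments because a Segment’s `connectivity_path` must point at an existing gateway.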

4. Test Connectivity

Each VM is now housed in a suitable network segment, and each VM has been configured to route via an interface on the upstream Tier-1 Gateway (as depicted in the below diagram).

VMware NSX-T - Tier-1 Gateway - Multi-Tier Application - Routing

From the below screenshots, we can see a successful ICMP test. Specifically, ICMP traffic is able to route between each of the VMs via the Tier-1 Gateway.

From T001-WEB-01 to T001-DB-01:

VMware NSX-T Tier-1 Gateway - ICMP Test - Web to DB

From T001-DB-01 to T001-WEB-01:

VMware NSX-T Tier-1 Gateway - ICMP Test - DB to Web

The traffic flow can also be visualised via the NSX-T UI using a number of tools.

VMware NSX-T Tier-1 Gateway - Troubleshooting via Port-Connection
Connectivity troubleshooting via the Port Connection tool.
VMware NSX-T Tier-1 - Troubleshooting Traceflow
Connectivity troubleshooting via the Traceflow tool, enabling administrators to inspect the path of a packet as it travels from one logical port to single or multiple logical ports.

This concludes the deployment and configuration of the Tier-1 Gateway, as well as the creation of a number of Segments which allow VMs to utilise and route traffic via the N-VDS overlay.

In Summary

In this article we covered the east-west connectivity required by the components of a two-tier application. Specifically, we deployed a Tier-1 Gateway, two logical networks via NSX-T Segments, and two VMs which utilise the new Segments. Traffic between the two VMs flows successfully via the Tier-1 Gateway; however, neither VM is able to route to the upstream physical network. For this we will require a Tier-0 Gateway.

In the next article we will enable north-south routing (from physical to virtual) by deploying and configuring a Tier-0 Gateway and all its prerequisite components. We will also look at a number of logical routing use cases, and the ability to separate provider and multi-tenant environments.
