Reading Time: 6 minutes

For those coming from an NSX-V background, you’ll remember how we enabled east-west traffic by deploying Distributed Logical Routers (DLR). This has changed ever so slightly in NSX-T, with earlier versions using Tier-1 Logical Routers, and in 2.4, Tier-1 Gateways.

To give an overview, Tier-1 Gateways (or more specifically, the Distributed Router component of the Tier-1 Gateway):

  • Provide basic packet-forwarding functionality
  • Are able to span all transport nodes (hypervisors and edge transport nodes)
  • Run as a kernel in the ESXi hypervisor or as an OVS file in the KVM
  • Provide distributed east-west routing functionality
  • Provide local routing on the hypervisors.

On and off ramp gateway services (such as north-south routing) are handled by Tier-0 Gateways, and these will be covered in detail in the next article.

This article assumes you have successfully deployed your NSX Manager appliance(s), connected your vCenter Server as a Compute Manager, created your Transport Zones and Host Transport Node Uplink Profiles, and have successfully added your Host Transport Nodes.

The Scenario

A customer/tenant needs to host a single two-tier application. This two-tier application is made up of two virtual machines. Each VM will be hosted on it’s own subnet/network segment, and each will connect to an upstream Tier-1 Gateway (T1-GW-TENANT-001) for east-west routing.

VMware NSX-T - Tier-1 Gateway - Multi-Tier Application

Further clarity regarding the VMs can be seen via the below table:

VM Name Role IP Address Gateway/Tier-1 Gateway Interface
T001-WEB-001 Web Server 10.100.110.11/24 10.100.110.1
T001-DB-001 Database Server 10.100.120.11/24 10.100.120.1

To create the above topology (and to enable east-west connectivity between the two VMs) we will step through the below process:

  1. Create a Tier-1 Gateway
  2. Create two Segments (Web-Tier and Database-Tier) and attach to the Tier-1 Gateway
  3. Add VMs to the appropriate Segment and amend each of the VM’s IP configuration
  4. Test connectivity between VMs.

Prerequisites

Before we jump into creating our Tier-1 Gateway and Segments, let’s take a look at the prerequisites.

1. I’ve already added my vCenter Server as a Compute Manager, the Connection Status for which is a health ‘Up’.VMware NSX-T - Tier-1 Gateway - Multi-Tier Application - Prerequiste

2. I’ve also created two Transport Zones (one for Overlay traffic and one for VLAN-backed traffic). Both of these Transport Zones have been assigned to an N-VDS (NVDS-PRODUCTION), the status for each is again a health ‘Up’.VMware NSX-T - Tier-1 Gateway - Multi-Tier Application - Prerequiste

3. Lastly, I’ve added my compute vSphere Cluster and have assigned the cluster a Transport Node Profile.The latter is completely optional, although is recommended to ensure configuration consistency across all vSphere Hosts (ESXi). The NSX-T Tunnel End Point (TEP) on each of my hosts has been assigned an IP address from an NSX-T IP Address Pool, required in order to encapsulate and pass this traffic between hosts via the GENEVE protocol.VMware NSX-T - Tier-1 Gateway - Multi-Tier Application - Prerequisite

1. Create a Tier-1 Gateway

1.1 Navigate to Networking > Tier-1 Gateways and click Add Tier-1 Gateway.

1.2 Give the new Tier-1 Gateway a Name and click Save.VMware NSX-T Tier-1 Gateway - Create Gateway

1.3 When prompted to ‘…continue configuring this Tier-1 Gateway?’, click NO.VMware NSX-T Tier-1 Gateway - Create Gateway

2. Create Segments

Next we will create two logical networks – i.e. Segments. One will be utilised by our Web Tier (SEG-110-WEB), and will house our Web Server VM (T001-WEB-01), and the second Segment will be utilised by our Database Tier (SEG-120-DB), and will house our Database Server VM (T001-DB-01).

2.1 Navigate to Networking > Segments and click Add Segment.

2.2. Give the new Segment a Name (1), connect the Segment to the recently created Tier-1 Gateway from the Connected Gateway & Type drop-down menu (2), select the Overlay Transport Zone (3), and click Set Subnets (4).VMware NSX-T Tier-1 Gateway - Create Segments

2.3 When the Set Subnets window opens, click Add Subnet.VMware NSX-T Tier-1 Gateway - Create Segments

2.4 Enter the IP address in CIDR format. This will act as the Segment’s Gateway and, in turn, the default gateway for any virtual machines housed on this Segment. When ready, click Add. VMware NSX-T Tier-1 Gateway - Create Segments

2.5 Click Apply.VMware NSX-T Tier-1 Gateway - Create Segments

2.6 Note the Subnet count now shows ‘1’. When ready, click Save. VMware NSX-T Tier-1 Gateway - Create Segments

2.7 When prompted to ‘…continue configuring this Segment?’, click NO. VMware NSX-T Tier-1 Gateway - Create Segments

2.8 After a moment, the Segment’s status should display ‘Up’. If not, click Refresh at the bottom of the screen.VMware NSX-T Tier-1 Gateway - Create Segments

2.9 Repeat steps 2.1-2.8 to create the Database subnet/Segment (10.100.120.1/24). Once complete, you should see the two new Segments displayed as below, both of which should be connected to our Tier-1 Gateway.VMware NSX-T Tier-1 Gateway - Create Segments

2.10 Let’s take a quick look at how these Segments are displayed via the vSphere Client. Browsing to one of our vSphere Hosts (Hosts and Clusters > Configure > Virtual Switches), we can see the new Segments have been attached to our N-VDS.VMware NSX-T Tier-1 Gateway - Create Segments

2.11 Likewise, via the Networks tab, the new Segments are displated under the vSphere Datacentre (in my case ‘SDDC-UK-CARDIFF’).VMware NSX-T Tier-1 Gateway - Create Segments

3. Add VMs to Segments

Lastly, we simply need to add a workload into our new NSX-T Segments. In the below screenshots you will note the deployment of two VMs – a Web Server (T001-WEB-01) and a Database Server (T001-DB-01). Each VM has been assigned to the appropriate NSX-T Segment, and their IP configuration amended to reflect it’s subnet and the correct default gateway (i.e. – the correct interface on the Tier-1 Gateway).

VM Name Role IP Address Gateway/Tier-1 Gateway Interface
T001-WEB-001 Web Server 10.100.110.11/24 10.100.110.1
T001-DB-001 Database Server 10.100.120.11/24 10.100.120.1

Web Server – T001-WEB-01:

VMware NSX-T Tier-1 Gateway - Add VMs

Database Server – T001-DB-01:VMware NSX-T Tier-1 Gateway - Add VMs

4. Test Connectivity

Each VM is now housed in a suitable network segment, and each VM has been configured to route via an interface on the upstream Tier-1 Gateway (as depicted in the below diagram).

VMware NSX-T - Tier-1 Gateway - Multi-Tier Application - Routing

From the below screenshots, we can see a successful ICMP test. Specifically, ICMP traffic is able to route between each of the VMs via the Tier-1 Gateway.

From T001-WEB-01 to T001-DB-01:VMware NSX-T Tier-1 Gateway - ICMP Test - Web to DB

From T001-DB-01 to T001-WEB-01:VMware NSX-T Tier-1 Gateway - ICMP Test - DB to Web

The traffic flow can also be visualised via the NSX-T UI utilising a number of tools. In the below screenshot we use the Port Connection tool.

VMware NSX-T Tier-1 Gateway - Troubleshooting via Port-Connection
And below, we use the Traceflow tool, enabling administrators to inspect the path of a packet as it travels from one logical port to single or multiple logical ports.

VMware NSX-T Tier-1 - Troublehshooting Traceflow

This concludes the deployment and configuration of the Tier-1 Gateway, as well as the creation of a number of Segments which allow VMs to utilise and route traffic via the N-VDS overlay.

In Summary

In this article we covered east-west connectivity required by the components of a two-tier application. Specifically, we deployed a Tier-1 Gateway, two logical networks via NSX-T Segments, and two VMs which utilise the new Segments. Traffic between the two VMs is successful by traversing the Tier-1 Gateway, however, neither VM is able to route to the upstream physical network. For this we will require a Tier-0 Gateway.

In the next article we will enable north-south routing (from physical to virtual) by deploying and configuring a Tier-0 Gateway and all it’s prerequisite components. We will also look at a number of logical routing use cases, and the ability to separate provider and multi-tenant environments..

4 Comments

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.