You can configure static and dynamic routing on your NSX Data Center for vSphere edge gateways.

To enable dynamic routing, you configure an advanced edge gateway using the Border Gateway Protocol (BGP) or the Open Shortest Path First (OSPF) protocol.

For detailed information about the routing capabilities that NSX Data Center for vSphere provides, see the NSX Data Center for vSphere documentation.

You can specify static and dynamic routing for each advanced edge gateway. The dynamic routing capability provides the necessary forwarding information between Layer 2 broadcast domains, which allows you to decrease Layer 2 broadcast domains and improve network efficiency and scale. NSX Data Center for vSphere extends this intelligence to the locations of the workloads for East-West routing. This capability allows more direct virtual machine to virtual machine communication without the added cost or time needed to extend hops.

Specify Default Routing Configurations for the NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

You can specify the default settings for static routing and dynamic routing for an edge gateway in VMware Cloud Director.

Note: To remove all configured routing settings, use the CLEAR GLOBAL CONFIGURATION button at the bottom of the Routing Configuration screen. This action deletes all routing settings currently specified on the subscreens: default routing settings, static routes, OSPF, BGP, and route redistribution.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. Navigate to Routing > Routing Configuration.
  3. To enable Equal Cost Multipath (ECMP) routing for this edge gateway, turn on the ECMP toggle.
    As described in the NSX Administration documentation, ECMP is a routing strategy that allows next-hop packet forwarding to a single destination to occur over multiple best paths. NSX determines these best paths either statically, using configured static routes, or as a result of metric calculations by dynamic routing protocols like OSPF or BGP. You can specify the multiple paths for static routes by specifying multiple next hops on the Static Routes screen.

    For more details about ECMP and NSX, see the routing topics in the NSX Troubleshooting Guide.

  4. Specify settings for the default routing gateway.
    1. Use the Applied On drop-down list to select an interface from which the next hop towards the destination network can be reached.
      To see details about the selected interface, click the blue information icon.
    2. Type the gateway IP address.
    3. Type the MTU.
    4. (Optional) Type a description.
    5. Click Save changes.
  5. Specify default dynamic routing settings.
    Note: If you have IPsec VPN configured in your environment, you should not use dynamic routing.
    1. Select a router ID.
      You can select a router ID in the list or use the + icon to enter a new one. This router ID is the first uplink IP address of the edge gateway that pushes routes to the kernel for dynamic routing.
    2. Configure logging by turning on the Enable Logging toggle and selecting the log level.
    3. Click OK.
  6. Click Save changes.

What to do next

Add static routes. See Add a Static Route To an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal.

Configure route redistribution. See Configure Route Redistributions on an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal.

Add a Static Route To an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal

You can add a static route for a destination subnet or host in VMware Cloud Director.

If ECMP is enabled in the default routing configuration, you can specify multiple next hops in the static routes. See Specify Default Routing Configurations for the NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal for steps on enabling ECMP.

Prerequisites

As described in the NSX documentation, the next hop IP address of the static route must exist in a subnet associated with one of the NSX Data Center for vSphere edge gateway interfaces. Otherwise, configuration of that static route fails.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. Navigate to Routing > Static Routes.
  3. Click the Create button.
  4. Configure the following options for the static route:
    Option: Description
    Network: Type the network in CIDR notation.
    Next Hop: Type the IP address of the next hop.

      The next hop IP address must exist in a subnet associated with one of the edge gateway interfaces.

      If ECMP is enabled, you can type multiple next hops.

    MTU: Edit the maximum transmission value for data packets.

      The MTU value cannot be higher than the MTU value set on the selected edge gateway interface. You can see the MTU set on the edge gateway interface by default on the Routing Configuration screen.

    Interface: Optionally, select the edge gateway interface on which you want to add a static route. By default, the interface that matches the next hop address is selected.
    Description: Optionally, type a description for the static route.
  5. Click Save changes.
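
The next-hop, ECMP, and MTU rules above can be checked before a route is entered in the portal. The following Python pre-flight check is an added example, not VMware code; the interface names, subnets, MTU values, and the route dictionary layout are constructed assumptions.

```python
import ipaddress

# Constructed sample interfaces; names, subnets and MTUs are assumptions.
INTERFACES = {
    "uplink-ext": {"subnet": "203.0.113.0/24", "mtu": 1500},
    "org-internal": {"subnet": "10.10.20.0/24", "mtu": 1600},
}

# Constructed sample routes in a hypothetical dictionary layout.
ROUTES = [
    {"network": "192.168.50.0/24", "next_hops": ["10.10.20.1"], "mtu": 1500},
    {"network": "192.168.60.0/24", "next_hops": ["172.16.0.1"], "mtu": 1500},
    {"network": "192.168.70.0/24", "next_hops": ["203.0.113.1"], "mtu": 1600},
]

def check_static_route(route, interfaces, ecmp_enabled):
    """Return the list of rule violations; an empty list means the route passes."""
    problems = []
    try:
        ipaddress.ip_network(route["network"], strict=False)
    except ValueError as exc:
        problems.append(f"network is not valid CIDR: {exc}")
    if len(route["next_hops"]) > 1 and not ecmp_enabled:
        problems.append("multiple next hops need ECMP enabled")
    for hop in route["next_hops"]:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            problems.append(f"next hop {hop!r} is not an IP address")
            continue
        # Interfaces whose subnet contains this next hop.
        reachable = [name for name, itf in interfaces.items()
                     if addr in ipaddress.ip_network(itf["subnet"])]
        if not reachable:
            problems.append(f"next hop {hop} is in no interface subnet")
            continue
        # Without an explicit choice, the interface matching the next hop is used.
        name = route.get("interface") or reachable[0]
        if name not in reachable:
            problems.append(f"next hop {hop} is not reachable through {name}")
        elif route["mtu"] > interfaces[name]["mtu"]:
            problems.append(
                f"MTU {route['mtu']} exceeds {name} MTU {interfaces[name]['mtu']}")
    return problems

if __name__ == "__main__":
    for r in ROUTES:
        print(r["network"], check_static_route(r, INTERFACES, False) or "ok")
```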

What to do next

Configure a NAT rule for the static route. See Add an SNAT or a DNAT Rule To an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Add a firewall rule to allow traffic to traverse the static route. See Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Service Provider Admin Portal.

Configure OSPF On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal

You can configure the Open Shortest Path First (OSPF) routing protocol for the dynamic routing capabilities of an NSX Data Center for vSphere edge gateway. A common application of OSPF on an edge gateway in a VMware Cloud Director environment is to exchange routing information between edge gateways in VMware Cloud Director.

The NSX edge gateway supports OSPF, an interior gateway protocol that routes IP packets only within a single routing domain. As described in the NSX Administration documentation, configuring OSPF on an NSX edge gateway enables the edge gateway to learn and advertise routes. The edge gateway uses OSPF to gather link state information from available edge gateways and construct a topology map of the network. The topology determines the routing table presented to the Internet layer, which makes routing decisions based on the destination IP address found in IP packets.

As a result, OSPF routing policies provide a dynamic process of traffic load balancing between routes of equal cost. An OSPF network is divided into routing areas to optimize traffic flow and limit the size of routing tables. An area is a logical collection of OSPF networks, routers, and links that have the same area identification. Areas are identified by an Area ID.

Prerequisites

A Router ID must be configured. See Specify Default Routing Configurations for the NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. Navigate to Routing > OSPF.
  3. If OSPF is not currently enabled, use the OSPF Enabled toggle to enable it.
  4. Configure the OSPF settings according to the needs of your organization.
    Option: Description
    Enable Graceful Restart: Specifies that packet forwarding is to remain uninterrupted when OSPF services are restarted.
    Enable Default Originate: Allows the edge gateway to advertise itself as a default gateway to its OSPF peers.
  5. (Optional) You can either click Save changes or continue with configuring area definitions and interface mappings.
  6. Add an OSPF area definition by clicking the Add button, specifying details for the mapping in the dialog box, and clicking Keep.
    Note: By default, the system configures a not-so-stubby area (NSSA) with area ID of 51, and this area is automatically displayed in the area definitions table on the OSPF screen. You can modify or delete the NSSA area.
    Option: Description
    Area ID: Type an area ID in the form of an IP address or decimal number.
    Area Type: Select Normal or NSSA.

      NSSAs prevent the flooding of AS-external link-state advertisements (LSAs) into NSSAs. They rely on default routing to external destinations. As a result, NSSAs must be placed at the edge of an OSPF routing domain. An NSSA can import external routes into the OSPF routing domain, thereby providing transit service to small routing domains that are not part of the OSPF routing domain.

    Area Authentication: Select the type of authentication for OSPF to perform at the area level.

      All edge gateways within the area must have the same authentication and corresponding password configured. For MD5 authentication to work, both the receiver and transmitter must have the same MD5 key.

      Choices are:

      • None

        No authentication is required.

      • Password

        With this choice, the password you specify in the Area Authentication Value field is included in the transmitted packet.

      • MD5

        With this choice, the authentication uses MD5 (Message Digest type 5) encryption. An MD5 checksum is included in the transmitted packet. Type the MD5 key into the Area Authentication Value field.

  7. Click Save changes, so that the newly configured area definitions are available for selection when you add interface mappings.
  8. Add an interface mapping by clicking the Add button, specifying details for the mapping in the dialog box, and clicking Keep.
    These mappings map the edge gateway interfaces to the areas.
    1. In the dialog box, select the interface you want to map to an area definition.
      The interface specifies the external network that both edge gateways are connected to.
    2. Select the area ID for the area to map to the selected interface.
    3. (Optional) Change the OSPF settings from the default values to customize them for this interface mapping.
      When configuring a new mapping, the default values for these settings are displayed. In most cases, it is recommended to retain the default settings. If you do change the settings, make sure that the OSPF peers use the same settings.
      Option: Description
      Hello Interval: Interval (in seconds) between hello packets that are sent on the interface.
      Dead Interval: Interval (in seconds) during which at least one hello packet must be received from a neighbor before that neighbor is declared down.
      Priority: Priority of the interface. The interface with the highest priority is the designated edge gateway router.
      Cost: Overhead required to send packets across that interface. The cost of an interface is inversely proportional to the bandwidth of that interface. The larger the bandwidth, the smaller the cost.
    4. Click Keep.
  9. Click Save changes in the OSPF screen.
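
The difference between the Password and MD5 choices in the Area Authentication option is visible on the wire. The following Python example is added here and is not VMware or NSX code; it builds an OSPFv2 hello with each authentication type using the RFC 2328 packet layout. The router ID, hello body, and key values are constructed samples, and zero-padding the key to 16 bytes is an assumption about implementation behavior.

```python
import hashlib
import hmac
import struct

ROUTER_ID = bytes([192, 0, 2, 1])   # constructed sample router ID
AREA_ID = bytes([0, 0, 0, 51])      # area ID 51, the default NSSA named on the page
# Constructed hello body: mask, hello 10 s, options, priority, dead 40 s, DR, BDR
HELLO = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                    bytes(4), bytes(4))

def ip_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used in the OSPF header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header(length: int, checksum: int, au_type: int, auth: bytes) -> bytes:
    # version 2, type 1 (hello), length, router ID, area ID, checksum, AuType, auth
    return struct.pack("!BBH4s4sHH8s", 2, 1, length, ROUTER_ID, AREA_ID,
                       checksum, au_type, auth)

def password_packet(body: bytes, password: bytes) -> bytes:
    """AuType 1: the password itself travels in the 8-byte authentication field."""
    length = 24 + len(body)
    # The checksum covers the packet except the 64-bit authentication field.
    csum = ip_checksum(header(length, 0, 1, b"")[:16] + body)
    return header(length, csum, 1, password[:8]) + body

def pad_key(key: bytes) -> bytes:
    return key[:16].ljust(16, b"\x00")   # assumption: short keys are zero-padded

def md5_packet(body: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    """AuType 2: a digest over packet + key is appended; the key is never sent."""
    length = 24 + len(body)                        # length field excludes the digest
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = header(length, 0, 2, auth) + body     # checksum field stays zero
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify_md5_packet(packet: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest with the locally configured key."""
    length = struct.unpack("!H", packet[2:4])[0]
    signed, digest = packet[:length], packet[length:length + 16]
    expected = hashlib.md5(signed + pad_key(key)).digest()
    return hmac.compare_digest(digest, expected)
```

A capture of the Password variant shows the configured value in bytes 16 to 23 of every packet, while the MD5 variant only verifies on a gateway that holds the same key.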

What to do next

Configure OSPF on the other edge gateways that you want to exchange routing information with.

Add a firewall rule that allows traffic between the OSPF-enabled edge gateways. See Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Service Provider Admin Portal.

Make sure that the route redistribution and firewall configuration allow the correct routes to be advertised. See Configure Route Redistributions on an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal.

Configure BGP On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal

You can configure Border Gateway Protocol (BGP) for the dynamic routing capabilities of an NSX Data Center for vSphere edge gateway in VMware Cloud Director.

As described in the NSX Administration Guide, BGP makes core routing decisions by using a table of IP networks or prefixes, which designate network reachability among multiple autonomous systems. In the networking field, the term BGP speaker refers to a networking device that is running BGP. Two BGP speakers establish a connection before any routing information is exchanged. The term BGP neighbor refers to a BGP speaker that has established such a connection. After establishing the connection, the devices exchange routes and synchronize their tables. Each device sends keep alive messages to keep this relationship alive.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. Navigate to Routing > BGP.
  3. If BGP is not currently enabled, use the Enable BGP toggle to enable it.
  4. Configure the BGP settings according to the needs of your organization.
    Option: Description
    Enable Graceful Restart: Specifies that packet forwarding is to remain uninterrupted when BGP services are restarted.
    Enable Default Originate: Allows the edge gateway to advertise itself as a default gateway to its BGP neighbors.
    Local AS: Required. Specify the autonomous system (AS) ID number to use for the local AS feature of the protocol. The value you specify must be a globally unique number between 1 and 65534.

      The local AS is a feature of BGP. The system assigns the local AS number to the edge gateway you are configuring. The edge gateway advertises this ID when the edge gateway peers with its BGP neighbors in other autonomous systems. The path of autonomous systems that a route would traverse is used as one metric in the dynamic routing algorithm when selecting the best path to a destination.

  5. You can either click Save changes, or continue to configure settings for the BGP routing neighbors.
  6. Add a BGP neighbor configuration by clicking the Add button, specifying details for the neighbor in the dialog box, and clicking Keep.
    Option: Description
    IP Address: Type the IP address of a BGP neighbor for this edge gateway.
    Remote AS: Type a globally unique number between 1 and 65534 for the autonomous system to which this BGP neighbor belongs. This remote AS number is used in the BGP neighbor's entry in the system's BGP neighbors table.
    Weight: The default weight for the neighbor connection. Adjust as appropriate for your organization's needs.
    Keep Alive Time: The frequency with which the software sends keep alive messages to its peer. The default frequency is 60 seconds. Adjust as appropriate for the needs of your organization.
    Hold Down Time: The interval after which the software declares a peer dead if it has not received a keep alive message. This interval must be three times the keep alive interval. The default interval is 180 seconds. Adjust as appropriate for the needs of your organization.

      Once peering between two BGP neighbors is achieved, the edge gateway starts a hold down timer. Every keep alive message it receives from the neighbor resets the hold down timer to 0. If the edge gateway fails to receive three consecutive keep alive messages, so that the hold down timer reaches three times the keep alive interval, the edge gateway considers the neighbor down and deletes the routes from this neighbor.

    Password: If this BGP neighbor requires authentication, type the authentication password.

      Each segment sent on the connection between the neighbors is verified. MD5 authentication must be configured with the same password on both BGP neighbors; otherwise, the connection between them is not made.

    BGP Filters: Use this table to specify route filtering using a prefix list from this BGP neighbor.
      Caution: A block all rule is enforced at the end of the filters.
      Add a filter to the table by clicking the + icon and configuring the options. Click Keep to save each filter.
      • Select the direction to indicate whether you are filtering traffic to or from the neighbor.
      • Select the action to indicate whether you are allowing or denying traffic.
      • Type the network that you want to filter to or from the neighbor. Type ANY or a network in a CIDR format.
      • Type the IP Prefix GE and IP Prefix LE to use the le and ge keywords in the IP prefix list.
  7. Click Save changes to save the configurations to the system.
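
The block all rule at the end of the BGP filters means that any prefix not explicitly permitted is dropped, which is easy to overlook when GE and LE bounds are in play. The following Python example is added here and is not VMware code; it evaluates a constructed filter table and checks the neighbor ranges stated above. The field names, the "in"/"out" and "permit"/"deny" labels, first-match ordering, and the conventional prefix-list meaning of GE and LE are assumptions that the page does not spell out.

```python
import ipaddress

def check_neighbor(remote_as, keep_alive, hold_down):
    """Check neighbor values against the ranges stated in the option table."""
    problems = []
    if not 1 <= remote_as <= 65534:
        problems.append("remote AS must be between 1 and 65534")
    if hold_down != 3 * keep_alive:
        problems.append("hold down time must be three times the keep alive time")
    return problems

def rule_matches(rule, route):
    """Conventional prefix-list match (assumed semantics for GE and LE)."""
    if rule["network"].upper() == "ANY":
        return True
    net = ipaddress.ip_network(rule["network"])
    if route.version != net.version or not route.subnet_of(net):
        return False
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen   # exact match only
    low = net.prefixlen if ge is None else ge
    high = net.max_prefixlen if le is None else le
    return low <= route.prefixlen <= high

def evaluate(filters, direction, route_cidr):
    """First matching filter decides; the trailing block all rule denies the rest."""
    route = ipaddress.ip_network(route_cidr)
    for rule in filters:
        if rule["direction"] == direction and rule_matches(rule, route):
            return rule["action"]
    return "deny"

# Constructed filter table for one neighbor.
FILTERS = [
    {"direction": "in", "action": "deny", "network": "10.20.99.0/24"},
    {"direction": "in", "action": "permit", "network": "10.20.0.0/16",
     "ge": 24, "le": 28},
    {"direction": "out", "action": "permit", "network": "198.51.100.0/24"},
]

if __name__ == "__main__":
    for cidr in ("10.20.5.0/24", "10.20.0.0/16", "10.20.99.0/24", "0.0.0.0/0"):
        print("in ", cidr, evaluate(FILTERS, "in", cidr))
    print(check_neighbor(65010, 60, 180) or "neighbor ok")
```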

What to do next

Configure BGP on the other edge gateways that you want to exchange routing information with.

Add a firewall rule that allows traffic to and from the BGP-configured edge gateways. See Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Service Provider Admin Portal for information.

Configure Route Redistributions on an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal

By default, the router shares routes only with other routers running the same protocol. When you have configured a multi-protocol VMware Cloud Director environment, you must configure route redistribution to have cross-protocol route sharing. You can configure route redistribution for an NSX Data Center for vSphere edge gateway.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. Navigate to Routing > Route Redistribution.
  3. Use the protocol toggles to turn on those protocols for which you want to enable route redistribution.
  4. Add IP prefixes to the on-screen table.
    1. Click the Add button.
    2. Type a name and the IP address of the network in CIDR format.
    3. Click Keep.
  5. Specify redistribution criteria for each IP prefix by clicking the Add button, specifying the criteria in the dialog box, and clicking Keep.
    Entries in the table are processed sequentially. Use the up and down arrows to adjust the sequence.
    Option: Description
    Prefix Name: Select a specific IP prefix to apply these criteria to, or select Any to apply the criteria to all network routes.
    Learner Protocol: Select the protocol that is to learn routes from other protocols under these redistribution criteria.
    Allow learning from: Select the types of networks from which routes can be learned for the protocol selected in the Learner Protocol list.
    Action: Select whether to permit or deny redistribution from the selected types of networks.
  6. Click Save changes.