For NSX-T overlay deployments, the preserve client IP configuration at the virtual service, SE group, and network service remains the same as for other supported clouds. There are additional prerequisites and limitations, which are discussed in this section.

Procedure

  1. The Service Engine HA Mode should be Legacy (Active/Standby).


  2. For the preserve client IP functionality, the NSX-T user used to configure the NSX-T cloud should have the additional permissions Netx Partner Admin and Security Admin, apart from the Network Admin permission required for other use cases (see Configuring NSX-T Roles for more details).


  3. Set uRPF Mode to None for the VIP data segments in which the preserve client IP feature will be enabled.


    Note:

    If uRPF Mode is not set to None, an error event is generated, even though the status of the virtual service is up.



  4. Configure the virtual service (for which preserve client IP has to be configured) and pool server as Network Security Groups. Individual IP address or range, DNS Name, and IP group are not allowed.
  5. Configure the Floating Interface IP (FIP) in the network service and attach it to the appropriate SE group, VRF, and cloud reference hosting the virtual service that requires the preserve client IP feature. The FIP is used as the redirection target for reply traffic from the back-end servers and ensures that traffic always routes back to the Active Service Engine when a failover occurs. For more information, see Network Service Configuration in the VMware NSX Advanced Load Balancer Configuration Guide.
    [admin:10-170-67-140]: > show nsxt segment London_ALB_DATA_SEGMENT
     +-------------------+-----------------------------------------+
     | Field             | Value                                   |
     +-------------------+-----------------------------------------+
     | uuid              | segmentruntime-ab75a213243b             |
     | segment_id        | /infra/segments/London_ALB_DATA_SEGMENT |
     | name              | London_ALB_DATA_SEGMENT                 |
     | subnet            | 192.168.100.0/24                        |
     | dhcp_enabled      | True                                    |
     | nw_ref            | London_ALB_DATA_SEGMENT                 |
     | nw_name           | London_ALB_DATA_SEGMENT                 |
     | vrf_context_ref   | London_Tier1Gateway1                    |
     | tier1_id          | /infra/tier-1s/London_Tier1Gateway1     |
     | opaque_network_id | 9cbf6823-3bb8-4935-a675-e07872e7935f    |
     | segment_gw        | 192.168.100.1/24                        |
     | dhcp_ranges[1]    | 192.168.100.170-192.168.100.180         |
     | segname           | London_ALB_DATA_SEGMENT                 |
     | tenant_ref        | admin                                   |
     | cloud_ref         | nsxt_cloud_overlay                      |
     +-------------------+-----------------------------------------+
    Note:

    From the configuration, note that the DHCP range is 192.168.100.170-192.168.100.180

  6. The preserve client IP is configured as shown below:
    [admin:10-170-67-140]: > show networkservice nsxt_preserveIP_ns
     +--------------------------------+-----------------------------------------------------+
     | Field                          | Value                                               |
     +--------------------------------+-----------------------------------------------------+
     | uuid                           | networkservice-55e0f033-02e1-4a6b-99a1-b3a0f674f380 |
     | name                           | nsxt_preserveIP_ns                                  |
     | se_group_ref                   | Default-Group                                       |
     | vrf_ref                        | London_Tier1Gateway1                                |
     | service_type                   | ROUTING_SERVICE                                     |
     | routing_service                |                                                     |
     |   enable_routing               | False                                               |
     |   routing_by_linux_ipstack     | False                                               |
     |   floating_intf_ip[1]          | 192.168.100.150                                     |
     |   enable_vmac                  | False                                               |
     |   enable_vip_on_all_interfaces | True                                                |
     |   advertise_backend_networks   | False                                               |
     |   graceful_restart             | False                                               |
     |   enable_auto_gateway          | False                                               |
     | tenant_ref                     | admin                                               |
     | cloud_ref                      | nsxt_cloud_overlay                                  |
     +--------------------------------+-----------------------------------------------------+

    The floating IP is 192.168.100.150, which is outside the DHCP range.



What to do next

Note:
  • Ensure that the FIP is from the same segment where the Service Engine’s data segment is configured

  • Ensure that the FIP does not fall in the DHCP/static range of the data segment
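
The two FIP checks in the note above can be run against the CLI tables before the network service is attached. The following is an added example, not part of the VMware documentation: the function names are hypothetical, and the sample input is constructed from the `show nsxt segment` and `show networkservice` output shown earlier. It also handles several DHCP ranges and several floating IPs.

```python
import ipaddress
import re

# Constructed sample input: trimmed copies of the two CLI tables shown above.
SEGMENT_OUTPUT = """
| subnet            | 192.168.100.0/24                        |
| segment_gw        | 192.168.100.1/24                        |
| dhcp_ranges[1]    | 192.168.100.170-192.168.100.180         |
"""
NETWORKSERVICE_OUTPUT = """
| routing_service                |                 |
|   floating_intf_ip[1]          | 192.168.100.150 |
"""

# One data row: | field | value | (value may be empty; border lines do not match)
ROW = re.compile(r"^\s*\|\s*(\S+)\s*\|\s*(\S*)\s*\|\s*$")

def parse_table(text):
    """Return [(field, value)] for every data row of a CLI table."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]

def values(rows, prefix):
    """Collect values of a field and its indexed forms, e.g. dhcp_ranges[1]."""
    return [v for f, v in rows if f == prefix or f.startswith(prefix + "[")]

def check_fip(segment_text, ns_text):
    """Return a list of problems; an empty list means every FIP passes."""
    seg, ns = parse_table(segment_text), parse_table(ns_text)
    subnet = ipaddress.ip_network(values(seg, "subnet")[0])
    ranges = []
    for r in values(seg, "dhcp_ranges"):
        lo, hi = (ipaddress.ip_address(x) for x in r.split("-"))
        ranges.append((lo, hi))
    problems = []
    for raw in values(ns, "floating_intf_ip"):
        fip = ipaddress.ip_address(raw)
        if fip not in subnet:
            problems.append(f"{fip} is not in segment subnet {subnet}")
        for lo, hi in ranges:
            if lo <= fip <= hi:
                problems.append(f"{fip} is inside DHCP range {lo}-{hi}")
    return problems

if __name__ == "__main__":
    print(check_fip(SEGMENT_OUTPUT, NETWORKSERVICE_OUTPUT) or "FIP placement OK")
```

Static address ranges on the segment are not present in the CLI output shown here, so they still have to be checked separately.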