A tier-0 gateway has downlink connections to tier-1 gateways and uplink connections to physical networks.

If you are adding a tier-0 gateway from Global Manager in NSX Federation, see Add a Tier-0 Gateway from Global Manager.

You can configure the HA (high availability) mode of a tier-0 gateway to be active-active or active-standby. The following services are only supported in active-standby mode:
  • NAT
  • Load balancing
  • Stateful firewall
  • VPN
Note: Active-standby tier-0 gateways are supported starting in NSX-T Data Center 3.0.1.
Tier-0 and tier-1 gateways support the following addressing configurations for all interfaces (uplinks, service ports and downlinks) in both single tier and multi-tiered topologies:
  • IPv4 only
  • IPv6 only
  • Dual Stack - both IPv4 and IPv6
To use IPv6 or dual stack addressing, enable IPv4 and IPv6 as the L3 Forwarding Mode in Networking > Networking Settings > Global Networking Config .

You can configure the tier-0 gateway to support EVPN (Ethernet VPN) type-5 routes. For more information about configuring EVPN, see Configuring EVPN.

If you configure route redistribution for the tier-0 gateway, you can select from two groups of sources: tier-0 subnets and advertised tier-1 subnets. The sources in the tier-0 subnets group are:
Source Type Description
Connected Interfaces and Segments These include external interface subnets, service interface subnets and segment subnets connected to the tier-0 gateway.
Static Routes Static routes that you have configured on the tier-0 gateway.
NAT IP NAT IP addresses owned by the tier-0 gateway and discovered from NAT rules that are configured on the tier-0 gateway.
IPSec Local IP Local IPSEC endpoint IP address for establishing VPN sessions.
DNS Forwarder IP Listener IP for DNS queries from clients and also used as source IP used to forward DNS queries to upstream DNS server.
EVPN TEP IP This is used to redistribute EVPN local endpoint subnets on the tier-0 gateway.
The sources in the advertised tier-1 subnets group are:
Source Type Description
Connected Interfaces and Segments These include segment subnets connected to the tier-1 gateway and service interface subnets configured on the tier-1 gateway.
Static Routes Static routes that you have configured on the tier-1 gateway.
NAT IP NAT IP addresses owned by the tier-1 gateway and discovered from NAT rules that are configured on the tier-1 gateway.
LB VIP IP address of the load balancing virtual server.
LB SNAT IP IP address or a range of IP addresses used for source NAT by the load balancer.
DNS Forwarder IP Listener IP for DNS queries from clients and also used as source IP used to forward DNS queries to upstream DNS server.
IPSec Local Endpoint IP address of the IPSec local endpoint.

On a tier-0 gateway, proxy ARP handles ARP queries for the external and service interface IPs. Starting with NSX-T Data Center 3.0.2, proxy ARP also handles ARP queries for service IPs that are in an IP prefix list that is configured with the Permit action.

Prerequisites

If you plan to configure multicast, see Configuring Multicast.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select Networking > Tier-0 Gateways.
  3. Click Add Tier-0 Gateway.
  4. Enter a name for the gateway.
  5. Select an HA (high availability) mode.
    The default mode is active-active. In the active-active mode, traffic is load balanced across all members. In active-standby mode, all traffic is processed by an elected active member. If the active member fails, a new member is elected to be active.
  6. If the HA mode is active-standby, select a failover mode.
    Option Description
    Preemptive If the preferred node fails and recovers, it will preempt its peer and become the active node. The peer will change its state to standby.
    Non-preemptive If the preferred node fails and recovers, it will check if its peer is the active node. If so, the preferred node will not preempt its peer and will be the standby node.
  7. (Optional) Select an NSX Edge cluster.
  8. (Optional) Click Additional Settings.
    1. In the Internal Transit Subnet field, enter a subnet.
      This is the subnet used for communication between components within this gateway. The default is 169.254.0.0/24.
    2. In the T0-T1 Transit Subnets field, enter one or more subnets.
      These subnets are used for communication between this gateway and all tier-1 gateways that are linked to it. After you create this gateway and link a tier-1 gateway to it, you will see the actual IP address assigned to the link on the tier-0 gateway side and on the tier-1 gateway side. The address is displayed in Additional Settings > Router Links on the tier-0 gateway page and the tier-1 gateway page. The default is 100.64.0.0/16.
  9. Click Route Distinguisher for VRF Gateways to configure a route distinguisher admin address.
    This is only needed for EVPN and for the automatic route distinguisher use case.
  10. (Optional) Add one or more tags.
  11. Click Save.
  12. For IPv6, under Additional Settings, you can select or create an ND Profile and a DAD Profile.
    These profiles are used to configure Stateless Address Autoconfiguration (SLAAC) and Duplicate Address Detection (DAD) for IPv6 addresses.
  13. (Optional) Click EVPN Settings to configure EVPN.
    1. Select a VNI pool.
      You can click the menu icon (3 dots) to create a VNI pool if you have not previouly created one.
    2. In the EVPN Tunnel Endpoint field click Set to add EVPN local tunnel endpoints.
      For the tunnel endpoint, select an Edge node and specify an IP address.
      Optionally, you can specify the MTU.
      Note: Ensure that the uplink interface has been configured on the NSX Edge node that you select for the EVPN tunnel endpoint.
  14. To configure route redistribution, click Route Redistribution and Set.
    Select one or more of the sources:
    • Tier-0 subnets: Static Routes, NAT IP, IPSec Local IP, DNS Forwarder IP, EVPN TEP IP, Connected Interfaces & Segments.

      Under Connected Interfaces & Segments, you can select one or more of the following: Service Interface Subnet, External Interface Subnet, Loopback Interface Subnet, Connected Segment.

    • Advertised tier-1 subnets: DNS Forwarder IP, Static Routes, LB VIP, NAT IP, LB SNAT IP, IPSec Local Endpoint, Connected Interfaces & Segments.

      Under Connected Interfaces & Segments, you can select Service Interface Subnet and/or Connected Segment.

  15. To configure interfaces, click Interfaces and Set.
    1. Click Add Interface.
    2. Enter a name.
    3. Select a type.
      If the HA mode is active-standby, the choices are External, Service, and Loopback. If the HA mode is active-active, the choices are External and Loopback.
    4. Enter an IP address in CIDR format.
    5. Select a segment.
    6. If the interface type is not Service, select an NSX Edge node.
    7. (Optional) If the interface type is not Loopback, enter an MTU value.
    8. (Optional) If the interface type is External, you can enable multicast by setting PIM (Protocol Independent Multicast) to Enabled.
      PIM can be enabled only on a single uplink interface.
      Note: If you later disable PIM on this interface, then multicast will be disabled on all interfaces including the downlinks on this gateway.
    9. (Optional) Add tags and select an ND profile.
    10. (Optional) If the interface type is External, for URPF Mode, you can select Strict or None.
      URPF (Unicast Reverse Path Forwarding) is a security feature.
    11. After you create an interface, you can download the ARP table by clicking the menu icon (three dots) for the interface and selecting Download ARP table.
  16. (Optional) If the HA mode is active-standby, click Set next to HA VIP Configuration to configure HA VIP.
    With HA VIP configured, the tier-0 gateway is operational even if one uplink is down. The physical router interacts with the HA VIP only. HA VIP is intended to work with static routing and not with BGP.
    1. Click Add HA VIP Configuration.
    2. Enter an IP address and subnet mask.
      The HA VIP subnet must be the same as the subnet of the interface that it is bound to.
    3. Select two interfaces from two different Edge nodes.
  17. Click Routing to add IP prefix lists, community lists, static routes, and route maps.
  18. Click Multicast to configure multicast routing.
  19. Click BGP to configure BGP.
  20. (Optional) To download the routing table or forwarding table, click the menu icon (three dots) and select a download option. Enter values for Transport Node, Network and Source as required, and save the .CSV file.

What to do next

After the tier-0 gateway is added, you can optionally enable dynamic IP management on the gateway by selecting either a DHCP server profile or a DHCP relay profile. For more information, see Attach a DHCP Profile to a Tier-0 or Tier-1 Gateway.