A tier-0 gateway has downlink connections to tier-1 gateways and external connections to physical networks.
If you are adding a tier-0 gateway from Global Manager in NSX Federation, see Add a Tier-0 Gateway from Global Manager.
- NAT
- Load balancing
- Stateful firewall
- VPN
- IPv4 only
- IPv6 only
- Dual Stack - both IPv4 and IPv6
You can configure the tier-0 gateway to support EVPN (Ethernet VPN). For more information about configuring EVPN, see Ethernet VPN (EVPN).
Source Type | Description |
---|---|
Connected Interfaces and Segments | These include external interface subnets, service interface subnets and segment subnets connected to the tier-0 gateway. |
Static Routes | Static routes that you have configured on the tier-0 gateway. |
NAT IP | NAT IP addresses owned by the tier-0 gateway and discovered from NAT rules that are configured on the tier-0 gateway. |
IPSec Local IP | Local IPSEC endpoint IP address for establishing VPN sessions. |
DNS Forwarder IP | Listener IP for DNS queries from clients and also used as source IP used to forward DNS queries to upstream DNS server. |
EVPN TEP IP | This is used to redistribute EVPN local endpoint subnets on the tier-0 gateway. |
Source Type | Description |
---|---|
Connected Interfaces and Segments | These include segment subnets connected to the tier-1 gateway and service interface subnets configured on the tier-1 gateway. |
Static Routes | Static routes that you have configured on the tier-1 gateway. |
NAT IP | NAT IP addresses owned by the tier-1 gateway and discovered from NAT rules that are configured on the tier-1 gateway. |
LB VIP | IP address of the load balancing virtual server. |
LB SNAT IP | IP address or a range of IP addresses used for source NAT by the load balancer. |
DNS Forwarder IP | Listener IP for DNS queries from clients and also used as source IP used to forward DNS queries to upstream DNS server. |
IPSec Local Endpoint | IP address of the IPSec local endpoint. |
Proxy ARP is automatically enabled on a tier-0 gateway when a NAT rule or a load balancer VIP uses an IP address from the subnet of the tier-0 gateway external interface. By enabling proxy-ARP, hosts on the overlay segments and hosts on a VLAN segment can exchange network traffic together without implementing any change in the physical networking fabric.
For a detailed example of a packet flow in a proxy ARP topology, see the NSX Reference Design Guide on the VMware Communities portal.
Before NSX 3.2, proxy ARP is supported on a tier-0 gateway in only an active-standby configuration, and it responds to ARP queries for the external and service interface IPs. Proxy ARP also responds to ARP queries for service IPs that are in an IP prefix list that is configured with the Permit action.
Starting in NSX 3.2, proxy ARP is also supported on a tier-0 gateway in an active-active configuration. However, all the Edge nodes in the active-active tier-0 configuration must have directly reachability to the network on which proxy ARP is required. In other words, you must configure the external interface and the service interface on all the Edge nodes that are participating in the tier-0 gateway for the proxy ARP to work.
Prerequisites
- If you plan to configure multicast, refer to Configuring Multicast.
- If you plan to configure the gateway DHCP server, refer to Attach a DHCP Profile to a Tier-0 or Tier-1 Gateway.
Procedure
Results
- In the Interfaces section: External and Service Interfaces.
- In the Routing section: IP Prefix Lists, Static Routes, Static Route BFD Peer, Community Lists, Route Maps.
- In the BGP section: BGP Neighbors.
If NSX Federation is configured, this feature of reconfiguring a gateway by clicking on an entity is applicable to gateways created by the Global Manager (GM) as well. Note that some entities in a GM-created gateway can be modified by the Local Manager, but others cannot. For example, IP Prefix Lists of a GM-created gateway cannot be modified by the Local Manager. Also, from the Local Manager, you can edit existing External and Service Interfaces of a GM-created gateway but you cannot add an interface.