To enable access between your VMs and the outside world, you can configure an external or internal BGP (eBGP or iBGP) connection between a tier-0 gateway and a router in your physical infrastructure.
When configuring BGP, you must configure a local Autonomous System (AS) number for the tier-0 gateway. You must also configure the remote AS number. EBGP neighbors must be directly connected and in the same subnet as the tier-0 uplink. If they are not in the same subnet, BGP multi-hop should be used.
BGPv6 is supported for single hop and multihop. Redistribution, prefix list, and route maps are supported with IPv6 prefixes.
RFC-5549 enables BGPv6 sessions to exchange IPv4 routes with an IPv6 next hop. To minimize the number of BGP sessions and IPv4 addresses, you can exchange both IPv4 and IPv6 routes over a BGP session. Support for encoding and processing an IPv4 route with an IPv6 next hop is negotiated as part of the capability exchange in the BGP OPEN message. If both sides of a peering session support the capability, IPv4 routes are advertised with an IPv6 next hop. Multi-protocol BGP (MP-BGP) is used to advertise the Network Layer Reachability Information of a IPv4 address family using the next hop of an IPv6 address family.
A tier-0 gateway in active-active mode supports inter-SR (service router) iBGP. If gateway #1 is unable to communicate with a northbound physical router, traffic is re-routed to gateway #2 in the active-active cluster. If gateway #2 is able to communicate with the physical router, traffic between gateway #1 and the physical router will not be affected. A route learned by an Edge node from a northbound router will always be preferred to the same route learned over inter-SR iBGP. It is not possible to change this preference.
The implementation of ECMP on NSX Edge is based on the 5-tuple of the protocol number, source and destination address, and source and destination port.
- Redistribution, prefix lists, and routes maps are supported.
- Route reflectors are not supported.
- BGP confederation is not supported.
- BGP Autonomous System Number (ASN) per Tier-0 VRF Gateway and BGP neighbor: You can configure a different BGP ASN per Tier-0 VRF Gateway and also per BGP neighbor. For more information, see BGP Autonomous System Number per Tier-0 VRF Gateway and BGP neighbor.
- Inter-VRF Routing: You can configure inter-VRF routing using easier workflows by importing and exporting routes between VRFs. For more information, see Inter-VRF Routing.
- Autonomous-System-Wide Unique BGP Identifier: NSX supports RFC6286, to relax the uniqueness of router ID between BGP peers across AS. BGP will form neighborship across AS even if the routers have the same router ID.
Note: This new behavior of accepting the same BGP RouterID will be the default in the system and cannot be changed.
- If there is no loopback interface, BGP takes the highest interface IP address as RID.
- If BGP has already chosen the highest interface IP as RID, adding a loopback interface will not affect BGP neighborship and RID is not changed.
- If RID is the highest interface IP and loopback is present, disabling and enabling BGP will not change the RID.
- If RID is the highest interface IP and loopback is present, rebooting the edge node, enabling maintenance mode on the edge node, or restarting the routing process will not change the RID.
- If RID is the highest interface IP and loopback is present, redeploying or replacing the edge transport node will change the RID to the IP address of the interface received first by the edge node's routing process.
- If RID is the highest interface IP and loopback is present, modifying or deleting the highest interface IP address will change the RID to the loopback interface IP.
- If RID is the loopback interface IP, modifying or deleting the highest interface IP will not change the RID.
- Clearing BGP neighbors will change the RID. It retains only the old RID.
- If the loopback interface has an IPv6 address, BGP does not use it as RID. It will take the highest IPv4 interface IP.
- A soft restart or hard restart of BGP adjacency from a remote site does not affect the BGP RID.
As defined in https://datatracker.ietf.org/doc/html/rfc2842, a BGP speaker determines the capabilities supported by its peer by examining the list of capabilities present in the Capabilities Optional Parameter in the OPEN message that the speaker receives from the peer. NSX supports the following capabilities:
Capability Code | Capability Description | Address Families Supported | Advertised Support from Tier-0 Gateway | Supported by Tier-0 Gateway when Received from Peer | Default Behavior | Configurable |
---|---|---|---|---|---|---|
1 | Multiprotocol extensions, with:
|
IPv4 Unicast IPv6 Unicast L2VPN EVPN |
Yes | Yes | IPv4 Unicast address family is enabled and advertised by default when an IPv4 neighbor is configured, or manually added in the Route Filter settings under the BGP neighbor configuration. IPv6 Unicast address family is enabled and advertised by default when an IPv6 neighbor is configured, or manually added in the Route Filter settings under the BGP neighbor configuration. L2VPN EVPN address family is enabled and advertised when configured in the Route Filter settings under the BGP neighbor configuration. The IPv4 Unicast address family is mandatory in NSX and automatically enabled when adding L2VPN EVPN address family. |
Yes |
2 | Route refresh | IPv4 Unicast IPv6 Unicast L2VPN EVPN |
Yes | Yes | Advertised by default | No |
5 | Extended next hop encoding | IPv6 Unicast | Yes | Yes | Not advertised by default. To enable this capability you must provide an IPv4 address family along with the IPv6 address family for the IPv6 BGP peer IP address. | Yes |
64 | Graceful restart | IPv4 Unicast IPv6 Unicast L2VPN EVPN |
Yes | Yes | Not advertised by default (Edge node by default is a helper) | Yes |
65 | Support for 4-octet AS number | IPv4 Unicast IPv6 Unicast L2VPN EVPN |
Yes | Yes | Advertised by default | No |
69 | ADD-Path, with:
|
IPv4 Unicast IPv6 Unicast L2VPN EVPN |
Yes (Receive only) | Yes (both Send and Receive) | The receive-only capability is supported and advertised by default. When the Edge node receives the same BGP prefix multiple times but with the same metric, if ECMP is enabled, all paths will be installed and active. When the Edge node receives the same BGP prefix multiple times with different metrics (for example, a larger ASPATH length) the best path route will be installed and active. The less preferred paths will be kept in the BGP routing table to improve control plane convergence. |
No |
73 | FQDN | IPv4 Unicast IPv6 Unicast L2VPN EVPN |
Yes | Yes | Advertised by default | No |
128 | Route refresh (Cisco) | IPv4 Unicast IPv6 Unicast L2VPN EVPN |
Yes | Yes | Advertised by default | No |
If a BGP down event occurs, an alarm will be raised. For details about the alarm, see the Routing Events table in NSX Event Catalog. In this release, additional information is provided regarding the reason for state changes of the BGP peer.
/policy/api/v1/infra/tier-0s/{tier-0-id}/locale-services/{locale-service-id}/bgp/neighbors/{neighbor-id} /policy/api/v1/global-infra/tier-0s/{tier-0-id}/locale-services/{locale-service-id}/bgp/neighbors/{neighbor-id}
false
. For example:
PATCH https://<nsx-mgr>/policy/api/v1/infra/tier-0s/T0-1/locale-services/default/bgp/neighbors/peer-1 { "enabled": "false" }
You can also use the GET method to view the value of the enabled and other parameters.
- With only BGP configured, if all BGP neighbors go down, the service router's state will be down.
- With only BFD configured, if all BFD neighbors go down, the service router's state will be down.
- With BGP and BFD configured, if all BGP and BFD neighbors go down, the service router's state will be down.
- With BGP and static routes configured, if all BGP neighbors go down, the service router's state will be down.
- With only static routes configured, the service router's state will always be up unless the node is experiencing a failure or in a maintenance mode.