Virtual routing and forwarding (VRF) makes it possible to instantiate isolated routing and forwarding tables within a router. VRFs are supported by deploying tier-0 VRF gateways. A tier-0 VRF gateway must be linked to a parent tier-0 gateway and inherits some of the tier-0 gateway settings, such as HA mode, Edge cluster, internal transit subnet, T0-T1 transit subnets, and BGP routing configuration.

Multiple tier-0 VRF instances can be created under the same parent tier-0, which allows the separation of segments and tier-1 gateways into multiple isolated tenants. With tier-0 VRF gateways, tenants can use overlapping IP addresses without any interference or communication with each other.

NSX tier-0 VRF gateways can be used to connect tenant networks to external routers using static routes or BGP [RFC4364]. This is also known as VRF-Lite.

Network topology with a separate tier-0 VRF gateway for each tenant.

NSX tier-0 VRF gateways can also be deployed with EVPN. For more information, see Ethernet VPN (EVPN).

NSX Federation support:

  • Tier-0 VRF gateway is not supported with NSX Federation and therefore it cannot be configured on Global Manager.
  • Tier-0 VRF gateway is not supported on stretched tier-0 gateways in NSX Federation.

Note that even though a tier-0 VRF gateway has an HA mode, it does not have a mechanism to respond to a communication failure that is independent of the parent tier-0 gateway's mechanism. If a tier-0 VRF gateway loses connectivity to a neighbor but the criteria for the tier-0 gateway to fail over is not met, the VRF gateway will not fail over. The only time a VRF gateway will fail over is when the parent tier-0 gateway does a failover.