A tier-0 gateway has downlink connections to tier-1 gateways and external connections to physical networks.
If you are adding a tier-0 gateway from Global Manager in NSX Federation, refer to Add a Tier-0 Gateway from Global Manager.
- NAT
- Load balancing
- Stateful firewall
- VPN
- IPv4 only
- IPv6 only
- Dual Stack - both IPv4 and IPv6
You can configure the tier-0 gateway to support EVPN (Ethernet VPN). For more information about configuring EVPN, refer to Ethernet VPN (EVPN).
Source Type | Description |
---|---|
Connected Interfaces and Segments | Redistribute all subnets configured on Interfaces and routes related to tier-0 segments, tier-0 DNS Forwarder IP, tier-0 IPsec Local IP, tier-0 NAT types. Redistribute subnets configured on segments connected to tier-0. |
Static Routes | Redistribute static routes that you have configured on the tier-0 gateway. |
NAT IP | Redistribute NAT IPs owned by tier-0 and discovered from NAT rules that are configured on the tier-0 gateway. |
IPsec Local IP | Redistribute local IPsec endpoint IP address for establishing VPN sessions. Redistribute IPsec subnets. |
DNS Forwarder IP | Redistribute the listener IP for DNS queries from clients, which is also used as the source IP to forward DNS queries to the upstream DNS server. Redistribute DNS forwarder subnets. |
EVPN TEP IP | Redistribute EVPN local endpoint subnets on Tier-0. |
Inter VRF Static | Redistribute IPs advertised by tier-0 or VRF instances. |
Router Link | Redistribute router link port subnets on tier-0 gateways. |
Source Type | Description |
---|---|
Connected Interfaces & Segments / VPC Subnets | |
Static Routes | Redistribute all subnets and static routes advertised by tier-1 gateways or NSX VPCs. |
NAT IP | Redistribute NAT IP addresses owned by the tier-1 gateway or NSX VPC and discovered from NAT rules that are configured on the tier-1 gateway or NSX VPC. |
LB VIP | Redistribute IP address of the load balancing virtual server. |
LB SNAT IP | Redistribute IP address or a range of IP addresses used for source NAT by the load balancer. |
DNS Forwarder IP | Redistribute the listener IP for DNS queries from clients, which is also used as the source IP to forward DNS queries to the upstream DNS server. |
IPsec Local Endpoint | Redistribute IP address of the IPsec local endpoint. |
Proxy ARP is automatically enabled on a tier-0 gateway when a NAT rule or a load balancer VIP uses an IP address from the subnet of the tier-0 gateway external interface. With proxy ARP enabled, hosts on the overlay segments and hosts on a VLAN segment can exchange network traffic without any change to the physical networking fabric.
For a detailed example of a packet flow in a proxy ARP topology, refer to the NSX Reference Design Guide on the VMware Communities portal.
Proxy ARP is supported on a tier-0 gateway in an active-standby configuration, and it responds to ARP queries for the external and service interface IPs. Proxy ARP also responds to ARP queries for service IPs that are in an IP prefix list that is configured with the Permit action.
Proxy ARP is also supported on a tier-0 gateway in an active-active configuration. However, all the Edge nodes in the active-active tier-0 configuration must have direct reachability to the network on which proxy ARP is required. In other words, you must configure the external interface and the service interface on all the Edge nodes that are participating in the tier-0 gateway for proxy ARP to work.
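The proxy ARP conditions above can be checked against an inventory export before a NAT rule or VIP goes live. This is an added example, not VMware code: the inventory layout and field names are hypothetical, the addresses are constructed, and only external interfaces are checked.

```python
import ipaddress

# Constructed inventory; the field names are hypothetical, not the NSX API schema.
GATEWAY = {
    "ha_mode": "ACTIVE_ACTIVE",
    "edge_nodes": ["edge-01", "edge-02"],
    "external_interfaces": [
        {"edge_node": "edge-01", "address": "203.0.113.2/24"},
        {"edge_node": "edge-02", "address": "203.0.113.3/24"},
        {"edge_node": "edge-01", "address": "198.51.100.2/24"},
    ],
    "service_ips": [
        {"kind": "NAT", "ip": "203.0.113.50"},
        {"kind": "LB_VIP", "ip": "198.51.100.80"},
        {"kind": "NAT", "ip": "192.0.2.10"},
    ],
}


def proxy_arp_report(gw):
    """List NAT/LB VIP addresses that sit inside an external interface subnet.

    Each such address causes proxy ARP to be enabled. For an active-active
    gateway, also list the Edge nodes with no interface in that subnet.
    """
    # Map every external subnet to the Edge nodes that have an interface in it.
    nodes_by_subnet = {}
    for intf in gw["external_interfaces"]:
        net = ipaddress.ip_interface(intf["address"]).network
        nodes_by_subnet.setdefault(net, set()).add(intf["edge_node"])

    findings = []
    for svc in gw["service_ips"]:
        ip = ipaddress.ip_address(svc["ip"])
        for net, nodes in nodes_by_subnet.items():
            if ip.version != net.version or ip not in net:
                continue  # address is outside this subnet: no proxy ARP here
            missing = []
            if gw["ha_mode"] == "ACTIVE_ACTIVE":
                missing = sorted(set(gw["edge_nodes"]) - nodes)
            findings.append({"ip": str(ip), "kind": svc["kind"],
                             "subnet": str(net), "missing_edge_nodes": missing})
    return findings


if __name__ == "__main__":
    for finding in proxy_arp_report(GATEWAY):
        print(finding)
```

A non-empty `missing_edge_nodes` list marks an address that some Edge nodes of the active-active gateway cannot answer ARP for.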
Starting with NSX 4.1.1, you can find out the total number of routes for a tier-0 gateway with the following APIs. For more information about the APIs, refer to the NSX API Guide.
GET /policy/api/v1/infra/tier-0s/{tier-0-id}/number-of-routes
GET /policy/api/v1/global-infra/tier-0s/{tier-0-id}/number-of-routes
Prior to NSX 4.2.1, inter-SR routing to manage asymmetric traffic failures was supported only on tier-0 gateways, but not on VRF gateways. Starting with NSX 4.2.1, inter-SR routing is also supported on active-active VRF gateways within a single site.
To enable this feature, you must first turn on the Multi-VRF Inter SR toggle under the Additional Settings section while configuring a tier-0 gateway. Turning on this toggle runs MP-BGP between edges, which is required for inter-node route sync to handle asymmetric VRF connectivity and inter-site connectivity for stretched VRFs in a Federation setup. If the Multi-VRF Inter SR toggle is off, inter-SR routing cannot be enabled for a tier-0 VRF gateway and tier-0 VRF gateways cannot be stretched to multiple sites in a Federation setup.
Additionally, to enable inter-SR routing for a tier-0 VRF gateway, you must also turn on the Inter SR iBGP toggle under the BGP section while configuring the tier-0 VRF gateway.
When you turn on the Multi-VRF Inter SR toggle:
- There will be disruption in inter-SR and inter-site traffic.
- You cannot turn the toggle off.
Prerequisites
- If you plan to configure multicast, refer to Configuring Multicast on an NSX Tier-0 or Tier-1.
- If you plan to configure the gateway DHCP server, refer to Attach an NSX DHCP Profile to a Tier-0 or Tier-1 Gateway.
Procedure
Results
- In the Interfaces section: External and Service Interfaces.
- In the Routing section: IP Prefix Lists, Static Routes, Static Route BFD Peer, Community Lists, Route Maps.
- In the BGP section: BGP Neighbors.
If NSX Federation is configured, this feature of reconfiguring a gateway by clicking on an entity is applicable to gateways created by the Global Manager (GM) as well. Note that some entities in a GM-created gateway can be modified by the Local Manager, but others cannot. For example, IP Prefix Lists of a GM-created gateway cannot be modified by the Local Manager. Also, from the Local Manager, you can edit existing External and Service Interfaces of a GM-created gateway but you cannot add an interface.