The tier-0 gateway is the NSX logical router that provides the North-South connectivity for the NSX logical networking to the physical infrastructure. vSphere IaaS control plane supports multiple tier-0 gateways on multiple NSX Edge clusters in the same transport zone.

For more information about configuring NSX route maps on the edge tier-0 router, see the VMware Cloud Foundation Operations and Administration Guide at https://docs.vmware.com/en/VMware-Cloud-Foundation/4.0/vcf-40-doc.zip.

Prerequisites

Verify that you have created an NSX Edge cluster.

Procedure

  1. Log in to the NSX Manager.
  2. Select Networking > Tier-0 Gateways.
  3. Click ADD GATEWAY.
  4. Enter a name for the tier-0 gateway.
    For example, ContainerT0.
  5. Select an active-standby HA mode.
    The default mode is active-active. In active-standby mode, the elected active member processes all traffic. If the active member fails, a new member is elected to be active.
  6. If the HA mode is active-standby, select a failover mode.
    Preemptive: If the preferred node fails and recovers, it will pre-empt its peer and become the active node. The peer will change its state to standby.
    Non-preemptive: If the preferred node fails and recovers, it will check if its peer is the active node. If so, the preferred node will not pre-empt its peer and will be the standby node.
  7. Select the NSX Edge cluster previously created.
    For example, select Cluster Profile - 1.
  8. Click Save.
    The tier-0 gateway is created.
  9. Select Yes to continue with the configuration.
  10. Configure interfaces.
    1. Expand Interfaces and click Set.
    2. Click Add Interface.
    3. Enter a name.
      For example, enter the name TIER-0_VWT-UPLINK1.
    4. Select Type as External.
    5. Enter an IP address from the Edge Logical Router – Uplink VLAN. The IP address must be different from the management IP address configured for the NSX Edge VMs previously created.
      For example, 10.197.154.1/24.
    6. In Connected To, select the tier-0 uplink segment previously created.
      For example, TIER-0-LS-UPLINK.
    7. Select an NSX Edge node from the list.
      For example, nsx-edge-1.
    8. Click Save.
    9. Repeat steps 1 - 8 for the second interface.
      For example, create a second uplink TIER-0_VWT-UPLINK2 with IP address 10.197.154.2/24 connected to the nsx-edge-2 Edge node.
    10. Click Close.
  11. To configure high availability, click Set in HA VIP Configuration.
    1. Click ADD HA VIP CONFIGURATION.
    2. Enter the IP address.
      For example, 10.197.154.3/24.
    3. Select the interfaces.
      For example, TIER-0_VWT-UPLINK1 and TIER-0_VWT-UPLINK2.
    4. Click Add and Apply.
  12. To configure routing, click Routing.
    1. Click Set in Static Routes.
    2. Click ADD STATIC ROUTE.
    3. Enter a name.
      For example, DEFAULT-STATIC-ROUTE.
    4. Enter 0.0.0.0/0 for network IP address.
    5. To configure next hops, click Set Next Hops and then Add Next Hop.
    6. Enter the IP address of the next hop router. Typically, this is the default gateway of the management network VLAN from the NSX Edge logical router uplink VLAN.
      For example, 10.197.154.253.
    7. Click Add and Apply and SAVE.
    8. Click Close.
  13. (Optional) Select BGP to configure BGP local and peer details.
  14. To verify connectivity, make sure that an external device in the physical architecture can ping the uplinks that you configured.
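A pre-flight check for the addressing used in steps 10 to 12, added here as an example (not VMware code): it confirms that the uplinks and HA VIP share one subnet, that no address is reused or collides with an Edge management IP, and that the static route's next hop sits on the uplink subnet. The function name and the management IPs are assumptions; the other values are the procedure's own examples.

```python
import ipaddress

def check_t0_plan(uplinks, ha_vip, next_hop, edge_mgmt_ips):
    """Return a list of problems in a tier-0 uplink addressing plan ([] if clean)."""
    ifaces = {n: ipaddress.ip_interface(c) for n, c in uplinks.items()}
    vip = ipaddress.ip_interface(ha_vip)
    hop = ipaddress.ip_address(next_hop)
    mgmt = {ipaddress.ip_address(ip) for ip in edge_mgmt_ips}
    problems = []

    # The HA VIP is bound to both uplink interfaces, so all three share one subnet.
    if len({i.network for i in ifaces.values()} | {vip.network}) != 1:
        problems.append("uplinks and HA VIP are not all in one subnet")

    seen = {}  # address -> first name that claimed it
    for name, iface in list(ifaces.items()) + [("HA VIP", vip)]:
        if iface.ip in seen:
            problems.append(f"{name} reuses the address of {seen[iface.ip]}")
        seen.setdefault(iface.ip, name)
        if iface.ip in mgmt:  # step 10: must differ from Edge management IPs
            problems.append(f"{name} collides with an Edge management IP")
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} is a network or broadcast address")

    # The default route's next hop must be reachable on the uplink subnet.
    if hop not in vip.network:
        problems.append("next hop is not on the uplink subnet")
    if hop in seen:
        problems.append(f"next hop equals {seen[hop]}")
    return problems

# Values from the procedure's examples; the management IPs are constructed.
PLAN = dict(
    uplinks={"TIER-0_VWT-UPLINK1": "10.197.154.1/24",
             "TIER-0_VWT-UPLINK2": "10.197.154.2/24"},
    ha_vip="10.197.154.3/24",
    next_hop="10.197.154.253",
    edge_mgmt_ips=["192.0.2.11", "192.0.2.12"],
)

if __name__ == "__main__":
    for line in check_t0_plan(**PLAN) or ["plan is consistent"]:
        print(line)
```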

Configure NSX Route Maps on Edge Tier-0 Gateway

When you deploy vSphere IaaS control plane, the route maps created on the edge tier-0 gateway in eBGP mode contain an IP prefix with only a deny rule. This blocks routes from getting advertised to the ToR switches.

If you are using the Edge cluster only for Kubernetes - Workload Management, follow option 1 and deactivate tier-1 route advertisements. If you are using the Edge cluster for additional tasks, follow option 2 and create a new allow rule.

Option 1: Deactivate Advertisements of Tier-1 Connected Networks through Tier-0 Gateway

With this option, networks connected to the tier-1 gateway are not advertised from the tier-0 gateway to outside networks.

  1. Log in to the NSX Manager.
  2. Select Networking > Tier-0 Gateways.
  3. Click Edit.
  4. In the Advertised Tier-1 Subnets section, deselect Connected interfaces and Segments.
  5. Click Apply and then click Save.

Option 2: Create New Allow Rule and Apply it to Route Re-Distribution

When you deploy vSphere IaaS control plane, a new deny rule is appended to the route map. You must therefore add a new permit rule: create an IP prefix list that permits any network, create a route map that uses it, and apply that route map to the route redistribution rule as the last rule.

  1. Log in to the NSX Manager.
  2. Select Networking > Tier-0 Gateways.
  3. Create a new IP prefix list.
    1. Expand Routing.
    2. Click 1 next to IP Prefix Lists.
    3. In the Set IP Prefix List dialog box, click Add IP Prefix List.
    4. Enter a name, for example, test and click Set.
    5. Click Add Prefix.
    6. In Network, click Any and in Action, select Permit.
    7. Click Apply and then click Save.
  4. Create a route map for the IP prefix list created in step 3.
    1. Click Set next to Route Map.
    2. Click Add Route Map.
    3. Add new match criteria with IP prefix.
    4. Select the IP prefix created in step 3 and action Permit.
    5. Click Apply and then click Save.
  5. Apply edited route map to route re-distribution.
    1. On the Tier-0 Gateways page, expand Route Re-Distribution and click Edit.
    2. From the drop-down menu in the Route Map column, select the route map you created in step 4.
    3. Click Apply and then click Save.
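Why the permit rule has to be the last rule, as an added example (a simplified model, not NSX code): rules are assumed to be evaluated in order with the first match deciding, a prefix with no matching rule is assumed not to be advertised, and a rule is assumed to match any prefix inside its network. All prefixes are constructed.

```python
import ipaddress

ANY = "ANY"

def evaluate(rules, prefix):
    """Return the action of the first matching rule; no match means DENY."""
    net = ipaddress.ip_network(prefix)
    for match, action in rules:
        if match == ANY or net.subnet_of(ipaddress.ip_network(match)):
            return action
    return "DENY"

def advertised(rules, prefixes):
    """Prefixes that would be advertised to the ToR switches under these rules."""
    return [p for p in prefixes if evaluate(rules, p) == "PERMIT"]

# Constructed data: one range covered by the deployment-added deny rule,
# plus two unrelated networks that the Edge cluster also serves.
DENIED = "10.244.0.0/20"
CANDIDATES = ["10.244.0.0/24", "172.16.10.0/24", "172.16.20.0/24"]

DENY_ONLY = [(DENIED, "DENY")]                 # state after deployment
PERMIT_LAST = DENY_ONLY + [(ANY, "PERMIT")]    # Option 2: permit any, last
PERMIT_FIRST = [(ANY, "PERMIT")] + DENY_ONLY   # wrong order: deny never reached

if __name__ == "__main__":
    for label, rules in [("deny only", DENY_ONLY),
                         ("permit last", PERMIT_LAST),
                         ("permit first", PERMIT_FIRST)]:
        print(f"{label:13} -> {advertised(rules, CANDIDATES)}")
```

With the permit rule ahead of the deny rule, the denied range is advertised as well, so check the rule order after applying the route map.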

Create a Tier-1 Gateway

A tier-1 gateway is typically connected to a tier-0 gateway in the northbound direction and to segments in the southbound direction.

Prerequisites

Verify that you have created a tier-0 gateway.

Procedure

  1. Log in to the NSX Manager.
  2. Select Networking > Tier-1 Gateways.
  3. Click ADD TIER-1 GATEWAY.
  4. Enter a name for the gateway. For example, ContainerAviT1.
  5. Select a tier-0 gateway to connect to this tier-1 gateway. For example, ContainerT0.
  6. Select the NSX Edge cluster. For example, select EDGECLUSTER1.
  7. After you select an NSX Edge cluster, a toggle gives you the option to select NSX Edge nodes.
  8. Select a failover mode or accept the default option of Non-preemptive.
  9. Accept the default options for remaining settings.
  10. Click SAVE.
  11. (Optional) Configure service interfaces, static routes, and multicast settings. You can accept the default values.

Create a Tier-0 Uplink Segment and Overlay Segment

The tier-0 uplink segment provides the North-South connectivity from NSX to the physical infrastructure. The overlay segment provides the Service Engine management NIC with the IP address.

Prerequisites

Verify that you have created a Tier-0 gateway.

Procedure

  1. Log in to the NSX Manager.
  2. Select Networking > Segments > ADD SEGMENT.
  3. Enter a name for the segment.
    For example, TIER-0-LS-UPLINK.
  4. Select the transport zone previously created.
    For example, select vlanTZ.
  5. Toggle the Admin Status to enable it.
  6. Enter a VLAN ID of the Tier-0 gateway.
    For example, 1089.
  7. Click Save.
  8. Repeat steps 2-7 to create an overlay segment nsxoverlaysegment with transport zone nsx-overlay-transportzone.