NSX-T Series: Part 16 – NSX-T Segment T1 Gateway with EDGE Cluster(SR)
Introduction
In this part we will explore the traffic behaviour of an NSX-T segment attached to a T1 gateway that is mapped to an Edge cluster (SR), and the design decisions that should be followed in a production environment.
If you want to start from the beginning, refer to the previous parts of the series:
NSX-T Series : Part 1 -Architecture and Deploy
NSX-T Series : Part 2 – Adding Compute Manager
NSX-T Series : Part 3 – Planning NSX VXLAN
NSX-T Series : Part 4 – Transport Zones and Use cases for Multi-Transport Zone
NSX-T Series: Part 5 – NSX-T N-VDS and VDS 7.0
NSX-T Series: Part 6 – NSX-T Uplink Profile
NSX-T Series: Part 7 – NSX-T ESXi Transport Node
NSX-T Series: Part 8 – NSX-T Logical Switching Use Cases
NSX-T Series: Part 9 – NSX-T Logical Switching Services
NSX-T Series: Part 10 – NSX-T Routing
NSX-T Series: Part 11– NSX-T Multi-Tier Routing
NSX-T Series: Part 12 – NSX-T EDGE Deploy Part-1
NSX-T Series: Part 13 – NSX-T EDGE Deploy Part-2
NSX-T Series: Part 14 – NSX-T Segment without IP Subnet/Gateway
NSX-T Series: Part 15 – NSX-T Segment with T1 Gateway without EDGE Cluster
Scenario 3.2: T1 with Edge Cluster (SR)
In the previous part we went through distributed routing, which provides routing that is highly available without involving any Edge node. In this scenario we will walk through the role the deployed Edge plays.
As a design decision, map an Edge cluster to a T1 only when you need to consume SR (services router) features such as the Gateway Firewall, NAT, or IPSec VPN.
In that case the north-south traffic path goes via the Edge cluster, and the T1 SR can only be deployed in Active/Standby mode.
As we know, the DR component is instantiated on every transport node that hosts the workload, and it handles east-west routing. When we map the T1 to an Edge cluster, an SR component is additionally instantiated on the Edge nodes of that cluster.
- Topology: T1 with Edge cluster
- In the following topology two segments (10.1.1.0/24 and 20.1.1.0/24) are attached to the same T1 gateway.
- The DR is instantiated on all transport nodes, which includes the ESXi hosts and the Edge nodes.
- The SR is started on the Edge nodes when a service is configured, in Active/Standby mode, so only one Edge node receives data-plane traffic at a time. On an Edge node, `get logical-routers` in the NSX CLI lists both the DR and the SR instance of the T1; an ESXi transport node lists only the DR.
- The transit segment between the DR and the SR is auto-generated by the system as an internal overlay segment.
- The DR-side IP of the DR-SR transit segment is the same for every T1 (169.254.0.1 in the topology below).
Design Decision
>> It is very important to understand that in a production setup a T1 should be mapped to an Edge cluster only when there is an SR service requirement. Otherwise every north-south flow of that T1 is forced through the single active Edge node (the T1 SR is Active/Standby), which adds an Edge hop and host-to-Edge overlay traffic without providing any service in return.
>> The ideal case is a T0 running Active/Active for north-south routing and switching, with the T1 serving the SR services. This design keeps the ECMP benefit of Active/Active at the T0 layer and places the SR services at the T1 layer, where new Edge clusters can be scaled out on demand.
>> NOTE: Traffic between segments of the same T1 is routed by the DR on the host and never reaches the T1 SR, so east-west security cannot be enforced by the T1 Gateway Firewall; it must be handled by the Distributed Firewall.
>> Config maximum: as of release 3.1.2, up to 4000 T1 gateways can be attached to one Edge cluster (see the configmax link below).
https://configmax.vmware.com/guest?vmwareproduct=NSX-T%20Data%20Center&release=NSX-T%20Data%20Center%203.1.2&categories=17-0,18-37,18-46,18-32,18-33
>> In a large cloud setup the T1 SR Edge clusters can be managed by the platform per service: if only IPSec is required, a dedicated cluster can be deployed for it (and likewise for NAT). In practice, once services are instantiated, several usually run side by side, such as NAT with the Gateway Firewall, or IPSec with the Gateway Firewall. This decision distributes the data plane from the T0 across the Edge clusters according to the services each tenant requires. (NOTE: a T1 can be mapped to only a single Edge cluster. **)
T0 to T1 traffic distribution on the basis of service
>> When integrating other NFV services it is very important to understand the placement of the T1 SR, because with the AVI load balancer (NSX Advanced Load Balancer) the T1 is connected to the AVI Service Engines (SEs).
For such deployments the AVI SEs and the T1 Edge nodes should be placed on the same cluster to minimise east-west traffic. However, if the ESXi cluster hosting the Edge VMs is not prepared for NSX-T (which ideally it should not be), the AVI SEs, which need NSX-prepared hosts for their overlay segments, cannot be provisioned on that same cluster. The same applies to other NFV solutions such as F5 when the T1 connects over an overlay network to the F5 or other appliance.
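The design rules above (map a T1 to an Edge cluster only when an SR service is needed, T1 SR is always Active/Standby, one Edge cluster per T1, 4000 T1s per cluster) can be turned into a pre-flight check before a tenant T1 is created by automation. The following Python is an added example written for this post, not code from NSX-T or from the author; the T1 IDs, T0 path and Edge cluster UUID are assumed sample values, and the Policy API paths and field names (`tier0_path`, `ha_mode`, `route_advertisement_types`, `edge_cluster_path`) are as documented for the NSX-T Policy API and should be checked against the API guide for your release. It makes no network calls: it only decides whether an SR is needed and emits the API calls that would realise the T1.

```python
"""Pre-flight check for the T1 -> Edge cluster design rule discussed above.

Hypothetical example (not NSX-T code): given a tenant's T1 request, decide
whether the T1 needs an SR (and therefore an Edge cluster), enforce the
Active/Standby and per-cluster-limit constraints, and emit the NSX-T Policy
API calls that would realise it.  No network calls are made.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Services that only exist on the SR (centralised) component of a T1.
SR_SERVICES = {"GATEWAY_FIREWALL", "NAT", "IPSEC_VPN", "LOAD_BALANCER"}

# Per-Edge-cluster T1 limit quoted in the post for NSX-T 3.1.2 (configmax).
MAX_T1_PER_EDGE_CLUSTER = 4000

# Policy path prefix for Edge clusters in the default site/enforcement point.
EDGE_CLUSTER_PREFIX = "/infra/sites/default/enforcement-points/default/edge-clusters/"


@dataclass
class T1Request:
    t1_id: str                         # assumed sample ID, e.g. "t1-tenant-a"
    tier0_path: str                    # assumed, e.g. "/infra/tier-0s/t0-prod"
    services: Set[str] = field(default_factory=set)
    edge_cluster_id: Optional[str] = None   # UUID of the Edge cluster, if any


@dataclass
class Plan:
    needs_sr: bool
    warnings: List[str]
    calls: List[Tuple[str, str, dict]]   # (HTTP method, Policy API path, JSON body)


def plan_t1(req: T1Request, t1_count_per_cluster: Dict[str, int]) -> Plan:
    """Return a Plan, or raise ValueError when the request cannot be realised.

    t1_count_per_cluster maps an Edge cluster UUID to the number of T1s
    already mapped to it (what you would count from GET .../locale-services).
    """
    unknown = req.services - SR_SERVICES
    if unknown:
        raise ValueError(f"unknown service(s): {sorted(unknown)}")

    needs_sr = bool(req.services)
    warnings: List[str] = []

    # Rule 1: an SR service cannot run without an Edge cluster to host the SR.
    if needs_sr and req.edge_cluster_id is None:
        raise ValueError(
            f"{sorted(req.services)} run on the SR; map the T1 to an Edge cluster")

    # Rule 2: an Edge cluster with no SR service only adds an Edge hop.
    if not needs_sr and req.edge_cluster_id is not None:
        warnings.append(
            "no SR service requested: mapping to an Edge cluster pins all "
            "north-south traffic of this T1 to one active Edge node for no benefit")

    # Rule 3: respect the per-cluster T1 limit.
    if req.edge_cluster_id is not None:
        used = t1_count_per_cluster.get(req.edge_cluster_id, 0)
        if used >= MAX_T1_PER_EDGE_CLUSTER:
            raise ValueError(
                f"Edge cluster {req.edge_cluster_id} already holds {used} T1s "
                f"(limit {MAX_T1_PER_EDGE_CLUSTER})")

    t1_body = {
        "display_name": req.t1_id,
        "tier0_path": req.tier0_path,
        "route_advertisement_types": ["TIER1_CONNECTED"],
    }
    if req.edge_cluster_id:
        # A T1 SR can only be Active/Standby (Rule 4 from the post).
        t1_body["ha_mode"] = "ACTIVE_STANDBY"
    # Advertise the prefixes each SR service needs the T0 to learn.
    if "NAT" in req.services:
        t1_body["route_advertisement_types"].append("TIER1_NAT")
    if "IPSEC_VPN" in req.services:
        t1_body["route_advertisement_types"].append("TIER1_IPSEC_LOCAL_ENDPOINT")
    if "LOAD_BALANCER" in req.services:
        t1_body["route_advertisement_types"].append("TIER1_LB_VIP")

    calls = [("PATCH", f"/policy/api/v1/infra/tier-1s/{req.t1_id}", t1_body)]
    if req.edge_cluster_id:
        # The Edge cluster mapping lives on the T1's locale-services object;
        # this is the call that instantiates the SR on the Edge nodes.
        calls.append((
            "PATCH",
            f"/policy/api/v1/infra/tier-1s/{req.t1_id}/locale-services/default",
            {"edge_cluster_path": EDGE_CLUSTER_PREFIX + req.edge_cluster_id},
        ))
    return Plan(needs_sr, warnings, calls)


if __name__ == "__main__":
    cluster = "11111111-2222-3333-4444-555555555555"   # assumed UUID
    for req in (
        T1Request("t1-tenant-a", "/infra/tier-0s/t0-prod", {"NAT", "GATEWAY_FIREWALL"}, cluster),
        T1Request("t1-tenant-b", "/infra/tier-0s/t0-prod", set(), cluster),   # needless mapping
        T1Request("t1-tenant-c", "/infra/tier-0s/t0-prod"),                   # DR only
    ):
        plan = plan_t1(req, {cluster: 12})
        print(req.t1_id, "needs_sr:", plan.needs_sr, "warnings:", plan.warnings)
        for method, path, body in plan.calls:
            print("  ", method, path, body)
```

The `warnings` list is the point of the check: tenant B gets a valid configuration, but the tool flags that the Edge mapping buys nothing, which is exactly the production mistake the design decision above warns about.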
Nice article Abhishek, as always. But I guess there is one error in the first diagram (the ESXi-1). The Seg_B subnet should be 20.0.0.0/24 instead of 10.0.0.0/24.
Hi Arunabha,
Thanks for your kind response, I have updated the figure.
It's perfect now.