Hi guys, great video series, Director 10.5 changed all menus, really appreciated a 'VCD NSX T Northbound Routing' update 😁
Appreciated if you could explain in what scenario we should use dedicated T0 and VRF Lite w.r.t. vCD, where we could have many PVDCs and this is within the enterprise customer.
Thanks Romain for sharing, I have a few queries, would be great if you could respond.
1. What's the significance of parent Tier-0 BGP peering with TOR if we are only to use Tier-0 VRF gateways in vCD, having said that we don't intend to use parent Tier-0 for any other purpose from NSX? Having said that, we can either import parent Tier-0 or Tier-0 VRF gateway in vCD, not both at the same time. Can we use Tier-0 VRF without having parent Tier-0 peered with TOR?
2. Can a tenant configure static routing in vCD on a Tier-0 VRF gateway if that is dedicated to the vCD tenant, in case the dedicated VRF external networks are WAN/MPLS and Internet? Or do we need to have BGP peering with both WAN/MPLS and Internet external interfaces?
I guess I've got the answer to my queries.
1. If you want to use an overlay segment as uplink/external network to Tier-0 VRF GW to reach the BGP neighbor configured at TOR, you need to have BGP peering of parent Tier-0 with TOR; that way Tier-0 VRF GW will be able to reach TOR (i.e. via parent Tier-0 routing table). In case a VLAN-based segment is used for VRF uplinks/external networks, you are already in the physical world or connected to TOR, you don't need parent Tier-0 in any way, BGP peering can be directly established with TOR. So for shared Internet for tenants of vCD we can use either VRF Tier-0 GW or parent Tier-0 GW, keeping in mind we can only import either VRF GW or parent GW.
2. Static routes can be configured in NSX-T only, not available in vCD UI, even though it's dedicated.
And both the options BGP/Static are supported for MPLS/WAN, however only BGP is supported for Internet uplink, as Tier-0 VRF GW has to advertise NAT public IPs to TOR whenever NAT rules are created.
Would be great if you could validate whether my understanding is correct or not.
@shumailahmed7154 I only saw your comments today. The "parent" Tier-0's sole purpose is to run the VRF instance. You don't need to peer it with physical routers, but you need to do it if you want to have an additional layer of T0 connected via overlay.
Indeed, static routes are not available yet in self-service, it's a roadmap item. In the meantime, it's possible to configure such routes via NSX-T as a day-2 operation by the system admin.
From a pure technical point of view, you could do static routes even for Internet but it's a nightmare to maintain.
Thanks for the wonderful series. As we got from the series, T0 should be used for northbound routing under T0 a-a cluster, but SR service should be on T1 under a-s edge cluster. So is it better to put T1 edge cluster near to VM? N to edge cluster in dedicated cluster
It depends on many factors, all options are valid (and less opinionated than in NSX-V). NSX-T edges close to your workloads are fine, as well as in the management cluster or in a dedicated vSphere edge cluster.
@RomainDECKER Thanks
I have another query regarding SNAT in NSXT
when I have a scenario where 10.1.1.0/24 subnet is under T1 (Edge from vCD standpoint) and we have the SNAT option, when I configure Source 10.1.1.0/24 Destination 0.0.0.0/0 SNAT External IP 1.1.1.1, it is throwing me an error
Address 0.0.0.0/0 overlaps with Segment path=[/infra/segments/14cb618c-0516-455d-8696-932513324904] that has subnet 10.1.1.0/24., error code 500105
Do we need to write some pre-rules for not matching the internal subnet?
When I do this via Manager it works
@abhishekkunal51 Based on what you described, I wouldn't put the destination (0.0.0.0/0) at all. Why do you need it? By default, the traffic will be SNAT'd to everything.
@RomainDECKER Thanks Romain for the reply, yes you are right, when I defined the field in the other way it worked for me.