NSX-T Series: Part 11 – NSX-T Multi-Tier Routing
In this part, “NSX-T Series: Part 11 – NSX-T Multi-Tier Routing”, we will discuss the difference between the T0 and T1 gateways and how the routing architecture is designed.
If you want to start from the beginning, you can refer to the previous parts of the series:
NSX-T Series : Part 1 -Architecture and Deploy
NSX-T Series : Part 2 – Adding Compute Manager
NSX-T Series : Part 3 – Planning NSX VXLAN
NSX-T Series : Part 4 – Transport Zones and Use cases for Multi-Transport Zone
NSX-T Series: Part 5 – NSX-T N-VDS and VDS 7.0
NSX-T Series: Part 6 – NSX-T Uplink Profile
NSX-T Series: Part 7 – NSX-T ESXi Transport Node
NSX-T Series: Part 8 – NSX-T Logical Switching Use Cases
NSX-T Series: Part 9 – NSX-T Logical Switching Services
NSX-T Series: Part 10 – NSX-T Routing
Multi-Tier Topology
Multi-tier routing can be defined by many scenarios, but in a VMware-defined data center it refers to multi-tenant or multi-application scenarios. In a multi-tenant environment, provisioning is always a pain when the routing and infrastructure are prepared manually, though this can be solved by automation.
When we look at a multi-tenant/application network topology in NSX-V, we usually define separate EDGEs, and sometimes even separate DLRs. In that case, when we need to route traffic from VM1 of APP1 to VM2 of APP2, the traffic follows the routing path below, which is not an optimal way to switch and route it: the traffic has to leave the hypervisor multiple times even though VM1 and VM2 sit on the same ESXi host.
APP1 VM1 -> DLR 1 -> EDGE 1 -> PHY Router/Switch/FW -> EDGE 2 -> DLR 2 -> APP2 VM2
With NSX-T we can solve this basic issue and optimize the traffic path for multi-tier/application traffic. One can visualize it as a DLR sitting above DLR1 (Tenant1) and DLR2 (Tenant2).
Tier-0 Gateway
The major role of the Tier-0 Gateway is to connect to the physical infrastructure and terminate BGP routing for external connectivity.
The major point to note here is that a single Tier-0 can be configured per NSX-T Edge cluster, so if we have to create multiple T-0s we need to deploy more Edge clusters (though for multi-tenancy we can use the VRF-Lite feature discussed in our previous blog).
Tier-1 Gateway
The Tier-1 Gateway is the first-hop router for VMs and isolates one tenant from another, but if we have colliding IP subnets we need to plan for either VRF Lite or a separate T-0 Gateway.
It can also host a Service Router, but only for a limited set of services (for example, NAT), because most of the SR features are defined on the T0 Gateway. Check the release notes for changes, as this keeps getting updated in new versions.
Benefits:
- Tenant Isolation
- Separate control for Infra and Tenant admin
- Eliminates dependency on physical infrastructure when a new tenant is provisioned
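A planning check for the Tier-1 rules above, added here as an example (not the author's or VMware's code): it groups Tier-1 gateways by the routing domain they attach to, lists tenant pairs that share an uplink and therefore need DFW and gateway firewall policy for isolation (as the author's reply in the comments describes), and flags colliding subnets that need VRF Lite or a separate T-0. The topology dict, gateway names and subnets are constructed sample data, and no NSX API is called.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample plan: each Tier-1 names its upstream routing domain
# (a Tier-0, or a VRF on it) and its segments. All names are hypothetical.
TOPOLOGY = {
    "t1-tenant-a": {"uplink": "t0-shared", "subnets": ["10.10.1.0/24", "10.10.2.0/24"]},
    "t1-tenant-b": {"uplink": "t0-shared", "subnets": ["10.20.1.0/24"]},
    "t1-tenant-c": {"uplink": "t0-shared", "subnets": ["10.10.2.128/25"]},
    "t1-tenant-d": {"uplink": "t0-shared/vrf-d", "subnets": ["10.10.1.0/24"]},
}


def audit(topology):
    """Return (shared_pairs, collisions) for a planned multi-tier topology.

    shared_pairs: Tier-1 pairs on the same uplink; they can reach each other
                  through it, so isolation must come from firewall policy.
    collisions:   overlapping subnets inside one routing domain; these need
                  VRF Lite or a separate Tier-0 before they can coexist.
    """
    by_uplink = defaultdict(list)
    for name, cfg in topology.items():
        by_uplink[cfg["uplink"]].append(name)

    shared_pairs, collisions = [], []
    for uplink, members in sorted(by_uplink.items()):
        for a, b in combinations(sorted(members), 2):
            shared_pairs.append((uplink, a, b))
            for sa in topology[a]["subnets"]:
                for sb in topology[b]["subnets"]:
                    na = ipaddress.ip_network(sa)
                    nb = ipaddress.ip_network(sb)
                    if na.overlaps(nb):
                        collisions.append((uplink, a, sa, b, sb))
    return shared_pairs, collisions


if __name__ == "__main__":
    pairs, clashes = audit(TOPOLOGY)
    for uplink, a, b in pairs:
        print(f"{a} <-> {b} share {uplink}: isolate with DFW (east-west) "
              "and gateway firewall (north-south)")
    for uplink, a, sa, b, sb in clashes:
        print(f"COLLISION on {uplink}: {a} {sa} overlaps {b} {sb}: "
              "move one tenant to VRF Lite or a separate T-0")
```

Tenant D reuses 10.10.1.0/24 without a collision because it sits in its own VRF, while tenants A and C collide because both hang off the same uplink.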
Summary
In this blog, we discussed the difference between the T0 and T1 gateways and how the routing architecture is designed. In a further blog we will discuss the services of NSX. Thanks for visiting the blog. Happy Learning!
Hello Abhishek, thank you for all the wonderful articles.
I have a question regarding the multi-tenant setup in NSX-T: are you saying that traffic now doesn’t have to leave the NSX-T environment to the physical to switch between tenants, but rather traffic is routed through the T0 router since the tenant hangs off the T0?
Hi Abdul,
Yes, this is the major change from V to T.
Hi Abhishek,
On an NSX-T 3.1 multi-tenant environment, can we achieve complete isolation by using Gateway firewall policies? Or a combination of GW and DFW policies? Or is it only possible via VRF Lite?
I’m also interested in the answer.
Hi Siva,
Thanks for going through the blog.
If you are looking for complete isolation, then in that case you need to check how T1 is connected to T0.
If you have T0 ( vrf-lite ) and in North you have VRF on router for each tenant then in that case GFW, DFW is not required.
But if you are merging T1’s on single T0 then in that case you need to play with DFW for east-west traffic and for N-S Gateway FW.
If you have any questions let me know, I’ll blog it in a detailed way.