NSX DLR and ESG with OSPF – Part 5 – Configure OSPF

This is part 5 of the NSX Distributed Logical Router (DLR) and Edge Services Gateway (ESG) with OSPF configuration guide, describing the configuration of OSPF and DLR DHCP Relay to an external DHCP Server.

This is a five part series describing the steps to deploy DLR and ESG with OSPF:

What are we trying to do in this section?

  • Configure OSPF Area 0 on the DLR and ESG
  • Allow the ESG to publish the Default Route via OSPF
  • Configure the DLR as a DHCP Relay for all “Internal” DLR Interfaces
  • Configure a Static Route on the External Router for the NSX networks.
  • Test DHCP Relay, East-West traffic via the DLR and North-South traffic via the ESG.

A diagram to clarify things:

[Diagram: OSPF and DHCP Relay overview]

Configure OSPF on the Distributed Logical Router (DLR)

  1. Login to the vSphere Web Client with an account that has NSX and vCenter Admin privileges.
  2. Select “Home” and then the “Networking & Security” icon to access “NSX Home”.
  3. Select “NSX Edges”, the correct “NSX Manager” IP Address and then double click the “Logical Router” object deployed in Part 3.
  4. In the “Logical Router” Management window, select the “Manage” object, the “Settings” tab and then the “Interfaces” object.
  5. In the “Interfaces” window, verify that a single “Uplink” and two “Internal” interfaces exist.
  6. Select the “Firewall” tab and press the red “Disable” button.  The firewall is now disabled.
  7. Select the “Routing” tab and press the “Global Configuration” object.  Then press the “Dynamic Routing Configuration” “Edit” button.
  8. In the “Edit Dynamic Routing Configuration” window, set the “Router ID” by selecting the configured interface from the drop-down list and then press “OK”.
  9. In the “Global Configuration” screen, press the “Publish Changes” button.
  10. Select the “OSPF” object and select the “Not-So-Stubby-Area” (Type NSSA) “Area ID” “51” under “Area Definitions” and press the red “X” to delete it.
  11. In the “OSPF” screen, press the green “+” sign under “Area Definitions” to add “Area ID” 0.
  12. In the “New Area Definition” window, enter “Area ID” “0”, “Type” “Normal”, “Authentication” “None” and then press the “OK” button.
  13. In the “OSPF” screen, press the green “+” sign under “Area to Interface Mapping” to add the “Uplink” interface to OSPF “Area ID” 0.
  14. In the “New Area to Interface Mapping” window, select the “Uplink” interface from the drop-down menu for “Interface”,  Area “0” from the drop-down menu for “Area” and then press the “OK” button.
  15. In the “OSPF” screen, press the “OSPF Configuration” “Edit” button.
  16. In the “OSPF Configuration” window, tick “Enable OSPF”, enter a free IP Address for the “Protocol Address”, the “Uplink” interface IP Address as the “Forwarding Address” and then press the “OK” button.
  17. In the “OSPF” screen, press the “Publish Changes” button.


Configure OSPF on the Edge Services Gateway (ESG)

  1. Login to the vSphere Web Client with an account that has NSX and vCenter Admin privileges.
  2. Select “Home” and then the “Networking & Security” icon to access “NSX Home”.
  3. Select “NSX Edges”, the correct “NSX Manager” IP Address and then double click the “NSX Edge” object deployed in Part 4.
  4. In the “NSX Edge” Management window, select the “Manage” object, the “Settings” tab and then the “Interfaces” object.
  5. In the “Interfaces” window, verify that a single “Uplink” and a single “Internal” interface exist.
  6. Select the “Firewall” tab and press the red “Disable” button.  The firewall is now disabled.
  7. Select the “Routing” tab and press the “Global Configuration” object.  Then press the “Dynamic Routing Configuration” “Edit” button.
  8. In the “Edit Dynamic Routing Configuration” window, set the “Router ID” by selecting the configured interface from the drop-down list and then press “OK”.
  9. In the “Global Configuration” window, verify that the “Default Gateway” configured in Part 4 is present.
  10. In the “Global Configuration” screen, press the “Publish Changes” button.
  11. Select the “OSPF” object and select the “Not-So-Stubby-Area” (Type NSSA) “Area ID” “51” under “Area Definitions” and press the red “X” to delete it.
  12. In the “OSPF” screen, press the green “+” sign under “Area Definitions” to add “Area ID” 0.
  13. In the “New Area Definition” window, enter “Area ID” “0”, “Type” “Normal”, “Authentication” “None” and then press the “OK” button.
  14. In the “OSPF” screen, press the green “+” sign under “Area to Interface Mapping” to add the “Uplink” interface to OSPF “Area ID” 0.
  15. In the “New Area to Interface Mapping” window, select the “Internal” interface from the drop-down menu for “Interface”,  Area “0” from the drop-down menu for “Area” and then press the “OK” button.
  16. In the “OSPF” screen, press the “OSPF Configuration” “Edit” button.
  17. In the “OSPF Configuration” window, tick “Enable OSPF”, tick “Enable Default Originate” and then press the “OK” button.
  18. In the “OSPF” screen, press the “Publish Changes” button.


Configure a Static Route on the External Router

The external router or firewall that is terminating the external network requires a “Static” route for the “10.x.x.x/255.0.0.0” networks created within NSX.  This is required for return traffic from the external router/firewall to make its way back into the NSX eco-system.  The instructions below describe adding a static route to the Huawei LTE 4G Router.

  1. Login to the Huawei LTE 4G Router management interface with URL: http://<Gateway IP Address> and the default credentials “admin/admin”.
  2. Select the “LAN” tab and then the “Static Routing” object.
  3. Then press the “Add” button.
  4. In the “Add Static Route” window, enter the “Destination IP Address” (eg. “10.0.0.0”), the “Subnet Mask” (eg. “255.0.0.0”), the “Router IP Address” (this is the IP Address from the ESG Uplink Interface) and then press the “Submit” button.
  5. Verify that the “Static Route” is listed.


Verify OSPF is running End-to-End

  1. Login to the vSphere Web Client with an account that has NSX and vCenter Admin privileges.
  2. Select “Home” and then the “VMs and Templates” icon to open the console to the “Distributed Logical Router” created in Part 3.
  3. Login to the DLR as “admin” with the password specified in Part 3.
  4. Enter the command “show ip ospf neighbor” and press “Enter”.  Verify that the “Neighbor” “State” is “Full/BDR”.
  5. Enter the command “show ip route” and press “Enter”.  Verify that the default route “0.0.0.0” is listed with “O” (OSPF derived) and “E2” (OSPF External Type 2).
  6. Before you run the next command, open a Console session via the C# client to the DLR virtual appliance.  This is because the ping exit “Control-C” sequence is not recognised from the Web Client.
  7. Enter the command “ping <external network Gateway IP Address>” and verify that ICMP responses are received.  Press “Control-C” to exit ping.
  8. Enter the command “ping <Google IP Address>” and verify that ICMP responses are received.  Press “Control-C” to exit ping.  You can find the Google IP Address with the command “nslookup google.com” from “Terminal” (OS X) or “CMD”/“PowerShell” (Windows 7).
  9. If ping responses are not received for this test, then test ping from the External Network Router/Firewall (eg. ping 10.0.0.1 – DLR Internal Interface Gateway IP)
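
The two checks from steps 4 and 5 can also be run against saved console output. The script below is an added example, not part of the original guide: it reports any expected neighbor that is not in the Full state, any neighbor that was not expected on the segment, and a default route that is not marked O E2. The sample output is constructed, and its column layout, the neighbor address 192.168.10.1 and the function names are assumptions.

```python
import re

# Constructed sample output; column layout and addresses are assumptions.
SAMPLE_NEIGHBORS = """\
Neighbor ID     Priority  Address         Dead Time  State      Interface
192.168.10.1    128       192.168.10.1    37         Full/BDR   vNic_2
"""
SAMPLE_ROUTES = """\
O   E2  0.0.0.0/0         [110/1]   via 192.168.10.1
C       10.0.0.0/24       [0/0]     via 10.0.0.1
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
STATE = re.compile(r"\b(Down|Attempt|Init|2-Way|ExStart|Exchange|Loading|Full)\b", re.I)

def ospf_neighbors(text):
    """Return {neighbor_id: state} for every row that starts with an IPv4 address."""
    found = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and IPV4.fullmatch(fields[0]):
            m = STATE.search(line)
            found[fields[0]] = m.group(1) if m else "unknown"
    return found

def default_route(text):
    """Return (route_codes, next_hop) for 0.0.0.0/0, or None when it is absent."""
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9* ]+?)\s+0\.0\.0\.0/0\s.*?via\s+(\S+)", line)
        if m:
            return m.group(1).split(), m.group(2)
    return None

def check(neigh_text, route_text, expected):
    """List every deviation from the state the verification steps ask for."""
    problems = []
    states = ospf_neighbors(neigh_text)
    for nid in sorted(expected):
        if states.get(nid, "absent").lower() != "full":
            problems.append(f"{nid}: adjacency is {states.get(nid, 'absent')}, not Full")
    # With area authentication set to None, any router on the segment can peer.
    for nid in sorted(set(states) - set(expected)):
        problems.append(f"{nid}: unexpected OSPF neighbor")
    route = default_route(route_text)
    if route is None:
        problems.append("no default route in the table")
    elif "O" not in route[0] or "E2" not in route[0]:
        problems.append(f"default route codes are {route[0]}, expected O E2")
    return problems
```

Calling check(SAMPLE_NEIGHBORS, SAMPLE_ROUTES, {"192.168.10.1"}) returns an empty list when both conditions hold.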


Configure DHCP Server on the Edge Services Gateway (ESG)

This will only work for an “Internal” interface that is directly connected to the ESG virtual appliance.  You cannot configure a DHCP Pool on an ESG and then use the DHCP Relay function from the DLR to get an IP address from the ESG.

Configure DHCP Relay on the Distributed Logical Router (DLR)

  1. Login to the vSphere Web Client with an account that has NSX and vCenter Admin privileges.
  2. Select “Home” and then the “Networking & Security” icon to access “NSX Home”.
  3. Select “NSX Edges”, the correct “NSX Manager” IP Address and then double click the “Logical Router” object deployed in Part 3.
  4. In the “Logical Router” Management window, select the “Manage” object, the “Settings” tab and then the “DHCP Relay” object.
  5. In the “DHCP Relay” screen, select the “DHCP Relay Global Configuration” “Edit” button.
  6. In the “Modify DHCP Relay Global Configuration” window, enter the IP Address of the external DHCP server in the “IP Addresses” field and press “OK”.
  7. In the “DHCP Relay” screen, select the green “+” button under “DHCP Relay Agents”.
  8. In the “Add DHCP Relay Agent” window, select the “Internal” interface of the DLR from the “vNIC” drop-down list, select the matching “Gateway IP address” from the drop-down list and then press “OK”.
  9. Do this for each “Internal” interface of the DLR.
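
Why the “Gateway IP address” chosen in step 8 has to match the interface's subnet: the relay agent writes that address into the giaddr field of each client request, and the external DHCP server picks its scope from giaddr. The sketch below is an added example, not part of the original guide, and models that exchange with the standard BOOTP header. 10.0.0.1 is the DLR internal gateway mentioned earlier; the second gateway 10.0.1.1, the /24 masks, the MAC address, the hop limit and all function names are assumptions.

```python
import ipaddress
import struct

BOOTP = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header: 236 bytes
COOKIE = bytes([0x63, 0x82, 0x53, 0x63])

def discover(mac, xid):
    """DHCPDISCOVER as a client broadcasts it: hops 0, giaddr 0.0.0.0."""
    zero = bytes(4)
    header = struct.pack(BOOTP, 1, 1, 6, 0, xid, 0, 0x8000,
                         zero, zero, zero, zero, mac, b"", b"")
    return header + COOKIE + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, end

def relay(packet, gateway_ip, max_hops=16):
    """Relay-agent handling of a client request before it is unicast to the server."""
    f = list(struct.unpack(BOOTP, packet[:236]))
    if f[0] != 1 or f[3] >= max_hops:      # not a BOOTREQUEST, or assumed hop limit hit
        return None
    f[3] += 1                              # hops
    if f[10] == bytes(4):                  # giaddr: only the first relay sets it
        f[10] = ipaddress.IPv4Address(gateway_ip).packed
    return struct.pack(BOOTP, *f) + packet[236:]

def select_scope(packet, scopes):
    """Server side: pick the pool whose subnet contains giaddr (bytes 24-27)."""
    giaddr = ipaddress.IPv4Address(packet[24:28])
    if int(giaddr) == 0:
        return None                        # not relayed; no remote scope applies
    for subnet in scopes:
        if giaddr in ipaddress.ip_network(subnet):
            return subnet
    return None

# Constructed values: scopes the external DHCP server would need, one per
# DLR "Internal" interface (masks and the second subnet are assumptions).
SCOPES = ["10.0.0.0/24", "10.0.1.0/24"]
MAC = bytes.fromhex("005056aabbcc")

def lease_scope(gateway_ip):
    """Scope the server selects when the relay agent uses gateway_ip as giaddr."""
    return select_scope(relay(discover(MAC, 0x1234), gateway_ip), SCOPES)
```

A relay agent bound to an address outside every configured scope, such as the DLR uplink, yields no scope, which is the usual reason a VM behind the relay never receives a lease.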

 


Power-On Two VMs and test DHCP Relay, E/W & N/S Traffic

  1. Assign the vNIC portgroups of the two test VMs to the separate Logical Switches that were defined for the DLR “Internal” interfaces.
  2. Power-on both VMs and open the consoles for both.
  3. Access the external DHCP server and verify that “Address Leases” exist for the two Virtual Machines.
  4. Verify that IP addresses have been assigned to each VM via DHCP.
  5. Ping each VM from the other and verify ICMP responses.
  6. Ping “google.com” from each and verify ICMP responses.
  7. From the Web browser of each VM, connect to the URL http://www.vmware.com
  8. Traceroute the other Virtual Machine’s IP address using the “traceroute” command and verify two hops are recorded (and vice-versa), proving that the DLR is routing from VM to VM.
  9. Configuration and Testing complete!

