17 Enabling BGP on NSX DLR and Edge Routers

Captions
You there with BGP? Yeah, you know me. You there with BGP? Yeah, you know me. My friend, in this nugget we're going to enable the gold standard of internet routing, Border Gateway Protocol, and we can do so on both our edge service gateway devices connected up to the ISP; we can also support it in the interior using distributed logical routers. I'm looking forward to doing it together with you in this hands-on lab.

So to get our hands dirty with BGP, we're going to log on to the VMware Hands-on Labs, HOL 1903, the getting started lab. Fire up Google Chrome, log on as administrator@vsphere.local. Once we're logged on, we'll go ahead and click the home button up at the top and make our way down to Networking and Security. Of course, in the navigator, let's go ahead and select NSX Edges. We can see our two devices, one being a perimeter gateway and NSX edge device, the other one being distributed logical router. Let's select the NSX edge, double-click that to delve into the depths of its configuration, and to add support for BGP we're going to head over to the Manage tab, and what we're wanting to manage is routing support, so let's head over to Routing as its sub-setting.

The first thing to ensure we have is a router ID. Any router supporting OSPF or BGP needs a router ID, which is typically assigned based upon one of the IP addresses associated with an interface. We can see that's already been configured ahead of time here on 192.168.100.3. We can also see that BGP has already started. Let's take a look at that BGP configuration. We can see that the BGP service is listed as started and that we're using the local autonomous system value of 65001. We see the option for graceful restart has been started, and that means that even when BGP is going through a process of reconfiguration, it's still willing to forward on the data plane based upon the routing table it already has. Default originate is stopped, which means we do not promote ourselves automatically as a default gateway to interior BGP devices.

Then we have added a neighbor. Unlike OSPF, which dynamically discovers neighbors, BGP requires that we manually configure pointers to neighbors based upon their autonomous system number and IP address. Anytime there's communication between an autonomous system and a neighbor that's using a different autonomous system, as we see down here, a connection to 192.168.100.1 at autonomous 65002, that's when we're using external BGP, and that's exactly how routing is done on the internet, is with external BGP.

Now, before we do any other configuration, let's go enable BGP on our distributed logical router. So we'll go ahead and click the home button and head down to Networking and Security, and let's crack open NSX Edges and specifically edge 3, our logical router. For this device we need to make sure we're looking at the Routing tab, and let's start with the global configuration. The very first thing we need is some sort of router ID, so let's go ahead and click Edit in the dynamic routing configuration, and from the drop-down menu we can see we can add the transit network, because it supports uplink IDs automatically as router IDs, or we could add a custom ID; for example, we could enter in 2.2.2.2. This 32-bit value is never used for routing; it is only used as a way to identify this particular router versus other routers when looking at configuration tables. Let's click OK, and we can publish those changes.

In order to start supporting BGP on this router, we're going to go ahead and click BGP on the left-hand side, and we're going to go to the Edit button up at the top to initialize our configuration. First check mark is there to enable BGP, pretty straightforward. We can enable a graceful restart, which maintains the forwarding state even during the restart of the BGP process. The router continues to route even when BGP's service restarts; it doesn't lose the route when that happens. If you're wondering, when would I ever want to not have a graceful restart? It's actually something we have to turn off when we're going through an upgrade process of NSX routers. You'll notice that there's no default route originate here even available, and that's because as a DLR we are the end of the road, not a place where we would expect a default route to come from. Down at the bottom we need to define the local autonomous system number: what is the contextual identity of this router and all the routes that it might support? And that's going to be 65001. Then we'll click OK. When the autonomous system numbers are the same, as they are between the DLR and our edge services gateway, we're going to be using what's called interior BGP instead of exterior BGP. Once again, let's go ahead and click Publish Changes at the top.

Now that we've got our core BGP configuration in place, we can add neighbors, and we know we have a neighbor that is potentially available at 192.168.5.1; that's our edge services gateway, whereas this device, our distributed logical router, is currently running on 192.168.5.2 when it comes to that transit network that supports the connection between the two of them. So now we're ready to add our neighbor of the edge services gateway. So we'll click the green plus to add a new neighbor, and the first thing we need to do is select the IP address that we're connecting to and the IP address that will be the uplink address that we're connecting from, right? How do these two routers talk to each other to share BGP information? And we can use the drop-down menu to make this a little easier and select the interface of the transit network, and it'll pre-populate it with the forwarding address assigned to that interface, and then we can indicate the IP address that we're connecting to is 192.168.5.1; that's the edge services gateway.

But then we need a protocol address. We're adding a new IP address here, and the reason why is because the forwarding address is being used here on the data plane. This is going to be how each ESXi host that holds its own copy of the distributed logical router can forward frames to the edge services gateway, which it knows exists because of the shared protocol of BGP. But the BGP communication doesn't happen directly between the edge services gateway router and each and every ESXi host. Remember, to support dynamic routing protocols, what do we need to have? A control VM, and that control VM needs its own protocol IP address that is going to be used to support communication with the edge services gateway. And so that's what we're assigning here, is the control plane IP address that will be used by the control VM. We do not have to configure this as a separate IP address somewhere in the interface configuration; we just type it in right here and that's what it will use. So we'll use 192.168.5.3. It just has to be within the same subnet as our forwarding address.

For the remote autonomous system, we need to know what autonomous system 5.1 is using, because if it doesn't match, it will fail to connect. So we're going to put in 65001. We can leave the weight, keep alive and hold down time to their defaults for now, and those are values that determine priorities when we're looking at weight and we get a route from more than one source, as well as the keep alive and hold down time, which determine how long it takes for a route to essentially be pulled out of the routing table because I haven't heard from my neighbor in a while. We could add a password, but we're going to leave it blank for now, and of course we can add BGP filters, which can choose what information we actually are willing to accept or share with our BGP neighbor. For now we'll leave all that blank and click OK. Then we can publish our changes.

But now that we know that we're coming from 192.168.5.3 as our protocol address, we need to configure our edge services gateway to use us as a neighbor. So let's go back up to Home, down to Networking and Security, over to NSX Edges, open up the NSX edge, edge 1, make sure we're managing routing, select BGP on the left-hand side, and then click the green plus to add a neighbor. Because this is not a DLR, the configuration is actually a little bit simpler. Who's the neighbor? 192.168.5.3. Remember, when you're pointing to a DLR as a neighbor, you need to point to the protocol address, not the forwarding address. It'll learn the forwarding address when they communicate; the protocol address is how it communicates. And the remote autonomous system number at 5.3 is 65001. The weight, keep alive and hold down times are the same, password is left blank, filters are off. Now we can click OK. Let's publish our changes so the edge services gateway gets a little smarter, and let's see if our routers have learned anything.

Let's go over to VMs and Templates, let's expand region A1, let's log in to distributed router 1. With the distributed router selected, we'll go ahead and click on the thumbnail to log in, spacebar if we need to wake it up, and then we'll log in as admin with a password of vmware one exclamation point, vmware one exclamation point. And then the command in the CLI to be able to view the current routing table is show ip route, and sure enough, we see over here on the left-hand side a bunch of BGP-sourced routes. We have a gateway of last resort, a default gateway for this router to forward all unknown packets, and then a bunch of specific routes to be able to get to the 10, 20, 30, 60 and 70 networks. Then we have one more down at the bottom to be able to get to the 192.168.100 network. Perfect. So we definitely have a relationship between our distributed logical router and our edge services gateway, because otherwise we never could have learned this information.

Now let's go back to the vSphere web client, and let's select the perimeter gateway, and we'll click the thumbnail and log on in the same way. Here, let's do a show ip route in this locale, and our information here is a little different. We can see we are getting BGP information from 192.168.100.1. If we think about the continuum of our ISP router connected down to our edge services gateway connected down to our DLR, the reason why there's a default route propagated down to all of them with BGP is because default route originate was enabled at the ISP level and then works its way down to all subsequent routers that allow for it. When we looked at the distributed logical router, we saw in the routing table that there was information that had come from the edge services gateway with that B prefix that indicated yes, this is BGP information. But here, looking on the edge services gateway, we don't see any information coming the other direction, and if that's the case, that means we don't have bi-directional routing. The DLR is connected to networks 172.16.80.0 and 172.16.90.0, and there are no routes for those up here on the edge services gateway. Let's see if we can figure out why that's the case and correct that issue.

We'll go back to the web services client, and let's navigate back to our edge services gateways under Networking and Security, then on the left-hand side NSX Edges. Let's select edge 1, the NSX edge, double-click on that and head over to Routing. At the global configuration level we can see our router ID is set up, BGP is started. If we go down to BGP itself, we see it started, local AS, graceful restart; default originate is not enabled here, but it does propagate the default route that it learned from the ISP, and then we have our two neighboring routers. The key here is actually going to be found under Route Redistribution. It's in this location that we can see that we in fact are willing to redistribute information into BGP, and specifically down at the bottom, under the route redistribution table, we can see that we're willing to redistribute information that came from connected routes. This is how the BGP database is going to be initially populated on this router, with a list of connected routes that it's then willing to share with its other BGP neighbors. And if we want our DLR to be able to do the same thing, then we're going to need to configure an equivalent setting.

Let's click the back button until we're looking at our list of edge devices, and let's delve into edge 3, the logical router. Let's make sure we're looking at Route Redistribution, which on this device is already configured for OSPF to inject information into the OSPF database, but BGP is not enabled yet. So let's click the Edit button on the right-hand side, so we'll just start with a check mark in BGP and click OK, and then down at the bottom, under the route redistribution table, we'll click the green plus there, and from the drop-down menu let's select BGP and indicate that we allow learning from connected routes and leave it with the default action of permit. Then we'll click OK. Let's publish those changes, which immediately updates the control VM with the information necessary to now start speaking BGP correctly to other devices.

And now let's take a look at the perimeter gateway tab that we already have open, and we can just up arrow and show the ip route again, and take a look, my friend: we have a couple of new routes, 80 and 90, now learned, which are available to route via 5.2. Why is it not 5.3? Remember, 5.2 is the forwarding address, that's the ESXi DLR address; 5.3 was the control information, that's where the information came from.

If you want to see some more information about BGP here at the CLI, we can type in show ip bgp and press Enter, and here it displays the information in the BGP table, which includes the locally sourced connected routes (those all have a next hop of 0.0.0.0) and the adjacent routers that are either within the same autonomous system or, as we see with the default gateway, come from a different autonomous system, in this case 65002. When we're troubleshooting information about BGP regarding neighbors, we can type in show ip bgp neighbors and press Enter, and here at the top we see, ah, there it is, the BGP neighbor of 192.168.5.3. There's that control VM IP address with its autonomous system. It's currently up, that's a good thing. We see our hold and keep alive intervals that are configured. We can see the number of messages that have occurred, and if you're not getting the information that you're expecting, one of the things to look for is going to be, well, what did I even receive or send to that particular device? And if these numbers are not what you were expecting, then you might want to look at filters that might be blocking that, and redistribution, which determines what you're initially injecting into the BGP database and therefore are sharing with other neighboring BGP routers.

Down at the bottom we see our BGP neighbor 192.168.100.1. You can press spacebar, and we can see that from that device we received one route, our default gateway, but we advertised nine. And down at the bottom we have our connection between our local and remote hosts, identifying the IP addresses that were used and the ports that were used. Port 179 is used by one of the two devices to function as a server, and then we have an ephemeral port that is used on the other side to function as a client, so they establish a client-server TCP relationship. And in this example, this edge services gateway, as it's connecting up to the ISP, the server is on the local port side, so we're functioning as the server in this case and the ISP is functioning as the client. But as we connect down to the distributed logical router, the remote port is 179. That means that for that relationship the DLR is functioning as the server and the edge services gateway is functioning as the client. As long as we don't have a situation where both devices are trying to function as a server, we won't have any issues.

My friend, by going through this nugget you just successfully configured BGP on both your distributed logical router and your edge services gateway. I hope this has been informative for you, and I'd like to thank you for viewing.
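The peering rules walked through in the captions (ESG points at the DLR protocol address, both addresses on the transit subnet, remote AS matching the peer's local AS, password left blank) can be checked mechanically. This Python sketch is an added example, not part of the video or of NSX; the class and function names are hypothetical, the router names and addresses mirror the lab values above, and the /24 transit prefix is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Neighbor:
    peer_ip: str             # address this router's neighbor entry points at
    remote_as: int
    password: str = ""
    forwarding_ip: str = ""  # DLR only: data-plane address on the transit network
    protocol_ip: str = ""    # DLR only: control VM address that speaks BGP

@dataclass
class Router:
    name: str
    local_as: int
    neighbor: Neighbor

def session_type(local_as, remote_as):
    return "iBGP" if local_as == remote_as else "eBGP"

def check_peering(esg, dlr, transit):
    """Return findings for one ESG <-> DLR peering; an empty list means consistent."""
    net, out = ipaddress.ip_network(transit), []
    fwd, proto = dlr.neighbor.forwarding_ip, dlr.neighbor.protocol_ip
    for label, ip in (("forwarding", fwd), ("protocol", proto)):
        if ipaddress.ip_address(ip) not in net:
            out.append(f"DLR {label} address {ip} is outside {net}")
    if fwd == proto:
        out.append("DLR protocol address must differ from the forwarding address")
    peer = esg.neighbor.peer_ip
    if peer != proto:
        why = "the DLR forwarding address" if peer == fwd else "not a DLR address"
        out.append(f"ESG neighbor {peer} is {why}; point it at protocol address {proto}")
    for a, b in ((esg, dlr), (dlr, esg)):
        if a.neighbor.remote_as != b.local_as:
            out.append(f"{a.name}: remote AS {a.neighbor.remote_as} != "
                       f"{b.name} local AS {b.local_as}")
        if not a.neighbor.password:
            out.append(f"{a.name}: neighbor {a.neighbor.peer_ip} has no password set")
    return out

# Constructed sample mirroring the lab values; the /24 prefix is assumed.
TRANSIT = "192.168.5.0/24"
ESG = Router("edge-1", 65001, Neighbor("192.168.5.3", 65001))
DLR = Router("edge-3", 65001, Neighbor("192.168.5.1", 65001,
             forwarding_ip="192.168.5.2", protocol_ip="192.168.5.3"))
BAD_ESG = Router("edge-1", 65001, Neighbor("192.168.5.2", 65001))

if __name__ == "__main__":
    for finding in check_peering(BAD_ESG, DLR, TRANSIT):
        print(finding)
```

Run against the lab configuration as shown, the only findings are the two blank neighbor passwords; the `BAD_ESG` variant adds the forwarding-address mistake the captions warn about.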
Info
Channel: IT King
Views: 38
Id: 2y5WtLtqeH0
Length: 15min 17sec (917 seconds)
Published: Tue Nov 30 2021