How VRF Lite works in NSX-T 3.1 (Pt. 1)

Video Statistics and Information

Captions
Hey everybody, Mike here. Today I'm going to be talking to you guys about VRF Lite in NSX-T: what is it, what does it look like from a high-level architectural overview, and all of that stuff. As usual, I'm hoping to take out all of the fluff and just kind of distill it down to what you need to know about it. I won't be doing any implementation in this video, oh no, but it's definitely something I have on my radar, to actually show you guys how it works in real, you know, in the real lab, I guess. Real lab, lab production. We'll just call it lab production, how about that?

So that said, let's get to it. But before we do, you guys need to subscribe. I'm at 733 subs as of this recording right now. Still 733. I got to be honest with you guys: when I first started this channel I did all my research, and people were saying it was gonna take usually about two years to hit a thousand subs. I'm at 733 and this is month six. I can't tell you how awesome that is, and it's also kind of freaky. Like, who wants to watch me? That's kind of, I'm questioning your sanity right now. I'm done talking, let's get into the VRF Lite stuff.

So the first thing you should know about VRF Lite is that it ultimately is a feature in NSX-T that allows us to segment between tenants. So picture maybe I had, I don't know, an engineering department over here, and I had another engineering department for another part of the organization or something like that. I can segment between the two and I can keep the VMs in each of those tenants completely separate. They can be connected to separate segments, separate logical routers; everything is completely separate from a logical standpoint. Keep in mind this is all in software, so we're not needing to buy additional hardware. We could have, say, a single cluster of vSphere hosts, and we could have multiple tenants within that environment using VRF Lite.

Now, I know those of you that are really technical are probably wondering how NSX implements this. Well, the first thing I want to point out is there's no multi-protocol BGP or MPLS or anything like that behind the scenes. Basically NSX is just kind of chopping up the logical routers, and I'm going to get into that in a little bit, but that's at a high level how it works. That said, it does run BGP from the VRFs, and I'll explain some of the terminology, and I've got a slide coming up that'll make it a little bit clearer for you. But basically think about it like this: it runs BGP from NSX VRFs to non-NSX, so to your physical network, top-of-rack router, switches, whatever the case is. It'll run BGP between there, but there's no BGP, like, within NSX to implement VRF Lite, if that makes sense.

So the best way I can explain VRF Lite is, think about it like you're taking a tier-0, a tier-0 logical router, and you're kind of splitting it up. You're virtualizing it, in a way. So it's kind of the same way that vSphere did for physical servers, where we took a physical server, we virtualized everything, and then now you have a bunch of VMs, ultimately, which are just kind of mini servers living on that physical server. It's the same idea. So you're going to have your tier-0 that you had before, but now you're going to have individual VRFs within that tier-0, and they'll kind of look like a tier-0 in the GUI, but basically they'll inherit some things from that kind of parent T0.

So, some of those things that will not be inherited: each of those virtualized T0s, or VRFs, they'll get things like their own IPs. So your VRF will actually have its own external interface IPs going to the physical network. It'll also have its own BGP neighbors, which I'll show you in the next slide. It'll have its own gateway firewall, it'll run NAT on its own, and basically that's it. There's a couple of other things that you can tune and tweak for that VRF T0. But as far as things that are inherited from that parent T0, because remember, when you create the VRF you're basically going to link it to the parent, and when you link it to that parent it's going to inherit certain things. That'll be things like the HA mode, the edge cluster, BGP local AS number. So if I have, say, BGP local AS 100 on my parent T0, and I go say I want to create a VRF and I link it to that T0, well, guess what, I'm using AS 100 for that VRF instance as well.

So I know that was a lot of information, so let me break it down a little bit different. Let me show you how we did this the old way. So before there was VRF Lite, you could actually accomplish this functionality from NSX-T, but you kind of did it in, in my opinion, sort of a messy way. So let's take this example. We have this single vSphere host here, we've got a single tenant, we've got an edge cluster and a T0 sitting on top of that edge cluster. And by the way, when I say edge cluster, I want to be clear. If you followed my other videos through my NSX-T from scratch series this should be clear, but just in case it's not: when I say an edge cluster, I'm talking about a cluster that has multiple edge VMs inside of it. So when I say T0, for example, that would be actually living on an edge VM. That said, we also have the physical router here. This could be, again, this could be a physical router or a layer 3 switch, whatever the case is, it doesn't really matter.

Now let's say we wanted to set up this tenant. We go ahead and into the GUI, we say, okay, we want to create a T1, we link it to a T0. That's all pretty standard, that's the same NSX you know and love if you followed my other stuff. I go in there then and I say, okay, I'm going to create a segment. This is just a logical segment, it's an overlay segment, and I connect that to the T1. No big deal up until this point. At that point we then go to the T0, we set up BGP from the T0 directly to a physical router, and everything's good. We have routes being exchanged, so this physical router is learning about these segments, or these subnets I should say, over here from this segment A. It's learning about that via BGP, and vice versa, that T0 was learning about basically all routes outside of NSX from that physical router. So that's nothing new, or shouldn't be anything really new.

But let's expand it to another tenant. So now we have this tenant B here, and we go ahead and we create the same kind of constructs. We create a T1 there, we create this segment B here, we connect it to a T1. But here's the thing: we would have to create a separate edge cluster, and here's why. Because within NSX-T you can only have one T0 per edge cluster. So that's where it breaks, ultimately. When we were talking about multi-tenancy before, it's, yes, you could do it, but you had to have multiple edge clusters per tenant. So in this case I deploy another edge cluster, edge cluster 02, including my edge VMs. I deploy this, or configure this T0, I connect that T1 up to the T0, and then, you guessed it, I now configure BGP from this T0 to the physical network. This works fine, there's no reason why it doesn't work. I think the biggest problem is just a waste of resources, because we're talking about, what if you had 30 tenants? You would need 30 edge clusters and at least, you know, for HA, 60 edge VMs, which is just a huge waste.

So that's where VRF Lite comes into the picture. It comes into the picture to solve this mess right here. So let's take a look at the way NSX-T is doing this with VRF Lite. We have those same tenants here, we have tenant A, tenant B. I didn't change anything here. I still have a segment in each of these tenants, and they're connected to T1s. Now in this case I only have one edge cluster, and we'll just say, for example, again I didn't depict it on the slide here, but let's just say we have two edge VMs here. So we have, you know, we'll call it edge one, edge two, doesn't really matter. Logically it's all just one edge cluster.

Now inside of that edge cluster I've gone and I've said I want to create a T0, and I configure what's called a VRF in NSX-T Manager. So if you've ever set up a T0, you'll actually see there will be a drop-down where, instead of create a T0, you'll select VRF. When you create that VRF, basically that's that part where I said you're virtualizing the T0. So this blue VRF actually kind of looks and feels just like its own T0, but it's not. It's actually just kind of a child of this T0 that we have here, this green one. And then basically from there everything else is the same NSX. You know, you would go to your T1, and instead of your uplink being this T0, this green T0, your uplink would actually be blue-vrf. And then the same thing would be true for the other tenants. So we create, say, red-vrf, and then we link that T1 up to that red VRF. And then same thing as you saw here with the blue VRF, we set up BGP from the tenants directly from these VRFs. So it's not a requirement that you run BGP from the underlying, or from the parent T0, to the physical network. That's not a requirement at all. You would just basically be running BGP from the VRFs, if that makes sense.

Now I do want to mention that when we think about this design, you can tend to look at it and kind of think that, okay, well, how does it route between tenants, right? If I want to go from tenant A to tenant B, how do I do that? And the answer is that routing would actually have to happen on the physical fabric. So in this case you would actually route to your edge cluster, and then it would route out to the physical network and then come back in to go to that other tenant. Now there are ways that you can do it with static routing as well, but there are some caveats as well. There's some restrictions around NAT and that sort of thing, so just be aware of that. If you are interested in doing it, look through the release notes and that sort of thing. But for the most part it's safe to say that routing between tenants would occur generally, as of 3.1, through the physical fabric.

So that's all I have for you in this episode. I hope everyone's staying safe and healthy. Until next time, take care. Time to give the people what they want. [Music]
Info
Channel: NRDY Tech
Views: 1,817
Id: K6CG1-6WS4I
Length: 10min 3sec (603 seconds)
Published: Mon Nov 23 2020