NSX-T功能--交换、路由
在上一篇中,我们把NSX-T和vCenter结合,并部署好了Edge Cluster。现在我们试着将虚拟化网络的网关下移,并使用T0连接到物理网络。
做网络实验之前,我们通常会准备好网络拓扑、IP地址规划,路由规划等。
拓扑图
我们搭建两层虚拟路由器结构,T0提供南北向路由,两台T1提供东西向路由和相应子网的接入。
部署T0路由器
T0的外联
在虚拟网络,是没有连接线缆的。为了给T0一个外联的地点,我们建立一个Segment
注意:
- 选择transport Zone:tz-vlan,这样就和Edge的Vlan交换机结合起来了。
- VLAN填选‘0’,表示可以允许所有VLAN
配置T0路由器
HA-Mode要选择Active Standby,只有在这种模式下,T0才能提供有状态的服务。
配置出口port
BGP设置
配置BGP 邻居
配置路由转发,这里可能用到的是直连路由的转发、NAT和LB路由
在模拟的物理路由器上面看:
vyos@vyos:~$ show ip bgp neighbors
BGP neighbor is 192.168.100.3, remote AS 65001, local AS 65002, external link
Hostname: nsxt-edge-02
BGP version 4, remote router ID 192.168.100.3, local router ID 192.168.100.1
BGP state = Established, up for 00:02:23
Last read 00:00:20, Last write 00:00:23
Hold time is 180, keepalive interval is 60 seconds
BGP 邻居以及建立起来。
部署T1路由器
选择连接到T0路由器,并配置路由转发。
配置分段Segment
选择要连接的路由器
在Transport Zone选择Overlay的TZ
如果填写Subnet地址,这个是路由器的端口地址,也即是子网的网关。
配置好以后,可以在vCenter上面看到这些分段,注意图标和原有PortGroup不一样
检查路由分发
在模拟的物理路由器上面看路由信息
vyos@vyos:~$ show ip ro
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
S>* 0.0.0.0/0 [1/0] via 192.168.0.1, eth0, 6d01h39m
C>* 10.10.20.0/24 is directly connected, eth1, 6d01h39m
C>* 10.10.30.0/24 is directly connected, eth1, 6d01h39m
B>* 172.10.1.0/24 [20/0] via 192.168.100.3, eth1, 00:02:53
B>* 172.20.1.0/24 [20/0] via 192.168.100.3, eth1, 00:02:24
C>* 192.168.0.0/24 is directly connected, eth0, 6d01h39m
C>* 192.168.100.0/24 is directly connected, eth1, 6d01h39m
C>* 192.168.110.0/24 is directly connected, eth1, 6d01h39m
C>* 192.168.120.0/24 is directly connected, eth1.120, 6d01h39m
C>* 192.168.130.0/24 is directly connected, eth1.130, 6d01h39m
C>* 192.168.200.0/24 is directly connected, eth1, 6d01h39m
C>* 192.168.210.0/24 is directly connected, eth1.210, 6d01h39m
C>* 192.168.220.0/24 is directly connected, eth1.220, 6d01h39m
可以看到通过BGP学习到的172.20.1.0/24和172.10.1.0/24两段地址。
vyos@vyos:~$ ping 172.10.1.1
PING 172.10.1.1 (172.10.1.1) 56(84) bytes of data.
64 bytes from 172.10.1.1: icmp_seq=1 ttl=63 time=2.31 ms
64 bytes from 172.10.1.1: icmp_seq=2 ttl=63 time=1.21 ms
64 bytes from 172.10.1.1: icmp_seq=3 ttl=63 time=2.46 ms
64 bytes from 172.10.1.1: icmp_seq=4 ttl=63 time=3.14 ms
检查逻辑路由器的部署
在上一篇我们介绍了几种架构中逻辑路由器的部署情况,这个实验中,部署了两级路由器,且T1路由器并未启用服务,那么,按照前面的介绍,这应该是下面的架构:
| Routertire | Edge | H/V |
|---|---|---|
| T0 SR | Y | |
| T0 DR | Y | Y |
| T1 DR | Y | Y |
其中,在Edge上有T0 SR、T0 DR和T1 DR;在Esxi上有T0 DR和T1 DR。
查看Esxi
登录到Esxi后使用nsxcli命令查看:
[root@esx-01a:~] nsxcli
esx-01a.corp.tanzu> get logical-routers
Mon May 17 2021 UTC 07:11:16.903
Logical Routers Summary
------------------------------------------------------------------------------------------
VDR UUID LIF num Route num Max Neighbors Current Neighbors
Esxi上面并没有逻辑路由器?
这是因为在Esxi初始化中,并不需要提供路由等服务。
我们在Esx-01a上部署一个虚拟机:
再次查看Esx-01a的逻辑路由器
esx-01a.corp.tanzu> get logical-routers
Mon May 17 2021 UTC 07:15:25.736
Logical Routers Summary
------------------------------------------------------------------------------------------
VDR UUID LIF num Route num Max Neighbors Current Neighbors
770bd784-6222-4c4e-8f8e-3d667f48ddf0 3 8 50000 17
03fc3c16-d4b6-4921-9547-baf459ca9c28 2 3 50000 8
6490db7f-9000-42dd-9c37-e210377b041f 2 3 50000 8
现在有了三个逻辑路由器,但是他们是什么呢?
我们可以分别查看这三台路由器的端口信息:
esx-01a.corp.tanzu> get logical-router 770bd784-6222-4c4e-8f8e-3d667f48ddf0 interfaces
Mon May 17 2021 UTC 07:22:37.846
Logical Router Interfaces
---------------------------------------------------------------------------
IPv6 DAD Status Legend: [A: DAD_Sucess], [F: DAD_Duplicate], [T: DAD_Tentative], [U: DAD_Unavailable]
LIF UUID : 1af8a568-132b-4328-aaf9-1b404b7a7211
Mode : [b'Routing-Backplane']
Overlay VNI : 69635
IP/Mask : 169.254.0.1/24; fe80::50:56ff:fe56:4452/128(U)
Mac : 02:50:56:56:44:52
Connected DVS : DSwitch-tanzu
Control plane enable : True
Replication Mode : 0.0.0.1
Multicast Routing : [b'Enabled', b'Oper Down']
State : [b'Enabled']
Flags : 0x90308
DHCP relay : Not enable
DAD-mode : ['LOOSE']
RA-mode : ['SLAAC_DNS_THROUGH_RA(M=0, O=0)']
LIF UUID : ca50b054-8f8e-43d0-9f5c-bd1a2d4724fc
Mode : [b'Routing-LinkLif']
Overlay VNI : 69634
IP/Mask : 100.64.160.0/31; fe80::50:56ff:fe56:4452/128(U); fcce:6440:3ca7:5800::1/64(U)
Mac : 02:50:56:56:44:52
Connected DVS : DSwitch-tanzu
Control plane enable : True
Replication Mode : 0.0.0.1
Multicast Routing : [b'Disabled', b'Oper Down']
State : [b'Enabled']
Flags : 0x8308
DHCP relay : Not enable
DAD-mode : ['LOOSE']
RA-mode : ['SLAAC_DNS_THROUGH_RA(M=0, O=0)']
LIF UUID : a96c3411-ff55-4dc6-bea3-1859997f21c6
Mode : [b'Routing-LinkLif']
Overlay VNI : 69637
IP/Mask : 100.64.160.2/31; fe80::50:56ff:fe56:4452/128(U); fcce:6440:3ca7:5801::1/64(U)
Mac : 02:50:56:56:44:52
Connected DVS : DSwitch-tanzu
Control plane enable : True
Replication Mode : 0.0.0.1
Multicast Routing : [b'Disabled', b'Oper Down']
State : [b'Enabled']
Flags : 0x8308
DHCP relay : Not enable
DAD-mode : ['LOOSE']
RA-mode : ['SLAAC_DNS_THROUGH_RA(M=0, O=0)']
esx-01a.corp.tanzu> get logical-router 6490db7f-9000-42dd-9c37-e210377b041f interfaces
Mon May 17 2021 UTC 07:26:05.879
Logical Router Interfaces
---------------------------------------------------------------------------
IPv6 DAD Status Legend: [A: DAD_Sucess], [F: DAD_Duplicate], [T: DAD_Tentative], [U: DAD_Unavailable]
LIF UUID : 226c7d70-02fe-4d47-98af-9225e2f972ec
Mode : [b'Routing-LinkLif']
Overlay VNI : 69637
IP/Mask : 100.64.160.3/31; fe80::50:56ff:fe56:4455/128(U); fcce:6440:3ca7:5801::2/64(U)
Mac : 02:50:56:56:44:55
Connected DVS : DSwitch-tanzu
Control plane enable : True
Replication Mode : 0.0.0.1
Multicast Routing : [b'Disabled', b'Oper Down']
State : [b'Enabled']
Flags : 0x8308
DHCP relay : Not enable
DAD-mode : ['LOOSE']
RA-mode : ['SLAAC_DNS_THROUGH_RA(M=0, O=0)']
LIF UUID : 758b2000-aca5-4a00-a061-88f2e18a1291
Mode : [b'Routing']
Overlay VNI : 69636
IP/Mask : 172.20.1.1/24
Mac : 02:50:56:56:44:52
Connected DVS : DSwitch-tanzu
Control plane enable : True
Replication Mode : 0.0.0.1
Multicast Routing : [b'Enabled', b'Oper Down']
State : [b'Enabled']
Flags : 0x80388
DHCP relay : Not enable
DAD-mode : ['LOOSE']
RA-mode : ['UNKNOWN']
esx-01a.corp.tanzu> get logical-router 03fc3c16-d4b6-4921-9547-baf459ca9c28 interfaces
Mon May 17 2021 UTC 07:27:52.391
Logical Router Interfaces
---------------------------------------------------------------------------
IPv6 DAD Status Legend: [A: DAD_Sucess], [F: DAD_Duplicate], [T: DAD_Tentative], [U: DAD_Unavailable]
LIF UUID : 965f9bd2-0382-4256-bab3-1e8dd5ed30ce
Mode : [b'Routing-LinkLif']
Overlay VNI : 69634
IP/Mask : 100.64.160.1/31; fe80::50:56ff:fe56:4455/128(U); fcce:6440:3ca7:5800::2/64(U)
Mac : 02:50:56:56:44:55
Connected DVS : DSwitch-tanzu
Control plane enable : True
Replication Mode : 0.0.0.1
Multicast Routing : [b'Disabled', b'Oper Down']
State : [b'Enabled']
Flags : 0x8308
DHCP relay : Not enable
DAD-mode : ['LOOSE']
RA-mode : ['SLAAC_DNS_THROUGH_RA(M=0, O=0)']
LIF UUID : 2253b442-e17e-43c7-8e2d-48b451a8ae8c
Mode : [b'Routing']
Overlay VNI : 69633
IP/Mask : 172.10.1.1/24
Mac : 02:50:56:56:44:52
Connected DVS : DSwitch-tanzu
Control plane enable : True
Replication Mode : 0.0.0.1
Multicast Routing : [b'Enabled', b'Oper Down']
State : [b'Enabled']
Flags : 0x80388
DHCP relay : Not enable
DAD-mode : ['LOOSE']
RA-mode : ['UNKNOWN']
整理如下:
判断的依据(上一篇):
- 默认情况下,SR 和 DR 之间的链路使用 169.254.0.0/28 子网。在部署 Tier-0 或 Tier-1 逻辑路由器时,将自动创建这些路由器内中转链路。
- 为 Tier-0 到 Tier-1 的连接分配的默认地址空间为 100.64.0.0/10。将在 100.64.0.0/10 地址空间中为每个 Tier-0 到 Tier-1 的对等连接提供一个 /31 子网。在创建 Tier-1 路由器并将其连接到 Tier-0 路由器时,将自动创建该链路。
查看Edge
nsxt-edge-02> get logical-router
Mon May 17 2021 UTC 08:06:17.773
Logical Router
UUID VRF LR-ID Name Type Ports Neighbors
736a80e3-23f6-5a2d-81d6-bbefb2786666 0 0 TUNNEL 3 2/5000
e223cfbb-7f3d-4083-8cc6-6ea5ff2fa9e1 1 2 SR-T0-01a SERVICE_ROUTER_TIER0 5 1/50000
770bd784-6222-4c4e-8f8e-3d667f48ddf0 3 1 DR-T0-01a DISTRIBUTED_ROUTER_TIER0 6 4/50000
03fc3c16-d4b6-4921-9547-baf459ca9c28 4 4 DR-T1-172.10.1 DISTRIBUTED_ROUTER_TIER1 5 2/50000
6490db7f-9000-42dd-9c37-e210377b041f 5 5 DR-T1-172.10.2 DISTRIBUTED_ROUTER_TIER1 5 2/50000
可以清晰的看到在Edge上有T0 DR、T0
SR和T1 DR
结论:
逻辑路由器的部署符合预期,即在Edge上有T0 SR、T0 DR和T1 DR;在Esxi上有T0 DR和T1 DR
在这个实验中,我们部署了T0、T1两层路由器,并与物理路由器通过BGP交换路由。同时部署了网络分段,下沉网关到T1上。
下图反映了本架构的整体组件和流量情况:
以上