VRF-Lite in NSX-T Data Center



–  Prashant Pandey


Recently I completed a deployment using VRF-Lite with 10 tenants. VRF-Lite is such a useful feature for achieving multitenancy in NSX-T Data Center.

To keep this document and the topology simple, I have kept the tenant count at 2, but the concept is the same for any number of tenants.

 

In this document we will discuss VRF-Lite in NSX-T Data Center, focusing mainly on the points below.

  • What VRF-Lite is and its benefits in NSX-T Data Center.
  • What Tier-0 gateway to physical gateway connectivity looks like with and without VRF-Lite in a multitenant environment.
  • Important points to remember while using VRF-Lite.

 

Introduction –

The VRF-Lite feature is available from NSX-T 3.0 onwards to support multitenant environments.

It gives us segmentation between tenants without the need for multiple Tier-0 gateways and edge clusters.

 ==================================================================================================================================================

Think of a scenario where the Tier-0 gateway runs in Active-Active high availability mode with 6-way ECMP, that is, with 6 Edge nodes, and we have 2 tenants in our environment.

 

Without VRF-Lite –

  1. We need a separate Tier-0 for each tenant.
  2. We need a separate Edge cluster, and eventually separate Edge nodes, for each tenant, which is going to consume a hell of a lot of resources as our tenant count increases.



With VRF-Lite –

  1. We only need 1 parent Tier-0, and we can have multiple VRF gateways under it. (As per the max config data, it is 100 VRFs per Edge Node for NSX version 3.2.)
  2. We no longer need separate Edge Nodes; the same Edge Nodes are used for all VRFs, so we don't need a separate Edge cluster either.
  3. Here both the Blue and Red VRFs use the same Edge Nodes from edge cluster 01 for their respective BGP peering.





VRF-Lite properties in NSX-T DC - With VRF we are making a logical separation inside the Tier-0 gateway. A VRF has its own properties, but it still inherits some configuration options from its parent Tier-0, and those cannot be changed.

 

Each VRF has its own –

1. Interface
2. BGP Neighbour
3. Gateway Firewall & NAT

Each VRF inherits the options below from the parent Tier-0 (the configuration can't be changed at VRF level; it will be greyed out) –

1. High availability option – (A/A, A/S)
2. Local AS Number for BGP
3. Edge Cluster




Limitations of VRF Lite - The following services cannot be configured in a VRF gateway:

• VPN

• Load balancer
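
The inheritance and service rules above can be checked against a tenant design before it is deployed. The following is an added example, not from the original post and not NSX-T API code: the dictionary schema, field names and sample values are assumptions made for illustration.

```python
# Hypothetical design-intent schema for illustration; these are not NSX-T API objects.
INHERITED = ("ha_mode", "local_as", "edge_cluster")  # fixed by the parent Tier-0
UNSUPPORTED = {"vpn", "load_balancer"}               # not configurable on a VRF gateway
MAX_VRF_PER_EDGE_NODE = 100                          # figure quoted above for NSX 3.2


def check_design(parent, vrfs):
    """Return (effective_configs, violations) for VRF gateways under one parent Tier-0."""
    violations, effective, seen = [], {}, {}
    if len(vrfs) > MAX_VRF_PER_EDGE_NODE:
        # Every VRF runs on the parent's edge nodes, so the total counts against each node.
        violations.append(f"{len(vrfs)} VRFs exceed {MAX_VRF_PER_EDGE_NODE} per edge node")
    for vrf in vrfs:
        name = vrf["name"]
        for key in INHERITED:
            if key in vrf and vrf[key] != parent[key]:
                violations.append(f"{name}: {key} is inherited from the parent Tier-0")
        for svc in sorted(UNSUPPORTED & set(vrf.get("services", []))):
            violations.append(f"{name}: {svc} cannot be configured on a VRF gateway")
        for ifname in vrf.get("interfaces", []):
            owner = seen.setdefault(ifname, name)  # each VRF has its own interfaces
            if owner != name:
                violations.append(f"{name}: interface {ifname} already belongs to {owner}")
        # Effective view: per-VRF settings with the parent's values for inherited options.
        effective[name] = {**vrf, **{k: parent[k] for k in INHERITED}}
    return effective, violations


# Constructed sample data: two tenants (Blue and Red) on one parent Tier-0.
PARENT = {"name": "t0-parent", "ha_mode": "ACTIVE_ACTIVE", "local_as": 65001,
          "edge_cluster": "edge-cluster-01"}
VRFS = [
    {"name": "vrf-blue", "interfaces": ["blue-uplink-en1"],
     "bgp_neighbors": ["192.0.2.2"], "services": ["gateway_firewall", "nat"]},
    {"name": "vrf-red", "interfaces": ["red-uplink-en1"], "local_as": 65002,
     "bgp_neighbors": ["198.51.100.2"], "services": ["nat", "vpn"]},
]

if __name__ == "__main__":
    effective, violations = check_design(PARENT, VRFS)
    for line in violations:
        print("VIOLATION:", line)
    for name, cfg in effective.items():
        print(name, "->", cfg["ha_mode"], cfg["local_as"], cfg["edge_cluster"])
```

In the sample, the Red tenant is flagged twice: once for trying to set its own local AS number and once for requesting VPN.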

 

PS: Any improvement points or suggestions are welcome.

-----Thank You-----

Prashant Pandey
