NSX ALB routing - multiple floating IP and BGP setup

Recently, I had a very interesting scenario around an NSX ALB (formerly Avi Networks) setup with multiple networks, NAT and no-NAT traffic, and, more importantly, a specific routing requirement inside a customer environment.

As you may be aware, NSX ALB Service Engines have multiple NICs: to be more accurate, 1 management + 9 data interfaces, which can be used in different configurations depending on actual needs and infrastructure.

In my specific case, the following assumptions were in place and were successfully deployed across the virtual service configuration:

- external network (from the NSX ALB perspective): based on the Cisco ACI SDN solution, where different L3-outs (a specific ACI construct) for the various NSX ALB needs were configured directly on the Cisco platform. For this purpose, a VRF named XYZ was created specifically for the connections mentioned above;

- multiple floating IPs + BGP configuration are needed on the NSX ALB SEs; see Default Gateway (IP Routing on Avi SE);

- a network service is introduced for per-VRF routing (in my case VRF XYZ), with the configuration described in Network Service Configuration. As shown in Picture 2, multiple floating IPs are introduced, one for each server group that needs it;

- NAT is also a critical component, because different policies are needed depending on the traffic of interest; some traffic does not need to be NAT-ed at all because it is routed properly. On newer NSX ALB versions this configuration is available from the GUI, but the CLI can be used as well if preferred (see NAT Configuration on Avi Service Engine). Picture 1 is from my example:

Picture 1. NAT policy configured from GUI

Overall, a config with a picture says more than a thousand words; the next one maps all the requirements mentioned earlier:

Picture 2. Functional requirements with multiple floating IP's / routing on SE data plane
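The requirements mapped in Picture 2, expressed as the NSX ALB / Avi REST API objects they correspond to (VRF with BGP profile, routing network service with floating IPs, NAT policy). This is an added example written for this post, not the author's actual configuration; field names follow the Avi API object model as I understand it (an assumption), and all addresses, AS numbers, object names and the BGP secret are constructed placeholders.

```yaml
# Added example: NSX ALB / Avi API objects for the multi floating IP + BGP setup.
# Field names are an assumption based on the Avi API object model; all values
# (addresses, AS numbers, names, secret) are constructed placeholders.
# 1. VRF XYZ carries the BGP session towards the ACI L3-out.
vrfcontext:
  name: XYZ
  bgp_profile:
    local_as: 65001
    ibgp: false
    peers:
      - peer_ip: {addr: 10.10.0.1, type: V4}        # ACI L3-out side of the peering
        remote_as: 65000
        subnet: {ip_addr: {addr: 10.10.0.0, type: V4}, mask: 24}
        advertise_vip: true
        advertise_snat_ip: true                      # floating IPs must be reachable from the peer
        bfd: true                                    # fast failure detection between SE and L3-out
        md5_secret: "<BGP-SHARED-SECRET>"            # authenticate the session; do not leave blank
# 2. Routing network service bound to VRF XYZ and its SE group, with one
#    floating IP per server group on the primary SE and on its partner SE.
networkservice:
  name: ns-routing-xyz
  service_type: ROUTING_SERVICE
  vrf_ref: /api/vrfcontext/?name=XYZ
  se_group_ref: /api/serviceenginegroup/?name=seg-xyz
  routing_service:
    enable_routing: true
    enable_vip_on_all_interfaces: false            # do not expose VIPs on every data NIC
    floating_intf_ip:                                # primary SE
      - {addr: 10.20.1.10, type: V4}                 # server group A
      - {addr: 10.20.2.10, type: V4}                 # server group B
    floating_intf_ip_se_2:                           # secondary SE, same roles
      - {addr: 10.20.1.11, type: V4}
      - {addr: 10.20.2.11, type: V4}
    nat_policy_ref: /api/natpolicy/?name=nat-xyz
# 3. NAT policy: only the server network without a proper return route is
#    SNAT-ed to a floating IP; traffic matching no rule is plainly routed.
natpolicy:
  name: nat-xyz
  rules:
    - index: 1
      name: snat-legacy-servers
      enable: true
      match:
        source_ip:
          match_criteria: IS_IN
          prefixes: [{ip_addr: {addr: 10.30.0.0, type: V4}, mask: 24}]
      action:
        type: NAT_POLICY_ACTION_TYPE_DYNAMIC_IP_PORT
        nat_info: [{nat_ip: {addr: 10.20.1.10, type: V4}}]
```

Keeping the NAT match as narrow as possible is what lets the routed (no-NAT) traffic stay untouched; review the rule order whenever a new server group is added.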

To conclude this routing setup with multiple floating IPs and BGP in place: it is possible to configure it, but you shouldn't expect the SE to behave as a typical router. It can accomplish similar requirements, even more complex ones like in this post, but the primary function of an SE is neither router nor full-featured BGP neighbour, though it can cover those roles to some extent 👍
