Please check out the white paper Dell Networking: Multitenancy Across Physical and Logical Environments with VRF-lite and VMware NSX, in which I discuss use cases for combining network virtualization overlays (NVO) with VRF-lite. In this short blog, I expand on the concept I presented in a prior blog, Multitenancy on Dell Networking Switches via VRF-lite: how NVO and VRF-lite together can be used to deploy a consistent multitenant framework across logical and physical networks.
As mentioned in the prior blog, a technology like VMware NSX can be utilized to provide network virtualization and multitenancy in the logical space. At the same time, if tenant workloads will be traversing both the logical and physical network, VRF-lite can be used on the physical network. This will allow for multitenancy with overlapping IP addresses across both the logical and physical network/resources.
Examples and applications include:
- Mapping non-virtualized resources (Ex: databases, file servers, etc.) in the physical environment into a tenant’s environment, where the physical resources of every tenant use the same IP address space.
- Multitenancy across two remote locations with one location employing NVO and the other location using traditional VLANs with VRF-lite on the physical environment.
- Using VRF-lite as a migration strategy for network virtualization where multitenancy between logical and physical networks/resources needs to be maintained.
The figure below presents an example where each VXLAN Network Identifier (VNI) on the logical network maps to a VLAN on the physical network. Each tenant logical switch (represented by a VNI) connects to a different distributed logical router (not shown) in the logical space and maps to a VLAN in the physical space.
As shown in the figure below, one method of deployment can be to leverage VMware NSX L2 Gateway to have a tenant logical switch on the logical network map to a VLAN on the physical network.
Tenant logical switches connect to a tenant Distributed Logical Router (DLR) in the logical space and map to a VLAN in the physical space. In this example, an IP address is placed on the physical VLAN on the spine/core Dell S6000 switches and tied to a specific VR for the respective tenant. This is only needed in this use case to allow for overlapping IP addresses on the physical network.
The physical resources connecting to the VRs can be on the same subnet or on different subnets. In either case, this setup allows for overlapping IP addresses for both the logical and physical resources. In this setup, if routing to a physical resource is needed, it is handled by the VR for the respective tenant.
Another method of deployment is to use the VMware Edge Services Router (ESR) / Perimeter Edge (PE) to route to external physical resources and still use VRF on the physical routers to allow for overlapping IP addresses; this is shown in the diagram below.
Here, instead of using the VMware NSX L2 gateway to bridge between VXLAN and VLAN and have the VR on the physical switch do the routing, the ESR for the respective tenant does the routing, while the VRs on the physical switches still allow for overlapping IP addresses for the physical network/resources. Multitenancy is achieved because each tenant in the logical environment has a different Edge VLAN that also exists on the physical switches and is mapped to the respective tenant VRF.
For example, in this second deployment scenario, a portion of the Compute Virtual Distributed Switch (VDS) would look like the screenshot below, which shows a separate Edge VLAN for Tenant 1 (VLAN 501) and a separate Edge VLAN for Tenant 2 (VLAN 502) created on the VDS.
In this setup, each tenant has two ESR virtual appliances in their respective VLAN deployed as Active/Standby; starting with NSX 6.1, ESRs can also be deployed as Active/Active allowing for equal-cost multi-path (ECMP) routing. The ESR will peer with the external network and share routing information. VRFs on the physical switches/routers will map to the respective tenant edge VLAN to keep routing and IP addressing isolated for each tenant.
The below image shows how such a setup may look with a 3-tier architecture replicated for Tenant 1 and Tenant 2.
The screenshot below shows the respective logical switches which are created (for clarity, not all fields are shown). Note that each tenant has its own set of logical switches. The Tenant 2 switches are identified by the 2 at the end of their names (Ex: Web-Tier-2, App-Tier-2, etc.). The Tenant 1 switch names do not end with a number.
The logical switches are then connected to the respective tenant NSX DLR/ESR routers. The image below shows the DLR and ESR routers created for Tenant 1 and Tenant 2. Note, the screenshot displays the DLR Control VM, as the DLR is a kernel-level module on the respective hosts.
On the physical switches you will want to make sure the VRFs are created and tied to the respective VLANs for each tenant. Routing protocols can then be configured as required; the routing protocol would also be configured on the ESR and DLR. An example Dell S6000 VRF-lite configuration for the two tenants shown in the logical diagram is shown below.
Example Dell S6000 VRF-lite configuration for two tenants:
enable
configure
feature vrf
! One VRF per tenant
ip vrf tenant1 1
 exit
ip vrf tenant2 2
 exit
! Tenant 1 Edge VLAN, bound to the tenant1 VRF
interface vlan 501
 ip vrf forwarding tenant1
 ip address 10.40.40.2/29
 no shutdown
 exit
! Tenant 2 Edge VLAN, same address but isolated in the tenant2 VRF
interface vlan 502
 ip vrf forwarding tenant2
 ip address 10.40.40.2/29
 no shutdown
 exit
! One OSPF process per tenant VRF
router ospf 1 vrf tenant1
 router-id 9.9.9.8
 network 180.0.0.0/24 area 0
 network 190.0.0.0/24 area 0
 network 200.0.0.0/24 area 0
 network 10.40.40.0/29 area 0
 exit
router ospf 2 vrf tenant2
 router-id 10.10.10.9
 network 180.0.0.0/24 area 0
 network 190.0.0.0/24 area 0
 network 200.0.0.0/24 area 0
 network 10.40.40.0/29 area 0
 exit
write
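Because tenant isolation here depends on every Edge VLAN being bound to the right VRF, a quick audit of the switch configuration is worth running before it goes live. The Python script below is an added example, not part of the original post or any Dell tooling; it assumes configuration text in the style shown above, with VRFs declared before they are referenced, and the sample input and the `audit` function name are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of the configuration above: VLAN 503 has
# no VRF binding and VLAN 504 names a VRF that was never declared.
SAMPLE = """\
ip vrf tenant1 1
ip vrf tenant2 2
interface vlan 501
ip vrf forwarding tenant1
ip address 10.40.40.2/29
exit
interface vlan 502
ip vrf forwarding tenant2
ip address 10.40.40.2/29
exit
interface vlan 503
ip address 10.40.40.3/29
exit
interface vlan 504
ip vrf forwarding tenant
exit
"""

def audit(config):
    """Return a sorted list of tenant-isolation findings for a VRF-lite config."""
    defined, findings, nets = set(), [], defaultdict(list)
    iface = vrf = None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
            vrf = m.group(1)
            if vrf not in defined:
                findings.append(f"{iface}: bound to undefined VRF '{vrf}'")
        elif m := re.fullmatch(r"ip vrf (\S+)(?: \d+)?", line):
            defined.add(m.group(1))
        elif m := re.fullmatch(r"interface (.+)", line):
            iface, vrf = m.group(1), None
        elif (m := re.fullmatch(r"ip address (\S+)", line)) and iface:
            net = ipaddress.ip_interface(m.group(1)).network
            if vrf is None:
                findings.append(f"{iface}: address {m.group(1)} has no VRF binding")
            for other_if, other_net in nets[vrf]:
                if net.overlaps(other_net):  # overlap is only safe across VRFs
                    findings.append(f"{iface}: {net} overlaps {other_if} in VRF {vrf}")
            nets[vrf].append((iface, net))
        elif (m := re.fullmatch(r"router ospf \d+ vrf (\S+)", line)) and m.group(1) not in defined:
            findings.append(f"ospf: process uses undefined VRF '{m.group(1)}'")
        elif line == "exit":
            iface = vrf = None
    return sorted(findings)
```

Calling `audit(SAMPLE)` reports the two defective interfaces and nothing for VLANs 501 and 502, whose identical addresses are acceptable because they sit in different VRFs.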
Follow me on Twitter: @Humair_Ahmed
Dell VRF-lite & VMware NSX does it face any troubles with Windows Vista?