NSX-T – Services

Service Router

  • Physical Infrastructure connectivity
  • NAT
  • DHCP
  • Load Balancer
  • VPN Gateway
  • Bridging
  • Service Interface
  • Metadata Proxy for Openstack
The appliances where the centralised services or SR instances are hosted are called Edge nodes. An Edge node is the appliance that provides connectivity to the physical infrastructure.

Configuring NAT

In NSX-T, you can configure the NAT on both Tier-0 and Tier-1 gateways. There are three different types of NAT rules:
  • Source NAT (SNAT)
    • Translates the source IP address of outbound packets from a local (private) IP address to a known external IP address, so the application can continue to work over the internet using its external IP address.
  • Destination NAT (DNAT)
    • Enables access to internal private IP addresses from the outside world by translating the destination IP when inbound communication is initiated.
  • Reflexive NAT or stateless NAT
    • Reflexive NAT rules are stateless access control lists (ACLs) that must be defined in both directions. These rules are created when stateful NAT cannot be used, for example when a Tier-0 gateway is running in active-active equal-cost multipath (ECMP) mode: stateful NAT cannot be configured there because asymmetrical paths might cause a problem.
Tier-0 and Tier-1 in active-standby mode support SNAT and DNAT.
Tier-0 and Tier-1 in active-active mode support reflexive NAT.
NAT allows translation from one IP address to another. For example, a public address is NAT’d to a local private IP address. This can be either a one-to-one or a one-to-many IP mapping.
NAT64 is a mechanism for translating IPv6 packets into IPv4 packets. It is supported only on an active-standby Tier-0 gateway.
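As an added example (not from these notes or from VMware), the following Python script checks a planned NAT rule against the HA-mode constraints listed above (SNAT/DNAT only on a stateful active-standby gateway, reflexive NAT for the active-active ECMP case, NAT64 only on an active-standby Tier-0) and builds a rule body modelled on the NSX-T Policy API PolicyNatRule object. The JSON field names, the USER NAT section and the URL layout are assumptions to verify against the API guide for your NSX-T version.

```python
"""Check planned NSX-T NAT rules against the gateway HA-mode constraints.

Added example, not from the original notes or from VMware. Field names and
URL layout are modelled on the NSX-T Policy API and are an assumption.
"""
from typing import Dict, List

# HA modes on which each NAT action may be configured (from the notes;
# reflexive NAT is the stateless fallback, so it is accepted on both modes).
ALLOWED_HA = {
    "SNAT": {"active-standby"},
    "DNAT": {"active-standby"},
    "REFLEXIVE": {"active-active", "active-standby"},
    "NAT64": {"active-standby"},
}

# Address fields each action must carry for the rule to make sense.
REQUIRED_FIELDS = {
    "SNAT": ("source_network", "translated_network"),
    "DNAT": ("destination_network", "translated_network"),
    "REFLEXIVE": ("source_network", "translated_network"),
    "NAT64": ("destination_network", "translated_network"),
}


def check_nat(tier: int, ha_mode: str, action: str, fields: Dict[str, str]) -> List[str]:
    """Return the reasons this rule is not allowed; an empty list means OK."""
    problems = []
    if action not in ALLOWED_HA:
        return [f"unknown NAT action {action!r}"]
    if ha_mode not in ALLOWED_HA[action]:
        problems.append(
            f"{action} requires a gateway in {sorted(ALLOWED_HA[action])} mode, "
            f"not {ha_mode} (asymmetric ECMP paths break stateful NAT)")
    if action == "NAT64" and tier != 0:
        problems.append("NAT64 is only supported on a Tier-0 gateway")
    for name in REQUIRED_FIELDS[action]:
        if not fields.get(name):
            problems.append(f"{action} needs {name}")
    return problems


def nat_rule(tier: int, ha_mode: str, action: str, rule_id: str, **fields: str) -> Dict[str, object]:
    """Build a PolicyNatRule-style body, refusing unsupported combinations."""
    problems = check_nat(tier, ha_mode, action, fields)
    if problems:
        raise ValueError("; ".join(problems))
    body = {
        "resource_type": "PolicyNatRule",  # assumed field name, see lead-in
        "id": rule_id,
        "action": action,
        "enabled": True,
        # Log translations so that public<->private addresses can be correlated
        # later from the Edge node logs.
        "logging": True,
    }
    body.update(fields)
    return body


def nat_rule_url(tier: int, gateway_id: str, rule_id: str, section: str = "USER") -> str:
    """Policy API path the rule body would be PUT to (assumed layout)."""
    kind = "tier-0s" if tier == 0 else "tier-1s"
    return f"/policy/api/v1/infra/{kind}/{gateway_id}/nat/{section}/nat-rules/{rule_id}"


if __name__ == "__main__":
    # Constructed addresses: RFC 5737 documentation range and RFC 1918 space.
    rule = nat_rule(1, "active-standby", "DNAT", "web-inbound",
                    destination_network="203.0.113.10", translated_network="10.10.0.10")
    print(nat_rule_url(1, "t1-web", rule["id"]), rule)
    print(check_nat(0, "active-active", "SNAT",
                    {"source_network": "10.0.0.0/24", "translated_network": "203.0.113.1"}))
```

Running the script prints the DNAT body and URL for a Tier-1 rule, then the reason an SNAT rule is rejected on an active-active Tier-0; the same check can be run as a pre-flight before pushing rules from automation.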

Configuring DHCP and DNS Service

The DHCP server is initiated on a service router on an active/standby Tier-0 or Tier-1 gateway.
DHCP Workflow
  • Build a DHCP Profile
  • Configure Tier-1 or Tier-0 gateway with DHCP profile
  • Create a segment and configure DHCP IP address range
  • Attach VMs to the segment
  • Configure VM VIFs to acquire DHCP IP address
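The workflow above, as an added Python example (not from these notes or from VMware): it validates the DHCP ranges for a segment, rejecting ranges outside the subnet, ranges that would hand out the gateway, DHCP server, network or broadcast address, and ranges that overlap each other, then returns the objects for the workflow steps in order. Field names and URL paths are modelled on the NSX-T Policy API (DhcpServerConfig, Tier1 dhcp_config_paths, Segment subnets with dhcp_ranges) and are an assumption to verify against the API guide for your version; the edge cluster path is an obvious placeholder.

```python
"""Validate a DHCP plan for an NSX-T segment and emit the workflow objects in order.

Added example, not from the original notes or from VMware. Policy API field
names and paths are an assumption; all addresses below are constructed.
"""
import ipaddress
from typing import List, Tuple


def _parse_range(rng: str):
    lo_s, hi_s = rng.split("-", 1)
    return ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())


def range_problems(subnet_cidr: str, gateway_ip: str, server_ip: str, ranges: List[str]) -> List[str]:
    """Return human-readable problems with the DHCP ranges; an empty list means OK."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    # Addresses a pool must never hand out, in the order they are reported.
    reserved = [
        (ipaddress.ip_address(gateway_ip), "gateway"),
        (ipaddress.ip_address(server_ip), "DHCP server"),
        (subnet.network_address, "network address"),
        (subnet.broadcast_address, "broadcast address"),
    ]
    problems = []
    parsed = []
    for rng in ranges:
        lo, hi = _parse_range(rng)
        if lo > hi:
            problems.append(f"{rng}: start is after end")
            continue
        if lo not in subnet or hi not in subnet:
            problems.append(f"{rng}: not inside {subnet}")
            continue
        for addr, what in reserved:
            if lo <= addr <= hi:
                problems.append(f"{rng}: includes the {what} {addr}")
        parsed.append((lo, hi, rng))
    # Ranges on one segment must not overlap each other.
    parsed.sort()
    for (lo1, hi1, r1), (lo2, hi2, r2) in zip(parsed, parsed[1:]):
        if lo2 <= hi1:
            problems.append(f"{r1} overlaps {r2}")
    return problems


def dhcp_plan(profile_id: str, tier1_id: str, segment_id: str, subnet_cidr: str,
              gateway_ip: str, server_ip: str, ranges: List[str],
              lease_seconds: int = 86400) -> List[Tuple[str, dict]]:
    """Return (URL path, body) pairs in workflow order, or raise on an invalid plan."""
    problems = range_problems(subnet_cidr, gateway_ip, server_ip, ranges)
    if problems:
        raise ValueError("; ".join(problems))
    prefixlen = ipaddress.ip_network(subnet_cidr).prefixlen
    profile_path = f"/infra/dhcp-server-configs/{profile_id}"
    return [
        # Step 1: build the DHCP profile (server config).
        (f"/policy/api/v1{profile_path}", {
            "resource_type": "DhcpServerConfig",
            "lease_time": lease_seconds,
            "edge_cluster_path": "<EDGE-CLUSTER-PATH-PLACEHOLDER>",
        }),
        # Step 2: attach the profile to the Tier-1 gateway.
        (f"/policy/api/v1/infra/tier-1s/{tier1_id}", {
            "resource_type": "Tier1",
            "dhcp_config_paths": [profile_path],
        }),
        # Steps 3-5: segment with gateway, DHCP server address and pools;
        # VMs attached to this segment then acquire addresses from the ranges.
        (f"/policy/api/v1/infra/segments/{segment_id}", {
            "resource_type": "Segment",
            "connectivity_path": f"/infra/tier-1s/{tier1_id}",
            "subnets": [{
                "gateway_address": f"{gateway_ip}/{prefixlen}",
                "dhcp_ranges": ranges,
                "dhcp_config": {
                    "resource_type": "SegmentDhcpV4Config",
                    "server_address": f"{server_ip}/{prefixlen}",
                    "lease_time": lease_seconds,
                },
            }],
        }),
    ]


if __name__ == "__main__":
    for url, body in dhcp_plan("dhcp-prof", "t1-app", "seg-app", "10.1.1.0/24",
                               "10.1.1.1", "10.1.1.2", ["10.1.1.100-10.1.1.200"]):
        print(url, body)
```

The checks matter because an overlapping or mis-sized range silently produces duplicate leases or a pool that hands out the gateway address; catching that before the segment is created is cheaper than diagnosing it from VM connectivity failures.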
DNS
NSX-T has a built-in caching conditional DNS forwarder that holds addresses for the duration of the TTL. This is useful for reducing the load on the main DNS servers.
Configuring Load Balancing
Supports both layer 4 and layer 7
Layer 7 can load balance based on HTTP headers
Must be attached to a Tier-1 gateway in active/standby mode
A load balancer includes virtual servers, profiles, server pools, and monitors.
Load balancers come in multiple sizes (small, medium, large, extra large); consider scalability when choosing one
All the LB components are reusable
IPSec VPN
Layer 3 point-to-point network between sites
Can be on Tier-0 or Tier-1 gateways
Supports IPSec dead peer detection
VPN types
  • Policy-based VPN
  • Route-based VPN
Tenants with overlapping networks require NAT on Tier-0 gateways
Supports active/standby high availability
Supports IPSec in tunnel mode
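The overlapping-tenant case from the notes above, as an added Python example (not from these notes or from VMware): given each tenant's local networks, it reports the cross-tenant overlaps, lists the tenants that therefore need NAT on the Tier-0 gateway, and assigns each of them a distinct translated prefix from a pool you supply, refusing pool prefixes that collide with any real network. Tenant names and addresses are constructed.

```python
"""Find tenant networks that overlap before bringing them onto a shared IPSec VPN.

Added example, not from the original notes or from VMware. Tenant names and
addresses used in the demo are constructed.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple


def _networks(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def overlapping_tenants(tenant_networks: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (tenant_a, tenant_b, net_a, net_b) for every cross-tenant overlap."""
    parsed = {t: _networks(cidrs) for t, cidrs in tenant_networks.items()}
    hits = []
    for a, b in combinations(sorted(parsed), 2):
        for na in parsed[a]:
            for nb in parsed[b]:
                # Only same-family prefixes can collide.
                if na.version == nb.version and na.overlaps(nb):
                    hits.append((a, b, str(na), str(nb)))
    return hits


def tenants_needing_nat(tenant_networks: Dict[str, List[str]]) -> List[str]:
    """Tenants whose address space collides with another tenant's."""
    return sorted({t for hit in overlapping_tenants(tenant_networks) for t in hit[:2]})


def assign_translated_prefixes(tenant_networks: Dict[str, List[str]], pool: List[str]) -> Dict[str, str]:
    """Pick one usable, non-colliding prefix from `pool` per tenant needing NAT."""
    real = [n for cidrs in tenant_networks.values() for n in _networks(cidrs)]
    usable = [p for p in _networks(pool)
              if not any(p.version == r.version and p.overlaps(r) for r in real)]
    # Pool entries must not collide with each other either.
    for p, q in combinations(usable, 2):
        if p.version == q.version and p.overlaps(q):
            raise ValueError(f"pool prefixes {p} and {q} overlap")
    need = tenants_needing_nat(tenant_networks)
    if len(usable) < len(need):
        raise ValueError(f"{len(need)} tenants need NAT but only {len(usable)} pool prefixes are usable")
    return {t: str(p) for t, p in zip(need, usable)}


if __name__ == "__main__":
    # Constructed tenant data: tenant-a and tenant-b both use 10.0.0.0/24.
    tenants = {
        "tenant-a": ["10.0.0.0/24", "10.0.1.0/24"],
        "tenant-b": ["10.0.0.0/24"],
        "tenant-c": ["172.16.0.0/24"],
    }
    print(overlapping_tenants(tenants))
    print(assign_translated_prefixes(tenants, ["10.0.0.0/16", "192.168.10.0/24", "192.168.11.0/24"]))
```

The translated prefix each tenant receives is what the Tier-0 SNAT/DNAT rules would use so that the remote site sees non-colliding addresses; the pool check is there because a translated prefix that itself overlaps a real network recreates the original problem one hop later.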
L2 VPN
Sits on top of IPSec
Similar to Layer 2 bridging
Supported on Tier-0 or Tier-1 gateways
Only pre-shared keys, no certificates at the moment
Layer 2 VPN uses GRE over IPSec as the transport method
Tunnel redundancy is not supported
Supports hub-and-spoke topology