Architecture pattern for using Direct Link with NSX-T and EVPN
On VMware vCenter Server instance in IBM Cloud® classic infrastructure, your workloads are deployed and run on VMware NSX-T™ overlay networks. As part of the deployment, the automation deploys an example NSX-T topology. You can use the provisioned examples as your base or build your own topologies on overlay. These overlay networks are not automatically advertised to IBM Cloud classic infrastructure network.
This architecture pattern presents private connectivity for VMware vCenter Server® that uses Direct Link and EVPN. EVPN (Ethernet VPN) is a standards-based BGP control plane that extends Layer 2 and Layer 3 connectivity between different data centers. Multi-Protocol BGP (MP-BGP) EVPN is established between NSX-T T0 and a Customer Router through Direct Link. IBM Cloud private network and Direct Link are used as L3 transport network for VXLAN traffic. VXLAN is the used encapsulation between NSX-T and the Customer Router.
You can use Gateway Appliance or vCenter Server gateway cluster with Juniper vSRX or other device as part of the solution. This is optional.
Deploying Direct Link with NSX-T and EVPN
The following diagram presents an overview for an architecture pattern for using Direct Link with NSX-T and EVPN.
This architecture pattern deployment is summarized as follows:
- vCenter Server instance is deployed at IBM Cloud classic infrastructure. Two IBM Cloud private VLANs and one IBM Cloud Public VLAN (optional) are deployed. Each of these VLANs host multiple subnets. You can see the details through IBM Cloud for VMware Solutions portal.
- NSX-T T0 is deployed with two interfaces - private and public (optional). If you opt for a public one, this interface is attached to your Public VLAN and has direct internet access. Your T0's private interface is attached to the Private VLAN and it uses IBM Cloud portable private IP.
- If vCenter Server gateway cluster with vSRX (or other third-party device) or IBM Cloud Gateway Appliance is deployed to your classic infrastructure, you must configure your vCenter Server instance Private Primary VLAN. It is routed through the vSRX or Gateway Appliance. Ensure that you allow BGP and VXLAN traffic though the firewall.
- Create a Direct Link at your IBM Cloud data center or zone location and attach your classic network as a connection. All your classic networks in the region are advertised with Local routing option (or all with Global Option). Ensure that you advertise the required networks for establishing the BGP session and VXLAN traffic.
- Configure MP-BGP with eBGP multihop and EVPN on your T0 router. Create a T0 VRF for each tenant as an EVPN tenant in NSX-T.
- VXLAN or VNI is used for each tenant. Transport between your colocation router and NSX-T transport nodes and Tier-0 traverse through IBM Cloud classic infrastructure network and Direct Link.
- Each tenant can have their own WANs or MPLS. You must arrange the network separation at colocation by using your routers and switches. Also, you must design and configure how to secure and separate the tenants and connect to tenant WANs.
Considerations
When you design or deploy this architecture pattern, consider the following steps:
- You are responsible for configuring EVPN between your T0 gateways and the routers in colocation.
- You can deploy additional NSX-T edge transport nodes manually on IBM Cloud side, if needed.
- EVPN uses its own address family in MP-BGP and NSX-T advertises EVPN type-5 routes.
- If you use
vpnv4 unicast address-familyin the connecting router to connect to MPLS VPNs, your router must be able to convert the advertisements between these two address families. - Refer to your router vendor and VMware NSX-T documentation for EVPN interoperability and EVPN configuration details.