In my past blog article on setting up NSX-T, I’ve covered using BGP as the dynamic routing protocol for north-south traffic.
A customer wanted to use OSPF to interconnect their physical networking fabric with NSX-T. Time to play with this setup in the lab 🙂

The logical routing topology which is used in my setup is depicted below:

For simplicity, we use the same uplink VLANs as with the initial BGP setup. The external interfaces will be OSPF enabled on the Tier-0 Service Router of our two edge nodes. In our setup, the Tier-0 gateway will belong to a backbone OSPF area named “0” (or “0.0.0.0”). An excellent write-up on OSPF and NSX-T can be found in this VMware blog article.

To configure OSPF on the Tier-0 gateway, we log in to the NSX Manager web UI. Then we follow the procedure below:

  1. Select Networking > Tier-0 Gateways.
  2. Click the OSPF toggle to enable OSPF.
  3. In the Area Definition field, click Set to add an area definition.
  4. Click Add Area Definition for area 0 as follows.
    • Area ID: 0
    • Type: Normal
    • Authentication: None
  5. Click Save.
  6. In the Graceful Restart field, select Helper Only.
  7. Click the ECMP toggle to enable ECMP.
  8. Configure the first edge interfaces as follows.
    • In the Interface column, select an interface from the dropdown list.
    • In the Area ID column, select an area ID from the dropdown list.
    • In the Network Type column, select Broadcast.
    • In the OSPF column, set the toggle to Enabled.
    • Click the BFD toggle to enable BFD.
    • Select the default BFD profile.
    • OSPF Hello Interval: 10 s
    • OSPF Dead Interval: 40 s
    • Click Save.
  9. Repeat the steps above to configure the remaining interfaces.
  10. Click Save.
  11. Click Route Re-distribution to expand the section.
  12. Click the OSPF Route Redistribution Status toggle to enable OSPF route redistribution.
  13. Click on the number to the right of Route Re-distribution and click Add Route Re-Distribution.
  14. Create the following route re-distribution:
    • Name: Lab-Default-RR
    • Destination Protocol: OSPF
    • Route Re-distribution: click on the number and select the following sources:
      • Advertised Tier-1 Subnets
      • LB VIP
      • LB SNAT IP
      • Connected Interfaces & Segments (all auto-selected)
      • Static Routes
      • NAT IP
      • Click Apply
    • Route Map: leave empty
  15. Click Add
  16. Click Apply
  17. Click Close Editing

To make the OSPF configuration work, we must configure the upstream routers accordingly.

On our VyOS based router tor-router1 we configure dynamic routing as follows:

set protocols ospf area 0 network 172.27.11.0/24
set protocols ospf area 0 network 172.27.12.0/24
set protocols ospf default-information 
set protocols ospf log-adjacency-changes 
set protocols ospf parameters router-id 172.27.11.1
set protocols ospf refresh timers 60
set protocols ospf interface eth5 network broadcast
set protocols ospf interface eth5 bfd
set protocols ospf redistribute connected

On tor-router2, we configure the following:

set protocols ospf area 0 network 172.27.12.0/24
set protocols ospf area 0 range 172.27.0.0/16 
set protocols ospf log-adjacency-changes 
set protocols ospf parameters router-id 172.27.12.1
set protocols ospf refresh timers 60
set protocols ospf interface eth1 network broadcast
set protocols ospf interface eth1 bfd
set protocols ospf redistribute connected
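
A lint pass over the ToR commands above, as an added example that is not part of the original article: it flags OSPF interfaces without authentication (the area above was created with Authentication: None) and redistribution sources without a route-map. The `authentication` and `route-map` nodes are assumed VyOS 1.4 syntax, and `HARDENED_EXTRA` with its key and route-map name is constructed; the NSX area definition would need matching authentication settings.

```python
# tor-router1 OSPF commands as shown above.
TOR1_CONFIG = """\
set protocols ospf area 0 network 172.27.11.0/24
set protocols ospf area 0 network 172.27.12.0/24
set protocols ospf default-information
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 172.27.11.1
set protocols ospf refresh timers 60
set protocols ospf interface eth5 network broadcast
set protocols ospf interface eth5 bfd
set protocols ospf redistribute connected
"""

# Constructed lines (assumed VyOS 1.4 syntax, placeholder key and route-map name).
HARDENED_EXTRA = """\
set protocols ospf interface eth5 authentication md5 key-id 1 md5-key EXAMPLE-KEY
set protocols ospf redistribute connected route-map RM-OSPF-OUT
"""

def audit_ospf(config):
    """Return findings for OSPF interfaces that carry no authentication node
    and redistribution sources that are not filtered by a route-map."""
    interfaces, authed, redist, filtered = set(), set(), set(), set()
    for line in config.splitlines():
        words = line.split()
        if words[:3] != ["set", "protocols", "ospf"]:
            continue  # not an OSPF command
        rest = words[3:]
        if rest[:1] == ["interface"] and len(rest) >= 2:
            interfaces.add(rest[1])
            if rest[2:3] == ["authentication"]:
                authed.add(rest[1])
        elif rest[:1] == ["redistribute"] and len(rest) >= 2:
            redist.add(rest[1])
            if rest[2:3] == ["route-map"]:
                filtered.add(rest[1])
    findings = [f"interface {i}: no OSPF authentication"
                for i in sorted(interfaces - authed)]
    findings += [f"redistribute {s}: no route-map"
                 for s in sorted(redist - filtered)]
    return findings

if __name__ == "__main__":
    for finding in audit_ospf(TOR1_CONFIG):
        print(finding)
```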

To verify the routing configuration, we can log into one of the configured edge nodes and have a look at the routing table:

nsx-en1> get logical-router
Tue Aug 02 2022 UTC 13:29:56.223
Logical Router
UUID                                   VRF    LR-ID  Name                              Type                        Ports   Neighbors
736a80e3-23f6-5a2d-81d6-bbefb2786666   0      0                                        TUNNEL                      4       12/5000
4627a84b-fda0-4368-8da1-7a1421aa8502   1      3075   DR-t1-domain-c1010:3686082f-a4d   DISTRIBUTED_ROUTER_TIER1    5       2/50000
8c4abfee-7761-4a50-8302-20bda7faf0b5   2      1045   SR-Tier0-GW-1                     SERVICE_ROUTER_TIER0        6       1/50000
37d023e7-cd5a-4f44-b284-49d8f929f928   4      1046   DR-Tier1-GW-1                     DISTRIBUTED_ROUTER_TIER1    7       5/50000
2c83c15b-92dd-4789-b30d-74f6c6ca1ff5   5      3077   DR-t1-domain-c1010:3686082f-a4d   DISTRIBUTED_ROUTER_TIER1    4       0/50000
67f576a7-7c50-43af-8243-cdda1bf06f15   6      3076   SR-t1-domain-c1010:3686082f-a4d   SERVICE_ROUTER_TIER1        5       2/50000
68dc9a18-4b01-4c34-a27b-21883ebe5469   7      2050   SR-acme-egw-01                    SERVICE_ROUTER_TIER1        5       2/50000
26959761-c5a4-4009-a3ec-739fb206d5ba   8      3074   SR-domain-c1010:3686082f-a4d0-4   SERVICE_ROUTER_TIER1        5       2/50000
84a14cdc-4640-4537-b67f-535f0b7aa9d2   9      1044   DR-Tier0-GW-1                     DISTRIBUTED_ROUTER_TIER0    9       10/50000
af9c7634-df57-4ffd-bfb1-31ad334f7a07   10     3073   DR-domain-c1010:3686082f-a4d0-4   DISTRIBUTED_ROUTER_TIER1    4       2/50000
a126d5aa-2791-4d60-ae83-32611095cc1a   11     3078   SR-t1-domain-c1010:3686082f-a4d   SERVICE_ROUTER_TIER1        5       2/50000

nsx-en1> vrf 2
nsx-en1(tier0_sr)> get route

Flags: t0c - Tier0-Connected, t0s - Tier0-Static, b - BGP, o - OSPF
t0n - Tier0-NAT, t1s - Tier1-Static, t1c - Tier1-Connected,
t1n: Tier1-NAT, t1l: Tier1-LB VIP, t1ls: Tier1-LB SNAT,
t1d: Tier1-DNS FORWARDER, t1ipsec: Tier1-IPSec, isr: Inter-SR,
> - selected route, * - FIB route

Total number of routes: 33

t0s> * 0.0.0.0/0 [1/0] via 172.27.11.1, uplink-298, 21:58:41
t1c> * 10.10.10.0/24 [3/0] via 100.64.240.1, linked-310, 21:58:38
t1c> * 10.10.20.0/24 [3/0] via 100.64.240.1, linked-310, 21:58:38
t0c> * 100.64.240.0/31 is directly connected, linked-310, 21:58:41
t0c> * 100.64.240.2/31 is directly connected, downlink-300, 21:58:41
t0c> * 100.64.240.4/31 is directly connected, downlink-322, 21:58:41
t0c> * 100.64.240.6/31 is directly connected, downlink-338, 21:58:41
t0c> * 100.64.240.8/31 is directly connected, downlink-302, 21:58:41
t1c> * 100.100.0.0/28 [3/0] via 100.64.240.3, downlink-300, 21:58:38
t1c> * 100.100.0.16/28 [3/0] via 100.64.240.5, downlink-322, 21:58:38
t1c> * 100.100.0.32/28 [3/0] via 100.64.240.7, downlink-338, 21:58:41
t1c> * 100.100.0.48/28 [3/0] via 100.64.240.5, downlink-322, 21:58:38
t0c> * 169.254.0.0/24 is directly connected, downlink-340, 21:58:41
o  > * 172.16.11.0/24 [110/20] via 172.27.11.1, uplink-298, 00:54:50
o  > * 172.16.12.0/24 [110/20] via 172.27.11.1, uplink-298, 00:54:50
o  > * 172.16.13.0/24 [110/20] via 172.27.11.1, uplink-298, 00:54:50
o  > * 172.16.14.0/24 [110/20] via 172.27.11.1, uplink-298, 00:54:50
t0c> * 172.27.11.0/24 is directly connected, uplink-298, 21:58:41
t0c> * 172.27.12.0/24 is directly connected, uplink-304, 21:58:41
o  > * 172.27.13.0/24 [110/20] via 172.27.11.1, uplink-298, 00:54:50
t1c> * 192.168.20.0/24 [3/0] via 100.64.240.1, linked-310, 21:58:38
t1l> * 192.168.21.1/32 [3/0] via 100.64.240.3, downlink-300, 21:58:38
t1l> * 192.168.21.2/32 [3/0] via 100.64.240.5, downlink-322, 21:58:38
t1n> * 192.168.22.1/32 [3/0] via 100.64.240.3, downlink-300, 21:58:38
t1n> * 192.168.22.2/32 [3/0] via 100.64.240.5, downlink-322, 21:58:38
t1n> * 192.168.22.3/32 [3/0] via 100.64.240.7, downlink-338, 21:58:41
o  > * 192.168.123.0/24 [110/20] via 172.27.11.1, uplink-298, 00:54:50
t0c> * fc37:f210:9a29:a800::/64 is directly connected, linked-310, 21:58:41
t0c> * fc37:f210:9a29:a801::/64 is directly connected, downlink-300, 21:58:41
t0c> * fc37:f210:9a29:a802::/64 is directly connected, downlink-322, 21:58:41
t0c> * fc37:f210:9a29:a803::/64 is directly connected, downlink-338, 21:58:41
t0c> * fc37:f210:9a29:a804::/64 is directly connected, downlink-302, 21:58:41
t0c> * fe80::/64 is directly connected, downlink-322, 21:58:41
Tue Aug 02 2022 UTC 13:30:17.828
nsx-en1(tier0_sr)>

We can see the OSPF routes marked with the “o” flag.

Next, let’s check this on one of the ToR routers:

vyos@tor-router1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [1/0] via 192.168.123.1, eth0, weight 1, 1d05h05m
O>* 10.10.10.0/24 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 10.10.20.0/24 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 100.100.0.0/28 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 100.100.0.16/28 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 100.100.0.32/28 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 100.100.0.48/28 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
C>* 172.16.11.0/24 is directly connected, eth1, 1d05h05m
C>* 172.16.12.0/24 is directly connected, eth2, 1d05h05m
C>* 172.16.13.0/24 is directly connected, eth3, 1d05h05m
C>* 172.16.14.0/24 is directly connected, eth4, 1d05h05m
S>* 172.16.31.0/24 [1/0] via 172.16.11.254, eth1, weight 1, 1d05h05m
O   172.27.11.0/24 [110/1] is directly connected, eth5, weight 1, 1d05h05m
C>* 172.27.11.0/24 is directly connected, eth5, 1d05h05m
O>* 172.27.12.0/24 [110/11] via 172.27.11.2, eth5, weight 1, 00:57:45
C>* 172.27.13.0/24 is directly connected, eth6, 1d05h05m
O>* 192.168.20.0/24 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 192.168.21.1/32 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 192.168.21.2/32 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 192.168.22.1/32 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 192.168.22.2/32 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 192.168.22.3/32 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
C>* 192.168.123.0/24 is directly connected, eth0, 1d05h05m

Again, the OSPF routes are marked with the “O” flag.
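
The manual comparison of the two route tables can be scripted. The following is an added example, not part of the original article: it reports Tier-1 prefixes from the edge that the ToR did not install via OSPF, and OSPF routes on the ToR that no Tier-0 or Tier-1 route on the edge accounts for. It assumes the edge is this ToR's only OSPF route source, and the sample input is constructed from lines of the output above.

```python
import ipaddress
import re

# Constructed samples: lines trimmed from the two tables above. The ToR sample
# omits 192.168.22.3/32 and adds a made-up 203.0.113.0/24 route on purpose.
EDGE_ROUTES = """\
t0s> * 0.0.0.0/0 [1/0] via 172.27.11.1, uplink-298, 21:58:41
t1c> * 10.10.10.0/24 [3/0] via 100.64.240.1, linked-310, 21:58:38
t0c> * 172.27.12.0/24 is directly connected, uplink-304, 21:58:41
t1l> * 192.168.21.1/32 [3/0] via 100.64.240.3, downlink-300, 21:58:38
t1n> * 192.168.22.3/32 [3/0] via 100.64.240.7, downlink-338, 21:58:41
o  > * 172.16.11.0/24 [110/20] via 172.27.11.1, uplink-298, 00:54:50
"""
TOR_ROUTES = """\
S>* 0.0.0.0/0 [1/0] via 192.168.123.1, eth0, weight 1, 1d05h05m
O>* 10.10.10.0/24 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O   172.27.11.0/24 [110/1] is directly connected, eth5, weight 1, 1d05h05m
O>* 172.27.12.0/24 [110/11] via 172.27.11.2, eth5, weight 1, 00:57:45
O>* 192.168.21.1/32 [110/20] via 172.27.11.2, eth5, weight 1, 00:57:44
O>* 203.0.113.0/24 [110/20] via 172.27.11.2, eth5, weight 1, 00:01:02
"""

EDGE_RE = re.compile(r"^([a-z0-9]+)\s*>\s*\*\s+(\S+)")  # flag, "> *", prefix
TOR_RE = re.compile(r"^O>\*\s+(\S+)")                   # selected OSPF FIB route

def edge_prefixes(text, flag_prefixes):
    """Prefixes of selected edge routes whose flag starts with one of flag_prefixes."""
    found = set()
    for line in text.splitlines():
        m = EDGE_RE.match(line)
        if m and m.group(1).startswith(flag_prefixes):
            found.add(ipaddress.ip_network(m.group(2), strict=False))
    return found

def tor_ospf_prefixes(text):
    """Prefixes the ToR installed from OSPF (lines starting with O>*)."""
    return {ipaddress.ip_network(m.group(1), strict=False)
            for m in map(TOR_RE.match, text.splitlines()) if m}

def compare(edge_text, tor_text):
    """Return (missing, unexpected): Tier-1 prefixes the ToR did not learn, and
    OSPF routes on the ToR that no Tier-0/Tier-1 route on the edge accounts for."""
    learned = tor_ospf_prefixes(tor_text)
    missing = edge_prefixes(edge_text, ("t1",)) - learned
    unexpected = learned - edge_prefixes(edge_text, ("t0", "t1"))
    return sorted(missing, key=str), sorted(unexpected, key=str)

if __name__ == "__main__":
    print(compare(EDGE_ROUTES, TOR_ROUTES))
```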