
Geneve Tunnel Dependencies in NSX-T

Introduction:

This post covers two crucial Geneve Tunnel dependencies to be aware of within NSX-T network virtualized environments:

  1. Host Transport Node virtualized guest overlay traffic initiates Geneve tunnels.
  2. Edge Transport Nodes require active Geneve tunnels to establish BGP peering.

High-Level Concept to Remember:

If the Geneve Bidirectional Forwarding Detection (BFD) tunnels are not up, whether due to misconfiguration or other network issues, the Edge’s failover mechanism triggers and the Edge Node drops its BGP neighborships. This failsafe ensures that the Tier-0 Gateway does not keep advertising routes to the upstream router via BGP while the Edge’s Geneve tunnels are down, because it would not be able to process N-S traffic.

NSX-T Lab Topology to demonstrate Geneve Tunnel Dependencies:

Let’s demonstrate these two concepts in the lab, with a focus on BGP peer state and Geneve tunnel state. The following setup illustrates that without active virtualized workloads there are no tunnels between Geneve Termination End Points (TEPs), and that without Geneve tunnels the BGP peers are down.

Scenario 1: With guest overlay traffic, Geneve Tunnels are active, and BGP Peers establish:

We have a single powered-on virtualized guest, named VM1, on ESXi host esxcna01-s1, generating overlay traffic:

The Guest is creating overlay traffic to initiate a Geneve Tunnel between Compute and Edge nodes:

CLI from Compute Node:
[root@esxcna01-s1:~] nsxdp-cli bfd sessions list
 Remote              Local               local_disc          remote_disc         recvd               sent                local_state         local_diag          client              flaps
 192.168.110.180     192.168.110.183     4988543c            32cf4a00            2863                2728                up                  No Diagnostic       vdl2                1


CLI from Edge Node:
nsxtedge01> get bfd-sessions | find Dest_port|Encap|address|State
 Dest_port                     : 3784
 Encap                         : null
 Local_address                 : 192.168.110.65
 Remote_address                : 192.168.110.66
 State                         : down
 Dest_port                     : 3784
 Encap                         : geneve                  <--- Geneve Tunnel up to Compute Node
 Local_address                 : 192.168.110.180
 Remote_address                : 192.168.110.183
 State                         : up
 Dest_port                     : 3784
 Encap                         : vlan
 Local_address                 : 192.168.110.180
 Remote_address                : 192.168.110.181
 State                         : down

The Edge Node Geneve tunnel is a prerequisite to establish BGP peering:

nsxtedge01> vrf 2
nsxtedge01(tier0_sr)> get bgp neighbor summary
 BFD States: NC - Not configured, AC - Activating,DC - Disconnected
             AD - Admin down, DW - Down, IN - Init,UP - Up
 BGP summary information for VRF default for address-family: ipv4Unicast
 Router ID: 192.168.100.102  Local AS: 65111
 Neighbor                            AS          State Up/DownTime  BFD InMsgs  OutMsgs InPfx  OutPfx
 192.168.100.2                       65100       Estab 01:17:56     NC  91      82      6      4
 169.254.0.130                       65111       Activ 00:45:08     NC  1104    1108    0      0
 BFD States: NC - Not configured, AC - Activating,DC - Disconnected
             AD - Admin down, DW - Down, IN - Init,UP - Up
 BGP summary information for VRF default for address-family: ipv6Unicast
 Router ID: 192.168.100.102  Local AS: 65111
 Neighbor                            AS          State Up/DownTime  BFD InMsgs  OutMsgs InPfx  OutPfx
 169.254.0.130                       65111       Activ 00:45:08     NC  1104    1108    0      0

nsxtedge01(tier0_sr)> get route bgp
 Flags: t0c - Tier0-Connected, t0s - Tier0-Static, B - BGP,
 t0n - Tier0-NAT, t1s - Tier1-Static, t1c - Tier1-Connected,
 t1n: Tier1-NAT, t1l: Tier1-LB VIP, t1ls: Tier1-LB SNAT,
 t1d: Tier1-DNS FORWARDER, > - selected route, * - FIB route
 Total number of routes: 5
 b  > * 192.168.150.0/24 [20/0] via 192.168.100.2, uplink-298, 01:18:53
 b  > * 0.0.0.0/0 [20/0] via 192.168.100.2, uplink-298, 01:18:53
 b  > * 10.155.14.0/24 [20/0] via 192.168.100.2, uplink-298, 01:18:53
 b  > * 192.168.21.0/24 [20/0] via 192.168.100.2, uplink-298, 01:18:53

Scenario 2: Without guest overlay traffic, Geneve Tunnels drop, and BGP Peering is down:

Virtualized Guest, VM1, is powered down:

Without overlay traffic, the Geneve Tunnel between Compute and Edge nodes drops:

[root@esxcna01-s1:~] nsxdp-cli bfd sessions list
 Remote              Local               local_disc          remote_disc         recvd               sent                local_state         local_diag          client              flaps

nsxtedge01> get bfd-sessions | find Dest_port|Encap|address|State      <--- no Geneve Tunnel to Compute Node
 Dest_port                     : 3784
 Encap                         : null
 Local_address                 : 192.168.110.65
 Remote_address                : 192.168.110.66
 State                         : down
 Dest_port                     : 3784
 Encap                         : vlan
 Local_address                 : 192.168.110.180
 Remote_address                : 192.168.110.181
 State                         : down                  

Without an active Edge Node Geneve tunnel, there are no BGP neighbors and no learned BGP routes:

nsxtedge01> vrf 2
nsxtedge01(tier0_sr)> get route bgp
 Flags: t0c - Tier0-Connected, t0s - Tier0-Static, B - BGP,
 t0n - Tier0-NAT, t1s - Tier1-Static, t1c - Tier1-Connected,
 t1n: Tier1-NAT, t1l: Tier1-LB VIP, t1ls: Tier1-LB SNAT,
 t1d: Tier1-DNS FORWARDER, t1ipsec: Tier1-IPSec,
 > - selected route, * - FIB route
 Total number of routes: 0    <--- no BGP routes from physical
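
The check performed by eye in both scenarios, as an added example (not part of the original post or of NSX-T tooling): a Python parser for the Edge `get bfd-sessions | find ...` output that reports whether any Geneve-encapsulated BFD session is up. The function names and the `bgp-down-expected` verdict label are assumptions made for this example, and the sample text is constructed from the outputs shown above.

```python
import re

# Constructed sample: Scenario 1 Edge output of the filtered "get bfd-sessions" command (arrows removed).
SCENARIO_1 = """\
 Dest_port                     : 3784
 Encap                         : null
 Local_address                 : 192.168.110.65
 Remote_address                : 192.168.110.66
 State                         : down
 Dest_port                     : 3784
 Encap                         : geneve
 Local_address                 : 192.168.110.180
 Remote_address                : 192.168.110.183
 State                         : up
 Dest_port                     : 3784
 Encap                         : vlan
 Local_address                 : 192.168.110.180
 Remote_address                : 192.168.110.181
 State                         : down
"""
# Scenario 2 is the same output without the geneve session (lines 6-10).
_lines = SCENARIO_1.splitlines(keepends=True)
SCENARIO_2 = "".join(_lines[:5] + _lines[10:])

FIELD = re.compile(r"^[ \t]*(\w+)[ \t]*:[ \t]*(\S+)", re.MULTILINE)

def parse_bfd_sessions(text):
    """Split the filtered output into one dict per session; Dest_port starts a record."""
    sessions = []
    for key, value in FIELD.findall(text):
        if key == "Dest_port":
            sessions.append({})
        if sessions:
            sessions[-1][key.lower()] = value  # first token only, so trailing notes are ignored
    return sessions

def geneve_tunnels_up(sessions):
    """Return (local, remote) TEP pairs whose Geneve BFD session is up."""
    return [(s.get("local_address"), s.get("remote_address")) for s in sessions
            if s.get("encap") == "geneve" and s.get("state") == "up"]

def edge_verdict(text):
    """Per the post: with no Geneve tunnel up, the Edge drops its BGP neighborships."""
    up = geneve_tunnels_up(parse_bfd_sessions(text))
    return ("ok", up) if up else ("bgp-down-expected", up)

if __name__ == "__main__":
    for name, sample in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        print(name, edge_verdict(sample))
```

A `bgp-down-expected` verdict means the missing BGP peers are a consequence of the tunnel state, so troubleshooting should start with the TEP and overlay path rather than the BGP configuration.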
        

This article covers additional details on Geneve Tunnels, and How to Validate MTU in an NSX-T Environment.

Summary:

Although an NSX-T environment without workload traffic isn’t realistic, this lab does help to reinforce some key concepts in NSX-T operation, including two crucial Geneve Tunnel dependencies.
