Default Gateway (IP Routing on Avi SE)

Overview

There are multiple use cases for enabling IP routing on Avi Service Engines.

When new application servers are deployed, the servers need external connectivity for manageability. In the absence of a router in the server networks, the Avi SE can be used for routing the traffic of server networks.

Another use case is when virtual services use an application profile with the Preserve Client IP option enabled. Back-end servers then receive traffic with the source IP set to the IP of the originating clients, so the Avi SE's IP needs to be configured as the default gateway for these servers to route all traffic back through the SEs to the clients.

Note: This feature is not supported for IPv6.

Scope

The following features are supported:

  • IP routing is supported on two-armed, no-access configurations of Linux server clouds and VMware clouds, and conditionally supported on CSP. On CSP, it is supported when the interfaces attached to the SE instances are configured in SR-IOV mode.
  • VMware write access clouds are also supported when configured via the CLI.
  • Avi Vantage supports IP routing for VMware cloud deployments in write access mode. For this feature to work on VMware write access clouds, at least one virtual service must be configured with the following configurations:
    • One arm (in the two-arm mode deployment) must be placed in the back-end network. For this network, SE acts as the default gateway.
    • The other arm is placed in the desired front-end network.
  • The HA mode must be legacy HA (active/standby) only for SE groups with the enable IP routing option set. Starting with Avi Vantage version 18.2.5, the HA mode must be legacy HA (active/standby) only for SE groups, and routing has to be enabled in the corresponding Network Service.
  • IP routing cannot be enabled in conjunction with the distribute load option set in the SE group configuration.
  • IP routing is supported on the following:
    • Only DPDK-based SEs.
    • VMware write access mode, if a virtual service has already been created. This virtual service creates the required Service Engines before MAC masquerading is tested.

Note: Starting with Avi Vantage version 18.2.6, preserve_client_ip is supported for non-directly-connected or routed back-end servers. However, all the required IPs on Avi Vantage still need to be static, and there is no support for DHCP relay.

Use Case

[Figure: legacy HA active/standby]

Briefly, enabling IP routing requires the following configurations to be done at various points in the network:

  • On the Avi Controller, enable IP routing for the SE group. Starting with Avi Vantage version 18.2.5, this has to be configured via a Network Service of routing_service type.
  • On the front-end router, configure static routes to the back-end server networks with the next hop set to the floating IP in the front-end network.
  • If BGP is enabled in the network and BGP peers are configured on the SEs, then enable Advertise back-end subnets via BGP for the SE group. Starting with Avi Vantage version 18.2.5, if BGP is enabled in the network and BGP peers are configured on the SEs, then enable Advertise back-end subnets via BGP for the SE group in the above routing-enabled Network Service.
  • On the back-end servers, configure the SE's floating IP in the back-end server network as the default gateway.

Configure IP Routing (Without BGP Peer)

Consider a simple two-leg setup with the server(s) in the 10.10.10.0/24 back-end network (starting with Avi Vantage version 18.2.6, it need not be a directly connected network) and the front-end router in the 10.10.40.0/24 network. The steps to configure the IP routing (default gateway) feature are listed below. The UI and CLI in each step are two different ways of configuring the same step.

Note: This feature is supported for IPv6 in Avi Vantage.

  1. Navigate to Infrastructure > Service Engine Group > Edit

    [Screenshot: IP routing without BGP Peer, step one]

    [Screenshot: IP routing without BGP Peer, step one, for 18.2.5]

    a. Configure the HA mode in the SE group to legacy HA (Active/Standby)

    : > configure serviceenginegroup Default-Group
    : serviceenginegroup> active_standby
    Overwriting the previously entered value for active_standby
    : serviceenginegroup> ha_mode ha_mode_legacy_active_standby
    Overwriting the previously entered value for ha_mode
    : serviceenginegroup> save

    b. Distribute Load is not enabled.

    c. Configure Floating IP Addresses (for instance, 10.10.10.11), one on each back-end network. These IP addresses will get configured on the active SE and will be taken over by the standby SE (new-active) upon failover.

     
    : > configure serviceenginegroup Default-Group
    : serviceenginegroup> floating_intf_ip 10.10.10.11
    : serviceenginegroup> save

    Starting with Avi Vantage version 18.2.5, Floating IP Addresses are configurable via Network Service of service_type routing_service. Refer to Network Service configuration page for more details.

    d. If there are no BGP peers configured, then configure Floating IP address for front-end networks too (for instance, 10.10.40.11).

     
    : > configure serviceenginegroup Default-Group
    : serviceenginegroup> floating_intf_ip 10.10.40.11
    : serviceenginegroup> save

    Starting with Avi Vantage version 18.2.5, if there are no BGP peers configured, then configure Floating IP address for front-end networks too (for instance, 10.10.40.11) using the above Network Service configuration.

  2. Enable IP routing on all SEs in the SE group.

     
    : > configure serviceenginegroup Default-Group
    : serviceenginegroup> enable_routing
    Overwriting the previously entered value for enable_routing
    : serviceenginegroup> save

    Starting with Avi Vantage version 18.2.5, enable IP routing on all SEs in the SE group using Network Service configuration. Refer to Network Service configuration page for more details.

  3. The above steps complete the SE group configuration to enable routing (starting with Avi Vantage version 18.2.5, the configuration of routing for the Service Engine Group via Network Service). However, the network is incomplete without the front-end routers and back-end servers being configured accordingly.

  4. Front-end router configuration (if no BGP peers are configured on the SE). Configure the front-end router with a static route to the back-end server network (with the next hop pointing to the floating interface IP of the SE in the front-end network).

    For example:

    route add -net 10.10.10.0/24 gw 10.10.40.11

  5. Back-end server configuration. Configure the default gateway of the back-end server(s) to point to the floating interface IP of the SE (the one in the server network).

    route add default gw 10.10.10.11

    This ensures that all the traffic including return (VIP) traffic from the back-end network uses SE for all northbound traffic.

  6. Configure the default gateway of SE to front-end as needed. Navigate to Infrastructure > Routing > Static Route > Create.

    [Screenshot: IP routing without BGP Peer, step five]

Configure IP-Routing (With BGP Peer)

To configure IP routing with BGP peers, follow the five steps detailed above for the configuration without BGP peers, with the following exceptions:

  • If the front-end supports BGP peering, then there is no necessity to configure floating IPs on the front-end interface (skip step 1.d above).
  • Also, you do not have to configure static routes in the front-end router (skip step 3 above).

After performing the above steps, follow the instructions below:

  1. Navigate to Infrastructure > Routing > BGP Peering > Edit.
    On the Avi Controller, configure BGP Peers network and IP Address.
    : > configure vrfcontext global
    : vrfcontext> bgp_profile ibgp local_as 1
    : vrfcontext:bgp_profile>
    : vrfcontext:bgp_profile> peers peer_ip 10.10.40.3
    New object being created
    : vrfcontext:bgp_profile:peers>
    : vrfcontext:bgp_profile:peers> subnet
    IP4 Prefix Format    (required) Subnet providing reachability for ...
    : vrfcontext:bgp_profile:peers> subnet 10.10.40.0/24
    : vrfcontext:bgp_profile:peers> bfd
    : vrfcontext:bgp_profile:peers> save
    : vrfcontext:bgp_profile> save
    : vrfcontext> save

    [Screenshot: IP routing with BGP Peer, step one]

  2. Navigate to Infrastructure > Service Engine Group > Edit > Advanced. Enable Advertise back-end subnets via BGP. This UI knob appears only if the Enable IP Routing option is selected.
      : > configure serviceenginegroup Default-Group
      : serviceenginegroup> advertise_backend_networks
      Overwriting the previously entered value for advertise_backend_networks
      : serviceenginegroup> save

    [Screenshot: IP routing with BGP Peer, step two]

    Starting with Avi Vantage version 18.2.5, configure Advertise Backend Networks of the Service Engine Group via its corresponding Network Service. Refer to Network Service configuration page for more details.

  3. Configure the application profile to preserve client IPs for associated virtual service(s). This step is to be performed before any virtual service using the given application profile is enabled.
     : > configure applicationprofile System-HTTP
     : applicationprofile> preserve_client_ip
     Overwriting the previously entered value for preserve_client_ip
     : applicationprofile> save

    This configuration will not succeed if enable_routing is not yet configured. It is also mutually exclusive with the Connection Multiplexing option for L7 application profiles.

  4. Create a virtual service with an application profile for which preserve client IP is enabled.
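
A pre-change check for the constraints this page lists, as an added example that is not Avi's own code: it validates a planned deployment (HA mode, floating IPs, server gateway, front-end static route, BGP advertisement, preserve_client_ip prerequisites) for both the with-BGP and without-BGP procedures. The plan layout and the keys distribute_load and connection_multiplexing are hypothetical, and the check assumes directly connected back-end servers.

```python
import ipaddress as ip

# Constructed plan using this page's example addresses. The dict layout and the
# keys distribute_load / connection_multiplexing are assumptions, not Avi schema.
PLAN = {
    "backend_net": "10.10.10.0/24", "frontend_net": "10.10.40.0/24",
    "se_group": {"ha_mode": "ha_mode_legacy_active_standby",
                 "distribute_load": False, "enable_routing": True,
                 "floating_intf_ip": ["10.10.10.11", "10.10.40.11"],
                 "advertise_backend_networks": False},
    "bgp_peers": [],                                   # e.g. ["10.10.40.3"]
    "frontend_static_routes": [("10.10.10.0/24", "10.10.40.11")],
    "server_default_gw": "10.10.10.11",
    "app_profile": {"preserve_client_ip": True, "connection_multiplexing": False},
}

def check_routing_plan(plan):
    """Return the list of constraints from this page that the plan violates."""
    seg, prof = plan["se_group"], plan["app_profile"]
    backend, frontend = ip.ip_network(plan["backend_net"]), ip.ip_network(plan["frontend_net"])
    fips = [ip.ip_address(a) for a in seg["floating_intf_ip"]]
    back_fips = [a for a in fips if a in backend]
    front_fips = [a for a in fips if a in frontend]
    problems = []
    if seg["ha_mode"] != "ha_mode_legacy_active_standby":
        problems.append("ha_mode is not legacy active/standby")
    if seg["distribute_load"]:
        problems.append("distribute load is enabled")
    if not back_fips:
        problems.append("no floating IP in the back-end network")
    # Replies must return through the SE, or preserved client IPs bypass it.
    if ip.ip_address(plan["server_default_gw"]) not in back_fips:
        problems.append("server default gateway is not the back-end floating IP")
    if plan["bgp_peers"]:
        if not seg["advertise_backend_networks"]:
            problems.append("BGP peers configured but back-end subnets not advertised")
    else:
        if not front_fips:
            problems.append("no BGP peers and no front-end floating IP")
        if not any(backend.subnet_of(ip.ip_network(dst)) and ip.ip_address(gw) in front_fips
                   for dst, gw in plan["frontend_static_routes"]):
            problems.append("no front-end static route to the back-end network via the SE")
    if not seg["enable_routing"]:
        problems.append("enable_routing is not set")
        if prof["preserve_client_ip"]:
            problems.append("preserve_client_ip set before enable_routing")
    if prof["preserve_client_ip"] and prof["connection_multiplexing"]:
        problems.append("preserve_client_ip conflicts with connection multiplexing")
    return problems
```

An empty list means the plan satisfies every constraint checked; each string names one item to fix before the virtual service is enabled.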
