Default Gateway (IP Routing on Avi SE)
Overview
There are multiple use cases for enabling IP routing on Avi Service Engines.
When new application servers are deployed, the servers need external connectivity for manageability. In the absence of a router in the server networks, the Avi SE can be used for routing the traffic of server networks.
Another use case is when virtual services use an application profile with the preserve client IP option enabled, back-end servers receive traffic with the source IP set to the IP of the originating clients. The Avi SE’s IP needs to be configured as the default gateway for these servers to route all traffic back through the SEs to the clients.
Suggested Additional Reading
Scope
The following features are supported:
- IP routing is supported on two-armed, no-access configurations of Linux server clouds and (as of release 17.2.4) VMware clouds, and conditionally supported on CSP. On CSP, it is supported when the interfaces attached to the SE instances are configured in SR-IOV mode.
- The HA mode must be legacy HA (active/standby) only for SE groups, with the enable IP routing option set.
- IP routing cannot be enabled in conjunction with the distribute load option set in the SE group configuration.
- IP routing is enabled on only one (global) VRF.
- IP routing is supported only on DPDK-based SEs.
- IP routing is supported on VMware write access mode, if a virtual service has already been created. This virtual service creates the required Service Engines before MAC masquerading is tested.
Back-end servers must be on a directly-connected network (no router in between SE and servers) using all static IPs (no DHCP or DHCP relay).
Example Use Case
Briefly, enabling IP routing requires the following configurations to be done at various points in the network:
- On the Avi Controller, enable IP routing for the SE group.
- On the front-end router, configure static routes to the back-end server networks with the nexthop as floating IP in front-end network.
- If BGP is enabled in the network and BGP peers configured on the SEs, then enable “Advertise back-end subnets via BGP” for the SE group.
- On the back-end servers, configure the SE’s floating IP in back-end server network as the default gateway.
Configure IP Routing (Without BGP Peer)
Consider a simple two-leg setup with the server(s) in the 10.10.10.0/24 back-end network (always a directly connected network) and front-end router in 10.10.40.0/24 network. Steps to configure IP routing (a.k.a default gateway) feature are listed below. UI and CLI in each step are just the two different ways of configuring the same step.
- Navigate to Infrastructure -> Service Engine Group -> Edit
a. Configure the HA mode in the SE group to legacy HA (Active/Standby).
b. Ensure Distribute Load is not enabled.: > configure serviceenginegroup Default-Group : serviceenginegroup> active_standby Overwriting the previously entered value for active_standby : serviceenginegroup> ha_mode ha_mode_legacy_active_standby Overwriting the previously entered value for ha_mode : serviceenginegroup>save
c. Configure Floating IP Addresses (for e.g., 10.10.10.11), one on each back-end network. These IP addresses will get configured on the active SE and will be taken over by the standby SE (new-active) upon failover.
d. If there are no BGP peers configured, then configure Floating IP address for front-end networks too (for example, 10.10.40.11).: > configure serviceenginegroup Default-Group : serviceenginegroup> floating_intf_ip 10.10.10.11 : serviceenginegroup> save
: > configure serviceenginegroup Default-Group : serviceenginegroup> floating_intf_ip 10.10.40.11 : serviceenginegroup> save
- Enable IP routing on all SEs in the SE group.</b>
: > configure serviceenginegroup Default-Group : serviceenginegroup> enable_routing Overwriting the previously entered value for enable_routing : serviceenginegroup> save
- The above steps complete the SE group configuration to enable routing. However, the network is incomplete without the front-end routers and back-end servers being configured accordingly.
- Front-end router configuration (if no BGP peers are configured on SE)
a. Configure the the front-end router with a static route to the back-end server network (with next-hop pointing to floating interface IP of SE in front-end network). For example:route add -net 10.10.10.0/24 gw 10.10.40.11.
- Back-end server configuration.
a. Configure the default gateway of back-end server(s) to point to floating interface IP of SE (the one in server network)
route add default gw 10.10.10.11
This ensures that all the traffic including return (VIP) traffic from the back-end network uses SE for all northbound traffic.
- Configure the default gateway of SE to front-end as needed:
Navigate to Infrastructure -> Routing-> Static Route-> Create
Configure IP-Routing (With BGP Peer)
For configuring IP routing without BGP peers, follow the five steps detailed above with the following exceptions:
- If the front-end supports BGP peering, then there is no necessity to configure floating IPs on the front-end interface (skip step 1.d above).
- Also, there is also no need to configure static routes in the front-end router (skip step 3 above).
After performing the above steps, follow the instructions below:
- Navigate to Infrastructure -> Routing -> BGP Peering -> Edit
On the Avi Controller, configure BGP Peers network and IP Address.
: > configure vrfcontext global : vrfcontext> bgp_profile ibgp local_as 1 : vrfcontext:bgp_profile > : vrfcontext:bgp_profile> peers peer_ip 10.10.40.3 New object being created : vrfcontext:bgp_profile:peers> : vrfcontext:bgp_profile:peers> subnet IP4 Prefix format
(required) Subnet providing reachability for ... : vrfcontext:bgp_profile:peers> subnet 10.10.40.0/24 : vrfcontext:bgp_profile:peers> bfd : vrfcontext:bgp_profile:peers> save : vrfcontext:bgp_profile> save : vrfcontext> save - Enable the advertisement of back-end subnets via BGP.
: > configure serviceenginegroup Default-Group : serviceenginegroup> advertise_backend_networks Overwriting the previously entered value for advertise_backend_networks : serviceenginegroup> save
- Configure the application profile to preserve client IPs for associated virtual service(s). This step is to be performed before any virtual service using the given application profile is enabled.
This configuration won't succeed if enable_routing is not yet configured. This configuration works in mutual exclusion with “connection multiplexing” option for L7 application profiles.: > configure applicationprofile System-HTTP : applicationprofile> preserve_client_ip Overwriting the previously entered value for preserve_client_ip : applicationprofile> save
- Create a virtual service with an application profile for which preserve client IP is enabled.