Default Gateway (IP Routing on Avi SE)


There are multiple use cases for enabling IP routing on Avi Service Engines.

When new application servers are deployed, the servers need external connectivity for manageability. In the absence of a router in the server networks, the Avi SE can be used for routing the traffic of server networks.

Another use case is when virtual services use an application profile with the preserve client IP option enabled. In that case, back-end servers receive traffic with the source IP set to the IP of the originating clients, so the Avi SE’s IP needs to be configured as the default gateway for these servers to route all traffic back through the SEs to the clients.


The following features are supported:

  • IP routing is supported on two-armed, no-access configurations of Linux server clouds and (as of release 17.2.4) VMware clouds, and conditionally supported on CSP. On CSP, it is supported when the interfaces attached to the SE instances are configured in SR-IOV mode.
  • For SE groups with the enable IP routing option set, the HA mode must be legacy HA (active/standby).
  • IP routing cannot be enabled in conjunction with the distribute load option set in the SE group configuration.
  • IP routing is enabled on only one (global) VRF.
  • IP routing is supported only on DPDK-based SEs.
  • IP routing is supported on VMware write access mode, if a virtual service has already been created. This virtual service creates the required Service Engines before MAC masquerading is tested.

Back-end servers must be on a directly-connected network (no router in between SE and servers) using all static IPs (no DHCP or DHCP relay).

Example Use Case

[Figure: legacy HA active/standby]

Briefly, enabling IP routing requires the following configurations to be done at various points in the network:

  • On the Avi Controller, enable IP routing for the SE group.
  • On the front-end router, configure static routes to the back-end server networks with the next hop set to the floating IP in the front-end network.
  • If BGP is enabled in the network and BGP peers are configured on the SEs, then enable “Advertise back-end subnets via BGP” for the SE group.
  • On the back-end servers, configure the SE’s floating IP in the back-end server network as the default gateway.

Configure IP Routing (Without BGP Peer)

Consider a simple two-leg setup with the server(s) in the back-end network (always a directly connected network) and front-end router in network. The steps to configure the IP routing (a.k.a. default gateway) feature are listed below. The UI and CLI instructions in each step are two different ways of performing the same configuration.

  1. Navigate to Infrastructure -> Service Engine Group -> Edit.
    a. Configure the HA mode in the SE group to legacy HA (Active/Standby).
    : > configure serviceenginegroup Default-Group
    : serviceenginegroup> active_standby
    Overwriting the previously entered value for active_standby
    : serviceenginegroup> ha_mode ha_mode_legacy_active_standby
    Overwriting the previously entered value for ha_mode
    : serviceenginegroup> save
    b. Ensure Distribute Load is not enabled.
    c. Configure floating IP addresses, one on each back-end network. These IP addresses are configured on the active SE and are taken over by the standby SE (the new active) upon failover.
    : > configure serviceenginegroup Default-Group
    : serviceenginegroup> floating_intf_ip
    : serviceenginegroup> save
    d. If there are no BGP peers configured, then configure a floating IP address for the front-end networks too.
    : > configure serviceenginegroup Default-Group
    : serviceenginegroup> floating_intf_ip
    : serviceenginegroup> save
  2. Enable IP routing on all SEs in the SE group.
    : > configure serviceenginegroup Default-Group
    : serviceenginegroup> enable_routing
    Overwriting the previously entered value for enable_routing
    : serviceenginegroup> save
    The above steps complete the SE group configuration to enable routing. However, the network is incomplete until the front-end routers and back-end servers are configured accordingly.
  3. Front-end router configuration (if no BGP peers are configured on SE)
    a. Configure the front-end router with a static route to the back-end server network (with the next hop pointing to the floating interface IP of the SE in the front-end network). For example:

    route add -net gw

  4. Back-end server configuration.
    a. Configure the default gateway of the back-end server(s) to point to the floating interface IP of the SE (the one in the server network).

    route add default gw

    This ensures that all the traffic including return (VIP) traffic from the back-end network uses SE for all northbound traffic.

  5. Configure the default gateway of SE to front-end as needed:
    Navigate to Infrastructure -> Routing -> Static Route -> Create.

Configure IP-Routing (With BGP Peer)

To configure IP routing with BGP peers, follow the five steps detailed above, with the following exceptions:

  • If the front-end supports BGP peering, then there is no necessity to configure floating IPs on the front-end interface (skip step 1.d above).
  • There is also no need to configure static routes in the front-end router (skip step 3 above).

After performing the above steps, follow the instructions below:

  1. Navigate to Infrastructure -> Routing -> BGP Peering -> Edit
    On the Avi Controller, configure BGP Peers network and IP Address.
    : > configure vrfcontext global
    : vrfcontext> bgp_profile ibgp local_as 1
    : vrfcontext:bgp_profile>
    : vrfcontext:bgp_profile> peers peer_ip
    New object being created
    : vrfcontext:bgp_profile:peers>
    : vrfcontext:bgp_profile:peers> subnet
    IP4 Prefix format
          (required) Subnet providing reachability for ...
    : vrfcontext:bgp_profile:peers> subnet
    : vrfcontext:bgp_profile:peers> bfd
    : vrfcontext:bgp_profile:peers> save
    : vrfcontext:bgp_profile> save
    : vrfcontext> save
  2. Enable the advertisement of back-end subnets via BGP.
    : > configure serviceenginegroup Default-Group
    : serviceenginegroup> advertise_backend_networks
    Overwriting the previously entered value for advertise_backend_networks
    : serviceenginegroup> save
  3. Configure the application profile to preserve client IPs for associated virtual service(s). This step is to be performed before any virtual service using the given application profile is enabled.
    : > configure applicationprofile System-HTTP
    : applicationprofile> preserve_client_ip
    Overwriting the previously entered value for preserve_client_ip
    : applicationprofile> save
    This configuration won't succeed if enable_routing is not yet configured. It is also mutually exclusive with the “connection multiplexing” option for L7 application profiles.
  4. Create a virtual service with an application profile for which preserve client IP is enabled.
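
A pre-flight check of the constraints and configuration steps described above, as an added example (not Avi's code and not part of the original page). The dictionaries are a constructed stand-in for the SE group, application profile and server settings, `check_ip_routing` is a hypothetical helper, and the keys `distribute_load` and `connection_multiplexing` are assumed names; the other keys mirror the CLI fields shown on this page.

```python
import ipaddress

# Constructed sample data; key names mirror the CLI fields on this page, except
# "distribute_load" and "connection_multiplexing", which are assumed names.
SE_SUBNETS = {"front-end": "198.51.100.0/24", "back-end": "192.0.2.0/24"}
SE_GROUP = {"ha_mode": "ha_mode_legacy_active_standby", "distribute_load": False,
            "enable_routing": True, "advertise_backend_networks": False,
            "floating_intf_ip": ["192.0.2.1", "198.51.100.10"]}
APP_PROFILE = {"preserve_client_ip": True, "connection_multiplexing": False}
SERVERS = [{"ip": "192.0.2.20", "gateway": "192.0.2.1"}]


def check_ip_routing(se_group, app_profile, bgp_peers, se_subnets, servers):
    """Return the list of constraints from this page that the inputs violate."""
    problems = []
    if se_group.get("ha_mode") != "ha_mode_legacy_active_standby":
        problems.append("ha_mode must be legacy HA (active/standby)")
    if se_group.get("distribute_load"):
        problems.append("Distribute Load must not be enabled")
    if app_profile.get("preserve_client_ip"):
        if not se_group.get("enable_routing"):
            problems.append("preserve_client_ip requires enable_routing")
        if app_profile.get("connection_multiplexing"):
            problems.append("preserve_client_ip excludes connection multiplexing")
    if bgp_peers and not se_group.get("advertise_backend_networks"):
        problems.append("BGP peers set but advertise_backend_networks is off")
    nets = {n: ipaddress.ip_network(c) for n, c in se_subnets.items()}
    fips = [ipaddress.ip_address(i) for i in se_group.get("floating_intf_ip", [])]
    for name, net in nets.items():
        # The front-end floating IP is only needed when no BGP peer is configured.
        required = name != "front-end" or not bgp_peers
        if required and not any(ip in net for ip in fips):
            problems.append(f"no floating IP in {name} network {net}")
    backend = [n for name, n in nets.items() if name != "front-end"]
    for srv in servers:
        addr = ipaddress.ip_address(srv["ip"])
        gw = ipaddress.ip_address(srv["gateway"])
        net = next((n for n in backend if addr in n), None)
        if net is None:
            problems.append(f"{addr} is not on a directly connected back-end network")
        elif gw not in fips or gw not in net:
            problems.append(f"{addr}: gateway {gw} is not the SE floating IP in {net}")
    return problems


if __name__ == "__main__":
    for line in check_ip_routing(SE_GROUP, APP_PROFILE, [], SE_SUBNETS, SERVERS):
        print("VIOLATION:", line)
```

A server whose default gateway is not the SE floating IP is the case worth catching early: with preserve client IP enabled, its return traffic would bypass the SE.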