NSX-V and OSPF Area Types Walkthrough – See why NSSA is better for Tenants – Part 2

In Part 1, we made some observations by configuring all the NSX-V Tenants under a single Area 0. To summarize, these were the observations:

  • Each Tenant DLR has a single uplink for North bound traffic (Uplink to ESG) and has a Default route point to the ESG. In that case, why can’t we filter out the E2 routes advertised from the other Tenants.
  • Why we need to increase the number of routing table entries and LSDB entries on each DLR?
  • Why a DLR on Tenant need to see routes advertised from other Tenants? Can this be masked with some default routes?
  • With dynamic Tenant network changes (Creating a Tenant network, deleting a Tenant network etc), why DLRs in other Tenants need to be notified of the changes? Why we need to anticipate unnecessary LSA flooding?

If you haven’t read Part 1, then please find it here: https://vxplanet.com/2019/04/24/a-study-on-nsx-v-with-ospf-area-types-why-is-nssa-better-for-tenants-part-1/

In this post, we will look at the OSPF design option called NSSA that can address all of the above observations. I can’t say those as Issues, so I would prefer saying as ‘Observations’ . Lets move on.

Scenario 2  – Each Tenant is in it’s own NSSA Area. 

[Click here for HQ Image]


Here each Tenant is configured to be in it’s own OSPF NSSA Area. The physical infrastructure is on the backbone Area 0. The ESG becomes the OSPF ABR that connects each Tenant NSSA areas to the backbone Area 0.

To visualize things from an ESG point of view, this is how OSPF configuration on ESG would look like:

  • Each Internal Interface of ESG that connects to the DLR of each Tenant would be in its own OSPF NSSA Area.
  • The VLAN Uplink of the ESG that peers with the Aggregation layer would be in Backbone Area 0.

To visualize things from a DLR (Tenant) point of view, this is how OSPF configuration on each DLR would look like: 

  • The Uplink Interface of each DLR that connects to the ESG would be on an OSPF NSSA area
  • The Internal Interfaces where the logical switches attaches are redistributed into the OSPF process.
  • Each DLR is in fact an OSPF NSSA ASBR.

OSPF Configuration on the S5048-ON Aggregation switches

No changes are being made to the physical infrastructure. They are configured on OSPF Area 0 and use the same configuration as Part 1.

OSPF Configuration on the NSX-V ESG

As mentioned earlier, the VLAN Uplink of ESG is configured on OSPF Area 0. The Internal Interfaces to the Tenants are on their unique NSSA Areas.

Tenant 1 -> NSSA Area 1

Tenant 2 -> NSSA Area 2

The priority of the ESG Uplink VLAN interface is set to zero, just to avoid it becoming the DR/BDR for the physical segment in Area 0. [Click here for HQ Image]


Note that when you create an NSSA Area, you can select if this ESG would hold the NSSA Translator Role. This is useful in a multi ESG deployments where the ESG holding this role would take the responsibility of Translating the Type 7 LSAs generated by the NSSA DLRs to Type 5 LSAs so that it can be seen as E2 routes by other routers. In our case, it’s just one ESG so we don’t need that option to be enabled.


OSPF Configuration on Tenant01 (DLR_Tenant01)

As mentioned earlier, the DLR Uplinks to the ESG is configured on OSPF NSSA Area 1. All the Internal interfaces are redistributed into the NSSA Area 1.

Note that only NSSA Areas support ASBRs. Normal Stub or Totally Stub areas doesn’t support ASBR. NSX-V doesn’t support Stub or Totally Stub areas.

[Click here for HQ Image]


OSPF Configuration on Tenant02 (DLR_Tenant02)

The configuration is similar to Tenant 1 DLR except that it is configured for NSSA Area 2.

[Click here for HQ Image]


Routing Tables, OSPF LSDB, LSA Filtering & Translation

Now that the configuration is completed, lets look at the different tables on the DLRs, ESG and the Aggregation switches and check out what they see.

Lets look at the Tables on Tenant 1 DLR 

This is the OPPF LSDB. It now has a filtered list. DLR maintains the LSDB specific to the NSSA Area 1. Note that a copy of the same table exists on the ESG ABR as well.


Type 1 LSA table maintains only the local links now – DLR uplink and the ESG internal link.

Type 2 LSA Table now has only one DR, in this case it is the ESG.

There is a Type 3 LSA Table. This is advertised from the ESG about the Inter-Area routes. It maintains a summary of all the Inter-Area routes.

There are no Type 4 or Type 5 LSA Tables. 

There is a Type 7 LSA Table. This has info about all the routes redistributed into the OSPF process. They appear as Type 7 (N2 Routes) inside the NSSA area and are translated by the ESG ABR to Type 5 LSAs. So they are seen as E2 routes by other non-NSSA areas (the physical network)

Now, lets look at thr routing table of the Tenant. Notice that there are no E2 routes here. That is, no routes advertised from the other Tenants (as well as any E2 routes) coming from External. It is now superseded by the Default route.


Now lets look at the forward address of a route redistributed by this DLR. Since we have only a single ESG instance, this is not of a concern here. This comes into play when a DLR connects to multiple ESGs. DLR advertises about what would be the return address when a client needs to reach this redistributed logical network.


The same observations can be made for Tenant 2 DLR.

Lets look at the Tables on the ESG

This is the OSPF database for the Type 7 LSAs. As this ESG is the ABR, it maintains the Type 7 LSA table for all the NSSA areas.


Lets look at the routing table. We can see that all the redistributed routes from the DLRs in each tenant appear as an N2 route in the routing table. ESG translates their N2 route to an E2 route where it can be seen by other non-NSSA areas.


Lets look at the tables on the Aggregation switches

The routing table doesn’t show any N2 routes. They are visible only inside an NSSA area. Instead you can see that all N2 routes are translated to E2 routes.


For each External route received, you can see two descriptors – an Advertising Router and Forwarding Address. As discussed previously, Advertising Router is the one that performs the LSA Type 7 to Type 5 conversion. Forward Address is the one used by this router to reach that particular destination. That means it is not necessary that Advertising Router can be the Next-hop. This is applicable only in Large deployments.

Observations from Scenario 2

  • Each Tenant DLR is in it’s own NSSA Area. All Type 5 LSAs are filtered out and the routing tables doesn’t show up any E2 routes of other Tenants.
  • Each Tenant DLR is independent of changes happening to other tenants. As each Tenant is in its own area, LSA flooding is localized because each maintains its own LSDB and doesn’t affect other areas.
  • Scaling up or scaling out of Tenants have zero impact on other tenants with respect to routing updates.
  • Redistribution of routes on each Tenant is possible with NSSA (as Stub or Totally stub doesn’t support ASBRs. NSX supports only NSSA)
  • We can’t filter out the Type 3 LSAs (IA routes). We need to configure the area as ‘Totally NSSA’, however this is not available at this moment.

Now I hope you are clear why NSSA areas are better for Tenants when you use OSPF for dynamic routing in NSX-V. This concludes Part 2 of this post. 

If you missed out Part 1, it is available at the below link:






Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s