IBM Cloud for VMware


Connect VMware Overlay VMs to IBM cloud private network and endpoints

By Vineesh V posted 6 hours ago

  

In modern data-centre architectures, seamless integration between virtualized and physical networking is critical. VMware NSX-T provides robust networking and security capabilities, including support for dynamic routing protocols like BGP (Border Gateway Protocol). This blog post walks through how to configure BGP to establish connectivity between an NSX-T Tier-0 (T0) Gateway and an IBM backend customer network BCR gateway (IBM Cloud private network).




Prerequisites:

Understand how NSX-T Edge networking works: an NSX-T Edge is a virtual machine used to host Tier-1 and Tier-0 gateways, enabling routing between overlay segments and VLAN-backed segments.

 

In this example, the screenshots are from a different environment, so the IPs are in a different range compared to IBM private networks. Here the physical subnet is 172.27.11.xx/24, and LS-web, LS-app and LS-db are overlay VM segments.

Overall network topology:

      

Why BGP?

BGP is a dynamic routing protocol commonly used to exchange routing information between routers at different levels. Here we use BGP at the NSX-T Tier-0 Gateway level to peer with external devices such as IBM Cloud BCR routers, allowing automated route exchange and a highly available network across multiple interface connections.

Prerequisites

Before setting up BGP between an NSX-T T0 Gateway and an IBM BCR gateway, ensure the following:

- NSX-T Data Center is deployed and operational.
- The physical network supports the required routing adjacency and a minimum MTU size of 1600 bytes.
- Your NSX-T cluster (optional), hosts, nodes and segments are created.
- IBM Cloud portable private IPs, routed through the host VLAN, are available. They are required to establish BGP connectivity from the T0 gateway (Edge VM) to the IBM BCR router, and for NAT.
- NSX Edge VMs and the Edge cluster are deployed with proper overlay and underlay connectivity, with the help of a VDS.
- The external gateway/router is reachable from the NSX Edge VM and configured to support BGP.
- If the NSX and Edge clusters are not configured, please follow this document: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/installation-guide/installing-nsx-edge/nsx-edge-installation-requirements.html

Steps for creating a T0 gateway and establishing BGP peering with the IBM Cloud BCR router

1. Create and configure a Tier-0 gateway, or reconfigure an existing T0 gateway.

Navigate to Networking > Tier-0 Gateways > click **Add Gateway**, assign a name (e.g., T0-GW) and select an Edge Cluster > for HA mode, select active-standby or active-active > Save

NOTE: The other configuration properties can be enabled only after the new gateway object has been saved. If you are configuring an existing T0 gateway, you can skip the first step, but make sure your T0 gateway is in active-standby HA mode. BGP is a stateful protocol and is supported only in active-standby HA mode.

2. Create a VLAN-backed network segment for the Edge interfaces (you can use existing segments if you have already created them). The important details are: Connected gateway: empty; Transport zone: the VLAN-backed TZ that was created for the Edge nodes; Subnet: optional; VLAN: the portable subnet VLAN.

3. From the T0 gateway edit screen, under Interfaces, create an interface in the segment created in the previous step and assign it an IBM portable IP. This interface will peer with the external gateway.

The important details are: Name; Type: External; IP address: <Portable IP and subnet>; Segment: <the segment that has the correct VLAN ID of the portable subnet>; Edge node: <Edge1>.

4. Repeat the previous step to create a second T0 interface on the other edge node (Edge2). Use another portable IP from the same subnet and VLAN.

5. Verify the interfaces and IP configuration of your T0 gateway from the Edge VM.

SSH to your Edge VM as the admin user and run the command below to list the logical routers:

```
get logical-routers
```

Then identify the VRF ID of the T0 service router (SR) and run the following commands to check the interface and IP details and to test reachability of the IBM BCR router:

```
vrf <vrf id>
get interfaces
ping <gateway IP of portable subnet>
```

ICMP responses are sometimes disabled, so you may not get a reply when pinging the BCR IP. In that case, check for the BCR router's ARP entry from your T0 gateway (VRF) using the command `get neighbor`. If your T0 gateway cannot communicate with the BCR gateway, troubleshoot and fix this issue before going to the next step.

6. Once your T0 gateway can communicate with the IBM BCR router, follow these steps to enable BGP peering.

Go to the T0 editing screen >> Routing section > BGP > toggle the BGP button to Enabled >> set the **Local AS Number** (e.g., `65001`) >> Save

7. Configure BGP neighbours: from the same screen, click "Set" next to BGP Neighbours >> Add BGP Neighbour >> IP Address: the gateway IP of your portable subnet (IBM BCR) >> enter the Remote AS number (this can be obtained from the IBM Cloud network support team) > for the source IP, select one of the T0 interface IPs created in the previous steps.

8. Repeat the same step to add one more BGP peering from the second T0 interface.

9. Once the BGP peering is added, you can check its status by clicking the "i" button next to the BGP neighbour's status column. The connection status should be "Established".


Configure Route Redistribution

Your overlay IPs and subnets cannot communicate directly with the IBM network, so the overlay subnets connected to the T1 gateway must be address-translated to an IBM Cloud IP, and the routes forwarded to the T0 gateway.

1. Create a SNAT rule on your T1 gateway to translate the source IP from the overlay IP to an IBM Cloud VLAN-backed IP. You can use any free IP from the IBM Cloud portable subnet that was created for the T0 gateway interfaces. (NAT rules can be configured on T1 or T0 gateways, and the HA mode should be active-standby: SNAT and DNAT are stateful services and cannot be configured in active-active mode.)

2. Once you have created the NAT rule on the T1/T0 gateway, enable NAT IPs, all connected segments and service ports under Route Advertisement, and save. Once you advertise the route from the T1 gateway to the T0 gateway, do the same on the T0 gateway to forward the route to the IBM BCR router.

Once you have completed all these tasks successfully, your overlay IP segment will be able to communicate with the IBM Cloud private network and private endpoints. This can be verified by pinging an IBM private IP, such as DNS 10.0.80.11, from your overlay VMs. Your overlay VMs can use many IBM Cloud services through private endpoint connectivity, such as file/block/object storage services, private DNS, NTP and API endpoints.
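A pre-flight consistency check for the address plan that the interface, BGP neighbour and SNAT steps above rely on. This is an added example, not part of the original post; the plan layout, the `check_plan` name and every IP value are constructed assumptions.

```python
import ipaddress
# Constructed sample plan (not values from the post or from a real IBM Cloud account).
PLAN = {
    "portable_subnet": "10.200.10.64/26",
    "bcr_gateway": "10.200.10.65",
    "t0_interfaces": {"Edge1": "10.200.10.66", "Edge2": "10.200.10.67"},
    "snat_ip": "10.200.10.68",
    "bgp_neighbors": [
        {"neighbor": "10.200.10.65", "source": "10.200.10.66"},
        {"neighbor": "10.200.10.65", "source": "10.200.10.67"},
    ],
    "overlay_segments": {"LS-web": "192.168.10.0/24", "LS-app": "192.168.20.0/24"},
}

def check_plan(plan):
    """Return a list of problems in the address plan; an empty list means it is consistent."""
    problems = []
    subnet = ipaddress.ip_network(plan["portable_subnet"])
    bcr = ipaddress.ip_address(plan["bcr_gateway"])
    ifaces = {n: ipaddress.ip_address(ip) for n, ip in plan["t0_interfaces"].items()}
    used = {"BCR gateway": bcr, "SNAT IP": ipaddress.ip_address(plan["snat_ip"])}
    used.update({f"T0 interface {n}": ip for n, ip in ifaces.items()})

    # Each address must be a usable host of the portable subnet and be used only once.
    seen = {}
    for label, ip in used.items():
        if ip not in subnet or ip in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{label} {ip} is not a usable host in {subnet}")
        if ip in seen:
            problems.append(f"{label} {ip} collides with {seen[ip]}")
        seen.setdefault(ip, label)

    # Each neighbour targets the BCR gateway from a T0 interface IP (steps 7 and 8).
    sources = set()
    for nb in plan["bgp_neighbors"]:
        if ipaddress.ip_address(nb["neighbor"]) != bcr:
            problems.append(f"neighbour {nb['neighbor']} is not the BCR gateway {bcr}")
        src = ipaddress.ip_address(nb["source"])
        if src not in ifaces.values():
            problems.append(f"source {src} is not a T0 interface IP")
        sources.add(src)
    for name, ip in ifaces.items():
        if ip not in sources:
            problems.append(f"T0 interface {name} ({ip}) has no BGP peering")
    # Overlay segments reach IBM Cloud only through SNAT, so they must not overlap the subnet.
    for name, cidr in plan["overlay_segments"].items():
        if ipaddress.ip_network(cidr).overlaps(subnet):
            problems.append(f"overlay segment {name} {cidr} overlaps {subnet}")
    return problems
```

Calling `check_plan(PLAN)` returns an empty list for the sample plan; each returned string names one inconsistency to fix before entering the values in NSX Manager.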

## Summary

Integrating NSX-T with external networks using BGP at the Tier-0 Gateway provides a scalable and resilient way to propagate routes dynamically. This approach eliminates the need for manual static routing and simplifies cross-domain connectivity. With proper configuration and route redistribution, NSX-T becomes a fully routable part of the data centre fabric.

If you require help with any of the topics discussed, please reach out to IBM Cloud Support via the Support Center. https://cloud.ibm.com/unifiedsupport/supportcenter
