3 Replies Latest reply on May 10, 2018 8:44 PM by canero

    Local Egress and routes towards ESG

    joelstudi Lurker

      Author : betsyl

URL : http://docs.vmware.com/en/VMware-NSX-for-vSphere/6.2/com.vmware.nsx-cross-vcenter-install.doc/GUID-98B1347A-2961-4E2A-B6AC-2C38FD19D127.html

      Topic Name : Local Egress

      Publication Name : Cross-vCenter NSX Installation Guide

      Product/Version : VMware NSX for vSphere/6.2

      Question :

      What routes does the ESG forward towards the north physical router when local Egress is enabled? Are they being filtered? Can asymmetric routing occur (e.g. out on site A and in on site B)?

        • 1. Re: Local Egress and routes towards ESG
          Sreec Master

          Local Egress will ensure site-specific routes are sent via the respective site ESG (Site A ESG or Site B) for optimal routing. Technically you can certainly filter routes at any layer (NSX or physical network); it depends upon the use case. Filtering at the ESG or TOR and BGP path prepend are a few options for ingress traffic. This is something that we have to consider for A-A and A-P sites, and GSLB would be a great option when we have apps spanned across multiple sites. Remember, in an Active-Active DC model we always expect ingress/egress at the data center local to the client.

          You should certainly read the articles below.


          Multi-site Active-Active Solutions: NSX-V and F5 BIG-IP DNS


          NSX-V Multi-site Options and Cross-VC NSX Design Guide


          Asymmetric routes are expected when ESGs are in ECMP pairs. To prevent that, the ESG firewall will be disabled and stateful services are allowed to run on the ESG. DFW rules are preferred in that case.

          Asymmetric routing with ECMP and Edge Firewall Enabled – Route to Cloud

          VMware Knowledge Base

          • 2. Re: Local Egress and routes towards ESG
            joelstudi Lurker

            Thanks a lot for your response.


            But for the Universal Logical Switches that are attached to both the UDLR on Site A and the UDLR on Site B, the UDLRs will publish the route for this segment to the ESGs on Site A and Site B. So in an active-active environment there is no way of controlling on the UDLR whether Site A or Site B is the entry point for ingress traffic. So there is the possibility of asymmetric routing even with only one ESG per site. That's also why the feature is called "local egress"...

            • 3. Re: Local Egress and routes towards ESG
              canero Hot Shot

              As pointed out in the previous post, symmetrical traffic is needed for performance and if there is a firewall on the ESG. This could be achieved in 2 ways:


              1. Using NAT on the ESG for the VM and using a Global Load Balancer. If NAT pools are kept on separate subnets, the ingress and egress would be symmetrical. This needs the GLB to understand on which side the application servers reside and change the DNS replies dynamically. If there is no server for App-A on Site-2, it should stop Site-2 replies.

              2. If NAT is not used, the UDLR could understand on which site a VM exists from the ARP table, and start to announce this specific /32 host route towards the ESG, which in turn announces this route to the physical WAN cloud. Thus the client's ingress and egress is always symmetrical. If there are 2 VMs, VM-1 on Site-1 and VM-2 on Site-2, ingress and egress is symmetrical, and if VM-1 goes to Site-2, the ingress traffic towards VM-1 changes to Site-2. The GLB again could distribute the load between sites according to the number of App servers at the different sites.


              For active-standby scenarios a GLB might not be needed.
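The asymmetry joelstudi describes (both sites advertise the same stretched segment, so the WAN picks the ingress site while local egress pins the exit to the VM's own site) and the /32 host-route approach in canero's second option, worked through as an added example. This is not code from the thread or from NSX: it is a small Python model of an upstream router's best-path choice. The segment 10.10.1.0/24, the site names, the VM addresses and the tie-break rule are all constructed; the tie-break stands in for whatever the physical WAN happens to prefer, which the tenant does not control.

```python
"""Toy model of ingress/egress site selection for a universal logical switch
with local egress and one ESG per site.  Constructed example, not NSX code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    site: str             # site whose ESG advertised this prefix northbound
    as_path_len: int = 1  # longer AS path = less preferred (the BGP prepend knob)


class WanRouter:
    """Upstream physical router as seen by a remote client.

    Best path = longest prefix match, then shortest AS path, then an arbitrary
    but deterministic tie-break (lowest site name).  Only the tie-break is a
    constructed assumption; it represents the WAN's preference, which the
    tenant cannot steer and which is the root of the asymmetry."""

    def __init__(self, routes):
        self.routes = list(routes)

    def ingress_site(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.as_path_len, r.site))
        return best.site


SEGMENT = ipaddress.ip_network("10.10.1.0/24")  # constructed: one stretched segment
SITES = ("site-1", "site-2")


def summary_routes(segment=SEGMENT, sites=SITES):
    """Each UDLR instance publishes the stretched segment to its own ESG, so
    every site advertises the same /24 northbound."""
    return [Route(segment, site) for site in sites]


def host_routes(placement):
    """canero's option 2: a /32 per VM, advertised from the site where the VM
    currently lives (placement is what the UDLR would learn from ARP)."""
    return [Route(ipaddress.ip_network(f"{ip}/32"), site) for ip, site in placement.items()]


def path_report(router, placement):
    """Per VM: ingress site chosen by the WAN, egress site forced by local
    egress (always the VM's own site), and whether the two agree."""
    report = {}
    for ip, site in placement.items():
        ingress = router.ingress_site(ip)
        report[ip] = {"ingress": ingress, "egress": site, "symmetric": ingress == site}
    return report


def demo():
    placement = {"10.10.1.11": "site-1", "10.10.1.12": "site-2"}  # constructed VMs

    # 1. Only the /24 from both sites: the WAN alone decides the ingress site.
    plain = path_report(WanRouter(summary_routes()), placement)

    # 2. Add per-VM /32 host routes: longest prefix match pins ingress to the VM's site.
    pinned = path_report(WanRouter(summary_routes() + host_routes(placement)), placement)

    # 3. VM-1 moves to site-2; regenerating the host routes moves its ingress with it.
    moved = {**placement, "10.10.1.11": "site-2"}
    after_move = path_report(WanRouter(summary_routes() + host_routes(moved)), moved)
    return plain, pinned, after_move


if __name__ == "__main__":
    labels = ("summary /24 only", "with /32 host routes", "after VM-1 moves to site-2")
    for label, report in zip(labels, demo()):
        print(label)
        for ip, r in report.items():
            print(f"  {ip}: in via {r['ingress']}, out via {r['egress']}, symmetric={r['symmetric']}")
```

With only the /24 advertised, the VM on site-2 is reached via site-1 (the WAN's tie-break) but replies through its local ESG on site-2, which is exactly the flow a stateful ESG firewall would drop. Once the /32 host routes are added, the longer match wins regardless of the WAN's preference, and moving a VM simply moves its /32. The `as_path_len` field is there to try the BGP prepend option Sreec mentions: give one site's /24 a longer path and the tie-break no longer matters for the summary route.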