We are preparing the design for an NSX deployment. Kindly advise in which cases I should use an ESG with ECMP instead of an ESG with HA?
If the ESGs are providing routing, I would go with ECMP rather than HA (which I see is more suited to symmetrical connectivity).
If you have two ESGs which are using ECMP (multiple route paths), if one goes down at least only half will be affected; it will then reroute to the other ESG. If you use HA and it happens to take down the active, you then need to wait it out before the passive kicks in. HA Deadtimer + extra. It really depends on your setup. I find ECMP to be a lot quicker than HA in terms of network connectivity restoration.
To add to this, if you are using stateful services on the ESG - load balancing, NAT, FW, VPN - then you will need to use HA rather than ECMP. If there isn't a requirement for stateful services, ECMP can provide quicker failover if you tune the routing protocol timers.
Good point, but to double-check: will the FW also be disabled if we enable ECMP?
So what, we cannot work with the distributed firewall?
When using ECMP on the ESG, stateful services, including the ESG firewall, are disabled; however, you are still able to leverage the distributed firewall to protect virtual machines.
The ESG FW and DFW are two separate entities and have different enforcement points.