VMware NSX

  • 1.  Local Egress and routes towards ESG

    Posted May 06, 2018 06:13 PM

    Author : betsyl

    URL : http://docs.vmware.com/en/VMware-NSX-for-vSphere/6.2/com.vmware.nsx-cross-vcenter-install.doc/GUID-98B1347A-2961-4E2A-B6AC-2C38FD19D127.html

    Topic Name : Local Egress

    Publication Name : Cross-vCenter NSX Installation Guide

    Product/Version : VMware NSX for vSphere/6.2

    Question :

    What routes does the ESG forward towards the north physical router when local Egress is enabled? Are they being filtered? Can asymmetric routing occur (e.g. out on site A and in on site B)?



  • 2.  RE: Local Egress and routes towards ESG

    Broadcom Employee
    Posted May 06, 2018 07:03 PM

    Local Egress will ensure site-specific routes are sent via the respective site ESG (Site A ESG or Site B) for optimal routing. Technically you can certainly filter routes at any layer (NSX or physical network); it depends upon the use case. We can filter at the ESG; TOR BGP path prepend is another of a few options for ingress traffic. This is something that we have to consider for A-A and A-P sites, and GSLB would be a great option when we have apps spanned across multiple sites. Remember, in an Active-Active DC model we always expect ingress/egress at the data center local to the client.

    You should certainly read the articles below:

    Multi-site Active-Active Solutions: NSX-V and F5 BIG-IP DNS

    NSX-V Multi-site Options and Cross-VC NSX Design Guide

    Asymmetric routes are expected when ESGs are in ECMP pairs. To prevent that, the ESG firewall will be disabled and stateful services are allowed to run on the ESG. DFW rules are preferred in that case.

    Asymmetric routing with ECMP and Edge Firewall Enabled – Route to Cloud

    VMware Knowledge Base



  • 3.  RE: Local Egress and routes towards ESG
    Best Answer

    Posted May 07, 2018 02:58 PM

    Thanks a lot for your response.

    But for the Universal Logical Switches that are attached to both the UDLR on Site A and the UDLR on Site B, the UDLRs will publish the route for this segment to the ESGs on Site A and Site B. So in an active-active environment there is no way of controlling on the UDLR whether Site A or Site B is the entry point for ingress traffic. So there is the possibility of asymmetric routing even with only one ESG per site. That's also why the feature is called "local egress"...



  • 4.  RE: Local Egress and routes towards ESG

    Posted May 11, 2018 03:45 AM

    As pointed out in the previous post, symmetrical traffic is needed for performance and if there is a firewall on the ESG. This could be achieved in 2 ways:

    1. Using NAT on the ESG for the VM and using a Global Load Balancer. If NAT pools are kept on separate subnets, the ingress and egress would be symmetrical. This needs the GLB to understand on which site the application servers reside and change the DNS replies dynamically. If there is no server for App-A on Site-2, it should stop Site-2 replies.

    2. If NAT is not used, the UDLR could understand on which site a VM exists from the ARP table, and start to announce this specific /32 host route towards the ESG, which in turn announces this route to the physical WAN cloud. Thus the client's ingress and egress is always symmetrical. If there are 2 VMs with IPs VM-1 10.10.10.10/24 on Site-1 and VM-2 10.10.10.20/24 on Site-2, ingress and egress is symmetrical, and if VM-1 moves to Site-2, the ingress traffic towards VM-1 changes to Site-2. The GLB again could distribute the load between sites according to the number of App servers on the different sites.

    For active-standby scenarios a GLB may not be needed.
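The two routing situations discussed in posts 3 and 4 (both sites advertising the same stretched /24, versus each site also advertising /32 host routes for the VMs it actually hosts) can be checked with a small longest-prefix-match model. This is an added example, not code from the thread or from NSX; the site names, the VM addresses and the tie-break rule used for equal-cost prefixes (a fixed preference for the first site, standing in for whatever ECMP hashing the physical WAN really does) are constructed assumptions.

```python
"""Longest-prefix-match model of ingress/egress symmetry for a stretched segment.

Added example, not NSX code. Two sites advertise the same /24 to the physical
WAN; optionally each site also advertises a /32 for every VM that its UDLR
sees locally (the ARP-table idea from the thread). Egress always uses the
VM's own site (local egress); ingress is whatever the WAN's longest-prefix
match selects. The tie-break for equal-length prefixes is an assumption.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: one stretched segment advertised from both sites.
SEGMENT = ip_network("10.10.10.0/24")
SITES = ("site-1", "site-2")

# Constructed stand-in for the UDLR ARP tables: the site each VM lives at.
VM_LOCATION = {"10.10.10.10": "site-1", "10.10.10.20": "site-2"}


def build_wan_rib(vm_location, host_routes):
    """Routes the physical WAN learns from the per-site ESGs, as (prefix, site).
    Every site advertises the /24; with host_routes=True each site also
    advertises a /32 for the VMs present at that site."""
    rib = [(SEGMENT, site) for site in SITES]
    if host_routes:
        rib += [(ip_network(f"{ip}/32"), site) for ip, site in vm_location.items()]
    return rib


def ingress_site(rib, dst_ip):
    """Longest-prefix match over the WAN RIB. Equal-length candidates fall
    back to a fixed preference for the first site in SITES (assumption
    standing in for ECMP hashing)."""
    dst = ip_address(dst_ip)
    candidates = [(net.prefixlen, site) for net, site in rib if dst in net]
    if not candidates:
        return None
    best_len = max(length for length, _ in candidates)
    winners = [site for length, site in candidates if length == best_len]
    return sorted(winners, key=SITES.index)[0]


def egress_site(vm_location, src_ip):
    """Local egress: a VM's outbound traffic leaves via its own site's ESG."""
    return vm_location[src_ip]


def path_is_symmetric(vm_location, vm_ip, host_routes):
    """True when the WAN delivers ingress to the same site the VM egresses from."""
    rib = build_wan_rib(vm_location, host_routes)
    return ingress_site(rib, vm_ip) == egress_site(vm_location, vm_ip)


def symmetry_report(vm_location, host_routes):
    """Map each VM address to whether its ingress and egress use the same site."""
    return {ip: path_is_symmetric(vm_location, ip, host_routes) for ip in vm_location}


if __name__ == "__main__":
    print("only /24 advertised:  ", symmetry_report(VM_LOCATION, host_routes=False))
    print("with /32 host routes: ", symmetry_report(VM_LOCATION, host_routes=True))
    # VM-1 vMotions to site-2: its /32 is now advertised from site-2, so ingress follows.
    moved = {**VM_LOCATION, "10.10.10.10": "site-2"}
    print("after VM-1 moves:     ", symmetry_report(moved, host_routes=True))
```

With only the /24 advertised, the WAN has no way to tell which site hosts VM-2, so the tie-break sends its ingress to site-1 while its egress leaves site-2; that is exactly the asymmetry that a stateful ESG firewall would break on. Once the /32 host routes are in the RIB, longest-prefix match pins ingress to the hosting site, and moving a VM simply moves its /32 with it.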