I'm facing the following scenario. I have my NSX infrastructure with one DLR on three ESXi hosts. On top of that, I have a Palo Alto firewall that today is my default route from the DLR. I also have a Cisco Router connected to the DLR that today doesn't receive any traffic from the DLR. I could reach through this Cisco Router the same group of subnets I can reach through the Palo Alto Firewall, but my first option is to send all the traffic to the PA because there I have all my firewall rules (I don't want the traffic from my virtual networks to be routed directly by the Cisco Routers cause I would lose all the security that PA Firewall gives me).
Today everything is routed using a static route in the DLR pointing to PA Firewall as the next hop, and PA has a static routes to reach the virtual networks through the DLR using the DLR as the next hop. The problem with this design is that if the PA Firewall went down, I would lose the connection to the outside world. But in that case I could have the possibility to change the default route of the DLR to use the Cisco Router instead the PA Firewall (changing also the static routes to the virtual networks in the Cisco Gateway in order to be reached through the DLR) and everything would go up and running again.
If I wanted to do all this failover from the PA to the Cisco Router automatically assuming that all are standard routing devices, I would configure OSPF between the DLR and the PA Firewall, the PA Firewall and the Cisco Router and between DLR and Cisco Router and everything would work perfectly, because I could put a higher cost between the the DLR and the Cisco Gateway and the routes learnt by the DLR from the PA Firewall would win or would have a better costs and if the PA Firewall went down the DLR would use the routes learnt by the Cisco Router.
But these are not standard routing device, at least the DLR is not. When I configured this topology in the DLR, it appeared an error saying that the DLR doesn't support OSPF running in more than one uplink interface (and I have two, one against the PA Firewall and another one facing the Cisco Router). Firstly I thought the solution was to put an ESG that talks to PA and Cisco Router instead of using the DLR, but reading about the ESG I see that it only supports 10 logical interfaces but only one of them can be an uplink interface. And I would need two uplink interfaces, one to connect to PA and another one to connect to Cisco Router.
So, the question is. How could I resolve my problem with NSX? The question is quite simple. How do I manage if I want to have two default gateways from the NSX perspective but one of them to be the preferred one?
Deploy two ESGs.
Deploy two ESGs.