hello all,
I need to know what the role of the DLR firewall and the Edge firewall is. Is it only to protect their Management or Uplink interfaces, or can I use it to prevent traffic from any VM to another VM?
Thanks,
shamy
DLR and ESG firewalls are used by these components themselves. You will find that firewall rules are created automatically when enabling dynamic routing for instance.
The ESG firewall can also be used to do North/South firewalling (provided that you're not running in ECMP mode). The DLR firewall shouldn't really be used to perform firewalling for your VMs. I also doubt it will even work, since traffic doesn't go through the DLR, since the DLR is distributed across all hosts. Haven't tested this though. I do know that it's not recommended to perform firewalling on the DLR (and why would/should you, when you can use the Distributed Firewall?).
How does traffic not go through the DLR? Even for two VMs on two separate logical switches?
The traffic goes through the DLR, but not through the DLR Control VM. It's the DLR Control VM that has a firewall built-in.
What is the difference between the DLR and the DLR Control VM?
The DLR is what "lives" on all ESXi hosts, so that it is distributed, which provides for optimized East/West routing. For example, when two VMs on different subnets but on the same host need to communicate (for which routing is used), traffic will not leave the physical host. It is because of the distributed nature of the DLR that you need something like ESGs to route to and from the datacenter (North/South traffic).
The DLR Control VM is needed to provide dynamic routing like BGP or OSPF. The DLR Control VM is used for dynamic routing peering with upstream routers (ESGs) and pushes routing tables out to the ESXi hosts. One important thing to note is that the DLR Control VM is part of the Control Plane and is therefore not part of the data path (Data Plane).
The DLR Control VM is part of the Control Plane and the DLR is part of the Data Plane?
Thanks,
shamy
Correct!