VMware Networking Community
Shamyy
Enthusiast

What is the role of the DLR firewall and the Edge firewall?

Hello all,

I need to know what the role of the DLR firewall and the Edge firewall is. Is it only to protect their Management or Uplink interfaces, or can I use it to prevent traffic from any VM to another VM?

Thanks,

shamy

7 Replies
hansroeder
Enthusiast

DLR and ESG firewalls are used by these components themselves. You will find that firewall rules are created automatically when enabling dynamic routing for instance.

The ESG firewall can also be used to do North/South firewalling (provided that you're not running in ECMP mode). The DLR firewall shouldn't really be used to perform firewalling for your VMs. I also doubt it will even work, since traffic doesn't go through the DLR, since the DLR is distributed across all hosts. Haven't tested this though. I do know that it's not recommended to perform firewalling on the DLR (and why would/should you, when you can use the Distributed Firewall?).

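To make the distinction in the replies above concrete, here is a small added model (not code from the thread or from VMware) of which enforcement points a packet crosses in an NSX-v design: the Distributed Firewall at each VM vNIC, the DLR kernel module on the ESXi host for East/West routing, and the ESG firewall only for North/South traffic (and not in ECMP mode). The VM names, hosts and subnets are constructed, and the path rules are assumptions taken from the thread, not a vendor API.

```python
"""Model of which NSX-v enforcement points a packet crosses.

Constructed example: encodes the packet path described in the thread to show
why the DLR Control VM firewall never sees VM-to-VM traffic, while the
Distributed Firewall (DFW) and, for North/South flows, the ESG firewall do.
"""
from dataclasses import dataclass
from enum import Enum


class Point(Enum):
    DFW = "Distributed Firewall (vNIC of source and destination VM)"
    DLR_KERNEL = "DLR kernel module on the ESXi host (data plane)"
    DLR_CONTROL_VM = "DLR Control VM (control plane only, never in the data path)"
    ESG_FIREWALL = "ESG firewall (North/South)"


@dataclass(frozen=True)
class VM:
    name: str
    host: str      # ESXi host the VM runs on (constructed name)
    subnet: str    # logical-switch subnet, e.g. "10.0.1.0/24" (constructed)


@dataclass(frozen=True)
class Path:
    points: tuple      # enforcement points crossed, in order
    leaves_host: bool  # does the packet leave the physical host?


EXTERNAL = "external"   # marker for a destination outside the NSX domain


def packet_path(src: VM, dst, ecmp: bool = False) -> Path:
    """Return the enforcement points a packet from src to dst crosses.

    Assumptions (from the thread): the DFW is applied at every VM vNIC;
    routing between logical switches happens in the DLR kernel module on the
    source host; the DLR Control VM only peers (BGP/OSPF) and pushes routes;
    an ESG carries North/South traffic and its firewall is not usable in
    ECMP mode.
    """
    points = [Point.DFW]                       # source vNIC
    if dst == EXTERNAL:
        points.append(Point.DLR_KERNEL)        # routed off the logical switch
        if not ecmp:
            points.append(Point.ESG_FIREWALL)  # ESG stateful firewall
        return Path(tuple(points), leaves_host=True)
    if src.subnet != dst.subnet:
        points.append(Point.DLR_KERNEL)        # East/West routing, in-kernel
    points.append(Point.DFW)                   # destination vNIC
    return Path(tuple(points), leaves_host=src.host != dst.host)


def enforced_by(path: Path, point: Point) -> bool:
    """True if traffic on this path passes the given enforcement point."""
    return point in path.points


if __name__ == "__main__":
    # Two VMs on different subnets but the same host: routed in-kernel,
    # never leaves the host, never touches the ESG or the DLR Control VM.
    web = VM("web01", "esx-a", "10.0.1.0/24")
    app = VM("app01", "esx-a", "10.0.2.0/24")
    for p in (packet_path(web, app), packet_path(web, EXTERNAL)):
        print("leaves host:", p.leaves_host)
        for pt in p.points:
            print("  ", pt.value)
```

Running it shows that VM-to-VM traffic, whether on one or two logical switches, is only ever filtered by the DFW (and routed by the DLR kernel module), which is why the DFW rather than the DLR firewall is the place to control East/West traffic.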
Shamyy
Enthusiast

How does traffic not go through the DLR? Even for two VMs on two separate logical switches?

hansroeder
Enthusiast

The traffic goes through the DLR, but not through the DLR Control VM. It's the DLR Control VM that has a firewall built-in.

Shamyy
Enthusiast

What is the difference between the DLR and the DLR Control VM?

hansroeder (Accepted Solution)
Enthusiast

The DLR is what "lives" on all ESXi hosts, so that it is distributed, which provides for optimized East/West routing. For example, when two VMs on different subnets but on the same host need to communicate (for which routing is used), traffic will not leave the physical host. It is because of the distributed nature of the DLR that you need something like ESGs to route to and from the datacenter (North/South traffic).

The DLR Control VM is needed to provide dynamic routing like BGP or OSPF. The DLR Control VM is used for dynamic routing peering with upstream routers (ESGs) and pushes routing tables out to the ESXi hosts. One important thing to note is that the DLR Control VM is part of the Control Plane and is therefore not part of the data path (Data Plane).

Shamyy
Enthusiast

The DLR Control VM is part of the Control Plane and the DLR is part of the Data Plane?

Thanks,

shamy

hansroeder
Enthusiast

Correct!
