Giovanni_P
Enthusiast

Static routes limits

Hi all,

Recently I have read a document on the VMware site that explains the limits of the vShield suite, including a maximum number of static routes for a vShield Edge (100 max static routes).

I have tested this by creating 500 "fake" static routes (192.168.x.x -> {real IP address X}) via the API and finally creating a "real" static route ({real IP address Y} -> {real IP address X}).

Next I tried an SSH connection to {real IP address Y} and it successfully connected.

After all, my question is: what does the limit explained in the document refer to?

What happens if I insert 500 static routes in a prod. environment? (50% work and 50% don't?)

PS. You can read the document at this address: VMware KB: vCloud Networking and Security 5.1 Edge configuration limits and throughput

Thank you in advance

Giovanni

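The check the poster ran by hand, as an added Python example that is not code from this thread: it generates constructed 192.168.x.x test routes, builds the Edge's staticRouting body, and refuses to push more than the KB's documented 100 routes unless the operator explicitly overrides. The XML element names and the `/api/3.0/edges/<edgeId>/routing/config/static` path are assumed from the vCNS 5.1 API, and all addresses are constructed test data.

```python
"""Static-routing payload builder with a configuration-maximum guard.

Added example, not code from this thread. The <staticRouting>/<staticRoutes>/<route>
body and the PUT path /api/3.0/edges/<edgeId>/routing/config/static are assumed from
the vCNS 5.1 API; check them against your vShield Manager. Addresses are constructed.
"""
import itertools
import ipaddress
import xml.etree.ElementTree as ET

DOCUMENTED_MAX_STATIC_ROUTES = 100  # figure quoted in the thread from the VMware KB


class RouteLimitExceeded(ValueError):
    """Raised before anything is sent when the table would exceed the documented maximum."""


def fake_routes(count, next_hop="10.0.0.1", vnic=0):
    """Return `count` constructed /32 host routes under 192.168.0.0/16 via next_hop."""
    supernet = ipaddress.ip_network("192.168.0.0/16")
    if count > supernet.num_addresses:
        raise ValueError("only %d host routes fit in %s" % (supernet.num_addresses, supernet))
    hosts = itertools.islice(supernet.subnets(new_prefix=32), count)
    return [{"network": str(n), "nextHop": next_hop, "vnic": vnic} for n in hosts]


def build_static_routing_xml(routes, limit=DOCUMENTED_MAX_STATIC_ROUTES, enforce=True):
    """Serialise routes to a <staticRouting> body; refuse to exceed `limit` unless enforce=False."""
    if enforce and len(routes) > limit:
        raise RouteLimitExceeded(
            "%d routes requested, documented maximum is %d" % (len(routes), limit))
    root = ET.Element("staticRouting")
    table = ET.SubElement(root, "staticRoutes")
    for r in routes:
        ipaddress.ip_network(r["network"])   # reject malformed CIDR before it reaches the Edge
        ipaddress.ip_address(r["nextHop"])
        route = ET.SubElement(table, "route")
        ET.SubElement(route, "vnic").text = str(r["vnic"])
        ET.SubElement(route, "network").text = r["network"]
        ET.SubElement(route, "nextHop").text = r["nextHop"]
    return ET.tostring(root, encoding="unicode")


def count_routes(xml_body):
    """Count <route> entries in a staticRouting body, e.g. the current table fetched with GET."""
    return len(ET.fromstring(xml_body).findall("./staticRoutes/route"))


if __name__ == "__main__":
    body = build_static_routing_xml(fake_routes(100))
    print("100 routes -> %d entries, within the documented maximum" % count_routes(body))
    try:
        build_static_routing_xml(fake_routes(500))   # the poster's unsupported test size
    except RouteLimitExceeded as exc:
        print("500 routes ->", exc)
```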
showard1
Enthusiast

Hi

Configuration maxes sometimes represent actual limits to what something can do. Usually though, they refer to what VMware has thoroughly tested and what GSS will be able to support. IMO more than 500 static routes will probably function, but you're on your own if a problem is encountered.

It is possible to obtain an RFQ (request for qualification) via our product teams in situations like this. Basically it's an exception that GSS grants you in advance that allows you to operate outside of the configuration maxes. It's not a simple process, so I'd advise going down that path only if you really need to. Your SE or Sales Rep can put you in touch with the right people for this.

Sean

Giovanni_P
Enthusiast

Hi Sean,

Thank you for the answer.

I don't really need 500 static routes, but I only wanted to see what happens if I exceed the limit of 100 static routes.

But what problems can I run into if I use (for example) 500 static routes?

1) The static route doesn't take effect?

2) vShield returns an error?

3) The interfaces shut down?

4)...

...

Texiwill
Leadership

Hello,

As Sean said, the limits are there to limit supportability based on what was tested with the size of the vCNS Edge appliance in use. There is only so much memory for the appliances. In addition, there are performance considerations. You may need to bump your vCNS Edge size higher to support larger counts of routes in a performant way. The more rules (FW, DNAT, SNAT) and routes, the more CPU the Edge will take. You may be better off having more Edges in place that are smaller than one massive one. For example, I use Edges to separate tenants but also various trust zones outside my tenants. These are simple 2-vNIC Edges but allow me to have specific FWs for each trust zone. Scale out vs. scale up.

re: Errors

Since VMware has not tested it, the only way to find an answer is to test things yourself.... Failures may happen, CPU utilization will definitely go up....

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

Giovanni_P
Enthusiast

OK, I understand.

I'll monitor the vShield Edge performance and I'll try to find the limit of static routes for my Edge (quad XL).

Thank you again

Giovanni
