NSX – Configure local egress

Full disclosure I am not a networking guy… so… I might have got this completely wrong!!

First here is a diagram that visually shows the problem with Universal Logical Switches and Universal Logical Routers:

In the example above we have a VM in DC2 that is looking to get out to the internet (excuse the simplified diagrams). The problem is that the VM running in DC2 has no way to guarantee which ESG is used to break out to the web. This is because the Universal DLR in DC2 has two paths to reach the internet: one via the NSX Edge in DC1 and another via the NSX Edge in DC2.

This is because the Logical Router Control VM that owns the routing adjacency to the NSX Edges sees both NSX Edges as equally weighted to reach anything northbound, and it can choose either NSX Edge to forward the traffic to.

So to solve this problem (well, to start laying the groundwork) NSX introduces “location awareness” when the routing table is created. How? Assign an ID (which I believe is based on the NSX Manager UUID; remember, 1 NSX Manager to 1 vCenter) to all Universal Logical Router entities, uDLR Control VMs and ESXi hosts that you want to belong to the same “location”, e.g. are in the same site. Using this “Locale ID”, the NSX Controllers will only populate the routing table to ESXi hosts that have the same Locale ID as the Logical Router Control VM.

D’Oh… at this point we have only made it worse! In the diagram above we have two problems. First, ESXi hosts in DC1 would get the routing table since they have the same Locale ID as the Logical Router Control VM, but ESXi hosts in DC2 would not, as they do not have a Logical Router Control VM within their Locale ID “group”. Secondly, the Logical Router Control VM in DC1 can still see the NSX Edges in both DCs as equally costed routes.

Looks bad, but now that this framework is in place we can start to solve problems… the solution to the first problem? NSX allows you to deploy a second Logical Router Control VM from the other (secondary) NSX Managers (up to 8 Logical Router Control VMs in total, one per NSX Manager in the domain). The second Logical Router Control VM is assigned the same Locale ID as the ESXi hosts in the other DC.

To solve the second problem we have to stop the LR Control VM in DC1 from forming a routing adjacency with the NSX Edge in DC2 and vice-versa. To do this I created a Universal Logical Switch for each DC that connected only the ESGs and Logical Router Control VMs within the same DC/Site/Locale:
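To make the two pieces of the fix concrete, here is a small model I added (not NSX code, and not from the original post) of how the controllers distribute routes. It assumes two things the post describes: a Control VM only learns a default route from ESGs on the same transit Universal Logical Switch, and controllers only push a Control VM's routes to hosts sharing its Locale ID. Names like `ESG-DC1` and `transit-dc1` are made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ControlVM:
    name: str
    locale: str          # Locale ID (modelled here as the site name)
    transit_switch: str  # Universal Logical Switch it peers with ESGs over

@dataclass(frozen=True)
class Edge:
    name: str
    transit_switch: str

@dataclass(frozen=True)
class Host:
    name: str
    locale: str

def next_hops(cvm, edges):
    """Assumption: a Control VM forms adjacency only with ESGs on its transit ULS."""
    return sorted(e.name for e in edges if e.transit_switch == cvm.transit_switch)

def host_routing_tables(hosts, control_vms, edges, locale_aware=True):
    """Assumption: controllers push a Control VM's next hops to a host only when
    Locale IDs match (or to every host when location awareness is off)."""
    tables = {}
    for h in hosts:
        hops = set()
        for cvm in control_vms:
            if not locale_aware or cvm.locale == h.locale:
                hops.update(next_hops(cvm, edges))
        tables[h.name] = sorted(hops)
    return tables

# Constructed topology: one ESG and one host per site.
HOSTS = [Host("esx-dc1", "DC1"), Host("esx-dc2", "DC2")]

def problem_scenario():
    """Single shared transit ULS, one Control VM in DC1, no Locale IDs."""
    edges = [Edge("ESG-DC1", "transit"), Edge("ESG-DC2", "transit")]
    cvms = [ControlVM("cvm-dc1", "DC1", "transit")]
    return host_routing_tables(HOSTS, cvms, edges, locale_aware=False)

def locale_only_scenario():
    """Locale IDs on, but still one Control VM and one shared transit ULS."""
    edges = [Edge("ESG-DC1", "transit"), Edge("ESG-DC2", "transit")]
    cvms = [ControlVM("cvm-dc1", "DC1", "transit")]
    return host_routing_tables(HOSTS, cvms, edges)

def local_egress_scenario():
    """Second Control VM for DC2 plus a transit ULS per site."""
    edges = [Edge("ESG-DC1", "transit-dc1"), Edge("ESG-DC2", "transit-dc2")]
    cvms = [ControlVM("cvm-dc1", "DC1", "transit-dc1"),
            ControlVM("cvm-dc2", "DC2", "transit-dc2")]
    return host_routing_tables(HOSTS, cvms, edges)
```

Running the three scenarios in order reproduces the post: both ESGs as equal next hops everywhere, then DC2 hosts with an empty table, then each site using only its own ESG.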
