Distributed Multi-Tier Routing in NSX-T

Distributed Multi-Tier Routing in NSX-T

Comments 5 comments

I learned something today, which in hindsight is obvious. Hopefully this helps someone that runs into the same “strange” (but not so strange) behavior.

I created the following topology today, to prepare for some NSX-T demo I am giving tomorrow:

routing topology

What I (among other stuff) wanted to show, was that routing between Test-Segments “D” and “E” and “A”, “B” and “C”, is completely distributed. So when VM’s from the different segments live on the same host, no physical hops are in the path.

To my surprise, after I created the environment, there wás hopping going on. Even when the VM’s where on the same host, the traffic would go from the host to the edge-node on which the T1 was hosted and from there back to the host.

So below is a picture of a TraceFlow which is using the T1’s SR to route traffic:

traceflow badtraceflow bad2

As you can see (sorry for the small print in the picture), the traffic is going out of the “esx” host and towards the “edge” (hop 1) and later on, it goes back to the “esx” host again (hop 2). You have to trust me that the host is the same on both occasions.

So after asking around, one of my instructors during the LiveFire training last month, suggested that the T1’s might be located on an Edge Node and that that would instantiate the T1’s SR. Since there could be firewalling or other stateful services used in the traffic, it would make sense that traffic is put through the SR and not just through the DR’s.

When I tried to delete the Edge Node Cluster config from the T1, I got the following error:

error when deleting edge node cluster

which basically tells me that, although I didn’t configure it, the firewall service is active on this T1, when it is connected to an Edge Node Cluster. When looking at the advanced configuration of the T1, I can verify this:

firewall config on T1

So in this case, I deleted the T1’s (after disconnecting the Segments off course) and recreated them, this time not on an Edge Node Cluster, and voila, routing is fully distributed:

traceflow good

And this also helps with reducing latency :).

So, it works as should be expected, but it took some time to figure that out and why. Thanks to my trainer at the NSX-T LiveFire (which I can highly recommended!).

Please follow and like us:
error
fb-share-icon
Tweet

5 thoughts on “Distributed Multi-Tier Routing in NSX-T

  1. Yep, if you associate a T1 with a edge cluster it will instantiate the SR with the firewall set to default open. So never do this, until centralised services are required.

    Reply
  2. Pingback: NSX-T East-West Traffic Flow - Spill the NSX-T
  3. Pingback: Setting up layer-3 connectivity with NSX-T -
  4. Pingback: Load Balancing with NSX-T 3.0 -

Leave a Reply

Your email address will not be published. Required fields are marked *