VMware NSX

Hi everyone

i don't know what is the difference between DLR and ESG

Can i deploy only ESG for an archtecture multi-tenants

Thank you

Hi Rizzello,

There is a brief description here

VMware NSX for vSphere 6.2 Documentation Center

However the DLR is a distributed component, the appliance that gets deployed is just to administer it, without it NSX can still route traffic between VLANs on the same host, or across hosts using VXLAN encapsulation without having to hairpin up to a northbound router.

A DLR has different characteristics outlined here

VMware NSX for vSphere 6.2 Documentation Center‌

Up to 1,000 DLR instances per host

Up to 999 logical interfaces (LIFs) on each DLR (8 x uplink + 991 internal) + 1 x management

Up to 10,000 LIFs per host distributed across all DLR instances (not enforced by NSX Manager)

Whereas the edge is more like a traditional perimiter firewall/gateway/router

VMware NSX for vSphere 6.2 Documentation Center

Each ESG can have up to 10 vNIC interfaces, or 200 trunk sub-interfaces.

Multitenancy is a common use case for ESGs and DLRs

Hope that helps

thank you very much for your response

it's very helpful

another question

for my lab can i use only ESG

or  the DLR is necessary

You can use only ESGs if you're not needing more than 10 interfaces. In my lab I use a combination of one DLR and 3 ESGs, only because I'm using ECMP and testing some other features like loadbalancing. Why not use one DLR connected to a transit logical switch and one ESG with one interface on the transit switch and one uplink interface to your outside network.

I tried this configuration but i don't know what the DNAT don't works

then i deleted the DLR and use  only ESG connected to 3 logical switches  and in this case the DNAT is working

I want understand what the role of DLR exactly if the ESG can route the traffic between VMS and between logical and physical network

Hi rizello,

NSX Edge = centralized routing

on a medium-large environment normally we have NSX Edge clusters & NSX Edge Racks

traffic from/to outside NSX environment (e.g. internet) going to the edge cluster/racks first

gateway IP address is in the nsx edge gateway vm

NSX DLR = distributed routing

VM to VM communication do not need to traverse to edge cluster/rack

gateway IP addresses are distributed across esxi hosts which prepared for NSX

in a very small environment e.g. only 1 esxi hosts for example, having DLR does not make any differences.

but when you have multiple esxi hosts and VMs on different subnet/vxlan/logical switches are distributed across esxi hosts,

NSX DLR helps to route VMs between different logical switches optimizing east-west traffic

the picture is taken from the NSX design guide, more explanation is also available on the design guide

VMware® NSX for vSphere Network Virtualization Design Guide ver 3.0

then i can use only ESG

??

thank you very much

Hi

Sorry for replying on old thread . You had mentioned

"without it NSX can still route traffic between VLANs on the same host, or across hosts using VXLAN encapsulation without having to hairpin up to a northbound router."

Can u please explain how ? Following is what i think :

In order that VM1 talks to VM2 , you either need a routing device present right inside the host [ which can be a DLR ] .. Or you have to take traffic out of host to a physical routing device and get back to host A

Now the second option that I mentioned is a hairpin at external router .

Can you explain how routing could be done without DLR / external router in following cases :

     a) VMs on same host

     b) VMs on diff hosts

Thanks

Gaurav

What he means is that you don't need the DLR Control VM, as this is part of the Control Plane and not the Data Plane. Routing in the Data Plane is handled by the DLR, which is part of the kernel of each host. When two VMs on the same host but in different subnets need to talk to each other, the traffic will not leave the physical host. If both VMs are on different hosts, naturally traffic will flow to the upstream switches to which the physical host is connected. However, routing is still performed in the ESXi kernel DLR.

If you're talking about not have a DLR and/or upstream router, then you can still route traffic using a Edge Services Gateway or other 3rd party router. But you will need to hit a router somewhere eventually.

You wrote :

"If both VMs are on different hosts, naturally traffic will flow to the upstream switches to which the physical host is connected. However, routing is still performed in the ESXi kernel DLR."

I don't think so that DLR will come in play (correct me if i am wrong here). For example :

In this case , is DLR coming in play ? No .. The routing is completely taken care by a physical device here

To me DLR has a use case when devices talk within host .. ESG has a use case when there is a use case of "data centre interconnect " or "talk to external world"..

Please correct me if i am wrong here

Well, you're not completely wrong :smileywink:

If your VMs are behind a DLR, routing will be handled by the DLR (within a host and between hosts, it doesn't matter). The traffic will then be sent to the destination host through VXLAN. This VXLAN traffic can of course be routed.

And indeed, the ESG is used for North/South routing, to and from the datacenter.