Skip to content. | Skip to navigation

IT Virtualization Blog

Personal tools

This is SunRain Plone Theme
You are here: Home / Users / lmarzke / howto / NSX / Lab 2 - NSX dist Logical Router with Edge NAT

Intro to NSX - Distributed Logical Routing and Edge gateway with NAT

by lmarzke last modified Oct 11, 2017 02:21 PM
NSX lab setup using a distributed Logical router (DLR) for east/west routing, and and Edge gateway (ESG) for both SNAT and DNAT.


This is the 2nd of a many part series in learning NSX.    While there are plenty of Internet tutorials and Lab's to assist in learning NSX I found many of them to be too complicated for first time learners.   A second problem was that many on-line howto documents failed to document 3 or 4 critical IP's associated with the DLR  or ESG routers,  leading to hours of research to figure it out.

So I won't go into detail about all the steps required , as that can be found many places on-line,  but I will provide a complete diagram of working configurations with all IP's listed and screen shots of the working configuration screens.   Had I had  this info it would have saved me many hours.   The public IP's have been modified for security

The entire series is linked here.

 Lab Diagram

LDR router with EPG gateway NAT


Distributed Logical Router (DLR)

This tutorial builds upon the last one by moving the Logical switch connections of the last lab over the the Distributed logical router (DLR).  This time we have built out all 3 tiers of a multi-tier app ( web, app, db ) as three logical switches on 3 separate subnets.  In order to pass traffic between tiers,  the LS's are connected to the DLR, which by default routes all 'Directly connected' networks.  That is,  we don't need to change any defaults on the DLR as long as the (3) LS's are connected to it, and the firewall is set to default PASS,  the 3 tiers should have connectivity.


The DLR is connected to the ESG by a new Logical Switch (LS) called the "Transit network".   In larger environments the ESG's are typically located in the "Edge Cluster" so using an LS makes it easy to get traffic from any NSX computer cluster to the Edge Cluster.

Note that VM's are routed east/west by the DLR and use the DLR as their default GW.   However the transit network is routed north/south to the public Internet by the ESG,  so the DLR uses the ESG as it's default GW.   The ESG then uses the ISP as it's default GW.   This can get confusing if you are new to multi-hop routing.

One complication is that we now have switched from static routing to using OSPF.   If static routing were used,  each time a new LS ( and subnet)  was added to the DLR , we would have to manually add static routes to the ESG   Since the LS's are not directly connected to the ESG,  it has to be told about them.   However,  by setting up OSPF between the DLR and ESG, this routing information is automatically 'distributed' to the ESG.  That is, the ESG knows for instance that is reachable via the DLR's forwarding IP.     In this lab, the OSPF configuration is rather simple, in that it automatically distributes ALL directly connected subnets up to the ESG.  


As in the last lab,  we use the ESG to NAT our VM's to the Internet.   Web1 is setup for SNAT outbound to the Internet on the .15 IP, while the public .16 IP is set for DNAT inbound SSH traffic on port 21 to Web1.     Since the ESG firewall is connected to the Internet,  the default policy must be "DENY" and we have to enter firewall rules to allow any traffic.   Note that firewall rules are written on the IP prior to being NATed,  not the translated IP.


Logical Router Interfaces

Each of the Logical switches for the Web,App, and DB tiers are connected to the DLR, with an LIF IP of '.1' for each.

A new Transit Logical Switch is created and connected to the DLR.   The transit network is the north/south link to the ESG.

DLR Interfaces


DLR Routing

OSPF is setup with the transit network defined as a new "Normal" area "10".   The Area definitions box is too small to show the '10'.  Then OSFP is enabled with the Forward address set to the Transit uplink address ( .2 ), and the Protocol address set to a free address on the Transit network ( .3 ),  with Graceful restart enabled. 

OSFP routing

DLR route redistribution

OSPF is now configured so knowledge  of any "connected" networks on the DLR will be redistributed to other OFPF instances.  In this case the routes in Area 10 will be made know to the ESG which is also running OSPF.   Note the 'Redist status' at the top of the screen is also enabled.

DLR route redist

 DLR Firewall

The DLR firewall default generated rules are used.   Nothing has been added.   The firewall status should be enabled.

DLR firewall

ESG Setup

 The ESG interfaces are setup for north/south routing.   One interface is attached to an existing 'dvFIOS' (WAN) distributed portgroup and set for existing pubic IP's.    A second interface is attached to the Transit network,  with an IP of '.1' 

 ESG interfaces

ESG Routing config

The ESG routing is setup with the Internet (WAN) Gateway address,  and the router ID is selected from a pickbox selecting the Wan interface ( identified by the Primary WAN IP of )

ESG routing config



The ESG config is setup the same way as the previous DLR.  OSFP  Transit network is defined as Normal area '10' .  ( The Area Def below is too small to show the '10' line ).  OSPF status at the top shows "Enabled".

ESG OSPF config


ESG OSPF route redistribution

ESG routing is set to distribute connected routes ( e.g  The Internet gateway ) to the DLR.   Note that the top line shows OSPF is enabled.

ESG OSPF route redist



ESG NAT is setup much the same as Lab 1.    The Transit network is setup for outbound SNAT to the primary public IP of '.15' , while the second public IP of '.16' is setup for DNAT of SSH inbound to the web1 VM.  Note that the DNAT is set to the second public IP of '.17' ( not the internal VM IP )


 ESG Firewall 

 Finally the ESG firewall is setup.   Since we are on the public Internet the default firewall rule is set to 'DENY'.    The autogenerated rules below are 1,2, and 5.    We add a rule to allow inbound SSH traffic to the public IP '.16' ( here this is defined as a IP_group with one IP ) to be allowed for later NAT translation.   Note that the top of screen shows the firewall is enabled.

ESG Firewall


Lets look at the ESG to see how the OSPF routes are showing up.    Prior to OSPF being enabled,  the ESG shows the following ( using 'show ip route' command' ),  so the ESG has an interface connected to network,  but knows nothing about anything on that network.

ESG routes no redist

After enabling OSPF,  the ESG now shows the following routes.  The new OSPF routes show up with a "O" in the left column.  The route to the DLR shows up over the transit network on locally connected,   and the routes to the logical switches show up reachable by the DLR on

 ESG routes from ospf


Document Actions