An administrator has recently deployed NSX, but is still using a pair of physical network security
devices. The administrator wants to use the physical security devices to filter virtual machine traffic
hosted in the overlay network.
Which NSX component will provide the connectivity between the overlay and the physical
network?
A. Distributed Firewall
B. NSX Controller
C. Edge Services Gateway
D. Logical Router
The two types of logical routing communications discussed above are usually achieved leveraging two different functionalities: centralized routing and distributed routing.
Centralized routing represents the on-ramp/off-ramp functionality that allows communication between the logical network space and the external layer 3 physical infrastructure.
Edge services gateway can also provide connectivity with the physical network, and I think it is the preferred option.
In the case of a logical router, you need to have a cable to the physical network on every ESX host. The Edge gateway eliminates that.
C seems to me a better option.
C is true, but D is more specific, so it's a better choice, in my opinion.
NSX Edge contains both the Services Gateway and the Logical Router. The Edge Gateway is the one that links to the outside world. C should be a better answer.
This question doesn’t ask which one connects to “the outside world”; regardless, both ESR and DLR can connect to physical network in different ways. One does not require gateway services for this question.
The Logical Router (distributed logical router) is for east-west traffic.
The question is:
Which NSX component will provide the connectivity between the overlay and the physical
network?
So we are looking at north-south traffic and not the traffic between logical networks.
The Edge is connected to the physical network for routing and connected to the Logical Router:
“The VMware NSX Edge services gateway provides services, such as NSX Edge routing, perimeter firewall, network address translation (NAT), Dynamic Host Configuration Protocol (DHCP), virtual private network (VPN), load balancing, and high availability.”
So answer C can be the only correct answer.
I reconsider answer D (it must be a DLR in bridge mode; the question/answers do not give the option).
It is not clear if the traffic is north/south; "physical security devices to filter virtual machine traffic hosted in the overlay network" is not by definition a firewall.
Task of bridge DLR:
“Reuse of existing physical network and security resources”
Yeah, I thought it might be C, but if you think about the statement in the question, "still using a pair of physical network security devices", that means the customer has what is called a Tier 1 design, which does not use an ESG to connect to the physical network, and yes, answer D will make sense.
Thanks Luscan for explaining
Since the question is so simple, the answer should be as simple: I think the correct answer is D, but in the real world you will usually use an ESG for N/S traffic. Remember that the DLR doesn't allow LB or NAT.
“filter virtual machine traffic hosted in the overlay network.”
The question does not state how the VM is connected to the physical world. In NSX the recommended method is to use the ESG for this connectivity. Bridging with the DLR is a corner case, and routing to physical directly via the DLR is not recommended due to design limitations.
Answer is C
Because the question specifies hardware security devices to filter VM traffic, you don't necessarily want an Edge Services Gateway to perform any additional translation of IP addresses or packets. This would introduce a lot of unneeded and unwanted overhead.
http://is.gd/RGaKYt – L2 Bridges – “You can create an L2 bridge between a logical switch and a VLAN, which enables you to migrate virtual workloads to physical devices with no impact on IP addresses”
“The DLR is unique because it enables each vSphere hypervisor host to perform L3 routing between virtual and physical subnets in the kernel at line rate. The DLR is configured and managed like one logical router chassis, where each hypervisor host is like a logical line card. Because of that the DLR works well as the “device” handling the East-West traffic in your virtual network. You know, the traffic between virtual machines, the traffic between virtual and physical machines, all of that backend traffic that makes your application work. We want this traffic to have low latency and high throughput, so it just makes sense to do this as close to the workload as possible, hence the DLR.”
Please correct me. I’m new.
Although there is nothing in the wording of the question ruling out C, there is also nothing in the question implying north/south bound traffic, so D seems to be the best answer between the two.
Absolutely, the answer is D. Here it is asking for the default gateway for the VM, and if the gateway is placed in the physical world, then only the logical router can connect both the VM and its default gateway over an L2 bridge.
Regarding the statement, it needs L2 bridging, which is a DLR feature. D is correct, I believe.