NSX-T Routing: Part I

from the Hydra High Council Nov 10th 2020

In this blog, we will continue talking about NSX-T features, but this time with a focus on routing. NSX-T routing can be a bit complex due to the different interrelated concepts and components involved. To begin, we will start by explaining the types of routers you will encounter.

Note: In recent versions of NSX-T, routers are often referred to as gateways. We will use both names interchangeably.

Logical Routers

Logical routing in NSX-T is accomplished with two types of routers: Tier-0 and Tier-1. The Tier-0 router is considered to act as a service provider router and the Tier-1 acts as a tenant router.

The Tier-0 gateway provides connectivity to external networks, using static routes or BGP. It can also run stateful services like NAT, VPN, and firewall. When both Tier-0 and Tier-1 routers are present, the Tier-0 is primarily in charge of handling the North-South traffic between the virtualized environment and the external physical network.

The Tier-1 gateway is optional based on your routing topology (we will come back to that in a bit). This router cannot connect directly to external networks. Instead, any traffic the Tier-1 gateway has that needs to be routed externally is sent to the Tier-0 router. Whereas the Tier-0 gateway is primarily concerned with North-South traffic, the Tier-1 gateway is optimized for East-West traffic. It can be configured with additional services like load balancing, NAT, VPN, and firewall.

So far, we know there are two types of logical routers in NSX-T. Now let's talk about topologies.

Routing Topologies

With NSX-T routing, there are two topologies available: Single Tier & 2-Tier.

The Single Tier topology does not involve any Tier-1 routers. You have one or more Tier-0 routers with uplinks to connect to external networks and downlinks to connect to segments for connectivity to workloads supporting your application.

Single Tier Routing Topology

The 2-Tier topology, as the name suggests, is composed of a tier of one or more Tier-0 routers and a tier of one or more Tier-1 routers. This is the recommended topology because it is much more scalable. Another big reason to go with a 2-Tier topology is that load balancers are only supported on Tier-1 routers, which are not included in the Single Tier topology.

2-Tier Routing Topology

Tier-1 routers connect to the Tier-0 router using the router link (a system-generated switch) and are configured to advertise the logical networks they are aware of to the Tier-0 router.

Both topologies require the Tier-0 router to be properly configured to route with the external networks.

Note: You don't need to be a service provider to go with the recommended 2-Tier routing topology.

Now to add some pepperoni to the pizza. Let's talk about logical router components.

Logical Router Components

Logical Routers have two components: DR and SR.

The DR component (Distributed Router) is always present for both logical routers (Tier-0 and Tier-1). It distributes the routing information. Because the routes are distributed, traffic between two VMs on the same host, one on subnet A and one on subnet B, no longer has to be forwarded to an external router and then routed right back to the same host. Having the routing information distributed means that each host already has what it needs to route from one VM to the other without any traffic needing to leave the host.

The SR component (Services Router) is used for services that cannot be distributed, such as external connectivity, VPN, NAT, load balancing, and North-South firewalling. The Tier-0 gateway always has the SR component because it is external facing, and these services support external connectivity. The SR for the Tier-1 gateway will be present only if stateful services like VPN, NAT, LB and firewall are enabled (remember, the Tier-1 gateway cannot connect to external networks directly).

Logical Routers Components

You might wonder, where are these components hosted? We will answer that now…

In the first post of this NSX-T series, we discussed how the NSX-T architecture comprises three planes: management, control, and data. The components of the logical routers (DR and SR) are hosted on transport nodes, which are part of the data plane.

To be more specific, the DR component is hosted on hypervisors and Edges. The SR component is only hosted on Edges.

DR and SR Span

NSX Edges

The NSX Edges on NSX-T are empty boxes that offer compute resources for the components of the logical routers. All services that cannot be distributed (external connectivity, VPN, NAT, LB, FW) require an Edge Cluster.

Let's take a look at the following diagram to get a better understanding of the role of the NSX Edge.

NSX Edge Hosting Tier-0 and Tier-1 Components

In the above example, there is a Tier-0 gateway with external connectivity and two Tier-1 gateways connected to it. Because external connectivity cannot be distributed (it cannot use the DR component), an Edge Cluster is required for the Tier-0 gateway to host its SR component. The DR component will always be present on the Edge for the Tier-0 gateways, providing distributed routing services.

The blue Tier-1 gateway does not have any stateful services configured, so the Edge will only be hosting the DR component (no SR is needed).

The red Tier-1 gateway has a stateful service configured: NAT. Therefore, an Edge Cluster is required to host the SR component it needs. The DR component will always be present on the Edge for the Tier-1 gateways to do distributed routing.
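The placement rules above, as an added example (not VMware code and not from the original post): a small Python model that derives where the DR and SR components of each gateway are hosted and flags topologies that break the rules stated in this post. The class, field, function and Edge Cluster names are hypothetical, and no NSX-T API is called.

```python
from dataclasses import dataclass, field
from typing import Optional

# Services this post lists as non-distributable: they need an SR on an Edge.
STATEFUL = {"nat", "vpn", "load_balancer", "firewall"}

@dataclass
class Gateway:                      # hypothetical model, not an NSX-T API object
    name: str
    tier: int                       # 0 = Tier-0, 1 = Tier-1
    services: set = field(default_factory=set)
    edge_cluster: Optional[str] = None

def needs_sr(gw):
    # Tier-0 always has an SR; Tier-1 only when a stateful service is enabled.
    return gw.tier == 0 or bool(gw.services & STATEFUL)

def placement(gw):
    """Where each component of the gateway is hosted."""
    span = {"DR": ["hypervisors", "edges"]}   # DR is always present
    if needs_sr(gw):
        span["SR"] = ["edges"]                # SR lives on Edges only
    return span

def validate(gateways):
    """Findings for topologies that break the rules stated in the post."""
    findings = []
    if not any(g.tier == 0 for g in gateways):
        findings.append("topology: no Tier-0, so no path to external networks")
    for g in gateways:
        if g.tier == 0 and "load_balancer" in g.services:
            findings.append(f"{g.name}: load balancer is only supported on Tier-1")
        if needs_sr(g) and g.edge_cluster is None:
            findings.append(f"{g.name}: needs an SR but has no Edge Cluster")
    return findings

# Constructed sample: the diagram's Tier-0, blue Tier-1 and red Tier-1 (NAT).
DIAGRAM = [
    Gateway("t0", 0, edge_cluster="edge-cluster-1"),
    Gateway("t1-blue", 1),
    Gateway("t1-red", 1, {"nat"}, "edge-cluster-1"),
]
# Constructed misconfiguration: LB on Tier-0, NAT on a Tier-1 with no Edge Cluster.
BROKEN = [
    Gateway("t0", 0, {"load_balancer"}, "edge-cluster-1"),
    Gateway("t1-red", 1, {"nat"}),
]
if __name__ == "__main__":
    print([placement(g) for g in DIAGRAM], validate(BROKEN))
```

The SR entries in the output also show which gateways send stateful traffic (NAT, VPN, firewall) through an Edge rather than handling it on the hypervisor.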


NSX-T routing performs the function of physical routers, but in software and with much less overhead, which greatly increases both speed and agility while overcoming traditional routing challenges like hairpinning.

In this blog, we've only covered the fundamentals of NSX-T Routing. Because of the complexity of the topic, be sure to come back for Part 2, where we will discuss Active/Active and Active/Standby modes as well as fun with BGP… stay tuned!!