NSX-T T1 Router Routing Precedence: Directly Connected Networks Always Override More Specific Routes within the Same T1
Article ID: 407838
Products
VMware NSX
Issue/Introduction
This article explains the routing behavior of NSX-T T1 Logical Routers concerning directly connected network segments. It clarifies why a T1 router will prioritize directly connected network routes over more specific static or dynamic routes for destinations within those connected networks, even when an administrator attempts to force traffic out of the T1.
When two NSX segments (10.0.12.0/24 and 10.0.97.0/27) are connected to the same T1 Logical Router, attempts to add a more specific route for a host within one segment (e.g., 10.0.12.11) to force its traffic out through an external firewall (north-south) when originating from the other segment (10.0.97.0/27) fail. The traffic instead remains internal to the T1 router and never leaves for external inspection.
Environment
VMware NSX-T Data Center
VMware NSX
Resolution
This behavior is by design and follows standard routing principles; NSX-T is no exception. When traffic on a T1 Logical Router is destined for an IP address within a network that is directly connected to that same T1, the T1 bypasses its routing table lookup and delivers the traffic directly.
Here's why:
Direct Connectivity has Highest Priority: In routing systems generally, a directly connected network has the lowest administrative distance, that is, the highest priority. The router intrinsically knows that it is directly attached to this segment and can deliver traffic to hosts within it without any intermediate hop.
No Need for Routing Table Lookup: If the T1 sees a destination IP (e.g., 10.0.12.11) that falls within one of its directly connected segments (e.g., 10.0.12.0/24), it doesn't need to consult its routing table for a path. It already knows the most efficient path is directly out of the interface connected to that segment.
Hairpinning Prevention (Internal Traffic): This design prevents unnecessary "hairpinning" of internal network traffic through external devices. If traffic from 10.0.97.0/27 on the T1 is destined for 10.0.12.11 on the same T1, the T1 will directly route it between the internal interfaces. It will not send the traffic "north" to a firewall only for it to potentially come back "south" to the same T1 for delivery to the other directly connected segment.
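The following is an added example, not code from the article or from VMware: a small Python model of the precedence rule described above, with a helper that flags static routes on a T1 that fall inside one of its own connected segments and therefore never steer inter-segment traffic north. The topology reuses the article's example addresses; the next-hop label is an assumed placeholder.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class T1Router:
    """Minimal model of a T1: connected segments plus static routes."""
    name: str
    connected: list = field(default_factory=list)   # IPv4Network objects
    static: dict = field(default_factory=dict)      # IPv4Network -> next-hop label

    def lookup(self, dst):
        """Resolve a destination the way the article describes: a directly
        connected segment wins regardless of prefix length; only otherwise
        does longest-prefix match over the static routes apply."""
        dst = ipaddress.ip_address(dst)
        for seg in self.connected:
            if dst in seg:
                return ("connected", str(seg))
        matches = [net for net in self.static if dst in net]
        if not matches:
            return ("none", None)
        best = max(matches, key=lambda n: n.prefixlen)
        return ("static", self.static[best])

    def shadowed_static_routes(self):
        """Static routes whose destination lies inside a connected segment;
        they never take effect for traffic between this T1's own segments."""
        return [(str(net), str(seg))
                for net in self.static
                for seg in self.connected
                if net.subnet_of(seg)]

# Constructed topology using the article's example addresses; the next-hop
# label is an assumed placeholder, not an NSX identifier.
t1 = T1Router(
    name="t1-example",
    connected=[ipaddress.ip_network("10.0.12.0/24"),
               ipaddress.ip_network("10.0.97.0/27")],
    static={ipaddress.ip_network("10.0.12.11/32"): "uplink-to-external-firewall",
            ipaddress.ip_network("0.0.0.0/0"): "uplink-to-external-firewall"},
)

if __name__ == "__main__":
    print(t1.lookup("10.0.12.11"))       # ('connected', '10.0.12.0/24')
    print(t1.lookup("203.0.113.5"))      # ('static', 'uplink-to-external-firewall')
    print(t1.shadowed_static_routes())   # [('10.0.12.11/32', '10.0.12.0/24')]
```

Running `shadowed_static_routes()` before applying a change is a quick way to catch a /32 that will silently stay east-west on the T1 instead of reaching the external firewall.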