VMs on an NSX-T Overlay Segment experience connectivity issues with devices connected to a Physical VLAN and/or External Subnet
Article ID: 415433

Products

VMware vCenter Server

Issue/Introduction

In NSX-T environments, virtual machines connected to an overlay segment may be unable to reach certain destinations in the physical network.

Typical symptoms include:

  • Overlay workloads unable to reach specific physical networks or external destinations.

  • ARP requests timing out within the NSX-T overlay.

  • Traceflow or packet captures showing traffic egressing toward the Tier-1 DR kernel module and then being dropped.

  • No valid route resolution for the destination subnet.

Environment

VMware NSX

Cause

Upon investigation, it is discovered that the IP subnet assigned to the NSX-T overlay segment overlaps with a subnet that already exists in the physical network.
Although the overlay and physical networks are separate domains, this overlap results in routing ambiguity and dropped traffic at the logical router boundary.

When an overlay segment in NSX-T uses a subnet that overlaps with a physical network subnet already advertised to or learned by the Tier-0/Tier-1 Gateway:

  • The Tier-0 logical router receives two conflicting routes for the same network — one learned from the overlay segment and one from the physical uplink (BGP or static).

  • Because NSX-T’s control plane prioritizes the connected route (the one locally attached to the Tier-1 or Tier-0), packets destined for that subnet are routed internally to the overlay rather than forwarded to the physical network.

  • As a result, packets from overlay workloads destined for the physical subnet are dropped or blackholed, since the logical router believes the destination exists locally.

This is not a bug — it’s a result of route overlap and precedence rules in NSX-T.
In short, the logical router’s connected route to the overlapping overlay subnet takes priority over any external route for the same network, causing egress traffic to fail.
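To make the precedence rule above concrete, here is a small Python model of the logical router's route selection. It is an added example, not part of this KB and not NSX-T code: the administrative-distance values, the route entries, the `overlay-segment` / `physical-uplink` next-hop names and the single overlay host 10.10.10.10 are all constructed assumptions. It shows why the connected overlay route wins for 10.10.10.0/24, why AS-path prepending on the uplink cannot change that (AS-path length is the last tie-breaker), and why a packet for a physical host in the overlapping range ends up as an unanswered ARP on the overlay instead of being forwarded.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Preference order used by this model. The numbers are an assumption of the
# example, not NSX-T's internal values; what matters is that "connected" is
# always preferred over any learned route covering the same prefix length.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "bgp": 20}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str            # "connected", "static" or "bgp"
    next_hop: str          # where matching packets are sent
    as_path_len: int = 0   # BGP only; AS-path prepending makes this larger


def select_route(table: Iterable[Route], dst: str) -> Optional[Route]:
    """Pick the route the logical router uses for dst.

    Longest prefix wins first, then lowest administrative distance, then the
    shortest AS path. AS-path length is the last key, so prepending on the
    uplink can never displace a connected route covering the same prefix.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, ADMIN_DISTANCE[r.source], r.as_path_len))


def forward(table: Iterable[Route], overlay_hosts: set, dst: str) -> str:
    """Describe the fate of a packet for dst.

    overlay_hosts is the set of addresses that actually answer ARP on the
    overlay segment. When the chosen route is the connected overlay route but
    dst is not on the segment, ARP goes unanswered and the packet is dropped,
    which is the symptom described in the KB.
    """
    route = select_route(table, dst)
    if route is None:
        return "dropped: no route"
    if route.source == "connected":
        if dst in overlay_hosts:
            return f"delivered locally on {route.next_hop}"
        return f"dropped: ARP for {dst} unanswered on {route.next_hop}"
    return f"forwarded via {route.next_hop} ({route.source})"


def conflicting_table(uplink_as_path_len: int = 1) -> List[Route]:
    """Constructed: the overlay segment reuses the physical 10.10.10.0/24 and
    the same prefix is also learned over BGP from the physical uplink."""
    return [
        Route(ipaddress.ip_network("10.10.10.0/24"), "connected", "overlay-segment"),
        Route(ipaddress.ip_network("10.10.10.0/24"), "bgp", "physical-uplink", uplink_as_path_len),
        Route(ipaddress.ip_network("0.0.0.0/0"), "bgp", "physical-uplink", 1),
    ]


def fixed_table() -> List[Route]:
    """Constructed: Option 1 applied, overlay renumbered to 10.10.20.0/24."""
    return [
        Route(ipaddress.ip_network("10.10.20.0/24"), "connected", "overlay-segment"),
        Route(ipaddress.ip_network("10.10.10.0/24"), "bgp", "physical-uplink", 1),
        Route(ipaddress.ip_network("0.0.0.0/0"), "bgp", "physical-uplink", 1),
    ]


if __name__ == "__main__":
    physical_host = "10.10.10.50"   # constructed: a server on the physical VLAN
    print(forward(conflicting_table(), {"10.10.10.10"}, physical_host))
    print(forward(conflicting_table(), {"10.10.10.10"}, "10.10.10.10"))
    print(forward(fixed_table(), {"10.10.20.10"}, physical_host))
```

Running it prints the drop for the physical host under the conflicting table, local delivery for the overlay VM, and forwarding via the uplink once the overlay is renumbered. Passing a shorter `uplink_as_path_len` (the opposite of prepending) still leaves the connected route selected, which is the point of the "Additional Information" notes.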

Resolution

To restore connectivity, eliminate overlapping subnets between NSX-T overlay segments and the physical network.

Option 1 — Assign a Unique Subnet to the Overlay Segment

  • Redesign the overlay segment with a subnet that does not exist anywhere in the physical environment.

  • Example:

    • Physical network: 10.10.10.0/24

    • Overlay segment: use a different subnet such as 10.10.20.0/24

This is the most reliable and recommended solution.

Option 2 — Use NAT for Isolation

If changing the subnet is not possible (e.g., due to application or legacy design constraints):

  1. Configure SNAT or DNAT on the Tier-1 or Tier-0 Gateway so that overlay workloads appear to the physical network as coming from a different, non-overlapping range.

  2. Example:

    • Overlay VM: 10.10.10.10

    • SNAT to 172.16.10.10 when egressing to the physical world.

This prevents the routing conflict while maintaining logical isolation.

Option 3 — Use Separate Routing Instances

  • Create a dedicated Tier-1 Gateway for the overlapping overlay network.

  • Connect it to a VRF or a separate Tier-0 instance so the conflicting routes do not exist in the same routing table.

  • This is common in multi-tenant or brownfield environments where address overlap is temporarily unavoidable.
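All three options come down to one design-time check: no overlay segment may share address space with a physical prefix inside the same routing instance. The Python audit below is an added example, not from this KB or from VMware; the segment and prefix inventory, the `instance` tag (standing in for the Tier-0 or VRF a segment reaches the physical network through) and the address pool are constructed. It goes slightly beyond the KB's exact-duplicate case: it also flags a segment nested inside a physical supernet, treats a segment that reuses a physical prefix in its own routing instance (Option 3) as clean, and proposes the first free block in a pool for Option 1.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed inventory (not from the KB). Each overlay segment carries the
# routing instance it attaches to; each physical prefix carries the instance it
# is advertised into. Overlap only matters inside a single instance.
OVERLAY_SEGMENTS = [
    {"name": "app-seg",    "cidr": "10.10.10.0/24", "instance": "default"},
    {"name": "web-seg",    "cidr": "10.10.20.0/24", "instance": "default"},
    {"name": "mgmt-seg",   "cidr": "172.16.5.0/24", "instance": "default"},
    {"name": "legacy-seg", "cidr": "10.10.10.0/24", "instance": "tenant-b"},
]
PHYSICAL_PREFIXES = [
    {"cidr": "10.10.10.0/24",  "instance": "default",  "origin": "bgp"},
    {"cidr": "10.10.0.0/22",   "instance": "default",  "origin": "static"},
    {"cidr": "172.16.0.0/12",  "instance": "default",  "origin": "static"},
    {"cidr": "192.168.0.0/16", "instance": "tenant-b", "origin": "bgp"},
]

Finding = Tuple[str, str, str, str]  # segment name, physical prefix, instance, relation


def relation(seg_cidr: str, phys_cidr: str) -> Optional[str]:
    """Classify how two CIDR blocks overlap. Two CIDRs either nest or are
    disjoint, so three cases cover every overlap."""
    seg = ipaddress.ip_network(seg_cidr)
    phys = ipaddress.ip_network(phys_cidr)
    if not seg.overlaps(phys):
        return None
    if seg == phys:
        return "identical"
    if seg.subnet_of(phys):
        return "segment within physical"
    return "physical within segment"


def audit(segments: Iterable[dict], physical: Iterable[dict]) -> List[Finding]:
    """Report every overlay segment whose subnet collides with a physical
    prefix advertised into the same routing instance. A segment that reuses a
    physical prefix but lives in its own VRF or Tier-0 (Option 3) is not flagged."""
    findings: List[Finding] = []
    for seg in segments:
        for phys in physical:
            if phys["instance"] != seg["instance"]:
                continue
            rel = relation(seg["cidr"], phys["cidr"])
            if rel:
                findings.append((seg["name"], phys["cidr"], seg["instance"], rel))
    return findings


def first_free_subnet(pool: str, new_prefix: int, segments: Iterable[dict],
                      physical: Iterable[dict], instance: str) -> Optional[str]:
    """Option 1 helper: the first /new_prefix block inside pool that overlaps
    nothing already in use (overlay or physical) in the given routing instance."""
    taken = [ipaddress.ip_network(s["cidr"]) for s in segments if s["instance"] == instance]
    taken += [ipaddress.ip_network(p["cidr"]) for p in physical if p["instance"] == instance]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    return None


if __name__ == "__main__":
    for name, prefix, inst, rel in audit(OVERLAY_SEGMENTS, PHYSICAL_PREFIXES):
        print(f"[{inst}] {name} overlaps physical {prefix}: {rel}")
    print("free /24 in default:", first_free_subnet("10.10.0.0/16", 24,
                                                    OVERLAY_SEGMENTS, PHYSICAL_PREFIXES, "default"))
```

With the constructed inventory the audit flags `app-seg` (identical to the BGP-learned 10.10.10.0/24) and `mgmt-seg` (nested inside the static 172.16.0.0/12) but not `legacy-seg`, because it sits in the `tenant-b` instance whose table carries no 10.10.10.0/24 from the physical side. The pool search skips 10.10.0.0/24 through 10.10.3.0/24, which the static 10.10.0.0/22 covers, and proposes 10.10.4.0/24.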

Additional Information

  • NSX-T enforces connected route preference; any subnet directly connected to a Tier-0 or Tier-1 logical router will override learned routes for the same prefix.

  • Route filtering or prepending in BGP cannot override the connected route precedence.

  • Overlapping subnets between logical and physical domains are unsupported and should be avoided in production designs.

  • Refer to the VMware NSX Administration Guide for validated subnetting and routing practices.