Setup NSX L2VPN on Standalone Edge

With NSX L2VPN you can extend a VLAN or VXLAN across data centers. A site without NSX can take part as well by deploying the standalone edge. In this blog I will show how to set up an NSX L2VPN between a standalone edge and an NSX edge.

Topology: (diagram)

As shown above, we have one NSX edge acting as L2VPN server and one standalone edge in the remote DC, which is a non-NSX environment. Our target is to stretch two VXLAN-backed networks (172.16.136.0/24 and 172.16.137.0/24) to two VLAN-backed networks (VLAN100 and VLAN200) in the remote DC via L2VPN. We will use four virtual machines to test communication across the L2VPN.

2 virtual machines in the NSX environment:

test1000: 172.16.136.100, gw 172.16.136.1, connected to VXLAN10032;

test1002: 172.16.137.100, gw 172.16.137.1, connected to VXLAN10033;

2 virtual machines in the non-NSX environment:

test1001: 172.16.136.101, gw 172.16.136.1, connected to a dVS port-group with access VLAN 100;

test1003: 172.16.137.101, gw 172.16.137.1, connected to a dVS port-group with access VLAN 200;

Step 1: Configure NSX Edge as L2VPN Server

  • Create two sub-interfaces (sub100: 172.16.136.1/24 and sub200: 172.16.137.1/24), each backed by one of the two VXLANs, under the trunk port.

Two VXLAN sub-interfaces; please note that the 1st sub-interface is mapped to vNic10 and the 2nd sub-interface to vNic11.

Sub-interface sub100: tunnel Id 100 / 172.16.136.1 (VXLAN 10032)

Sub-interface sub200: tunnel Id 200 / 172.16.137.1 (VXLAN 10033)

  • L2VPN Server settings as below:
    • Listener IP: 172.16.133.1
    • Listener Port: 443
    • Encryption Algorithm (TLS cipher suite): AES128-GCM-SHA256
    • Site Configuration:
      • name: remote
      • User Id/Password: admin/credential
      • Stretched Interfaces: sub100 and sub200

The listener is reachable from the remote site, and the site user ID/password is what authenticates the standalone edge to it, so choose a strong, unique password rather than a placeholder like the one used here; the cipher suite set here has to be exactly what the standalone edge is configured with in Step 2.

Step 2: Deploy and Setup L2VPN virtual appliance

Use the standard process for deploying a virtual appliance.

  • Start the deploy OVF template wizard

  • Select the standalone Edge OVF file downloaded from vmware.com

  • Accept extra configuration options

  • Select name and folder

  • Select storage

  • Setup Networks: here we use one dVS port-group for the standalone edge trunk interface. More details on the settings of this port-group follow in Step 3.

  • Customize template. The L2VPN client is configured here as well.

The configuration includes multiple parts:

Part 1: standalone edge admin credentials.

Part 2: standalone edge network settings.

Part 3: L2VPN settings, which must exactly match the L2VPN server configuration from Step 1, including the cipher suite, the L2VPN server address and service port, and the L2VPN user ID/password used for authentication.

Part 4: L2VPN sub-interfaces.

Part 5: other settings, e.g. a proxy if your standalone edge needs one to reach the L2VPN server.

  • Accept all settings and submit the standalone edge deployment.

Once the standalone edge deployment has completed and the appliance is powered on, you should see the L2VPN tunnel up on either end, on the NSX edge L2VPN server or on the standalone edge, via the CLI command “show service l2vpn”.

On NSX edge L2VPN server: (screenshot of the L2VPN status showing the tunnel up)

On standalone edge: (screenshot of the L2VPN client status from “show service l2vpn”)

Step 3: Verification of communication

I simply use ping to verify communication. My initial test failed: even though the L2VPN tunnel is up, the port group DPortGroup_ClientTrunk still has to be configured to support L2VPN. You don’t need to do the same on the NSX edge side, because that is done automatically when you configure L2VPN on it.

  • VLAN trunking with VLAN100 and VLAN200 on DPortGroup_ClientTrunk (screenshots of the port-group settings)
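The port-group change above is the one thing the wizard does not do for you, so here is the same configuration done with PowerCLI, as an added example that is not part of the original post. The vCenter name, the dvSwitch name and the parameter names of the script are placeholders; the port-group name DPortGroup_ClientTrunk and VLANs 100 and 200 are the ones from this post. The script trunks only the two stretched VLANs, relaxes the port-group security policy as VMware's standalone edge guidance requires (the standalone edge bridges frames for MAC addresses that are not its own, which the default policy drops; the post's screenshots do not show this setting), and then reads the settings back so you can confirm them before retrying the ping test.

```powershell
# Added example (not from the original post): configure the standalone edge's
# trunk distributed port group for L2VPN with PowerCLI and verify the result.
# Placeholders: $VIServer, $VDSwitch. From the post: DPortGroup_ClientTrunk, VLANs 100/200.
param(
    [string]$VIServer   = 'vcsa.remote.example',    # placeholder vCenter of the remote DC
    [string]$VDSwitch   = 'dvSwitch-Remote',        # placeholder dvSwitch name
    [string]$PortGroup  = 'DPortGroup_ClientTrunk', # trunk port group named in the post
    [int[]] $TrunkVlans = @(100, 200)               # VLANs stretched over the L2VPN
)

Connect-VIServer -Server $VIServer | Out-Null

$vds = Get-VDSwitch -Name $VDSwitch
$pg  = Get-VDPortgroup -VDSwitch $vds -Name $PortGroup -ErrorAction SilentlyContinue
if (-not $pg) {
    # Create the port group if it does not exist yet; the standalone edge's
    # trunk vNIC (the "Setup Networks" step of the OVF wizard) attaches here.
    $pg = New-VDPortgroup -VDSwitch $vds -Name $PortGroup
}

# 1. VLAN trunking: carry only the stretched VLANs, not the default 0-4094,
#    so the edge cannot be used to reach VLANs that were never meant to be stretched.
$range = ($TrunkVlans | ForEach-Object { "$_" }) -join ','
$pg | Set-VDVlanConfiguration -VlanTrunkRange $range | Out-Null

# 2. Security policy: the edge forwards frames with the stretched VMs' source MACs
#    and must receive frames not addressed to its own MAC, so Promiscuous Mode,
#    Forged Transmits and MAC Changes have to be Accept on this port group
#    (per VMware's standalone edge guidance; not visible in the post's screenshots).
$pg | Get-VDSecurityPolicy |
    Set-VDSecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true -MacChanges $true |
    Out-Null

# 3. Read the settings back before retrying the ping test.
$pg  = Get-VDPortgroup -VDSwitch $vds -Name $PortGroup
$sec = $pg | Get-VDSecurityPolicy
[pscustomobject]@{
    PortGroup        = $pg.Name
    VlanType         = $pg.VlanConfiguration.VlanType       # expect "Trunk"
    VlanRanges       = ($pg.VlanConfiguration.Ranges -join ',')
    AllowPromiscuous = $sec.AllowPromiscuous                # expect True
    ForgedTransmits  = $sec.ForgedTransmits                 # expect True
    MacChanges       = $sec.MacChanges                      # expect True
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Because promiscuous mode lets every port in this port group see all traffic on the trunked VLANs, keep DPortGroup_ClientTrunk dedicated to the standalone edge's trunk vNIC and do not place any other VM in it; the test VMs belong in their own access port groups for VLAN 100 and VLAN 200, as in the topology above.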

After completing the above configuration, you will be able to ping between all the test virtual machines:

  • test1001 to test1000 (communication within 172.16.136.0/24 via L2VPN)

  • test1003 to test1002 (communication within 172.16.137.0/24 via L2VPN)

  • test1001 to test1003 (communication between 172.16.136.0/24 and 172.16.137.0/24; both VMs use the NSX edge sub-interfaces as their gateway, so this traffic crosses the L2VPN to the NSX edge, is routed there, and crosses the L2VPN back)

You can check the MAC address to L2VPN mapping via the CLI command “show service l2vpn bridge”.

You may have noticed an interface called na1 in that output. It is the tunnel interface created on the NSX edge for L2VPN; you can find more details with “show interface na1”.

On the standalone edge L2VPN client end, you will find two new vNICs (vNic_110 and vNic_210) for VLAN 100 and VLAN 200, created in the same way as vNic10 and vNic11 on the NSX edge L2VPN server end.

In addition, you will find an L2VPN tunnel interface tap0 on the standalone edge.
