With NSX L2VPN, you can extend your VLAN/VXLAN across multiple data centers. Even in a non-NSX environment, you can achieve this by using a standalone edge. In this blog, I will show you how to set up NSX L2VPN between a standalone edge and an NSX edge.
As shown above, we have one NSX edge acting as the L2VPN server and one standalone edge residing in the remote DC, which is a non-NSX environment. Our target is to stretch two VXLAN-backed networks (172.16.136.0/24 and 172.16.137.0/24) to two VLAN-backed networks (VLAN100 and VLAN200) in the remote DC via L2VPN. In addition, we will use 4 virtual machines to test the L2VPN communication.
2 virtual machines in the NSX environment:
- test1000: 10.172.136.100, gw 172.16.136.1, connected to VXLAN10032
- test1002: 10.172.137.100, gw 172.16.137.1, connected to VXLAN10033
2 virtual machines in the non-NSX environment:
- test1001: 10.172.136.101, gw 172.16.136.1, connected to a dVS port-group with access VLAN 100
- test1003: 10.172.137.101, gw 172.16.137.1, connected to a dVS port-group with access VLAN 200
Step 1: Configure NSX Edge as L2VPN Server
- Create 2 sub-interfaces (sub100: 172.16.136.1/24 and sub200: 172.16.137.1) backed by the two VXLANs under the trunk port
Two VXLAN sub-interfaces; note that the 1st sub-interface is mapped to vNic10 and the 2nd sub-interface is mapped to vNic11.
Sub-interface sub100: tunnel Id 100/172.16.136.1 (VXLAN 10032)
Sub-interface sub200: tunnel Id 200/172.16.137.1 (VXLAN 10033)
- L2VPN Server settings as below:
- Listener IP: 172.16.133.1
- Listener Port: 443
- Encryption Algorithm: AES128-GCM-SHA256
- Site Configuration:
- name: remote
- User Id/Password: admin/credential
- Stretched Interfaces: sub100 and sub200
Step 2: Deploy and Setup L2VPN virtual appliance
Use the standard process for deploying a virtual appliance.
- Start the Deploy OVF Template wizard
- Select the standalone Edge OVF file downloaded from vmware.com
- Accept extra configuration options
- Select name and folder
- Select storage
- Setup Networks: here we use one dVS port-group for the standalone edge trunk interface. We will provide more details on the settings of this port-group later
- Customize template. We configure the L2VPN client here as well.
The configuration includes multiple parts:
Part 1: standalone edge admin credentials
Part 2: standalone edge network settings
Part 3: L2VPN settings, which must exactly match the L2VPN server configuration from Step 1, including cipher suite, L2VPN server address/service port and L2VPN username/password for authentication
Part 4: L2VPN sub-interfaces
Part 5: other settings, e.g. a proxy if your standalone edge needs one to establish connectivity to the L2VPN server
- Accept all settings and submit to deploy the standalone edge.
Once the standalone edge deployment is completed and the appliance is powered on, you should see that the L2VPN tunnel is up on either the NSX edge L2VPN server or the standalone edge via the CLI (show service l2vpn).
On NSX edge L2VPN server:
On standalone edge:
Step 3: Verification of communication
I simply use PING to verify the communication. My initial test failed. Yes, you still need to configure the port group DPortGroup_ClientTrunk to support L2VPN even though the L2VPN tunnel is up. You don't need to do the same for the NSX edge, as it is done automatically for you when you configure L2VPN on it.
- VLAN trunking with VLAN100 and VLAN200
- Security: enable promiscuous mode and accept Forged Transmits. Please note that VMware recommends using a sink port rather than promiscuous mode. I use promiscuous mode here for simplicity. You can refer to this link for how to configure a sink port: https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.3/com.vmware.nsx.admin.doc/GUID-3CDA4346-E692-4592-8796-ACBEEC87C161.html
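Because the tunnel can come up while the client trunk port-group is still wrong (the failure in my first test), a small pre-flight check that compares the Step 2 "Customize template" values with the Step 1 server settings and the port-group requirements above is useful. This is an added example, not part of the original post or any VMware tooling; the dataclass field names and the sample client object are my own construction.

```python
# Pre-flight consistency check for a standalone edge L2VPN client (added example).
# Field names are assumptions for this illustration, not NSX API names.
from dataclasses import dataclass

@dataclass
class L2vpnServer:
    listener_ip: str
    listener_port: int
    cipher: str
    user: str
    password: str
    tunnel_ids: set          # tunnel IDs of the stretched sub-interfaces

@dataclass
class StandaloneClient:
    server_ip: str
    server_port: int
    cipher: str
    user: str
    password: str
    sub_interfaces: dict     # client VLAN -> tunnel ID
    trunk_vlans: set         # VLANs trunked on the client trunk port-group
    promiscuous: bool
    forged_transmits: bool
    sink_port: bool

def preflight(server: L2vpnServer, client: StandaloneClient):
    """Return (errors, warnings): errors block the tunnel or traffic, warnings are advisory."""
    errors, warnings = [], []
    if (client.server_ip, client.server_port) != (server.listener_ip, server.listener_port):
        errors.append("server address/port does not match listener")
    if client.cipher != server.cipher:
        errors.append("cipher suite does not match server")
    if (client.user, client.password) != (server.user, server.password):
        errors.append("L2VPN user/password does not match server site")
    if set(client.sub_interfaces.values()) != server.tunnel_ids:
        errors.append("tunnel IDs on client sub-interfaces do not match stretched interfaces")
    missing = set(client.sub_interfaces) - client.trunk_vlans   # VLANs the port-group must trunk
    if missing:
        errors.append(f"trunk port-group does not trunk VLAN(s) {sorted(missing)}")
    if not client.forged_transmits:
        errors.append("trunk port-group must accept Forged Transmits")
    if not (client.promiscuous or client.sink_port):
        errors.append("trunk port-group needs promiscuous mode or a sink port")
    elif client.promiscuous and not client.sink_port:
        warnings.append("promiscuous mode in use; a sink port is the recommended setting")
    return errors, warnings

# Constructed sample: the Step 1 server and a client whose trunk port-group is not yet configured.
SERVER = L2vpnServer("172.16.133.1", 443, "AES128-GCM-SHA256", "admin", "credential", {100, 200})
CLIENT = StandaloneClient("172.16.133.1", 443, "AES128-GCM-SHA256", "admin", "credential",
                          {100: 100, 200: 200}, trunk_vlans=set(), promiscuous=False,
                          forged_transmits=False, sink_port=False)
```

Running `preflight(SERVER, CLIENT)` reports the three port-group problems even though every L2VPN parameter matches, which is exactly the state where the tunnel shows up but the pings fail.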
After completing the above configuration, you will be able to ping between all the testing virtual machines:
- test1001 to test1000 (communication within 172.16.136.0/24 via L2VPN)
- test1003 to test1002 (communication for 172.16.137.0/24 via L2VPN)
- test1001 to test1003 (communication between 172.16.136.0/24 and 172.16.137.0/24 via L2VPN)
You can check the MAC address to L2VPN mapping via the CLI command "show service l2vpn bridge".
You may have noticed an interface called na1 in the above output; it is the tunnel interface created on the NSX edge for L2VPN. You can find more details via "show interface na1".
On the standalone edge L2VPN client end, you will find that 2 new vNics (vNic_110 and vNic_210) for VLAN 100 and 200 are created as well, like vNic10 and vNic11 on the NSX Edge L2VPN server end.
In addition, you can find an L2VPN tunnel interface tap0 on the standalone edge.