In my previous post, NSX Layer 2 VPN: Migrating workloads between Datacentres, I described the process and theory behind using an NSX Layer 2 VPN (L2VPN) to migrate workloads from a soon-to-be-retired VLAN backed datacentre, to an NSX Managed logical switch backed datacentre. In this post I will take you through the deployment of the L2VPN in my lab environment, following these high-level steps:

  • Prepare the NSX Managed Site
  • Deploy the Layer 2 VPN Server
  • Prepare the Standalone Site
  • Deploy the Layer 2 VPN Client
  • Validate the Layer 2 VPN connectivity

Current lab environment

The Lab environment I am using currently reflects the diagram below, with two VMs deployed onto VLAN 20 within my “remote” site (my remote site is actually just a separate cluster from my “NSX Managed Site”, which is my workload cluster). In my NSX Managed site I have a Provider Logical Router (PLR) and Distributed Logical Router (DLR) configured.

Current lab layout

Configure the NSX Managed Site

To prepare the NSX Managed Site the L2VPN-Server needs to be connected to a “trunk” interface, which allows multiple VLAN or Logical Switches to be configured as sub-interfaces, rather than having an interface in each VLAN/Logical Switch.

The below Port Group is configured to allow any VLAN to pass (0-4094), but you can add just the VLANs that you wish to bridge (for example, if I am bridging VLAN 20 I could enter “20”).

VLAN trunk port group configuration

We also need to enable Forged Transmits on the trunk port group to allow the edge to relay L2VPN traffic through the interface.

Configure the port group to accept Forged Transmits

Note: For the L2VPN-Server in the NSX Managed Site the NSX Manager will configure the trunk port group interface as a sink port, so it is not necessary to configure Promiscuous mode. Additional configuration is required for the NSX Standalone Edge deployment in the Standalone Site, which I’ll cover later.

I also need to create (or identify an existing) Logical Switch that will be extended by the L2VPN – I’ve created a new Logical Switch that has a VXLAN Network Identifier (VNI) of 5005. It’s not connected to an Edge or Distributed Logical Router, and has no VMs attached.

A new Logical Switch with VNI 5005

Now that the pre-requisites are configured we can deploy the NSX Edge for the Layer 2 VPN Server (L2VPN-Server).

Deploy the NSX Edge

  • Install Type: Edge Services Gateway
  • Name: “L2VPN-Server”
  • Ensure “Deploy NSX Edge” and “Enable High Availability” are configured

Deploy NSX Edge – Name and description

  • User Name: admin
  • Enter a complex password and confirm
  • Enable SSH to allow SSH access to the Edge when deployed for troubleshooting and verification

Deploy NSX Edge – Settings

  • Select the Datacentre to deploy to
  • Appliance Size: For production I would go with a minimum of Large, but as this is a lab environment I will use Compact
  • Configure the appliance deployment resource, datastore, and folder

Deploy NSX Edge – Configure deployment

  • Configure only the Uplink interface, connected to the uplink network (you cannot configure a trunk interface here).

Deploy NSX Edge – Configure interfaces

  • Configure the Default Gateway

Deploy NSX Edge – Default gateway settings

  • Configure the default firewall policy to Accept
  • Leave the HA parameters as default to auto-assign an automatic private (APIPA) IP address

Deploy NSX Edge – Firewall and HA

Finally, complete the deployment wizard. When the deployment completes, the NSX Manager will have deployed two NSX Edges in Active/Standby mode.

Deployed L2 VPN Server

Deployed NSX Edge

Configuring the Edge Interfaces

The first task in configuring the L2VPN Server is to add the trunk interface. Using the Networking & Security > NSX Edges page, double click to edit the L2VPN-Server Edge. Select Manage > Settings > Interfaces, then select an unconfigured vNIC.

Selecting an Edge interface to use for the trunk

  • Name – “L2VPN-Trunk” or something meaningful
  • Type – “Trunk”
  • Connected To – select the Port Group that is configured as a VLAN trunk earlier
  • Click + to add a Sub Interface
    • Name – “L2VPN-VLAN20” is the name of the Logical Switch I want to extend
    • Tunnel Id – enter a tunnel ID (I’ve used 1), this is used to match the VLAN on the Standalone Site with the Logical Switch on the NSX Managed Site
    • Backing Type – Network
    • Network – select the Logical Switch to be extended “L2VPN-VLAN20”
    • Configure Subnets
      • Primary IP – assign the free IP from VLAN 20’s subnet
    • Click OK

Configure the trunk sub-interface

Configure the Layer 2 VPN Server

Next, configure the L2 VPN server under the Manage > VPN > L2 VPN tab. Click Change to modify the global configuration.

  • Listener IP – the IP address that will communicate with the L2VPN-Client
  • Listener Port – the port over which communication will happen
  • Encryption Algorithm – select the desired algorithm
  • Certificate Details
    • Check the Use System Generated Certificate – for self-signed, or
    • Select the CA Signed certificate

Configure the L2 VPN Server

Click on the plus icon to add a Site Configuration for the Standalone Site.

  • Name – enter a meaningful name
  • User Id – create a username for the L2VPN
  • Password – generate a random, long and complex password for the L2VPN
  • Stretched Interfaces
    • Select the sub-interface configured on the Trunk port
  • Leave the remaining settings

Add a peer site configuration

Enable the L2VPN Service by clicking Start.

Start the L2VPN Service

Publish the changes to enable the configuration.

Publish the configuration changes

The L2VPN Server side is now configured and waiting for connections from the L2VPN Client.

Network state, with the L2VPN Server deployed

Configure the Standalone Site

As with the NSX Managed Site, a trunk port group configured to allow the bridged VLAN IDs is required to connect the standalone L2VPN-Client Edge, and Forged Transmits must be enabled to allow the Edge to relay L2VPN traffic through the interface.

The port group on the Standalone Site must either be configured for Promiscuous mode, or the port that the L2VPN-Client connects to must be configured as a Sink Port. The Sink Port method is recommended because using Promiscuous mode can cause duplicate pings and responses, however it can be difficult to configure. See Configure a Sink Port in the NSX documentation for detailed instructions.

Deploy the Standalone NSX Edge Client

Now that the Layer 2 VPN Server is configured on the NSX Managed Site we can deploy the Standalone NSX Edge as a Layer 2 VPN Client. The download for the NSX L2VPN Client Edge includes OVF configuration for Large and X-Large Edges, depending on performance requirements of the Layer 2 VPN. When deploying the OVF the 6 VMDK files, one OVF file and one MF file should be selected.

In the Standalone Site, start the Deploy OVF Template… wizard and select the OVF components.

Select the OVF components

Run the OVF deployment wizard, enter a name and location for the L2VPN-Client, select the host or cluster to deploy the Edge to, and select the storage to deploy to.

When selecting the networks, the Trunk interface should be connected to the trunk port group configured earlier. The Public interface is connected to a network that can route to the L2VPN-Server. The HA interface is only used if HA mode is enabled on the L2VPN-Client Edge, and carries the HA heartbeat traffic.

Deploy the Standalone L2VPN Client - Select networks

If deploying in HA mode, those settings can be configured in the High Availability section of the template customisation.

The L2VPN settings must match the settings configured on the L2VPN-Server:

  • Ciphers – select the cipher that matches the L2VPN-Server
  • Egress Optimized IP Address – leave blank for this configuration
  • Password – the password for the L2VPN User (KSc3Q$3YpMx2<k)
  • Server Address – the IP address of the L2VPN-Server
  • Server Port – the port configured for the L2VPN-Server
  • Username – the user name for the L2VPN User

Deploy the Standalone L2VPN Client – L2VPN settings

  • Sub Interfaces VLAN – this is where you tie together the VLAN ID with the Tunnel ID configured on the L2VPN-Server. I am binding VLAN 20 with Tunnel ID 1 (which was what I configured on the server side for the Logical Switch).
  • Uplink Interface
    • DNS IP Address – DNS server to use
    • Default Gateway – uplink network default gateway
    • IP Address – this is the IP address that will communicate with the L2VPN-Server
    • Prefix Length – prefix for the uplink network
  • CLI passwords
    • Configure passwords for the CLI admin, enable and root

Deploy the Standalone L2VPN Client – Sub interface, uplink and user settings

Once the OVF is deployed, power on the VM.

As mentioned above, to bridge the networks a Sink Port needs to be configured for the Standalone Edge, using the method described in the NSX documentation.
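Because the client OVF settings have to mirror the server configuration exactly (listener address and port, cipher, credentials, and the VLAN-to-tunnel-ID binding), a mismatch is easy to make in the wizard and only shows up as a tunnel that never comes up. The following pre-flight checker is an added example, not code from the original post or from VMware NSX: both sides' settings are transcribed into two dicts with constructed sample values mirroring the lab (VLAN 20 bound to tunnel ID 1, placeholder address 192.0.2.10, an assumed cipher name), and it reports every inconsistency, including the port-group requirements the post calls out.

```python
# Added example (not from the post or from VMware NSX): transcribe both sides'
# L2VPN settings into dicts and check they agree before starting the tunnel.
SERVER = {  # constructed values mirroring the post's L2VPN-Server settings
    "listener_ip": "192.0.2.10",   # placeholder address
    "listener_port": 443,
    "cipher": "AES256-SHA",        # assumed cipher name
    "user_id": "l2vpn-user",
    "stretched": {1: "L2VPN-VLAN20"},  # tunnel ID -> logical switch
    "forged_transmits": True,
}
CLIENT = {  # constructed values mirroring the Standalone L2VPN-Client OVF settings
    "server_address": "192.0.2.10",
    "server_port": 443,
    "cipher": "AES256-SHA",
    "username": "l2vpn-user",
    "sub_interfaces": {20: 1},  # VLAN ID -> tunnel ID
    "trunk_vlans": {20},        # VLANs allowed on the trunk port group
    "forged_transmits": True,
    "promiscuous_or_sink": True,
}

def check_l2vpn(server, client):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    problems = []
    pairs = (("listener_ip", "server_address"), ("listener_port", "server_port"),
             ("cipher", "cipher"), ("user_id", "username"))
    for ks, kc in pairs:
        if server[ks] != client[kc]:
            problems.append(f"{ks}={server[ks]!r} but {kc}={client[kc]!r}")
    bound = {}  # tunnel ID -> VLAN already bound on the client
    for vlan, tid in client["sub_interfaces"].items():
        if tid in bound:
            problems.append(f"tunnel {tid} bound to VLAN {vlan} and VLAN {bound[tid]}")
        bound[tid] = vlan
        if tid not in server["stretched"]:
            problems.append(f"VLAN {vlan}: tunnel {tid} is not stretched on the server")
        if vlan not in client["trunk_vlans"]:
            problems.append(f"VLAN {vlan} is not allowed on the client trunk port group")
    for tid in server["stretched"]:
        if tid not in bound:
            problems.append(f"server tunnel {tid} has no client VLAN bound to it")
    if not (server["forged_transmits"] and client["forged_transmits"]):
        problems.append("Forged Transmits must be enabled on both trunk port groups")
    if not client["promiscuous_or_sink"]:
        problems.append("standalone trunk needs Promiscuous mode or a Sink Port")
    return problems

if __name__ == "__main__":
    print("\n".join(check_l2vpn(SERVER, CLIENT)) or "L2VPN settings consistent")
```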

The lab configuration now matches the diagram below:

Lab current state, with layer 2 VPN configured

Validating Layer 2 VPN connectivity

To validate the L2VPN connectivity, I have migrated one of the two VMs from VLAN 20 onto the Logical Switch.

Now with the VM attached to the logical switch I can ping the gateway, the second VM and also out to the internet, through the physical router in the Standalone Site.

Ping responses from bridged VM

Note: The duplicate responses (DUP!) received from the PING requests are due to the teaming policy on the Distributed Virtual Switch in my lab. See L2VPN Options to Mitigate Looping.

The lab configuration now matches the diagram below:

VMs on both sides are L2 adjacent

Finally, I will migrate the default gateway for VLAN 20 to the Distributed Logical Router by removing the interface from the physical router in the Standalone Site and adding the interface to the Distributed Logical Router on the NSX Managed Site. Then I validate the connectivity between sites again (this time from l2vpn-test-2):

Validating connectivity from the Standalone Site, after the gateway is migrated