In my previous post, NSX Layer 2 VPN: Migrating workloads between Datacentres, I described the process and theory behind using an NSX Layer 2 VPN (L2VPN) to migrate workloads from a soon-to-be-retired VLAN backed datacentre, to an NSX Managed logical switch backed datacentre. In this post I will take you through the deployment of the L2VPN in my lab environment, following these high-level steps:
- Prepare the NSX Managed Site
- Deploy the Layer 2 VPN Server
- Prepare the Standalone Site
- Deploy the Layer 2 VPN Client
- Validate the Layer 2 VPN connectivity
Current lab environment
The lab environment I am using currently reflects the diagram below, with two VMs deployed onto VLAN 20 within my “remote” site (the remote site is actually just a separate cluster from my “NSX Managed Site”, which is my workload cluster). In my NSX Managed site I have a Provider Logical Router (PLR) and Distributed Logical Router (DLR) configured.
Configure the NSX Managed Site
To prepare the NSX Managed Site the L2VPN-Server needs to be connected to a “trunk” interface, which allows multiple VLAN or Logical Switches to be configured as sub-interfaces, rather than having an interface in each VLAN/Logical Switch.
The Port Group below is configured to allow any VLAN to pass (0-4094), but it is preferable to list only the VLANs you wish to bridge (for example, if I am bridging VLAN 20 I could enter “20”), so the Edge only sees the traffic it needs to relay.
We also need to enable Forged Transmits on the trunk port group to allow the edge to relay L2VPN traffic through the interface.
Note: For the L2VPN-Server in the NSX Managed Site the NSX Manager will configure the trunk port group interface as a sink port, so it is not necessary to configure Promiscuous mode. Additional configuration is required for the NSX Standalone Edge deployment in the Standalone Site, which I’ll cover later.
I also need to create (or identify an existing) Logical Switch that will be extended by the L2VPN – I’ve created a new Logical Switch that has a VXLAN Network Identifier (VNI) of 5005. It’s not connected to an Edge or Distributed Logical Router, and has no VMs attached.
Now that the prerequisites are configured we can deploy the NSX Edge for the Layer 2 VPN Server (L2VPN-Server).
Deploy the NSX Edge
- Install Type: Edge Services Gateway
- Name: “L2VPN-Server”
- Ensure “Deploy NSX Edge” and “Enable High Availability” are selected
- User Name: admin
- Enter a complex password and confirm
- Enable SSH to allow SSH access to the Edge when deployed for troubleshooting and verification
- Select the Datacentre to deploy to
- Appliance Size: For production I would go with a minimum of Large, but as this is a lab environment I will use Compact
- Configure the appliance deployment resource, datastore, and folder
- Configure only the Uplink interface, connected to the uplink network (you cannot configure a trunk interface here).
- Configure the Default Gateway
- Configure the default firewall policy to Accept
- Leave the HA parameters at their defaults so that an automatic private (APIPA) IP address is assigned
Finally, complete the deployment wizard. When the deployment completes the NSX Manager will have deployed two NSX Edges in Active/Standby mode.
Configuring the Edge Interfaces
The first task in configuring the L2VPN Server is to add the trunk interface. Using the Networking & Security > NSX Edges page, double click to edit the L2VPN-Server Edge. Select Manage > Settings > Interfaces, then select an unconfigured vNIC.
- Name – “L2VPN-Trunk” or something meaningful
- Type – “Trunk”
- Connected To – select the Port Group that was configured as a VLAN trunk earlier
- Click + to add a Sub Interface
  - Name – “L2VPN-VLAN20”, the name of the Logical Switch I want to extend
  - Tunnel Id – enter a tunnel ID (I’ve used 1); this is used to match the VLAN on the Standalone Site with the Logical Switch on the NSX Managed Site
  - Backing Type – Network
  - Network – select the Logical Switch to be extended, “L2VPN-VLAN20”
  - Configure Subnets
    - Primary IP – assign a free IP from VLAN 20’s subnet
  - Click OK
Configure the Layer 2 VPN Server
Next, configure the L2 VPN server under the Manage > VPN > L2 VPN tab. Click Change to modify the global configuration.
- Listener IP – the IP address that will communicate with the L2VPN-Client
- Listener Port – the port over which communication will happen
- Encryption Algorithm – select the desired algorithm
- Certificate Details
  - Check Use System Generated Certificate for a self-signed certificate, or
  - Select the CA Signed certificate
Click on the plus icon to add a Site Configuration for the Standalone Site.
- Name – enter a meaningful name
- User Id – create a username for the L2VPN
- Password – generate a random, long and complex password for the L2VPN
- Stretched Interfaces
  - Select the sub-interface configured on the Trunk port
- Leave the remaining settings at their defaults
Enable the L2VPN Service by clicking Start.
Publish the changes to enable the configuration.
The L2VPN Server side is now configured and waiting for connections from the L2VPN Client.
Configure the Standalone Site
As with the NSX Managed Site, a trunk port group configured to allow the bridged VLAN IDs is required to connect the standalone L2VPN-Client Edge, and Forged Transmits must be enabled to allow the Edge to relay L2VPN traffic through the interface.
The port group on the Standalone Site must either be configured for Promiscuous mode, or the port that the L2VPN-Client connects to must be configured as a Sink Port. The Sink Port method is recommended because using Promiscuous mode can cause duplicate pings and responses, however it can be difficult to configure. See Configure a Sink Port in the NSX documentation for detailed instructions.
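The trunk port group needs the same settings at both sites, so here is an added PowerCLI example (not from the original post) that creates or adjusts it, restricts the trunk to VLAN 20 only, and sets the security policy described above. The vCenter, VDS and port group names are assumptions.

```powershell
# Added example, not from the original post: configure the L2VPN trunk port group
# on a vSphere Distributed Switch with PowerCLI. The vCenter, VDS and port group
# names below are assumptions; VLAN 20 is the only VLAN being bridged.
Import-Module VMware.VimAutomation.Vds

Connect-VIServer -Server "vcenter.lab.local" | Out-Null   # assumed vCenter name

$vds = Get-VDSwitch -Name "DSwitch-Remote"               # assumed VDS name
$pg  = Get-VDPortgroup -VDSwitch $vds -Name "L2VPN-Trunk" -ErrorAction SilentlyContinue

if (-not $pg) {
    # Trunk only the VLAN being bridged, rather than the full 0-4094 range
    $pg = New-VDPortgroup -VDSwitch $vds -Name "L2VPN-Trunk" -VlanTrunkRange "20"
} else {
    $pg | Set-VDVlanConfiguration -VlanTrunkRange "20" | Out-Null
}

# Forged Transmits must be Accept so the Edge can relay frames sourced from other
# VMs' MAC addresses. Promiscuous mode stays Reject: the Edge's port is configured
# as a sink port instead, which avoids the duplicate packets the post mentions.
$pg | Get-VDSecurityPolicy |
    Set-VDSecurityPolicy -ForgedTransmits $true -AllowPromiscuous $false | Out-Null

# Read back what was applied so it can be checked before the Edge is deployed
$pol = $pg | Get-VDSecurityPolicy
[pscustomobject]@{
    PortGroup        = $pg.Name
    VlanConfig       = ($pg | Get-VDVlanConfiguration)
    ForgedTransmits  = $pol.ForgedTransmits
    AllowPromiscuous = $pol.AllowPromiscuous
}
```

On the NSX Managed Site the NSX Manager sinks the L2VPN-Server port itself; on the Standalone Site the sink port still has to be configured manually as described above.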
Deploy the Standalone NSX Edge Client
Now that the Layer 2 VPN Server is configured on the NSX Managed Site we can deploy the Standalone NSX Edge as a Layer 2 VPN Client. The download for the NSX L2VPN Client Edge includes OVF configuration for Large and X-Large Edges, depending on the performance requirements of the Layer 2 VPN. When deploying the OVF, select the six VMDK files, the OVF file and the MF file.
In the Standalone Site, start the Deploy OVF Template… wizard and select the OVF components.
Run the OVF deployment wizard, enter a name and location for the L2VPN-Client, select the host or cluster to deploy the Edge to, and select the storage to deploy to.
When selecting the networks, the trunk interface should be connected to the trunk port group configured earlier. The Public interface is connected to a network that can route to the L2VPN-Server. The HA interface is only needed when enabling HA mode on the L2VPN-Client Edge, and carries the HA heartbeat traffic.
If deploying in HA mode, those settings can be configured in the High Availability section of the template customisation.
The L2VPN settings must match the settings configured on the L2VPN-Server:
- Ciphers – select the cipher that matches the L2VPN-Server
- Egress Optimized IP Address – leave blank for this configuration
- Password – the password created for the L2VPN user on the L2VPN-Server (KSc3Q$3YpMx2<k in my lab)
- Server Address – the IP address of the L2VPN-Server
- Server Port – the port configured for the L2VPN-Server
- Username – the user name for the L2VPN User
- Sub Interfaces VLAN – this is where you tie together the VLAN ID with the Tunnel ID configured on the L2VPN-Server. I am binding VLAN 20 with Tunnel ID 1 (which is what I configured on the server side for the Logical Switch).
- Uplink Interface
  - DNS IP Address – DNS server to use
  - Default Gateway – uplink network default gateway
  - IP Address – the IP address that will communicate with the L2VPN-Server
  - Prefix Length – prefix length for the uplink network
- CLI passwords
  - Configure passwords for the CLI admin, enable and root accounts
Once the OVF is deployed, power on the VM.
As mentioned above, to bridge the networks a Sink Port must be configured for the Standalone Edge, using the method described in the NSX documentation.
The lab configuration now matches the diagram below:
Validating Layer 2 VPN connectivity
To validate the L2VPN connectivity, I have migrated one of the two VMs from VLAN 20 onto the Logical Switch.
Now with the VM attached to the logical switch I can ping the gateway, the second VM and also out to the internet, through the physical router in the Standalone Site.
Note: The duplicate responses (DUP!) received from the PING requests are due to the teaming policy on the Distributed Virtual Switch in my lab. See L2VPN Options to Mitigate Looping.
The lab configuration now matches the diagram below:
Finally, I will migrate the default gateway for VLAN 20 to the Distributed Logical Router by removing the interface from the physical router in the Standalone Site, and adding the interface to the Distributed Logical Router on the NSX Managed Site. Then I validate the connectivity between sites again (this time from l2vpn-test-2):