Configure L2 VPN on VMware NSX

VMwareNSX

Using NSX Edge, you can create an L2 VPN that stretches multiple logical networks, whether VLAN or VXLAN, across geographical sites. With L2 VPN, a VM can stay on the same subnet when it is moved between sites, so its IP address does not have to change. To configure an L2 VPN, you configure an L2 VPN server (destination Edge) and an L2 VPN client (source Edge), then enable the L2 VPN service on both. But before we can create the L2 VPN, we must create a trunk interface on our NSX Edge.

First we need to create a portgroup on the vDS for the NSX Edge to connect its trunk interface to:

Navigate to your vDS and create your portgroup


In the teaming and failover settings for the portgroup, make sure only one uplink is set to active and the others are set to standby. This prevents loops, since the stretched network would otherwise be reachable through more than one uplink at once.
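Because the one-active-uplink requirement is easy to get wrong and only shows up as a loop once the tunnel is up, a PowerCLI check for the trunk portgroup is shown here as an added example (not part of the original post). The vCenter name and the portgroup name are assumptions; replace them with your own.

```powershell
# Added check, not from the original post: verify that the vDS portgroup backing
# the NSX Edge trunk interface has exactly one active uplink and at least one
# standby uplink before the L2 VPN service is started.
$VCenter        = 'vcenter.example.local'   # assumption: your vCenter server
$TrunkPortgroup = 'L2VPN-Trunk'             # assumption: the portgroup created above

Import-Module VMware.VimAutomation.Vds -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$pg     = Get-VDPortgroup -Name $TrunkPortgroup -ErrorAction Stop
$policy = $pg | Get-VDUplinkTeamingPolicy

# Wrap in @() so a single uplink name still counts as one element, not a string
$active  = @($policy.ActiveUplinkPort)
$standby = @($policy.StandbyUplinkPort)
$unused  = @($policy.UnusedUplinkPort)

Write-Host ("Portgroup {0}: active={1} standby={2} unused={3}" -f `
    $pg.Name, ($active -join ','), ($standby -join ','), ($unused -join ','))

$problems = @()
if ($active.Count -ne 1) {
    $problems += "expected exactly 1 active uplink, found $($active.Count) (loop risk)"
}
if ($standby.Count -lt 1) {
    $problems += "no standby uplink: a single NIC failure would take the trunk down"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: teaming policy is safe for an L2 VPN trunk portgroup"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    # Remediation, once you have confirmed the uplink names on your vDS:
    # $policy | Set-VDUplinkTeamingPolicy -ActiveUplinkPort 'dvUplink1' -StandbyUplinkPort 'dvUplink2'
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it against the trunk portgroup at both sites, since the client-side Edge connects through a trunk portgroup of its own.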

Now navigate back to the NSX Edge that you will create the VPN on. Go to Manage > Settings > Interfaces and create a new interface. Make sure you select Trunk as the Type and connect it to the portgroup that was just created.


Now click the green + under Sub Interfaces. Enter a name and a Tunnel ID. The Tunnel ID must be the same at both sites. For Backing Type, Network supports either VLAN or VXLAN backing, while VLAN supports only VLAN. I selected Network since I’m going from VXLAN to VXLAN. Select the backend network that you want to stretch across the VPN. Enter a primary IP address for the sub interface. Click OK.


Now we can see that the trunk interface has been created.


Now under Manage > VPN > L2 VPN, make sure the L2VPN mode is set to Server. Click Change.


Select the external interface, port number, and encryption method. Under Certificate Details, you can use a system-generated certificate, a self-signed certificate, or a certificate that you added. Once you have everything selected, click OK.


Under Site Configuration Details, click the green +. Enter a name, a user ID and password, and select the sub interface. For Egress Optimization Gateway Address, if the default gateway for virtual machines is the same across the two sites, enter the gateway IP addresses of the sub interfaces, or the IP addresses to which traffic should not flow over the tunnel. In my case, I entered the IP of the sub interface. Click OK.


Now start the L2VPN Service and click Publish Changes on the Edge.


Now, at our other site, on the Edge that will be the L2 VPN client, I also create a sub interface.


Under Manage > VPN > L2 VPN, make sure the L2VPN mode is set to Client. Click Change.


Now we need to configure the client settings. For Server Address, enter the IP address of the remote VPN server that was just configured. Make sure you select the same encryption algorithm here that you configured at the other site. In Stretched Interface, select the sub interface to be stretched to the server. For Egress Optimization Gateway Address, enter the IP address of the sub interface, or the IP address of traffic that should not flow over the tunnel. In the User Details section, enter the credentials that you created in the server-side configuration. Click OK.


Now start the L2 VPN service and publish the changes.


Now, when I go back to the L2 VPN server side and check the L2VPN Statistics, the tunnel status is UP.


To test the connection between the two sites, I log on to a VM at Site A (VM01) and run a ping and a tracert to a VM at Site B (VM02); both succeed.


And that’s all there is to it! That wasn’t so bad.
