What is L2 VPN?
From VMware NSX Administration Guide
With L2 VPN, you can stretch multiple logical networks (both VLAN and VXLAN) across geographical sites. Virtual machines remain on the same subnet when they are moved between sites and their IP addresses do not change.
L2 VPN thus allows enterprises to seamlessly migrate workloads backed by VXLAN or VLAN between physically separated locations. For cloud providers, L2 VPN provides a mechanism to on-board tenants without modifying existing IP addresses for workloads and applications.
Below diagram shows how a VXLAN was extended between sites using L2 VPN
Graphic Thanks to VMware
Lets jump into lab and configure a L2 VPN.
Before deploying/modifying any ESG for L2 VPN connectivity, we need a trunk portgroup on vDS. In my lab I have created a dvportgroup in both site A & B.
L2 VPN Server configuration
To configure a L2 VPN, double click on edge where you want to configure server settings and navigate to Manage > Interfaces and edit the first availble free vNIC.
Provide a name for the interface and set type as “Trunk”.
Select the dvportgroup which you created on Site-A (server side).
Click on green + button to add a sub-interface.
In my lab I have a VXLAN called “DB-Dev-Tier” to which I have one database server tied and I will be adding this virtualwire as sub-interface.
- Select “Enable Sub-Interface” and provide a name.
- Specify a tunnel id. This will be same on both server and client side.
- Select backing type as “Network”
- Click on change to select the approprite logical switch.
- Specify primary IP address and subnet mask
Hit OK to continue.
Hit OK one more time to finish editing the interface task.
Navigate to VPN > L2 VPN tab and select L2VPN mode as server and click on change button.
Type the primary or secondary IP address of an external interface of the NSX Edge as listener IP and select appropriate encryption algo.
When we configure L2 VPN client, we will be connecting to above IP, so make sure to note it down somewhere.
Check mark the “Use system generated certificate” and hit OK.
Under Site Configuration Details, click on + button to specify site settings.
Provide a name for the site and username/password via which client will connect to server.
Under “Stretched Interfaces”, select the sub-interface which we created earlier.
Egress Optimization Gateway Address: If the default gateway for virtual machines is same across the two sites, type the gateway IP addresses for which the traffic should be locally routed or for which traffic is to be blocked over the tunnel.
Enable the L2VPN Service and click on publish chnages to save configuration.
L2 VPN Client Configuration
I deployed a new ESG in my site-B where I will be configuring the L2 VPN client.
I have created a logical switch named “DB-New” in my Site-B and I will be using this logical switch as sub-interface on ESG where L2 VPN Client will be configured.
Double click on the newly deployed edge and navigate to Manage > Interfaces and edit the first availble vNIC.
Provide a name for the interface and select type as Trunk and map it to the apropriate dvportgroup which we created in Site-B.
Click on + button to add sub-interface.
- Provide a name for the interface and select type as Network.
- Enter the tunnel ID same as what you specified on server side.
- Map it to the appropriate logical switch and specify the primary IP address and subnet mask for the sub-interface.
Hit OK to continue.
Navigate to Manage > VPN > L2 VPN and select mode as “Client” and click on change button.
- Server Address: IP address of the edge interface of Site-A where L2 Server is configured.
- Port number & Encryption Algo: Same as Site-A
- Stretched Interfaces: Created in previous step
- User ID/Password: Credentials of user created on server side.
Hit OK to continue.
Enable L2 VPN service and click on publish changes to save configuration.
Click on fetch status to verify Tunnel status. If your configuration is correct, your tunnel status should report as UP.
On server side, you can fetch the same by clicking on “Show L2VPN Statistics”
Lets test the connectivity between 2 sites.
On Site-A I have db-01 VM which is connected to LS which was added as sub-interface on ESG. This VM is having an IP of 172.16.30.2 and its default gateway is pointing to IP address which we specified while adding the sub-interface.
On Site-B, I have DB-NEW-01b VM which is on same IP segment as Site-A but connected to LS DB-New which we added as sub-interface on ESG where L2VPN client is configured.
I initiated a ping from both sites and I was able to reach the concerned VM.
And that’s it for this post.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable