NSX – Configure L2 VPN service to stretch multiple logical networks across geographical sites

You first enable the L2 VPN service on the NSX Edge instance, then configure a server and then a client. I'm going to try to use a Hands-on Lab to spin up two ESGs and stretch an L2 network between them both.

You need to use the Trunk interface type to set up L2 VPNs, so here are the steps for that:

1. Click on the Settings tab, then click on Interfaces. Select a vNIC and click on the pencil icon to bring up the Edit NSX Edge Interface wizard.

2. Enter an interface name, then set Type to Trunk. Click on the Select link next to the Connected To text box and attach the interface to a standard or distributed port group:

3. Click on the Green Plus sign (+) icon underneath the Sub Interfaces label and enter the following:

  • Name: L2VPN-Server-SubInterface
  • Tunnel Id: 1
  • Backing Type: Network
  • Click the Green Plus sign (+) icon.
  • Enter 172.16.10.1 in the Primary IP Address field.
  • Enter 24 for the Subnet Prefix Length.
  • Click the Select link next to Connected To.

This gives you an option to click "Trunk", which will show the details of the sub interfaces:

I have created a trunk port on the Server ESG and on the Client ESG as well... same process on each (with different IPs).

Enable L2 VPN

You must enable L2 VPN before configuring a tunnel.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the VPN tab.

5. Click L2 VPN.


Add L2 VPN Server

The L2 VPN server is the source NSX Edge to which the L2 VPN is to be connected.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the VPN tab.

5. Click L2 VPN, select Server, and click Change:

6. In Listener IP, type the primary or secondary IP address of an external interface of the NSX Edge.

7. The default port for the L2 VPN service is 443. Edit this if required.

8. Select the encryption method.


9. In Server Certificates, do one of the following:

  • Select Use System Generated Certificate to use a self-signed certificate for authentication.
  • Select the signed certificate to be used for authentication.

10. Click OK.

11. Click the Green Plus Sign (+) icon.

12. Select the Enable Peer Site checkbox, enter a name, user ID and password, and click on the Select Sub Interfaces link:

13. Add the sub interface on the trunk we created earlier:

14. Click OK, then OK again.

15. Ensure the L2 VPN mode is set to Server and click Publish Changes.

16. Lastly, click Enable and then Publish again.
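A pre-flight check for the listener configured in steps 6 to 9, added here as an example and not part of the original post: it performs one TLS handshake against the listener IP and port, reports the negotiated protocol and cipher, and prints the SHA-256 fingerprint of the certificate the server presents, so you can compare it with the certificate you selected before pointing the client at this server. The listener address is a placeholder, not a value from the lab.

```python
import hashlib
import socket
import ssl

# Assumed listener address: the external-interface IP and port entered in
# steps 6 and 7 (placeholder values, not taken from the lab).
L2VPN_LISTENER = ("192.0.2.10", 443)


def evaluate_listener(tls_version, cipher_name, cert_der):
    """Summarise one handshake with the L2 VPN listener.

    Returns the SHA-256 fingerprint of the presented certificate (compare it
    with the certificate chosen in step 9) and warnings about a legacy
    protocol or a cipher suite without forward secrecy."""
    warnings = []
    if tls_version in ("SSLv3", "TLSv1", "TLSv1.1"):
        warnings.append(f"legacy protocol negotiated: {tls_version}")
    ephemeral = cipher_name.startswith(("ECDHE", "DHE")) or tls_version == "TLSv1.3"
    if not ephemeral:
        warnings.append(f"cipher without forward secrecy: {cipher_name}")
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return {"version": tls_version, "cipher": cipher_name,
            "sha256": fingerprint, "warnings": warnings}


def probe_listener(host, port, timeout=5.0):
    """Open one TLS session to the listener and evaluate what it offers.

    Chain verification is disabled for this probe because a system-generated
    (self-signed) certificate chains to no CA; the fingerprint is what you
    check by hand instead. The floor is lowered so a legacy-only listener is
    reported rather than silently refused (where the local OpenSSL allows)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return evaluate_listener(tls.version(), tls.cipher()[0],
                                     tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    result = probe_listener(*L2VPN_LISTENER)
    print(f"negotiated {result['version']} with {result['cipher']}")
    print(f"certificate SHA-256: {result['sha256']}")
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

Run it from a host that can reach the listener before step 6 of the client setup; if the fingerprint differs from the certificate you selected, something else is answering on that IP and port.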

Add L2 VPN Client

The L2 VPN client is the destination NSX Edge.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the VPN tab.

5. Click L2 VPN, select Client, and click Change:

6. Add the L2 VPN server address (the other ESG), select the same encryption algorithm, and type in the user ID and password you set up on the L2 VPN Server:

7. Click on the Select Sub Interfaces link to bring up the available list of Sub Interfaces to attach to the service.

8. Click OK, then OK again, then Enable and Publish.

Check L2 VPN Tunnel Status

1. Once enabled, click on the Fetch Status button (this button exists only on the client). You may need to click it a couple of times after the service is enabled.

2. Expand Tunnel Status.

3. Verify the Status is Up as seen in the screenshot below:

4. To check on the L2 VPN Server, click "Show L2VPN Statistics":

This will hopefully show you something like this:
