Starting with version 10.3.1, VMware Cloud Director supports the creation, deletion and management of L2 VPN tunnels between NSX-T Data Center edge gateways.
With L2 VPN, you can extend your organization VDC by enabling virtual machines to maintain their network connectivity across geographical boundaries while keeping the same IP address. The connection is secured with a route-based IPSec tunnel between the two sides of the tunnel.
You can configure the L2 VPN service on an NSX-T Data Center edge gateway in your VMware Cloud Director environment and create an L2 VPN tunnel. Virtual machines remain on the same subnet, which enables you to extend your organization VDC by stretching its network. This way, an edge gateway at one site can provide all services to virtual machines on the other site.
To create the L2 VPN tunnel, you configure an L2 VPN server and an L2 VPN client.
The service type - server or client - that you configure on the first L2 VPN tunnel on an edge gateway determines the session mode for all other L2 VPN tunnels on the edge gateway. You can only configure one client session per edge gateway.
After you create a tunnel, you cannot change its session mode from server to client, or vice versa. For example, if you want to change the session mode on an NSX-T edge gateway from server to client, you must delete all existing server tunnels from it.
When you create an L2 VPN server tunnel endpoint, a tunnel ID is automatically assigned to the organization VDC network that you stretch, and a peer code is generated. On the client side of the tunnel, you need to add a corresponding network with the same tunnel ID, peer code, and the same subnet.
For more information on L2 VPN for NSX-T, see the NSX-T Data Center Administration Guide.
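The rules above (one session mode per edge gateway, at most one client session, and a client network that matches the server's stretched network by tunnel ID and subnet) are easy to get wrong when the two sides are configured by different teams. The following Python pre-flight check is an added example, not VMware's code or part of the Cloud Director API; the tunnel, network and gateway objects, the `SERVER`/`CLIENT` strings and the peer code value are constructed here for illustration. It normalises subnet notation (a gateway address such as 192.168.10.1/24 is treated as the 192.168.10.0/24 network), which goes slightly beyond the wording of the text.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


# Constructed data model for the check; field names are assumptions, not Cloud Director API fields.
@dataclass
class StretchedNetwork:
    network_name: str
    subnet_cidr: str      # e.g. "192.168.10.0/24"
    tunnel_id: int        # assigned automatically on the server side


@dataclass
class L2VpnTunnel:
    name: str
    session_mode: str     # "SERVER" or "CLIENT"
    peer_code: str = ""   # generated by the server endpoint, copied to the client
    stretched_networks: list = field(default_factory=list)


@dataclass
class EdgeGateway:
    name: str
    tunnels: list = field(default_factory=list)


def check_gateway_session_modes(gateway):
    """Problems found on one edge gateway: every tunnel must use the session
    mode fixed by the first tunnel, and only one client session is allowed."""
    problems = []
    modes = {t.session_mode for t in gateway.tunnels}
    if len(modes) > 1:
        problems.append(f"{gateway.name}: mixed session modes {sorted(modes)}; "
                        "the first tunnel fixes the mode for the whole gateway")
    clients = [t for t in gateway.tunnels if t.session_mode == "CLIENT"]
    if len(clients) > 1:
        problems.append(f"{gateway.name}: {len(clients)} client tunnels, "
                        "only one client session is allowed per edge gateway")
    return problems


def check_client_matches_server(server_tunnel, client_tunnel):
    """Problems found when pairing a client tunnel with a server tunnel: the
    client must carry the server's peer code, and each stretched network on the
    server needs a client network with the same tunnel ID and the same subnet."""
    problems = []
    if client_tunnel.peer_code != server_tunnel.peer_code:
        problems.append("peer code on the client does not match the code "
                        "generated by the server endpoint")
    client_by_id = {n.tunnel_id: n for n in client_tunnel.stretched_networks}
    for srv_net in server_tunnel.stretched_networks:
        cli_net = client_by_id.get(srv_net.tunnel_id)
        if cli_net is None:
            problems.append(f"tunnel ID {srv_net.tunnel_id} ({srv_net.network_name}): "
                            "no client network with this tunnel ID")
            continue
        # strict=False: a host-style address like 192.168.10.1/24 normalises to 192.168.10.0/24
        srv_subnet = ip_network(srv_net.subnet_cidr, strict=False)
        cli_subnet = ip_network(cli_net.subnet_cidr, strict=False)
        if srv_subnet != cli_subnet:
            problems.append(f"tunnel ID {srv_net.tunnel_id}: subnet mismatch "
                            f"{srv_subnet} on the server vs {cli_subnet} on the client")
    return problems


# Constructed sample configuration (placeholder peer code, not a real NSX-T value).
SERVER_TUNNEL = L2VpnTunnel("site-a-to-site-b", "SERVER", "PEER-CODE-PLACEHOLDER", [
    StretchedNetwork("app-net", "192.168.10.0/24", 1),
    StretchedNetwork("db-net", "192.168.20.0/24", 2),
])
GOOD_CLIENT = L2VpnTunnel("site-b-to-site-a", "CLIENT", "PEER-CODE-PLACEHOLDER", [
    StretchedNetwork("app-net-b", "192.168.10.1/24", 1),   # same network, host-style notation
    StretchedNetwork("db-net-b", "192.168.20.0/24", 2),
])
BAD_CLIENT = L2VpnTunnel("site-b-to-site-a", "CLIENT", "STALE-PEER-CODE", [
    StretchedNetwork("app-net-b", "192.168.10.0/24", 1),
    StretchedNetwork("db-net-b", "192.168.21.0/24", 2),    # wrong subnet for tunnel ID 2
])
SERVER_GATEWAY = EdgeGateway("edge-site-a", [SERVER_TUNNEL])
TWO_CLIENTS_GATEWAY = EdgeGateway("edge-site-b", [GOOD_CLIENT, BAD_CLIENT])
MIXED_GATEWAY = EdgeGateway("edge-site-c", [SERVER_TUNNEL, GOOD_CLIENT])

if __name__ == "__main__":
    for gw in (SERVER_GATEWAY, TWO_CLIENTS_GATEWAY, MIXED_GATEWAY):
        print(gw.name, check_gateway_session_modes(gw) or "ok")
    print("good client:", check_client_matches_server(SERVER_TUNNEL, GOOD_CLIENT) or "ok")
    print("bad client:", check_client_matches_server(SERVER_TUNNEL, BAD_CLIENT))
```

Run the file directly to see the three gateway checks and the two client pairings; an empty list means the configuration satisfies the rules described above.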
Configure an NSX-T Data Center Edge Gateway as an L2 VPN Server
The L2 VPN server is the destination NSX-T Data Center edge to which the L2 VPN client is going to connect.
In Server session mode, the NSX-T Data Center edge gateway acts as the server side of the L2 VPN tunnel. It generates peer codes to distribute for client sessions.
You can connect multiple peer sites to a single L2 VPN server.
Prerequisites
- Verify that the NSX-T Data Center edge gateway is connected to a routed organization virtual data center network.
- Verify that your role includes the Organization vDC Gateway: Configure L2 VPN right.
Procedure
Results
What to do next
Copy the L2 VPN Peer Code From An L2 VPN Server Endpoint
To configure an NSX-T Data Center edge gateway as an L2 VPN client, you must copy the peer code that is generated from the L2 VPN server side of the tunnel.
Prerequisites
Verify that you configured the L2 VPN server endpoint of the tunnel.
Procedure
- From the top navigation bar, select Resources and click Cloud Resources.
- In the left panel, click Edge Gateways, and click the name of the target edge gateway.
- Under Services, click L2 VPN.
- Select the L2 VPN tunnel for which you want to copy the peer code.
- Click the Copy peer code button.
Results
Configure an NSX-T Data Center Edge Gateway as an L2 VPN Client
You can create only one client tunnel on an NSX-T Data Center edge gateway.
Prerequisites
- Verify that your role includes the Organization vDC Gateway: Configure L2 VPN right.
- Verify that there are no other client L2 VPN tunnels configured on this edge gateway.
- Configure an NSX-T Data Center Edge Gateway as an L2 VPN Server.
- Copy the peer code of the L2 VPN server endpoint. See Copy the L2 VPN Peer Code From An L2 VPN Server Endpoint.