When an NSX-managed Edge is set up as an L2 VPN client, NSX performs some of the configuration automatically. When a standalone NSX Edge is set up as an L2 VPN client, these configuration steps must be done manually.

If one of the VPN sites does not have NSX deployed, you can configure an L2 VPN by deploying a standalone NSX Edge at that site. A standalone Edge is deployed using an OVF file on a host that is not managed by NSX. This deploys an Edge Services Gateway appliance to function as an L2 VPN client.

If a standalone edge trunk vNIC is connected to a vSphere Distributed Switch, either promiscuous mode or a sink port is required for L2 VPN function. Using promiscuous mode can cause duplicate pings and duplicate responses. For this reason, use sink port mode in the L2 VPN standalone NSX Edge configuration.

Procedure

  1. Retrieve the port number for the trunk vNIC that you want to configure as a sink port.
    1. Log in to the vSphere Web Client, and navigate to Home > Networking.
    2. Click the distributed port group to which the NSX Edge trunk interface is connected, and click Ports to view the ports and connected VMs. Note the port number associated with the trunk interface.
      Use this port number when fetching and updating opaque data.
  2. Retrieve the dvsUuid value for the vSphere Distributed Switch.
    1. Log in to the vCenter MOB UI at https://<vc-ip>/mob.
    2. Click content.
    3. Click the link associated with the rootFolder (for example: group-d1 (Datacenters)).
    4. Click the link associated with the childEntity (for example: datacenter-1).
    5. Click the link associated with the networkFolder (for example: group-n6).
    6. Click the DVS name link for the vSphere distributed switch associated with the NSX Edges (for example: dvs-1 (Mgmt_VDS)).
    7. Copy the value of the uuid string.
      Use this value for dvsUuid when fetching and updating opaque data.
  3. Verify if opaque data exists for the specified port.
    1. Go to https://<vc-ip>/mob/?moid=DVSManager&vmodl=1.
    2. Click fetchOpaqueDataEx.
    3. In the selectionSet value box paste the following XML input:
      <selectionSet xsi:type="DVPortSelection">
          <dvsUuid>c2 1d 11 50 6a 7c 77 68-e6 ba ce 6a 1d 96 2a 15</dvsUuid> <!-- example dvsUuid -->   
          <portKey>393</portKey>  <!-- example port number -->
      </selectionSet>

      Use the port number and dvsUuid value that you retrieved for the NSX Edge trunk interface.

    4. Set isRuntime to false.
    5. Click Invoke Method.
    If the result shows values for vim.dvs.OpaqueData.ConfigInfo, opaque data is already set for the port, so use the edit operation when you set the sink port. If the value for vim.dvs.OpaqueData.ConfigInfo is empty, use the add operation when you set the sink port.
  4. Configure the sink port in the vCenter managed object browser (MOB).
    1. Go to https://<vc-ip>/mob/?moid=DVSManager&vmodl=1.
    2. Click updateOpaqueDataEx.
    3. In the selectionSet value box paste the following XML input:
      <selectionSet xsi:type="DVPortSelection">
          <dvsUuid>c2 1d 11 50 6a 7c 77 68-e6 ba ce 6a 1d 96 2a 15</dvsUuid> <!-- example dvsUuid -->   
          <portKey>393</portKey>  <!-- example port number -->
      </selectionSet>

      Use the dvsUuid value that you retrieved from the vCenter MOB.

    4. In the opaqueDataSpec value box, paste one of the following XML inputs:

      Use this input to enable a SINK port if opaque data is not set (operation is set to add):

      <opaqueDataSpec>
          <operation>add</operation> 
          <opaqueData>
              <key>com.vmware.etherswitch.port.extraEthFRP</key>
              <opaqueData xsi:type="vmodl.Binary">AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</opaqueData>
          </opaqueData>
      </opaqueDataSpec>
      
      Use this input to enable a SINK port if opaque data is already set (operation is set to edit):

      <opaqueDataSpec>
          <operation>edit</operation> 
          <opaqueData>
              <key>com.vmware.etherswitch.port.extraEthFRP</key>
              <opaqueData xsi:type="vmodl.Binary">AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</opaqueData>
          </opaqueData>
      </opaqueDataSpec>
      

      Use this input to disable a SINK port:

      <opaqueDataSpec>
          <operation>edit</operation>
              <opaqueData>
                  <key>com.vmware.etherswitch.port.extraEthFRP</key>
                  <opaqueData xsi:type="vmodl.Binary">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</opaqueData>
              </opaqueData>
      </opaqueDataSpec>
      
    5. Set isRuntime to false.
    6. Click Invoke Method.
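
An offline check to run on an opaqueDataSpec input before pasting it into the MOB, added here as an example (it is not VMware's code). It applies the add/edit rule from step 3, confirms the key and value type, and decodes the binary value to show which bytes are set. The function names are hypothetical and the sample payloads are constructed with a shortened binary value; substitute the full input from step 4.

```python
import base64
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
SINK_KEY = "com.vmware.etherswitch.port.extraEthFRP"  # key shown in step 4

# Constructed sample: same shape as the step 4 input, binary value shortened.
SAMPLE_SPEC = """
<opaqueDataSpec>
    <operation>{op}</operation>
    <opaqueData>
        <key>com.vmware.etherswitch.port.extraEthFRP</key>
        <opaqueData xsi:type="vmodl.Binary">{blob}</opaqueData>
    </opaqueData>
</opaqueDataSpec>
"""
SAMPLE_ENABLE = SAMPLE_SPEC.format(op="add", blob="AAABAAAAAAA=")
SAMPLE_DISABLE = SAMPLE_SPEC.format(op="edit", blob="AAAAAAAAAAA=")


def choose_operation(fetch_result: str) -> str:
    """Step 3 rule: empty ConfigInfo result means add, otherwise edit."""
    return "edit" if fetch_result.strip() else "add"


def check_spec(spec_xml: str, expected_operation: str) -> dict:
    """Parse an opaqueDataSpec fragment and report what it would apply."""
    # The fragments use xsi:type without declaring the xsi prefix, so bind
    # it on a wrapper element; parsing them as-is fails on the unbound prefix.
    root = ET.fromstring(f'<w xmlns:xsi="{XSI}">{spec_xml}</w>')
    spec = root.find("opaqueDataSpec")
    if spec is None:
        raise ValueError("no <opaqueDataSpec> element")
    operation = (spec.findtext("operation") or "").strip()
    if operation != expected_operation:
        raise ValueError(f"operation {operation!r}, expected {expected_operation!r}")
    if (spec.findtext("opaqueData/key") or "").strip() != SINK_KEY:
        raise ValueError("unexpected opaque data key")
    value = spec.find("opaqueData/opaqueData")
    if value is None or value.get(f"{{{XSI}}}type") != "vmodl.Binary":
        raise ValueError("binary value missing or not typed vmodl.Binary")
    raw = base64.b64decode((value.text or "").strip(), validate=True)
    # Offsets of non-zero bytes: the page's enable value starts "AAAB"
    # (bytes 00 00 01), while its disable value is all zero bytes.
    nonzero = {i: b for i, b in enumerate(raw) if b}
    return {"operation": operation, "length": len(raw), "nonzero": nonzero}


if __name__ == "__main__":
    print(check_spec(SAMPLE_ENABLE, choose_operation("")))
    print(check_spec(SAMPLE_DISABLE, choose_operation("vim.dvs.OpaqueData.ConfigInfo ...")))
```

An empty `nonzero` result corresponds to the disable input; a mismatch between the spec's operation and the step 3 result raises `ValueError` before anything is submitted.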