With L2 VPN, you can stretch multiple logical networks (both VLAN and VXLAN) across geographical sites. In addition, you can configure multiple sites on an L2 VPN server.

Virtual machines remain on the same subnet when they are moved between sites, and their IP addresses do not change. Egress optimization enables the Edge to route any packets sent towards the Egress Optimization IP address locally, and to bridge everything else.

So, with L2 VPN service, enterprises can seamlessly migrate workloads between different physical sites. The workloads can run on either VXLAN-based networks or VLAN-based networks. For cloud service providers, L2 VPN provides a mechanism to on-board tenants without modifying existing IP addresses for workloads and applications.

Note:
  • Starting in NSX Data Center 6.4.2, you can configure the L2 VPN service over both SSL and IPSec tunnels. However, you can configure the L2 VPN service over IPSec tunnels only by using REST APIs. For more information about configuring L2 VPN over IPSec, see the NSX API Guide.
  • With NSX 6.4.1 and earlier, you can configure the L2 VPN service only over SSL tunnels.
Figure 1. Extending VXLAN Across Multiple Sites Using L2 VPN

L2 VPN tunnel between sites A and B, which have workload VMs connected to VXLAN networks. Both sites are managed by NSX.

The L2 VPN client and server learn the MAC addresses on both local and remote sites based on the traffic flowing through them. Egress optimization maintains local routing because the default gateway for all virtual machines is always resolved to the local gateway using firewall rules. Virtual machines that have been moved to Site B can also access L2 segments that are not stretched on Site A.

If one of the sites does not have NSX deployed, a standalone Edge can be deployed on that site.

In the following graphic, L2 VPN stretches network VLAN 10 to VXLAN 5010 and VLAN 11 to VXLAN 5011. So VM 1 bridged with VLAN 10 can access VMs 2, 5, and 6.

Figure 2. Extending non-NSX Site with VLAN-Based Networks to NSX-Site with VXLAN-Based Networks Using L2 VPN

L2 VPN tunnel between sites A and B. Site A has VLAN networks that are not managed by NSX. Site B has VXLAN networks that are managed by NSX.
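The forwarding behaviour described above (MAC learning on both sides, egress optimization for the gateway address, and stretching VLAN 10 to VXLAN 5010 and VLAN 11 to VXLAN 5011) can be followed with a small model. This is an added simplified simulation, not NSX code; the segment names, MAC addresses and the gateway IP 10.10.0.1 are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    segment: str                  # segment the frame was seen on, e.g. "vlan-10"
    dst_ip: Optional[str] = None  # set for IP traffic, None for pure L2 frames

@dataclass
class L2VpnEndpoint:
    """One end of the L2 VPN tunnel (client or server) - a simplified model."""
    name: str
    stretch: dict                       # local segment -> peer segment it is bridged to
    egress_ip: Optional[str] = None     # Egress Optimization IP (the local default gateway)
    mac_table: dict = field(default_factory=dict)   # mac -> "local" or "remote"

    def forward(self, frame: Frame) -> str:
        """Decide what happens to a frame sent by a VM on this site."""
        self.mac_table[frame.src_mac] = "local"      # learn from local traffic
        if frame.segment not in self.stretch:
            return "not-stretched"                   # segment stays within this site
        if frame.dst_ip is not None and frame.dst_ip == self.egress_ip:
            return "local-gateway"                   # egress optimization: never tunnelled
        origin = self.mac_table.get(frame.dst_mac)
        if origin == "remote":
            return "tunnel"                          # bridged across the L2 VPN
        if origin == "local":
            return "local"
        return "flood"                               # unknown MAC: flood locally and over the tunnel

    def receive(self, frame: Frame) -> Optional[str]:
        """Frame arriving over the tunnel: map the peer's segment to ours and learn its MAC."""
        peer_to_local = {peer: mine for mine, peer in self.stretch.items()}
        local_segment = peer_to_local.get(frame.segment)
        if local_segment is None:
            return None                              # peer segment is not stretched to this site
        self.mac_table[frame.src_mac] = "remote"     # learn from remote traffic
        return local_segment
```

In the model, Site A stretches VLAN 10 and VLAN 11 to the peer's VXLAN 5010 and 5011; a frame from a VM that arrives on VXLAN 5010 is delivered on VLAN 10, and later traffic from VLAN 10 to that VM is tunnelled, while traffic to the gateway address is answered locally.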