Company ACME Enterprise has two private data centers "site A" and "site B". NSX Data Center is deployed at both data centers. As an NSX administrator, you want to migrate workloads (applications) from site A to site B by stretching or extending the VLAN networks on site A to the VXLAN networks on site B.

NSX L2 VPN supports egress optimization by using the same gateway IP address on both sites. This scenario uses the egress optimization feature and ensures that the IP addresses of the applications do not change after the migration.

The following figure shows the logical topology of extending networks between two sites by using the L2 VPN service on the NSX Edges.


Figure shows L2 stretching of VLAN networks on site A to VXLAN networks on site B.
The L2 VPN service on the NSX Edge at site A is configured in "client" mode, and the L2 VPN service on the NSX Edge at site B is configured in "server" mode. As an administrator, your objective is to create an L2 VPN tunnel and perform an L2 extension between sites A and B, such that:
  • Tunnel ID 200 extends the VLAN 10 network on site A to the VXLAN 5010 network on site B.
  • Tunnel ID 201 extends the VLAN 11 network on site A to the VXLAN 5011 network on site B.

The following figure shows the logical representation of the L2 extension between both sites.


Figure shows an L2 VPN tunnel between the server edge and the client edge.
Remember: In this scenario, both sites have NSX-managed edges. To perform an L2 extension between two sites, the edge that is configured in "server" mode must be an NSX Edge. However, the edge that is configured in "client" mode can either be an NSX Edge or a standalone edge, which is not NSX-managed.

If the client site uses a standalone edge, you can stretch only VLAN networks on the client site with the VLAN or VXLAN networks on the server site.

You can perform an L2 extension either by configuring L2 VPN service over SSL, or by configuring L2 VPN over IPSec. The following procedure explains the steps for stretching L2 networks using L2 VPN over SSL.

Procedure

  1. Navigate to the L2 VPN edge on site B and configure a vnic interface of type "trunk". Add two sub interfaces on this interface.
    For detailed instructions about configuring an interface on the edge and adding sub interfaces, see Configure an Interface.
    For example, in this scenario, configure "vnic 1" on the server edge to connect to a distributed port group. Add sub interfaces that connect to logical switches with VNI 5010 and 5011. Each sub interface must have a unique tunnel ID. The following table shows the sub interface configuration on the L2 VPN server edge.
    Table 1. Sub Interfaces on vnic 1 of L2 VPN Server Edge
    Name        IP Addresses       Network         VNI   Tunnel ID  Status
    sub_vxlan1  192.168.10.10/24   VXLAN-Network1  5010  200        Connected
    sub_vxlan2  192.168.100.10/24  VXLAN-Network2  5011  201        Connected
  2. Navigate to the L2 VPN edge on site A and configure a vnic interface of type "trunk". Add two sub interfaces on this interface.
    For example, in this scenario, configure "vnic 2" on the client edge to connect to a standard port group. Add sub interfaces that connect to VLANs 10 and 11. The tunnel IDs on the client edge must match the tunnel IDs that you specified on the server edge. The following table shows the sub interface configuration on the L2 VPN client edge.
    Table 2. Sub Interfaces on vnic 2 of L2 VPN Client Edge
    Name       IP Addresses       VLAN  Tunnel ID  Status
    sub_vlan1  192.168.10.10/24   10    200        Connected
    sub_vlan2  192.168.100.10/24  11    201        Connected
  3. Configure the L2 VPN edge at site B.
    1. Set the L2 VPN mode as Server.
    2. Specify the Global Configuration settings.
      For detailed instructions about configuring the L2 VPN server, see Configure L2 VPN Server.
    3. In Site Configuration Details, click Add and specify the configuration of the L2 VPN client (peer) site.
      For detailed instructions about adding L2 VPN peer sites, see Add Peer Sites.
      For example, in this scenario, do the following peer site configuration:
      • Add a peer site with name "site-A". Select the "vnic 1" trunk interface on the server edge, and include the two sub interfaces "sub_vxlan1" and "sub_vxlan2" as the stretched networks. Ensure that you enable the peer site. The following table shows the sub interfaces (stretched interfaces) on peer site-A.
        Table 3. Sub Interfaces on Peer Site-A
        Name        Parent Index  Parent Name  IP Addresses       Network         VNI   Tunnel ID
        sub_vxlan1  1             vnic1        192.168.10.10/24   VXLAN-Network1  5010  200
        sub_vxlan2  1             vnic1        192.168.100.10/24  VXLAN-Network2  5011  201
      • In the Egress Optimization Gateway Address text box, enter 192.168.10.10,192.168.100.10.
    4. Start the L2 VPN service on the server edge.
    5. Publish the changes.
  4. Configure the L2 VPN edge at site A.
    1. Set the L2 VPN mode as Client.
    2. Specify the Logging Configuration and Global Configuration settings.
      For detailed instructions about configuring the L2 VPN client, see Configure L2 VPN Client.
      For example, in this scenario, do the following configuration on the L2 VPN client:
      • Select the "vnic 2" trunk interface on the client edge, and include the two sub interfaces "sub_vlan1" and "sub_vlan2" as the stretched networks. The following table shows the sub interfaces (stretched interfaces) on the L2 VPN client edge.
        Table 4. Stretched Interfaces on L2 VPN Client Edge
        Name       Parent Index  Parent Name  IP Addresses       VLAN  Tunnel ID
        sub_vlan1  2             vnic2        192.168.10.10/24   10    200
        sub_vlan2  2             vnic2        192.168.100.10/24  11    201
      • In the Egress Optimization Gateway Address text box, enter 192.168.10.10,192.168.100.10.
    3. Start the L2 VPN service on the client edge.
    4. Publish the changes.
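
The procedure depends on the two edges agreeing: tunnel IDs must be unique per edge and match across sites, and the egress optimization gateway addresses must be the same on both. The following pre-publish consistency check is an added example, not VMware tooling or part of the original procedure; the function names are hypothetical and the sample data is constructed from Tables 1 and 2.

```python
from ipaddress import ip_address, ip_interface

# Constructed from Tables 1 and 2: (name, address, segment, tunnel ID).
SERVER_SUBS = [("sub_vxlan1", "192.168.10.10/24", "VNI 5010", 200),
               ("sub_vxlan2", "192.168.100.10/24", "VNI 5011", 201)]
CLIENT_SUBS = [("sub_vlan1", "192.168.10.10/24", "VLAN 10", 200),
               ("sub_vlan2", "192.168.100.10/24", "VLAN 11", 201)]
EGRESS_GATEWAYS = "192.168.10.10,192.168.100.10"


def by_tunnel(subs, edge, problems):
    """Index sub interfaces by tunnel ID, reporting duplicates on one edge."""
    index = {}
    for name, addr, segment, tid in subs:
        if tid in index:
            problems.append(f"{edge}: tunnel ID {tid} reused by {name} and {index[tid][0]}")
        index[tid] = (name, ip_interface(addr).network, segment)
    return index


def check_stretch(server_subs, client_subs, server_gw, client_gw):
    """Return a list of problems; an empty list means the two edges agree."""
    problems = []
    server = by_tunnel(server_subs, "server", problems)
    client = by_tunnel(client_subs, "client", problems)
    # Every tunnel ID must exist on both edges, or a segment is left unstretched.
    for tid in sorted(server.keys() ^ client.keys()):
        side = "server" if tid in server else "client"
        problems.append(f"tunnel ID {tid} is configured only on the {side} edge")
    # A tunnel that joins two different subnets bridges unrelated segments.
    for tid in sorted(server.keys() & client.keys()):
        (_, s_net, s_seg), (_, c_net, c_seg) = server[tid], client[tid]
        if s_net != c_net:
            problems.append(f"tunnel ID {tid}: {c_seg} ({c_net}) would be bridged "
                            f"to {s_seg} ({s_net})")
    # Egress optimization relies on the same gateway addresses on both sites.
    s_gw = {ip_address(g.strip()) for g in server_gw.split(",")}
    c_gw = {ip_address(g.strip()) for g in client_gw.split(",")}
    if s_gw != c_gw:
        problems.append("egress optimization gateway lists differ between sites")
    nets = [v[1] for v in list(server.values()) + list(client.values())]
    for gw in sorted(s_gw | c_gw):
        if not any(gw in n for n in nets):
            problems.append(f"egress gateway {gw} is in no stretched subnet")
    return problems


if __name__ == "__main__":
    print(check_stretch(SERVER_SUBS, CLIENT_SUBS, EGRESS_GATEWAYS, EGRESS_GATEWAYS) or "consistent")
```

An empty result means the scenario's tables are mutually consistent; swapping tunnel IDs 200 and 201 on one edge is reported as VLAN 11 being bridged to VNI 5010.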

Results

An L2 VPN tunnel is established between site A and site B. You can now migrate workloads between the two sites by using the stretched L2 networks.

What to do next

On the L2 VPN server edge and client edge:
  • Verify that the L2 VPN tunnel status is "Up".
  • View the tunnel statistics.
For detailed instructions, see View L2 VPN Statistics.

Alternatively, you can log in to the CLI console of the L2 VPN server edge and client edge and verify the tunnel status by running the show service l2vpn command.

For more information about this command, see the NSX Command Line Interface Reference Guide.