If one of the sites that you want to stretch is not backed by NSX, you can deploy a standalone Edge as the L2 VPN client on that site.

If you want to change FIPS mode for a standalone edge, use the fips enable or fips disable command. For more information, refer to NSX Command Line Interface Reference.

You can deploy a pair of standalone L2 VPN Edge clients and enable HA between them for VPN redundancy support. The two standalone L2 VPN Edge clients are called node 0 and node 1. It is not mandatory to specify the HA configuration settings on both standalone L2 VPN Edge appliance at the time of deployment. However, you must enable HA at the time of deployment.

The steps in the following procedure apply when you want to deploy the standalone Edge as a L2 VPN client for routing traffic either through an SSL tunnel or an IPSec VPN tunnel.

Prerequisites

You have created a trunk port group for the trunk interface of the standalone Edge to connect to. This port group requires some manual configuration:

  • If the trunk port group is on a vSphere Standard Switch you must do the following:
    • Enable forged transmits.
    • Enable promiscuous mode.

    See the vSphere Networking Guide.

  • If the trunk port group is on a vSphere Distributed Switch you must do the following:
    • Enable forged transmits. See the vSphere Networking Guide.
    • Enable sink port for the trunk vNic, or enable promiscuous mode. A good practice is to enable a sink port.

    Sink port configuration must be done after the standalone Edge has been deployed, because you need to change the configuration of the port connected to the Edge trunk vNIC.

Procedure

  1. Using vSphere Web Client, log in to the vCenter Server that manages the non-NSX environment.
  2. Select Hosts and Clusters and expand clusters to show the available hosts.
  3. Right-click the host where you want to install the standalone Edge and select Deploy OVF Template.
  4. Enter the URL to download and install the OVF file from the Internet or click Browse to locate the folder on your computer that contains the standalone Edge OVF file and click Next.
  5. On the OVF Template Details page, verify the template details and click Next.
  6. On the Select name and folder page, type a name for the standalone Edge and select the folder or data center where you want to deploy. Then click Next.
  7. On the Select storage page, select the location to store the files for the deployed template.
  8. On the Select networks page, configure the networks the deployed template must use. Click Next.
    • The Public interface is the uplink interface.
    • The Trunk interface is used to create subinterfaces for the networks that will be stretched. Connect this interface to the trunk port group you created.
    • The HA interface is used to set up high availability on the standalone L2 VPN Edge appliances. Select a distributed port group for the HA interface.
  9. On the Customize Template page, specify the following values.
    1. Type and retype the CLI admin password.
    2. Type and retype the CLI enable password.
    3. Type and retype the CLI root password.
    4. Type the uplink IP address and prefix length, and optionally default gateway and DNS IP address.
    5. Select the cipher to be used for authentication. The selected value must match the cipher used on the L2 VPN server.
      Note: Perform this step only when you want to configure L2 VPN over SSL.
    6. To enable Egress Optimization, type the gateway IP addresses for which traffic should be locally routed or for which traffic is to be blocked over the tunnel.
    7. (Optional) Select the Enable TCP Loose Setting check box when you want the existing TCP connection (for example, an SSH session) to the VM over L2 VPN to remain active after the VM is migrated.
      By default, this setting is not enabled. When this setting is disabled, the existing TCP connection to the VM over L2 VPN is lost after the VM is migrated. You must open a new TCP connection to the VM after the migration is done.
    8. To enable high availability on the standalone L2 VPN Edge appliance, select the Enable High Availability for this appliance check box.
    9. (Optional) Type the IP address of the first standalone L2 VPN Edge appliance (node 0). The IP address must be in the /30 IP subnet.
    10. (Optional) Type the IP address of the second standalone L2 VPN Edge appliance (node 1). The IP address must be in the /30 IP subnet.
    11. (Optional) On node 0 appliance, select 0 to assign the IP address of node 0 for the HA interface. Similarly, on node 1 appliance, select 1 so that IP address of node 1 is used for the HA interface.
    12. (Optional) Specify an integer value for the dead interval time in seconds. For example, type 15.
      Note: If you specify HA configuration settings during deployment of a standalone L2 VPN Edge client, the standalone Edge appliance VM gets a standby HA status until HA is fully configured. This means that the network interfaces on the Edge appliance VM are disabled. Make sure that you set the HA peer nodes to create the active and standby appliances. For detailed instructions, see Configure HA on Standalone L2 VPN Clients.
    13. Type the L2 VPN server address and port.
      If you are configuring the L2 VPN client to route traffic through the IPSec VPN tunnel, you must specify the IP address of the peer site, and the peer code.
    14. Type the user name and password with which the peer site is to be authenticated.
      Note: Perform this step only when you want to configure L2 VPN over SSL.
    15. In Sub Interfaces VLAN (Tunnel ID), type VLAN ID(s) of the networks you want to stretch. You can list the VLAN IDs as a comma-separated list or range. For example, 2,3,10-20.
      If you want to change the VLAN ID of the network before stretching it to the standalone Edge site, type the VLAN ID of the network, and then type the tunnel ID in brackets. For example, 2(100),3(200). The Tunnel ID is used to map the networks that are being stretched. However, you cannot specify the tunnel ID with a range. So this might not be allowed: 10(100)-14(104). You might need to rewrite this as 10(100),11(101),12(102),13(103),14(104).
    16. If the standalone Edge does not have direct access to the Internet and must reach the source (server) NSX Edge through a proxy server, type the proxy address, port, user name, and password.
    17. If a Root CA is available, you can paste it in the Certificate section.
    18. Click Next.
  10. On the Ready to complete page, review the standalone Edge settings and click Finish.

What to do next

  • Power on the standalone Edge appliance.
  • Note the trunk vNIC port number and configure a sink port. See Configure a Sink Port.
  • If you have specified the HA configuration settings, such as HA IP address, HA index value, and the dead interval time while deploying the standalone L2 VPN Edge appliances, you can validate the HA configuration on the console of the deployed nodes with the show configuration command.
  • If you have not specified the HA configuration settings during deployment, you can do it later from the NSX Edge Console by running the ha set-config command on each node.

Make any further configuration changes with the standalone Edge command-line interface. See the NSX Command Line Interface Reference.